CIS Synthesis
SAS 78 / COSO
Describes the relationship between the firm’s:
a. internal control structure,
b. auditor’s assessment of risk; and
c. the planning of audit procedures
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk,
the more auditor procedures applied in the audit.
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
Control environment
Risk assessment
Monitoring
The process for assessing the quality of internal control design and operation
Separate procedures—test of controls by internal auditors
Ongoing monitoring:
computer modules integrated into routine operations
management reports which highlight trends and exceptions from normal performance
Control activities
Policies and procedures to ensure that the appropriate actions are taken in response to identified
risks
Transaction Authorization
Segregation of Duties
Supervision
Accounting Records
Access Control
Independent Verification
Sarbanes-Oxley Act
The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules
Created company accounting oversight board
Increased accountability for company officers and board of directors
Increased white collar crime penalties
Prohibits a company’s external audit firms from providing financial information systems
Organizational Structure IC
Audit objective – verify that individuals in incompatible areas are segregated to minimize
risk while promoting operational efficiency
Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires
collusion.
Distributed IT Structure
Despite its many advantages, important IC implications are present:
incompatible software among the various work centers
data redundancy may result
consolidation of incompatible tasks
difficulty hiring qualified professionals
lack of standards
Organizational Structure IC
A corporate IT function alleviates potential problems associated with distributed IT
organizations by providing:
central testing of commercial hardware and software
a user services staff
a standard-setting body
review of the technical credentials of prospective systems professionals
Audit Procedures
Review the corporate policy on computer security
- Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible
functions
Review systems documentation and maintenance records
- Verify that maintenance programmers are not also design programmers
Audit objective – verify that the disaster recovery plan (DRP) is adequate and feasible for dealing with disasters
What is an IT Audit?
IT audits:
focus on the computer-based aspects of an organization’s information system
assess the proper implementation, operation, and control of computer resources
Elements of an IT Audit
Systematic procedures are used
Evidence is obtained
- tests of internal controls
- substantive tests
Determination of materiality for weaknesses found
Prepare audit report & audit opinion
Audit Risk:
the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial
statements are materially misstated.
Three Components of Audit Risk
Inherent risk – associated with the unique characteristics of the business or industry of the client
Control risk – the likelihood that the control structure is flawed because controls are either absent
or inadequate to prevent or detect errors in the accounts
Detection risk – the risk that errors not detected or prevented by the control structure will also
not be detected by the auditor
Operating Systems
Log-On Procedure
- first line of defense – user IDs and passwords
Access Token
- contains key information about the user
Access Control List
- defines access privileges of users
Discretionary Access Control
- allows user to grant access to another user
Access Privileges
Audit objectives: verify that access privileges are consistent with separation of
incompatible functions and organization policies
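The segregation-of-duties rules above (authorization vs. processing, custody vs. record-keeping, maintenance vs. design programmers) and the audit procedure of reviewing documentation for incompatible functions can be applied mechanically to an access-review export. The following is an added example, not material from the lecture notes; the function labels and the sample entitlement rows are constructed.

```python
"""Segregation-of-duties (SoD) check over a user-entitlement export.

Added example; not from the lecture notes. The function labels and the
sample entitlements below are constructed for illustration.
"""
from collections import defaultdict

# Pairs of functions one person must not hold together, taken from the SoD
# rules in the notes (labels are constructed).
INCOMPATIBLE_PAIRS = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "record_keeping"}),
    frozenset({"maintenance_programmer", "design_programmer"}),
}

def find_sod_conflicts(entitlements):
    """Return {user: [conflicting pair, ...]} for every user who holds both
    halves of an incompatible pair.

    entitlements: iterable of (user, function) rows, such as an access-review
    export. Duplicate rows are tolerated.
    """
    held = defaultdict(set)
    for user, function in entitlements:
        held[user].add(function)
    conflicts = {}
    for user, functions in sorted(held.items()):
        hits = [tuple(sorted(pair)) for pair in INCOMPATIBLE_PAIRS if pair <= functions]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts

# Constructed sample export: the (user, function) rows an auditor might receive.
SAMPLE_ENTITLEMENTS = [
    ("alice", "authorize_transaction"),
    ("bob", "process_transaction"),
    ("carol", "asset_custody"),
    ("carol", "record_keeping"),         # custody + record-keeping: conflict
    ("dave", "design_programmer"),
    ("dave", "maintenance_programmer"),  # design + maintenance: conflict
    ("erin", "authorize_transaction"),
    ("erin", "process_transaction"),     # authorize + process: conflict
    ("erin", "authorize_transaction"),   # duplicate row, harmless
]

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ENTITLEMENTS).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both {a} and {b}")
```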
Password Control
Audit objectives: ensure the adequacy and effectiveness of password policies for controlling
access to the operating system
Access controls
Audit objectives: (1) those authorized to use databases are limited to data needed to
perform their duties and (2) unauthorized individuals are denied access to data
Backup controls
Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted
data
Access Controls
User views - based on sub-schemas
Database authorization table - allows greater authority to be specified
User-defined procedures - user to create a personal security program or routine
Data encryption - encoding algorithms
Biometric devices - fingerprints, retina prints, or signature characteristics
Equipment failure
Audit objective: verify the integrity of electronic commerce transactions by determining that
controls are in place to detect and correct message loss due to equipment failure
EDI Risks
Authorization
- automated, with no human intervention
Access
- need to access EDI partner’s files
Audit trail
- paperless and transparent (automatic) transactions
EDI Controls
Authorization
- use of passwords and value added networks (VAN) to ensure valid partner
Access
- software to specify what can be accessed and at what level
Audit trail
- control log records the transaction’s flow through each phase of the transaction
processing
Auditing Procedures for EDI
Tests of Authorization and Validation Controls
- Review procedures for verifying trading partner identification codes
- Review agreements with VAN
- Review trading partner files
Tests of Access Controls
- Verify limited access to vendor and customer files
- Verify limited access of vendors to database
- Test EDI controls by simulation
Tests of Audit Trail Controls
- Verify the existence of transaction logs at key points
- Review a sample of transactions
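The EDI audit-trail control described above (a control log recording each transaction's flow through every processing phase) can be tested by checking that each logged transaction passed through every phase in order. The following is an added example, not material from the lecture notes; the phase names, the log format and the sample lines are constructed.

```python
"""Audit-trail completeness check for an EDI control log.

Added example; not from the lecture notes. The phase names, log line format
('timestamp txn_id phase') and sample lines are constructed for illustration.
"""
# Phases every transaction must pass through, in this order (constructed).
PHASES = ["received", "translated", "validated", "posted"]

def parse_control_log(lines):
    """Parse 'timestamp txn_id phase' lines into {txn_id: [phases in log order]}."""
    trail = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line in the constructed format: skip it
        _, txn_id, phase = parts
        trail.setdefault(txn_id, []).append(phase)
    return trail

def audit_trail_gaps(trail):
    """Return {txn_id: problem} for transactions whose trail is missing a
    phase or records phases out of order; complete, ordered trails are omitted."""
    gaps = {}
    for txn_id, phases in sorted(trail.items()):
        missing = [p for p in PHASES if p not in phases]
        if missing:
            gaps[txn_id] = "missing phase(s): " + ", ".join(missing)
            continue
        order = [PHASES.index(p) for p in phases if p in PHASES]
        if order != sorted(order):
            gaps[txn_id] = "phases out of order: " + " -> ".join(phases)
    return gaps

# Constructed sample of a control log: T1001 is complete, T1002 skips two
# phases, T1003 records validation before translation.
SAMPLE_LOG = """\
2024-01-05T09:00:01 T1001 received
2024-01-05T09:00:02 T1001 translated
2024-01-05T09:00:03 T1001 validated
2024-01-05T09:00:04 T1001 posted
2024-01-05T09:01:00 T1002 received
2024-01-05T09:01:01 T1002 posted
2024-01-05T09:02:00 T1003 received
2024-01-05T09:02:01 T1003 validated
2024-01-05T09:02:02 T1003 translated
2024-01-05T09:02:03 T1003 posted
""".splitlines()

if __name__ == "__main__":
    for txn_id, problem in audit_trail_gaps(parse_control_log(SAMPLE_LOG)).items():
        print(f"{txn_id}: {problem}")
```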