Cis
-uses the computer to check adequacy of system controls, data and output
-evaluates how audit strategy is affected by an organization’s use of IT
-auditors need specialized skills to:
   Determine how the audit will be affected by IT.
   Assess and evaluate IT controls
   Design and perform both tests of IT controls and substantive tests

Information systems (Internal Control)
-This audit reviews the controls of an AIS to assess compliance with internal control policies and procedures and the effectiveness of safeguarding assets

Information Systems Audit Objectives

1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification or destruction.
*Framework for auditing computer security
   Types of security errors and fraud found in companies: hardware or software damage, theft, loss or unauthorized information disclosure, interruption of crucial business activities.
   Control procedures to minimize security errors and fraud: security protection plan, restrictions on physical and logical access, password protection, antivirus software, disaster recovery plan, backup and recovery, fault tolerant design.
   Systems review audit procedures: these include inspecting sites, interviewing people, reviewing policies and procedures, examining access logs, disaster recovery plans.
   Test of controls – audit procedures, testing the controls: observe site access procedures, process for backing up files, password process, firewalls, uninterruptible power supplies, preventative maintenance, data transmission controls
   Compensating controls - do these exist if the controls are weak? Do you have sound personnel policies? Effective user controls? Segregation of incompatible duties?

2. Program development and acquisition are performed in accordance with management’s general and specific authorization
limited to an independent review of systems development activities
- Auditors should review the policies, procedures, standards and documentation
- Audited on the process by which software is selected. Did management approve of it? Do they have a strategic IT plan?

3. Program modifications have management’s authorization and approval.
- Auditing applications program and system software changes:
   When a program change is submitted for approval, a list of all required updates should be compiled and approved by management and program users.
   During systems review, auditors gain an understanding of the change process by discussing it with management and user personnel.
   An important part of an auditor’s tests of controls is to verify that program changes were identified, listed, approved, tested and documented.
   To test for unauthorized program changes, auditors can use a source code comparison program.
Two additional techniques to detect unauthorized program changes:
1. The reprocessing technique also uses a verified copy of the source code. On a surprise basis, the auditor uses the program to reprocess data and compare that output with the company’s data.
2. Parallel simulation is similar to reprocessing except that the auditor writes a program instead of saving a verified copy of the source code. The auditor’s results are compared with the company’s results and any differences are investigated.

4. Processing transactions, files, reports and other computer records is accurate and complete
- The focus is the processing of transactions, files and related computer records to update files and databases and to generate reports
Options to test processing controls:
a.) Processing test data
- One way to test a program is to process a hypothetical series of valid and invalid transactions
- The following resources are helpful when preparing test data:
   - A listing of actual transactions
   - The test transactions the programmer used to test the program
   - A test data generator program, which automatically prepares test data based on program specifications

4.) Audit Hooks
   It is used to flag the suspicious transactions. Auditor is informed of questionable transactions as they occur via real time notification.

5.) Continuous and Intermittent Simulation (CIS) - embeds an audit module in a database management system (DBMS). The CIS module examines all transactions that update the database using criteria similar to those of SCARF.

c.) Analyzing program logic
- If an auditor suspects that a particular application program contains unauthorized code or serious errors, then a detailed analysis of the program logic may be necessary.

6. Computer data files are accurate, complete and confidential
- Concerns with the accuracy, integrity and security of data stored in machine-readable files
- Are they protected against unauthorized modification, destruction or disclosure of data?

Computer Software Audit
- A number of computer programs, called computer audit software (CAS) or generalized audit software (GAS), have been written especially for auditors
- General Audit Software is software designed to read, process and write data with the help of functions performing specific audit routines and with self-made macros. It is a tool in applying Computer Assisted Auditing Techniques. Functions of generalized audit software include importing computerized data; thereafter other functions can be applied.

Two of the most popular software:
1. Audit Control Language is a data interrogation tool used by auditors to view, explore, and analyze data efficiently and cost effectively. ACL enables auditors to access data in diverse formats and on various types of storage devices.
2. IDEA (Interactive Data Extraction and Analysis) is a Generalized Audit Software. It is able to import a wide range of different types of data files. During the import an IDEA file and its field statistics are created.

thereby detecting and facilitating correction of any errors prior to shipment
   Cash receipts are processed more quickly, improving cash flow.
   Reports and performance measures are timelier, enhancing management’s ability to monitor and improve efficiency and effectiveness.

Internal control in revenue cycle
1. Authorization
2. Supervision
3. Segregation of duties
4. Access control
5. Independent verification
6. Accounting records
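Parallel simulation, described above under objective 3 as a way to detect unauthorized program changes, can be sketched as follows. This is an added example, not part of the original notes; the pricing rule, the invoice IDs, the sample figures and the function names are all assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def auditor_invoice_total(qty, unit_price, discount_rate, tax_rate):
    """Auditor's own implementation of the documented pricing rule
    (assumed rule: discount applied before tax, rounded to cents)."""
    net = Decimal(qty) * Decimal(unit_price) * (1 - Decimal(discount_rate))
    return (net * (1 + Decimal(tax_rate))).quantize(CENT, ROUND_HALF_UP)

def parallel_simulation(inputs, company_output, tolerance=Decimal("0.00")):
    """Recompute every input transaction and compare with the company's results.
    Returns (invoice_id, finding, expected, reported) for each difference."""
    exceptions = []
    for rec in inputs:
        expected = auditor_invoice_total(
            rec["qty"], rec["unit_price"], rec["discount"], rec["tax"])
        reported = company_output.get(rec["id"])
        if reported is None:
            exceptions.append((rec["id"], "missing from company output", expected, None))
        elif abs(Decimal(reported) - expected) > tolerance:
            exceptions.append((rec["id"], "amount differs", expected, Decimal(reported)))
    # Output records with no source transaction are also differences to investigate.
    known = {rec["id"] for rec in inputs}
    for extra in sorted(set(company_output) - known):
        exceptions.append(
            (extra, "no matching input transaction", None, Decimal(company_output[extra])))
    return exceptions

# Constructed sample data: the same input transactions the company processed ...
INPUTS = [
    {"id": "INV-1001", "qty": 10, "unit_price": "19.99", "discount": "0.05", "tax": "0.12"},
    {"id": "INV-1002", "qty": 3, "unit_price": "250.00", "discount": "0.00", "tax": "0.12"},
    {"id": "INV-1003", "qty": 1, "unit_price": "75.50", "discount": "0.10", "tax": "0.12"},
    {"id": "INV-1004", "qty": 7, "unit_price": "12.00", "discount": "0.00", "tax": "0.12"},
]
# ... and the totals the company's production program reported for them.
COMPANY_OUTPUT = {
    "INV-1001": "212.69",
    "INV-1002": "840.00",
    "INV-1003": "84.56",   # discount was not applied by the production program
    "INV-9999": "500.00",  # output record with no input transaction
}

if __name__ == "__main__":
    for invoice_id, finding, expected, reported in parallel_simulation(INPUTS, COMPANY_OUTPUT):
        print(f"{invoice_id}: {finding} (expected={expected}, reported={reported})")
```

Each exception is a difference for the auditor to investigate; a mismatch does not by itself show that the production program was changed without authorization.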
Computer-based Purchases