Information Systems Audit 2022
IT: Hardware, Software, Data
ICT: Hardware, Software, Data, Networks
IS: Hardware, Software, Data, Network, People, Processes
Definition: Any organized combination of
hardware, software, communication networks,
data resources, and policies and procedures to
store, retrieve, transform, and disseminate
information.
Figure: Input of data resources -> Processing of data into information -> Output of information products, supported by Network Resources (communications media and network support).
Key Concepts
“Reasonable Assurance”
“Acceptable Levels”
Control Environments
Primary Element of Internal Control
Establishes conditions under which Internal
Controls will Operate
Organization Structure
Control Framework
Organizational policies and procedures
External Influences
Organizational structure
Defines individual managers’ responsibilities
Sets limits of authority
Ensures appropriate segregation of duties
May be complex or simple
Large organizations tend to have highly
structured control frameworks
Small organizations frequently use personal
contact between employees.
Elements
Segregation of duties
Competence and integrity of people
Appropriate levels of authority
Accountability
Adequate resources
Supervision and review
Describe what is to be done
Scope of the function
Activities
Interrelationships with other departments
External influences
Laws and regulations
Customs
Union agreements
Competitive environments
Systems Software
Computer programs and routines controlling
computer hardware, processing and non-user
functions
Includes
Operating systems
Telecommunications software
Data management
Applications Software
Computer programs written to support business
functions
Includes
General Ledger/ Payroll/ Inventory/ Order Processing
Generated outside the IT organization to
meet specific user needs
Includes
Micro-based systems
User-developed systems
General IT Controls
Computer Operations
Physical security
Logical security
Program change control
Systems Development
Application Controls
Business systems oriented
Accuracy
Completeness
Authorization
Preventive- prevents an undesirable event
Restrictions on users
Requirements for passwords
Separate authorization
Detective- detects undesirable events
after the fact
Effective use of audit trails
Exception reports
Corrective- allow things to be put right
Disaster Recovery Plans
Transaction reversal capability
Discretionary- subject to human discretion
Supervisory review of signatures
Non-discretionary-provided by the system
and cannot be overridden
Use of PIN numbers
Voluntary/ Mandated
Voluntary- chosen by the organization to support
its business
Mandatory- required by laws and regulations
Manual/ Automated
Manual-implemented by manual intervention
Automated- implemented by the computer
system
Application/ General IS
Application- to do with the business function
General IS- to do with the running of the IS
function
Control Objectives and Risks
Potential Risks
Fraud
Business interruption
Errors
Customer dissatisfaction
Poor public image
Ineffective and inefficient use of resources
General Control Objectives
Integrity of information
Security
Compliance
Integrity of information
Input
All transactions are initially and completely recorded
All transactions are completely and accurately entered
into the system
All transactions are entered once only
Controls may include:
Pre-numbered documents
Control total reconciliation
Data validation
Activity logging
Document scanning
Access authorization
Document cancellation
Processing
Approved transactions are accepted by the
system and processed
All rejected transactions are reported,
corrected and re-input
All accepted transactions are processed once
only
All transactions are accurately processed
All transactions are completely processed
Controls may include:
Control totals
Programmed balancing
Segregation of duties
Restricted access
File labels
Exception reports
Error logs
Reasonableness tests
Concurrent update control
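As an added illustration (not from the lecture slides) of the input and processing controls listed above, the following Python applies pre-numbered document sequence checks, duplicate detection ("entered once only"), data validation with reasonableness tests, control-total reconciliation and an exception report to a constructed payroll batch; the field names, limits and batch values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)    # passed on to processing
    exceptions: list = field(default_factory=list)  # (doc_no, reason): exception report

# Constructed sample batch of time sheets on pre-numbered documents 1001-1006.
# Document 1004 (40 hours) was lost before keying, 1002 was keyed twice and 1005
# carries an implausible rate. The header totals were prepared from all six documents.
BATCH_HEADER = {"expected_count": 6, "expected_hours": 239.0}
SAMPLE_BATCH = [
    {"doc_no": 1001, "employee": "E001", "hours": 40.0, "rate": 25.0},
    {"doc_no": 1002, "employee": "E002", "hours": 38.0, "rate": 22.5},
    {"doc_no": 1002, "employee": "E002", "hours": 38.0, "rate": 22.5},   # duplicate entry
    {"doc_no": 1003, "employee": "E003", "hours": 45.0, "rate": 30.0},
    {"doc_no": 1005, "employee": "E005", "hours": 36.0, "rate": 999.0},  # fails reasonableness
    {"doc_no": 1006, "employee": "E006", "hours": 40.0, "rate": 28.0},
]

def validate(txn, max_hours=60.0, max_rate=150.0):
    """Data validation plus reasonableness tests; returns a rejection reason or None."""
    for key, limit in (("hours", max_hours), ("rate", max_rate)):
        value = txn.get(key)
        if not isinstance(value, (int, float)):
            return f"{key} is not numeric"
        if not 0 < value <= limit:
            return f"{key} outside reasonable range"
    return None

def process_batch(header, batch):
    result, seen = BatchResult(), set()
    for txn in batch:
        if txn["doc_no"] in seen:                    # 'entered once only'
            result.exceptions.append((txn["doc_no"], "duplicate document number"))
            continue
        seen.add(txn["doc_no"])
        reason = validate(txn)                       # validation and reasonableness
        if reason:
            result.exceptions.append((txn["doc_no"], reason))
            continue
        result.accepted.append(txn)
    # Pre-numbered documents: a gap in the sequence means a transaction was not recorded.
    for missing in sorted(set(range(min(seen), max(seen) + 1)) - seen):
        result.exceptions.append((missing, "document number missing from sequence"))
    # Control-total reconciliation: document count and hash total of hours versus the header.
    keyed_hours = sum(t["hours"] for t in batch)
    if len(seen) != header["expected_count"] or keyed_hours != header["expected_hours"]:
        result.exceptions.append(("BATCH", f"control totals do not reconcile: {len(seen)} docs, {keyed_hours} hours keyed"))
    return result
```

Rejected items in the exception report are the ones the slides say must be corrected and re-input; only the accepted list goes forward to processing.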
Output
Hard copy
File output
On-line enquiry files
Primary Objectives
Assurance that the results of Input and
Processing are output
Output is available only to authorized
personnel
Typical Controls
Complete audit trail
Output distribution logs
Integrity
of programs and processing
Change control
Prevention of unwanted changes
Ensuring adequate design and development
control
Ensuring adequate testing
Controlled program transfer
On-going maintainability of systems
Systems Development
Typical controls
Use of a formal SDLC
User involvement
Adequate documentation
Formalized testing plan
Planned conversion
Use of post-implementation reviews
Establishment of a QA function
Involvement of Internal Auditors
Nowadays
On-line, real-time input with a small batch
component
Input via a terminal
Instantaneous update
Overnight report production
Terminals may be local or remote
Terminals may be dial-up or dedicated
Terminals may be differing types
Primary control objectives
Availability
Security
Confidentiality
Accuracy
Microwave
Satellite
Cables
Dedicated
Dial-Up
Line operations
Digital to analogue
Simplex- one way only
Half-duplex-one way at a time
Duplex-two way communications
Wireless- everywhere
Synchronous Communications
High speed transmission and reception of long groups
of characters
Asynchronous Communications
Slow, irregular transmissions, one character at a time
with start and stop bits
Encryption
Scrambling of data into unreadable forms such that it
can be unscrambled
Protocol
A set of rules for message transmission in the network
Private / Public Switched (PSNs)
Value Added (VANs)
Local Area (LANs)
Wide Area (WANs)
The Internet
The Cloud
Point-to-Point
Separate, direct links
Multidrop
Multiple terminals sharing a single line
Ring Networks
No central computer, each machine is a “node”
Star Networks
Single central computer coordinating all
communications
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Application Software as a Service (ASaaS)
Online enquiry
Allows a remote user to retrieve data directly
Primary concern- Confidentiality
Online data entry
Remote entry of data
Allows concurrent processing of data
Primary concern
Transaction authenticity
Accuracy
Completeness
Online update
As per on-line data entry but with immediate effect
Primary concerns
Concurrency control
Availability
Availability
Security
Unauthorized access
Accidental or intentional changes
Security threatened areas
Operating system
Management features
Inter-computer communication
Dial-up access
Gateways
Poor performance
Hardware components
Software
Data
Networking capability
Human resources
Ensured by
Adequate physical environment
Adequate backups
Multiple redundancies
Peer-to-peer networking
Adequate Disaster Recovery Planning
Training
A factor of
Hardware
Software
Human element
Hardware
Theft
Sabotage
Penetration
Operating System
Theft
Corruption
By-passing
Substitution
Application Software
Theft
Corruption
By-passing
Substitution
Data
Theft
Corruption
Substitution
Manipulation
Insiders- Users
Insiders- Specialists
Outsiders- Legitimate
Outsiders- Hackers
Programming languages
Who programs?
The SDLC
Change control
Problem management
Source code
Object code
Executable code
Compilers
Assemblers
Interpreters
Analyze
Design
Code
Test
Retest
Redesign
Retest
Run
Audit
Binary programs
Example: 0110 1001 1110 0101
The symbolic code
Example:
PACK RATE, RATE1
L HRS, HRS1
MVC REG,4
FORTRAN
Example:
REGPA=RATE*HOURS
CALL TXCAL
DED=WITTX+UIF+INS+PENS
COBOL
Example:
NET-PAY-CALC-ROUTINE.
    MULTIPLY RATE BY HOURS-WORKED
        GIVING NORMAL-PAY.
Future
4th Generation Languages
5th Generation Languages
No Languages?
Artificial Intelligence
Used to control the generation of
programmed systems
Objective- to produce a quality system, as
specified, on time, within budget
Primary phases
Feasibility study
Outline system design
Detailed system design
Code
Test
Implement
Post-implementation review
Availability of user staff
Access to the right level of staff
“Technology lust”
Over-extended timescales
Inexperienced staff
Timescale problems
Too long between milestones
Key staff change
Business objectives change
Costs escalate
Hardware / software may become obsolete
Agreed schedules/ schedule review
Work assignment
Performance monitoring
Progress monitoring
Status reporting and follow-up
Project planning elements
Project guidelines
Work breakdowns
Start and completion dates
A monitoring mechanism
Incomplete economic evaluation
Management abdication
Inadequate specifications
Systems design errors
Incompetent personnel
Technical self-gratification
Poor communication
No project “kill” points
Temptations to computer abuse
Incoherent direction
Erroneous management decisions
Unacceptable accounting policies
Inaccurate record-keeping
Business interruption
Built-in fraud
Violation of legal statutes
Excessive operating cost
Inflexibility
Overrun budgets
Unfulfilled objectives
Acquisition of data
Identification of data
Development of conversion programs
Sanitization of input data
Maintenance of current systems
File conversion
Major task
Requires strict control
May jeopardize the whole project
Rubbish in, rubbish out
Audit involvement essential
Objective- to ensure risk is controlled, not introduced, during a change
All changes are authorized
All authorized changes are made
Only authorized changes are made
All changes are as specified
All changes are cost-effective
Objective- to control systems during emergency situations
Unforeseen changes
Bypass normal control mechanisms
May require direct programmer access to live
data
Must be controlled separately
Must involve user authorization
Definition of Terms
Database – a collection of data logically organized to
meet the information requirements of a universe of
users.
Database Management System (DBMS)- a hardware /
software system which manages data by providing
organization, access and control functions.
Data Dictionary/ Data Directory System (DD/DS)- the
software which manages a repository of information
about data and the database environment.
Database Administrator- a human function involved in
the co-ordination and control of data related
activities.
User System Interfaces- components of the
database environment which request,
manipulate and transform data into
information for an end user.
Data structures- the interrelationships of
data.
Storage structures- methods and techniques
used to physically represent data structures
on storage devices.
Access methods- software logic procedures
used to retrieve, insert, modify, and delete
data on a storage device.
Sequential
Hierarchical
Network
Relational
Model
Components
Data Definition Language (DDL)
Storage Structure Definition Language (SSDL)
Data Manipulation Language (DML)
DBMS Nucleus and Utilities