08 Auditing in An It Environment
1. General Controls – control policies and procedures that relate to the overall computer information system.
a. Organization Controls
Designed to define the strategic direction and establish an organization framework over IT activities including:
Strategic information and technology plan
Policies and procedures
Segregation of incompatible functions
Between IT department and User Department
Segregation of duties within the IT departments
Monitoring of IT activities performed by Third-Party Consultants
b. Systems Development, Maintenance and Documentation Controls
User Department must participate in the system design
Written system specification must be required and approved by management and user department
Both user and IT personnel must test new systems
Management, user and IT personnel must approve new systems before implementation
Control of all master and transaction files to avoid unauthorized changes
All program changes should be approved
Adequate documentation should be made to facilitate the use of programs
c. Access Controls
1) Physical access control
a) Limited physical access
b) Visitor entry log
2) Electronic access control
a) Requiring user identification (especially on on-line systems) and regular changes of passwords
b) Defining user data access privilege
c) Call back – users dial up for access to the IT system; the system logs them out and then re-establishes the
communication link once their identification has been verified
3) Hardware controls
a) Diagnostic routines – hardware or software supplied by manufacturers to check the internal operations
and devices within the computer system
b) Boundary protection – to ensure integrity of the allocated memory for a job currently running under
simultaneous processing in a multiprogramming environment
c) Periodic maintenance
4) Data transmission controls
a) Parity check – data are processed and transmitted by computers in arrays of bits. A redundant bit may be
added to verify the integrity of the information that is processed or transmitted
b) Data encryption – data are coded into secret characters to prevent unauthorized individuals from reading
the information
c) Message acknowledgement technique (ex. Echo Check) – receiving device sends a message that
verifies a transmission back to the sending device
d) Private lines – using phone lines owned or leased by the organization, which are therefore more secure
(a) Programming the operating system to generate a computer log of failed access attempts and to generate
warnings for repeated access failures
(b) Programmers should not have access to input data or application programs that are currently used
(c) Computer operators should be restricted only to the application programs currently being used
(d) Computer operators should have access only to the operations manual (instructions for processing
programs) and not to detailed program documentation.
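Item (a) above, as an added example (Python written for this page, not part of the notes): failed-access entries from constructed log lines are counted per user and a warning is raised on repeated failures; the log format, threshold and window are assumptions.

```python
# Added example (not from the notes): a monitoring routine of the kind item (a)
# above calls for, run over constructed log lines; the log format is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2024-03-01 08:00:05 LOGIN FAIL user=jdoe src=TERM12
2024-03-01 08:00:31 LOGIN FAIL user=jdoe src=TERM12
2024-03-01 08:01:02 LOGIN FAIL user=jdoe src=TERM12
2024-03-01 08:01:40 LOGIN OK user=jdoe src=TERM12
2024-03-01 09:15:00 LOGIN FAIL user=asmith src=TERM03
2024-03-01 11:40:00 LOGIN FAIL user=asmith src=TERM03
""".splitlines()

THRESHOLD = 3                  # failures that count as "repeated" (assumed)
WINDOW = timedelta(minutes=5)  # ...when they fall within this span (assumed)

def parse(line):
    """Split one log line into (timestamp, status, user, terminal)."""
    date, time, _, status, user, src = line.split()
    return (datetime.fromisoformat(date + " " + time), status,
            user.split("=", 1)[1], src.split("=", 1)[1])

def failed_access_warnings(lines, threshold=THRESHOLD, window=WINDOW):
    """One warning per user each time their failures reach the threshold inside the window."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    warnings = []
    for line in lines:
        ts, status, user, src = parse(line)
        if status != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            warnings.append("%s repeated access failures: user=%s src=%s count=%d"
                            % (ts, user, src, len(recent[user])))
            recent[user] = []    # reset so one burst yields one warning
    return warnings

def failures_by_user(lines):
    """Total failed attempts per user, for the periodic review of the log."""
    counts = defaultdict(int)
    for line in lines:
        _, status, user, _ = parse(line)
        if status == "FAIL":
            counts[user] += 1
    return dict(counts)
```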
d. Data and Procedural Controls
1) Data control group receives all data for processing, ensures complete recording, follows up errors,
determines that data are corrected and resubmitted by the user department, and verifies output distribution
2) Processing Controls
a) Written manual of systems and procedures for all computer operation
b) Back-up and recovery
i. Grandfather-father-son principle of retention – a back-up system employed in batch
processing that enables reproduction of destroyed or lost master files from multiple (3)
generations of master files
ii. Snapshots – a daily picture (copy) of the data files is taken and retained until the weekly file is
prepared; weekly files are retained until the annual file is created
c) Contingency processing
i. Reciprocal agreement/Mutual aid pact
ii. Internal Site
iii. Hot Site – back-up centers that are already installed with equipment
iv. Cold Site – back-up centers that are ready for equipment to be brought in
d) File Protection Rings – enable writing to a magnetic tape only when the ring is on the magnetic tape.
This guards against the operator error of writing over tapes containing critical information.
e) Internal and External Labels – provide identification of files to avoid their destruction
e. Monitoring controls
Monitoring of key IT performance indicators
Internal/external IT audits
2. IT Application Controls – control policies and procedures that relate to specific use of the system in order to
provide reasonable assurance that all transactions are authorized, recorded, and are processed completely,
accurately and on a timely basis.
1) Controls over inputs
a) Limit test – test of reasonableness of a field of data using predetermined upper and lower limits
b) Validity test – a comparison of data against a master file or table for accuracy
c) Self-checking digit – contains redundant information permitting accuracy check
d) Completeness check – processing will not continue unless all data required are supplied
e) Control total – the total of one field of information for all items in a batch
Item (Record) count – a count of the number of items or transactions being input in a given
batch
Financial total – the total of the amount of all items in a batch
Hash total – a total of one field of information for all items in a batch that has no intrinsic
meaning
f) Menu driven input – contains a set of menus or Q&A that guides the user through completion of all the required
data
g) Field check – ensures that the proper character is supplied in a given field
h) Field size check – ensures that the data supplied is within the number of digits or string of characters
required for the field.
i) Logic tests – reject encoded data that are illogical or inconsistent
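The input controls listed above, as an added example (Python written for this page, not from the notes): the Luhn scheme is assumed for the self-checking digit since the notes name no particular algorithm, and the records, master table and limits are constructed.

```python
# Added example (not from the notes): batch input controls over constructed records.
# Luhn is assumed for the self-checking digit; the notes name no specific scheme.
REQUIRED = ("account", "amount", "dept")          # completeness check
VALID_DEPTS = {"SALES", "PURCH", "PAYRL"}          # constructed master table
MIN_AMT, MAX_AMT = 0.01, 50000.00                  # predetermined limits

BATCH = [  # constructed sample batch; only the first record is clean
    {"account": "12345674", "amount": "125.50", "dept": "SALES"},
    {"account": "12345675", "amount": "99.00", "dept": "SALES"},  # bad check digit
    {"account": "12345674", "amount": "75000", "dept": "PURCH"},  # over limit
    {"account": "12345674", "amount": "10", "dept": "XXXX"},      # unknown dept
    {"account": "1234567", "amount": "10", "dept": "PAYRL"},      # wrong size
    {"account": "12345674", "amount": "", "dept": "PAYRL"},       # incomplete
]

def luhn_ok(digits):
    """Self-checking digit: the whole number must satisfy the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_record(rec):
    """Return the input-control failures for one record (empty list = accepted)."""
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:                                # completeness check stops processing
        return ["completeness: missing " + ",".join(missing)]
    errs, acct = [], rec["account"]
    if not acct.isdigit():                     # field check
        errs.append("field check: account not numeric")
    elif len(acct) != 8:                       # field size check
        errs.append("field size: account not 8 digits")
    elif not luhn_ok(acct):                    # self-checking digit
        errs.append("check digit: account fails self-check")
    try:
        if not MIN_AMT <= float(rec["amount"]) <= MAX_AMT:   # limit test
            errs.append("limit test: amount outside limits")
    except ValueError:                         # field check on the amount
        errs.append("field check: amount not numeric")
    if rec["dept"] not in VALID_DEPTS:         # validity test against master table
        errs.append("validity test: unknown dept")
    return errs

def batch_totals(batch):
    """Control totals to agree with the user department's batch slip."""
    return {"record_count": len(batch),
            "financial_total": round(sum(float(r["amount"]) for r in batch), 2),
            "hash_total": sum(int(r["account"]) for r in batch)}  # no intrinsic meaning
```

Rejected records go back to the user department for correction and resubmission; the totals are computed over the accepted records and compared with those the user department submitted with the batch.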
2) Controls over processing
3) Controls over output
Auditing in an IT Environment
1. The overall objective and scope of an audit, including the auditor’s responsibilities, do not change in an IT
environment.
2. An IT environment may affect:
a. Auditor’s consideration of internal control, which includes an assessment of computerized as well as
manual controls
b. Auditor’s assessment of control risk
c. Procedures to be performed in considering internal control and performing substantive tests
Unauthorized access to data that may result in destruction of data or improper changes to data,
including the recording of unauthorized or non-existent transactions, or inaccurate recording of
transactions. Particular risks may arise where multiple users access a common database.
The possibility of IT personnel gaining access privileges beyond those necessary to perform their
assigned duties by breaking down segregation of duties
Unauthorized changes to data in master files
Unauthorized changes to IT applications or other aspects of the IT environment
Failure to make necessary changes to IT applications or other aspects of the IT environment
Inappropriate manual intervention
Potential loss of data or inability to access data as required
1) Organizational structure
a. Concentration of functions and knowledge
b. Concentration of programs and data
2) Nature of processing
a. Lack of visible transaction trails
b. Ease of access to data and computer programs
3) Design and procedural aspects
a. Consistency of performance
b. System generated transaction
c. Programmed control procedures
d. Single transaction update of multiple or data base computer files
B. Test of Controls
It is more efficient to review the design of general controls before reviewing the application controls.
a) Auditing with the computer – the auditor uses the computer as an audit tool
b) Auditing through the computer – the auditor enters the client’s system and examines directly the computer
and its system and application software using CAATs
1) Factors to consider
a) Degree of technical competence in IT
b) Availability of CAATs and appropriate computer facilities
c) Impracticability of manual tests
d) Effectiveness and efficiency
e) Timing of tests
2) Tests of Controls using CAATs may be divided into the following categories of techniques:
a) Program analyses
b) Program testing
c) Continuous testing
d) Review of Operating Systems
Limitations: