Information Systems Auditing
Information Systems Environment: Why are Control and Auditability Important?
Introduction • In today’s business environment, there is increasing reliance on information systems to support business needs. Auditing provides “independent and objective assurance that information is processed in a safe and sound manner; that operations are efficient, effective, and adequate; and that information assets are safeguarded.”
The Business Environment • Business Strategy & Operations • Business partnerships • Multiple distribution channels • Get products to market faster • Mergers, downsizing • Technologically • Heavy reliance on technology to be competitive • E-commerce via Internet
The IT Environment • Increase system quality and functionality • Improve service levels • Decrease delivery time • More reliance on IT vendors and their strategies
Business Risks • Activities or events that might interfere with meeting business objectives • Probability or likelihood that loss will occur • Measure of loss if it occurs
Business Risks • Inherent (environmental) • Fraud • Lost opportunities • Loss of competitiveness
IT Risks • Unauthorized access • Inaccurate • Unreliable information • System unavailability
Information Systems Audit Defined “The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved and determine the efficient use of resources”
Business Needs • Organizations must Control and Audit Computer-Based Information Systems • Must have Procedures to detect errors and irregularities. • Must have Procedures to contain cost of Controls and Development.
Need for Controls The Organization must protect itself from: • Corruption of Data and Database • Poor decision making due to poor quality information • Losses due to abuse • Loss of hardware, software and personnel • Maintenance of Privacy
Computer Abuse • Hacking • Viruses • Illegal Physical Access • Abuse of Privileges
Consequence of Abuse • Destruction of Assets • Theft of Assets • Modification of Assets • Privacy violations • Disruption of operations • Unauthorized use of assets • Physical harm to Personnel
The Information Systems Audit Function • Used to safeguard Assets • Maintain Data Integrity • Achieve system efficiency
Asset Safeguarding • Hardware • Software • Facilities • Personnel (Knowledge) • Data files and systems documentation • Supplies
Data Integrity • Completeness • Soundness • Accuracy • Conciseness
Value of Data Integrity • Value to Decision Makers • Extent of data sharing • Value to competitors • Compliance Issues
Effectiveness • Achieving stated objective • Satisfaction of users’ needs
Efficiency - Performance Index • Timeliness – Provide user responses • Throughput – Performance over time • Utilization – Time system is busy • Reliability – Availability
Auditor’s Judgment • Must use a model of workload system • Must be aware of the cost of the evaluation • System may not yet be operational • Model used must correctly simulate the real system and environment
Internal Controls • Separation of Duties • Delegation of Authority and Responsibility • Competent Personnel • System Authorization • Documents and Records
Internal Controls • Management Supervision • Independent Checks on Performance • Accountability of Assets
Effects of Computers on Auditing • Change in evidence collection • Change in evidence evaluation
Information Systems Auditing • Traditional Auditing • Information Systems Management • Behavioral Science • Computer
Nature of Controls Auditors have to evaluate the reliability of controls. They therefore have to have an understanding of the control environment and the system of controls.
Nature of Controls Controls fall into three categories: • Preventive • Detective • Corrective
Purpose of Controls • Decreasing the probability of a loss occurring • Limiting the losses if they occur.
Dealing with Complexity • Break systems into subsystems • Determine the reliability of each subsystem. (Decomposing or Factoring)
Types of Subsystems-Management • Top Management • Information Systems Management • Systems Development • Programming • Data Administration • Quality Assurance • Security Administration • Operations Management
Types of Subsystems-Application • Input • Communications • Processing • Database • Output
Assessing Subsystem Reliability • Controls at the higher or subsystem level • Cost/Benefit analysis
Inherent Risk Factors • Financial Systems • Strategic Systems • Critical Operations • Technologically Advanced Systems
Audit Procedures • Gaining Understanding of Internal Controls • Test of Controls • Substantive Test of Transactions • Substantive Test of Details of Balances
Understanding of the Client’s Business and Industry What are some factors that have increased the importance of understanding the client’s business and industry? • Information technology • Global operations • Human capital
Understanding of the Client’s Business and Industry Understand client’s business and industry: • Industry and external environment • Business operations and processes • Management and governance • Objectives and strategies • Measurement and performance
Industry and External Environment What are some reasons for obtaining an understanding of the client’s industry and external environment? 1. Risks associated with specific industries 2. Inherent risks common to all clients in certain industries 3. Unique accounting requirements
Planning the Audit • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring
Types of Test • Existence • Occurrence • Completeness • Rights and Obligations • Valuation and Allocation • Presentation and Disclosure
Completing the Audit Opinion • Disclaimer • Adverse • Qualified • Unqualified
Auditing Around the Computer • Straightforward logic • Batched transactions • Processing is mainly sorting and data input • Clear Audit Trail • Constant System
Auditing Through the Computer • Inherent risks associated with Computer Applications • More difficult to do extensive direct examination of input and output in high volume systems. • Significant parts of the control system are embedded in the computer system. • Processing logic may be complex. • Cost/Benefit considerations may leave significant gaps in the controls and visible audit trail.
Leave the Technology to the TECHIES? Questions?