Information Systems Audit and
Control: INFO438
Felex Madzikanda
Department of Information and
Marketing Science
Midlands State University
madzikandaf@msu.ac.zw
0774810683
Administration
• Lectures, assignments and tests worth 30%
• Final examination, three hours, worth 70%
Overview of EDP Auditing
• EDP auditing is the process of collecting and
evaluating evidence to determine whether a
computer system safeguards assets, maintains
data integrity, achieves organizational goals
effectively, and consumes resources efficiently.
Need for control and audit of
computers
• Organizational costs of data loss
• Incorrect decision making
• Computer abuse
• Value of computer hardware, software and
personnel
• High costs of computer error
• Privacy
• Controlled evolution of computer use
Effects of EDP on Internal Controls
• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System authorizations
• Adequate documents and records
• Physical control of assets and records
• Adequate management supervision
• Independent checks on performance
• Comparing recorded accountability with assets
Effects of EDP on Auditing
Changes to evidence collection
• Auditors confront a complex range of internal
control technology
• Auditors need EDP systems to collect evidence
Changes to evidence evaluation
• Because of this complexity, it is difficult to evaluate
the consequences of a control strength or
weakness
• Auditors are under greater pressure because erroneous
programs will always execute incorrectly, errors
are generated at high speed, and the costs to
correct and rerun programs can be high
• Computer program errors can involve
extensive redesign and reprogramming –
auditors must ensure controls are sufficient
Foundations of EDP Auditing
• Traditional auditing – (internal control
techniques, control totals, philosophy)
• Information systems management – (techniques of project
management, documentation and standards, structured
programming)
• Computer science – (reliability theory and control
theory have been the basis for designing secure
systems)
• Behavioral science
[Diagram: EDP auditing, drawing on information systems management, computer science, traditional auditing and behavioural science]
Conducting an EDP Audit
Dealing with complexity
(1) Given the purpose of the EDP audit, factor
the system to be evaluated into
subsystems (management subsystems and
application subsystems)
(2) Identify the components that perform the
basic activities in each subsystem (hardware,
software, people, transmission media)
(3) Evaluate the reliability with which each
component executes its activities (achieved by
several controls; below are some of the major
classes of controls)
• Authenticity
• Accuracy – validation checks, overflow checks,
financial controls
• Completeness – validation, record sequence numbers
• Redundancy – to ensure a data item is
processed only once
• Privacy – encryption, passwords, inference
• Audit Trails – two types i.e. accounting and
operations audit trail.
• Existence – attempt to ensure the ongoing
availability of all system resources
• Asset safeguarding – ensure that resources
within a system are protected from
destruction or corruption
• Effectiveness – to ensure that systems achieve
their goals, e.g. post audits
• Efficiency controls – to ensure a system uses
minimum resources to achieve its goals, e.g.
logs of resource consumption, performance
monitoring using hardware and software monitors
(4) Determine the reliability of each subsystem
and the implications of each subsystem's level
of reliability for the overall level of reliability in
the system.
Overview of steps in an EDP Audit
(1) Preliminary review phase
• The objective of the preliminary review is to
obtain the information necessary for the
auditor to make a decision on how to proceed
with the audit.
• Review of management and application
controls
• The primary means of evidence collection are
interviews, observations and reviews of
documentation.
• In conclusion the auditor will decide to:
a) Withdraw from the audit
b) Perform a detailed review of the internal
control system with the expectation that
reliance can be placed upon the internal
control system and the scope and extent of
substantive testing can be reduced as a
consequence.
c) Decide not to rely on the internal control system.
(2) Detailed review phase
• The objective is to obtain the information
necessary for the auditor to have an in-depth
understanding of the controls used in the
computer installation
• Detailed review of management and
application controls
• The means of evidence collection are interviews,
observations and reviews of documentation.
• In conclusion the auditor must evaluate
whether the controls established reduce the
expected losses to an acceptable level.
(3) Compliance testing phase
• The objective is to determine whether or not
the system of internal controls operates as it
is purported to operate.
• Use of computer-assisted evidence collection
techniques to determine the existence and
reliability of controls.
• In conclusion, the auditor evaluates the
internal control system in light of the evidence
collected on the reliability of individual
controls.
(4) Review and testing of user (compensating)
controls
• Users may carefully reconcile their own
control totals with those produced as output
from application system programs.
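The reconciliation of user control totals described above, together with the completeness (record sequence numbers), redundancy and accuracy checks from the list of control classes, can be run as computer-assisted tests. The following is an added example, not part of the original slides; the batch header fields, record layout, amount limit and all sample values are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data. The header holds the totals the user control
# clerks computed before submitting the batch (sequence numbers 101-106).
USER_BATCH_HEADER = {
    "record_count": 6,
    "control_total": Decimal("1850.00"),  # sum of amounts
    "hash_total": 6021,                   # sum of account numbers
}

# What the application reports it processed: (sequence_no, account_no, amount)
PROCESSED_RECORDS = [
    (101, 1001, Decimal("250.00")),
    (102, 1002, Decimal("400.00")),
    (103, 1003, Decimal("150.00")),
    (103, 1003, Decimal("150.00")),   # same item processed twice
    (105, 1005, Decimal("600.00")),   # sequence number 104 never arrived
    (106, 1006, Decimal("-50.00")),   # amount outside the valid range
]

MAX_AMOUNT = Decimal("10000.00")  # assumed field limit for the overflow check


def sequence_gaps(records):
    """Completeness: sequence numbers missing between the lowest and highest."""
    seen = {seq for seq, _, _ in records}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def duplicate_sequences(records):
    """Redundancy: sequence numbers that were processed more than once."""
    counts = Counter(seq for seq, _, _ in records)
    return sorted(seq for seq, n in counts.items() if n > 1)


def invalid_amounts(records):
    """Accuracy: validation and overflow check on the amount field."""
    return sorted(seq for seq, _, amount in records
                  if not (Decimal("0") < amount <= MAX_AMOUNT))


def reconcile(header, records):
    """Compare user totals with totals recomputed from processed output.

    Returns {field: (user_value, computed_value)} for every mismatch.
    """
    computed = {
        "record_count": len(records),
        "control_total": sum((amt for _, _, amt in records), Decimal("0")),
        "hash_total": sum(acct for _, acct, _ in records),
    }
    return {k: (header[k], computed[k]) for k in header if header[k] != computed[k]}


def run_tests(header, records):
    """Run all four checks and return the exceptions for the working papers."""
    return {
        "completeness_gaps": sequence_gaps(records),
        "redundancy_duplicates": duplicate_sequences(records),
        "accuracy_invalid": invalid_amounts(records),
        "total_mismatches": reconcile(header, records),
    }


if __name__ == "__main__":
    for check, exceptions in run_tests(USER_BATCH_HEADER, PROCESSED_RECORDS).items():
        print(f"{check}: {exceptions}")
```

In this sample the record count reconciles even though one record is missing and another was processed twice, which is why the amount control total and the hash total are checked alongside it.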
• From the external audit viewpoint, evaluating
compensating controls may be a more cost-effective
way of completing the audit.
• Compensating controls may represent a
duplication of controls
(5) Substantive testing phase
• The objective is to obtain sufficient evidence so the
auditor can make a final judgment on whether
or not material losses have occurred or could
occur during computer data processing.
• The five types of substantive tests are tests to
identify erroneous processing, tests to assess the
quality of data, tests to identify inconsistent data,
tests to compare data with physical counts, and
confirmation of data with outside sources.
• Many of these tests require computer
support.
Some Major Audit Decisions
(1) Evaluation judgement
• It is made at the end of every phase.
• The questions are: which controls are critical to the
audit and how they should be tested for
compliance; what extent of substantive
testing is needed; and finally whether or not
the system has satisfactorily safeguarded
assets, maintained data integrity, and achieved
system effectiveness and efficiency.
(2) Timing of audit procedures
• Some auditors argue that little change is
needed to the traditional schedule of interim
work, end-of-period work, and post-period-end
work.
• Some EDP auditors argue that both external and
internal auditors should, at a minimum,
review and evaluate the design of computer
controls at various major checkpoints in the
system development process.
• Some auditors emphasize audit participation
in the design phase of EDP systems (with
this approach, audits will be performed at 3
stages in the life cycle of a system)
Analysis → Design → Implementation → Operation → Review
Why the design phase?
(3) Audit use of the computer
• There are two approaches: auditing around the
computer and auditing through the computer.
(a) Auditing around the computer
• This means arriving at an audit opinion through
examining the internal control system for a
computer installation and the input and
output only for the application systems.
Suitability
• When the system is simple
• The system uses generalized software that is
well tested and used widely by many
installations
• The system logic is straightforward
• Controls can be maintained through the
normal methods, e.g. separation of duties and
management supervision
• The task environment is relatively constant
and few stresses are placed on the system
(b) Auditing through the computer
• The auditor can use the computer to test:
I. The logic and controls existing within the
system and
II. The records produced by the system.
Suitability
• The application system processes large
volumes of input and produces large volumes
of output
• The logic of the system is complex
• Significant parts of the internal control system
are embedded in the computer system
• Cost-benefit considerations
(4) Selecting application systems for audit
• As a general rule the auditor should select for
audit those application systems most critical
to the continued existence of the organization.
(a) User audits as a selection basis
• Control clerks in the user area responsible for
gathering and batching source data, error
correction, and error resubmission often know
the fundamental weaknesses in an application
system.
(b) Application system characteristics
• High-risk systems, technologically advanced
systems, high-cost systems
• Auditors should also perform a cyclical review
of systems that seem to function well. This
review examines ways of improving these
systems.
Editor's Notes

  • #14: Regular monitoring of user satisfaction, periodic cost/benefit analysis, monitoring of frequency of use – system effectiveness. System efficiency – regular interviews with system users.