Abdul-Rahman Mahmood
Assistant Professor, Computer Science, FAST-NU
abdulrahman@nu.edu.pk reddit.com/user/alphapeeler
alphapeeler.sf.net/pubkeys/pkey.htm www.flickr.com/alphapeeler
pk.linkedin.com/in/armahmood http://alphapeeler.tumblr.com
bqb-tsid-asp armahmood786@jabber.org
alphapeeler alphapeeler@aim.com
alphapeeler abdulmahmood-sss
armahmood786 alphapeeler@icloud.com
http://alphapeeler.sf.net/ pinterest.com/alphapeeler
IS Audit & Control
About The Instructor
https://alphapeeler.sourceforge.net/index4stu.html#about
https://pk.linkedin.com/in/armahmood
Student Life Achievements
 Operating Systems book
 https://alphapeeler.sourceforge.net/index4stu.html#achievements_os
 CEHv12 Mod020 – Cryptanalysis
 https://alphapeeler.sourceforge.net/index4stu.html#achievements_cryptana
 AlphaPeeler Credited by other YouTubers
 https://alphapeeler.sourceforge.net/index4stu.html#achievements_yt
 Referred in Certified Ethical Hacking manuals
 https://alphapeeler.sourceforge.net/index4stu.html#achievements_ceh
 Books and articles references
 https://alphapeeler.sourceforge.net/index4stu.html#achievements_books_articles
Information Systems Audit - week 1 lecture
https://www.taylorfrancis.com/chapters/edit/10.1201/9781003508632-6/cryptanalysis-using-cryptool-alphapeeler-bishwajeet-pandey-keshav-kumar-pushpanjali-pandey-bakar
About The Course
Class Policies
• Attendance will be marked only if you are present in class.
• Attendance: 80% is required to be able to sit in the final exams.
• Remaining 20%: sick leave, internship, job, emergencies, accidents, going to your aunt's (phoppo's) house, or any other reason.
• Cross-section attendance is not allowed.
• Late assignment submission is accepted until 1 week after the actual deadline (marks deduction applies for late submission).
• After 1 week, assignment submissions won't be accepted.
• All submissions on Google Forms; no email submissions.
• Plagiarism will not be tolerated.
Reference books
 IT Auditing: Using Controls to Protect Information Assets, 2nd Edition, by Chris Davis, Mike Schiller with Kevin Wheeler.
 Auditing Information Systems, Second Edition, by Jack J. Champlain.
 Information System Control and Audit, by Ron Weber.
 CISA Review Manual 2010.
Assessment
 The course material builds your innovation skills cumulatively
 Spot tests will be given periodically to assess your
comprehension of the readings.
 Class participation is graded based on student participation in
practicum exercises.
 There will be midterm and final examinations that are
cumulative.
 Midterm 30%
 Assignment 10%
 Final Exam 50%
 Project 10%
 Total 100%
Section A: fpmpz26
Section B: moqtiwa
GCR codes (Section as on flex)
Course Outline (Course Catalogue - HEC)
 IS audit charter, policies, procedures; auditing computer networks and communication; auditing software development, acquisition and maintenance; auditing IT infrastructure; auditing management and organization; business process re-engineering; IS audit proposal, report, evidence and follow-up; compliance with standards; enterprise service agreements; backup and procedures.
Course Goals
 After successful completion of this course, students should be able to audit information systems.
 Develop and implement a risk-based IS audit strategy in compliance with IT audit standards, to ensure that key areas are included.
 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
 Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.
Introduction to Information System Audit
Auditing
 An audit is an evaluation of an organization, system, process, project or product,
 performed by a competent, independent, objective and unbiased person or persons, known as auditors.
 Purpose
 Make an independent assessment based on management's representation of their financial condition (through their financial statements).
 Ensure that the operating effectiveness of the internal accounting system is in accordance with approved and accepted accounting standards / practices.
 Evaluate the internal controls to determine whether conformance will continue, and recommend necessary changes in policies, procedures or controls.
 Auditing is a part of quality control certifications.
Financial Audit
 A financial audit is an assurance or attestation on financial statements provided by accounting firms, whereby the firm provides an independent opinion on published information.
 Performed by firms of practicing accountants because of the financial reporting knowledge it requires.
 Internal auditors do not attest to financial reports but focus mainly on the internal controls of the organization.
 External auditors
 US: Certified Public Accountants (CPA)
 UK: Chartered Certified Accountants (ACCA) and Chartered Accountants
 (e.g. A.F. Ferguson & Co., KPMG Taseer Hadi & Co., Moody International)
History
 Independent auditing developed with the expansion of the British Empire in the 19th century.
 Prior to the 1930s, corporations were required neither to submit annual reports to government agencies or shareholders nor to have such reports audited.
 The 1929 crash created pressure for the audit of publicly traded companies:
 In the UK, the London Association of Accountants successfully campaigned for the right to audit companies in 1930.
 In the US, the Securities Exchange Act of 1934 required all publicly traded companies to disclose certain financial information, and required that financial information to be audited.
 The establishment of the U.S. Securities and Exchange Commission (SEC) created a body to enforce the audit requirements.
History since 1980
 The pro-business Reagan administration in the US and the Thatcher government in the UK lifted many of the controls over the profession,
 leading to abuses that resulted in the crashes of 1987 and 2001.
 Since then, the Sarbanes-Oxley Act (SOX) has forced an expansion of audit responsibility and driven up audit revenues (and costs).
 One study estimated the net private cost of SOX at $1.4 trillion in the US.
 This is an econometric estimate of "the loss in total market value around the most significant legislative events", i.e. the costs minus the benefits as perceived by the stock market as the new rules were enacted.
Audit Firms
 The largest accounting firms (the 'Big 4' or 'Final 4') audit nearly all large quoted/listed companies.
 In addition to providing audits, they also provide other services, including tax advice and strategic consultancy.
 The 5th largest firm, Grant Thornton, has only around 10% of the revenues of KPMG.
https://www.statista.com/statistics/250479/big-four-accounting-firms-global-revenue/
Worldwide Big 4 revenues
 The revenues of the big accounting firms grew by a
healthy 15% last year.
 They are in effect, the back office of the global
markets
 They are a “private police force… hired, fired and
paid for by company management”
 The “big four” firms employ around half a million
people
Worldwide Big 4 revenues
[Chart: Growth of 'Big 4' Revenues, 2000-2012; x-axis Year, y-axis Revenues (scale 30 to 130)]
Stages of an audit
 Planning and risk assessment
 Internal controls testing
 Substantive procedures
Stages of an audit
Planning and risk assessment
 Timing: before year-end
 Purpose:
 to understand the business of the company and the
environment in which it operates.
 to determine the major audit risks (i.e. the chance that the
auditor will issue the wrong opinion).
 For example, if sales representatives stand to gain
bonuses based on their sales, and they account for
the sales they generate, they have both the incentive
and the ability to overstate their sales figures, thus
leading to overstated revenue.
 In response, the auditor would typically plan to increase the
precision of their procedures for checking the sales figures.
Stages of an audit
Internal controls testing
 Timing: before year-end
 Purpose: to assess the internal control
procedures
 (e.g. by checking computer security, account
reconciliations, segregation of duties). If internal
controls are assessed as strong, this will reduce
(but not entirely eliminate) the amount of
'substantive' work the auditor needs to do
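Segregation of duties is the control the slide singles out, and the sales-bonus scenario on the previous slide is exactly a duties conflict: the person who generates a sale also records it. The following is an added example, not part of the lecture, showing the two checks an IS auditor typically runs for it: a design test over an entitlement extract (who holds a conflicting pair of roles) and an operating-effectiveness test over the transaction log (who actually both created and posted an entry). The role names, users, conflict matrix and transactions are all constructed for the example.

```python
"""Segregation-of-duties (SoD) checks, as an added example (not lecture code).

Two tests:
  1. design: does any user hold a pair of roles that should never be combined?
  2. operation: did any single person both create and post the same entry?
All data below is constructed; role and user names are this example's own.
"""
from itertools import combinations

# Constructed conflict matrix: pairs of roles that one person must not hold.
# The first pair is the lecture's scenario: creating sales and recording revenue.
CONFLICTING_ROLES = {
    frozenset({"create_sales_order", "post_revenue"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
}

# Constructed entitlement extract, as pulled from an ERP's user/role tables.
ENTITLEMENTS = {
    "alice": {"create_sales_order", "view_reports"},
    "bob":   {"create_sales_order", "post_revenue"},
    "carol": {"create_vendor", "approve_payment", "view_reports"},
    "dave":  {"post_journal_entry"},
    "erin":  {"approve_journal_entry", "post_journal_entry"},
}

# Constructed transaction log: who created and who posted each entry.
TRANSACTIONS = [
    {"id": "SO-1001", "created_by": "alice", "posted_by": "bob",  "amount": 12000.0},
    {"id": "SO-1002", "created_by": "bob",   "posted_by": "bob",  "amount": 48000.0},
    {"id": "SO-1003", "created_by": "alice", "posted_by": "dave", "amount": 3000.0},
]


def find_sod_conflicts(entitlements, conflicts=CONFLICTING_ROLES):
    """Design test: return {user: [(role_a, role_b), ...]} for every toxic pair held.

    Pairs are reported in sorted order so the output is stable across runs.
    """
    findings = {}
    for user, roles in entitlements.items():
        hits = [(a, b) for a, b in combinations(sorted(roles), 2)
                if frozenset({a, b}) in conflicts]
        if hits:
            findings[user] = hits
    return findings


def exercised_conflicts(transactions):
    """Operation test: ids of entries where the same person created and posted.

    A user may hold a conflicting pair without ever using it; this shows whether
    the conflict was actually exercised, which is what drives the audit finding.
    """
    return [t["id"] for t in transactions if t["created_by"] == t["posted_by"]]


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ENTITLEMENTS).items():
        print(f"{user}: holds conflicting roles {pairs}")
    print("self-posted entries:", exercised_conflicts(TRANSACTIONS))
```

Both tests are needed: the design test alone overstates the problem (a user may never have used the combination), and the operation test alone misses the exposure that exists until the entitlement is removed or a compensating review control is put in place.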
Definitions
 Balance Sheet : A financial statement that
summarizes a company's assets, liabilities and
shareholders' equity at a specific point in time.
These three balance sheet segments give
investors an idea as to what the company owns
and owes, as well as the amount invested by
shareholders.
 The balance sheet adheres to the following
formula:
 Assets = Liabilities + Shareholders' Equity
Definitions
 In accounting and finance, equity is the difference
between the value of the assets/interest and the cost
of the liabilities of something owned. For example, if
someone owns a car worth $15,000 but owes $5,000
on that car, the car represents $10,000 equity.
Definitions
 In financial accounting, a cash flow statement, also
known as statement of cash flows, is a financial
statement that shows how changes in balance
sheet accounts and income affect cash and cash
equivalents, and breaks the analysis down to
operating, investing and financing activities.
Stages of an audit
Substantive procedures
 Timing: after year-end
 Purpose: to check that the actual numbers in the Income
Statement and Balance Sheet (and, where applicable, Statement
of Changes in Equity and Cash Flow Statement) are reliable, by
performing tests that use the numbers provided.
 Methods:
 Where internal controls are strong, auditors typically rely more on Substantive Analytical Procedures (the comparison of sets of financial information, and of financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained).
 Where internal controls are weak, auditors typically rely more on Substantive Tests of Detail (selecting a sample of items from the major account balances, and finding hard evidence, e.g. invoices and bank statements, for those items).
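The two methods above can be shown on a small constructed receivables ledger. This is an added example, not part of the lecture: the analytical procedure flags a month-to-month movement that needs explaining, and the test of detail selects a monetary-unit sample (the sampling method commonly used for overstatement testing of balances), vouches each sampled item to its supporting invoice, and projects the misstatement found. The monthly figures, ledger entries, evidence amounts and function names are all this example's own.

```python
"""Substantive procedures on a constructed receivables ledger (added example).

  unexpected_movements : analytical procedure over monthly sales
  mus_sample           : monetary-unit (systematic dollar) sample of the ledger
  vouch                : test of detail against supporting evidence
All inputs are constructed for illustration.
"""

# Constructed monthly sales ($ thousand). June (index 5) jumps sharply.
MONTHLY_SALES = [410, 425, 418, 440, 432, 610, 445, 450]

# Constructed receivables ledger: (invoice id, book amount).
LEDGER = [
    ("INV-1", 1200.0), ("INV-2", 450.0), ("INV-3", 9800.0),
    ("INV-4", 300.0), ("INV-5", 2250.0), ("INV-6", 5000.0),
]

# Constructed "hard evidence": amount on the invoice / remittance located for
# each item. INV-6 is booked at 5000 but the evidence supports only 4500.
EVIDENCE = {"INV-1": 1200.0, "INV-3": 9800.0, "INV-6": 4500.0}


def unexpected_movements(series, threshold=0.30):
    """Analytical procedure: (index, prev, cur, pct_change) for moves beyond threshold.

    Each period is compared with the prior one; a jump nobody can explain becomes
    a point for inquiry or extended testing rather than a finding by itself.
    """
    flags = []
    for i in range(1, len(series)):
        prev, cur = series[i - 1], series[i]
        change = (cur - prev) / prev
        if abs(change) > threshold:
            flags.append((i, prev, cur, round(change, 3)))
    return flags


def mus_sample(ledger, sample_size, start):
    """Monetary-unit sampling: every dollar is a sampling unit, the item holding
    each selected dollar is picked. Items at or above the sampling interval are
    therefore always selected. `start` would be random in practice; it is a
    parameter here so the selection is reproducible. Returns (items, interval).
    """
    total = sum(amount for _, amount in ledger)
    interval = total / sample_size
    if not 0 <= start < interval:
        raise ValueError("start must lie in [0, interval)")
    picks = [start + k * interval for k in range(sample_size)]
    selected, cumulative, k = [], 0.0, 0
    for inv_id, amount in ledger:
        cumulative += amount
        while k < sample_size and picks[k] <= cumulative:
            if not selected or selected[-1][0] != inv_id:  # hit twice counts once
                selected.append((inv_id, amount))
            k += 1
    return selected, interval


def vouch(sample, evidence, interval):
    """Test of detail: compare each sampled book amount with its evidence.

    Overstatement = book - evidenced; missing evidence counts as unsupported.
    Items at or above the interval contribute their actual difference; smaller
    items are projected by tainting (difference / book) times the interval.
    Returns ([(id, book, evidenced, difference), ...], projected_misstatement).
    """
    findings, projected = [], 0.0
    for inv_id, book in sample:
        evidenced = evidence.get(inv_id)
        diff = book - (evidenced if evidenced is not None else 0.0)
        if diff:
            projected += diff if book >= interval else (diff / book) * interval
        findings.append((inv_id, book, evidenced, diff))
    return findings, round(projected, 2)


if __name__ == "__main__":
    print("movements to explain:", unexpected_movements(MONTHLY_SALES))
    sample, interval = mus_sample(LEDGER, sample_size=4, start=1000.0)
    print("sampling interval:", interval, "sample:", sample)
    print("vouching:", vouch(sample, EVIDENCE, interval))
```

Note how the two methods differ in what they produce: the analytical procedure yields questions for management, while the test of detail yields evidenced differences that can be projected to the population and compared with the auditor's materiality threshold.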
Audit Report Card
 In 2005, 174 auditors were inspected by the Public Company Accounting Oversight Board (PCAOB);
 almost half were deemed to have some trouble doing their job satisfactorily.
 On January 19th 2006, Grant Thornton became the latest.
 Fifteen of its audits were found to have significant "deficiencies", and one client had to restate at least part of its financial statements as a result of the inspection.
 Some audits by the "Big Four" accounting firms have also been found wanting (a few clients of each of the four restated their accounts).
 At least 19 of PwC's audits, for instance, were found to include deficiencies.
 Most of these failures resulted from accounting firms' inability to properly audit computer-based accounting systems.
New Business Models
 The business of providing high-end temporary accounting help is already worth $5 billion a year.
 Siegfried Group has seen revenues sextuple in the past two years, to $73m.
 In 2003 its core accounting business had just 15 clients; last year it had 100; by the end of May it had 155.
 More than 50 of these are among America's largest companies.
 Siegfried has even received business from a Big Four accounting firm.
 Siegfried's astonishing growth is explained by what it does not do: consulting and auditing, the signature products of the big firms.
 Siegfried is on the other side of the outsourcing boom: it is an insourcer.
What are Information Systems?
(and why do auditors care?)
The Information Tech Industry
 IT now represents 60% of expenditure in Fortune
500 companies
 90% in Finance companies
 Over $4 trillion annual expenditure (broadly
defined)
 Most of this is financial record keeping
How did we get here?
Automated Clerks: 1963-1980
 Back Office
 Computers as automated accountants
 Goals were efficiency and cost control
 “Legacy” systems automated manual tasks
 … but had no significant
effect on management’s
decision making
How did we get here?
Empowerment: 1980-1995
 Client / server systems
enhanced the productivity of
knowledge workers
 Word processing,
spreadsheets, and other tools
 Fomented a “white-collar”
revolution
How did we get here?
Networking: 1995 onward
 The Virtual Office (Global
Marketplace)
 Net and Web and internal
networks integrate the separate
activities of the firm
 What were “islands of data” have
become “knowledge nodes”
accessible to the whole firm
 … and the global marketplace
How did we get here?
Embedding: 2002-2010
 Computers grow cheap, small and powerful
 Morphing into a commodity platform
 Which substitutes for all sorts of devices
How did we get here?
Invisibility: c. 2020
The Web becomes
 an all-pervasive information presence;
 devices plug in and rewire on the fly;
 "smart dust" monitors everything.
 The rest? Machines taking care of the work.
Where are we?
Industry Structure, c. 2006

Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting       | 500   | 2,000  | US, India
Search & Storage              | 1,000 | 5,000  | US
Tools                         | 300   | 300    | US, Germany
Embedded                      | 1,500 | 700    | US, Japan, Korea, Greater China
Communications                | 700   | 2,000  | US, Germany, Japan, Greater China
Total                         | 4,000 | 10,000 |

For scale: gross world product (GWP) ~$45 trillion (population 6 billion); US gross domestic product (GDP) ~$10 trillion (population 300 million).
Where's the Money?
U.S. Output: Contribution to GDP (in billions)
 Other: $2,989
 Services: $2,965
 Manufacturing: $2,839
 Finance: $820
 Life Sciences: $712
 Information Technology: $534
Operations & Accounting
Networks
Market Share of servers 2017
DB servers
Servers OS
https://www.differencebtw.com/difference-between-stand-alone-operating-systems-and-server-operating-systems/
Email servers
Problems: Malware and Spam 2016
https://www.statista.com/chart/10045/new-malware-specimen-and-share-of-windows-based-malware/
IT Industry Leaders
Europe’s Venture Capital
Industries 2024
https://seedblink.com/2024-08-01-state-of-fundraising-in-q2-2024-key-findings-from-market-reports
IS Components
Hardware & Software
Software & Hardware
 Until the 1950s, there was no differentiation
between the two
 By the turn of the 21st
century, they had both
been commoditized
 Most of the money in IT now goes into:
 System customization (about 20%)
 Data (around 75%)
 Hardware Taxonomy:
 Central Processing Unit
 Memory (fast to slow): Cache, RAM / ROM, Optical & Magnetic Media
 Peripheral Processor (Video, Bus, etc.)
 Network Devices
Software Taxonomy
 Operating Systems
 Specialized O/S: Network O/S, Database O/S
 Utilities
 Programming Languages, Tools & Environments
 Utilities and Services
 Applications
Programming
 Basically the core task in Information Systems
 Languages:
 Translate from human language (task specific)
 To machine language (bits & bytes)
 And back to human language
 Today, these are just one part of a development environment that keeps track of numerous design decisions.
 What Machines do Well
 High-speed arithmetic
 Massive storage and search
 Repetitive, structured processes
 Consequently they often have difficulty with many real-world tasks
Applications Software Rules (1967:2000)
[Chart: proportion of total IT industry revenues (% share), 1987-2000, by category: Software; Communications equipment; Computer Hardware; Photocopying, office and accounting equipment]
http://www.itcandor.com/cloud-forecast-q217/
IT's Contribution to US GDP Growth
[Chart: IT contribution to real GDP growth (scale 0 to 1.2), 1950-2010]
How does IS change accounting?
 Information systems have shifted accounting
 away from the economics of shortage and resource allocation,
 towards an economics of increasing returns:
 information, attention and coordination.
 Accounting data is increasingly Internet traffic.
Where IS and Audit Meet
What Auditors Need to Know about IS
1. IS Security
2. Utility Computing and IS Service Organizations
3. Physical Security
4. Logical Security
5. IS Operations
6. Controls Assessment
7. Encryption and Cryptography
8. Computer Forensics
9. New Challenges from the Internet: Privacy, Piracy,
Viruses and so forth
10. Auditing and Future Technologies (RFID, Full
Automation of Substantive and Control Tests)
Future Opportunities
 Automated / Robot Auditors
 Technologies:
 Scanning,
 Surveillance,
 Logging and Analysis,
 Forensics
 Advantages:
 Always 'on'
 Sample sizes large enough for reliability
 No system 'learning curve'; shared experience database
 Objective, unbiased assessment
Organization of IS Audit study
IS Audit Programs
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance
[Diagram: the physical world beside the parallel (logical) world of accounting, with auditing spanning the two]
 The physical world: external real-world entities and events that create and destroy value; the internal operations of the firm; transactions.
 The parallel (logical) world of accounting: journal entries; 'owned' assets and liabilities; ledgers (databases); accounting systems; reports (statistics).
 Auditing (under corporate law): audit program; tests of transactions; substantive tests; analytical tests; attestation; audit report / opinion.
How Auditors Should Visualize Computer Systems
[Diagram: layered view of a computer system, with audit objectives attached to each layer]
 Business application systems and transaction flows
 Operating systems (including DBMS, network and other special systems)
 Hardware platform
 Physical and logical security environment
 Audit objectives: asset loss risks (internal audits); reporting risks (external audit); control process risks (internal & external audits)
The IS Auditor’s Challenge
 Corporate Accounting is in a constant state of
flux
 Because of advances in Information Technology
applied to Accounting
 Information that is needed for an Audit is often hidden
from easy access by auditors
 Making computer knowledge an important prerequisite
for auditing
 IS (and also just Information) assets are
increasingly the main proportion of wealth
held by corporations
The Challenge to Auditing Presented by
Computers
 Transaction flows are less visible
 Fraud is easier
 Computers do exactly what you tell them
 To err is human
 But, to really screw up you need a computer
 Audit samples require computer knowledge and access
 Transaction flows are much larger (good for the
company, bad for the auditor)
 Audits grow bigger and bigger from year to year
 And there is more pressure to eat hours
 Environmental, physical and logical security problems
grow exponentially
 Externally originated viruses and hacking
 are the major source of risk
 (10 years ago it was employees)
The Challenge to Auditing Presented by The Internet
 Transaction flows are external
 External copies of transactions on many Internet nodes
 External service providers for accounting systems
 require giving control to outsiders with different incentives
 Audit samples may be impossible to obtain
 because they require access to 3rd-party databases
 Transaction flows are intermingled between companies
 Environmental, physical and logical security problems grow exponentially
 Externally originated viruses and hacking
 are the major source of risk
 (10 years ago it was employees)

More Related Content

PPTX
Chapter 1 auditing and internal control
PPTX
Chapter 1 auditing and internal control
PPT
Lecture 1 introduction-to_audit_and_assurance
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
PPTX
Audits and Regulatory Compliance
PDF
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
PPTX
Information Systems Audit - week 2 lecture
Chapter 1 auditing and internal control
Chapter 1 auditing and internal control
Lecture 1 introduction-to_audit_and_assurance
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
Audits and Regulatory Compliance
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
Information Systems Audit - week 2 lecture

Similar to Information Systems Audit - week 1 lecture (20)

PPTX
Unit 1. Introduction of audit.pptx
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
PDF
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
PPT
Lecture 1 Intro to financial Analysis.ppt
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
PPT
Introduction-Financial-Statements-Audit.ppt
PPTX
METHODS OF AUDITING
PPT
Audit _Chapter 1.ppt
PPTX
CHAP 3 LEGAL, REGULATORY, AND PROFESSIONAL ENVIRONMENT.pptx
PPTX
Argannoo Odiitii Auditing-Degu Desta (3).pptx
PPTX
Audit & Investigation Presentation Module 1.pptx
PDF
Solution Manual for Auditing and Assurance Services 17th by Arens
PPT
AS.pptAS.pptAS.pptAS.pptAS.pptAS.pptAS.ppt
PDF
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
PDF
Solution Manual for Auditing and Assurance Services 17th by Arens
PDF
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
DOC
ACCOUNTING FOR AUDITING II COURSES UGdoc
PDF
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
PDF
Solution Manual for Auditing and Assurance Services 17th by Arens
Unit 1. Introduction of audit.pptx
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
Lecture 1 Intro to financial Analysis.ppt
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
Introduction-Financial-Statements-Audit.ppt
METHODS OF AUDITING
Audit _Chapter 1.ppt
CHAP 3 LEGAL, REGULATORY, AND PROFESSIONAL ENVIRONMENT.pptx
Argannoo Odiitii Auditing-Degu Desta (3).pptx
Audit & Investigation Presentation Module 1.pptx
Solution Manual for Auditing and Assurance Services 17th by Arens
AS.pptAS.pptAS.pptAS.pptAS.pptAS.pptAS.ppt
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
Solution Manual for Auditing and Assurance Services 17th by Arens
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
ACCOUNTING FOR AUDITING II COURSES UGdoc
Auditing and Assurance Services A Systematic Approach 10th Edition Messier So...
Solution Manual for Auditing and Assurance Services 17th by Arens
Ad

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Mushroom cultivation and it's methods.pdf
PPTX
A Presentation on Artificial Intelligence
PPTX
Tartificialntelligence_presentation.pptx
PPTX
TLE Review Electricity (Electricity).pptx
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Encapsulation theory and applications.pdf
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Approach and Philosophy of On baking technology
PPTX
1. Introduction to Computer Programming.pptx
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
Mobile App Security Testing_ A Comprehensive Guide.pdf
Mushroom cultivation and it's methods.pdf
A Presentation on Artificial Intelligence
Tartificialntelligence_presentation.pptx
TLE Review Electricity (Electricity).pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
OMC Textile Division Presentation 2021.pptx
Encapsulation theory and applications.pdf
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Approach and Philosophy of On baking technology
1. Introduction to Computer Programming.pptx
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
MIND Revenue Release Quarter 2 2025 Press Release
Reach Out and Touch Someone: Haptics and Empathic Computing
Assigned Numbers - 2025 - Bluetooth® Document
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
SOPHOS-XG Firewall Administrator PPT.pptx
Ad

Information Systems Audit - week 1 lecture

  • 1. Abdul-Rahman Mahmood Assistant Professor, Computer Science, FAST-NU abdulrahman@nu.edu.pk reddit.com/user/alphapeeler alphapeeler.sf.net/pubkeys/pkey.htm www.flickr.com/alphapeeler pk.linkedin.com/in/armahmood http://alphapeeler.tumblr.com bqb-tsid-asp armahmood786@jabber.org alphapeeler alphapeeler@aim.com alphapeeler abdulmahmood-sss armahmood786 alphapeeler@icloud.com http://alphapeeler.sf.net/ pinterest.com/alphapeeler IS Audit & Control
  • 3.  Operating Systems book  https://alphapeeler.sourceforge.net/index4stu.html#achievements_os  CEHv12 Mod020 – Cryptanalysis  https:// alphapeeler.sourceforge.net/index4stu.html#achievements_cryptana  AlphaPeeler Credited by other YouTubers  https://alphapeeler.sourceforge.net/index4stu.html#achievements_yt  Referred in Certified Ethical Hacking manuals  https:// alphapeeler.sourceforge.net/index4stu.html#achievements_ceh  Books and articles references  https:// alphapeeler.sourceforge.net/index4stu.html#achievements_books_artic les Student Life Achievements
  • 9. Class Policies • •Attendance will be marked only if you are present in class. •Attendance: 80% is required to be able to sit in final exams. •Remaining 20% : sick leave, internship, job, emergencies, accidents or going to phoppo's house, or any reason. • Cross Section Attendance is not allowed Late Assignment Submission till after 1 week of actual deadline. (Marks deduction applies for late submission) • After 1 week submissions of assignment won’t be accepted. • All Submissions on Google forms, no email submission • Plagiarism will not be tolerated.
  • 10. Reference books  IT Auditing: Using Controls to Protect Information Assets, 2nd Edition by Chris Davis, Mike Schiller with Kevin Wheeler.  Auditing Information Systems, Second Edition by Jack J. Champlain.  Information System Control and Audit by Ron Weber  CISA Review Manual 2010
  • 11. Assessment  The course material builds your innovation skills cumulatively  Spot tests will be given periodically to assess your comprehension of the readings.  Class participation is graded based on student participation in practicum exercises.  There will be midterm and final examinations that are cumulative.  Midterm 30%  Assignment 10%  Final Exam 50%  Project 10%  Total 100%
  • 12. Section A: fpmpz26 Section B: moqtiwa GCR codes (Section as on flex)
  • 13.  Course Outline:  IS Audit charter, Polices, Procedures, Audit computer networks and communication, Auditing software development, Acquisition, Maintenance, Auditing IT infrastructure, Auditing Management and Organization, Business process re-engineering: IS audit proposal, report, evidence and follow-up, complaint to standard, Enterprise service agreement, Backup and procedures Course Catalogue - HEC
  • 14.  After successful completion of this course students should be able to do auditing of information systems.  Develop and implement a risk-based IS audit strategy in compliance with IT Audit Standards, to ensure that key areas are included.  Plan specific audits to determine whether information systems are protected, controlled and provided value to the organization. Course Goals
  • 15.  Conduct audits in accordance with IT audit standards to achieve planned audit objectives.  Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.  Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner. Course Goals
  • 17. Auditing  An audit is an evaluation of an organization, system, process, project or product.  performed by a competent, independent, objective, and unbiased person or persons, known as auditors.  Purpose  Make an independent assessment based on management's representation of their financial condition (through their financial statements).  To ensure the operating effectiveness of the internal accounting system is in accordance with approved and accepted accounting standards / practices.  Evaluates the internal controls to determine if conformance will continue, and recommends necessary changes in policies, procedures or controls.  Auditing is a part of quality control certifications
  • 18. Financial Audit  Is an assurance or attestation on financial statements provided by accounting firms, whereby the firm provides an independent opinion on published information.  Performed by firms of practicing accountants due to the financial reporting knowledge they require.  Internal auditors, do not attest to financial reports but focus mainly on the internal controls of the organization.  External auditors  US's Certified Public Accountant (CPA)  UK's Chartered Certified Accountant (ACCA) and Chartered Accountants  (A.F. Ferguson & Co. , KPMG Taseer Hadi & Co. , Moody International)
  • 19. History  Independent auditing developed with the expansion of the British Empire in the 19th century  Prior to the 1930s, corporations were required neither to submit annual reports to government agencies or shareholders nor to have such reports audited.  The 1929 boom initiated to pressure for audit of publicly traded companies;  In the UK, the London Association of Accountants successfully campaigns for the right to audit companies in 1930  In the US, the Securities Exchange Act of 1934 required all publicly traded companies to disclose certain financial information, and that financial information be audited.  The establishment of the U.S. Securities and Exchange Commission (SEC) created a body to enforce the audit requirements.
  • 20. History since 1980  The Pro-business Reagan administration in the US, and the Thatcher regime in the UK lifted many of the controls over the profession  Leading to abuses that resulted in the crashes of 1987 and 2001  Since then, the Sarbanes-Oxley Act (SOX) has forced an expansion of audit responsibility and driven up audit revenues (and costs)  One study estimated the net private cost of SOX to amount to $1.4 trillion in the US.  It is an econometric estimate of “the loss in total market value around the most significant legislative events”—i.e., the costs minus the benefits as perceived by the stock market as the new rules were enacted.
  • 21. Audit Firms  The largest accounting firms (the 'Big 4' or ‘Final 4’) audit nearly all of large quoted/listed companies.  In addition to providing audits, they also provide other services including tax advice and strategic consultancy  The 5th largest firm, Grant Thornton, has only around 10% of the revenues of KPMG https://www.statista.com/statistics/250479/big-four-accounting-firms-global-revenue/
  • 22. Worldwide Big 4 revenues
    - The revenues of the big accounting firms grew by a healthy 15% last year.
    - They are, in effect, the back office of the global markets.
    - They are a "private police force... hired, fired and paid for by company management".
    - The "Big Four" firms employ around half a million people.
  • 23. Worldwide Big 4 revenues [chart: "Growth of 'Big 4' Revenues", revenues plotted by year from 2000 to 2012]
  • 24. Stages of an audit
    - Planning and risk assessment
    - Internal controls testing
    - Substantive procedures
  • 25. Stages of an audit: Planning and risk assessment
    - Timing: before year-end
    - Purpose: to understand the business of the company and the environment in which it operates, and to determine the major audit risks (i.e. the chance that the auditor will issue the wrong opinion).
    - For example, if sales representatives stand to gain bonuses based on their sales, and they account for the sales they generate, they have both the incentive and the ability to overstate their sales figures, thus leading to overstated revenue. In response, the auditor would typically plan to increase the precision of their procedures for checking the sales figures.
  • 26. Stages of an audit: Internal controls testing
    - Timing: before year-end
    - Purpose: to assess the internal control procedures (e.g. by checking computer security, account reconciliations, segregation of duties). If internal controls are assessed as strong, this will reduce (but not entirely eliminate) the amount of 'substantive' work the auditor needs to do.
  • 27. Definitions
    - Balance Sheet: A financial statement that summarizes a company's assets, liabilities and shareholders' equity at a specific point in time. These three balance sheet segments give investors an idea as to what the company owns and owes, as well as the amount invested by shareholders.
    - The balance sheet adheres to the following formula: Assets = Liabilities + Shareholders' Equity
  • 28. Definitions
    - In accounting and finance, equity is the difference between the value of the assets/interest and the cost of the liabilities of something owned. For example, if someone owns a car worth $15,000 but owes $5,000 on that car, the car represents $10,000 equity.
  • 29. Definitions
    - In financial accounting, a cash flow statement, also known as statement of cash flows, is a financial statement that shows how changes in balance sheet accounts and income affect cash and cash equivalents, and breaks the analysis down into operating, investing and financing activities.
  • 30. Stages of an audit: Substantive procedures
    - Timing: after year-end
    - Purpose: to check that the actual numbers in the Income Statement and Balance Sheet (and, where applicable, Statement of Changes in Equity and Cash Flow Statement) are reliable, by performing tests that use the numbers provided.
    - Methods:
      - where internal controls are strong, auditors typically rely more on Substantive Analytical Procedures (the comparison of sets of financial information, and of financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained);
      - where internal controls are weak, auditors typically rely more on Substantive Tests of Detail (selecting a sample of items from the major account balances and finding hard evidence, e.g. invoices or bank statements, for those items).
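As an added illustration of the three stages above (this is not code from the lecture), the following Python script runs a segregation-of-duties control test, an analytical procedure against prior-year sales, and a test of detail over a constructed ledger extract. The entries, user names, the $5,000 materiality threshold, the 20% tolerance and the rule that strong controls double the threshold are all assumptions made for the example.

```python
"""Audit-stage checks over a constructed general-ledger extract.

Added example, not from the lecture: all entries, names, the $5,000
materiality threshold and the 20% tolerance are constructed assumptions.
"""

# Constructed ledger rows: (entry id, account, amount, posted_by, approved_by, invoice)
LEDGER = [
    ("JE001", "Sales", 12000.0, "alice", "bob",   "INV-1001"),
    ("JE002", "Sales",  8500.0, "carol", "carol", "INV-1002"),  # posted and approved by one person
    ("JE003", "Sales", 15000.0, "alice", "bob",   None),        # no supporting invoice
    ("JE004", "Sales",  4300.0, "dave",  "bob",   "INV-1004"),
    ("JE005", "Sales",  9900.0, "carol", "carol", None),        # both problems
]

# Constructed monthly sales in $ thousands, current year vs prior year
MONTHLY_SALES = {"Jan": 100.0, "Feb": 105.0, "Mar": 160.0}
PRIOR_YEAR = {"Jan": 98.0, "Feb": 102.0, "Mar": 101.0}


def sod_violations(ledger):
    """Internal controls test: the person who posts an entry must not also approve it."""
    return [entry_id for entry_id, _, _, posted_by, approved_by, _ in ledger
            if posted_by == approved_by]


def analytical_review(current, prior, tolerance=0.20):
    """Substantive analytical procedure: flag months whose movement against the
    prior year exceeds the tolerance, so the auditor can ask for an explanation."""
    flagged = []
    for month, value in current.items():
        change = (value - prior[month]) / prior[month]
        if abs(change) > tolerance:
            flagged.append((month, round(change, 2)))
    return flagged


def entries_without_evidence(ledger, threshold):
    """Substantive test of detail: material items need hard evidence (an invoice)."""
    return [entry_id for entry_id, _, amount, _, _, invoice in ledger
            if amount >= threshold and invoice is None]


def audit_stages(ledger, current, prior, threshold):
    """Run the stages in order; the controls result decides how much detail work follows."""
    sod = sod_violations(ledger)
    controls_strong = not sod
    # Assumed simplification: strong controls reduce (but do not eliminate) detail
    # testing by doubling the materiality threshold; weak controls keep it as given.
    effective_threshold = threshold * 2 if controls_strong else threshold
    return {"sod_violations": sod,
            "controls_strong": controls_strong,
            "analytical": analytical_review(current, prior),
            "detail": entries_without_evidence(ledger, effective_threshold)}


if __name__ == "__main__":
    print(audit_stages(LEDGER, MONTHLY_SALES, PRIOR_YEAR, 5000))
```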
  • 31. Audit Report Card
    - In 2005, 174 auditors were inspected by the Public Company Accounting Oversight Board (PCAOB); almost half were deemed to have some trouble doing their job satisfactorily.
    - On January 19th 2006, Grant Thornton became the latest: fifteen of its audits were found to have significant "deficiencies", and one client had to restate at least part of its financial statements as a result of the inspection.
    - Some audits by the "Big Four" accounting firms have also been found wanting (a few clients of each of the four restated their accounts). At least 19 of PwC's audits, for instance, were found to include deficiencies.
    - Most of these failures resulted from accounting firms' inability to properly audit computer-based accounting systems.
  • 32. New Business Models
    - The business of providing high-end temporary accounting help is already worth $5 billion a year.
    - Siegfried Group has seen revenues sextuple in the past two years, to $73m. In 2003 its core accounting business had just 15 clients; last year it had 100; by the end of May it had 155. More than 50 of these are among America's largest companies.
    - Siegfried has even received business from a Big Four accounting firm.
    - Siegfried's astonishing growth is explained by what it does not do: consulting and auditing, the signature products of the big firms.
    - Siegfried is on the other side of the outsourcing boom: it is an insourcer.
  • 33. What are Information Systems? (and why do auditors care?)
  • 34. The Information Tech Industry
    - IT now represents 60% of expenditure in Fortune 500 companies (90% in finance companies).
    - Over $4 trillion annual expenditure (broadly defined).
    - Most of this is financial record keeping.
  • 35. How did we get here? Automated Clerks: 1963-1980
    - Back office: computers as automated accountants.
    - Goals were efficiency and cost control.
    - "Legacy" systems automated manual tasks... but had no significant effect on management's decision making.
  • 36. How did we get here? Empowerment: 1980-1995
    - Client/server systems enhanced the productivity of knowledge workers.
    - Word processing, spreadsheets, and other tools fomented a "white-collar" revolution.
  • 37. How did we get here? Networking: 1995 onward
    - The Virtual Office (Global Marketplace).
    - The Net, the Web and internal networks integrate the separate activities of the firm.
    - What were "islands of data" have become "knowledge nodes" accessible to the whole firm... and the global marketplace.
  • 38. How did we get here? Embedding: 2002-2010
    - Computers grow cheap, small and powerful,
    - morphing into a commodity platform
    - which substitutes for all sorts of devices.
  • 39. How did we get here? Invisibility: c. 2020
    - "The Web" becomes an all-pervasive information presence.
    - Devices plug in and rewire on the fly.
    - "Smart dust" monitors everything.
    - The rest? Machines taking care of the work.
  • 40. Where are we? Industry Structure, c. 2006
    Information Technology Market:
    Segment                  Annual Expenditures ($US billion)   Employees (thousand)   Major Suppliers
    Operations & Accounting  500                                 2000                   US, India
    Search & Storage         1000                                5000                   US
    Tools                    300                                 300                    US, Germany
    Embedded                 1500                                700                    US, Japan, Korea, Greater China
    Communications           700                                 2000                   US, Germany, Japan, Greater China
    Total                    4,000                               10,000
    GWP ~$45 trillion (Pop: 6 billion); US GDP ~$10 trillion (Pop: 300 million)
    (GDP: gross domestic product; GWP: the gross world product)
  • 41. Where's the Money? U.S. Output: Contribution to GDP (in billions) [chart]
    - Other: $2,989
    - Services: $2,965
    - Manufacturing: $2,839
    - Information Technology: $534
    - Life Sciences: $712
    - Finance: $820
  • 44. Market Share of servers 2017 [charts: DB servers, server OS, email servers] https://www.differencebtw.com/difference-between-stand-alone-operating-systems-and-server-operating-systems/
  • 45. Problems: Malware and Spam 2016 https://www.statista.com/chart/10045/new-malware-specimen-and-share-of-windows-based-malware/
  • 47. Europe’s Venture Capital Industries 2024 https://seedblink.com/2024-08-01-state-of-fundraising-in-q2-2024-key-findings-from-market-reports
  • 49. Software & Hardware
    - Until the 1950s, there was no differentiation between the two.
    - By the turn of the 21st century, they had both been commoditized.
    - Most of the money in IT now goes into system customization (about 20%) and data (around 75%).
    - Hardware Taxonomy [diagram, fast to slow]: Central Processing Unit; Memory: Cache, RAM / ROM; Optical & Magnetic Media; Peripheral Processor (Video, Bus, etc.); Network Devices.
  • 50. Software Taxonomy [diagram]: Operating Systems; Specialized O/S; Network O/S; Database O/S; Utilities; Programming Languages, Tools & Environments; Utilities and Services; Applications.
  • 51. Programming
    - Basically the core task in Information Systems.
    - Languages translate from human language (task specific) to machine language (bits & bytes), and back to human language.
    - Today, these are just one part of a development environment that keeps track of numerous design decisions.
    - What machines do well: high-speed arithmetic; massive storage and search; repetitive, structured processes.
    - Consequently they often have difficulty with many real-world tasks.
  • 52. Applications Software Rules (1967:2000) [chart: proportion of total IT industry revenues, % share by year from 1987 to 2000, for Software; Communications equipment; Computer Hardware; Photocopying, office and accounting equipment]
  • 54. IT's Contribution to US GDP Growth [chart: IT contribution to real GDP growth, scale 0 to 1.2, by year from 1950 to 2010]
  • 55. How does IS change accounting?
    - They have shifted away from the economics of shortage and resource allocation,
    - towards an economics of increasing returns: information, attention and coordination.
  • 56. Accounting Data is increasingly Internet Traffic
  • 57. Where IS and Audit Meet
  • 58. What Auditors Need to Know about IS
    1. IS Security
    2. Utility Computing and IS Service Organizations
    3. Physical Security
    4. Logical Security
    5. IS Operations
    6. Controls Assessment
    7. Encryption and Cryptography
    8. Computer Forensics
    9. New Challenges from the Internet: Privacy, Piracy, Viruses and so forth
    10. Auditing and Future Technologies (RFID, Full Automation of Substantive and Control Tests)
  • 59. Future Opportunities: Automated / Robot Auditors
    - Technologies: scanning, surveillance, logging and analysis, forensics.
    - Advantages: always 'on'; sample sizes large enough for reliability; no system 'learning curve', shared experience database; objective, not biased / unfavorable assessment.
  • 60. Organization of IS Audit study
  • 61. IS Audit Programs
    - What is IS Auditing?
    - Why is it Important?
    - What is the Industry Structure?
    - Attestation and Assurance
  • 62. Auditing [diagram] The Physical World: external real-world entities and events that create and destroy value; 'owned' assets and liabilities; internal operations of the firm. The Parallel (Logical) World of Accounting: transactions, journal entries, ledgers (databases), reports (statistics), accounting systems. Auditing: audit program; tests of transactions, substantive tests, analytical tests; attestation; corporate law; audit report / opinion.
  • 63. How Auditors Should Visualize Computer Systems [diagram] Layers: Business Application Systems (transaction flows); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment. Audit Objectives: Asset Loss Risks (internal audits); Reporting Risks (external audit); Control Process Risks (internal & external audits).
  • 64. The IS Auditor's Challenge
    - Corporate accounting is in a constant state of flux because of advances in Information Technology applied to accounting.
    - Information that is needed for an audit is often hidden from easy access by auditors, making computer knowledge an important prerequisite for auditing.
    - IS (and also just information) assets are increasingly the main proportion of wealth held by corporations.
  • 65. The Challenge to Auditing Presented by Computers
    - Transaction flows are less visible.
    - Fraud is easier: computers do exactly what you tell them. To err is human, but to really screw up you need a computer.
    - Audit samples require computer knowledge and access.
    - Transaction flows are much larger (good for the company, bad for the auditor): audits grow bigger and bigger from year to year, and there is more pressure to eat hours.
    - Environmental, physical and logical security problems grow exponentially: externally originated viruses and hacking are the major source of risk (10 years ago it was employees).
  • 66. The Challenge to Auditing Presented by The Internet
    - Transaction flows are external: external copies of transactions exist on many Internet nodes.
    - External service providers for accounting systems require giving control to outsiders with different incentives.
    - Audit samples may be impossible to obtain because they require access to 3rd-party databases.
    - Transaction flows are intermingled between companies.
    - Environmental, physical and logical security problems grow exponentially: externally originated viruses and hacking are the major source of risk (10 years ago it was employees).

Editor's Notes

  • #19: Securities and Exchange Commission of Pakistan What is the mission of the SECP? To develop an efficient and dynamic regulatory body that fosters principles of good governance in the corporate sector, ensures proper risk management procedures in the capital market, and protects investors through responsive policy measures and effective enforcement practices.
  • #20: Margaret Thatcher : Former British Prime Minister Margaret Hilda Thatcher, Baroness Thatcher, LG, OM, PC, FRS was a British stateswoman and politician who was the Prime Minister of the United Kingdom from 1979 to 1990 and the Leader of the Conservative Party from 1975 to 1990
  • #27: Shareholders' equity is the amount that the owners of a company have invested in their business. This includes the money they've directly invested and the accumulation of income the company has earned and that has been reinvested since inception.
  • #30: DEFINITION of 'Balance Sheet' A financial statement that summarizes a company's assets, liabilities and shareholders' equity at a specific point in time. These three balance sheet segments give investors an idea as to what the company owns and owes, as well as the amount invested by shareholders. In accounting and finance, equity is the difference between the value of the assets/interest and the cost of the liabilities of something owned. For example, if someone owns a car worth $15,000 but owes $5,000 on that car, the car represents $10,000 equity. In financial accounting, a cash flow statement, also known as statement of cash flows, is a financial statement that shows how changes in balance sheet accounts and income affect cash and cash equivalents, and breaks the analysis down to operating, investing and financing activities.
  • #39: Human communication uses an insignificant portion of bandwidth
  • #40: Gross domestic product (GDP) is a monetary measure of the market value of all final goods and services produced in a period (quarterly or yearly) of time. The gross world product (GWP) is the combined gross national product of all the countries in the world.
  • #41: The gross domestic product (GDP) is one of the primary indicators used to gauge the health of a country's economy.
  • #53: Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions, ostensibly for the purpose of improved operations and reduced budgetary expenditures through the reduction of directly-employed staff. IaaS : Infrastructure as a service (IaaS) is the on-demand availability of highly scalable computing resources as services over the internet.
  • #58: Logical Security consists of software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels.
  • #64: state of flux: constantly changing; unaccountable.