
KAS 3083: Topic 1

OVERVIEW OF IS AUDITING

LEARNING OUTCOMES
Overview of IS Auditing
1. The Need for Control and Audit of IS
2. Definition and objectives of IS auditing
3. Effects of computers on traditional internal control principles
4. Auditors' evidence collection & evidence evaluation functions
5. Foundations of IS auditing

Need for Control & Audit of Computers
Computers assist organizations to process data and provide information for decision making.
The use of computers has to be controlled.
Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
There are 7 major reasons to establish a function to examine controls and audit of computers.

Factors Influencing an Organization toward Control and Audit of Computers
[Diagram: seven factors lead organizations toward control and audit of computers]
Organizational costs of data loss
Costs of incorrect decision making
Costs of computer abuse
Value of computer hardware, software and personnel
High costs of computer error
Maintenance of privacy
Controlled evolution of computer use

Organizational Costs of Data Loss
Data is a resource which provides an organization with an image of itself, its environment, history and future.
Accurate data increases an organization's ability to adapt and survive in a changing environment, but if the data is inaccurate the organization will suffer significant losses.

Incorrect Decision Making
High quality decisions require: HIGH QUALITY DATA and HIGH QUALITY DECISION RULES.
Accurate data depends on the types of decisions.
Accurate decision rules depend on the types of decisions.

Costs of Computer Abuse
Development of an IS audit function is needed because of computer abuse.
Major types of computer abuse:
Hacking - unauthorized electronic access to a computer
Viruses - programs which attach themselves to computer files to disrupt operations or damage data or programs
Illegal physical access to computer facilities
Abuse of privileges
Computer abuse leads to some consequences

Costs of Computer Abuse


Types of consequences of computer abuse

Destruction of assets
Theft of assets
Modification of assets
Privacy violations
Disruption of operations
Unauthorized use of assets
Physical harm to personnel

Losses are higher than from conventional fraud


Numbers and types of threats seem to be increasing
Organizations are not well prepared
Deterrent security and administrative countermeasures
can be effective
Laws governing abuse are evolving

Value of Computer Hardware, Software & Personnel
Data, computer hardware, software and personnel are important to an organization.
Hardware - loss or damage can be costly: value of assets and cost of disruption of service
Software - investment in software, disruption of business, confidential information, proprietary secrets
Personnel - scarcity, training cost, unique knowledge, disruption in service, loss of competitive advantage

High Costs of Computer Error
Automatic performance of critical functions in society
Cost of computer errors is high, such as loss of life or damage to the environment.
Organizations are held liable for the consequences of computer errors.

Maintenance of Privacy
Data is collected about us: taxation, credit, medical, educational, employment, residence, spending habits
People are concerned about the impact on personal privacy, which they consider to be a human right

Controlled Evolution of Computer Use
Conflicts arise on how computer technology should be used:
use of computers in control over weapon systems
use of computers to control working life and environment
Use of technology produces social problems
Governments, professional bodies, pressure groups, organizations and individuals must be concerned with evaluating and monitoring how to deploy computer technology.

IS Auditing
IS auditing is the process of collecting and evaluating evidence to determine whether a computer:
Safeguards assets;
Maintains data integrity;
Allows organizational goals to be achieved effectively;
Uses resources efficiently.
IS auditing supports traditional audit objectives, effectiveness and efficiency objectives - external and internal auditors.
IS audit ensures that organizations comply with regulations, rules and conditions.

Information Systems Auditing
The impact of IS audit function on organizations
[Diagram: effects of the IS audit function on organizations]
Improved safeguarding of assets
Improved data integrity
Improved system effectiveness - Effectiveness Auditing, Effectiveness Metrics
Improved systems efficiency - Efficiency Metrics
Compliance with regulations, rules or conditions

Effects of Computers on Internal Controls
Separation of duties
Separation of duties does not always apply
Delegation of authority and responsibility
Delegating authority and responsibility is difficult
Some resources are shared among multiple users.
Difficult to trace who is responsible when errors occur
Competent and trustworthy personnel
Difficult to have competent and trustworthy IS personnel - high turnover, therefore substantial power given to IS personnel
System of authorizations
2 types of authorization to execute transactions - general and specific authorizations
Manual system - authorization procedures are examined by auditors, BUT in a computer system authorization is within the computer program.
Difficult to assess whether the authority assigned is consistent with management.

Effects of Computers on Internal Controls
Adequate documents and records
Manual system - adequate documents and records are needed to provide an audit trail, BUT in a computer system documents might not be used.
No visible audit or management trail needed.
NOT all computer systems are well designed; some do not provide adequate access control and logging facilities to ensure preservation of an accurate and complete audit trail.
Physical control over assets and records
Critical in both systems, but with different concentration of the IS assets and records.
Manual system - records are maintained in different physical locations, BUT computer system records are maintained at a single site.
Losses of IS assets and records increase when computer abuse arises.

Effects of Computers on Internal Controls
Adequate management supervision
Manual supervision of employees is straightforward, BUT in computer systems it might have to be carried out remotely.
Supervisory controls are built into the computer systems to leverage the technology
Develop agreement between management and subordinates
Independent checks on performance
Manual systems - independent checks are carried out to detect errors and irregularities by employees, BUT in computer systems independent checks are of less value.
A computer system always follows the program code, which is designated to be authorized, accurate and complete.
Comparing recorded accountability with assets
Manual systems - the basic data is prepared by employees for comparison, BUT in computer systems software is used to prepare the data.

Effects of Computers on Auditing
Changes to evidence collection
More complex control technology
Rapid evolution of control technology
Lag in the development of audit tools
System Reliability and Controls Reliability?

Changes to evidence evaluation
Is the control reliable?
It is difficult to trace the effect of a weakness in a shared data environment
Greater consequence of errors
Consequences of control strength or weaknesses?

Foundations of IS Auditing
IS auditing as an intersection of other disciplines.
[Diagram: Information Systems Auditing at the intersection of four disciplines]
Traditional Auditing - knowledge and experience with IC techniques; control philosophy
IS Management - understand better ways to manage system development
Computer Science - technical knowledge
Behavioral Science - understand conditions that lead to system failure due to human factors

IT Auditors' Roles
What do IT auditors do?
Ensure IT governance by assessing risks and monitoring controls over those risks
Work as either internal or external auditors
Work on many kinds of audit engagements
Evidence collection by performing tests of controls and substantive tests
Financial vs. IT Audits
IT auditors may work on financial audit engagements
IT auditors may work on every step of the financial audit engagement
Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

Role of IT Auditors in the Financial Audit Process
Develop an understanding of the client and perform preliminary audit work
Develop Audit Plan
Evaluate the IC system
Determine degree of reliance on IC
Perform Substantive Testing
Review work and issue audit report
Conduct follow-up work

TOC

IT Audit Skills
College education - IS, computer science, accounting
Certifications - CPA, CFE, CIA, CISA, CISSP, and special technical certifications
Technical IT audit skills - specialized technologies
General personal and business skills
Professional Groups and Certifications - Alphabet Soup
ISACA - CISA, CISSP
IIA - CIA
ACFE - CFE
AICPA - CPA and CITP

Structuring an IT Audit
AICPA Standards and Guidelines - GAAS, SAS, and SSAE
IFAC Guidelines - harmonized or common international accounting standards and guidelines
ISACA standards, guidelines, and procedures - includes CobiT and audit standards

Summary
Organizations must control and audit computer-based IS because the costs of errors and irregularities are high.
The IS audit function is used to safeguard assets, maintain data integrity, and achieve systems effectiveness and efficiency.
Computer-based IS do not undermine the traditional internal control principles.
Evidence collected on the reliability of internal controls in computer-based IS is more varied in type, complex and critical.
Evaluating the reliability of controls in computer-based IS is more complex.
Many of the principles in IS auditing are similar to those of traditional auditing, computer science, management and behavioral science.

IT Auditing is a growing field.
Technology is changing daily and increasingly impacting businesses. The need for auditing is also increasingly important.
Accounting scandals in recent years point to a need for more monitoring and oversight.
So, as IT is becoming more complex and pervasive, the need for auditing is also on the rise. Thus, IT auditors are going to be in demand.


The End
Thank You!
