Auditing an IT Environment Flashcards
What is an IT Environment
Consists of IT applications and supporting IT infrastructures as well as the IT processes and personnel involved in those processes that an entity uses to support business operations and achieve business strategies
IT Application
Program or set of programs that is used in the initiation, processing, recording, and reporting of transactions or information.
IT infrastructures
Comprises the network, operating system, and databases and their related hardware and software
IT Processes
Entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations
Components of IT Infrastructure
- Database System
- Operating System
- Networks
Examples of Networks
- LAN- Local Area Network
- MAN- Metropolitan Area Network
- NAN- National Area Network
- WAN- Wide Area Network
- Internet
Hardware
Physical Devices or equipment used to accomplish data processing functions
Software
Consists of sets of instructions or programs that direct, control, and coordinate the operation of the hardware components
What is Risk arising from the use of IT (RAIT)
Susceptibility of information processing controls to ineffective design or operation or risk to the integrity of information in the information system due to ineffective design or operation of controls in the entity’s IT process
Entity Wide general Controls
- Strategies and Plans
- Segregation of Duties
- Policies and procedures
- Quality Assurance
- Risk Assessment Activities
- Training
- Internal Audit and Monitoring
General IT Controls
- Controls over IT changes
- IT Operations Controls
- Access Controls
Handled by a Chief Information Officer who supervises the operation of the department
Information System Management
Responsibilities within an Information Systems Department
- Information Systems Management.
- System Analysis
- Application Programming
- Database Administration
- Data Entry
- Computer Operation
- Program and File Library
- Data Control
- Telecommunication
- Quality Assurance
Types of Computer Systems
- Management Reporting Systems
- Transaction Processing Systems
Management Reporting System
Designed to help with the decision-making process by providing access to computer data
Transaction Processing Systems
Involved in the daily processing of transactions
Cold Site
Similar to a hot site, but the customer provides and installs the equipment needed to continue operation
Hot Site
Commercial disaster recovery service that allows a business to continue computer operations in the event of a computer disaster
Gateway
A hardware and software solution that enables communications between two dissimilar networking systems or protocols.
General Controls
Control policies and procedures that relate to the overall computer information system
Application Controls
Control policies and procedures that relate to specific use of the system in order to provide reasonable assurance that all transactions are authorized, recorded, and are processed completely, accurately and on a timely basis
Examples of Application Controls
- Controls over input
- Controls over processing and computer data files
- Controls over output
Check digit
Adding an extra number at the end of each account number and subjecting the new number to an algorithm
Blackbox Approach
Involves procedures generally performed in testing manual control structure
Focuses solely on the input documents and the IT output
Whitebox Approach
A. Auditing with the computer- uses the entity’s computer as an audit tool
B. Auditing through the computer- enters the client’s system and directly examines the computer and its system and application software
Categories of Computer-Assisted Auditing Techniques
- Program Analysis
- Program Testing
- Continuous testing
- Review of Operating Systems
Program Analysis
Technique which allows the auditor to gain an understanding of the client’s program
Program Testing
Involves the use of auditor-controlled actual or simulated data. Also provides direct evidence about the operation of programs and programmed controls