Auditing & IT Flashcards
INTERNAL CONTROL FOR IT
Auditing internal control in a company’s IT environment helps to:
- Plan the rest of the audit
- Look for shorter audit trails that may expire
- Problem with auditing IT: less documentation
INTERNAL CONTROL FOR IT
Assess the level of Control Risk:
- Unauthorized access to systems or data is more difficult to catch
- Systems access controls add another layer to the separation of duties analysis
- Focus should be on the general controls
- Any new systems developments
- Current systems changes
- Program/Data access changes
Audit of IT is NOT required
- Audit of IT is NOT required when controls are redundant with those of another department
- The system doesn’t appear to be reliable, and testing controls wouldn’t be an efficient use of time
- Costs > Benefit
Audit of IT
Audit of IT can be performed without directly interacting with the system if:
- System isn’t complex/complicated
- System output is detailed
Database Admin
- Maintains Database
- Restricts Access
- Responsible for IT Internal Control
Systems Analyst
- Recommends changes or upgrades
- Liaison between IT and users
Librarian
- Responsible for disk storage
- Holds System Documentation
Generalized Audit Software
- Uses computer speed to quickly sort data and files, which leads to a more efficient audit
- Compatible with different client IT systems
- Extracts evidence from client databases
- Tests data without auditor needing to spend time learning the IT system in detail
- Client-tailored or commercially produced
Structured Query Language (SQL)
- Relational database: a group of related tables (similar to linked spreadsheets)
- Retrieves information through queries
Data Definition Language
- Defines a database
- Gives information on database structure
- Maintains tables
- Can be joined together
- Establishes database constraints
Data definition language is used to define a database, including creating, altering, and deleting tables and establishing various constraints
Data Manipulation Language (DML)
- Auditor needs information, so client uses DML to get the information needed
Data Control Language
- Controls a database
- Restricts access
Check Digits
- Makes it more difficult for a fraudulent account to be set up or go undetected
Code Review
- Tests a program’s processing logic
- Advantageous because auditor gains a greater understanding of the program
Limit Test
Examines data and looks for reasonableness using upper and lower limits
Test Data Method
- Auditor processes data with client’s computer
- Fake transactions are used to test program control procedures
- Each control needs to be tested only once
- Problem - Fake data could combine with real data
Operating systems logs
Auditor can review logs to see which applications were run and by whom
Access Security Software
- Helpful in online environments
- Restricts computer access
- May use encryption
Library Management Software
Logs any changes to systems, applications, etc.
Embedded Audit Modules
- Enable continuous monitoring in an audit environment that is changing
- Weakness: requires implementation into the system design
- Collects information based on some criteria and can be analyzed at a later time (necessary because the audit environment is continually changing)
Audit Hook
Application instruction that gives the auditor control over the application to grab transactions for analysis
Transaction tagging
Auditor tags transactions and traces them through the system
Extended records
Adds audit data to financial records to assist in audit trail creation
Real Time Processing
- Destroys prior data when updated
- aka “Destructive Updating”
- Requires a well-documented audit trail
If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications, an error in the applications could be missed
Compiler
Software that translates a source program (written in a language similar to English) into machine language that the computer can execute
Parallel Simulation
- Client data is processed using Generalized Audit Software (GAS)
- Sample size can be expanded without significantly increasing the audit cost
- GAS output compared to client output
Data manipulation language
Data manipulation language is composed of commands used to maintain and query a database, including updating, inserting, modifying, and querying (asking for data)
Data control language
Data control language is composed of commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database)
Five Trust Services Principles
Five Trust Services principles are
- Security
- Availability
- Processing Integrity
- Online Privacy
- Confidentiality
IT on Internal Control
The following factors related to control activities may impact an auditor’s consideration of the effect of IT on internal control.
a. Information processing. Two areas in which control activities can be affected by computer processing are authorization of transactions and the maintenance of adequate documents and records. Authorization procedures in many computer systems are a part of the computer program. Thus, there is increased potential for unauthorized individuals to gain access to sensitive accounting information. Concerning the maintenance of adequate documentary evidence, auditors must be aware that the traditional audit trail may not be available because the IT system does not provide a hard copy of source documents.
b. Segregation of duties. Adequate controls must be established within the IT department to compensate for the lack of segregation of duties that would normally be available in a manual system.
c. Physical controls. In an IT department, access to assets is often possible through the computer system. As such, the need for enhanced physical controls is of great importance in an IT environment. It is also important to have adequate backup for computer files, as their destruction or damage could result in significant problems for a business entity.