Steps 2 Flashcards
Before an IS auditor can begin an audit of infrastructure or application systems,
the auditor must understand the environment.
Automated controls include
validation and edit checks, programmed logic functions, and other controls enforced by the application itself.
Manual controls are those that auditors or staff verify by hand, such as
the review of reconciliation reports and exception reports.
The purpose of both automated and manual controls is to verify the following:
. The validity of data processed is ensured.
. The accuracy of data processed is ensured.
. Data is stored under controls that preserve its accuracy, validity, confidentiality, and integrity.
. Processed data produces the expected results.
Auditors can perform control checks by doing the following:
. Discovering and identifying application components so that transaction flow can be analyzed.
. Determining the appropriate audit procedures to perform tests to evaluate strengths and weaknesses of the application.
. Analyzing test results.
. Validating the results and reporting on the application's effectiveness and efficiency. The results should also be measured against good programming standards and compared against management's objectives for the application.
Setting the Scope of the Review
The audit engagement letter should set out clearly the types of matters that will be reviewed during the audit and the scope of such review.
Before controls can be examined, an auditor must
understand the business strategy and the business process.
To understand business objectives and strategy, start with
the company's business plan.
Next, review
the long- and short-term goals.
Finally, review
the organization’s goals.
After reviewing this background information,
examine process flow charts.
Next, review
application controls, data integrity controls, and controls for business systems.
When reviewing input controls, the auditor must
ensure that all transactions have been entered correctly. Whatever controls are used, they should be capable of checking that input is valid. This becomes important because in many automated systems, the output of one system is the input of another. In such situations, the data should be checked at both the sending and the receiving application.
Types of authorization controls include these:
. Signatures on forms or documents approving a change.
. Password controls that are required to process a change.
. Client identification controls that allow only certain clients to authorize the change. As an example, the clerk at the local market cannot authorize a price override, yet the manager can by using a manager-level access login.
A batch control is a second type of input control. Batch controls combine
transactions into a group. A control total is then computed for the group. The total can be based on dollar amounts, item counts, document numbers, or hash totals. The total computed when the batch is submitted should match the total recomputed by the receiving system after processing; any difference means the batch was not processed exactly as submitted.
Total dollar amounts verify
that the sum of the item amounts in the batch equals the batch total amount.
Total item counts verify
that the number of items processed matches the number of items submitted.
Total document numbers verify that the total number of
documents in the batch equals the total number of documents processed. Documents could be invoices generated, orders, or any document count that is used to track accuracy.
Hash totals are generated by
summing a selected field across all transactions in the batch, typically a field that has no arithmetic meaning on its own, such as account numbers. The same total is recomputed after processing; a mismatch indicates that something has been lost, duplicated, entered incorrectly, or otherwise corrupted.
Hash Totals
The purpose of hash totals is similar to the way cryptographic hashing algorithms such as MD5 or SHA-1 are used to verify integrity. The mechanism is not: a batch hash total is a plain arithmetic sum of one field, not a cryptographic digest, so it detects accidental loss, duplication, or mis-keying but offers no protection against deliberate tampering, and compensating errors (two mistakes that cancel out) can pass it unnoticed.
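As an added example that is not part of the original flashcards, the following Python code reconciles a batch sent by one application with the batch received by another, which is the sending-and-receiving check described under input controls and the four batch control totals described above. The transactions, field names and amounts are constructed for illustration; the account number is used as the hash-total field because it has no arithmetic meaning of its own.

```python
"""Batch input controls: reconcile a sent batch against a received batch.

Constructed example for illustration; the transactions and field names are
assumptions, not data from any real system.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    doc_no: int       # document (e.g. invoice) number
    account: int      # account number; has no arithmetic meaning, so it is the hash-total field
    amount: Decimal   # transaction amount


@dataclass(frozen=True)
class BatchTotals:
    item_count: int          # total item count
    dollar_total: Decimal    # total dollar amount
    document_total: int      # total number of distinct documents
    hash_total: int          # arithmetic sum of the account field


CONTROLS = ("item_count", "dollar_total", "document_total", "hash_total")


def batch_totals(txns):
    """Compute the four batch control totals over a list of transactions."""
    return BatchTotals(
        item_count=len(txns),
        dollar_total=sum((t.amount for t in txns), Decimal("0")),
        document_total=len({t.doc_no for t in txns}),
        hash_total=sum(t.account for t in txns),
    )


def reconcile(sent, received):
    """Return the names of the controls that disagree between the batch the
    sending application submitted and the batch the receiving application
    processed. An empty list means the batch is accepted."""
    a, b = batch_totals(sent), batch_totals(received)
    return [name for name in CONTROLS if getattr(a, name) != getattr(b, name)]


# Constructed batch as submitted by the sending application.
SENT = [
    Txn(1001, 4410, Decimal("125.00")),
    Txn(1002, 4420, Decimal("80.50")),
    Txn(1003, 4431, Decimal("19.99")),
    Txn(1004, 4450, Decimal("300.00")),
]


def demo():
    """Run several constructed 'received' batches through reconcile() and
    report which controls catch each kind of error."""
    return {
        # Identical copy: every control agrees.
        "intact": reconcile(SENT, list(SENT)),
        # Last record lost in transit: every control disagrees.
        "lost_record": reconcile(SENT, SENT[:3]),
        # Record 1003 duplicated in place of 1004: the item count still
        # matches, so only the other three controls detect it.
        "duplicated_record": reconcile(SENT, [SENT[0], SENT[1], SENT[2], SENT[2]]),
        # Digits transposed in an account number (4431 -> 4413): counts and
        # amounts are unchanged, so only the hash total detects it.
        "transposed_account": reconcile(
            SENT, [SENT[0], SENT[1], Txn(1003, 4413, Decimal("19.99")), SENT[3]]),
        # One amount mis-keyed: only the dollar total detects it.
        "miskeyed_amount": reconcile(
            SENT, [SENT[0], Txn(1002, 4420, Decimal("85.00")), SENT[2], SENT[3]]),
        # Two mis-keyed amounts that cancel out (125.00 -> 120.00 and
        # 80.50 -> 85.50): no batch total changes, so none of the controls
        # detects it. Batch totals need record-level edit checks beside them.
        "compensating_errors": reconcile(
            SENT, [Txn(1001, 4410, Decimal("120.00")),
                   Txn(1002, 4420, Decimal("85.50")), SENT[2], SENT[3]]),
    }


if __name__ == "__main__":
    for scenario, failed in demo().items():
        print(f"{scenario:22} failed controls: {failed or 'none'}")
```

The last scenario is the caveat that matters in practice: batch totals reconcile the batch as a whole, so errors that offset each other pass every control, which is why record-level validation and edit checks are still required at input.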
Batch Controls
Be aware that the CISA exam might ask questions about what is considered a valid batch control.
Test candidates should understand each type and know that batch controls are used to detect loss, duplication, or corruption of data.