9b. audit and security

Upload: symhout

Posted on 03-Apr-2018


    7/28/2019 9B. Audit and Security 1/14 12-03-20

    AUDITING

    What does an auditor do?

    What is AUDITING?

    Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.


    Types of Audits

    Two broad categories of audits:

    - Internal Audit
    - External Audit

    Definition of Internal Auditing

    Several definitions:

    - A systematic process of objectively obtaining and evaluating assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria and communicating the results to interested users.
    - An independent activity, established by management to examine and evaluate the organization's risk management processes and systems of control, and to make recommendations for the achievement of company objectives.
    - An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management.

    The need for internal audit

    - The scale, diversity and complexity of the company's activities
    - The number of employees
    - Cost-benefit considerations
    - Changes in the organizational structures, reporting processes or underlying information systems
    - Changes in key risks
    - Problems with internal control systems
    - An increased number of unexplained or unacceptable events


    Objectives of internal audit

    - Review of the accounting and internal control systems
    - Examination of financial and operating information
    - Review of the economy, efficiency and effectiveness of operations
    - Review of compliance with laws, regulations and other external requirements
    - Review of the safeguarding of assets
    - Review of the implementation of corporate objectives
    - Identification of significant business and financial risks (risk management)
    - Special investigations

    Features of internal audit

    - Independence
    - Appraisal

    Types of Audits

    - Operational/management/efficiency/value for money audit (monitoring of management's performance at every level)
    - Systems audit (testing and evaluation of the internal controls)
    - Transactions audit
    - Social audit
    - Management investigations


    Audit tests

    - Compliance test
    - Substantive test

    Compliance Testing

    Compliance tests are defined as those tests which seek to provide audit evidence on both the effectiveness of the controls and that internal control procedures are being applied as prescribed.

    Compliance tests seek evidence that the internal controls are being applied as prescribed, e.g. an Internal Control Questionnaire.

    Auditors test internal controls in order to establish whether they are operating effectively throughout the period under review.

    If controls are operating effectively, auditors can reduce the level of substantive testing on transactions and balances that would otherwise be required.

    In testing internal controls, auditors are checking to ensure that the stated control has been applied.

    Compliance Testing - Example

    For example, auditors may check that there is a grid stamp on a sales invoice with various signatures inside it that show that the invoice has been approved by the credit controller, that it has been checked for arithmetical accuracy, that the price has been checked, and that it has been posted to the sales ledger.

    The signatures provide audit evidence that the control has been applied. Auditors are not checking to ensure that the invoice is, in fact, correct. This would be a substantive test. Nevertheless, it is possible to perform tests of control and substantive tests on the same document at the same time.


    Substantive Testing

    Substantive tests are defined as those tests of transactions and balances, and other procedures such as analytical review, which seek to provide audit evidence as to the completeness, accuracy and validity of the information contained in the accounting records or in the financial statements. Substantive tests are concerned with confirming the accuracy of the figures. They are used to discover errors and omissions. They include:

    - the vouching of transactions, the checking of postings, the checking of casts and calculations
    - the reconciliation of bank accounts and subsidiary ledgers
    - the verification by appropriate means of all account balances
    - analytical review of final account balances

    Further examples of substantive tests:

    - Search for unrecorded liabilities
    - Confirm accounts receivable to ensure they are not overstated
    - Determine the correct value of inventory, and ensure it is not overstated
    - Determine the accuracy of accruals for expenses incurred, but invoices not yet received (also revenues if appropriate)

    Accountability

    - IA (internal audit) is accountable to the Audit Committee and the BOD (board of directors)
    - The auditor needs access to all parts of the organisation
    - The auditor should be free to comment on the performance of management
    - The auditor's report may need to be actioned at the highest level to ensure its effective implementation

    Independence

    - The auditor must be, and must be seen to be, independent
    - Objectivity, probity and honesty
    - The internal auditor should not install new procedures or systems, neither should he engage in any activity which he would normally appraise, as this might compromise his independence


    Limitations of internal audit

    - Independence
    - Resources

    External Audit

    A periodic examination of the accounting records conducted by an independent third party, to assess whether they have been properly maintained, are accurate and comply with established principles, legislation and accounting standards.

    External auditors will attempt to establish whether the accounts give a true and fair view of the financial state of the organisation.

    External auditing can act as an additional preventative control measure.

    INTERNAL VS EXTERNAL AUDIT

    REASON
      Internal: Activity designed to add value and improve an organisation's operations
      External: To enable auditors to express an opinion on the financial statements

    REPORTING TO
      Internal: BOD / people charged with governance such as the Audit Committee
      External: To shareholders or members of the Co on the truth and fairness of the accounts

    RELATING TO
      Internal: Relates to the operations of the organisation
      External: Relates to the FS (financial statements), concerned with the financial records that underlie these

    RELATIONSHIP WITH THE CO
      Internal: Often the employees; can be outsourced
      External: Independent of the Co and its management; appointed by the shareholders

    AIM
      Internal: May have a number of aims, incl. internal control systems and management information systems, risk management
      External: Primarily interested in the truth and fairness of the accounts and in expressing an opinion on his audit work

    SCOPE - extent of work carried out
      Internal: Laid down by management
      External: Determined by statute (Co. Act 1965)


    IT systems security and safety

    Security

    If you love something, then you care about it and you protect it.

    Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.

    Security can be subdivided into a number of aspects:

    - Prevention
    - Detection
    - Deterrence
    - Recovery procedures
    - Correction procedures
    - Threat avoidance

    Physical threats

    Physical threats to security may be natural or man-made. They include:

    - Fire: fire alarms to detect, and fire extinguishers
    - Water: waterproof ceilings
    - Weather: some locations are vulnerable
    - Lightning: UPS
    - Terrorist activity
    - Accidental damage


    Physical Access Controls

    How can physical access security be achieved?

    - placing computer equipment in locked rooms and restricting access to authorized personnel
    - having only one or two entrances to the computer room
    - requiring proper employee ID
    - requiring that visitors sign a log
    - installing locks on PCs
    - intruder alarms

    Security controls

    The protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.

    Risks to data include human error, technical error, natural disaster, fraud, commercial espionage, etc.

    Integrity controls

    Data integrity in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed.

    Systems integrity refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly.

    Input controls

    Input controls should ensure the accuracy, completeness and validity of input.

    Data verification involves ensuring data entered matches source documents.

    Authorizations enforce management's policies with respect to transactions flowing into the general ledger system.


    Data validation involves ensuring that data entered is not incomplete or unreasonable. E.g.:

    - Check digits: a check digit is usually a number included in an account number that is calculated from the other numbers in it
    - Control totals: for example, a batch total totalling the entries in the batch
    - Hash totals: a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)

    Examples of Edit Tests (Programmed Checks)

    - Validity Check (e.g., M = male, F = female)
    - Limit Check (e.g., hours worked do not exceed 40 hours)
    - Reasonableness Check (e.g., increase in salary is reasonable compared to base salary)
    - Field Check (e.g., numbers do not appear in fields reserved for words)
    - Sequence Check (e.g., successive input data are in some prescribed order)
    - Range Check (e.g., particular fields fall within specified ranges - pay rates for hourly employees in a firm should fall between $8 and $20)
    - Relationship Check (logically related data elements are compatible - an employee rated as hourly gets paid at a rate within the range of $8 and $20)
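    The check digit, control totals and programmed edit tests just listed, worked over a constructed payroll batch as an added example (not from the slides): the mod-10 check-digit scheme, the record layout, the sample records and the control figures on the batch header are all assumptions.

```python
# Input controls on a constructed payroll batch: check digit, programmed edit
# tests, and batch/hash totals. Added example; the record layout and the mod-10
# check-digit scheme are assumptions, not something the slides specify.
from collections import namedtuple

# seq: sequence no.; account: ends in a check digit; name: alphabetic field;
# pay_type: "H" hourly / "S" salaried; rate: hourly pay rate; hours: hours worked
PayRecord = namedtuple("PayRecord", "seq account name pay_type rate hours")

def check_digit_ok(account: str) -> bool:
    """Mod-10 (Luhn) check digit: the last digit is derived from the others."""
    if not account.isdigit() or len(account) < 2:
        return False
    digits = [int(c) for c in reversed(account)]  # check digit comes first
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def edit_tests(batch: list) -> dict:
    """Run the programmed checks; map each failing record's seq to its failed tests."""
    findings, prev_seq = {}, 0
    for rec in batch:
        failed = []
        if not check_digit_ok(rec.account):
            failed.append("check digit")
        if rec.pay_type not in ("H", "S"):          # validity check
            failed.append("validity")
        if not rec.name.replace(" ", "").isalpha():  # field check
            failed.append("field")
        if rec.hours > 40:                           # limit check
            failed.append("limit")
        if rec.pay_type == "H" and not 8 <= rec.rate <= 20:  # range/relationship
            failed.append("range")
        if rec.seq != prev_seq + 1:                  # sequence check
            failed.append("sequence")
        if failed:
            findings[rec.seq] = failed
        prev_seq = rec.seq
    return findings

def batch_controls(batch: list, header: tuple) -> dict:
    """Compare recomputed (count, hash total of accounts, batch total of hours) with the header."""
    count, hash_total, batch_total = header
    return {"count": len(batch) == count,
            "hash_total": sum(int(r.account) for r in batch) == hash_total,
            "batch_total": sum(r.hours for r in batch) == batch_total}

# Constructed sample batch; 123455 and 100016 carry valid check digits.
BATCH = [
    PayRecord(1, "123455", "Ann Lee", "H", 12.5, 38),
    PayRecord(2, "100016", "Bob Ray", "S", 0.0, 40),
    PayRecord(3, "100017", "C3PO", "H", 25.0, 45),    # bad digit, name, rate, hours
    PayRecord(5, "123455", "Dee Fox", "X", 9.0, 20),  # bad pay type, gap in sequence
]
HEADER = (4, 446943, 143)  # count, hash total and batch total keyed from the slip
```

    A keying error on the header slip (say a transposed batch total of 134) fails the batch-total control even though every record may pass its edit tests.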

    Processing controls

    Processing controls should ensure the accuracy and completeness of processing. Programs should be subject to development controls and to rigorous testing. Periodic running of test data is also recommended.

    Examples of Processing Controls

    - Manual Cross-Checks: include checking the work of another employee, reconciliations and acknowledgments
    - File and Program Changes: to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated


    Output controls

    Output controls should ensure the accuracy, completeness and security of output. The following measures are possible:

    - Investigation and follow-up of error reports and exception reports
    - Batch controls to ensure all items are processed and returned
    - Controls over distribution/copying of output
    - Labeling of disks/tapes

    Examples of Asset Accountability Controls

    - Subsidiary ledgers provide a cross-check on the accuracy of a control account (e.g. Debtors Ledger)
    - Reconciliations compare values that have been computed independently (e.g. Debtors Ledger against Debtors control A/C in the GL)
    - Acknowledgment procedures transfer accountability of goods to a certain person
    - Logs and Registers help account for the status and use of assets
    - Reviews & Reassessments are used to re-evaluate measured asset values

    Back-up controls

    Back-up controls aim to maintain system and data integrity. A back-up and archive strategy should include:

    - Regular back-up of data (at least daily)
    - Archive plans
    - A disaster recovery plan including off-site storage

    Archiving

    Archiving data is the process of moving data from primary storage, such as a hard disk, to tape or other portable media for long-term storage.

    If archived data is needed, it can be restored from the archived tape to a hard disk.


    Passwords and logical access systems

    A password is a set of characters which may be allocated to a person, a terminal or a facility which is required to be keyed into the system before further access is permitted.

    A logical access system can prevent access to data and program files, by measures such as identification of the user, checks on user authority and authentication of user identity.

    Administrative controls

    Personnel selection is important as posts such as Computer security officer, Database administrator and Senior systems analyst must be trustworthy.

    Measures to control personnel:

    - Careful recruitment
    - Systems logs
    - Job rotation and enforced vacations
    - Review and supervision
    - Segregation of duties among data capture and data entry, system analysis and programming

    Audit trail

    An audit trail shows who has accessed a system and the operations performed.

    A clear audit trail is needed to:

    - enable individual transactions to be traced
    - provide support for general ledger balances
    - prepare financial reports and correct transaction errors or lost data
    - identify errors and detect frauds
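    The audit trail and segregation-of-duties points above, worked as an added example that is not part of the slides: it parses a constructed audit trail, traces each transaction, flags a transaction entered and approved by the same user or posted without a traceable entry or approval, and totals the posted amounts the trail supports in the general ledger. The line format, user names, action names and transaction ids are assumptions.

```python
# Tracing transactions through a constructed audit trail (added example; the
# line format, user names and transaction ids are assumptions, not from the slides).
import re

# Constructed audit-trail lines: who did what to which transaction, and when.
TRAIL = """\
2018-04-03T09:12:01 user=jsmith action=ENTER txn=INV-1001 amount=1200.00
2018-04-03T09:15:44 user=mjones action=APPROVE txn=INV-1001
2018-04-03T09:20:10 user=jsmith action=ENTER txn=INV-1002 amount=980.00
2018-04-03T09:21:03 user=jsmith action=APPROVE txn=INV-1002
2018-04-03T09:30:00 user=mjones action=POST txn=INV-1001
2018-04-03T09:31:00 user=mjones action=POST txn=INV-1003
"""
LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) txn=(\S+)(?: amount=(\S+))?$")

def trace(trail: str) -> dict:
    """Group events by transaction id, in trail order: txn -> [(user, action, amount)]."""
    events = {}
    for line in trail.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable audit-trail line: " + line)
        _ts, user, action, txn, amount = m.groups()
        events.setdefault(txn, []).append((user, action, float(amount) if amount else None))
    return events

def review(trail: str) -> dict:
    """Flag transactions whose trail breaks a control; txn -> list of findings."""
    findings = {}
    for txn, events in trace(trail).items():
        who = {action: user for user, action, _ in events}  # last user per action
        problems = []
        if "ENTER" not in who:
            problems.append("posted without a recorded entry")
        elif who.get("APPROVE") == who["ENTER"]:
            problems.append("entered and approved by the same user")  # segregation of duties
        if "POST" in who and "APPROVE" not in who:
            problems.append("posted without approval")
        if problems:
            findings[txn] = problems
    return findings

def posted_total(trail: str) -> float:
    """Sum of amounts for transactions entered, approved and posted: the figure
    the audit trail supports in the general ledger balance."""
    total = 0.0
    for events in trace(trail).values():
        actions = {action for _, action, _ in events}
        if {"ENTER", "APPROVE", "POST"} <= actions:
            total += next(a for _, action, a in events if action == "ENTER")
    return total
```

    Only INV-1001 has a complete, properly segregated trail, so the ledger support it gives is 1200.00; INV-1002 and INV-1003 are the exceptions an auditor would follow up.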

    Systems integrity with a PC

    - Password protected
    - Use additional passwords for important files
    - Physical access controls, for example door locks activated by swipe cards or PIN numbers, to prevent access into the room(s) where the computers are kept


    Systems integrity with a LAN and WAN

    - Viruses: must be protected with anti-virus software
    - Dedicated land lines for data transfer and encryption software may be required (WAN)

    Contingency controls

    A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures.

    A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.

    Disaster Recovery Plan

    Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.

    What are the objectives of a recovery plan?

    1 Minimize the extent of the disruption, damage, and loss.
    2 Temporarily establish an alternative means of processing information.
    3 Resume normal operations as soon as possible.
    4 Train and familiarize personnel with emergency operations.


    General Controls

    General controls concern the overall environment of transaction processing. They comprise the following:

    - the plan of data processing organization
    - general operating procedures
    - equipment control features
    - equipment and data-access controls

    A company designs general controls to ensure that its overall computer system is stable and well managed. The following are categories of general controls:

    1 Developing a security plan
    2 Segregation of duties within the systems function
    3 Project development controls
    4 Physical access controls
    5 Logical access controls
    6 Data storage controls
    7 Data transmission controls
    8 Documentation standards
    9 Minimizing system downtime
    10 Disaster recovery plans
    11 Protection of personal computers and client/server networks
    12 Internet controls


    Application Controls

    Application controls are specific to individual applications. They pertain directly to the transaction processing systems. The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported.

    Application controls are categorized as follows:

    - input
    - processing
    - output

    Application controls may also be classified as follows:

    - preventive
    - detective
    - corrective

    General vs Application Controls

    A company designs general controls to ensure that its overall computer system is stable and well managed. Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.