9b. audit and security
TRANSCRIPT
-
7/28/2019 9B. Audit and Security
1/14
12-03-20
AUDITING
What does an auditor do?
What is AUDITING?
Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.
Types of Audits
Two broad categories of audits:
Internal Audit
External Audit
Definition of Internal Auditing
Several definitions:
- a systematic process of objectively obtaining and evaluating assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria, and communicating the results to interested users.
- an independent activity, established by management, to examine and evaluate the organization's risk management processes and systems of control, and to make recommendations for the achievement of company objectives.
- an independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management.
The need for internal audit
The scale, diversity and complexity of the company's activities
The number of employees
Cost-benefit considerations
Changes in the organizational structures, reporting processes or underlying information systems
Changes in key risks
Problems with internal control systems
An increased number of unexplained or unacceptable events
Objectives of internal audit
Review of the accounting and internal control systems
Examination of financial and operating information
Review of the economy, efficiency and effectiveness of operations
Review of compliance with laws, regulations and other external requirements
Review of the safeguarding of assets
Review of the implementation of corporate objectives
Identification of significant business and financial risks (risk management)
Special investigations
Features of internal audit
Independence
Appraisal
Types of Audits
Operational/management/efficiency/value for money audit (monitoring of management's performance at every level)
Systems audit (testing and evaluation of the internal controls)
Transactions audit
Social audit
Management investigations
Audit tests
Compliance test
Substantive test
Compliance Testing
Compliance tests are defined as those tests which seek to provide audit evidence both on the effectiveness of the controls and that internal control procedures are being applied as prescribed.
Compliance tests seek evidence that the internal controls are being applied as prescribed.
E.g. Internal Control Questionnaire
Compliance Testing
Auditors test internal controls in order to establish whether they are operating effectively throughout the period under review.
If controls are operating effectively, auditors can reduce the level of substantive testing on transactions and balances that would otherwise be required.
In testing internal controls, auditors are checking to ensure that the stated control has been applied.
Compliance Testing - Example
For example, auditors may check that there is a grid stamp on a sales invoice with various signatures inside it that show that the invoice has been approved by the credit controller, that it has been checked for arithmetical accuracy, that the price has been checked, and that it has been posted to the sales ledger.
The signatures provide audit evidence that the control has been applied. Auditors are not checking to ensure that the invoice is, in fact, correct; that would be a substantive test. Nevertheless, it is possible to perform tests of control and substantive tests on the same document at the same time.
Substantive Testing
Substantive tests are defined as those tests of transactions and balances, and other procedures such as analytical review, which seek to provide audit evidence as to the completeness, accuracy and validity of the information contained in the accounting records or in the financial statements. Substantive tests are concerned with confirming the accuracy of the figures. They are used to discover errors and omissions. They include:
- the vouching of transactions, the checking of postings, the checking of casts and calculations
- the reconciliation of bank accounts and subsidiary ledgers
- the verification by appropriate means of all account balances
- analytical review of final account balances
Substantive Testing
Search for unrecorded liabilities
Confirm accounts receivable to ensure they are not overstated
Determine the correct value of inventory, and ensure it is not overstated
Determine the accuracy of accruals for expenses incurred but invoices not yet received (also revenues if appropriate)
Accountability
IA is accountable to the Audit Committee and the BOD
The auditor needs access to all parts of the organisation
The auditor should be free to comment on the performance of management
The auditor's report may need to be actioned at the highest level to ensure its effective implementation
Independence
The auditor must be, and must be seen to be, independent
Objectivity, probity and honesty
The internal auditor should not install new procedures or systems, nor engage in any activity which he would normally appraise, as this might compromise his independence
Limitations of internal audit
Independence
Resources
External Audit
A periodic examination of the accounting records conducted by an independent third party, to assess whether they have been properly maintained, are accurate and comply with established principles, legislation and accounting standards.
External auditors will attempt to establish whether the accounts give a true and fair view of the financial state of the organisation.
External auditing can act as an additional preventative control measure.
INTERNAL VS EXTERNAL AUDIT
REASON
Internal: an activity designed to add value and improve an organisation's operations
External: to enable auditors to express an opinion on the financial statements
REPORTING TO
Internal: the BOD / people charged with governance, such as the Audit Committee
External: the shareholders or members of the company, on the truth and fairness of the accounts
RELATING TO
Internal: relates to the operations of the organisation
External: relates to the financial statements and is concerned with the financial records that underlie these
RELATIONSHIP WITH THE COMPANY
Internal: often employees; can be outsourced
External: independent of the company and its management; appointed by the shareholders
INTERNAL VS EXTERNAL AUDIT
AIM
Internal: may have a number of aims, including internal control systems, management information systems and risk management
External: primarily interested in the truth and fairness of the accounts and in expressing an opinion based on the audit work
SCOPE (extent of work carried out)
Internal: laid down by management
External: determined by statute (Companies Act 1965)
IT systems security and safety
Security
If you love something, then you care about it and you protect it.
Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
Security can be subdivided into a number of aspects:
Prevention
Detection
Deterrence
Recovery procedures
Correction procedures
Threat avoidance
Physical threats
Physical threats to security may be natural or man-made. They include:
Fire: fire alarms to detect it, and fire extinguishers
Water: waterproof ceilings
Weather: some locations are vulnerable
Lightning: UPS
Terrorist activity
Accidental damage
Physical Access Controls
How can physical access security be achieved?
placing computer equipment in locked rooms and restricting access to authorized personnel
having only one or two entrances to the computer room
requiring proper employee ID
requiring that visitors sign a log
installing locks on PCs
intruder alarms
Security controls
The protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
Risks to data such as human error, technical error, natural disaster, fraud, commercial espionage etc.
Integrity controls
Data integrity in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed.
Systems integrity refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly.
Input controls
Input controls should ensure the accuracy, completeness and validity of input.
Data verification involves ensuring that data entered matches source documents.
Authorizations enforce management's policies with respect to transactions flowing into the general ledger system.
Data validation involves ensuring that data entered is not incomplete or unreasonable. E.g.:
Check digits: a check digit is usually a number included in an account number that is calculated from the other numbers in it
Control totals: for example, a batch total totalling the entries in the batch
Hash totals: a sum that is meaningless except for internal control purposes (e.g., the sum of customer account numbers)
Examples of Edit Tests (Programmed Checks)
Validity Check (e.g., M = male, F = female)
Limit Check (e.g., hours worked do not exceed 40 hours)
Reasonableness Check (e.g., an increase in salary is reasonable compared to base salary)
Field Check (e.g., numbers do not appear in fields reserved for words)
Sequence Check (e.g., successive input data are in some prescribed order)
Range Check (e.g., particular fields fall within specified ranges - pay rates for hourly employees in a firm should fall between $8 and $20)
Relationship Check (logically related data elements are compatible - an employee rated as hourly gets paid at a rate within the range of $8 and $20)
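The validation controls and edit tests above, worked through in code as an added example that is not part of the lecture notes: a check digit on the account number (the Luhn mod-10 scheme is assumed, since the notes name no scheme), a batch control total and a hash total of account numbers, and each programmed check run over a constructed batch of payroll input records. The record layout, the 10% threshold for a "reasonable" increase, and applying the reasonableness check to the hourly rate rather than a salary are assumptions. The same totals serve the batch controls mentioned later under output controls.

```python
"""Added example (not from the lecture notes): programmed input checks.

Runs the data validation controls described in the notes over a constructed
batch of payroll input records: a Luhn mod-10 check digit on the account
number (assumed scheme), a batch total and a hash total, and the edit
tests (validity, limit, reasonableness, field, sequence, range, relationship).
"""
from typing import Dict, List, Optional

VALID_SEX_CODES = {"M", "F"}          # validity check, from the notes
MAX_HOURS = 40                        # limit check, from the notes
HOURLY_RATE_RANGE = (8.0, 20.0)       # range check, from the notes ($8-$20)
MAX_RAISE_FRACTION = 0.10             # assumed reasonableness threshold


def luhn_valid(number: str) -> bool:
    """Check digit test: the rightmost digit is derived from the others."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(rec: Dict, prev_seq: Optional[int]) -> List[str]:
    """Apply the programmed checks to one record and return its failures."""
    errors = []
    if not luhn_valid(rec["account"]):
        errors.append("check digit: account number fails the mod-10 test")
    if rec["sex"] not in VALID_SEX_CODES:
        errors.append("validity: sex code not in {M, F}")
    if rec["hours"] > MAX_HOURS:
        errors.append("limit: hours worked exceed 40")
    if rec["rate"] > rec["prev_rate"] * (1 + MAX_RAISE_FRACTION):
        errors.append("reasonableness: rate increase larger than expected")
    if not rec["name"].replace(" ", "").isalpha():
        errors.append("field: digits in a field reserved for words")
    if prev_seq is not None and rec["seq"] <= prev_seq:
        errors.append("sequence: record out of prescribed order")
    low, high = HOURLY_RATE_RANGE
    if rec["pay_type"] == "H" and not low <= rec["rate"] <= high:
        errors.append("range: hourly rate outside $8-$20")
    if rec["pay_type"] == "S" and rec["hours"] != 0:
        errors.append("relationship: salaried employee has hours worked")
    return errors


def validate_batch(batch: List[Dict]) -> Dict[int, List[str]]:
    """Map each record's sequence number to its edit-test failures."""
    results, prev_seq = {}, None
    for rec in batch:
        results[rec["seq"]] = edit_tests(rec, prev_seq)
        prev_seq = rec["seq"]
    return results


def batch_totals(batch: List[Dict]) -> Dict[str, int]:
    """Control totals: record count, total hours (batch total) and the sum
    of account numbers (hash total, meaningless except as a check)."""
    return {
        "count": len(batch),
        "hours": sum(r["hours"] for r in batch),
        "hash_accounts": sum(int(r["account"]) for r in batch),
    }


def totals_agree(batch: List[Dict], expected: Dict[str, int]) -> bool:
    """Compare computed totals with the totals prepared from source documents."""
    return batch_totals(batch) == expected


# Constructed sample batch (not real data); "79927398713" and
# "4111111111111111" pass the Luhn test, the other two account numbers fail.
BATCH = [
    {"seq": 1, "account": "79927398713", "name": "Alice Tan", "sex": "F",
     "pay_type": "H", "hours": 38, "rate": 12.0, "prev_rate": 11.5},
    {"seq": 2, "account": "79927398710", "name": "Bob Lim", "sex": "M",
     "pay_type": "H", "hours": 44, "rate": 25.0, "prev_rate": 12.0},
    {"seq": 4, "account": "4111111111111111", "name": "Chen 9", "sex": "X",
     "pay_type": "S", "hours": 10, "rate": 0.0, "prev_rate": 0.0},
    {"seq": 3, "account": "12345678", "name": "Dev Raj", "sex": "M",
     "pay_type": "H", "hours": 20, "rate": 9.0, "prev_rate": 9.0},
]

if __name__ == "__main__":
    for seq, errs in validate_batch(BATCH).items():
        print(seq, errs or "OK")
    print(batch_totals(BATCH))
```

Only the first record passes every check; the hash total is compared against the total prepared independently from the source documents, so a record dropped or altered between data capture and processing changes the total and is caught.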
Processing controls
Processing controls should ensure the accuracy and completeness of processing. Programs should be subject to development controls and to rigorous testing. Periodic running of test data is also recommended.
Examples of Processing Controls
Manual Cross-Checks - include checking the work of another employee, reconciliations and acknowledgments
File and Program Changes - to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated
Output controls
Output controls should ensure the accuracy, completeness and security of output. The following measures are possible:
Investigation and follow-up of error reports and exception reports
Batch controls to ensure all items are processed and returned
Controls over distribution/copying of output
Labeling of disks/tapes
Examples of Asset Accountability Controls
Subsidiary ledgers provide a cross-check on the accuracy of a control account (e.g. Debtors Ledger)
Reconciliations compare values that have been computed independently (e.g. Debtors Ledger against the Debtors control A/C in the GL)
Acknowledgment procedures transfer accountability for goods to a certain person
Logs and Registers help account for the status and use of assets
Reviews & Reassessments are used to re-evaluate measured asset values
Back-up controls
Back-up controls aim to maintain system and data integrity.
A back-up and archive strategy should include:
Regular back-up of data (at least daily)
Archive plans
A disaster recovery plan including off-site storage
Archiving
Archiving data is the process of moving data from primary storage, such as a hard disk, to tape or other portable media for long-term storage.
If archived data is needed, it can be restored from the archived tape to a hard disk.
Passwords and logical access systems
A password is a set of characters which may be allocated to a person, a terminal or a facility, and which is required to be keyed into the system before further access is permitted.
A logical access system can prevent access to data and program files by measures such as identification of the user, checks on user authority and authentication of user identity.
Administrative controls
Personnel selection is important, as the holders of posts such as Computer Security Officer, Database Administrator and Senior Systems Analyst must be trustworthy.
Measures to control personnel:
Careful recruitment
Systems logs
Job rotation and enforced vacations
Review and supervision
Segregation of duties among data capture and data entry, systems analysis and programming
Audit trail
An audit trail shows who has accessed a system and the operations performed.
A clear audit trail is needed to enable individual transactions to be traced, to provide support for general ledger balances, to prepare financial reports and to correct transaction errors or lost data.
Identifying errors and detecting frauds
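An audit trail of the kind described above, and the segregation-of-duties control from the administrative controls slide, worked through in code as an added example that is not part of the lecture notes. It records who performed which operation on which transaction, traces one transaction's history, flags a transaction that the same person both entered and approved, and checks that no entry was altered after the fact. The hash chaining that makes the trail tamper-evident is an extension assumed here (the notes only require that the trail show who accessed the system and what was done), and all entries, user names and invoice numbers are constructed sample data.

```python
"""Added example (not from the lecture notes): a tamper-evident audit trail.

Each entry records who did what to which transaction and when. Entries are
hash-chained (assumed extension) so that editing or deleting an earlier
entry invalidates every later hash. Sample data is constructed.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # stands in for "the hash before the first entry"


def entry_hash(prev_hash: str, entry: Dict[str, str]) -> str:
    """Hash this entry together with the previous entry's hash."""
    payload = json.dumps(entry, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []
        self.hashes: List[str] = []

    def record(self, user: str, action: str, txn: str, ts: str) -> None:
        """Append one entry: who, which operation, on which transaction, when."""
        entry = {"user": user, "action": action, "txn": txn, "ts": ts}
        prev = self.hashes[-1] if self.hashes else GENESIS
        self.entries.append(entry)
        self.hashes.append(entry_hash(prev, entry))

    def trace(self, txn: str) -> List[Dict[str, str]]:
        """Every recorded operation on one transaction, in order."""
        return [e for e in self.entries if e["txn"] == txn]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for entry, stored in zip(self.entries, self.hashes):
            if entry_hash(prev, entry) != stored:
                return False
            prev = stored
        return len(self.entries) == len(self.hashes)


def segregation_breaches(trail: AuditTrail) -> List[str]:
    """Transactions that one user both ENTERed and APPROVEd (duties not segregated)."""
    users_by_txn: Dict[str, Dict[str, set]] = {}
    for e in trail.entries:
        users_by_txn.setdefault(e["txn"], {}).setdefault(e["action"], set()).add(e["user"])
    return sorted(
        txn for txn, acts in users_by_txn.items()
        if acts.get("ENTER", set()) & acts.get("APPROVE", set())
    )


def build_sample_trail() -> AuditTrail:
    """Constructed sample: three invoices flowing through entry and approval."""
    t = AuditTrail()
    t.record("alice", "ENTER", "INV-1001", "2019-07-28T09:00")
    t.record("bob", "APPROVE", "INV-1001", "2019-07-28T09:30")
    t.record("alice", "ENTER", "INV-1002", "2019-07-28T10:00")
    t.record("carol", "ENTER", "INV-1003", "2019-07-28T10:15")
    t.record("carol", "APPROVE", "INV-1003", "2019-07-28T10:16")  # same person
    t.record("bob", "APPROVE", "INV-1002", "2019-07-28T11:00")
    return t


def altered_copy(trail: AuditTrail) -> AuditTrail:
    """Copy of the trail with one stored entry changed after the fact,
    used to show that verify() notices the change."""
    copy = AuditTrail()
    copy.entries = [dict(e) for e in trail.entries]
    copy.hashes = list(trail.hashes)
    copy.entries[4]["user"] = "dave"   # rewrite the approver of INV-1003
    return copy


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("INV-1002 history:", trail.trace("INV-1002"))
    print("segregation breaches:", segregation_breaches(trail))
    print("altered copy intact:", altered_copy(trail).verify())
```

The segregation check is a detective control run over the trail; the chained hashes are what let the reviewer trust the trail it runs over, since rewriting the approver of INV-1003 to hide the breach also breaks every hash from that entry onward.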
Systems integrity with a PC
Password protected
Use additional passwords for important files
Physical access controls, for example door locks activated by swipe cards or PIN numbers, to prevent access into the room(s) where the computers are kept.
Systems integrity with a LAN and WAN
Viruses: must be protected against with anti-virus software
Dedicated land lines for data transfer and encryption software may be required (WAN).
Contingency controls
A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures.
A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.
Disaster Recovery Plan
Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.
What are the objectives of a recovery plan?
1 Minimize the extent of the disruption, damage, and loss.
2 Temporarily establish an alternative means of processing information.
3 Resume normal operations as soon as possible.
4 Train and familiarize personnel with emergency operations.
General Controls
General controls concern the overall environment of transaction processing. They comprise the following:
the plan of data processing organization
general operating procedures
equipment control features
equipment and data-access controls
General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed.
The following are categories of general controls:
1 Developing a security plan
2 Segregation of duties within the systems function
3 Project development controls
4 Physical access controls
5 Logical access controls
6 Data storage controls
7 Data transmission controls
8 Documentation standards
9 Minimizing system downtime
10 Disaster recovery plans
11 Protection of personal computers and client/server networks
12 Internet controls
Application Controls
Application controls are specific to individual applications.
Application controls pertain directly to the transaction processing systems. The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported.
Application controls are categorized as follows:
input
processing
output
Application controls may also be classified as follows:
preventive
detective
corrective
General vs Application Controls
A company designs general controls to ensure that its overall computer system is stable and well managed.
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.