1) Introduction to IS Auditing


1) Introduction to IS Auditing
  a) Assurance Services: Independent professional services that improve the quality of information for decision makers. The common feature of all assurance services, including audit and attestation services, is the focus on improving the quality of information used by decision makers.
    i) Attestation: A type of assurance service in which the public accounting firm issues a written communication that expresses a conclusion about the reliability of a written assertion of another party, e.g. a public accounting firm expressing an opinion on the reliability of the financial statements of an audit client. 3 categories:
      (1) Audit of historical financial statements.
      (2) Reviews of historical financial statements: Less rigorous than an audit, less expensive and sometimes adequate.
      (3) Other attestation services: To qualify as an attestation service (as distinct from other assurance services), the engagement must involve written assurances on some accountability matter.
    ii) Auditing (and IS Auditing): The process by which a competent and independent person accumulates and evaluates evidence about quantifiable information related to a specific economic entity for the purpose of determining and reporting on the degree of correspondence between the quantifiable information and established criteria.
      (1) Difference between auditing and accounting: Accountants may not be the people best equipped to undertake certain types of audit.
      (2) Types of audit (Audit: A review of an organization's financial statements.):
        (a) Performance audits (operational audits): Evaluate the efficiency and effectiveness of procedures and methods and offer advice on how to improve these. Can be a review of just about any part of an organisation's (or individual's) operating procedures and methods (how they do things). Outcome aimed at the entity's management.
        (b) Compliance audits: Express an opinion by evaluating whether or not the auditee (the entity being audited) is complying with rules or procedures set down by some authority. Outcome aimed at external parties.
        (c) Audit of financial statements: Expresses an opinion on whether the financial statements can be relied on or not. Outcome aimed at external parties.
      (3) Types of auditors (Auditor: An accountant):
        (a) Public accountants (external auditors): Employed by public accounting firms whose primary responsibility is the audit of financial statements of publicly traded companies. They must have appropriate qualifications and experience in the conduct of such audits.
        (b) Government auditors: Generally responsible for auditing the financial activities of government.
          (i) Tax auditors: Primarily involved in compliance audits aimed at ensuring that organisations and individuals comply with the tax laws.
        (c) Internal auditors: Employees of the firm that they audit, primarily to facilitate the efforts of the external auditors and thereby minimise external audit fees. They may be employed to reassure management that the firm's statements can be relied on. Also concerned with efficiency and effectiveness.
        (d) IS auditor: Main role may be to facilitate the audit of financial statements, perhaps by evaluating the quality of the system of internal information systems controls or by facilitating access to computer-based information. Alternatively, the IS auditor may be internal to the organisation and involved in a diversity of performance and compliance type audits, e.g. security reviews, IS management reviews, application reviews, etc.
      (4) IS auditing: The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently (Ron Weber).

      (5) Need for control and audit of computers:
        (a) Increasing dependence on computers by individuals, organisations, businesses, institutions, governments and societies.
        (b) As the benefits of using computers have increased, the costs of losing them or of having them perform inappropriately have also increased.
        (c) Organisations have developed large portfolios of applications (assets) on which the organisation's ongoing, smooth operations are dependent.
        (d) Incorrect data, malfunctioning decision support systems, or erroneous decision rules in expert systems can all lead to inappropriate management decisions, causing negative effects on the organisation.
        (e) There exists substantial potential for using data for many purposes beyond those originally intended.
        (f) The Internet has exposed organisations without adequate security measures to potential hackers and virus attacks.
      (6) Effects of IS on internal controls (WHAT the auditor audits):
        (a) Separation of responsibilities
        (b) Clear delegation of authority and responsibility
        (c) Recruitment and training of high quality personnel
        (d) A system of authorizations
        (e) Adequate documents and records
        (f) Physical control over assets and records
        (g) Management supervision
        (h) Independent checks on performance
        (i) Periodic comparison of recorded accountability with assets.
      (7) Effects of IS on auditing (HOW the auditor audits):
        (a) IS auditors must remain current with the control technology.
        (b) New technologies have resulted in changes to the ways in which auditors gather and evaluate evidence.
      (8) Ideal IS auditor should be: Multidisciplinary (traditional audit, information systems management, behavioural science and computer science) and have a good balance of knowledge and experience with the audit process, the technology, with organisations and people, and with information systems.
      (9) Conducting an IS audit:
        (a) Controls: Mechanisms to prevent unlawful events from happening, detect these events after they have happened, or correct the effects of these events.
        (b) Dealing with complexity:
          (i) Functional decomposition: Systems can be decomposed (factored) into a hierarchy of subsystems; the results of this low-level analysis can then be aggregated up the hierarchy to yield an overall assessment of the system's reliability.
            1. Two ways to functionally decompose systems are:
              a. According to the managerial functions needed to process information;
              b. According to the application functions needed to process information.
            2. Seven management subsystems identified in the decomposition approach:
              a. Top management and IS management
              b. Systems development management
              c. Programming management
              d. Data administration
              e. Quality assurance management
              f. Security administration
              g. Operations management

            3. Information processing: Conceived of as being first associated with cycles, then application systems, and finally application subsystems.
          (ii) Finally, having identified application systems, these can be decomposed into six subsystems:
            a. Boundary subsystem
            b. Input subsystem
            c. Communication subsystem
            d. Processing subsystem
            e. Database subsystem
            f. Output subsystem
          (iii) Components: Physical units that perform the fundamental activities needed to accomplish a function. Components used in a computer system include hardware, software, people and transmission media. Subsystem functions are executed by components.
      (10) Audit risk: Measures the risk of an auditor failing to detect actual or potential losses or account misstatements for an audit engagement.
      (11) Types of audit procedure:
        (a) Audit of financial statement balances
        (b) Evaluating the operational effectiveness and efficiency of information systems

2) Management Control Framework I: Top, Development and Programming Management
  a) Top Management Control: The auditor's primary objective in reviewing the management control framework is to assess whether or not management manages well. Because:
    i) The quality of management influences the quality of controls at the detail level.
    ii) Active participation of top management and the existence of high quality IS management are essential for the continuing successful development and implementation of computer systems.
  b) Management Functions:
    i) Planning: Involves determining the goals of the installation and the means of achieving these goals. 2 types:
      (1) Strategic plan:
        (a) Long-term plan;
        (b) Covers the next three to five years of operations;
        (c) Includes an assessment of the existing information systems, strategic directions for the alignment of the IS and business functions, and the development strategies of future IS.
      (2) Operational plan:
        (a) Short-term plan;
        (b) Covers the next one to three years of operations;
        (c) Includes a progress report of existing IS plan initiatives, new initiatives to be undertaken, and their implementation schedule.
      (3) Two models for IS planning:
        (a) Strategic Grid model (McFarlan et al., 1983)
        (b) Infusion-Diffusion model and role of steering committee (Sullivan, 1985)
      (4) Top management of the firm often participates in the IS planning process through a steering committee.
      (5) A major problem in developing a strategic plan is that it is always difficult to plan far into the future.
    ii) Organising: Involves providing facilities and grouping activities and personnel to accomplish the goals and objectives set out in the strategic and operational plans.
      (1) IS staff are grouped by function (centralised functional form): greater task specialisation is possible.
        (a) Maintenance programmers do maintenance programming.
        (b) Development programmers do development.
        (c) Systems analysts do systems analysis.
      (2) IS staff are in end-user departments (decentralised end-user form): IS personnel are closer to the users.
        (a) They are responsible for maintenance, enhancements, development, interfacing with users, defining requirements, and so on, for the overall system(s) of the user department.

    iii) Leading: Involves coordinating activities, providing support and guidance, and motivating personnel.
    iv) Controlling: Involves comparing actual performance with budgeted performance as a basis for adjusting actions.
    v) Major organisation design issue faced by IS and top management: which functions to centralise or decentralise.
    vi) Organisational structure characteristics based on the extent of task uncertainty:
      (1) When there is high 'certainty' the structure should reflect:
        (a) A well defined hierarchy of authority;
        (b) Clear lines of authority;
        (c) Rigorous standards;
        (d) Well defined checkpoints on projects.
      (2) When there is greater uncertainty, one would expect to find:
        (a) A more complex structure;
        (b) Greater need for integration across organisational units;
        (c) Delegation of decision making;
        (d) Less formal lines of authority;
        (e) A greater need for information.
      (3) Examples of areas of possible greater uncertainty include:
        (a) Managing craftspeople or artists;
        (b) Managing super programmers;
        (c) Managing a research and development operation.
    vii) Staff planning involves:
      (1) taking inventory of current staff;
      (2) determining future requirements;
      (3) assessing likely turnover;
      (4) planning how to fill positions.
    viii) Personnel acquisition: Major activities in personnel acquisition include creating a job specification, deciding whether to recruit internally or externally, and deciding on sources of data for evaluation.
    ix) Personnel development involves establishing promotional and personal growth opportunities for employees.
    x) Personnel termination procedures are:
      (1) immediately inform management;
      (2) prepare a termination checklist;
      (3) arrange training for replacement;
      (4) assign to a non-critical area;
      (5) conduct an exit interview.
    xi) Evaluating the leading function: The auditor must attempt to gauge, if only superficially, management's ability to lead. Ineffective leading can result in system failure as surely as erroneous design.
    xii) Leadership styles should be matched with the IS personnel and their tasks and activities.
    xiii) The means of control:
      (1) Methods standards: Define uniform practices and procedures for systems development and operation.
      (2) Performance standards: Describe the resource usage that should be expected from undertaking different activities within the computer installation.
      (3) Documentation standards serve four purposes:
        (a) inter-task/phase communication
        (b) quality control and project control

        (c) historical reference
        (d) instructional reference.
      (4) Project control standards (e.g. Microsoft Project) also help keep the project on track by specifying checkpoints for reviews and sign-offs and subsequent procedures for variance monitoring.
      (5) Post-audit standards should be enforced in regular post-audits of IS.
    xiv) Mechanisms useful for controlling users of computer services include:
      (1) Review committee
      (2) Transfer pricing.
  c) When the auditor gets involved in systems development:
    i) As a member of the development team, the IS auditor:
      (1) Collects evidence by observing the activities of others
      (2) Compares evidence against the normative model(s).
    ii) As a member of the post-implementation review team, goals include:
      (1) Making recommendations for improving the development process
      (2) Reducing the extent of necessary substantive testing of application systems by being able to rely on the internal control system.
    iii) As part of a general audit team, his or her role involves:
      (1) Evaluating the systems development controls, in order to determine the extent of substantive testing required to form an audit opinion on the financial statements or system effectiveness and efficiency.
  d) Normative Models:
    i) System Development Life Cycle (SDLC): Weber presents an eight-phase example of the traditional system development life cycle (SDLC) approach. 8 phases:
      (1) Feasibility study
      (2) Information analysis
      (3) System design
      (4) Program development
      (5) Procedures and forms development
      (6) Acceptance testing
      (7) Conversion
      (8) Operation and maintenance.
    ii) Socio-technical approach: Attempts to deal with the behavioural problems that arise from systems development. 5 phases:
      (1) Diagnosis and entry
      (2) Management of the change process
      (3) System design
      (4) Adjustment of coordinating mechanisms
      (5) Implementation.
    iii) Normative Model (the 13-phase model) is in effect a reconciliation of the SDLC and the socio-technical approaches. Most of the activities of the SDLC approach are performed in this model, but the socio-technical approach attempts to make the designer take a much broader and richer perspective of the design process.
      (1) Problem/opportunity definition
      (2) Management of the change process
      (3) Entry and feasibility assessment
      (4) Analysis of the existing system
      (5) Formulation of strategic requirements
      (6) Organisational and job design

      (7) Information processing systems design
      (8) Application software acquisition and development
      (9) Hardware/system software acquisition
      (10) Procedures development
      (11) Acceptance testing
      (12) Conversion
      (13) Operation and maintenance
  e) Program life cycle: 6 phases:
    i) Planning: Many important decisions must be made on how to proceed with the program life cycle.
      (1) Major activities include:
        (a) determining resource requirements
        (b) choosing a design approach
        (c) choosing an implementation approach
        (d) choosing an integration and testing approach
        (e) determining software quality assurance measures
        (f) choosing program change control procedures
        (g) determining project team organisation.
      (2) Major audit concerns with the planning phase include:
        (a) Is the scope of planning activities adequate?
        (b) Is appropriate planning-related documentation being developed and retained?
        (c) Are appropriate automated aids being used effectively where possible?
    ii) Control: Requires monitoring progress against plan and ensuring software released for production use is authentic, accurate and correct.
      (1) Major audit concerns with the control phase include:
        (a) Are project management tools in place to monitor progress against plan?
        (b) Are program design techniques being effectively applied?
    iii) Design: Producing a set of specifications from which program development can proceed; still somewhat of a heuristic process.
      (1) Major audit concerns with the design phase include:
        (a) Are structured methodologies or other established methodologies (e.g. object-oriented) being effectively applied?
        (b) Is appropriate documentation being generated in support of this phase?
        (c) Is appropriate checking of results taking place?
        (d) And again, are appropriate automated aids being used where possible?
    iv) Coding: Programmers (sometimes end users) translate the program design and specifications into code.
      (1) Major concerns of the auditor are:
        (a) Are the appropriate activities taking place, given the standards adopted (e.g. use of top-down coding, use of structured programming techniques)?
        (b) Is the code being appropriately and adequately desk checked?
        (c) Is program documentation appropriate and adequate?
        (d) Are automated aids being used?
    v) Testing: Testing is done throughout the life cycle.
      (1) Major activities of this phase include:
        (a) preparation of test data
        (b) program testing
        (c) documentation of test results
        (d) repairing of bugs identified through testing
        (e) final release of correct code.

      (2) Major audit concerns regarding testing include:
        (a) Are modern testing techniques being used?
        (b) Is the amount and nature of testing being done adequate?
        (c) Are test designs and test results being appropriately documented?
        (d) Are formal procedures in place for the repair of code found to be faulty?
        (e) Are formal procedures in place for the release of programs into the next stages of the system development life cycle?
        (f) Are automated aids being effectively used?
    vi) Operation and maintenance: As programs are used over time, they require repair maintenance, adaptive maintenance and perfective maintenance.
      (1) Major audit concerns include:
        (a) Are formal procedures in place for identifying program deficiencies?
        (b) Are formal procedures in place for modifying programs?
        (c) Are there formal and appropriate controls over the release of corrected programs?
        (d) Are appropriate automated aids being effectively used?
  f) Organising the Programming Team:
    i) Chief programmer teams:
      (1) project based
      (2) reduced communications channels
      (3) task specialisation
      (4) lateral coordinating role.
    ii) Adaptive teams:
      (1) no hierarchy of authority
      (2) leadership rotates
      (3) self-organising
      (4) individuals versus roles
      (5) joint responsibility
      (6) no lateral librarian role
      (7) few in use.
  g) Managing the System Programming Group: 2 types of programmers:
    i) Application programmers: Involved in developing and maintaining application software.
    ii) Systems programmers: Involved in the acquisition, development and maintenance of system software that provides general functionality to a range of application software (e.g. operating system software, utility software, security software).

3) Management Control Framework II: Data Resource, Operations & Quality Assurance Management
  a) The objectives to accomplish in managing a database are:
    i) Shareability: A database is shared, allowing access to the same data at virtually the same time.
    ii) Availability: A database is available to users when needed and in the required form.
    iii) Evolvability: Able to respond to the changing needs of the business environment.
    iv) Database integrity: Data must be accurate, complete and authentic, because an error in data affects all users.
  b) Data Administrator (DA): Involved with the logical analysis of data requirements and the effect of administrative and policy matters on the requirements.
  c) Database Administrator (DBA): More focused on the physical and technical aspects of the database implementation, such as efficiency and operational issues of the database operation.

  d) The main roles of a DA/DBA include:
    i) Resolving conflicting requirements among users;
    ii) Adopting a global perspective of organizational needs for current and future data requirements, to minimise suboptimisation of organisational goals;
    iii) Maintaining the availability of the database through user requirements for education, documentation and access tools; and
    iv) Ensuring data integrity controls are built into the requirements of the current users and future users.
  e) The justifications for the DA/DBA roles are:
    i) Two different skill sets are required to perform the roles competently: administrative skills for the DA and technical skills for the DBA.
    ii) The amount of work for the two roles has grown substantially. It is therefore appropriate for the two roles to be segregated, the DA attending to the end-user aspects of data management and the DBA defining and managing the technical implementation of the database.
  f) Audit implications of centralised planning and control of data, and DA/DBA roles within its management control framework, are:
    i) The DA/DBA has a good understanding of the strengths and weaknesses of the database environment because he or she works closely with users to identify their requirements, problems and concerns.
    ii) The DA/DBA may assist the auditor by providing administrative and technical information about the database. The DA may provide the auditor with the data structures; the DBA may provide database access tools.
    iii) The auditor can evaluate the DA/DBA roles in order to form a preliminary opinion on the quality of the database.
  g) The major functions of the DA/DBA include:
    i) Defining, creating, redefining and retiring data
    ii) Making the database available to users
    iii) Informing and servicing users
    iv) Maintaining database integrity
    v) Monitoring operations.
  h) For the DA role to be effective, it should be either (Ross, 1981):
    i) A staff function within the offices of top management, or
    ii) A staff function reporting to the person responsible for the IS function.
  i) For Strategic or Turnaround organisations in the strategic grid, the DA position needs to be strategically placed in the organisational hierarchy and to be perceived as having the authority, responsibility and independence required for the DA role.
  j) For Support or Factory quadrant organisations in the strategic grid, the DA role is better placed as a staff function reporting to the person responsible for the IS function. The DA and DBA roles can be performed by a person within the IS department when there is insufficient justification for a separate DA role.
  k) Three fundamental possibilities for the organisational placement of the DBA role:
    i) DBA reports to the DA; both the DA and DBA are located outside of the IS department. This may lead to difficulties for the DBA in the performance of the technical functions.
    ii) DBA reports to the DA, who then reports to the IS executive; both the DA and the DBA are located in the IS department. This eliminates problems of communication and coordination between the two roles.
    iii) DA and DBA both report to the person responsible for the data resource management function, who then reports to the IS executive. Best suited to Factory and Support organisations in the strategic grid.

  l) Most important role for the DA and DBA in a decentralised and end-user environment: To develop and promulgate data standards for end users and to ensure that end users comply with these standards.
  m) Data Repository System (DRS): Developed to provide more powerful facilities for defining the external and conceptual schemas and the internal schema needed to access the data.
    i) The implications for the auditor are:
      (1) If the DRS is used properly, the auditor can have increased confidence in the reliability of controls over data and application systems.
      (2) The organisation may suffer serious consequences if the database definition on the DRS is lost or corrupted. Therefore, the DRS and database definition should be subjected to rigorous security, backup and recovery controls.
      (3) The existence of a DRS facilitates the audit process by providing adequate documentation on data definitions.
      (4) When a single, complete database definition exists for users and programs to access, auditors can be more confident of the consistency and currency of the data.
  n) Control weaknesses over DA and DBA:
    i) If the DA and DBA fail to perform their roles at a high level, the controls over the DBMS may be compromised.
    ii) Centralisation of power in the DA and DBA can increase the opportunities to perpetrate irregularities because it may violate the internal control principle of segregation of duties.
    iii) The DA and DBA have tools available for the performance of certain functions. The same tools can be used to override established controls and perpetrate fraud.
  o) Remedial measures to overcome these weaknesses:
    i) Assign appropriate seniority to the position: The DA and DBA must hold a senior position within the IS department.
    ii) Separate duties to the extent possible: The duties of the DA and DBA should be segregated as far as possible but without any impairment of the role.
    iii) Maintain logs: The activities of the DA and DBA should be recorded in manual logs and machine logs.
    iv) Training and rotation of duties: If the DA and DBA role is performed by a group of people, training and rotation of duties are appropriate to prevent personnel from performing a single function for an extended period of time and hence increasing the risk of fraud perpetration.
  p) Operations Management: Responsible for the daily running of hardware and software facilities so that:
    i) The production application systems can accomplish their work.
    ii) The development personnel can design, implement and maintain the application systems.
  q) Other functions performed by the operations management group are:
    i) Security administration may be performed by the operations manager in smaller organisations when the security administration role is not sufficient to justify a separate position.
    ii) Operations management is responsible for advising top management on the likely resource requirements to support future operations of the IS installation for long-range planning.
  r) Eight major operations functions:
    i) Computer operations: Govern the ways in which computer operators conduct the daily running of systems in either test or production mode on the hardware and software available. 3 sets of controls:
      (1) Operations controls: Those that prescribe the functions computer operators should perform. The two sources of information: Standards Manual and Application System Run Manuals.
      (2) Scheduling controls: Those that prescribe how hardware, software and data are to be used.
      (3) Maintenance controls: Those that prescribe how hardware is to be maintained.

    ii) Communications network control: Includes long-haul communication (Internet, intranet, wide area network) or local area communication (local area network).
      (1) Major functions include:
        (a) starting and terminating network lines and processes within the network
        (b) monitoring network activity levels
        (c) performing backup of files saved in the network
        (d) increasing backup frequency
        (e) examining data traversing a communication line
        (f) down-line loading data or programs to a terminal
        (g) implementing controls to prevent unauthorised access (e.g. passwords, firewalls).
    iii) Data preparation and entry: Not major functions of operations management any more.
    iv) Production control: Performs the following major functions:
      (1) receipt and dispatch of input and output
      (2) job scheduling
      (3) management of service level agreements with users
      (4) transfer pricing/chargeout control
      (5) acquisition of computer consumables.
    v) File library: An IS installation performs the following functions in the management of the organisation's library of machine-readable files:
      (1) Storage media must be kept in a safe area to avoid disruptions to computer operations.
      (2) Files must be used only for the purposes intended. Control must be exercised over program files, data files and procedure (job control language) files.
      (3) The storage media used for files must be maintained in correct working order and disposed of properly if no longer required.
      (4) A file backup strategy and file retention strategy must be implemented.
    vi) Documentation and program library: Responsible for the:
      (1) safe custody of strategic and operational plans, application system documentation, application program documentation, systems software and utility program documentation, database documentation, operations manuals and standards manuals (in some instances, books and journals);
      (2) issuance of documentation to authorised personnel only;
      (3) maintaining adequate backup for documentation.
    vii) Help desk/technical support: Helps users in their use of end-user hardware and software and provides technical support for production application systems.
    viii) Capacity planning and performance monitoring: The operations manager is responsible for:
      (1) the preparation of a plan for monitoring overall system performance,
      (2) the identification of the data that must be obtained to accomplish this plan,
      (3) the choice of instruments needed to obtain the data,
      (4) ensuring the instruments are correctly implemented in place and working,
      (5) making decisions on how to improve system performance.
  s) Management of outsourced operations: Operations are outsourced when the organisation has no comparative advantage or limited expertise in the area. The operations manager's role involves monitoring the outsourcing contract for:
    i) the long-term financial viability of the outsourcing vendor so that service will be continuously provided at a high level
    ii) compliance with the terms and conditions
    iii) the ongoing reliability of controls of the outsourcing vendor
    iv) disaster recovery procedures.
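The remedial measures for the DA/DBA in o) above (maintain machine and manual logs, separate duties) become an auditable check once the two logs can be compared. The script below is an added illustration, not part of the original notes or of Weber's text: the DBMS log format, the change-authorisation register fields and the account names are all constructed for the example.

```python
"""Reviewing DBA machine logs against a manual change-authorisation register.

Added illustration for the DA/DBA remedial measures in section o) above
(maintain logs, separate duties); not from the original notes or Weber.
Log format, register fields and account names are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed DBMS audit-log lines (the "machine log"):
#   <timestamp> <account> <SQL statement>
MACHINE_LOG = """\
2024-03-04T09:12:41Z dba_lee GRANT SELECT ON payroll.salary TO app_report
2024-03-04T09:15:02Z dba_lee ALTER TABLE payroll.salary ADD COLUMN bonus NUMERIC
2024-03-04T22:47:10Z dba_lee DROP TABLE audit.trail_2023
2024-03-05T10:03:55Z app_report SELECT * FROM payroll.salary
2024-03-05T11:20:30Z dba_kim GRANT DBA TO dba_kim
"""

# Constructed change-authorisation register (the "manual log"): who approved
# which privileged statement, and which account was permitted to execute it.
AUTHORISATIONS = [
    {"ticket": "CHG-101", "approver": "da_park", "executor": "dba_lee",
     "statement": "GRANT SELECT ON payroll.salary TO app_report"},
    {"ticket": "CHG-102", "approver": "da_park", "executor": "dba_lee",
     "statement": "ALTER TABLE payroll.salary ADD COLUMN bonus NUMERIC"},
    {"ticket": "CHG-103", "approver": "dba_kim", "executor": "dba_kim",
     "statement": "GRANT DBA TO dba_kim"},
]

# Statements that change privileges or structure and so require an authorisation.
PRIVILEGED = re.compile(r"^(GRANT|REVOKE|ALTER|DROP|CREATE\s+USER)\b", re.IGNORECASE)
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")


@dataclass
class Finding:
    timestamp: str
    account: str
    statement: str
    issue: str  # "unauthorised" or "self-approved"


def parse_log(text):
    """Yield (timestamp, account, statement) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def review(log_text, authorisations):
    """Compare every privileged statement in the machine log with the register.

    A privileged statement with no ticket naming this executor and statement is
    'unauthorised'; one whose approver is also the executor is 'self-approved'
    (a segregation-of-duties breach). Ordinary queries are not examined.
    """
    findings = []
    for ts, account, statement in parse_log(log_text):
        if not PRIVILEGED.match(statement):
            continue
        ticket = next((a for a in authorisations
                       if a["executor"] == account and a["statement"] == statement),
                      None)
        if ticket is None:
            findings.append(Finding(ts, account, statement, "unauthorised"))
        elif ticket["approver"] == ticket["executor"]:
            findings.append(Finding(ts, account, statement, "self-approved"))
    return findings


if __name__ == "__main__":
    for f in review(MACHINE_LOG, AUTHORISATIONS):
        print(f"{f.timestamp} {f.account}: {f.issue}: {f.statement}")
```

On the constructed data the review raises two findings: the unauthorised DROP TABLE by dba_lee and the self-approved GRANT by dba_kim, which is exactly the evidence the auditor would take to the "separate duties" and "maintain logs" measures.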

  t) Quality Assurance (QA): The primary role of quality assurance management is to ensure that the IS produced achieve certain quality goals and that development, implementation, operation and maintenance of IS comply with certain quality standards.
    i) Reasons QA functions emerged in organisations:
      (1) Increasingly, organisations are producing safety-critical systems, e.g. air traffic control systems.
      (2) Users are becoming more demanding about the quality of the software they use to undertake their work.
      (3) Organisations are undertaking more ambitious IS projects that demand higher quality standards be met.
      (4) Organisations are becoming increasingly concerned about their liabilities if they produce and sell defective software.
      (5) Poor quality control in production and use of software can be costly in missed deadlines, resource consumption overruns, etc.
      (6) Improving the quality of IS is part of a worldwide trend to improve the quality of goods and services sold by organisations.
    ii) Major functions of QA personnel: six functions:
      (1) developing quality goals for the IS function overall and for individual IS projects
      (2) developing, promulgating and maintaining standards for the IS projects
      (3) monitoring compliance with QA standards
      (4) identifying areas for improvement
      (5) reporting to management
      (6) training personnel in QA standards and procedures
    iii) Organisational considerations: The QA function should be placed so that the manager of the QA function reports to the executive who has overall responsibility for the information systems function.
    iv) Problems encountered when attempting to staff the QA function:
      (1) QA personnel need to be well trained and competent; otherwise, they will not command the respect of the IS personnel whose work they must evaluate.
      (2) QA personnel require a high level of interpersonal skills if they are to bring about a successful resolution to disputes that arise.
      (3) It is often difficult to attract competent staff to QA positions because development, implementation, operations and maintenance work generally has higher prestige.
    v) Ways in which the work of internal and external auditors might be changed by the existence of a QA function:
      (1) If the QA function is in place and working reliably, auditors might reduce the extent of the substantive testing they undertake.
      (2) QA personnel most likely will undertake more extensive testing of IS controls than auditors. Thus, auditors should be able to place higher reliance on controls when planning their audits.
      (3) Auditors can change the focus of their tests to ensuring the QA function works reliably instead of undertaking extensive direct tests of information systems controls.
      (4) The existence of a QA function evidences management commitment to control within their organisation. Overall, auditors should be able to assess control risk (and perhaps inherent risk) as lower.