Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost. At a high level, this is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls. Show Extracted from CISM Review Course, 2005 Risk is a feature of business life and since it is impractical and uneconomical to eliminate all risks, every organization has a level of risk it will accept. Faced with risk, organizations have four strategic choices:
Risk Analysis Framework Risk Management Process – main elements – Establish context – Identify risks – Analyze risks – Evaluate risks – Treat risks – Monitor and Review – Communicate and consult Understanding the CIS Environment CIS, Financial Management Systems or Integrated Accounting Systems
Characteristics of computerized accounting system Financial Management Systems Monitoring, Controlling, Reporting & Decision Making Sales, Purchasing, Inventory Marketing Acc Payable Acc Receivable Bad Debts Depreciation P&L Understanding the CIS Environment CIS Processing – operational source of data, e.g transaction records, customer records, inventory records,
CIS Processing – results of operations or administrative accounting in accordance with accounting policies and procedures
2 v 2 Lecture Objectives Understanding the CIS environment The effect of computerization in general and on internal controls Types of general & application controls used in CIS processes The audit process in a CIS environment To know the techniques of auditing using CAATs THE EFFECT OF CIS IN GENERAL AND ITS IMPACT ON INTERNAL CONTROL 2 Understanding the CIS Environment This first part outlines the following:
Internal Control DEFINITION Internal control is a company’s system, defined and implemented under its responsibility. It comprises a set of resources, patterns of conduct, procedures and actions adapted to the individual characteristics of each company which:
COSO1 defines internal control as: “A process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations. • Reliability of financial reporting. • Compliance with applicable laws and regulations.” Internal control is a company’s system, defined and implemented under its responsibility, which aims to ensure that:
and generally, contributes to the control over its activities, to the efficiency of its operations and to the efficient utilisation of its resources. Internal Control Framework: IIA Website COSO Internal Control Integrated Network Internal Control Components
Risk identification
Risk analysis
Risk management procedures
Control activities proportionate to the implications of each individual process and designed to reduce the risks that could affect the company s ability to achieve its objectives; Nature of Control vs Impact
COSO Monitoring Process
Interrelationships of CobiT Controls in CIS Environment Impact on Internal Control environment An example of impact of Internal Control in CIS would be the application of IT Controls. IT Control Components The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical series of steps. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change. Assessing IT Controls GTAG1 IT Control Components IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data. IT Controls BUSINESS AND IT CONTROLS The enterprise’s system of internal controls impacts IT at three levels:
3 v 2 Lecture Objectives Understanding the CIS environment The effect of computerization in general and on internal controls Types of general & application controls used in CIS processes The audit process in a CIS environment To know the techniques of auditing using CAATs TYPES OF CONTROL IN A CIS ENVIRONMENT 3 Understanding the CIS Environment This third part outlines the following:
Controls in CIS Environment In a CIS Environment, there are generally 2 categories of controls, General CIS Environmental Controls and Application System Controls Firstly, these controls are to address the computerized environment and secondly, there are specific controls to address the different business applications in such an environment. General Controls in CIS Environment These are usually defined as:
General Controls in CIS Environment Data Centre or Computer Operation Controls These are primarily controls that relate to data processing security and controls. These controls relate to the security of the data centre, batch processing of data, backups and custody of storage media. It is also important that such an environment is not accessed by unauthorized persons such as programmers and hackers as this could compromised the data integrity. Software Development Controls These are controls that ensure all program changes are duly authorized. Unauthorized changes can be due to attempts to defraud by exempting accounts from being processed or processed in an improper manner, inconsistent with authorized policies and procedures. System Security Controls (Access Security) These are controls that provides privileges or rights of access to specific individual or group of persons in accordance with their tasks and job functions. Improper assignment of such access rights can result in unauthorized access to data and other information and resources. System Security Controls (Access Security) Access Security Control These include physical protection of computer equipment, software and data and also loss of assets and information through theft and unauthorised use. For example, special room for computer and equipments or separate building and accessible to the room or building must be limited to the authorised personnel only. Also includes recovery procedures for lost data. Example: Financial Institutions. Application Software Development, Acquisition and Maintenance Controls These are controls that ensure any software acquired to be of specific standards for integration and installation purposes into the current systems. Any non-compliance may result in incompatible software acquired or failure of integration. Application system acquisition, development and maintenance controls Application system; for example an accounting system for reporting and decision-making. Controls on these is critical for ensuring the reliability of information processing. It might be better to have involvement of internal and external auditors in early stage to design the system to ensure proper control incorporate to the system. These are usually defined as:
The objective is to ensure or preserve data integrity. These are usually defined as: Input Controls These are usually controls over source documents and can be in both physical and virtual forms. Physical would be in form of restricted access or custody, serially pre-numbered, controlled items. Virtual can be that upon keying in the systems assigns unique identification codes, transaction codes, etc. Input Controls To ensure the following:
These are usually defined as: Processing Controls These controls are in form of e.g. batch numbers, control totals, hash totals, hash count, system assigned prefixes or suffixes to transaction numbers. These controls will ensure that there are no unauthorized or fraudulent transactions ‘inserted’ in the output or transaction listings. These are usually defined as: Processing Controls Control over processing and computer data files
These are usually defined as: Output Controls These are similar to processing controls but they are for output purposes to ensure accuracy and reliability of data generated. With the output reports or listings generated or output files, there will be similar processing checks in form of control totals, hash counts, suffixes, integrity identifier codes generated. These are usually defined as: Output Controls Designed to provide reasonable assurance that:-
Issuing of Purchase Requisition to Acccepting the Purchase Invoice – Segregation of duties between the user department ordering the goods, the goods received department, the procurement department and the accounts department – Before issuing the purchase order, the buying department should check that the user department is authorised to purchase the goods that have requested. – Goods are only purchased from authorised supplier. If it is a new supplier, validation of that supplier should be done before the order. Issuing of Purchase Requisition to Acccepting the Purchase Invoice cont’d – Must be independent check from buying department on the quality, price and service of the supplier. – The purchase order should be keyed into computer by procurement department, sent to supplier, user department and accounts department. – Accounts department upon receipt of purchase invoice, match with purchase order. – User department check the goods against requisitions and specifications. Business, General & Application Controls Application Controls Versus IT General Controls
Information Technology General Controls The most common ITGCs are:
Difference
Nature of Application Controls
Benefits of Application Controls
– Reduces likelihood of errors due to manual intervention
– Reliance on IT general controls can lead to concluding the application controls are effective year to year without re-testing
– Typically application controls take less time to test and only require testing once as long as the IT general controls are effective Sample Detailed Review Program
– Test input controls to ensure transactions are added into and accepted by the application, processed only once and have no duplications – Test processing controls to ensure transactions are accepted by the application, processed with valid logic, carried through all phases of processing and updated to the correct data files Conclusion
4 v 2 Lecture Objectives Understanding the CIS environment The effect of computerization in general and on internal controls Types of general & application controls used in CIS processes The audit process in a CIS environment To know the techniques of auditing using CAATs AUDITING IN A CIS ENVIRONMENT 4 This fourth part outlines the following:
AUDIT APPROACH Auditing takes place usually after the risk analysis or evaluation and the implementation of internal controls. The purpose is to ensure that all risks are adequately addressed, shortcomings and weaknesses are duly reported on continuous basis. Identified and understood the environment. What are the risks and controls in such an environment? What are the specific application controls in such an environment? To review such risks and controls and plan an audit. Auditing in CIS environment
– Skill and Competence – Planning – Risk assessment, i.e. assessment of inherent risk and control risk – Audit procedures
AUDIT SKILL & COMPETENCY Skill and Competence
Design of Controls
Controls Testing
Application Reviews
AUDIT RISK ASSESSMENT Assess Risk
These techniques include: • The review’s nature, timing, and extent. • The critical business functions supported by application controls. • The extent of time and resources to be expended on the review. In addition, auditors should ask four key questions when determining the review’s appropriate scope:
2. Which business processes are impacted by these risks? 3. Which systems are used to perform these processes? 4. Where are processes performed
Risk Assessment The nature of the risk in CIS environment includes:- n Lack of transaction trail. Audit trail may available for the short period or not in the form of computer readable form. Or if the transaction is too complex and high volume, errors may embedded in application’s program logic and difficult to detect on a timely basis. n Lack of segregation of duties. Many of control procedures are performed by separate individual in manual systems but may not in CIS. n Potential for errors and irregularities. Potential for human error and unable to detect the error may be greater in CIS. Also the potential of unauthorised access to data without visible evidence may be greater in CIS than manual system. Furthermore, decreased human involvement in handling transaction in CIS can reduce “check and balance” activities that may cause error unable to detect. Risk Assessment The nature of the risk in CIS environment includes:- Initiation or execution of transaction. CIS may have capabilities to execution transaction automatically. For example calculation of depreciation. The authorization for transaction is not available. Lack of visible output. Certain transaction or result may not be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by computer. Ease of access to data and computer programs. Data and computer programs can be accessed and altered at the computer or from the remote location. Therefore, auditor should review the appropriate control measure to prevented unauthorised access and alteration of the data. What can go wrong? Availability, security, integrity, confidentiality, effectiveness and efficiency
– Pervasive: impact the enterprise as a whole – Specific risks
– Each company will have a unique risk profile – IT-related risk is not static , but changing dynamically – Proliferation: when evaluating IT-related risk, keep in mind its additive nature
– Be performed in depth every year, not just an update of the prior year. – Considers all the layers of the IT environment. – Considers both static and dynamic risks. – Not strictly be based on interviews, but use other discovery techniques. – Be supplemented with the appropriate level of analysis after discovery. – Be performed by the appropriate personnel. AUDIT PLANNING
• All review procedures to be performed. • Any computer-assisted tools, techniques used & how they are used. • Sample sizes, if applicable. • Review items to be selected. • Timing of the review.
• Management’s concerns regarding risks. • Previously reported issues. • Internal auditing’s risk and control assessment. • A summary of the review’s methodology. • The review’s scope. • How concerns will be communicated. Planning In Planning, auditor should obtain an understanding the significance and complexity of CIS activities and the availability of data for use in the audit. The understanding include:-
3. The Computer performs complicated computations of financial information. 4. Transactions are exchanged electronically with other organization. 5. Organization structure of entity also may changed. For example: IT department as part of the structure and responsible for control application of CIS as a whole. 6. The availability of data such as source document, computer data files and other evidential matter that may required by the auditor.
AUDIT PROCEDURES Business Process Method
Documentation Techniques
Flowcharts
Process Narratives
Audit procedures The auditor’s specific objective do not change whether the accounting data is processed manually or by the computer. However, method of applying audit procedures to gather evidence may different. Auditor may perform audit procedures manually or use CAAT or combination of both. Auditing around the computer Auditor does not examine the computer processing but perform procedures to obtain understanding accounting and internal control:-
information by comparing the output reports with the input documents
– Auditor performing test of control and substantive test. For example: “test data” enable the auditor to examine the computer processing, internal control of the client CIS. – Auditor may used use CAAT in this procedures. CAAT – helps auditor in organizing, analyzing and extracting computerized data and re-performing computation and other processing. Executing IT Auditing
– COSO, CoBIT, ISO27001/17799… 5 v 2 Lecture Objectives Understanding the CIS environment The effect of computerization in general and on internal controls Types of general & application controls used in CIS processes The audit process in a CIS environment To know the techniques of auditing using CAATs COMPUTER AS AN AUDIT TOOL AND COMPUTER-ASSISTED AUDIT TECHNIQUES 5 Understanding the CIS Environment This part outlines the following:
The use of computer as an Audit Tool Auditor take laptops to the client’s premises for use as an audit tool to perform various audit task, such as:-
Computer-assisted Audit Techniques
Using CAATs – IS Auditing Guideline G3
• Tests of details of transactions and balances • Analytical review procedures • Compliance tests of IS general controls • Compliance tests of IS application controls • Penetration testing
Pre-requisites of Using CAATs Connectivity and Access to Data The auditor then needs to obtain “read only” access to the files/tables that hold the data and can transfer the data files to the notebook computer. Once this is done, the audit software can use the data files and perform the audit. It is necessary to ensure that the data that are downloaded are the actual copy from the real production data. Knowledge of the Application and Data The auditor needs to get the file description and the data field types. If certain codes are used in the tables, the corresponding description of the codes also needs to be known. Audit Skills and Identifying the Concerns This is probably even more basic than the skill needed to download the data. Audit software has many features but the features cannot perform an audit on their own. The auditor has to design the procedures and tests. The tests that the auditor carries out are designed using the knowledge of the application, the business rules behind the function and the findings of the application review. The kind of tests that are run will vary with the applications. For example, in a procurement audit, the auditor may download the purchase order and related files and perform analysis of prices. In a financial accounting application, the auditor may analyze expenses on dollar value, revenue expenditure, account head, and department or cost code. In a banking application, the auditor may verify interest payments using the audit software. In a sales application, the correctness of product prices or incentives may be analyzed. It is the audit skill of determining what is to be verified and tested, coupled with the knowledge of the business and the application, that makes the software actually do the audit work. Issues
Computer-Assisted Audit Techniques (CAATs)
– The absence of input document or lack of visible audit trail – The effectiveness of efficiency of auditing procedures may be improved through the use of CAATs.
Audit software are used during substantive testing to determine the reliability of accounting controls and integrity of computerised accounting records. Typical testing includes:- – Calculation checks, check addition, select high value, negative value – Detecting violation of system rules – e.g. the program checks all accounts on sales ledger to ensure that no customer has a balance above credit limit – Detecting unreasonable items – e.g. check that no customers are allowed trade discount of more than 50% – Conducting new calculations and analyses – e.g. obtain analysis of static and slow moving stocks – Selecting items for audit testing – e.g. obtain the sample to sent confirmation. – Completeness checks – e.g. checking continuity of sales invoices to ensure they are all accounted for.
– If no visible evidence available and the only way is CAATs – Cost that associated with CAATs – The extent of the ability of CAATs to perform test on various financial statements items. – Time. Report need to be produced by the auditors within comparatively short time period. In such cases it may be more efficient to use CAATs. – The condition of hardware (computer) and the ability to support CAATs.
– Package Programs or Generalised Audit Software (GAS) – Written Programs or Custom Audit Software.
– Package programs are generalized computer programs designed to perform data processing functions such as read and extract data from entity’s computer files or database for further audit testing, perform calculation, selecting sample and provide report. – For example, application of package program on Account Receivables.
– Written program is audit software written by the auditors for specific audit tasks and it is necessary when the entity’s CIS system is not compatible with Generalized Audit Software. It is good to develop if the auditor can use it in doing auditing for the future. However, it is expensive, take longer time to develop and need modification for every time an entity’s change their system. Auditor also need an IT expert to help in developing the program.
– The auditor uses test data primarily for testing the application controls in the entity’s computer programmes. – For example: Auditor creates a set of simulated data which include both valid data and invalid data. Then, the auditor manually calculates the result from the simulated data. – With the simulation data entered into the entity’s computer program, the valid data should be properly processed and invalid data should be identified as error. The results are compared to the auditor’s predetermined result. – Another example: Unauthorized password may be used in an attempt to gain entry, transaction with incorrect coding and transaction with non-existing customer or suppliers. These to ensure that the system is properly rejects invalid transactions Potential benefit of using CAATs ……
OTHER ASPECTS OF IT ASSURANCE, SECURITY & GOVERNANCE IT Assurance – Performing audit over IT resources IT Security – Securing IT resources IT Governance – Understanding and Commitment of the Board and Management SOURCES MIA Handbook on International Audit Guidelines Information Security and Control Association website (http://www.isaca.org) Institute of Internal Auditors’ website (http://www.theiia.org) Certified Fraud Examiners Handbook Federal Reserve website Information Security sites; SANS, CCCure, etc. Information Security manuals, standards; NIST, ITIL, CoBIT, IEC/ISO 27001 Advertisement Share this:Like this:Like Loading... 3 Comments » 3 Responses
|
