Kế toán, kiểm toán - Chapter 12: Monitoring and auditing ais

Chapter 12Monitoring and Auditing AISCopyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.Learning ObjectivesLO#1 Understand the risks involved with computer hardware and software.LO#2 Understand and apply computer-assisted audit techniques.LO#3 Explain continuous auditing in AIS.12-2Computer hardware and SoftwareOperating System (OS) (the most important system software)Database SystemsLocal Networks (LANs)Wide Area Networks (WANs)Virtual Private Networks (VPNs)Wireless NetworksRemote AccessLO# 112-3Operating System (OS)To ensure the integrity of the systemTo control the flow of multiprogramming and tasks of scheduling in the computer To allocate computer resources to users and applications To manage the interfaces with the computer LO# 112-4Operating System (OS) (Contd.)Five fundamental control objectives:Protect itself from usersProtect users from each otherProtect users from themselvesBe protected from itselfBe protected from its environment Operating system security should be included as part of IT governance in establishing proper policies and procedures for IT controls. LO# 112-5Database SystemsA database is a shared collection of logically related data which meets the information needs of a firm. A data warehouse is a centralized collection of firm-wide data for a relatively long period of time. Operational databases is for daily operations and often includes data for the current fiscal year only.Data mining is the process of searching for patterns in the data in a data warehouse and data analyzing these patterns for decision making. (OLAP)Data governance is the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm.LO# 112-6LANsA local area network (LAN): a group of computers, printers, and other devices connected to the same network that covers a limited geographic range. LAN devices include hubs and switches. --hubs (broadcasts through multiple ports) --switches (provides a path for each pair of connections) --Switches provide a significant improvement over hubs LO# 112-7WANs Wide area networks (WANs) link different sites together, transmit information across geographically and cover a broad geographic area. --to provide remote access to employees or customers --to link two or more sites within the firm --to provide corporate access to the Internet routers and firewallsLO# 112-8WANs (Contd.)Routers: connects different LANs, software-based intelligent devices, examines the Internet Protocol (IP) addressFirewalls: a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet. Virtual Private Network (VPN)LO# 112-9Wireless Networks A Wireless Network is comprised of two fundamental architectural components: access points and stations. An access point logically connects stations to a firm’s network.A station is a wireless endpoint device equipped with a wireless Network Interface Card (NIC).LO# 112-10Wireless Networks (Contd.)Benefits of using wireless technology:--Mobility --Rapid deployment--Flexibility and Scalability --Confidentiality--Integrity --Availability--Access Control --Eavesdropping--Man-in-the-Middle --Masquerading--Message Modification --Message Replay--Misappropriation --Traffic Analysis--Rogue Access Point LO# 112-11Security Controls in Wireless NetworksManagement Controls--management of risk and information system securityOperational Controls--protecting a firm’s premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party usersTechnical Controls--primarily implemented and executed through mechanisms contained in computing related equipments LO# 112-12Computer-assisted Audit Techniques (CAATs)CAATs are imperative tools for auditors to conduct an audit in accordance with heightened auditing standards. Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor’s professional responsibilitiesInformation Systems Auditing Standards (ISASs) provides guidelines for conducting an IS/IT audit (issued by ISACA)According to the Institute of Internal Auditors’ (IIA) professional practice standard section 1220.A2, internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits. LO# 212-13Use CAATs in Auditing SystemsTest of details of transactions and balancesAnalytical review proceduresCompliance tests of IT general and application controlsOperating system and network vulnerability assessments Application security testing and source code security scansPenetration TestingTwo approaches:Auditing around the computer (the black-box approach)Auditing through the computer (the white-box approach)LO# 212-14Auditing around the computer (the black-box approach)First calculating expected results from the transactions entered into the systemThen comparing these calculations to the processing or output resultsThe advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple.LO# 212-15Auditing through the computer (the white-box approach) The white-box approach requires auditors to understand the internal logic of the system/application being tested. The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module. LO# 212-16Generalized Audit Software (GAS)Frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis. Directly read and access data from various database platformsprovides auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. --Audit Control Language (ACL) --Interactive Date Extraction and Analysis (IDEA)LO# 212-17Continuous AuditLO# 312-18Fraud Schemes and Corresponding Proposed Alarms under Continuous AuditsLO# 312-19Implementation of Continuous AuditingExtensible Markup Language (XML)Extensible Business Reporting Language (XBRL)Database management systemsTransaction logging and query toolsData warehousesData mining or computer-assisted audit techniques (CAATs)LO# 312-20Implementation of Continuous Auditing (Contd.)Non-technical barriers and technical challenges existA general template that a steering team or the internal audit function can use: --Evaluate the overall benefit and cost --Develop a strategy --Plan and design how to implement continuous auditing --Implement continuous auditing --Performance monitoring LO# 312-21