7/25/2019 ADM 4346 Accounting Information Systems Auditing
1/137
ADM 4346:
Don't worry about chapters 3, 4, 5, 8 or other readings
List and describe questions
For chapter 10
Use words from the slides when possible
Contents
Slide 1 - Accounting Information Systems and the Accountant - Chapter 1 - page 2
Slide 2 - Information Technology and Accounting Information Systems - Chapter 2 - page 14
Slide 3 - Data Modelling - Chapter 3 - page 23
Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5 - page 30
Slide 6 - Documenting Accounting Information Systems - Chapter 6
Slide 7 - Accounting Information Systems and Business Processes - Chapter 7
Slide 9 - Introduction to Internal Control Systems - Chapter 9
Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 (textbook page 311)
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11A
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11B
Slide 11 - Information Technology Auditing - Chapter 12
Slide 11 - Developing and Implementing Effective AISs - Chapter 13 - page 120
Slide 1 - Accounting Information Systems and the Accountant - Chapter 1
Learning Objectives
Explain the differences between the terms:
Systems, information systems, information technology, and accounting information systems.
Explain how information technology (IT)
Influences accounting systems
Supports the use of business intelligence (e.g. dashboards and scorecards) and
Is changing financial reporting (e.g. XBRL)
Show why auditors provide a variety of assurance services
Be more aware of advances in accounting information systems
Be familiar with
Suspicious activity reporting and
Career opportunities that combine accounting and IT knowledge and skills
What is a System?
Consists of
People, Tools and Objects
Can be:
Manual
Partial or fully automated
What Are Accounting Information Systems?
Accounting Information System (AIS):
collection of data, processing procedures, and outputs
creates needed information for users
can be manual or computerized
serves internal and external users
Accounting Information Systems
What's New in AIS?
Sustainability Reporting (MII)
Measuring non-financial performance
Qualitative as well as quantitative information
Impacts on income and future performance
The Accountant's Challenge
Provide information to support:
Decision-making
Business and government processes
Accounting and finance
Non-accountants in planning and control
Accounting Information Systems
Fulfills three important business functions:
Collect and store data about organizational activities, resources and personnel
Transform data into information so management can plan, execute, control and evaluate activities, resources and personnel
Provide adequate controls to safeguard the organization's assets and data
AIS also supports non-financial business processes:
Supply chain management - inventory level, demand trends, supplier relationship management
Marketing - sales management, forecasts and summaries, customer relationship management
Human Resources - workforce planning, employment recruitment, retention and development, and payroll
Production - inventory summaries, product cost analysis, material requirements planning
Finance - cash and asset management, multi-company management, credit card transactions
How AIS Adds Value
AIS can add value to the organization by:
1. Improving quality and reducing costs of products or services
2. Improving efficiency
3. Sharing knowledge
4. Improving efficiency and effectiveness of the supply chain
5. Improving the internal control structure
6. Improving decision making
AIS Interactions
Data vs Information
Data
Information
What is Data? Facts
Data Formatted into Information
Data Analytics: design your own report
Information Integrity and Value (RATCR)
Information Systems
Information and Business Decisions
Business processes get things done.
These processes are a set of structured activities that are performed by people, machines, or both to achieve a specific goal.
Information and key decisions result from these business processes.
AIS Relationship with Business Decisions
Organization goals, objectives, culture and IT influence the AIS and vice versa.
The Information Age
IT a major force in society
Consumer technology enables online shopping, communications and education
Computers enable changes in commerce
Knowledge workers
Produce, analyze, manipulate, and distribute information
Focus on business activities
Accountants have always been knowledge workers
Trends in IT
e-Commerce - buying and selling on the Internet
e-Business - conducting all aspects of business over the Internet
ERP (enterprise resource planning)
Information sources, systems and applications for all business systems - accessible by all business functions
Cloud Computing
Data storage
Infrastructure and platform
Application
What's New in AIS?
Suspicious Activity Reporting (SAR)
Used by banks and certain other financial institutions
Detailed reporting on various financial transactions
Combats money laundering, funding terrorism
SAR basically affects any place money can be laundered.
Forensic accounting, governmental accountants, and terrorism
Combines skills of investigation, accounting, and auditing
Seeks patterns in financial data
Provides indicators of fraud, money laundering, financial support of terrorism
Traces arms and chemical orders to final destination
Combats cyber terrorism
Suspicious Activity Reporting
SAR laws require accountants to report questionable transactions to the Minister of Finance
FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) - authority based on the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
Objective is to implement specific measures to detect and deter money laundering and the financing of terrorist activities to facilitate the investigation or prosecution of money laundering and terrorist financing offences.
Institutions affected: banks, broker dealers, money service businesses (e.g. currency traders), casinos and card clubs, commodity traders, insurance companies and mutual funds.
Accounting and IT (Figure 1-6)
IT impacts all major areas of accounting practice
The Accounting Cycle (Figure 1-…)
1. … (not "Alb" or "Ab")
2. AND / OR logic
3. Join tables properly
4. Name queries systematically (not Qry1, Qry2)
5. Selective data fields - meet your requirements
Creating the Query
Query Answer
Designing Reports
1. Select underlying tables (data sources) and fields
2. Indicate grouping levels if required (e.g. by province)
3. Indicate sort fields (e.g. by customer name)
4. Name and save report
5. Modify report as desired (e.g. add graphics, colour)
Discussion
1. Identify the data files and relations that would be required to verify that all Vendor Invoice (A/P) amounts agree with receipted amounts (i.e. unit cost in A/P equals unit price in the inventory file).
Final output should include the following fields: vendor number, name and address, product number, product description, product class, class description and unit price.
2. Draw the relationship diagram showing the data files and the foreign keys.
3. Identify the controls that should be in place to ensure amounts are equal.
Record Layouts for Tables
ACL Demo
Demo of ACL
Relate command
Filter
Creating Simple Forms
Two options for creating a simple form:
1. Design from scratch using "Blank Form"
2. Enter the appropriate settings in the Form Wizard
Form Wizard: First Screen (Figure 5-4a)
Form Wizard: Second Screen (Figure 5-4b)
Form Wizard: Third Screen (Figure 5-4c)
Creating Simple Forms
After the form is created, customize it
Form controls are objects such as textboxes and labels
Bound controls are textboxes, drop down boxes
Unbound controls are labels, pictures
Property sheet window can customize a control
Control source property
Key Terms
Data definition language (DDL)
Data manipulation language (DML)
Data query language (DQL)
Data type
Field properties
Input masks
Query
Referential integrity
Schema
Structured query language (SQL)
Validation rule
Exercise 5-1
Quantity Received > Quantity Ordered
You have determined that there is no control to ensure that the quantity received is what was ordered. As a result, the Quantity Received can be more than the Quantity Ordered.
Identify three people who could take advantage of this control weakness and how they could do so.
For each identify a benefit - why might they do so?
For each - what would be an appropriate control?
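The vendor-invoice price verification from the Discussion above and the Quantity Received > Quantity Ordered gap from Exercise 5-1, worked as an added Python/SQLite example that is not part of the course notes: the table and column names, sample rows, queries and trigger are all constructed assumptions, with the queries as detective controls and the trigger as one possible preventive control.

```python
"""Detective queries and a preventive trigger for the two purchasing controls above.
Added example, not from the course notes; every table, column and row is a
constructed assumption chosen to mirror the fields the Discussion asks for."""
import sqlite3

SCHEMA = """
CREATE TABLE Vendor(vendor_no INTEGER PRIMARY KEY, name TEXT, address TEXT);
CREATE TABLE ProductClass(class_code TEXT PRIMARY KEY, class_desc TEXT);
CREATE TABLE Inventory(product_no TEXT PRIMARY KEY, product_desc TEXT,
                       class_code TEXT REFERENCES ProductClass, unit_price REAL);
CREATE TABLE PurchaseOrder(po_no INTEGER PRIMARY KEY, vendor_no INTEGER REFERENCES Vendor,
                           product_no TEXT REFERENCES Inventory, qty_ordered INTEGER);
CREATE TABLE Receipt(receipt_no INTEGER PRIMARY KEY, po_no INTEGER REFERENCES PurchaseOrder,
                     qty_received INTEGER);
CREATE TABLE VendorInvoice(invoice_no TEXT PRIMARY KEY, vendor_no INTEGER REFERENCES Vendor,
                           product_no TEXT REFERENCES Inventory, unit_cost REAL);
"""

# Constructed sample data: receipt 2 over-receives PO 5002, and invoice B-12
# bills P-2 above the inventory file's unit price, so each query flags one row.
SAMPLE_ROWS = [
    ("INSERT INTO Vendor VALUES(?,?,?)",
     [(100, "Acme Supply", "1 Main St"), (101, "Borealis Ltd", "9 Bay St")]),
    ("INSERT INTO ProductClass VALUES(?,?)",
     [("RM", "Raw material"), ("PK", "Packaging")]),
    ("INSERT INTO Inventory VALUES(?,?,?,?)",
     [("P-1", "Sugar 25kg", "RM", 18.50), ("P-2", "Cups 1000", "PK", 42.00)]),
    ("INSERT INTO PurchaseOrder VALUES(?,?,?,?)",
     [(5001, 100, "P-1", 40), (5002, 101, "P-2", 10), (5003, 100, "P-1", 5),
      (5004, 101, "P-2", 20)]),
    ("INSERT INTO Receipt VALUES(?,?,?)", [(1, 5001, 40), (2, 5002, 12), (3, 5003, 5)]),
    ("INSERT INTO VendorInvoice VALUES(?,?,?,?)",
     [("A-77", 100, "P-1", 18.50), ("B-12", 101, "P-2", 45.00)]),
]

# Discussion item 1 (detective): invoice lines whose unit cost differs from the
# inventory unit price, reported with the requested vendor/product/class fields.
PRICE_MISMATCH_SQL = """
SELECT v.vendor_no, v.name, v.address, i.product_no, i.product_desc,
       i.class_code, c.class_desc, i.unit_price, vi.unit_cost
FROM VendorInvoice vi
JOIN Vendor v       ON v.vendor_no = vi.vendor_no
JOIN Inventory i    ON i.product_no = vi.product_no
JOIN ProductClass c ON c.class_code = i.class_code
WHERE ABS(vi.unit_cost - i.unit_price) > 0.005
ORDER BY v.vendor_no, i.product_no
"""

# Exercise 5-1 (detective): purchase orders where the total quantity received
# exceeds the quantity ordered.
OVER_RECEIPT_SQL = """
SELECT po.po_no, po.vendor_no, po.product_no, po.qty_ordered,
       SUM(r.qty_received) AS qty_received
FROM PurchaseOrder po JOIN Receipt r ON r.po_no = po.po_no
GROUP BY po.po_no
HAVING SUM(r.qty_received) > po.qty_ordered
"""

# Exercise 5-1 (preventive): reject any receipt that would push the cumulative
# quantity received for its purchase order past the quantity ordered.
OVER_RECEIPT_TRIGGER = """
CREATE TRIGGER IF NOT EXISTS receipt_within_order BEFORE INSERT ON Receipt
BEGIN
    SELECT RAISE(ABORT, 'quantity received exceeds quantity ordered')
    WHERE NEW.qty_received
          + COALESCE((SELECT SUM(qty_received) FROM Receipt WHERE po_no = NEW.po_no), 0)
          > (SELECT qty_ordered FROM PurchaseOrder WHERE po_no = NEW.po_no);
END;
"""

def build_db():
    """In-memory database with the constructed rows loaded and no receipt control yet."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # a receipt must reference a real PO
    con.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        con.executemany(sql, rows)
    con.commit()
    return con

def price_mismatches(con):
    return con.execute(PRICE_MISMATCH_SQL).fetchall()

def over_receipts(con):
    return con.execute(OVER_RECEIPT_SQL).fetchall()

def add_preventive_control(con):
    con.executescript(OVER_RECEIPT_TRIGGER)

def record_receipt(con, receipt_no, po_no, qty_received):
    """True if the receipt was stored, False if the trigger (or FK check) rejected it."""
    try:
        with con:
            con.execute("INSERT INTO Receipt VALUES(?,?,?)", (receipt_no, po_no, qty_received))
        return True
    except sqlite3.IntegrityError:
        return False
```

The detective queries are what an ACL-style review would run over the files periodically; the trigger stops the over-receipt at entry time, which is the kind of control the exercise asks you to propose.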
Homework Assignment
Groups
Complete on Blackboard (4-6 per group)
Select case (first-come-first-served)
Exercise 5-1:
Quantity Received > Quantity Ordered
Slide 6 - Documenting Accounting Information Systems - Chapter 6
Learning Objectives
After reading this chapter you will:
Understand why documenting an AIS is important to the organization and its auditors
Be able to create simple data flow diagrams and document flowcharts and explain how they describe the flow of data in AISs
Be able to create simple system flow diagrams and process maps and interpret these diagrams
Describe how program flowcharts and decision tables help document AISs
Describe software for documenting AISs
Documentation
Documentation includes flowcharts, narratives, etc. that describe the inputs, processing and outputs of the AIS. Documentation is important for:
1. Depicting how a system works
2. Training users
3. Designing new systems
4. Controlling system development and maintenance costs
5. Standardizing communication with others
6. Auditing AISs
7. Documenting business processes
8. Complying with regulation such as C-SOX
9. Establishing accountability
Along with control
Makes it easier to do a lot of these things.
Primary Documentation Methods
Systems are frequently deficient in documentation due to implementation pressures
Four common documentation methods:
Data flow diagrams
Document flowcharts
System flowcharts
Process maps
Data Flow Diagrams
Uses
In systems development process
Tool for analyzing an existing system
Describes sources and destinations of data
Types
Context
Physical
Logical
Types of DFDs
Context Diagrams
Data Flow Diagrams
Physical Data Flow Diagrams
Focus on physical entities, tangible documents, and reports flowing through the system
Include same inputs and outputs as predecessor context diagram
List job titles of employees
Are simple, more readable, and easier to interpret
Data Flow Diagrams
Logical Data Flow Diagrams
Identify what participants do
Bubbles indicate a task the system performs
Data Flow Diagrams
- You have more information and things are broken down (logical flow of information)
- Circles, instead of showing employees and their job titles, show the jobs that are being performed
Decomposition
Exploding of data flow diagrams to show more detail
Level 0 data flow diagrams exploded into successive levels of detail
Level 1 data flow diagrams
3.1 - Compute gross pay
3.2 - Compute payroll deductions
Data Flow Diagrams
- All of that needs to be done to process pay cheques
- It's always an action
Types of Flowcharts
Document: shows the flow of documents and data for a process, useful in evaluating internal controls
Systems: depicts the data processing cycle for a process
Program: illustrates the sequences of logic in the system process
Creating Data Flow Diagrams
Example: Lemonade stand
Steps:
1. Create a list of business transactions
2. Construct Context Level DFD (identifies system and entities)
3. Construct Level 0 DFD (identifies manageable sub-processes)
4. Construct Level 1-n DFD (identifies actual data flows and data stores)
Create a list of business transactions
Customer Order
Serve Product
Collect Payment
Produce Product
Store Product
Order Raw Materials
Pay for Raw Materials
Pay for Labor
Create a list of functional activities
Context Level Data Flow Diagram
Level 0 Data Flow Diagram
Process Decomposition
Level 1 Data Flow Diagram
Document Flows basic symbols - do not need to know for midterm exam
Drawing a Document Flowchart
Steps:
1. Identify "who"
2. Identify the documents
3. Identify where documents are created, processed, and used
Simple Document Flowchart
System Flowchart Symbols
Simple System Flowchart
Business Process Diagram Preparation
Build swim lanes
- Identify areas of responsibility for each person involved in the process - list across top or side of page
Diagram events or tasks
- Sequence of events (in order from top to bottom and left to right)
Draw documents
- Documents and reports created or used in the process
Draw data files
- Data files created or used in the process
- Dotted lines with arrows indicate the direction information flows
Simple Process Map
Exercise 6-1
In groups of 3-4, develop a process map for one of the following:
- Purchase of a house or car
- Rental of an apartment
- Other - your choice
Identify:
- Key players (at least 3)
- Events and documents
- Key control points
- For each control point identify data analysis tests
Purchase of House
Flowchart Tools
Microsoft
Visio
PowerPoint
Word
CASE tools
Variety of other software - online, free
Key Terms
CASE (Computer-assisted software engineering) tools
Context diagram
Data flow diagrams (DFDs)
Decision table
Decomposition
Document flowchart
End-user computing
Graphical documentation
Job stream
Level 0 data flow diagram
Level 1 data flow diagram
Logical data flow diagrams
Object oriented software
Physical data flow diagram
Process maps
Program flowcharts
Rapid application development
Sandwich rule
Scope
Signed checklist
Structured programming
System flowcharts
Homework Assignment
Problem 6-12 p. 201
Case analysis 6-21 p. 20…
Slide 7 - Accounting Information Systems and Business Processes - Chapter 7
Learning Objectives
After reading this chapter you will:
Be able to describe the steps in the financial accounting process and the role of AIS in each step
Be able to demonstrate the use of journals and ledgers to assist in processing accounting transactions
Recognize different types of coding systems used by AISs
Understand why planning an AIS starts with the design of the outputs in order to meet the user's information needs
Recognize the objectives and map the inputs and outputs of the sales and purchasing process
Business Process Fundamentals
The fundamentals of accounting are embedded in modern AIS:
Journals
Ledgers
Trial Balance
Financial Statements
Enable the accounting cycle from transaction recording to financial reporting
Financial Accounting Cycle Steps
1. Record transaction in journal
2. Post journal entries to ledger
3. Prepare unadjusted trial balance
4. Post and record adjusting journal entries
5. Prepare adjusted trial balance
6. Prepare financial statements
7. Record and post closing journal entries
8. Prepare a post-closing trial balance
AIS Financial Accounting Cycle
Coding Systems
Code Types:
Mnemonic (e.g. S, M, L, XL)
Alphanumeric - uses letters and numbers
Sequence - sequential set of numbers (e.g. customer accounts)
Block - sequential codes with blocks of numbers reserved for specific purposes
Group - lead portion of sequential code (e.g. first 2 digits of product code is product type)
Use those two code types whenever possible.
Identify all the current assets with a 1 and all investments by looking for 12.
Financial Accounting Cycle
The Sales Process
Sales Process
Begins with customer order
Ends with collection of cash
Primary Objectives of Sales Process
Process sales or other revenues in a timely and efficient manner
Collect cash in a timely and efficient manner
Objectives
Track sales of goods/services to Customers
Fill customer orders and maintain customer records
Billing and collection of payments for goods/services
Forecast sales and cash receipts
Inputs
Sales Order
Sales Invoices
Remittance Advice
Shipping Notice
Debit/Credit Memo
Outputs
Financial Statement Info
Customer Billing Statement
Aging Report
Bad Debt Report
Cash Receipts Forecast
Customer Listing
Sales Report Analysis
Threats and Controls Sales Process
Purchase Process
Objectives
Track purchase of goods/services from Vendors
Track amounts owed and make timely accurate payments
Maintain vendor records and Control inventory
Forecast purchases and cash outflows
Inputs
Purchase Invoice
Purchase requisition
Purchase order
Vendor listing
Receiving report
Bill of lading / packing slip
Debit/credit memo
Outputs
Financial Statement Info
Vendor cheques
Cheque Register
Discrepancy reports
Cash requirements forecast
Sales analysis reports
Threats and Controls Purchase Process Exercise
Key Terms
Business process management
Customer relationship management
Discrepancy reports
Exception report
Group code
Mnemonic code
Numeric code
Purchasing process
RFID tags
Sales process
Sequence code
Supply chain
Homework Assignment
Group topics (first-come-first-served)
Topic
Short description of what will be addressed
Case analysis 7-16 pp. 240-241
Slide 9 - Introduction to Internal Control Systems - Chapter 9
Learning Objectives
After reading this chapter you will:
Be familiar with the primary control frameworks
Be familiar with an internal control system and its components
Understand the importance of enterprise-risk assessment and its impact on internal controls
Understand the importance of COSO and COBIT
Be able to identify the differences between preventive, detective and corrective controls
Understand various methods used to analyze internal control decisions
Controls
Controls in a computer information system reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that objectives will be achieved.
The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations.
Internal Controls
Internal control describes the policies, plans and procedures implemented by management to:
Protect assets
Ensure accuracy and completeness of financial information
Meet business objectives
Internal Control System
Methods and measures to achieve the following four objectives:
Safeguard assets
Check the accuracy and reliability of accounting data
Promote and improve operational efficiency
Enforce adherence with management policies
A 3;H@;
Errors in the design, maintenance or monitoring of IT controls
IT personnel may not completely understand the IT system and how it processes transactions
A 3;H@@
Edit routines in programs designed to identify and report transactions that exceed certain limits may be disabled or overwritten
Planning Phase Considerations
A 3;H3E
What IT risks can result in misstatements in financial reports?
A 3;H3;
Do you have the necessary skills on the audit team or do you need an IT Audit specialist?
Control Frameworks
COSO
Framework for enterprise internal controls (control-based approach)
COSO-ERM
Expands the COSO framework, taking a risk-based approach
COBIT
Framework for IT controls
Mostly looked at through an IT perspective
Pull up a set of controls above to test a system.
COSO Control Components
The control environment - standards, processes and structures that provide the framework; includes the organizational structures, the ethical values of the company and expectations of rigor in performance measures.
Risk assessment - identifying and assessing risks that could impact the achievement of objectives.
Control activities - actions to ensure that management efforts to mitigate risk are carried out. This includes authorizations, verifications and business performance reviews.
Information and communication - the generation of information and its dissemination both within and outside of the company.
Monitoring activities - checks to see if internal control is working
Components of COSO Frameworks
COSO-ERM expands some areas of COSO (in red). For example the cocoa beans for flavouring chocolate due to internal strife, competition for beans, weather, etc.
analyzing the risks
implementing cost-effective measures to Avoid, Mitigate, or Transfer risks
Risk Assessment
Risk is assessed from two perspectives:
Likelihood
Probability that the event will occur
Impact
Estimate of potential loss if the event occurs
Risk Responses (RASA)
Reduce
Implement effective internal control
Accept
Do nothing, accept likelihood and impact of risk
Share
Buy insurance, outsource, or hedge
Avoid
Do not engage in the activity
Control Activities examples
Audit Trail
Personnel policies and procedures
Separation of duties (authorizing, recording and custody)
Physical protection of assets (inventory, document and cash controls)
Review of operating performance
Monitoring Internal Control Systems
Establish a foundation for monitoring
Tone-at-the-top
Assignment of monitoring roles
Baseline for ongoing monitoring and evaluation
Design and Execution
Prioritize risks
Conclusions about the effectiveness of controls are supported
Identify internal controls
Information on the operation of key controls
Execute effective, efficient monitoring
Assess and report results
Evaluate identified weaknesses or deficiencies in controls
Report results to appropriate personnel and Board of Directors
Follow-up if needed
COBIT Framework (SnCeIfHaG)
Current framework version is COBIT 5
Based on the following principles:
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
COBIT Principle (BrIrIpEi)
*IT Governance Institute (*not to signify importance)
COBIT looks at framework
COBIT: Separates Governance from Management
COBIT Domains (PoAiDsMe)
2011 COBIT Version 5
Control Objectives for Information and related Technology (COBIT)
Generally accepted IT control objectives
Focuses on execution of IT operations
Val IT: a governance framework for IT
Tightly integrated with COBIT
Inherent risk
is the susceptibility of an account balance or class of transactions to error that could be material, assuming that there were no related internal accounting controls
Residual risk
is the risk that remains after management implements internal controls or some other type of risk response
Control risk
is the risk that an error that could occur in an account balance or class of transactions, and could be material, will not be prevented or detected on a timely basis by the system of internal accounting controls
Detection risk
is the risk that an auditor's procedures will lead him to conclude that an error in an account balance or class of transactions that could be material does not exist when in fact such error does exist
Types of Controls (PDC)
Preventive controls
Deter problems from occurring (e.g. firewall to prevent unauthorized access to the network)
Detective controls
Alert managers when a preventive control fails (e.g. variance report)
Corrective controls
Procedures used to solve, correct or recover from a problem (e.g. backup copies of critical data)
If someone gets through the firewall you need detective controls to tell you. You then need to fix it with a corrective control.
Examples of Control Activities
Common control activities include:
Good audit trail
Sound personnel policies and practices
Separation of duties
Physical protection of assets
Reviews of operating performance
Controls examples
Preventive
Physical safeguard and access restriction controls (human, financial, physical and information assets)
Authorization and Approvals
Segregation of duties
Business systems integrity and continuity controls (e.g. system development process, change controls, security controls, systems backup and recovery)
Passwords and authentication
Edit checks on key fields
Encryption / Decryption
Anti-virus software
Control access to physical facilities
Separation of Duties
Purpose
Structure of work assignments so one employee's work checks the work of another
Separate related activities
Custody of assets
Authorizing transactions
Recording transactions
Risk increases if two or more of these are combined
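An added example (not from the course notes) of checking the three related activities above against role-based access assignments: the permission names, roles, duty classification and users are constructed assumptions. The detective check reviews assignments that already exist; the preventive check runs before a new role is granted.

```python
"""Separation-of-duties check over role-based access assignments.
Added example, not from the course notes. Permission names, roles, the duty
classification and the user assignments are constructed assumptions."""

# The three related activities the notes say must stay separated.
DUTIES = ("custody", "authorizing", "recording")

# Each system permission is classified under one duty; None marks a read-only
# permission that confers none of the three duties.
DUTY_OF_PERMISSION = {
    "cash.disburse":    "custody",
    "inventory.issue":  "custody",
    "po.approve":       "authorizing",
    "vendor.approve":   "authorizing",
    "ap.invoice.enter": "recording",
    "gl.post":          "recording",
    "report.view":      None,
}

ROLE_PERMISSIONS = {
    "Purchasing Manager": {"po.approve", "vendor.approve", "report.view"},
    "Treasury Clerk":     {"cash.disburse"},
    "AP Clerk":           {"ap.invoice.enter", "report.view"},
    "GL Accountant":      {"gl.post", "report.view"},
}

# Constructed assignments: bob combines custody (Treasury) with recording (AP).
USER_ROLES = {
    "alice": {"Purchasing Manager"},
    "bob":   {"Treasury Clerk", "AP Clerk"},
    "carol": {"GL Accountant"},
}


def duties_for(permissions):
    """Duties conferred by a permission set. An unclassified permission is an
    error rather than a pass: it must not slip through the check silently."""
    duties = set()
    for perm in permissions:
        if perm not in DUTY_OF_PERMISSION:
            raise ValueError(f"unclassified permission: {perm}")
        duty = DUTY_OF_PERMISSION[perm]
        if duty is not None:
            duties.add(duty)
    return duties


def effective_permissions(user_roles, role_permissions):
    """Flatten role membership into each user's effective permission set."""
    return {user: set().union(*(role_permissions[r] for r in roles))
            for user, roles in user_roles.items()}


def sod_conflicts(user_roles, role_permissions):
    """Detective review: users whose roles combine two or more of the duties."""
    conflicts = {}
    for user, perms in effective_permissions(user_roles, role_permissions).items():
        held = duties_for(perms)
        if len(held) >= 2:
            conflicts[user] = sorted(held)
    return conflicts


def can_grant_role(user_roles, role_permissions, user, role):
    """Preventive check before a role grant: True only if the user would still
    hold fewer than two of custody / authorizing / recording afterwards."""
    current = effective_permissions(user_roles, role_permissions).get(user, set())
    proposed = current | role_permissions[role]
    return len(duties_for(proposed)) < 2
```

A user not yet in the assignments (a new hire) is treated as holding nothing, so the first role granted always passes; conflicts appear only when roles are combined.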
Physical Protection of Assets
Establish accountability with custody documents
Inventory controls
Stored in safe location with limited access
Utilization of receiving and issuance reports
Document controls
Protecting valuable organizational documents
Corporate charter, major contracts, blank cheques, and TSE registration statements
Controls examples
No internal control unit on the Corrective side (mistake)
Discussion 9-1
For each topic below identify preventive, detective and corrective controls:
- Forestry (forest fires)
Can use a matrix to assist in decision making.
Risk & Control Matrix
For each risk, determine the controls that should mitigate the risk. Identify controls as: P - preventive, D - detective or C - corrective.
The matrix can identify unnecessary controls or risks that are not being mitigated.
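The risk and control matrix above, combined with the likelihood and impact scoring from the Risk Assessment slide, as an added Python example that is not part of the course notes: the risks, controls, scores and the control-to-risk mapping are constructed assumptions.

```python
"""Risk & control matrix with likelihood x impact scoring.
Added example, not from the course notes. The risks, controls, scores and the
control-to-risk mapping are constructed for illustration."""
from dataclasses import dataclass, field

KINDS = {"P": "preventive", "D": "detective", "C": "corrective"}


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: float  # probability the event occurs in the period, 0..1
    impact: float      # estimated loss if it occurs

    @property
    def expected_loss(self):
        return self.likelihood * self.impact


@dataclass
class Control:
    cid: str
    description: str
    kind: str                                    # "P", "D" or "C"
    mitigates: set = field(default_factory=set)  # ids of the risks it addresses

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"{self.cid}: control type must be one of {sorted(KINDS)}")


# Constructed sample: R4 has no control at all and C5 maps to no listed risk.
SAMPLE_RISKS = [
    Risk("R1", "Unauthorized network access", 0.30, 200_000),
    Risk("R2", "Duplicate vendor payment", 0.20, 50_000),
    Risk("R3", "Loss of data centre", 0.05, 1_000_000),
    Risk("R4", "Fictitious expense claims", 0.40, 10_000),
]
SAMPLE_CONTROLS = [
    Control("C1", "Firewall", "P", {"R1"}),
    Control("C2", "Intrusion detection system", "D", {"R1"}),
    Control("C3", "Off-site backups", "C", {"R3"}),
    Control("C4", "Invoice number edit check", "P", {"R2"}),
    Control("C5", "Visitor sign-in log", "D", set()),
]


def build_matrix(risks, controls):
    """matrix[risk_id][control_id] is 'P', 'D', 'C' or '' when not mapped."""
    return {r.rid: {c.cid: (c.kind if r.rid in c.mitigates else "") for c in controls}
            for r in risks}


def unmitigated_risks(risks, controls):
    """Risks that no control claims to mitigate."""
    covered = set().union(*(c.mitigates for c in controls))
    return [r.rid for r in risks if r.rid not in covered]


def unnecessary_controls(risks, controls):
    """Controls mapped to no risk in the register (candidates for removal)."""
    known = {r.rid for r in risks}
    return [c.cid for c in controls if not (c.mitigates & known)]


def missing_kinds(risks, controls):
    """Per risk, which of P/D/C is absent: the notes expect a detective control
    behind each preventive one and a corrective one to recover."""
    return {rid: [k for k in "PDC" if k not in set(row.values())]
            for rid, row in build_matrix(risks, controls).items()}


def prioritised(risks):
    """Risks ordered by expected loss (likelihood x impact), highest first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def render(risks, controls):
    """Plain-text matrix for a working paper, one row per risk."""
    matrix = build_matrix(risks, controls)
    lines = ["risk   exp.loss " + " ".join(f"{c.cid:>3}" for c in controls)]
    for r in prioritised(risks):
        cells = " ".join(f"{matrix[r.rid][c.cid] or '-':>3}" for c in controls)
        lines.append(f"{r.rid:<6} {r.expected_loss:>8,.0f} {cells}")
    return "\n".join(lines)
```

Expected loss is the "Expected loss" key term from this chapter; ordering the rows by it puts the risks that most need a control at the top of the matrix.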
=ercise H@
3or the following flow diagram
identify the controls (c6-&66) represented by triangles
3or each control
0etermine whether control is pre%enti%e, detecti%e or correcti%e
0etermine whether controls is manual or automated
7/25/2019 ADM 4346 Accounting Information Systems Auditing
74/137
/rocess .ontro+s
7/25/2019 ADM 4346 Accounting Information Systems Auditing
75/137
.ontro+s
$imitations of controls:
) Hudgement
) "rea'downs
) +anagement o%erride
)&ollusion
) perational expediency
Discussion
Identify mitigation strategies or controls for each of the control limitations:
) Hudgement
) "rea'downs
) +anagement o%erride
) &ollusion
) perational expediency
ey -er#s
&ontrol en%ironment
&ontrol ob*ecti%es for information related technology (&"IT)
&orporate go%ernance
&orrecti%e controls
&ommittee of Sponsoring rganiations (&S)
0etecti%e controls
Enterprise ris' management (E#+)
Expected loss
Ideal control
Internal control
perational audits
#is' assessment
Sarbanes-xley 1ct (S!)
S1S P9
Separation of duties
1o#ewor0 Assign#ent
.ase Ana+ysis:
&ase P-6P p. 8GP and
7/25/2019 ADM 4346 Accounting Information Systems Auditing
76/137
&ase P-7G pp. 8GP - 86G
Slide 10 ! Computer Controls for r#ani/ations and $%Ss ! Chapter
10 ( )a#e 3111fter reading this chapter you will:
"e able to describe control ob*ecti%es related to IT and understand how these ob*ecti%es areachie%ed.
"e able to identify enterprise-le%el controls and understand why they are essential forcorporate go%ernance.
0iscuss the importance of general controls for IT and why these should be considered when
designing and implementing 1ISs.
"e able to identify IT general security and controls issues for wireless technology, networ'edcomputers, and personal computers.
Anow what input, processing and output controls are and be familiar with specific examples ofcontrol procedures in each of these categories.
).o#puter .ontro+s
-hree broad categories:
Enterprise le%el controls focus on firm wide issues
IT general controls apply to all information systems
1pplication controls are to pre%ent, detect, and correct errors in processing transactions
=nterpriseLee+ .ontro+s
Enterprise controls are those that affect the entire organiation and influence the effecti%eness ofother controls.
-he Jtone at the topK Additiona+ i#portant contro+s are:
&onsistent policies and procedures
Such as formal codes of conduct and fraud pre%ention policies. 3or example, a companymay re/uire all employees to periodically sign a formal code of conduct stipulating thatcomputer resources are to be used only for appropriate business purposes and any actsof fraud or abuse will be prosecuted. This is similar to the computer acceptable usagepolicies that are usually read and signed as soon as an employee *oins an organiation.
+anagement4s ris' assessment process
&entralied processing and controls
&ontrols to monitor results of operations
&anadian ublic 1ccounting "oard (&1") agreement of guidance issued by ?S - ublic
&ompany 1ccounting %ersight "oard (&1")
@e identified a number of these controls in &hapter P: management4s ethical %alues,philosophy, assignment of authority and responsibility, and the effecti%eness of the board of
directors. The &1" agreed with this guidance and issued notice to the &anadian audit firms tobe aware of these changes.
1dditional controls that are also %ery important include the following:
W &onsistent policies and procedures
7/25/2019 ADM 4346 Accounting Information Systems Auditing
77/137
W +anagement4s ris' assessment process.
W &entralied processing and controls.
W &ontrols to monitor results of operations.
W &ontrols to monitor other controls, including acti%ities of the internal audit function,the audit committee, and self-assessment programs.
W The period-end financial reporting process.
W "oard-appro%ed policies that address significant business control and ris'management practices.
Risk Assessment and Security Policies
Key issues for developing a security policy:
Evaluate information assets and identify threats to these assets
Assess both internal and external threats
Perform a risk assessment
Determine whether information assets are under-, over-, or adequately protected
Create a team for drafting security policies
Implement the policies throughout the organization
Develop policy compliance measures and enforce policies
Manage the policies
Integrated Security for the Organization
Trend is to merge physical and logical security
Physical measures protect the firm's facilities, resources, and data stored on physical media
Logical measures limit access to systems and information to authorized individuals
Integrated security combines physical and logical elements. Need a comprehensive security policy to protect confidentiality, integrity, and availability
Integrated Security System
Physical Security
Facility monitoring (e.g. surveillance, cameras, guards)
Access controls to facilities, data centres, computers (e.g. biometrics, access cards)
Alarm systems (fire, water, humidity, power fluctuations, burglar)
Shred sensitive documents
Proper storage and disposal of hard drives and electronic storage media
Secure storage of backup copies of data and master copies of critical software
Logical Security
e-IDs and passwords
System authentication
Biometrics
Log of logon attempts
Application-level firewalls
Anti-virus and anti-spyware software
Intrusion detection systems
Encryption for data in transit
Smart cards
IT General Controls (ITGC)
IT General Controls primarily ensure that:
1. Access to programs and data is granted only to authorized users
2. Data and systems are protected from change, theft or loss
3. Development of, and changes to, computer programs are authorized, tested, and approved before their use
IT is trying to find the right mix of the above. Do we make changes that are required, authorized, tested? The person who authorizes and tests the change can't be the one implementing it.
Access to Data, Hardware, and Software
Limit logical access to systems through:
Strong passwords
8 or more characters in length, or longer
Different types of characters (letters, numbers, symbols)
Biometric identification
Distinctive user physical characteristics (voice patterns, fingerprints, facial patterns, retina prints)
Security
Wireless
Data encryption
Virtual private network
Networks
Routing verification procedures
Securely transmits encrypted data between sender and receiver
Sender and receiver have the appropriate encryption and decryption keys.
Security
Safeguards for PCs, laptops and tablets
Back up contents regularly
Password protect devices
Encrypt sensitive devices
Anti-virus software
Physical storage – cables and security devices
Separation of Duties
Separate accounting and information processing systems from other systems
Separate responsibilities within the IT environment
Controls for Networks
Control problems
Electronic eavesdropping
Use of computer accounts
Each user has an account and a unique password
Biometric identification adds security
Identifying suspicious behaviour
Protect against fraudulent employee actions
Monitor suspicious behaviour and red flags such as lavish spending
Safeguard files from intentional and unintentional errors. (69% of database breaches were because of internal culprits)
File Security Controls
Protect files from accidental or intentional abuse:
Ensure programs access correct files
Back up critical files
Make sure only authorized changes are made
Identify files for processing through file labels
Disaster Recovery
Process and procedures to resume business following a disruptive event
Focus on essential technologies for daily operations
Disaster Recovery Plan (DRP) should include
Disaster recovery team
Backup and disaster recovery sites (hot, flying-start, and cold site alternatives)
*Availability Controls (FPLPBDrpBcp)
Fault tolerance
Use of redundant components
Preventive maintenance
Data center location and design
Put in the best possible place, not in disaster-prone ones.
Raised floor / Air conditioning
Fire suppression
Uninterruptible power supply (UPS)
Surge protection
Patch management and antivirus software
Backup procedures
Incremental backup
Copies only items that have changed since the last partial backup
Differential backup
Copies all changes made since the last full backup
Disaster recovery plan (DRP)
Procedures to restore the organization's IT function
Cold site /
Processing: Data Entry Controls
Field check
Characters in a field are of the proper type
Sign check
Data in a field has the appropriate sign (positive/negative)
Limit check
Tests numerical amount against a fixed value
Range check
Tests numerical amount against lower / upper limits
Size check
Input data fits into the field
Completeness check
Verifies that all required data is entered
Validity check
Compares data from the transaction file to that of the master file to verify existence
Reasonableness test
Correctness of the logical relationship between two data items
Check digit verification
Recalculating the check digit to verify that a data entry error has not been made
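The input edit checks listed above, applied to a constructed sales transaction file. This is an added example, not material from the course slides; the field names, the limit and range values, the field widths and the Luhn-style check digit scheme are assumptions chosen for illustration.

```python
# Added example (not from the course slides): the slide's input edit checks applied
# to constructed sales transactions. Field names, limits, field widths and the
# Luhn-style check digit scheme are assumptions for illustration.

# Constructed customer master file; the validity check tests existence here.
CUSTOMER_MASTER = {"C1001": "Acme Ltd", "C1002": "Globex Inc"}

CREDIT_LIMIT = 50_000.00                              # limit check: one fixed value (assumed)
QTY_RANGE = (1, 999)                                  # range check: lower / upper limits (assumed)
FIELD_SIZES = {"customer_no": 5, "invoice_no": 12}    # size check: field widths (assumed)
REQUIRED = ("customer_no", "invoice_no", "quantity", "unit_price", "amount")


def luhn_check_digit_ok(number: str) -> bool:
    """Check digit verification: recompute the trailing Luhn digit (assumed scheme)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec: dict) -> list:
    """Names of the controls a record fails; an empty list means the record passes."""
    failures = []
    # Completeness check: every required field present and non-blank.
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return ["completeness:" + ",".join(missing)]     # nothing else can be tested
    qty_numeric = str(rec["quantity"]).isdigit()
    # Field check: characters in the quantity field must all be digits.
    if not qty_numeric:
        failures.append("field:quantity")
    # Sign check: the unit price on a sale must be positive.
    if rec["unit_price"] <= 0:
        failures.append("sign:unit_price")
    # Limit check: amount tested against one fixed value.
    if rec["amount"] > CREDIT_LIMIT:
        failures.append("limit:amount")
    # Range check: quantity tested against lower and upper limits.
    if qty_numeric and not QTY_RANGE[0] <= int(rec["quantity"]) <= QTY_RANGE[1]:
        failures.append("range:quantity")
    # Size check: input must fit the defined field width.
    for f, width in FIELD_SIZES.items():
        if len(str(rec[f])) > width:
            failures.append("size:" + f)
    # Validity check: the customer number must exist on the master file.
    if rec["customer_no"] not in CUSTOMER_MASTER:
        failures.append("validity:customer_no")
    # Reasonableness test: amount must equal quantity x unit price.
    if qty_numeric and abs(int(rec["quantity"]) * rec["unit_price"] - rec["amount"]) > 0.005:
        failures.append("reasonableness:amount")
    # Check digit verification on the invoice number.
    if not luhn_check_digit_ok(str(rec["invoice_no"])):
        failures.append("checkdigit:invoice_no")
    return failures


# Constructed transaction file: one clean record, then records that each trip a control.
TRANSACTIONS = [
    {"customer_no": "C1001", "invoice_no": "79927398713", "quantity": "10", "unit_price": 25.00, "amount": 250.00},
    {"customer_no": "C9999", "invoice_no": "79927398713", "quantity": "10", "unit_price": 25.00, "amount": 250.00},
    {"customer_no": "C1002", "invoice_no": "79927398710", "quantity": "10", "unit_price": 25.00, "amount": 250.00},
    {"customer_no": "C1002", "invoice_no": "79927398713", "quantity": "1000", "unit_price": 100.00, "amount": 100000.00},
    {"customer_no": "C1002", "invoice_no": "79927398713", "quantity": "1O", "unit_price": 25.00, "amount": 250.00},
    {"customer_no": "C1002", "invoice_no": "79927398713", "quantity": "10", "unit_price": -25.00, "amount": 250.00},
    {"customer_no": "C1002", "invoice_no": "", "quantity": "10", "unit_price": 25.00, "amount": 250.00},
]


def run_edit_checks(records=TRANSACTIONS) -> dict:
    """Map each failing record's index to the list of controls it failed."""
    report = {}
    for i, rec in enumerate(records):
        failures = edit_checks(rec)
        if failures:
            report[i] = failures
    return report


if __name__ == "__main__":
    for idx, failed in run_edit_checks().items():
        print(idx, failed)
```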
Batch processing
Sequence check
Test that batch data is in proper numerical or alphabetical sequence
Batch totals
Summarize numeric values for a batch of input records
Financial total
File labels
Ensures the correct and most updated file is used
Recalculation of batch totals
Crossfooting
Verifies accuracy by comparing two alternative ways of calculating the same total
Zero-balance tests
For control accounts (e.g., payroll clearing)
Write-protection mechanisms
Protect against overwriting or erasing data
Concurrent update controls
Prevent the error of two or more users updating the same record at the same time
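The batch controls above run over a constructed payroll batch: sequence check, batch totals (record count, financial total, hash total), recalculation of the totals after keying, crossfooting and a zero-balance test on the payroll clearing account. Added example, not from the course slides; the batch layout and the header totals the clerk recorded are assumptions.

```python
# Added example (not from the course slides): batch controls over a constructed payroll
# batch. The record layout and the clerk's header control totals are assumptions.

# Constructed input batch: (sequence no, employee no, gross pay, deductions, net pay).
BATCH = [
    (101, 4471, 3200.00, 820.00, 2380.00),
    (102, 4472, 2950.00, 710.00, 2240.00),
    (103, 4475, 4100.00, 1105.00, 2995.00),
    (104, 4480, 1875.00, 395.00, 1480.00),
]
# Control totals the clerk wrote on the batch header before keying (assumed values).
HEADER = {"record_count": 4, "financial_total": 12125.00, "hash_total": 17898}

# Constructed keying errors: an employee number transposed (4475 -> 4457) ...
TRANSPOSED = [BATCH[0], BATCH[1], (103, 4457, 4100.00, 1105.00, 2995.00), BATCH[3]]
# ... and a net-pay figure mis-keyed (2995 -> 2395), which the header totals do not catch.
MISKEYED_NET = [BATCH[0], BATCH[1], (103, 4475, 4100.00, 1105.00, 2395.00), BATCH[3]]


def sequence_check(batch) -> bool:
    """Records must be in ascending sequence-number order with no gaps or duplicates."""
    seqs = [r[0] for r in batch]
    return all(b == a + 1 for a, b in zip(seqs, seqs[1:]))


def batch_totals(batch) -> dict:
    """Record count, financial total (gross pay) and hash total: the sum of employee
    numbers, a meaningless figure kept only as a control."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r[2] for r in batch), 2),
        "hash_total": sum(r[1] for r in batch),
    }


def recalculate_totals(batch, header=HEADER) -> list:
    """Recalculation of batch totals: names of totals that disagree with the header."""
    actual = batch_totals(batch)
    return [name for name, expected in header.items() if actual[name] != expected]


def crossfoot(batch) -> bool:
    """Crossfooting: the net-pay column total must equal the total of the row
    computations gross - deductions, i.e. two ways of reaching the same figure."""
    column_net = round(sum(r[4] for r in batch), 2)
    row_net = round(sum(r[2] - r[3] for r in batch), 2)
    return column_net == row_net


def zero_balance(batch) -> float:
    """Zero-balance test on the payroll clearing account: debits (gross pay) less
    credits (net pay + deductions) must leave the account at zero."""
    debits = sum(r[2] for r in batch)
    credits = sum(r[3] + r[4] for r in batch)
    return round(debits - credits, 2)


if __name__ == "__main__":
    print("sequence ok:", sequence_check(BATCH))
    print("totals disagreeing (transposed employee no):", recalculate_totals(TRANSPOSED))
    print("mis-keyed net: totals", recalculate_totals(MISKEYED_NET),
          "crossfoot", crossfoot(MISKEYED_NET), "clearing balance", zero_balance(MISKEYED_NET))
```

The mis-keyed net pay slips past every header total, which is why the slide lists crossfooting and zero-balance tests separately from batch totals.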
Output Controls
User review of output
Reconciliation
Procedures to reconcile to control reports (e.g. general ledger A/R account reconciled to A/R subsidiary ledger)
External data reconciliation
Data transmission controls
Exercise 10.1
Accounts Payable – duplicates
Criteria: Same vendor, invoice number, invoice date and amount
An audit found 1M in duplicates because of weaknesses in the controls over duplicates
For each criterion – identify a possible control weakness which would allow duplicates to happen and recommend a control improvement.
Vendor name in master file. If there's poor control in the master file you have vendors with multiple names and suddenly you've broken the test for duplicates. Control is to restrict access.
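The duplicate test from Exercise 10.1 over a constructed A/P file, showing how a vendor carried twice in the master file under variant names defeats the strict four-criteria test, and how normalising the key and checking the master file for duplicate vendors closes the gap. Added example, not part of the course material; the vendor master, invoice records and name-normalisation rules are assumptions.

```python
# Added example (not from the course slides): Exercise 10.1 duplicate-invoice test over
# a constructed A/P file. Vendor master, invoices and normalisation rules are assumptions.
from collections import defaultdict
import re

# Constructed vendor master with the same vendor set up twice under variant names.
VENDOR_MASTER = {
    "V100": "Northern Office Supply Ltd.",
    "V250": "Northern Office Supply Limited",   # second master record for the same vendor
    "V300": "Ottawa Courier Inc.",
}

# Constructed A/P invoices: (vendor no, invoice no, invoice date, amount).
INVOICES = [
    ("V100", "INV-2041", "2019-03-04", 1250.00),
    ("V100", "INV-2041", "2019-03-04", 1250.00),   # exact duplicate: caught by strict test
    ("V250", "INV 2041", "2019-03-04", 1250.00),   # same invoice via the second vendor record
    ("V300", "7781", "2019-03-06", 310.50),
    ("V300", "7781", "2019-04-06", 310.50),        # same number, different date: not a duplicate
]


def normalise_vendor(name: str) -> str:
    """Drop punctuation and legal-form suffixes so name variants key together."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(ltd|limited|inc|incorporated|corp|corporation|co)\b", "", n)
    return " ".join(n.split())


def normalise_invoice_no(inv: str) -> str:
    """Strip non-alphanumerics so 'INV-2041' and 'INV 2041' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", inv.upper())


def find_duplicates(invoices, strict=True) -> list:
    """Group invoices on vendor, invoice number, date and amount. strict=True keys on the
    raw fields; strict=False keys on the normalised vendor name and invoice number."""
    groups = defaultdict(list)
    for idx, (vno, inv, date, amt) in enumerate(invoices):
        if strict:
            key = (vno, inv, date, round(amt, 2))
        else:
            key = (normalise_vendor(VENDOR_MASTER[vno]), normalise_invoice_no(inv),
                   date, round(amt, 2))
        groups[key].append(idx)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def vendor_master_duplicates(master=VENDOR_MASTER) -> list:
    """Control improvement on the master file: vendor records whose names collide."""
    seen = defaultdict(list)
    for vno, name in master.items():
        seen[normalise_vendor(name)].append(vno)
    return sorted(v for v in seen.values() if len(v) > 1)


if __name__ == "__main__":
    print("strict duplicates:", find_duplicates(INVOICES))
    print("normalised duplicates:", find_duplicates(INVOICES, strict=False))
    print("duplicate vendor records:", vendor_master_duplicates())
```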
Key Terms
Application controls
Batch control total
Business continuity planning (BCP)
Cold /
Input controls
Integrated security
IT general control
Output controls
Physical security
Processing controls
Security policies
Uninterrupted power supply (UPS)
Validity test
Virtual private network (VPN)
Homework Assignment
Case analysis 10-21, pp. 343-344
1. Identify and briefly explain the problems The Big Corporation could experience with respect to the confidentiality of information and records in the new system.
There doesn't seem to be any confidentiality, as not only stores and warehouses can access the information system but also laptops and handhelds. While for the former there may be restrictions for some personnel, it's not the case for all of them. This means that if they ever lose access to their devices, or someone else were to use them, that person could access confidential information. Furthermore, remote terminals could allow access to confidential data by unauthorized personnel. The restrictions themselves are only upon certain reports, which means that of everything listed, such as company records, personnel information, etc., there could be a lot of sensitive information available to anyone who can access the system.
2. Recommend measures The Big Corporation could incorporate into the new system that would ensure the confidentiality of information and records in this new system.
There needs to be a mix of physical and logical security within the new system to ensure confidentiality of information and records. Physical security such as facility monitoring (surveillance and guards) and access controls such as access cards would make the remote terminals a lot more secure. Likewise, logical security such as e-IDs and passwords along with system authentication could make accessing the system with laptops and handhelds much more secure. Additionally, a log of who is accessing the confidential information is important, as it can hold people accountable in case of a breach of security. It could also indicate that there were attempts to access confidential information if there were too many logon attempts. There also need to be policies in place, such as time restrictions on access to the system, so that in the event someone does sneak onto the system they don't have a lot of time to go through the confidential information.
3. What safeguards can The Big Corporation develop to provide physical security for its (a) computer equipment, (b) data, and (c) data processing centre facilities?
...quantities
Employees in collusion with vendors, customers, or third parties
- Payment of inflated or fictitious invoices
- Issuance of inflated or fictitious credit notes
- Invoices for goods not received or services not performed
- Preferred pricing or delivery
- Contract bid rigging
- Theft or use of customer lists and proprietary information
Sometimes the controls are such that collusion is required.
Examples of asset misappropriation by employees in collusion with vendors or customers include:
- Fictitious credit notes
- Preferred pricing or payment terms
- Contract bid rigging
- Theft of third party information
Why do these require collusion? – how does the fraudster benefit?
What could you do to rig the contract bidding process? – date/amount
What could you do to create preferred pricing or payment terms?
What is the advantage to you? ***
Vendors
- Inflated or fictitious invoices
- Short shipments or substitution of lower quality goods
- Invoices for goods not received or services not performed
Customers
- False claims for damaged or returned goods or short shipments
But not all frauds are committed by employees. Vendors and customers can be the perpetrators of fraud without any involvement of employees:
fictitious invoices
inferior goods
false claims for damaged goods or short shipments
Example: sale of printer cartridges free or at lowest price
What did this scheme rely on?
no authority required, low dollar item
rush at year end to spend
lots of invoices at year end
personal greed, get something for nothing
desire to save gov't money
Corruption
- Bribery of
- Companies
- Private individuals
- Public officials
- Receipt of kickbacks, bribes, gratuities
- Aiding and abetting of fraud by others
Corruption includes:
- Bribery and gratuities to companies, private individuals or public officials
- Receipt of bribes, kickbacks, and gratuities.
- Aiding and abetting fraud by other parties (e.g., customers, vendors).
When and why might this occur?
What about payments to ensure that your permit gets approved?
Canadian foreign anti-corruption law was amended in June 2013 with new provisions which significantly increase the penalties for, and the scope of, individual and corporate liability for bribery of foreign public officials. The amended Corruption of Foreign Public Officials Act introduces a form of "books and records" offence in relation to falsifying books and records for the purpose of bribing a foreign public official.
Whereas "facilitation payments" were permitted under the previous law, this exception is now subject to elimination by an Order of Cabinet to be made at a future date to be determined. Facilitation payments are payments made to expedite or secure performance by a foreign public official of an act of a routine nature, such as issuing a permit, processing official documents or provisioning public services, such as power supply or police protection.
Financial Statement Fraud
Intentional manipulation of financial statements, for example:
- Misstated revenue
- Inappropriately reported expenses
- Masked disclosures
- Concealment of acquisitions
- Inappropriate balance sheet amounts
Executives cook the books, as they say, by fictitiously inflating revenues, recognizing revenues before they are earned, closing the books early (delaying current period expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.
The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:
Establish an organizational environment that contributes to the integrity of the financial reporting process. (Tone-at-the-Top)
Identify and understand the factors that lead to fraudulent financial reporting.
Assess the risk of fraudulent financial reporting within the company.
Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.
Do you know of any examples of this happening in recent years??????
Enron, WorldCom,
Why did these happen? shareholder earnings/expectations
SAS 99
Consideration of Fraud in a Financial Statement Audit
Understand fraud
Discuss risk of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate results of audit tests
Document and communicate findings
Incorporate a technology focus
SAS 99 - Consideration of Fraud in a Financial Statement Audit
Computer fraud - SAS 99 requires auditors to:
Understand fraud
Discuss risk of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate results of audit tests
Document and communicate findings
But SAS 99 also requires audits to incorporate a technology focus – auditors have to use technology to define fraud-auditing and IT auditing procedures.
This is expanded in SAS 94, which we will cover in Chapter 9.
Risk Examples
SAS 99 defines various risk factors and can be used when assessing the risk of fraudulent financial reporting and other fraudulent acts. In particular, it outlines risk factors, including:
Management Environment
- Are financial targets too ambitious and the consequences of failure high? (Enron)
- Are performance measures unrealistic – e.g. increase market share by 10% every quarter or increase shareholder value by 20% every year.
- Management style – not willing to accept failure.
These types of pressures can increase the risk that an employee will overstate performance to achieve targets.
Types of analysis suggested include: reviewing production figures for accuracy; reviewing the next period – after bonuses have been awarded – and looking for returns. ????? Others ?????
Competitive Industry – with rapidly changing technology (Nortel, BB) can lead to inventory becoming obsolete – and if not re-evaluated – lead to overstatement on the financial report. Check for the date and impact of the last inventory evaluation. Look at inventory turnover. ? Others ?
Employee Relationships – hiring of family members or giving contracts to relatives. One test is to match employee and vendor addresses (problems with this approach? How could you improve it?). You can also compare trends across years – totals by contracting officer – vendor – look at sudden increases or decreases. ?? Others ??
Attractive Assets – if your company has attractive/easily transportable items (hi-tech) – then you are at risk. Test inventory controls and look at trends in reorder quantity. ?? Others ??
Internal Controls
- New organization structures and systems – the previous manual system may have had mitigating controls; often it is assumed that new computer systems will contain all the necessary controls – but sometimes these aren't even turned on. Therefore, you should test key controls. ??? Others ????
Business Reengineering
- Re-organization – particularly downsizing – can lead to issues around separation of duties ??? Others ????
Too much Trust
- Insufficient monitoring and few audits – particularly in purchasing. Even companies that have ERP systems often don't initiate three-way matching. ??? Others ????
Examining these risk factors can help you complete a Fraud Risk Assessment of different areas of the company.
Computer Crime, Fraud, Ethics and Privacy – Chapter 11B
Developing a Fraud Investigation Plan
All the time with fraud:
Define objectives of the investigation
Define the indicators of fraud
Identify the required data sources and analysis techniques
Obtain and safeguard the required data
Test the integrity and completeness of the data
Perform analysis
Challenge your assumptions and verify to source documents
When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed fraud investigation plan that:
states why you are performing the analysis and what you are looking for - including stating the possible symptoms of the fraud
specifies the required data - single year or several, one business unit or more; also describes the expected results.
determines the data source and which fields are required; data owners and programmers determine the best methods for obtaining the data, file formats, transfer mechanisms and how you will safeguard the data
assesses the integrity and completeness of the data
outlines the tests to be performed and the follow-up analyses.
When performing the analysis, it is important to drill down into the data – challenging the assumptions and results. In cases of suspected fraud, the auditor must verify to source or compare with other sources.
The Fraud Plan is a living document - it does not constrain your analyses, but provides a structure and a purpose.
Important to get sign-off; you may want to confer with the corporate lawyer
Discussion 11.2
You have been informed that someone in A/R has changed the system parameters so customers can have an outstanding balance that is more than their credit limit.
Develop a fraud detection plan to determine if this is happening. Answer the following:
What is the objective of the analysis?
What are the expected results if controls are working?
What is the source of the data and required fields?
What analysis will be performed?
If the controls are not working – what additional analysis should be performed and why?
*Identical Question on Finals
Fraud Risk: Rumors that someone in A/R has changed the system parameters such that customers can have an outstanding balance that is more than their credit limit. In groups – develop a fraud monitoring/detection plan by answering
What is the purpose of the analysis? to verify the balances on customer accounts.
What are the expected results? the outstanding balance should be less than 110% of the customer's credit limit
What is the source of the data? the A/R file for outstanding amounts; the customer file for credit limits
What analysis will be performed? calculate the outstanding balance for each customer and compare this with the credit limit and highlight cases where the balance is more than 110% of the limit
What's next? The results of the analysis will be verified to the customer file and further analysis will be performed to look at sales by salesman for the problem accounts to see if there are trends.
Why? - fake customers to meet sales quota.
What else? - someone is stealing the A/R - confirm balances with customers.
******************** 10 minutes ********************************
Objective: Verify that controls to ensure O/S Bal ≤ 10% Limit are working
Expectations if controls are working: No customer has Bal > 10% limit
Source of Data
We need the customer number for the foreign key and the purchases and the payments
Doing it within a certain time period, then within the current period
We also need the customer master file, the limit and customer number, and also the limit
Analysis: By customer no and calculate O/S Bal ?
What else? IT control should refuse purchases at a certain time. Look at the root cause that caused the control to break
It could also be someone in receiving raising the customer's limit. Customer pays back but the person steals 200 out of the 1000
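The detection plan from Discussion 11.2 carried out over constructed A/R and customer master files: outstanding balance per customer from purchases less payments in the period, comparison against the credit limit using the 110% threshold from the answer above, customers with A/R activity but no master record, and the follow-up analysis of sales by salesman for the problem accounts. Added example, not from the course material; the file layouts, dates and amounts are assumptions.

```python
# Added example (not from the course slides): the Discussion 11.2 fraud detection plan
# over constructed A/R and customer master files. Layouts, dates, amounts and the
# 110% threshold (taken from the discussion answer) are assumptions.
from collections import defaultdict
from datetime import date

# Constructed customer master file: customer no -> credit limit.
CUSTOMER_MASTER = {"C001": 5000.00, "C002": 10000.00, "C003": 2000.00}

# Constructed A/R transaction file: (customer no, date, type, amount, salesman).
AR_FILE = [
    ("C001", date(2019, 1, 10), "INV", 4200.00, "S1"),
    ("C001", date(2019, 2, 15), "PAY", 1000.00, ""),
    ("C002", date(2019, 1, 20), "INV", 12500.00, "S2"),
    ("C002", date(2019, 3, 1), "PAY", 500.00, ""),
    ("C003", date(2019, 2, 5), "INV", 2150.00, "S1"),     # 107.5% of limit: inside 110%
    ("C003", date(2018, 11, 5), "INV", 3000.00, "S1"),    # prior period: excluded
    ("C999", date(2019, 2, 20), "INV", 800.00, "S2"),     # no master record
]
PERIOD = (date(2019, 1, 1), date(2019, 3, 31))            # current period (assumed)
THRESHOLD = 1.10                                          # 110% of the credit limit


def in_period(when, period=PERIOD) -> bool:
    return period[0] <= when <= period[1]


def outstanding_balances(ar=AR_FILE, period=PERIOD) -> dict:
    """O/S balance per customer: purchases less payments dated in the period."""
    bal = defaultdict(float)
    for cust, when, kind, amt, _rep in ar:
        if in_period(when, period):
            bal[cust] += amt if kind == "INV" else -amt
    return {c: round(b, 2) for c, b in bal.items()}


def flag_over_limit(ar=AR_FILE, master=CUSTOMER_MASTER, threshold=THRESHOLD) -> list:
    """Expected result if the control works: an empty list. Returns
    (customer, balance, limit, balance/limit) for customers above threshold x limit,
    and (customer, balance, None, None) for A/R activity with no master record."""
    exceptions = []
    for cust, bal in sorted(outstanding_balances(ar).items()):
        limit = master.get(cust)
        if limit is None:
            exceptions.append((cust, bal, None, None))
        elif bal > threshold * limit:
            exceptions.append((cust, bal, limit, round(bal / limit, 3)))
    return exceptions


def sales_by_salesman(exceptions, ar=AR_FILE, period=PERIOD) -> dict:
    """Follow-up analysis: period invoice totals by salesman for the problem accounts."""
    problem = {e[0] for e in exceptions}
    totals = defaultdict(float)
    for cust, when, kind, amt, rep in ar:
        if cust in problem and kind == "INV" and in_period(when, period):
            totals[rep] += amt
    return dict(totals)


if __name__ == "__main__":
    problems = flag_over_limit()
    print("exceptions:", problems)
    print("sales by salesman on problem accounts:", sales_by_salesman(problems))
```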
Identity Theft
The minimum information required to impersonate someone is simply their name, but access to the following can cause real damage:
Full name
Date of birth
Social Insurance Number
Full address
Mother's maiden name
User name / passwords to websites
Your identity can be stolen simply by someone using your name (for example, at a party – someone gives the person they have been talking to – and don't want to see again – your name and number).
Divert your mail
Use identity to obtain a false health care card or passport.
Discussion 11.3
In groups:
Describe five methods a fraudster could use to obtain your identity.
Describe a mitigation strategy or control for each.
Describe five methods a fraudster could use to obtain your identity
Dumpster diving – bank / credit card statements, phone / water / hydro bills
Steal letters from your mailbox
Pick your pocket
Job offers (online or in newspapers) – require resume and personal info
Skimming cards – swiping device to capture card details
Internet
Phishing – directed email asking you to verify account info
Identity theft
Intrusion testing
Privacy policy
Social engineering
Slide 11 - Information Technology Auditing - Chapter 12 Page
Homework
Case 6.1 –
General use software – Excel and Access
Generalized audit software – ACL
Statistics, duplicates, sort, summarize
Automated workpapers
Generate trial balances
Make adjusting entries
Perform consolidations
Conduct analytical procedures
Facilitate consistency across team members
Facilitate timely review and workflow
Document audit procedures and conclusions
Computer-Assisted Audit Techniques
Three broad categories of computer-assisted techniques to test controls:
Auditing around the computer
Auditing with the computer
Auditing through the computer
Auditing Around the Computer
Take a sample of transactions being entered into the system
Calculate the expected results
Compare to system output
Auditing With the Computer
Computer-assisted audit techniques
Generalized Audit Software (GAS) – such as ACL
Specialized packages
SQL
Direct access to tables or system extracts
Run analysis routines to test key controls
Auditing Through the Computer
Test processing steps, programming logic, edit routines and controls
Techniques include:
Test deck or test data
Integrated test facility (ITF)
Parallel simulation
Test of program change controls
Program comparison
Review of Systems Software
System software controls:
1. Operating system software
2. Utility programs – sorting and copying
3. Program libraries – control and monitor storage of programs
4. Access control software – controls access to programs and data files
Continuous Auditing
Real-time assurance
Embedded audit modules
Exception reporting / Transaction tagging
Snapshot technique
Continuous and intermittent simulation
Risk-Based Framework
Steps to determine where and what to audit:
Identify fraud and errors (threats) that can occur that affect each objective and assess the probability and impact of the risk occurring
Identify control procedures (prevent, detect, correct the risks/threats)
Evaluate control procedures to determine if the control exists and is working as intended, and check for compensating controls
Determine the effect of control weaknesses and identify and recommend control procedures that should be in place
Major Steps in the Auditing Process
1. Audit planning
Why, how, when, and who
Establish the scope and objectives of the audit; identify risk
2. Collection of audit evidence
3. Evaluation of evidence
4. Communication of results
Audit Process
Audit Planning Activities
Project Initiation
Project assignment
Project announcement
Opening meetings
Risk Assessment
Conduct initial research
Develop an understanding of the objectives of the area being audited
Identify risks to the area's objectives
Determine area of audit focus
Audit Objectives and Scope
Objectives – broad statements developed to define the audit's intended accomplishment.
Scope – answers the question of what will be audited. It delineates the boundaries of the audit.
Audit Program
Outlines the work to be performed during the audit
Includes:
Criteria – what should be
Methodology and Approach
Time and Resource Estimates
Skill set of auditors, training, travel, locations, etc.
Audit Conduct Activities
Pilot Sites
To validate the plan's approach
Entry Meetings
To introduce the audit and the team
Gather Evidence
Standards of Evidence
Types of Evidence
Methods of Gathering Evidence
Reliance on work of others
Briefings or Exit Meetings
No surprises approach
Findings
Criteria – what should be
Condition – what is
Cause – why did it happen
Effect – so what
Recommendation – what should be done
Findings are tracked on finding sheets
Findings are used to develop conclusions for each objective
Develop Working Papers
All supporting documentation for conclusions and results
Standard index used
Supervisory Review
Validation of evidence
Initial Quality Assurance
Audit Reporting Activities
Closing Conferences
No surprises approach
Ensure we are aware of all relevant evidence
Buy-in
Drafting Reports
Validate facts
Solicit a management action plan
Assess management action plan
Communicate audit results
Management Response
Client responses to recommendations
Presentation to Audit Committee
Provide copy of report for recommendation for approval
Final Reports
Communications - reports, briefing notes, etc.
Publish Reports
Vetted (ATI) and translated
Transparency
Follow-up Activities
Audit Consistency
7/25/2019 ADM 4346 Accounting Information Systems Auditing
118/137
%n&or#ation "yste#s Audit
IT audit ob*ecti%es:
6. rotect o%erall system security (e.g. computer e/uipment, programs, and data)
7. 1ccurate and complete processing of transactions, records, files, and reports
8. re%ent, detect, or correct inaccurate or unauthoried source data
9. 1ccurate, complete, and confidential data files
. rogram de%elopment, ac/uisition and modifications properly planned and authoried
Oera++ "yste# "ecurity
.ontro+ /rocedures
Information security plan
$imiting physical and logical access to e/uipment and systems
0ata storage and transmission controls
1nti-%irus software and procedures and firewalls
3ault tolerant design file bac'up and reco%ery and disaster reco%ery
re%enti%e maintenance
Insurance 5 casualty and business interruption
.ontro+ -ests
#e%iew information security and disaster reco%ery plans and results of tests
#e%iew and %erify policies and procedures
hysical and logical access
7/25/2019 ADM 4346 Accounting Information Systems Auditing
119/137
3ile bac'up and reco%ery
0ata storage and transmission
Berify use of firewalls and %irus protection software and procedures
Berify effecti%eness of data encryption and data transmission controls
Berify monitoring and effecti%e use of system logs
.o#puter /rocessing
.ontro+ /rocedures
0ata editing routines
#econciliation and batch totals
Error correction procedures
perating documentation and manuals
7/25/2019 ADM 4346 Accounting Information Systems Auditing
120/137
Data 2i+es
.ontro+ /rocedures
Storage 5 secure physical and logical access
@rite protection and update controls
Encryption for confidential data
ff-site bac'up
&hec'point and rollbac' procedures
.ontro+ -ests
#e%iew physical and logical access controls
Berify preparation and off-site storage
#econcile master file with control totals
Berify encryption and file handling procedures
/rogra# Ac>uisition9 Dee+op#ent and Maintenance
.ontro+ /rocedures
$icense agreements and management authoriation for program de%elopment and
ac/uisition
Testing and user acceptance procedures
System documentation
+anagement authoriation for program modification
&hange 5 documentation C separation of duties
$ogical access controls
.ontro+ -ests
Berify license agreements and test for management authoriation for program
de%elopment and ac/uisition
#e%iew system de%elopment documentation
Test system authoriation and appro%als
#e%iew test specifications, dec's, results and user acceptance results
Berify logical access and separation of duties
Berify program modification appro%al procedures, testing and user acceptance
*etwor0 .o##unication and "ecurity .ontro+s
Sensiti%e information in the networ' should be protected
The critical networ' de%ices such as routers, switches and modems protected from physical
damage and configuration and in%entories maintained
7/25/2019 ADM 4346 Accounting Information Systems Auditing
121/137
&hanges to networ' configuration authoried, documented and a threat ris' assessment
re%iewed after any changes.
The networ' operation monitored for any security irregularity and formal procedures in place
for identifying and resol%ing security problems.
hysical access to communications and networ' sites controlled and restricted and
communication and networ' systems controlled and restricted to authoried indi%iduals.
2etwor' diagnostic tools, e.g., spectrum analyer protocol analyer used on a need basis.
3irewalls to isolate an organisationNs data networ' from any external networ' and to limit
networ' connecti%ity from unauthorised use.
1ll firewalls sub*ected to thorough test for %ulnerability prior to being put to use and at
regularly thereafter.
The internal networ' of the organiation physically and logically isolated from the Internet and
any other external connection.
1ll web ser%ers for access by Internet users isolated from other data and host ser%ers and
procedures established for allowing connecti%ity of the computer networ' or computer system
to any outside system or networ'
2etwor's that operate at %arying security le%els isolated from each other
The suitability of new hardwareCsoftware assessed before connecting the same to the
organiationNs networ'.
2etwor' should be monitored and appropriate follow up of any unusual acti%ity or pattern of
access should be in%estigated promptly
Secure 2etwor' +anagement Systems should be implemented to monitor functioning of the
computer networ'.
The system must include a mechanism (e.g., intrusion detection system) for alerting the
2etwor' 1dministrator of possible breaches in security, e.g., unauthorised access, %irus
infection and hac'ing.
nly authoried and legal software should be used
-ypica+ %- Audit Docu#entation
lanning and preparation of the audit scope and ob*ecti%es
0escription andCor wal'throughs on the scoped audit area
1udit program
1udit steps performed and audit e%idence gathered
@hether ser%ices of other auditors and experts were used and their contributions
1udit findings, conclusions and recommendations
+anagement response
1udit documentation relation with document identification and dates (your cross-reference of
e%idence to audit step)
Draft and final copies of report issued
Evidence of audit supervisory review
IT Audit
Risks
Objective
Scope
Audit program
Data collection and analysis
What
3. Processing integrity – complete, timely and accurate
4. Confidentiality / online privacy – protection of personal information
5. Protection of information designated as secret or confidential
Each of the principles and criteria is organized and presented in four broad areas:
Policies
The entity has defined and documented its policies relevant to the particular principle.
Communications
The entity has communicated its defined policies to authorized users.
Procedures
The entity uses procedures to achieve its objectives in accordance with its defined
policies.
Monitoring
The entity monitors the system and takes action to maintain compliance with its defined
policies.
Exercise ;@;
Key Terms
Auditing – around, through and with the computer
Automated working papers
CA WebTrust
Computer assisted audit techniques (CAATs)
Fraud triangle
General use software
General audit software (GAS)
Information system risk assessment
IT auditing
Parallel simulation
Program change control
Risk-based audit
Test data
Third party assurance services
Trust services
Slide 11 - Developing and Implementing Effective AISs - Chapter 13 Page
Homework
Case 9.2 –
Poor planning can lead to:
Systems that do not meet users' needs – causes frustration, resistance and even sabotage
Systems that are not flexible enough to meet business requirements and are ultimately scrapped
Cost overruns
Time delays to complete project
Systems addressing the wrong problems
No top management approval or support for new systems
Systems that are difficult and costly to maintain
System Analysis
Examine system in depth
General system goals
Top management systems goals
Operating management goals
Data gathering
Review existing documentation – flowcharts, dictionaries, process maps, procedure
manuals, chart of accounts, etc.
Observe current system in operation
Use questionnaires and surveys
Review internal control procedures
Interview system participants – users, managers and operations
System Feasibility Evaluation
Comparison of alternative proposals
1. Technical feasibility – hardware, software, interfaces
2. Operational feasibility – compatibility with current operating environment
3. Schedule feasibility – time to implementation
4. Legal feasibility – complies with laws and regulations such as financial reporting requirements
and contractual obligations
5. Economic feasibility – anticipated benefits and projected costs
Detailed System Design
Processes to be performed in revised system (what and by whom)
Data elements – name, size, format, source, importance
Data structure – how data elements will be organized into logical records
Inputs – descriptions of content, source, and responsibilities
Outputs – description of purpose, frequency and distribution
Documentation – descriptions of system and subsystems
Constraints – description
Controls – to reduce risk of errors and irregularities in the input, processing and output stages
Reorganizations – changes to business functions, staffing levels or responsibilities
Make-or-Buy
RFP Evaluation – consider each of the proposed systems:
Performance capability
Cost / Benefit
Maintainability
Compatibility with existing systems
Vendor support
Training of employees and systems personnel
Testing and Implementation support
Maintenance
Backup systems
User support – availability, language
System Implementation
Physical site
Functional changes
Select and assign personnel
Train personnel
Acquire and install computer equipment
Establish internal controls
Convert data files
Acquire computer software
Test computer software
Convert to new system – direct, parallel, or modular
Follow-up and Maintenance
Post-Implementation Review
Top management and operating management satisfaction
User satisfaction
Evaluate control procedures – functioning properly
Observation – efficiency and effectiveness
Evaluate computer processing functions – data capture, preparation and processing –
for efficiency and effectiveness
Output – meeting management and regulatory requirements
System Change Management
System Change Phases
Key Terms
Change management
Conversion: direct, parallel, or modular
Critical path
Feasibility evaluation: technical, operational, schedule, economic, and legal
Make-or-buy decisions
RFP evaluation
Scope creep
Structured design
System maintenance
Systems analysis
Systems development life cycle (SDLC)
Systems implementation
Turnkey system
What-if analysis
Slide 11 - Accounting on the Internet - Accounting and
Enterprise Software - Chapters 14, 15 Page
Learning Objectives
After reading these chapters you will:
Understand basic Internet concepts: TCP/IP, URL, web page addresses
Appreciate why electronic communication is useful to accountants
Know why XBRL is important to financial reporting and EDI is important to AISs
Understand some examples of cloud computing and the difference between business-to-
consumer and B2B e-commerce
Appreciate privacy and security issues
Know why businesses use firewalls, proxy servers and encryption, and understand digital
signatures and time-stamping techniques
Understand the differences among various types of accounting and enterprise software
Be able to explain how the various functions work in ERPs and understand the architecture
and use of a centralized database in ERPs
Be able to describe the relationship between business process re-engineering and ERP
implementation
Recognize when an organization needs a new AIS and the process to select an ERP
Internet Basic Concepts
URL – Uniform Resource Locator (domain address)
IP Address – internet protocol address
20.142.131.0.0 (geographic/organisation/computer group/computer)
TCP/IP – transmission control protocol/internet protocol is the basic communication language or
protocol of the Internet.
Intranet – communication network internal to a company
Extranet – enables selected outside users to access corporate intranets
XML and XBRL
XML – Extensible markup language
Supports general financial reporting and the exchange of financial information between
trading partners
User can define own tags (extensible)
XML tags actually describe the data rather than simply indicate how to display it.
XBRL – Extensible Business Reporting Language
Standardized tags for describing financial information in documents (subset of XML)
XBRL-enabled software will automatically insert XBRL tags in financial files
XBRL
Advantages
Ability to transfer financial information in a standard format – facilitates communications between suppliers, buyers, shippers
Standardized financial filing (SEC required, CSA optional)
Uniquely defines the data – even if reported in several places, it always has the same tags
Express relationships as formulas (assets = liabilities + equity)
Exchange of information across platforms and technologies
Disadvantages
Requires users to learn and conform to standards
Requires users to conform to changing specifications
No requirement for auditors to provide assurance on XBRL filings
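As an added example, not taken from the course notes or from any XBRL tool, the Python below parses a constructed XBRL-style instance document and applies the relationship assets = liabilities + equity to each reporting period, which shows how tags that describe the data (rather than its display) can be checked by a program. The fin: taxonomy prefix, the element names, the contexts and the amounts are all assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample instance document (not a real filing); the "fin:" taxonomy
# prefix is hypothetical. Each fact's tag describes the data, not its display.
SAMPLE_INSTANCE = """\
<xbrl xmlns="http://www.xbrl.org/2003/instance" xmlns:fin="http://example.com/fin">
  <fin:Assets contextRef="FY2018" unitRef="CAD">500000</fin:Assets>
  <fin:Liabilities contextRef="FY2018" unitRef="CAD">320000</fin:Liabilities>
  <fin:Equity contextRef="FY2018" unitRef="CAD">180000</fin:Equity>
  <fin:Assets contextRef="FY2019" unitRef="CAD">640000</fin:Assets>
  <fin:Liabilities contextRef="FY2019" unitRef="CAD">400000</fin:Liabilities>
  <fin:Equity contextRef="FY2019" unitRef="CAD">230000</fin:Equity>
</xbrl>
"""

FIN_NS = "{http://example.com/fin}"   # ElementTree's {uri}local tag form

def extract_facts(xml_text):
    """Return {contextRef: {concept: value}} for every fin:* fact.
    The same concept keeps the same tag wherever it is reported, so facts
    are grouped by context (period) rather than by position in the file."""
    facts = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.startswith(FIN_NS):
            ctx = el.get("contextRef")
            facts.setdefault(ctx, {})[el.tag[len(FIN_NS):]] = int(el.text.strip())
    return facts

def check_balance(facts):
    """Apply the relationship Assets = Liabilities + Equity to each context.
    Returns {contextRef: (passes, difference)}; a missing concept fails."""
    results = {}
    for ctx, vals in facts.items():
        needed = ("Assets", "Liabilities", "Equity")
        if any(c not in vals for c in needed):
            results[ctx] = (False, None)
            continue
        diff = vals["Assets"] - (vals["Liabilities"] + vals["Equity"])
        results[ctx] = (diff == 0, diff)
    return results

if __name__ == "__main__":
    for ctx, (ok, diff) in check_balance(extract_facts(SAMPLE_INSTANCE)).items():
        print(ctx, "balances" if ok else f"out of balance by {diff}")
```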
Internet and Business
E-business
Goes beyond e-commerce and deep into the processes and cultures of an
enterprise. Includes: email, soliciting vendor bids, e-payments, electronic
exchange of data, and a host of cloud-computing services
E-commerce
Buying and selling of goods and services electronically between businesses, business
and government, business and customer
Electronic Business
Electronic Data Interchange (EDI)
Transmission of information over high-speed data communications channels, e.g. RFPs,
purchase orders, bills of lading, freight bills, sales invoices, payment remittance forms
E-Payment
Paying for goods or services electronically (e.g. PayPal)
E-Wallets
Software application (customer – vendor) to store consumers' info (e.g. credit card
numbers)
E-Commerce
Definition:
A type of business model, or segment of a larger business model, that enables a firm or
individual to conduct business over an electronic network, typically the internet.
Attributes:
Virtual stores (websites) selling directly to customers
Allows customers to create own order forms, shipping labels, and payment documents
Discussion
E-commerce creates opportunities and risks.
What are three risks to a retailer?
What are three risks to customers?
Business-to-Business (B2B)
Businesses buying and selling goods and services to each other over the Internet
Shortens time from purchase to delivery
Purchase from vendors around the world
Expedite internal paperwork
Real-time data
GPS tracking – status and delivery times
Cloud Computing
Purchase of computing services over the Internet
Processing services
Software (SaaS) e.g. tax preparation
Web hosting (PaaS)
Backup services
Educational services
Business phone services
Payroll services
Advantages
Access to specialized expertise
Cost savings – only pay for services consumed
Speed
Avoid peak loading problems
Virtual remote backup
Pay as you go
Security on the Internet
Firewalls
Guards against unauthorized access to company computers.
Inclusion – access control list (ACL) of accepted IP addresses
Exclusion – rejects messages from known threat addresses
Denial of Service (DoS) attacks – overwhelm system resources
Spoofing – masquerading as an authorized user
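The inclusion and exclusion rules above, together with the monitoring requirement from the IT audit network controls (unusual patterns of access followed up promptly, a mechanism that alerts the Network Administrator), as an added Python example that is not part of the course notes. The accepted networks, threat addresses and log lines are constructed, and the alert threshold is an assumed value.

```python
import ipaddress
from collections import Counter

# Constructed policy (hypothetical addresses, not from the course notes).
# Inclusion: an access control list of accepted source networks.
ACCEPTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
# Exclusion: known threat addresses whose messages are rejected outright.
KNOWN_THREATS = {ipaddress.ip_address(a) for a in ("10.0.5.99", "203.0.113.7")}

# Constructed connection log, one inbound attempt per line:
# "<time> <source_ip> <destination_port>"
SAMPLE_LOG = """\
09:00:01 10.0.1.20 443
09:00:02 192.168.1.15 22
09:00:02 10.0.5.99 443
09:00:03 203.0.113.7 80
09:00:03 198.51.100.4 445
09:00:04 198.51.100.4 445
09:00:04 198.51.100.4 445
09:00:05 198.51.100.4 445
09:00:06 10.0.2.30 8080
"""

def decide(src_txt):
    """Exclusion is checked first, so a listed threat address is rejected even
    when it sits inside an accepted network; then inclusion; else default deny."""
    src = ipaddress.ip_address(src_txt)
    if src in KNOWN_THREATS:
        return "REJECT-threat"
    if any(src in net for net in ACCEPTED):
        return "ACCEPT"
    return "REJECT-not-in-acl"

def filter_log(log_text, alert_threshold=3):
    """Return (decisions, alerts). A source rejected at least alert_threshold
    times is raised to the network administrator as unusual activity to be
    followed up (possible unauthorised access or resource exhaustion)."""
    decisions, rejects = [], Counter()
    for line in log_text.splitlines():
        ts, src_txt, port = line.split()
        verdict = decide(src_txt)
        decisions.append((ts, src_txt, int(port), verdict))
        if verdict != "ACCEPT":
            rejects[src_txt] += 1
    alerts = {ip: n for ip, n in rejects.items() if n >= alert_threshold}
    return decisions, alerts

if __name__ == "__main__":
    print("ALERTS:", filter_log(SAMPLE_LOG)[1])   # {'198.51.100.4': 4}
```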
Secret key cryptography – single key shared by two communicating parties
Public key encryption – requires each party to use a pair of public/private encryption
keys
Sending party uses public key to encrypt message
Receiving party uses second key to decode the message
Digital Signature / Digital Certificate
Encoded 'signatures' or 'certificates' e.g. VeriSign
Digital Time-Stamping
Time and date of transmission, filing or data entry
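An added Python example, not from the course notes, that walks through the public-key exchange just described with a toy RSA key pair: the sender encrypts with the receiver's public key, the receiver decodes with the second (private) key of its pair, and a digital signature over the message plus its time-stamp is checked with the signer's public key. The primes, the exponent, the message and the time-stamp are assumed values for illustration.

```python
import hashlib
import time

# Toy textbook RSA with small fixed primes (constructed for illustration;
# production systems use large random primes, padding and a vetted library).
def make_keypair(p=61, q=53, e=17):
    """Return (public_key, private_key); each key is (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)

def apply_key(value, key):
    """RSA core operation value^exp mod n, shared by all four operations."""
    exp, n = key
    return pow(value, exp, n)

def encrypt(message, receiver_public):
    """Sending party encrypts with the receiver's PUBLIC key (byte by byte)."""
    return [apply_key(b, receiver_public) for b in message.encode()]

def decrypt(cipher, receiver_private):
    """Receiving party decodes with the second key of its pair (PRIVATE)."""
    return bytes(apply_key(c, receiver_private) for c in cipher).decode()

def digest(message, timestamp, modulus):
    """Hash of the message together with its time-stamp, reduced below the
    modulus so the toy RSA can sign it."""
    h = hashlib.sha256(f"{timestamp}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def sign(message, timestamp, signer_private):
    """Digital signature: the signer applies its PRIVATE key to the digest."""
    return apply_key(digest(message, timestamp, signer_private[1]), signer_private)

def verify(message, timestamp, signature, signer_public):
    """Anyone can check with the signer's PUBLIC key; changing the message
    or the time-stamp makes the recovered digest mismatch."""
    return apply_key(signature, signer_public) == digest(message, timestamp, signer_public[1])

if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair()              # sender (signs)
    bob_pub, bob_priv = make_keypair(p=67, q=71)        # receiver (decrypts)
    msg, stamp = "Remit 1,250.00 CAD to vendor 4471", int(time.time())
    cipher = encrypt(msg, bob_pub)                      # only Bob can read it
    sig = sign(msg, stamp, alice_priv)                  # only Alice can produce it
    plain = decrypt(cipher, bob_priv)
    print(plain == msg, verify(plain, stamp, sig, alice_pub))   # True True
    print(verify(plain, stamp + 1, sig, alice_pub))             # altered stamp fails
```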
Integrated Accounting Software
Processes all types of accounting transactions through entire accounting process: general and special
journals, such as sales and purchases, as well as inventory and payroll - may also include job
costing, purchasing, invoicing, and fixed assets
Small and Medium Enterprises
commercial accounting software packages
Midrange and Large scale accounting software
e.g. Sage – MAS90 and Microsoft Dynamics GP
Process transactions in multiple currencies
Specialized AISs
e.g. for dental or medical offices, schools, and niche businesses
Enterprise-Wide Information Systems
Key features – integration and central database
Integration includes:
Accounting
Finance
Supply chain
Strategic planning
Customer relationship
Advantages of ERP System
Improved flow of the information - stored in a centralized database and can be accessed by
all areas of the organization (i.e., Sales enters data about a customer and the info
automatically is available to Accounting for invoicing)
Data captured once - resolves data redundancy and integrity problems
Improved access control of the data through security settings
Improved decision making - standardization of procedures and reports
Global and supply chain integration
Reduced inventory investment, improved asset management
Disadvantages of ERP System