Monitoring and Auditing AIS - McGraw Hill Higher Education



Chapter 12
Monitoring and Auditing AIS
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Learning Objectives
• LO#1 Understand the risks involved with computer hardware and software.
• LO#2 Understand and apply computer-assisted audit techniques.
• LO#3 Explain continuous auditing in AIS.
LO# 1
Computer Hardware and Software
• Operating System (OS) (the most important system software)
• Database Systems
• Local Area Networks (LANs)
• Wide Area Networks (WANs)
• Virtual Private Networks (VPNs)
• Wireless Networks
• Remote Access
LO# 1
Operating System (OS)
Functions of the OS:
• To ensure the integrity of the system
• To control multiprogramming and task scheduling in the computer
• To allocate computer resources to users and applications
• To manage the interfaces with the computer
LO# 1
Operating System (OS) (Contd.)
Five fundamental control objectives:
• Protect itself from users
• Protect users from each other
• Protect users from themselves
• Be protected from itself
• Be protected from its environment
Operating system security should be included as part of IT governance in establishing proper policies and procedures for IT controls.
LO# 1
Database Systems
• A database is a shared collection of logically related data that meets the information needs of a firm.
• A data warehouse is a centralized collection of firm-wide data kept for a relatively long period of time.
• An operational database supports daily operations and often holds data for the current fiscal year only.
• Data mining is the process of searching for patterns in the data held in a data warehouse and analyzing those patterns to support decision making; it is commonly used alongside online analytical processing (OLAP).
• Data governance is the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm.
LO# 1
LANs
• A local area network (LAN) is a group of computers, printers, and other devices connected to the same network within a limited geographic range.
• LAN devices include hubs and switches.
--Hubs repeat every frame out of all ports, so every connected device can observe all traffic on the segment.
--Switches forward each frame only along the path between the two communicating ports.
--Switches are therefore a significant improvement over hubs, both in performance and in limiting which stations can observe a conversation.
LO# 1
WANs
• Wide area networks (WANs) link different sites together, transmit information across geographic boundaries, and cover a broad geographic area. A firm uses a WAN:
--to provide remote access to employees or customers
--to link two or more sites within the firm
--to provide corporate access to the Internet
• The key WAN devices are routers and firewalls.
LO# 1
WANs (Contd.)
• Routers connect different LANs; they are software-based intelligent devices that examine the Internet Protocol (IP) address of each packet to decide where to forward it.
• Firewalls: a security system comprised of hardware and software, built from routers, servers, and a variety of software, that sits between the corporate network and the Internet and permits or blocks each data packet according to the firm's access policy. A packet that no rule explicitly permits should be dropped (default deny).
• A Virtual Private Network (VPN) carries private traffic across a public network such as the Internet by encrypting it between the two endpoints.
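How a packet-filtering firewall applies the access policy described above, as an added example that is not part of the textbook. The address ranges, the rule sets and the sample packets are constructed for this illustration and are not any real configuration; the "weak" policy shows a broad allow rule shadowing a later deny, and the "corrected" policy shows an explicit allow list with default deny.

```python
"""Added example (not from the textbook): first-match packet filtering with
default deny. Networks, rules and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" = Internet -> corporate, "out" = corporate -> Internet
    proto: str           # "tcp", "udp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    ports: tuple = ()    # permitted destination ports; empty means any port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


ANY = "0.0.0.0/0"
CORP_NET = "10.0.0.0/8"        # assumed corporate address space
DMZ_WEB = "10.1.1.10/32"       # assumed public-facing web server

# Weak policy: one broad rule lets every inbound packet reach any internal
# host, so the deny rule after it can never match (it is shadowed).
WEAK_POLICY = [
    Rule("allow", "in", "any", ANY, ANY),
    Rule("deny", "in", "tcp", ANY, CORP_NET, (3389,)),
    Rule("allow", "out", "any", CORP_NET, ANY),
]

# Corrected policy: inbound only to the web server on 443, outbound web and
# DNS from the LAN, and everything else falls through to default deny.
CORRECTED_POLICY = [
    Rule("allow", "in", "tcp", ANY, DMZ_WEB, (443,)),
    Rule("allow", "out", "tcp", CORP_NET, ANY, (80, 443)),
    Rule("allow", "out", "udp", CORP_NET, ANY, (53,)),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (not rule.ports or pkt.dport in rule.ports))


def decide(policy, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample packets (TEST-NET addresses stand in for the Internet).
PACKETS = {
    "web_in":    Packet("in",  "tcp", "203.0.113.5", "10.1.1.10", 443),
    "rdp_in":    Packet("in",  "tcp", "203.0.113.5", "10.0.0.25", 3389),
    "https_out": Packet("out", "tcp", "10.0.0.25", "198.51.100.7", 443),
    "irc_out":   Packet("out", "tcp", "10.0.0.25", "198.51.100.7", 6667),
}


def evaluate(policy) -> dict:
    """Decision for every sample packet under the given policy."""
    return {name: decide(policy, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, evaluate(policy))
```

Under the weak policy the inbound remote-desktop packet to an internal workstation is allowed because the first rule matches everything; under the corrected policy it falls through to the default deny. When reviewing a real rule base, rule order and shadowed rules are among the first things an auditor should check.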
LO# 1
Wireless Networks
• A wireless network is comprised of two fundamental architectural components: access points and stations.
• An access point logically connects stations to a firm’s network.
• A station is a wireless endpoint device equipped with a wireless Network Interface Card (NIC).
LO# 1
Wireless Networks (Contd.)
Benefits of using wireless technology:
--Mobility
--Rapid deployment
--Flexibility and Scalability
Security objectives for a wireless network:
--Confidentiality
--Integrity
--Availability
--Access Control
Threats to a wireless network:
--Eavesdropping
--Man-in-the-Middle
--Masquerading
--Message Modification
--Message Replay
--Misappropriation
--Traffic Analysis
--Rogue Access Point
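A check an auditor can run for the rogue-access-point and masquerading threats listed above, as an added example that is not part of the textbook: reconcile a wireless site survey against the authorized-AP inventory and the switch MAC table. The SSID, BSSIDs, MAC table and scan results are constructed for this illustration.

```python
"""Added example (not from the textbook): classify scanned access points as
authorized, tampered, evil twin or rogue-on-the-wire. All data constructed."""

CORP_SSID = "CorpNet"   # assumed corporate network name

# Authorized access points: BSSID -> security mode that should be configured.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "WPA2-Enterprise",
    "00:11:22:aa:bb:02": "WPA2-Enterprise",
}

# MAC addresses currently learned on the wired switches (constructed).
WIRED_MAC_TABLE = {
    "00:11:22:aa:bb:01", "00:11:22:aa:bb:02",
    "c0:ff:ee:00:00:07",            # an unmanaged AP someone plugged in
    "3c:97:0e:12:34:56",            # an ordinary workstation
}

# A site survey as (ssid, bssid, security) tuples (constructed).
SCAN = [
    ("CorpNet",  "00:11:22:aa:bb:01", "WPA2-Enterprise"),
    ("CorpNet",  "00:11:22:aa:bb:02", "Open"),              # config tampered
    ("CorpNet",  "de:ad:be:ef:00:01", "Open"),              # evil twin
    ("FreeWifi", "c0:ff:ee:00:00:07", "WPA2-Personal"),     # rogue on the LAN
    ("Neighbor", "ab:cd:ef:12:34:56", "WPA2-Personal"),     # next-door network
]


def classify(ssid, bssid, security, authorized=AUTHORIZED_APS,
             wired=WIRED_MAC_TABLE, corp_ssid=CORP_SSID):
    """Return a finding code for one scanned BSSID, or None if it is benign."""
    if bssid in authorized:
        # Known AP: confirm its advertised security has not been downgraded.
        if security != authorized[bssid]:
            return "SECURITY_DOWNGRADE"
        return None
    if ssid == corp_ssid:
        # An unknown radio advertising the corporate SSID lures stations to
        # it (masquerading, the usual precondition for a man-in-the-middle).
        return "EVIL_TWIN"
    if bssid in wired:
        # Unauthorized radio whose MAC is learned on our switches: a rogue AP
        # bridging the wireless side straight into the corporate LAN.
        return "ROGUE_ON_WIRED_LAN"
    return None   # foreign network, not attached to us


def survey(scan=SCAN):
    """Findings for a whole scan as a list of (bssid, ssid, finding)."""
    findings = []
    for ssid, bssid, security in scan:
        code = classify(ssid, bssid, security)
        if code:
            findings.append((bssid, ssid, code))
    return findings


if __name__ == "__main__":
    for row in survey():
        print(*row)
```

The wired-side match is exact here for simplicity; many access points derive their radio BSSIDs from the wired MAC with a small offset in the last octet, so a production check should compare on the vendor prefix and a tolerance rather than on equality.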
LO# 1
Security Controls in Wireless Networks
• Management Controls--management of risk and information system security
• Operational Controls--protecting a firm’s premises and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third-party users
• Technical Controls--primarily implemented and executed through mechanisms contained in computing-related equipment
LO# 2
Computer-assisted Audit Techniques (CAATs)
• CAATs are essential tools for auditors conducting an audit in accordance with heightened auditing standards.
• Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor’s professional responsibilities.
• Information Systems Auditing Standards (ISASs), issued by ISACA, provide guidelines for conducting an IS/IT audit.
• According to the Institute of Internal Auditors’ (IIA) professional practice standard 1220.A2, internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits.
LO# 2
Use CAATs in Auditing Systems
• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IT general and application controls
• Operating system and network vulnerability assessments
• Application security testing and source code security scans
• Penetration testing
Two approaches:
• Auditing around the computer (the black-box approach)
• Auditing through the computer (the white-box approach)
LO# 2
Auditing around the computer (the black-box approach)
• First, calculate the expected results from the transactions entered into the system.
• Then compare these calculations to the processing or output results.
• The advantage of this approach is that the system is not interrupted for auditing purposes. Because the program's logic is never examined, the black-box approach can be adequate only when the automated application is relatively simple.
LO# 2
Auditing through the computer (the white-box approach)
• The white-box approach requires auditors to understand the internal logic of the system/application being tested.
• The auditing through the computer approach embraces a variety of techniques: the test data technique, parallel simulation, the integrated test facility (ITF), and the embedded audit module.
LO# 2
Generalized Audit Software (GAS)
• Frequently used to perform substantive tests and to test controls through transactional data analysis.
• Directly reads and accesses data from various database platforms.
• Provides auditors an independent means to access data for analysis and the ability to use high-level, problem-solving software to invoke functions on data files.
--Audit Command Language (ACL)
--Interactive Data Extraction and Analysis (IDEA)
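The kinds of tests that GAS packages such as ACL and IDEA provide as built-in commands (duplicate detection, sequence gaps, stratification and filtered extraction), written out in plain Python as an added example that is not part of the textbook. The cash-disbursements extract, the amount bands and the exception limit are constructed for this illustration.

```python
"""Added example (not from the textbook): typical GAS tests over a constructed
cash-disbursements file read directly from a CSV extract."""
import csv
import io
from collections import defaultdict

# Constructed extract of a cash-disbursements file (not real data).
DISBURSEMENTS_CSV = """check_no,date,vendor_id,amount,approver
10401,2014-03-03,V100,1250.00,jsmith
10402,2014-03-03,V117,980.50,jsmith
10403,2014-03-04,V100,1250.00,jsmith
10404,2014-03-04,V205,15000.00,bwong
10406,2014-03-05,V117,4000.00,bwong
10407,2014-03-05,V300,275.25,jsmith
10410,2014-03-06,V205,15000.00,bwong
"""


def load_disbursements(text=DISBURSEMENTS_CSV):
    """Read the extract and type the fields the tests need."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
        r["amount"] = float(r["amount"])
    return rows


def duplicates(rows, keys=("vendor_id", "amount")):
    """Duplicates test: the same vendor paid the same amount more than once,
    a common sign of a double payment or a re-submitted invoice."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in keys)].append(r["check_no"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def sequence_gaps(rows, field="check_no"):
    """Gaps test: numbers missing from a pre-numbered document sequence,
    which must be accounted for (voided, spoiled or unrecorded)."""
    nums = sorted(r[field] for r in rows)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def stratify(rows, bands=(0, 1000, 5000, float("inf"))):
    """Stratification: count and total per amount band, used to size samples
    and to focus substantive testing on the high-value stratum."""
    out = {}
    for lo, hi in zip(bands, bands[1:]):
        in_band = [r["amount"] for r in rows if lo <= r["amount"] < hi]
        out[(lo, hi)] = (len(in_band), round(sum(in_band), 2))
    return out


def exceptions(rows, limit=10000.0):
    """Filtered extraction: payments at or over the limit, or in suspiciously
    round thousands, pulled out for vouching to supporting documents."""
    return [r["check_no"] for r in rows
            if r["amount"] >= limit or r["amount"] % 1000 == 0]


if __name__ == "__main__":
    data = load_disbursements()
    print("duplicates:", duplicates(data))
    print("gaps:", sequence_gaps(data))
    print("strata:", stratify(data))
    print("exceptions:", exceptions(data))
```

Each function returns the auditor's working paper rather than printing it, so the results can be joined, sampled or exported the way a GAS script would chain commands.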
LO# 3
Continuous Audit
LO# 3
Fraud Schemes and Corresponding
Proposed Alarms under Continuous Audits
LO# 3
Implementation of Continuous Auditing
Technologies that enable continuous auditing:
• Extensible Markup Language (XML)
• Extensible Business Reporting Language (XBRL)
• Database management systems
• Transaction logging and query tools
• Data warehouses
• Data mining or computer-assisted audit techniques (CAATs)
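What the transaction-logging and alarm side of continuous auditing looks like in practice, as an added example that is not part of the textbook: an embedded audit module that inspects each record as it is posted and raises an alarm when a pattern associated with a fraud scheme appears. The three schemes, the approval limit, the business-hours window, the employee master and the log lines are all assumptions constructed for this illustration, not the textbook's own table of schemes and alarms.

```python
"""Added example (not from the textbook): continuous-audit alarms raised by an
embedded audit module replaying a constructed transaction log."""
from collections import defaultdict
from datetime import datetime

APPROVAL_LIMIT = 5000.00      # assumed: a single approver may sign up to this
BUSINESS_HOURS = (8, 18)      # assumed: postings outside 08:00-18:00 are unusual

# Constructed employee master: employee id -> bank account on file.
EMPLOYEE_BANK = {
    "E42": "DE89-3704-0044-0532",
    "E77": "GB29-NWBK-6016-1331",
}

# Constructed log: timestamp|type|entered_by|vendor|vendor_bank|amount
LOG_LINES = [
    "2014-03-03T09:12:00|PO|E42|V100|FR76-3000-6000-0111|4900.00",
    "2014-03-03T09:14:30|PO|E42|V100|FR76-3000-6000-0111|4800.00",
    "2014-03-03T09:20:10|PO|E42|V100|FR76-3000-6000-0111|4950.00",
    "2014-03-03T11:05:00|PAY|E13|V210|DE89-3704-0044-0532|1200.00",
    "2014-03-03T23:41:00|JE|E77|-|-|9999.00",
    "2014-03-04T10:00:00|PO|E13|V300|NL91-ABNA-0417-1643|760.00",
]


def parse(line):
    ts, kind, who, vendor, bank, amount = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "type": kind, "by": who,
            "vendor": vendor, "bank": bank, "amount": float(amount)}


class ContinuousAuditModule:
    """Stateful monitor: call feed() for every record as it is posted."""

    def __init__(self):
        self.pieces = defaultdict(list)   # (day, buyer, vendor) -> PO amounts
        self.reported = set()             # split-purchase keys already alarmed
        self.alarms = []

    def feed(self, rec):
        # Scheme 1: splitting one purchase into pieces that each stay under the
        # approval limit. Alarm once when a buyer's same-day POs to one vendor,
        # each below the limit, add up to the limit or more.
        if rec["type"] == "PO" and rec["amount"] < APPROVAL_LIMIT:
            key = (rec["ts"].date(), rec["by"], rec["vendor"])
            self.pieces[key].append(rec["amount"])
            total = round(sum(self.pieces[key]), 2)
            if (len(self.pieces[key]) > 1 and total >= APPROVAL_LIMIT
                    and key not in self.reported):
                self.reported.add(key)
                self.alarms.append(("SPLIT_PURCHASE", rec["by"], rec["vendor"], total))
        # Scheme 2: a fictitious vendor whose bank account belongs to an employee.
        if rec["type"] == "PAY":
            for emp, acct in EMPLOYEE_BANK.items():
                if rec["bank"] == acct:
                    self.alarms.append(("VENDOR_BANK_MATCHES_EMPLOYEE", rec["vendor"], emp))
        # Scheme 3: manual journal entries posted outside business hours.
        if rec["type"] == "JE" and not BUSINESS_HOURS[0] <= rec["ts"].hour < BUSINESS_HOURS[1]:
            self.alarms.append(("AFTER_HOURS_POSTING", rec["by"], rec["amount"]))


def run_monitor(lines=LOG_LINES):
    """Replay a log through the module and return the alarms it raised."""
    module = ContinuousAuditModule()
    for line in lines:
        module.feed(parse(line))
    return module.alarms


if __name__ == "__main__":
    for alarm in run_monitor():
        print(*alarm)
```

The module keeps only the state each rule needs (running totals per buyer, vendor and day), which is what makes it cheap enough to sit inside the transaction path; the same rules run nightly over a data warehouse extract would be the batch CAAT form of the same alarms.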
LO# 3
Implementation of Continuous Auditing (Contd.)
• Both non-technical barriers and technical challenges exist.
• A general template that a steering team or the internal audit function can use:
--Evaluate the overall benefit and cost
--Develop a strategy
--Plan and design how to implement continuous auditing
--Implement continuous auditing
--Monitor performance