
Chapter 1

Attestation services: services performed by external auditors to express an opinion regarding the presentation of financial statements
Audit objective: assuring fair presentation of financial statements
Product: a formal written report that expresses an opinion about the reliability of the assertions

Advisory services: to improve the effectiveness and efficiency of the client's operations
- unbounded, unlike attestation (which is bounded to examining, reviewing and applying agreed-upon procedures)

Internal audit: financial audits, tests of whether operations comply with the organization's policies, and tests of the organization's compliance with legal obligations
Internal audit assists the external audit for audit efficiency and to lessen audit fees
Factors to consider in deciding whether to rely on internal audit:
1) Independence of internal auditors (reporting to the controller: can't be relied on; reporting to the BOD: can)
2) Competence of internal auditors
Audit committee must be outsiders

Financial Statement Assertions
Transactions:
- completeness
- occurrence
- classification
- accuracy
- cutoff
Balances: CVPRE
- completeness
- valuation
- presentation and disclosure
- rights and obligations
- existence
Presentation and disclosure:
- completeness
- occurrence
- rights and obligations
- classification and understandability
- accuracy and valuation
Audit Risk Model
Stages of an Audit
1) Planning and risk identification
2) Obtaining evidence
   a. Strategy and risk assessment
      i. Tests of controls
   b. Execution
      i. Substantive procedures
         1. Analytical procedures
         2. Tests of details
3) Conclusion and reporting

Modifying Principles
1) Management responsibility
2) Methods of data processing
3) Limitations of internal control:
   (1) possibility of error
   (2) circumvention
   (3) management override
   (4) changing conditions
4) Reasonable assurance

COSO Framework
1) Control Environment
   a. Integrity and ethical values of management
   b. Structure of the organization
   c. Participation of the organization's board of directors and the audit
   d. Management's philosophy and operating style
   e. Procedures for delegating responsibility and authority
   f. Management's methods for assessing performance
   g. External influences
   h. Organization's policies and practices for managing its human resources
2) Risk Assessment
3) Control Activities
   a. Transaction Authorization
   b. Segregation of Duties
      i. Authorization and processing
      ii. Record keeping and asset custody
      iii. Incompatible functions (/ Supervision)
4) Monitoring
5) Information and Communication

Chapter 2
Primary Service Areas: Database Administration, Data Processing, Systems Development and Maintenance
Database Administration: maintaining data resources in a central location shared by the end users
Data Processing: manages the computer resources used to perform the day-to-day processing of transactions
- Data Conversion: transcribes transaction data from hard-copy source documents into computer input
- Computer Operations: electronic files are processed by the central computer
- Data Library: provides safe storage for the off-line data files, which can be backups or current data files
Systems Development and Maintenance
- System development: analyzing user needs and designing new systems to satisfy those needs
- System maintenance: responsibility for keeping a system current with user needs
Segregation of Incompatible IT Functions
(1) Systems Development from Computer Operations
(2) Database Administration from Other Functions
(3) New Systems Development from Maintenance; problems when these are not separated:
    a. Inadequate Documentation
    b. Program Fraud
Risks associated with DDP (distributed data processing):
1) Inefficient Use of Resources
   a. Mismanagement of organization-wide IT resources by end users
   b. Operational inefficiency as tasks are performed redundantly
   c. Incompatible hardware and software among end-user functions
2) Destruction of Audit Trails
3) Inadequate Segregation of Duties
4) Hiring Qualified Professionals
5) Lack of Standards
Advantages of DDP
1) Cost reductions
2) Improved cost control responsibility
3) Improved user satisfaction
   a. Users want to control the resources that influence their profitability
   b. Users want systems professionals to be responsive to their specific
   c. Users want to become more actively involved in developing and implementing their own systems
6) Back-up Flexibility
Controlling the DDP Environment: implement a Corporate IT Function
- Central testing of commercial software and hardware
- User services
- Standard-setting body
- Personnel review

Audit Objective: to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment
Audit Procedures (centralized IT function):
1) Review relevant documentation
2) Review systems documentation and maintenance records
3) Verify that computer operators do not have access to the operational details of a system's internal logic
4) Determine that the segregation policy is being followed in practice
Audit Procedures (distributed IT units):
1) Review relevant documentation
2) Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units
3) Verify that compensating controls are employed when segregation of duties is economically infeasible
4) Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate

Physical Location
Air Conditioning
Fire Suppression
   a. Automatic and manual alarms should be placed in strategic locations around the installation
   b. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location
   c. Manual fire extinguishers should be placed at strategic locations
   d. The building should be of sound construction to withstand water damage caused by fire suppression equipment
   e. Fire exits should be clearly marked and illuminated during a fire
6) Fault Tolerance: the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error
   a. Redundant arrays of independent disks (RAID): lost data are automatically reconstructed from the redundant components stored on the other disks
   b. Uninterruptible power supplies
Audit Objectives:
1) Physical security controls are adequate to reasonably protect the organization from physical exposures
2) Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
DISASTER RECOVERY PLAN (a short-term document that should not attempt to restore the organization's data processing facility)
1) Identify critical applications
   - The company must concentrate on restoring those applications that are critical to the short-term survival of the organization
   - Focus on cash flows to satisfy short-term obligations
   - The business people should supervise this step
2) Creating a Disaster Recovery Team
   - Task responsibility must be clearly defined and communicated to the personnel involved
   - Traditional control concerns do not apply in this setting
3) Providing Second-Site Backup
   - Mutual Aid Pact: an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster
   - Empty Shell: an agreement wherein the company buys or leases a building that will serve as a data center; the shell is ready to receive the hardware the temporary user needs to run essential systems
   - Recovery Operations Center: a fully equipped backup data center that many companies share
   - Internally Provided Backup
4) Specify backup and off-site procedures
   - Operating System Backup: needed if the company will be using a backup site that needs an OS; the data librarian would be the key person
   - Application Backup: create copies of the critical applications
   - Backup Data Files: databases should be copied daily
   - Backup Documentation: system documentation for critical applications should be backed up and stored off-site along with the applications
   - Backup Supplies and Source Documents: back up the supplies that are needed in the critical applications
   - Testing the DRP: should be performed periodically


Core Competency Theory: focus on the company's core business and outsource non-core areas such as IT functions
Transaction Cost Economics: retain specific non-core IT assets

Risks of IT outsourcing:
1) Failure to Perform: once a company outsources its IT function, its performance becomes linked to the vendor's performance
2) Vendor Exploitation: the client's dependency on the vendor may threaten the client's long-term flexibility, agility, and competitiveness and result in even greater vendor dependency
3) Outsourcing Costs Exceed Benefits
4) Reduced Security
5) Loss of Strategic Advantage

Chapter 3

Operating System
- The computer's control program
- Allows users and their applications to share and access common computer
Three Main Tasks
1) Translates high-level languages into machine-level language that the computer can execute
2) Allocates computer resources to users, workgroups, and applications
3) Manages the tasks of job scheduling and multiprogramming
Five Fundamental Control Objectives (the operating system must):
1) protect itself from users
2) protect the users from each other
3) protect the users from themselves
4) be protected from itself
5) be protected from its environment

Operating System Security
- Involves policies, procedures, and controls that determine who can access the operating system, which resources they can use, and what actions they can take
- Log-On Procedure
- Access Token: contains key information about the user, including privileges granted to the user; used to approve all actions the user attempts during the
- Access Control List: assigned to each IT resource; controls access to the
- Discretionary Access Privileges: resource owners' privileges in DDPs which allow them to grant access privileges to other users
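As an added example (not from the notes), the access token, access control list and discretionary grant described above modelled in Python; the token fields, the `permitted log-on window` and the "grant" action are assumed, as is the constructed scenario in `demo()`.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass(frozen=True)
class AccessToken:
    """Issued at log-on; carries the identity and group memberships the OS
    consults for every action the user attempts (fields are assumed)."""
    user_id: str
    groups: frozenset
    logon_window: tuple    # permitted log-on times (start, end) from user policy


@dataclass
class Resource:
    """One IT resource with its ACL: principal -> set of allowed actions."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)

    def allowed_actions(self, token):
        actions = set(self.acl.get(token.user_id, set()))
        for g in token.groups:
            actions |= self.acl.get("group:" + g, set())
        if token.user_id == self.owner:
            actions |= {"read", "write", "grant"}   # owners hold full rights
        return actions


def check_access(token, resource, action, now):
    """Return (granted, reason): the action must fall inside the user's
    permitted log-on window and be listed in the resource's ACL."""
    start, end = token.logon_window
    if not (start <= now <= end):
        return False, "outside permitted log-on times"
    if action in resource.allowed_actions(token):
        return True, "allowed by ACL"
    return False, "no ACL entry for %s on %s" % (action, resource.name)


def grant(grantor, resource, grantee, action, now):
    """Discretionary access privilege: only a principal holding 'grant' on
    the resource (its owner) may extend an access right to another user."""
    ok, reason = check_access(grantor, resource, "grant", now)
    if not ok:
        return False, reason
    resource.acl.setdefault(grantee, set()).add(action)
    return True, "granted"


def demo():
    """Constructed scenario: alice owns payroll.dat, the payroll group may
    read it, bob has no entry until alice grants him one."""
    window = (time(8, 0), time(18, 0))
    alice = AccessToken("alice", frozenset({"payroll"}), window)
    bob = AccessToken("bob", frozenset(), window)
    payroll = Resource("payroll.dat", owner="alice",
                       acl={"group:payroll": {"read"}})
    now = time(10, 0)
    return {
        "alice_write": check_access(alice, payroll, "write", now)[0],
        "bob_read_before": check_access(bob, payroll, "read", now)[0],
        "alice_grants_bob": grant(alice, payroll, "bob", "read", now)[0],
        "bob_read_after": check_access(bob, payroll, "read", now)[0],
        "bob_grants_self": grant(bob, payroll, "bob", "write", now)[0],
        "alice_at_night": check_access(alice, payroll, "read", time(22, 0))[0],
    }
```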

Operating System Integrity
Exposure comes from:
1) Privileged personnel who abuse their authority
2) Individuals who browse the operating system to identify and exploit security
3) Individuals who intentionally insert computer viruses or other forms of destructive programs into the operating system
Operating System Controls and Audit Tests
1) Controlling Access Privileges: management should ensure that individuals are not granted privileges that are incompatible with their assigned duties; privileges should be carefully administered and closely monitored for compliance with organizational policy and principles of internal control
   Audit Objective: to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy
   Audit Procedures:
   (1) Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security
   (2) Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and
   (3) Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check; review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company
   (4) Review the users' permitted log-on times
2) Password Control
   Contra-security behaviors:
   (1) Forgetting passwords and being locked out of the system
   (2) Failing to change passwords on a frequent basis
   (3) The post-it syndrome
   (4) Simplistic passwords
   A. Reusable Passwords: should be changed regularly and disallow weak
   B. One-Time Passwords: the user's password changes continuously
   Audit Objective: to ensure that the organization has an adequate and effective password policy for controlling access to the operating system
3) Controlling Against Malicious and Destructive Programs
   Audit Objective: to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses
4) System Audit Trail Controls
   (1) Keystroke Monitoring: involves recording both the user's keystrokes and the system's responses
   (2) Event Monitoring: summarizes key activities related to system resources
   Audit Trail Objectives:
   (1) Detecting unauthorized access
   (2) Reconstructing events: audit trail analysis can be used to reconstruct the steps that led to events such as system failures
   (3) Personal accountability: can be used to monitor user activity at the lowest level of detail
   Audit Objective: to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation
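An added example (not from the notes) that runs the three audit trail objectives above over a constructed event-monitoring log; the log format, field names and the three-failed-log-ons threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample audit trail (not real data): one event per line.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=jdoe event=LOGON result=OK terminal=T12
2024-03-01T08:03:40 user=jdoe event=OPEN file=payroll.dat result=OK terminal=T12
2024-03-01T08:05:02 user=guest event=LOGON result=FAIL terminal=T07
2024-03-01T08:05:09 user=guest event=LOGON result=FAIL terminal=T07
2024-03-01T08:05:15 user=guest event=LOGON result=FAIL terminal=T07
2024-03-01T08:05:20 user=guest event=LOGON result=FAIL terminal=T07
2024-03-01T08:10:33 user=jdoe event=OPEN file=ledger.dat result=DENIED terminal=T12
2024-03-01T08:11:00 user=ops1 event=LOGON result=OK terminal=T01
2024-03-01T08:11:45 user=ops1 event=RUN job=EOD_BATCH result=OK terminal=T01
2024-03-01T08:12:02 user=ops1 event=SYSTEM_FAILURE result=ABEND terminal=T01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_log(text):
    """Turn each audit-trail line into a dict of key=value fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def detect_unauthorized_access(events, max_failures=3):
    """Objective 1: flag users who reach the failed log-on threshold and
    every denied access to a resource."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["event"] == "LOGON" and e["result"] == "FAIL":
            failures[e["user"]] += 1
            if failures[e["user"]] == max_failures:   # report once per user
                findings.append(("repeated_logon_failures", e["user"], e["terminal"]))
        elif e["result"] == "DENIED":
            findings.append(("access_denied", e["user"], e.get("file", "?")))
    return findings


def reconstruct_events(events, failure_event="SYSTEM_FAILURE", window=3):
    """Objective 2: return the last `window` events that preceded a failure."""
    recent = deque(maxlen=window)
    for e in events:
        if e["event"] == failure_event:
            return list(recent)
        recent.append(e)
    return []


def accountability_report(events):
    """Objective 3: per-user count of every action, attributable to the individual."""
    report = defaultdict(lambda: defaultdict(int))
    for e in events:
        report[e["user"]][e["event"]] += 1
    return {user: dict(counts) for user, counts in report.items()}
```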

Internet Risks
1) IP Spoofing: a form of masquerading to gain unauthorized access to a web server and/or perpetrate an unlawful act without revealing one's identity
2) Denial of Service Attack: an assault on a web server to prevent it from servicing its legitimate users
   a. SYN Flood Attack: accomplished by not sending the final acknowledgement to the server
   b. Smurf Attack: using ping
   c. DDoS: may take the form of a SYN flood or Smurf attack, but massively
Controlling Risks from Subversive Threats
1) Firewall: a system that enforces access control between two networks
   (1) Network level: provides efficient but low-security access control; designed to facilitate the free flow of information rather than restrict it; does not explicitly authenticate outside users
   (2) Application level: provides a higher level of customizable network security but adds overhead to connectivity; can perform sophisticated functions such as user authentication
2) Controlling Denial of Service Attacks
   (1) Smurf Attack: the targeted organization can program its firewall to ignore all communication from the attacking site
   (2) SYN flood: internet hosts must program their firewalls to block outbound message packets that contain invalid internal IP addresses; security software for targeted sites scans for half-open connections
   (3) DDoS: implement intrusion prevention systems that employ deep packet inspection
3) Encryption: the conversion of data into a secret code for storage in databases and transmission over networks
   Key: a mathematical value that the sender selects
   Algorithm: the procedure of shifting each letter in the cleartext (original) message the number of positions that the key value indicates
   (1) Private Key Encryption
      a. Advanced Encryption Standard (AES)
      b. Triple-DES encryption
         i. EEE3: three keys for encoding
         ii. EDE3: one key for encrypting, decoding, and encrypting the garbled message
   (2) Public Key Encryption: two keys, one for encrypting (public) and one for decoding
4) Digital Signatures: an electronic authentication that cannot be forged; proves that the message received was not tampered with
5) Digital Certificate: used to verify the sender's identity
   Public Key Infrastructure: constitutes the policies and procedures for administering public key encryption
   (1) A certification authority that issues and revokes digital certificates
   (2) A registration authority that verifies the identity of certificate applicants
   (3) A certification repository, which is a publicly accessible database that contains current information about current certificates and a certificate revocation list of certificates that have been revoked and the reasons for
6) Message Sequence Numbering: a sequence number is inserted in each
7) Message Transaction Log: should record the user ID, the time of access, and the terminal location or telephone number from which the access originated
8) Request-Response Technique: a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals
9) Call-Back Device: requires the dial-in user to enter a password and be identified
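An added example (not from the notes) of controls 6 and 7 on the receiving side: a per-sender sequence number check that rejects duplicated messages and alerts on missing ones, with every message recorded in a transaction log. The message fields, status strings and the constructed exchange in `demo()` are assumptions.

```python
class MessageReceiver:
    """Receiver-side sequence numbering plus a message transaction log."""

    def __init__(self):
        self.next_expected = {}   # sender -> sequence number expected next
        self.log = []             # transaction log: user ID, time, origin, outcome

    def receive(self, sender, seq, origin, payload, timestamp):
        expected = self.next_expected.get(sender, 1)
        if seq < expected:
            # already seen: a duplicated or replayed message, not processed again
            status = "REJECT duplicate seq %d" % seq
        elif seq > expected:
            # numbers skipped: messages were lost, deleted or arrived out of order
            status = "ALERT missing seq %d-%d" % (expected, seq - 1)
            self.next_expected[sender] = seq + 1
        else:
            status = "ACCEPT"
            self.next_expected[sender] = seq + 1
        self.log.append({"user": sender, "time": timestamp, "origin": origin,
                         "seq": seq, "status": status, "payload": payload})
        return status


def demo():
    """Constructed exchange: two good messages, a replay of the second from a
    different terminal, then a message whose predecessors never arrived."""
    rx = MessageReceiver()
    statuses = [
        rx.receive("acme", 1, "T01", "PO-100", "2024-03-01T09:00:00"),
        rx.receive("acme", 2, "T01", "PO-101", "2024-03-01T09:01:00"),
        rx.receive("acme", 2, "T09", "PO-101", "2024-03-01T09:07:00"),
        rx.receive("acme", 5, "T01", "PO-104", "2024-03-01T09:09:00"),
        rx.receive("acme", 6, "T01", "PO-105", "2024-03-01T09:10:00"),
    ]
    return statuses, rx.log
```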
Controlling Risks
1) Line Errors
   a. Echo Check: involves the receiver of the message returning the message to the sender
   b. Parity Check: incorporates an extra bit into the structure of a bit string when it is created or transmitted

Electronic Data Interchange (EDI): the intercompany exchange of computer-processible business information in standard format
Benefits of EDI
1) Data Keying: EDI reduces or even eliminates the need for data entry
2) Error Reduction: firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing errors
3) Reduction of Paper: the use of electronic envelopes and documents drastically reduces the paper forms in the system
4) Postage: mailed documents are replaced with much cheaper data transmissions
5) Automated Procedures: EDI automates manual activities
6) Inventory Reduction: EDI reduces the lag time that promotes inventory accumulation
Transaction Authorization and Validation
(1) VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file
(2) Before being converted, the translation software can validate the trading partner's ID and password against a validation file in the firm's database
(3) Before processing, the trading partner's application software references the valid customer and vendor files to validate the transaction
Access Control
- To function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment
EDI Audit Trail
- There is no traditional audit trail in an EDI system
- Maintain a control log instead, which records the transaction's flow through each phase of the EDI system
Audit Objectives:
1) All transactions are authorized, validated, and in compliance with the trading partner agreement
2) No unauthorized organizations gain access to database records
3) Authorized trading partners have access only to approved data
4) Adequate controls are in place to ensure a complete audit trail of all EDI

Chapter 4
Flat-File Approach
- Data files that contain records with no structured relationships to other
- Promotes a single-user view approach whereby end users own their data files rather than share them with other users
- Data files are structured to suit the specific needs of the owner or primary user of the data
- Data Redundancy contributes to three significant problems: data storage, data updating, and currency of information
- Task-Data Dependency: a user can only make decisions with the information he currently has

Database Approach
- Centralizes the organization's data into a common database that is shared by other users
- This is controlled by a database management system (DBMS): a special software system that is programmed to know which data elements each user is authorized to access

Key Features of the Database Environment
1) Database Management System: provides a controlled environment to assist (or prevent) access to the database and to efficiently manage the data
   a. Program Development: the DBMS contains application development
   b. Backup and Recovery: the DBMS periodically makes backup copies of the physical database
   c. Database Usage Reporting: captures statistics on what data are being used, when they are used, and who uses them
   d. Database Access: permits authorized access
      Three software modules facilitate this task:
      (1) Data Definition Language (DDL): a programming language used to define the database to the DBMS; identifies the names and the relationships of all data elements, records, and files that constitute the database
         Three levels of database views:
         1. Internal or Physical View: lowest level of representation; physical storage
         2. Conceptual/Logical View: describes the entire database; represents the database logically and abstractly
         3. External/User View: defines the user's section of the database that the user is authorized to access
2) Users: how users access the database
   (1) Data Manipulation Language (DML): the proprietary programming language that a particular DBMS uses to retrieve, process, and store data
   (2) Query Language: an ad hoc access methodology for extracting information from a database; permits end users and professional programmers to access data in the database directly without the need for conventional programs
3) Database Administrator
   - Responsible for managing the database resource
   - Functions of the Database Administrator:
     o Database Planning
     o Database Design
     o Database Implementation
     o Database Operation and Maintenance
     o Database Growth and Change
     o Creation and maintenance of the Data Dictionary: describes every data element in the database
4) Physical Database
   o Data Structures: allow records to be located, stored, and retrieved, and enable movement from one record to another
     - Data organization: refers to the way records are physically arranged on the secondary storage device; may be either sequential or random
     - Data access methods: techniques used to locate records and to navigate through the database
   o Criteria that influence the selection of a data structure:
     - Rapid file access and data retrieval
     - Efficient use of disk storage space
     - High throughput for transaction processing
     - Protection from data loss
     - Ease of recovery from system failure
     - Accommodation of file growth
5) DBMS Models
   - An abstract representation of the data about entities, including resources, events, and agents
   o Hierarchical: constructed of sets that describe the relationship between two linked files; parent and child structure or tree structure
     - A parent record may have one or more child records
     - No child record can have more than one parent
   o Network: permits a child record to have multiple parents
   o Relational: portrays data in the form of two-dimensional tables
     Characteristics of properly designed tables:
     - All occurrences at the intersection of a row and a column are a single value
     - Attribute values in any column must all be of the same
     - Each column in a given table must be uniquely named
     - Each row in the table must be unique in at least one


Databases in a Distributed Environment
1) Centralized Database: retaining the data in a central location; remote IT units send requests for data to the central site, which performs the functions of a file manager that services the data needs of the remote sites
2) Distributed Databases
   a. Partitioned Database approach: splits the central database into segments or partitions that are distributed to their primary users
      o Advantages:
        - Having data stored at local sites increases users' control
        - Transaction processing response time is improved by permitting local access to data and reducing the volume of data that must be transmitted between IT units
        - Partitioned databases can reduce the potential effects of a
      o Works best for organizations that require minimal data sharing among their distributed IT units
      o Deadlock Phenomenon: mutual exclusion to the data resource, and the transactions are in a wait state until the locks are
        - Deadlock Resolution: terminating transactions to complete the processing of other transactions; the terminated transactions will be reinitiated
        - Factors considered in terminating transactions:
          - The resources currently invested in the transaction
          - The transaction's stage of completion
          - The number of deadlocks associated with the
   b. Replicated Databases: high degree of data sharing; common data are replicated at each IT unit site
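An added example (not from the notes) of the deadlock phenomenon and its resolution described above: transactions holding locks on partitioned data segments are modelled as a wait-for graph, a cycle in that graph is a deadlock, and the victim to terminate is chosen from the three factors listed; the cost weights and the sample transactions are assumptions.

```python
def build_wait_for_graph(holds, waits):
    """holds: {txn: set of locked segments}; waits: {txn: segment it waits for}.
    Returns {txn: set of txns it is waiting on} (mutual exclusion on segments)."""
    owner = {seg: txn for txn, segs in holds.items() for seg in segs}
    graph = {txn: set() for txn in holds}
    for txn, seg in waits.items():
        if seg in owner and owner[seg] != txn:
            graph.setdefault(txn, set()).add(owner[seg])
    return graph


def find_cycle(graph):
    """Depth-first search; returns the transactions forming a cycle (a deadlock)
    or None when every waiting transaction will eventually get its lock."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    stack = []

    def visit(n):
        colour[n] = GREY
        stack.append(n)
        for m in graph[n]:
            if colour[m] == GREY:             # back edge: m is still on the stack
                return stack[stack.index(m):]
            if colour[m] == WHITE:
                cycle = visit(m)
                if cycle:
                    return cycle
        stack.pop()
        colour[n] = BLACK
        return None

    for n in graph:
        if colour[n] == WHITE:
            cycle = visit(n)
            if cycle:
                return cycle
    return None


def choose_victim(cycle, stats):
    """Terminate the transaction that is cheapest to restart, scored from the
    three factors above (assumed weights): resources invested times stage of
    completion, plus a penalty for each earlier deadlock it was involved in."""
    def cost(txn):
        s = stats[txn]
        return s["invested"] * s["completion"] + 2 * s["deadlocks"]
    return min(cycle, key=cost)


def resolve_deadlock(holds, waits, stats):
    """Detect a deadlock and terminate one transaction; returns the victim,
    whose locks are released so the others can finish (it is reinitiated later)."""
    cycle = find_cycle(build_wait_for_graph(holds, waits))
    if not cycle:
        return None
    victim = choose_victim(cycle, stats)
    holds.pop(victim, None)
    waits.pop(victim, None)
    return victim
```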
Controlling and Auditing Data Management Systems
1) Access Controls
   a. User views: a subset of the total database that defines the user's data domain and provides access to the database
   b. Database Authorization Table: contains rules that limit the actions a user can take
   c. User-defined procedures: allow the user to create a personal security program or routine to provide more positive user identification than a single password
   d. Data encryption: encrypts highly sensitive stored data, making it unreadable to an intruder browsing the database
   e. Biometric devices
   f. Inference controls: prevent users from inferring, through query features, specific data values that they otherwise are unauthorized to
2) Backup Controls
   Flat-file environment:
   a. Sequential/GPC (grandparent-parent-child) Backup Technique
   b. Direct Access File Backup
   c. Off-Site Storage: the backups made from the two approaches should be stored off-site
   Database environment:
   a. Backup
   b. Transaction Log: provides an audit trail of all processed transactions
   c. Checkpoint Feature: suspends all data processing while the system reconciles the transaction log and the database change log against the database
   d. Recovery Module: uses the logs and backup files to restart the system after a failure
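An added example (not from the notes) of the inference controls listed under Access Controls: a query interface that answers only aggregates, refuses query sets smaller than k rows (or whose complement is), and refuses a query that differs from an earlier answered one by fewer than k rows, which is how a user would otherwise isolate a single value by differencing. The payroll table, k and the method names are constructed for the example.

```python
# Constructed sample table (not real data): (employee, department, salary).
PAYROLL = [
    ("ann", "R&D", 70000), ("bob", "R&D", 95000), ("cyd", "R&D", 68000),
    ("dan", "R&D", 72000), ("eve", "OPS", 51000), ("fay", "OPS", 54000),
    ("gus", "OPS", 49000), ("hal", "OPS", 56000),
]


class InferenceControlledQuery:
    """Aggregate-only access with a minimum query-set size and an overlap
    check against previously answered query sets (assumed controls)."""

    def __init__(self, rows, k=3):
        self.rows = rows
        self.k = k
        self.answered = []     # query sets already released, for overlap checks

    def aggregate(self, func, predicate):
        """func is 'sum', 'count' or 'avg'; predicate selects rows.
        Returns the aggregate, or None when the query is refused."""
        selected = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        n, total = len(selected), len(self.rows)
        if n < self.k or total - n < self.k:
            return None        # too few rows selected, or too few left out
        for earlier in self.answered:
            if 0 < len(selected ^ earlier) < self.k:
                return None    # differencing with an earlier answer isolates < k rows
        self.answered.append(selected)
        salaries = [self.rows[i][2] for i in selected]
        if func == "count":
            return n
        if func == "sum":
            return sum(salaries)
        if func == "avg":
            return sum(salaries) / n
        raise ValueError("unsupported aggregate: %s" % func)
```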
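An added example (not from the notes) of the four database-environment backup controls above working together: backup copies, a transaction log, a checkpoint that reconciles the log against the database, and a recovery module that restores the latest backup and replays the logged transactions after a failure. The account ledger, method names and failure simulation are constructed for the example.

```python
import copy


class RecoverableDatabase:
    """Account -> balance store with backup, transaction log, checkpoint and
    recovery (a constructed model, not a real DBMS)."""

    def __init__(self):
        self.data = {}            # the physical database
        self.backups = []         # (log position, snapshot) pairs
        self.log = []             # transaction log: every processed transaction
        self.checkpointed = 0     # log entries confirmed applied at last checkpoint

    def post(self, txn_id, account, amount):
        """Apply a transaction and record it in the transaction log."""
        self.data[account] = self.data.get(account, 0) + amount
        self.log.append({"id": txn_id, "account": account, "amount": amount})

    def backup(self):
        """Backup control: snapshot the database and remember the log position."""
        self.backups.append((len(self.log), copy.deepcopy(self.data)))

    def _replay(self, snapshot, entries):
        state = copy.deepcopy(snapshot)
        for e in entries:
            state[e["account"]] = state.get(e["account"], 0) + e["amount"]
        return state

    def checkpoint(self):
        """Suspend processing and reconcile the log against the database:
        the last backup plus the log since then must equal the live data."""
        pos, snapshot = self.backups[-1] if self.backups else (0, {})
        if self._replay(snapshot, self.log[pos:]) != self.data:
            raise RuntimeError("database and transaction log disagree")
        self.checkpointed = len(self.log)
        return self.checkpointed

    def simulate_failure(self):
        """Lose the live database; backups and log are assumed to be stored
        separately (off-site) and survive."""
        self.data = {}

    def recover(self):
        """Recovery module: restore the latest backup, then replay every
        logged transaction processed after it. Returns the replay count."""
        pos, snapshot = self.backups[-1] if self.backups else (0, {})
        self.data = self._replay(snapshot, self.log[pos:])
        return len(self.log) - pos
```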

Chapter 5