
UNIT XII

Computer Auditing Issues

COVERAGE

1. Nature of Computer Auditing
   ◇ Definition
   ◇ Origin
   ◇ Nature
   ◇ Scope
   ◇ Change
2. Controls in a Computer-based Information System

Hello!
This presentation is prepared by:
Kryss Clyde T. Tabligan & Christine Jessa Valeza
Submitted to:
PROF. ESPERANZA P. SAN JUAN
Dean, College Of Business And Accountancy

1. Nature of Computer Audit

Let’s first define what computer auditing is.

As it is increasingly difficult to distinguish between IT and business
areas, many organisations now require that all business auditors have an
awareness of computer audit.

DEFINITION
noun. a statement of the
exact meaning of a word,
especially in a dictionary.

What is Computer Auditing?

Computer auditing is a systematic and logical process that follows a
risk based approach to determine whether the information systems of
an entity, including its detailed information technology processes,
controls and activities, will achieve its IT objectives and will thereby
ultimately enable the organisation to achieve their organisational
goals.
What is Computer Auditing?
However, the term “computer audit” can mean many different things
to different organisations. What may be regarded as computer auditing
in one organisation, and very much the realm of the specialist
computer auditor, may be undertaken by business auditors in another
similar organisation. For example, computer audit may be restricted to
auditing systems software in one organisation, whilst areas such as
auditing systems under development may be the responsibility of the
business auditor. Similarly, in some organisations, it is not uncommon
for the role of computer audit to be extended to include the review of
clerical procedures and the production of compliance based audit work
programmes for field auditors, thereby providing a wider systems audit
service.

WHAT IS THE ROLE OF A COMPUTER AUDITOR?

The role of the computer auditor is to provide senior management with
an independent and objective assurance as to the level of security
applied within the IT environment. As an integral part of the audit
process, computer auditors will also provide advice and it is in this
area that duplication and overlap may arise.
WHAT ARE THE CHALLENGES FACED BY A COMPUTER AUDITOR?

A key challenge for computer auditors is to keep up to date with the
constant and rapid developments in IT. Continuous training and
development is essential. Successful computer auditing is based upon a
foundation of technical excellence. Without this, computer auditors are
limited in their ability to audit effectively and to provide a valuable
service to the organisation.

ORIGIN
noun. the point or place
where something begins,
arises, or is derived.

How did Computer Audit begin?
The absence of a common definition of computer audit may, in part, be
due to the relative newness of computer audit. The history of traditional
auditing or inspection can be traced back many hundreds of years. In
contrast, computer audit is a relatively recent development. It was not
until the late 1970s that the majority of major organisations in the UK
established a computer audit capability for the first time. The use of IT in
business is also a relatively recent development. The father of modern
day computing is generally regarded as being Charles Babbage, who
produced his Difference Calculator in 1833. It was not until the outbreak
of the Second World War and the widespread development of valve
technology that the first-generation computers were used. Even then, it
was many years later that they became commonplace in business.

NATURE
noun. the basic or inherent
features of something,
especially when seen as
characteristic of it.

Nature of Internal Auditing
There are a number of significant risks associated with the processing
of IT systems. It is important, therefore, that high standards of security
and control are maintained to minimise the potential impact on the
organisation.

Computer fraud and abuse can have a detrimental effect on an
organisation. Periodic surveys undertaken by organisations such as
the NCC (National Computing Centre) and the Audit Commission
indicate the following common instances of computer fraud and abuse:
• unauthorised disclosure of confidential information
• unavailability of key IT systems
• unauthorised modification/destruction of software
• unauthorised modification/destruction of data
• theft of IT hardware and software
• use of IT facilities for personal business
Nature of Computer Audit
When considering computer audit, it should be noted that the basic
control objectives and principles do not change. The manner in which
those objectives are achieved, however, does change fundamentally.
Specifically, there is a need for greater preventative controls rather
than a reliance on the more detective and corrective control
mechanisms which would usually be found in manual systems. The
development of on-line real time systems, where the immediacy of
processing can result in millions of pesos being transferred away in a
funds transfer system, requires a robust level of security.


SCOPE
noun. the extent of the area
or subject matter that
something deals with or to
which it is relevant.

What is the Scope of Computer Auditing?
The following describe the main areas of computer audit activity:
• systems under development
• live applications
• IT infrastructure
• audit automation
The extent to which these areas are reviewed and the depth to which
they are examined will vary. Key to the performance of audit work is a
comprehensive risk based evaluation which should determine the
amount of audit resource required and should also assist in determining
an assessment of a satisfactory level of security and control.


CHANGE
noun. a new or refreshingly
different experience.

DOES COMPUTER AUDIT CHANGE AS TIME PASSES?
Computer audit operates in a climate of constant and rapid change.
Computer auditors are continually faced with the prospect of faster,
smaller and cheaper IT systems. An analogy that is frequently used to
describe the rapid development of IT is that, if aviation had developed at
the same rate, man would have landed on the moon in 1922. IT is a
dynamic area which, in turn, requires a dynamic and flexible control
structure.
2. CONTROLS IN A COMPUTER BASED INFORMATION SYSTEM

What are the controls in a computer based information system?

GENERAL CONTROLS

⬗ A company designs general controls to ensure that its overall
computer system is stable and well managed.
⬗ The following are categories of general controls:
1. Project development controls
2. Physical access controls
3. Logical access controls
4. Data storage controls
5. Data transmission controls
6. Documentation standards

Project Development Controls
⬗ To minimize failures, the basic principles of responsibility
accounting should be applied to the AIS function.
⬗ What key elements are included in project development control?
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements

Physical Access Controls
⬗ How can physical access security be achieved?
– placing computer equipment in locked rooms and
restricting access to authorized personnel
– having only one or two entrances to the computer
room
– requiring proper employee ID
– requiring that visitors sign a log
– installing locks on PCs

Logical Access Controls
⬗ Users should be allowed access only to the data they are
authorized to use and then only to perform specific authorized
functions.
⬗ What are some logical access controls?
– passwords
– physical possession identification
– biometric identification

Data Storage Controls
⬗ Information is generally what gives a company a competitive edge
and makes it viable.
⬗ A company should identify the types of data maintained and the
level of protection required for each.
⬗ A company must also document the steps taken to protect data.
⬗ A properly supervised file library is one essential means of
preventing loss of data.
⬗ A file storage area should also be protected against fire, dust,
excess heat, or humidity.
⬗ Following are types of file labels that can be used to protect data
files from misuse:
– external labels
– internal labels (volume, header, trailer)

Data Transmission Controls
⬗ Data Transmission Controls take on added importance in
organizations that utilize electronic data interchange (EDI) or
electronic funds transfer (EFT).
⬗ In these types of environments, sound internal control is achieved
using the following control procedures:
◇ Physical access to network facilities should be strictly
controlled.
◇ Electronic identification should be required for all authorized
network terminals.
◇ Strict logical access control procedures are essential, with
passwords and dial-in phone numbers changed on a regular
basis.
◇ Encryption should be used to secure stored data as well as
data being transmitted.
◇ Details of all transactions should be recorded in a log that is
periodically reviewed.
APPLICATION CONTROLS

⬗ The primary objective of application controls is to ensure the
accuracy of a specific application’s inputs, files, programs, and
outputs.
⬗ There are five categories of application controls, namely:
1. Source data controls
2. Input validation routines
3. On-line data entry controls
4. Data processing and file maintenance controls
5. Output controls
Source Data Controls

⬗ There are a number of source data controls that regulate the
accuracy, validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization
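Check digit verification, as an added worked example that is not part of the slides: the slides do not name a check-digit scheme, so this Python example assumes the mod-10 (Luhn) method and a constructed batch of account numbers keyed from source documents.

```python
def luhn_check_digit(payload: str) -> str:
    """Compute the mod-10 (Luhn) check digit for a string of digits.

    The check digit is appended to the payload; a keying error in any
    single digit, and most swaps of two adjacent digits, change the
    expected digit and so are caught before the record is processed.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain only digits")
    total = 0
    # Walk right to left; every other digit (starting with the rightmost) is doubled
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def verify_check_digit(number: str) -> bool:
    """True if the last digit of `number` is the correct check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def screen_source_documents(numbers):
    """Return the account numbers that fail check-digit verification.

    Rejected documents go back to the originating department for
    correction before the batch is accepted for processing.
    """
    return [n for n in numbers if not verify_check_digit(n)]


# Constructed sample batch (assumption, not from the slides): one correct number,
# one with a single mis-keyed digit (1 -> 2), one with a non-digit character.
SAMPLE_BATCH = ["79927398713", "79927398723", "7992739871X"]
```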


Input Validation Routines

⬗ Input validation routines are programs that check the validity and
accuracy of input data as it is entered into the system.
⬗ These programs are called edit programs.
⬗ The accuracy checks they perform are called edit checks.
⬗ What are some edit checks used in input validation routines?
◇ sequence check
◇ field check
◇ sign check
◇ validity check
◇ limit check
◇ range check
◇ reasonableness test
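An added example, not from the slides, of an edit program that applies the seven edit checks above to a constructed batch of payroll records; the master-file account list, hours limit, rate band and record layout are assumptions for illustration.

```python
# Constructed master data and limits for the example (assumptions, not from the slides)
VALID_ACCOUNTS = {"1001", "1002", "1003"}  # account codes present in the master file
MAX_HOURS = 80                             # limit check: upper bound on weekly hours
RATE_RANGE = (15.0, 150.0)                 # range check: acceptable hourly rate band

def edit_checks(rec, prev_seq):
    """Return the names of the edit checks one payroll record fails ([] = clean)."""
    errors = []
    # sequence check: records must arrive in ascending sequence-number order
    if rec["seq"] <= prev_seq:
        errors.append("sequence")
    # field check: the employee number field must contain digits only
    if not rec["emp"].isdigit():
        errors.append("field")
    # sign check: hours worked can never be negative
    if rec["hours"] < 0:
        errors.append("sign")
    # validity check: the account code must exist in the master file
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("validity")
    # limit check: hours must not exceed the fixed upper limit
    if rec["hours"] > MAX_HOURS:
        errors.append("limit")
    # range check: the hourly rate must lie within the allowed band
    if not RATE_RANGE[0] <= rec["rate"] <= RATE_RANGE[1]:
        errors.append("range")
    # reasonableness test: gross pay should agree with hours x rate
    if abs(rec["gross"] - rec["hours"] * rec["rate"]) > 0.01:
        errors.append("reasonableness")
    return errors

def run_edit_program(records):
    """Apply the edit checks to a batch; map each rejected seq to its failed checks."""
    rejects, prev_seq = {}, 0
    for rec in records:
        failed = edit_checks(rec, prev_seq)
        if failed:
            rejects[rec["seq"]] = failed
        prev_seq = max(prev_seq, rec["seq"])
    return rejects

# Constructed sample batch (not real data): one clean record and three with defects
SAMPLE_BATCH = [
    {"seq": 1, "emp": "0042", "account": "1001", "hours": 40, "rate": 20.0, "gross": 800.0},
    {"seq": 2, "emp": "00A7", "account": "1002", "hours": -5, "rate": 20.0, "gross": -100.0},
    {"seq": 4, "emp": "0099", "account": "9999", "hours": 95, "rate": 500.0, "gross": 47500.0},
    {"seq": 3, "emp": "0100", "account": "1003", "hours": 38, "rate": 25.0, "gross": 1000.0},
]
```

Records that fail any check are listed for correction; a clean batch returns an empty mapping.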
On-Line Data Entry Controls
⬗ The goal of on-line data entry controls is to ensure the accuracy and
integrity of transaction data entered from on-line terminals and PCs.
⬗ What are some on-line data entry controls?
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– transaction log
– clear error messages
– data checks
– user ID numbers and passwords

Data Processing and File Maintenance Controls

⬗ What are some of the more common controls that help preserve
the accuracy and completeness of data processing?
– data currency checks
– default values
– data matching
– exception reporting

Thanks!
Any questions?
