
Analyzing the CIS Environment

Risk Assessment of the CIS Environment

Identify the business processes and their criticality.
The automation of business processes.
Identify where there should be control points.
Analyze processes against internal control.
Effectiveness of internal control.
Benefits of internal control.
Efficiency of operations.

Risk Management Overview

Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost. At a high level, this is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls. (Extracted from CISM Review Course, 2005.)

Risk is a feature of business life, and since it is impractical and uneconomical to eliminate all risks, every organization has a level of risk it will accept. Faced with risk, organizations have four strategic choices:

Terminate the activity giving rise to the risk.
Transfer the risk to another party.
Reduce the risk by using appropriate control measures or mechanisms.
Accept the risk.

Risk Analysis Framework

The main elements of the risk management process:
Establish context
Identify risks
Analyze risks
Evaluate risks
Treat risks
Monitor and review
Communicate and consult

Understanding the CIS Environment

CIS, Financial Management Systems or Integrated Accounting Systems

What CIS application systems are available.
How management utilizes CIS: on a daily or monthly basis, for decision-making, for financial reporting and performance measurement.
Effectiveness of the integration of the various application systems.

Characteristics of a computerized accounting system

Figure: Financial Management Systems for Monitoring, Controlling, Reporting & Decision Making, covering Sales, Purchasing, Inventory, Marketing, Accounts Payable, Accounts Receivable, Bad Debts, Depreciation and P&L.

Understanding the CIS Environment

CIS Processing: operational source of data, e.g. transaction records, customer records, inventory records.

Recording of transactions and records
Processing of such records
Producing documents such as invoices and receipts
Recording financial data
Reporting the status of transactions and records

CIS Processing: results of operations, or administrative accounting in accordance with accounting policies and procedures.

Lack of physical documentation and source records for transactions (audit trail)
Lack of evidence on supervisory check / verification processes
Issues in storage and retrieval of transactional records
Changes in processing, storage and communication of financial data

Lecture Objectives

Understanding the CIS environment
The effect of computerization in general and on internal controls
Types of general & application controls used in CIS processes
The audit process in a CIS environment
To know the techniques of auditing using CAATs

Part 2: THE EFFECT OF CIS IN GENERAL AND ITS IMPACT ON INTERNAL CONTROL

Understanding the CIS Environment

This part outlines the following:

Internal Control

The Internal Control Environment
Impact of CIS on Internal Control

Internal Control: Definition

Internal control is a company's system, defined and implemented under its responsibility. It comprises a set of resources, patterns of conduct, procedures and actions adapted to the individual characteristics of each company which:

contributes to the control over its activities, to the efficiency of its operations and to the efficient utilization of its resources, and
enables it to take into consideration, in an appropriate manner, all major risks, be they operational, financial or compliance.

COSO defines internal control as: "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations."

Internal control is a company's system, defined and implemented under its responsibility, which aims to ensure that:

Laws and regulations are complied with;
The instructions and directional guidelines fixed by Executive Management or the Management Board are applied;
The company's internal processes are functioning correctly, particularly those implicating the security of its assets;
Financial information is reliable;
and generally, contributes to the control over its activities, to the efficiency of its operations and to the efficient utilisation of its resources.

Framework: IIA website; COSO Internal Control Integrated Network

Internal Control Components

An organisation comprising a clear definition of responsibilities, with suitable resources and competencies and supported by appropriate procedures, information systems, tools and practices;

The in-house dissemination of relevant and reliable information, the awareness of which enables everyone to exercise their responsibilities;
A system for identifying and analysing the main identifiable risks in relation to the company's objectives and for ensuring that procedures exist for managing those risks;

Risk identification

The company identifies the main identifiable risks, both internal and external, which could have an impact on the likelihood of it meeting the objectives it has fixed for itself. This identification process, which is on-going, should cover those risks which could have a significant impact on its situation.

Risk analysis

This involves taking into consideration the likelihood of the risks occurring and their potential seriousness, as well as considering the environment and existing control measures. These different elements are not static; on the contrary, they form part of the risk management process.

Risk management procedures

Executive Management or the Management Board, supported by a risk management function, if there is one, should define risk management procedures.

Control activities proportionate to the implications of each individual process and designed to reduce the risks that could affect the company's ability to achieve its objectives;

Figure: Nature of Control vs Impact

On-going monitoring of the internal control system together with a regular review of the way it is operating.

Figure: COSO Monitoring Process

Another useful complement to the monitoring tools can be to keep an active watch on internal control best practices. Monitoring, together with the best practices watch, culminates, where required, in the implementation of corrective actions and adjustments to the internal control system. Executive Management or the Management Board should assess the parameters for informing the Board of the main results of the monitoring and reviews thus performed.

Figure: Interrelationships of CobiT Controls in the CIS Environment

Impact on the Internal Control Environment

An example of the impact of internal control in CIS is the application of IT controls.

IT Control Components

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, divides the assessment into a logical series of steps. The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change. (Source: Assessing IT Controls, GTAG 1.)

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology.

These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

IT Controls

BUSINESS AND IT CONTROLS

The enterprise's system of internal controls impacts IT at three levels:

At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.

At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls.

However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls.

To support the business processes, IT provides IT services, usually as a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardise (accidentally or deliberately) the reliability of automated integrity checks.

Part 3: TYPES OF CONTROL IN A CIS ENVIRONMENT

Understanding the CIS Environment

This third part outlines the following:

Types of Control in CIS Environment
General Controls
Application Controls

Controls in CIS Environment

In a CIS environment there are generally two categories of controls: General CIS Environmental Controls and Application System Controls. Firstly, there are controls to address the computerized environment, and secondly, there are specific controls to address the different business applications in such an environment.

General Controls in CIS Environment

These are usually defined as:

Data Centre or Computer Operations controls
System Development controls
System Security controls (access security)
General Application System / Software controls: acquisition, development and maintenance

The objective is to ensure the Confidentiality, Integrity and Availability of information.

Data Centre or Computer Operations Controls

These are primarily controls that relate to data processing security and controls. They relate to the security of the data centre, batch processing of data, backups and custody of storage media. It is also important that such an environment is not accessed by unauthorized persons, such as programmers and hackers, as this could compromise data integrity.

Software Development Controls

These are controls that ensure all program changes are duly authorized. Unauthorized changes can be due to attempts to defraud by exempting accounts from being processed, or by processing them in an improper manner inconsistent with authorized policies and procedures.

System Security Controls (Access Security)

These are controls that provide privileges or rights of access to specific individuals or groups of persons in accordance with their tasks and job functions. Improper assignment of such access rights can result in unauthorized access to data and other information and resources.

Access Security Control

These include physical protection of computer equipment, software and data, and protection against loss of assets and information through theft and unauthorised use. For example, a special room or separate building for computers and equipment, with access to the room or building limited to authorised personnel only. This also includes recovery procedures for lost data. Example: financial institutions.
Application Software Development, Acquisition and Maintenance Controls

These are controls that ensure any software acquired is of specific standards for integration and installation into the current systems. Any non-compliance may result in incompatible software being acquired or failure of integration.

Application System Acquisition, Development and Maintenance Controls

Application system: for example, an accounting system for reporting and decision-making. Controls on these are critical for ensuring the reliability of information processing. It might be better to involve internal and external auditors at an early stage of designing the system, to ensure proper controls are incorporated into the system.

Application Controls in CIS Environment

These are usually defined as:

Controls over input: source or primary data.
Controls over processing: processing data and updating master files.
Controls over output: results of processing or updating, e.g. changes in totals, balances, transactions.

The objective is to ensure or preserve data integrity.

Input Controls

These are usually controls over source documents and can be in both physical and virtual forms. Physical would be in the form of restricted access or custody, serially pre-numbered, controlled items. Virtual can be that upon keying in, the system assigns unique identification codes, transaction codes, etc.

Input controls ensure the following:

Transactions are properly authorised before being processed by the computer.
Transactions are accurately converted into machine-readable form and recorded in the computer data files.
Transactions are not lost, added, duplicated or modified.
Incorrect transactions are rejected, corrected and re-submitted.

Processing Controls

These controls are in the form of, e.g., batch numbers, control totals, hash totals, hash counts, and system-assigned prefixes or suffixes to transaction numbers. These controls ensure that there are no unauthorized or fraudulent transactions inserted in the output or transaction listings.

Control over processing and computer data files:

To ensure that all transactions keyed in are processed by the computer and data files are properly stored and secured.
Processing errors are identified and corrected on a timely basis.
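As an added example, not from the lecture slides, the batch-level processing and output controls just described (record count, control total, hash total and duplicate transaction numbers) implemented in Python; the batch layout, field names and transactions are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    txn_no: str       # system-assigned transaction number (prefix + sequence)
    account: str      # numeric account code; summed into the hash total
    amount: Decimal   # monetary amount; summed into the control total


@dataclass(frozen=True)
class BatchHeader:
    """Control record prepared with the batch before it is keyed in."""
    batch_no: str
    record_count: int
    control_total: Decimal   # sum of amounts: a meaningful total
    hash_total: int          # sum of account codes: meaningless, but detects substitution


def compute_header(batch_no: str, txns: list[Transaction]) -> BatchHeader:
    """Recompute the control figures from the transactions actually present."""
    return BatchHeader(
        batch_no=batch_no,
        record_count=len(txns),
        control_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(int(t.account) for t in txns),
    )


def check_batch(header: BatchHeader, txns: list[Transaction]) -> list[tuple[str, str]]:
    """Reconcile a processed batch against its header.

    Returns (code, detail) pairs; an empty list means the batch reconciles.
    """
    findings = []
    actual = compute_header(header.batch_no, txns)
    if actual.record_count != header.record_count:
        findings.append(("RECORD_COUNT",
                         f"header {header.record_count}, processed {actual.record_count}: "
                         "records lost or added"))
    if actual.control_total != header.control_total:
        findings.append(("CONTROL_TOTAL",
                         f"header {header.control_total}, processed {actual.control_total}: "
                         "amount altered, lost or added"))
    if actual.hash_total != header.hash_total:
        findings.append(("HASH_TOTAL",
                         f"header {header.hash_total}, processed {actual.hash_total}: "
                         "account code substituted, lost or added"))
    dupes = sorted(n for n, c in Counter(t.txn_no for t in txns).items() if c > 1)
    if dupes:
        findings.append(("DUPLICATE_TXN_NO", f"posted more than once: {dupes}"))
    return findings


# Constructed sample batch (not real data); the header is taken at input time.
ORIGINAL = [
    Transaction("INV-0001", "4010", Decimal("1250.00")),
    Transaction("INV-0002", "4010", Decimal("80.50")),
    Transaction("INV-0003", "5120", Decimal("300.00")),
    Transaction("INV-0004", "6200", Decimal("45.25")),
]
HEADER = compute_header("B-0417", ORIGINAL)   # count 4, control 1675.75, hash 19340


def tampered_batches() -> dict[str, list[Transaction]]:
    """Four ways the same batch can differ at output from what was input."""
    lost = [t for t in ORIGINAL if t.txn_no != "INV-0003"]
    modified = [replace(t, amount=Decimal("800.50")) if t.txn_no == "INV-0002" else t
                for t in ORIGINAL]
    # Account changed, amount unchanged: only the hash total catches this.
    substituted = [replace(t, account="6210") if t.txn_no == "INV-0004" else t
                   for t in ORIGINAL]
    # One record dropped and another posted twice: the record count still agrees
    # with the header, so the totals and the duplicate check have to catch it.
    offset = [t for t in ORIGINAL if t.txn_no != "INV-0004"] + [ORIGINAL[2]]
    return {"lost": lost, "modified_amount": modified,
            "substituted_account": substituted, "lost_and_duplicated": offset}


def exception_report() -> dict[str, list[str]]:
    """Exception codes raised per scenario; the untouched batch raises none."""
    batches = {"original": ORIGINAL, **tampered_batches()}
    return {name: [code for code, _ in check_batch(HEADER, txns)]
            for name, txns in batches.items()}


if __name__ == "__main__":
    for name, codes in exception_report().items():
        print(f"{name}: {codes or 'reconciles'}")
```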

Output Controls

These are similar to processing controls but are for output purposes, to ensure the accuracy and reliability of the data generated. With the output reports or listings generated, or output files, there will be similar processing checks in the form of control totals, hash counts, suffixes, and integrity identifier codes generated.

Output controls are designed to provide reasonable assurance that:

Results of processing are accurate.
Access to output is restricted to authorised personnel.
Output is provided to appropriate authorised personnel on a timely basis.

Issuing of Purchase Requisition to Accepting the Purchase Invoice

Segregation of duties between the user department ordering the goods, the goods received department, the procurement department and the accounts department.
Before issuing the purchase order, the buying department should check that the user department is authorised to purchase the goods that have been requested.
Goods are only purchased from authorised suppliers. If it is a new supplier, validation of that supplier should be done before the order.
There must be an independent check from the buying department on the quality, price and service of the supplier.
The purchase order should be keyed into the computer by the procurement department and sent to the supplier, the user department and the accounts department.
The accounts department, upon receipt of the purchase invoice, matches it with the purchase order.
The user department checks the goods against requisitions and specifications.

Business, General & Application Controls

Application Controls Versus IT General Controls

It is important to understand the relationship and difference between application controls and Information Technology General Controls (ITGCs). Otherwise, an application control review may not be scoped appropriately, thereby impacting the quality of the audit and its coverage. ITGCs apply to all system components, processes, and data present in an organization or systems environment. The objectives of these controls are to ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations.

Information Technology General Controls

The most common ITGCs are:

Logical access controls over infrastructure, applications, and data.
System development life cycle controls.
Program change management controls.
Physical security controls over the data center.
System and data backup and recovery controls.
Computer operation controls.

Difference

Because application controls relate to the transactions and data pertaining to each computer-based application system, they are specific to each individual application. The objectives of application controls are to ensure the completeness and accuracy of records, as well as the validity of the entries made to each record, as the result of program processing. In other words, application controls are specific to a given application, whereas ITGCs are not.

Nature of Application Controls

Cost effective and efficient means to manage risk.
Reliant on the effectiveness of the IT general control environment.
Approach varies for complex versus non-complex environments.

Benefits of Application Controls

Reliability: reduces the likelihood of errors due to manual intervention.
Benchmarking: reliance on IT general controls can lead to concluding that the application controls are effective year to year without re-testing.
Time and cost savings: typically application controls take less time to test and only require testing once, as long as the IT general controls are effective.

Sample Detailed Review Program

Suggested tests:
Test input controls to ensure transactions are added into and accepted by the application, processed only once and have no duplications.
Test processing controls to ensure transactions are accepted by the application, processed with valid logic, carried through all phases of processing and updated to the correct data files.

Conclusion

Application controls are a cost effective and efficient means to manage risk. Internal auditors should determine that their organization's application controls are designed appropriately and operating effectively. Consider benchmarking as a way to further reduce the testing effort.

Part 4: AUDITING IN A CIS ENVIRONMENT

This fourth part outlines the following:

How the CIS environment affects auditing
Auditor's skill and competency
Risk assessment
Audit planning
Audit procedures

AUDIT APPROACH

Auditing usually takes place after the risk analysis or evaluation and the implementation of internal controls. The purpose is to ensure that all risks are adequately addressed and that shortcomings and weaknesses are duly reported on a continuous basis.

Having identified and understood the environment: What are the risks and controls in such an environment? What are the specific application controls in such an environment? Review such risks and controls and plan an audit.

Auditing in CIS environment

The auditor needs to consider how the CIS environment affects the audit. The overall audit objective and scope do not change, but the use of CIS has changed the processing, storage and communication of financial information and may also affect the internal control of an entity.

CIS may affect the audit process in the following areas:
Skill and competence
Planning
Risk assessment, i.e. assessment of inherent risk and control risk
Audit procedures: procedures for obtaining an understanding of accounting and internal control, i.e. auditing around the computer; and performing tests of control and substantive tests, i.e. auditing through the computer.

AUDIT SKILL & COMPETENCY

Skill and Competence

The auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed. The auditor needs to:
1. Obtain sufficient understanding of the accounting and internal control affected by the CIS environment.
2. Determine the effect of CIS on the procedures used to assess audit risk.
3. Be able to design and perform appropriate tests of control and substantive tests.
4. If required, seek the assistance of an expert.

In addition, according to The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), specifically Standards 1220 and 1210.A3, internal auditors need to apply the care and skill of a reasonably prudent and competent auditor, as well as have the necessary knowledge of key IT risks, controls, and audit techniques to perform their assigned work, although not all internal auditors are expected to have the expertise of an auditor whose primary responsibility is IT.

Design of Controls

Another valuable service internal auditors can provide during a new system implementation or significant upgrade is an extension of the independent risk assessment. More specifically, auditors can assist management with the design of controls to mitigate the risks identified during the risk assessment. The internal auditors assigned to this activity should be a part of the implementation team, not an adjunct.

Therefore, the tasks, time, and number of internal audit resources required for the design of application controls need to be built into the overall project plan.

Controls Testing

If the implementation team has designed and deployed controls based on the risk assessment, or without the benefit of one, internal auditors can provide value by independently testing the application controls.

This test should determine if the controls are designed adequately and will operate effectively once the application is deployed. If any of the controls are designed inadequately or do not operate effectively, auditors should present this information along with any recommendations to management to prevent the presence of unmanaged risks when the application is fully deployed.

Application Reviews

Transactional and support applications require control reviews from time to time based on their significance to the overall control environment. The frequency, scope, and depth of these reviews should vary based on the application's type and impact on financial reporting, regulatory compliance, or operational requirements, and the organization's reliance on the controls within the application for risk management purposes.

AUDIT RISK ASSESSMENT

Assess Risk

The auditor should use risk assessment techniques to identify critical vulnerabilities pertaining to the organization's reporting, operational and compliance requirements when developing the risk assessment review plan. These techniques include:
The review's nature, timing, and extent.

The critical business functions supported by application controls.
The extent of time and resources to be expended on the review.

In addition, auditors should ask four key questions when determining the review's appropriate scope:
1. What are the biggest organization-wide risks and main audit committee concerns that need to be assessed and managed while taking management views into account?
2. Which business processes are impacted by these risks?
3. Which systems are used to perform these processes?
4. Where are processes performed?

When identifying risks, auditors may find it useful to employ a top-down risk assessment to determine which applications to include as part of the control review and what tests need to be performed.

For instance, Figure 1 outlines an effective methodology for identifying financial reporting risks and the scope of the review. Please note this illustration does not represent the only way to conduct all types of risk assessment.

Risk Assessment

The nature of the risk in a CIS environment includes:

Lack of transaction trail. The audit trail may be available only for a short period, or not in computer-readable form. Or, if transactions are too complex and high in volume, errors may be embedded in application program logic and be difficult to detect on a timely basis.

Lack of segregation of duties. Many control procedures are performed by separate individuals in manual systems, but may not be in CIS.

Potential for errors and irregularities. The potential for human error, and for that error going undetected, may be greater in CIS. Also, the potential for unauthorised access to data without visible evidence may be greater in CIS than in a manual system. Furthermore, decreased human involvement in handling transactions in CIS can reduce check-and-balance activities, so that errors may go undetected.

Initiation or execution of transactions. CIS may have the capability to execute transactions automatically, for example the calculation of depreciation, so that the authorization for the transaction is not available.

Lack of visible output. Certain transactions or results may not be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by computer.

Ease of access to data and computer programs. Data and computer programs can be accessed and altered at the computer or from a remote location. Therefore, the auditor should review the appropriate control measures to prevent unauthorised access to and alteration of the data.

What can go wrong?

Availability, security, integrity, confidentiality, effectiveness and efficiency

Types of risk:
Pervasive: impact the enterprise as a whole
Specific risks

Consider three dimensions:
Each company will have a unique risk profile
IT-related risk is not static, but changing dynamically
Proliferation: when evaluating IT-related risk, keep in mind its additive nature

Consider impact and likelihood. The traditional risk assessment process may not be suitable for IT risk assessment. The IT risk assessment process should:
Be performed in depth every year, not just an update of the prior year.
Consider all the layers of the IT environment.
Consider both static and dynamic risks.
Not be based strictly on interviews, but use other discovery techniques.
Be supplemented with the appropriate level of analysis after discovery.
Be performed by the appropriate personnel.

AUDIT PLANNING

After completing the risk evaluation and determining the scope of the review, auditors need to focus on the development and communication of the detailed review plan. The first step in developing the detailed review plan is to create a planning memorandum that lists the following application control review components:
All review procedures to be performed.
Any computer-assisted tools and techniques used, and how they are used.
Sample sizes, if applicable.
Review items to be selected.
Timing of the review.

When preparing the memorandum, all of the required internal audit resources need to be included on the planning team. This is also the time when IT specialists need to be identified and included as part of the planning process.

After completing the planning memorandum, the auditor needs to prepare a detailed review program. When preparing the review program, a meeting should be held with management to discuss:

Management's concerns regarding risks.
Previously reported issues.
Internal auditing's risk and control assessment.
A summary of the review's methodology.
The review's scope.
How concerns will be communicated.

Planning

In planning, the auditor should obtain an understanding of the significance and complexity of CIS activities and the availability of data for use in the audit. The understanding includes:
1. The volume of transactions, which may make it difficult for users to identify and correct errors.
2. The computer automatically generates transactions directly from/to another application. Example: inventory information generated automatically from the production department.
3. The computer performs complicated computations of financial information.
4. Transactions are exchanged electronically with other organizations.
5. The organization structure of the entity may also change. For example: an IT department as part of the structure and responsible for control of the application of CIS as a whole.
6. The availability of data such as source documents, computer data files and other evidential matter that may be required by the auditor.

Also in planning:
1. The assessment of risk. The auditor's understanding of the CIS environment may influence the assessment of inherent and control risk.
2. The potential for use of CAATs. Processing large quantities of data using computers may provide the auditor with the opportunity to apply general or specialized CAATs in the execution of audit tests.

AUDIT PROCEDURES

Business Process Method

In the previous chapter, the business process method was identified as being the most widely used for application control review scoping. In today's world, many transactional applications are integrated into an ERP system. Because business transactions that flow through these ERP systems can touch several modules along their life cycle, the best way to perform the review is to use a business process or cycle approach (i.e., identifying the transactions that either create, change, or delete data within a business process and, at a minimum, testing the associated input, processing, and output application controls).

Documentation Techniques

In addition to the documentation standards used by internal auditors, the following are suggested approaches for documenting each application control.

Flowcharts

Flowcharts are one of the most effective techniques used to capture the flow of transactions and the associated application and manual controls used within an end-to-end business process, because they illustrate transaction flows.

Process Narratives

Process narratives are another technique available to document business process transaction flows with their associated applications, and are best used as a documentation tool for relatively non-complex business processes and IT environments.

Audit procedures

The auditor's specific objectives do not change whether the accounting data is processed manually or by computer. However, the method of applying audit procedures to gather evidence may differ. The auditor may perform audit procedures manually, use CAATs, or use a combination of both.

Auditing around the computer

The auditor does not examine the computer processing but performs procedures to obtain an understanding of accounting and internal control:

Emphasis on ensuring the completeness, accuracy and validity of information by comparing the output reports with the input documents

To ensure the effectiveness of input controls and output controls
To ensure the adequacy of segregation of duties

Auditing through the computer

The auditor performs tests of control and substantive tests. For example, test data enable the auditor to examine the computer processing and internal control of the client's CIS. The auditor may use CAATs in these procedures. CAATs help the auditor in organizing, analyzing and extracting computerized data and in re-performing computations and other processing.

Executing IT Auditing

Normal audit process
Consider IT audit by using frameworks and standards, such as COSO, CoBIT, ISO27001/17799

Lecture Objectives

Understanding the CIS environment
The effect of computerization in general and on internal controls

Types of general & application controls used in CIS processes
The audit process in a CIS environment
To know the techniques of auditing using CAATs

COMPUTER AS AN AUDIT TOOL AND COMPUTER-ASSISTED AUDIT TECHNIQUES

Understanding the CIS Environment

This part outlines the following:

The use of the computer as an audit tool
Audit software purpose
Factors to consider upon choosing one
Audit software: off-the-shelf or development of such software?
Using audit software

The use of the computer as an audit tool

Auditors take laptops to the client's premises for use as an audit tool to perform various audit tasks, such as:

Spreadsheets

Trial balance and lead schedules
Time and cost budgeting
Analytical procedures
Audit documentation, e.g. audit confirmations
Audit programme preparation
Documentation of internal control
Preparation of flowcharts
Communication and reports
Selecting samples for testing
Analysing results, extending the explanations obtained to the population as a whole

Word processor
Statistical packages
CAATs

Computer-assisted Audit Techniques

Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an application control review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period.

In these situations, it would be impossible to obtain adequate information in a format that can be reviewed without the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).

Using CAATs (IS Auditing Guideline G3)

CAATs include many types of tools and techniques, such as generalised audit software, customised queries or scripts, utility software, software tracing and mapping, and audit expert systems.

CAATs may be used in performing various audit procedures including:
Tests of details of transactions and balances
Analytical review procedures
Compliance tests of IS general controls
Compliance tests of IS application controls
Penetration testing

Decision Factors for Using CAATs

When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:

Computer knowledge, expertise, and experience of the IS auditor
Availability of suitable CAATs and IS facilities
Efficiency and effectiveness of using CAATs over manual techniques
Time constraints
Integrity of the information system and IT environment
Level of audit risk

Pre-requisites of Using CAATs

Connectivity and Access to Data

The first prerequisite for using audit software is access to data. The auditor needs to obtain access to the live production data. The auditor then needs to obtain read-only access to the files/tables that hold the data and can transfer the data files to the notebook computer. Once this is done, the audit software can use the data files and perform the audit. It is necessary to ensure that the data that are downloaded are an actual copy of the real production data.

Knowledge of the Application and Data

The IS auditor needs to know the technical details of the platform on which the application is built. Knowledge of the files or tables in which the data reside is also necessary. The auditor needs to get the file description and the data field types. If certain codes are used in the tables, the corresponding descriptions of the codes also need to be known.

Audit Skills and Identifying the Concerns

After the data are downloaded and ready for analysis by the audit software, the auditor needs to know what control concerns are to be tested and validated. This is probably even more basic than the skill needed to download the data. Audit software has many features, but the features cannot perform an audit on their own.

The auditor has to design the procedures and tests. The tests that the auditor carries out are designed using the knowledge of the application, the business rules behind the function and the findings of the application review. The kind of tests that are run will vary with the applications. For example, in a procurement audit, the auditor may download the purchase order and related files and perform an analysis of prices. In a financial accounting application, the auditor may analyze expenses by dollar value, revenue expenditure, account head, and department or cost code. In a banking application, the auditor may verify interest payments using the audit software. In a sales application, the correctness of product prices or incentives may be analyzed. It is the audit skill of determining what is to be verified and tested, coupled with the knowledge of the business and the application, that makes the software actually do the audit work.

Issues

The first-time deployment of audit software in any organization is not without pain. Problems will occur in almost all areas, beginning with the reluctance of the IS staff. Following this come difficulties in obtaining access to the production data (the IS staff fearing that the audit software may interfere with processing), the improper processing of downloads, the incorrect input of file definitions and so on.

Investing in training on the audit software is essential and this cost should be considered while purchasing the software. The training should not be confined to the commands and menus in the software but must include real-life exercises using one of the applications running in the organization.

It also would help if the trainer is not strictly an IT person, but has some audit background too. Although the first attempt at using audit software is painstaking, there need be no doubt about the benefits and gains of continued deployment, so the need is to persevere and win through the initial difficulties with help from the IS department and the trainer.

Computer-Assisted Audit Techniques (CAATs)

ISA 401 Auditing in a CIS Environment discusses some of the uses of CAATs in the following conditions:
The absence of input documents or the lack of a visible audit trail
The effectiveness or efficiency of auditing procedures may be improved through the use of CAATs.

Normally used by big auditing firms for their big clients. Common types of CAATs are audit software and test data.

Audit Software: computer programs used for audit purposes to examine the contents of the client's files. Audit software is used during substantive testing to determine the reliability of accounting controls and the integrity of computerised accounting records. Typical tests include:

Calculation checks, e.g. check additions, select high-value and negative-value items
Detecting violations of system rules, e.g. the program checks all accounts on the sales ledger to ensure that no customer has a balance above the credit limit
Detecting unreasonable items, e.g. check that no customers are allowed a trade discount of more than 50%
Conducting new calculations and analyses, e.g. obtain an analysis of static and slow-moving stocks
Selecting items for audit testing, e.g. obtain the sample to send confirmations
Completeness checks, e.g. checking the continuity of sales invoices to ensure they are all accounted for.
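The typical audit-software tests listed above (together with the duplicate-transaction check mentioned earlier under CAATs), as an added example that is not part of the lecture material: Python functions run over a constructed sales-ledger extract; the customer codes, credit limits, invoice numbers and values are made up.

```python
# Added example, not from the lecture: generalised-audit-software style tests
# over a constructed sales-ledger extract (names, limits and values are made up).
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    number: int          # sales invoice number; should form a continuous sequence
    customer: str
    amount: float        # gross invoice value (negative = credit note)
    discount_pct: float  # trade discount granted, in percent

CREDIT_LIMITS = {"C001": 5000.0, "C002": 2000.0, "C003": 10000.0}
INVOICES = [
    Invoice(1001, "C001", 1200.0, 10.0),
    Invoice(1002, "C002", 1500.0, 5.0),
    Invoice(1003, "C002", 900.0, 0.0),    # takes C002 past its 2000 limit
    Invoice(1005, "C003", 2500.0, 55.0),  # discount above 50%; 1004 is missing
    Invoice(1005, "C003", 2500.0, 55.0),  # posted twice
    Invoice(1006, "C001", -300.0, 0.0),   # negative value
]

def check_addition(invoices):
    """Calculation check: re-add the ledger rather than trusting the printed total."""
    return round(sum(i.amount for i in invoices), 2)

def credit_limit_breaches(invoices, limits):
    """Violation of system rules: customers whose balance exceeds their credit limit."""
    balances = Counter()
    for i in invoices:
        balances[i.customer] += i.amount
    return sorted(c for c, bal in balances.items() if bal > limits.get(c, 0.0))

def unreasonable_discounts(invoices, max_pct=50.0):
    """Unreasonable items: invoices carrying a trade discount above max_pct."""
    return sorted({i.number for i in invoices if i.discount_pct > max_pct})

def sequence_gaps(invoices):
    """Completeness check: invoice numbers missing from the continuous run."""
    present = {i.number for i in invoices}
    return sorted(set(range(min(present), max(present) + 1)) - present)

def duplicate_postings(invoices):
    """Duplicate transactions: the same invoice number posted more than once."""
    return sorted(n for n, c in Counter(i.number for i in invoices).items() if c > 1)

def exceptional_values(invoices, high=2000.0):
    """High-value and negative items selected for follow-up."""
    return {"high": sorted({i.number for i in invoices if i.amount >= high}),
            "negative": sorted({i.number for i in invoices if i.amount < 0})}
```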

Factors for the auditor to consider in deciding whether to use CAATs:
Whether no visible evidence is available and CAATs are the only way
The cost associated with CAATs
The extent of the ability of CAATs to perform tests on various financial statement items
Time: reports need to be produced by the auditors within a comparatively short time period, and in such cases it may be more efficient to use CAATs
The condition of the hardware (computer) and its ability to support CAATs

Audit Software

Package programs or Generalised Audit Software (GAS)
Written programs or custom audit software

Audit Software (continued):

Package programs are generalized computer programs designed to perform data processing functions such as reading and extracting data from the entity's computer files or database for further audit testing, performing calculations, selecting samples and providing reports. For example, application of a package program on accounts receivable:
1st step: Set audit objectives, i.e. to test the accuracy of AR, select a sample for confirmation and print out confirmations and monthly statements for the selected sample.
2nd step: Design the application, i.e. identify the data and design the format of the confirmation.
3rd step: Ensure the package program is able to read the data.
4th step: Process the application, i.e. access the entity's AR database with the package program. The program will process automatically according to the instructions.
5th step: Evaluate the results, i.e. verify the output, review the confirmation letters and monthly statements and send the confirmations.

Audit Software (continued):

A written program is audit software written by the auditors for specific audit tasks; it is necessary when the entity's CIS is not compatible with Generalized Audit Software. It is worth developing if the auditor can reuse it in future audits. However, it is expensive, takes longer to develop and needs modification every time an entity changes its system. The auditor also needs an IT expert to help in developing the program.
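The five-step accounts receivable application described under package programs above, as an added example (not code from the lecture or from any GAS product): a Python script that reads a constructed fixed-width AR extract, selects key items plus a monetary-unit sample, drafts confirmation requests and evaluates the replies; the customer codes, balances, key-item threshold and sampling interval are assumptions.

```python
# Added example, not from the lecture: the five AR steps above run as a small
# package-program style script over a constructed receivables extract.
from dataclasses import dataclass

@dataclass(frozen=True)
class Receivable:
    customer: str
    balance: float

# Step 3: a file definition the program uses to read the client extract.
# Constructed fixed-width records: customer code (6 chars) then balance.
AR_EXTRACT = [
    "C001    4200.50",
    "C002     150.00",
    "C003   12800.00",
    "C004     980.25",
    "C005    3100.00",
]

def read_extract(lines):
    return [Receivable(ln[:6].strip(), float(ln[6:].strip())) for ln in lines]

def select_sample(receivables, key_item_threshold, interval, start):
    """Steps 2/4: every balance at or above the threshold is a key item; the rest
    are sampled by monetary unit, i.e. every `interval`-th dollar from `start`."""
    key_items = [r for r in receivables if r.balance >= key_item_threshold]
    sampled, cumulative, next_hit = [], 0.0, start
    for r in receivables:
        if r.balance >= key_item_threshold:
            continue
        cumulative += r.balance
        if next_hit <= cumulative:       # a selection point falls inside this balance
            sampled.append(r)
            while next_hit <= cumulative:
                next_hit += interval
    return key_items + sampled

def confirmation_letter(r, as_of):
    """Step 4 output: positive confirmation request text for one customer."""
    return (f"To {r.customer}: our client's records show a balance of "
            f"{r.balance:,.2f} due from you as at {as_of}. Please confirm "
            f"whether this agrees with your records and report any difference.")

def evaluate_replies(sample, replies):
    """Step 5: ledger balance minus confirmed balance per customer, plus non-replies."""
    differences = {r.customer: round(r.balance - replies[r.customer], 2)
                   for r in sample if r.customer in replies
                   and abs(r.balance - replies[r.customer]) >= 0.005}
    no_reply = [r.customer for r in sample if r.customer not in replies]
    return differences, no_reply
```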

Common types of CAATs are audit software and test data.

Test Data: data used by the auditor to test the operation of the enterprise's computer programs. The auditor uses test data primarily for testing the application controls in the entity's computer programmes. For example: the auditor creates a set of simulated data which includes both valid and invalid data. Then, the auditor manually calculates the expected result from the simulated data. When the simulated data are entered into the entity's computer program, the valid data should be properly processed and the invalid data should be identified as errors. The results are compared to the auditor's predetermined result. Another example: an unauthorized password may be used in an attempt to gain entry, together with transactions with incorrect coding and transactions with non-existent customers or suppliers. These ensure that the system properly rejects invalid transactions.

Potential benefits of using CAATs

Audit time may be saved
Ability to scrutinize large volumes of data
Eliminates manual casting and cross-casting
Fewer manual procedures
The auditor does not necessarily have to be present at the client's office
Review and finalizing time may be reduced

With data volumes growing and management expectations on assurance becoming more specific, random verifications and testing do not yield the desired value. The use of audit software ensures 100 percent scrutiny of transactions in which there is audit interest, and pointed identification and zeroing in on erroneous/exceptional transactions, even when data volumes are huge. And all this can be done in a fraction of the time required with manual methods.
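The test-data approach described just before the benefits list, as an added example that is not from the lecture: a constructed stand-in for an entity's order-entry program (not any real client system), a test deck carrying the auditor's predetermined results, and the comparison that surfaces where the program's handling differs from what the auditor expected; all transaction codes, customers and limits are made up.

```python
# Added example, not from the lecture: the test-data approach against a constructed
# stand-in for an entity's order-entry program (not any real client system).
VALID_CODES = {"SAL", "RET"}
CUSTOMERS = {"C001": 5000.0, "C002": 2000.0}   # customer code -> credit limit

def client_program(txn):
    """Constructed stand-in for the entity's program: returns 'POSTED' or a reject reason.
    It deliberately lacks a credit-limit check so the test deck has something to find."""
    if txn["code"] not in VALID_CODES:
        return "REJECT: invalid transaction code"
    if txn["customer"] not in CUSTOMERS:
        return "REJECT: unknown customer"
    if txn["qty"] <= 0:
        return "REJECT: quantity must be positive"
    return "POSTED"

# The auditor's simulated transactions, each with the result predetermined by hand.
TEST_DECK = [
    ({"code": "SAL", "customer": "C001", "qty": 10, "value": 100.0}, "POSTED"),
    ({"code": "XYZ", "customer": "C001", "qty": 1, "value": 10.0}, "REJECT: invalid transaction code"),
    ({"code": "SAL", "customer": "C999", "qty": 1, "value": 10.0}, "REJECT: unknown customer"),
    ({"code": "RET", "customer": "C002", "qty": -3, "value": 30.0}, "REJECT: quantity must be positive"),
    ({"code": "SAL", "customer": "C002", "qty": 1, "value": 2500.0}, "REJECT: over credit limit"),
]

def run_test_deck(program, deck):
    """Feed each simulated transaction to the program and record expected vs actual."""
    results = []
    for txn, expected in deck:
        actual = program(txn)
        results.append({"txn": txn, "expected": expected, "actual": actual,
                        "agrees": actual == expected})
    return results

def control_exceptions(results):
    """Transactions the program handled differently from the auditor's predetermined result."""
    return [r for r in results if not r["agrees"]]

def summarise(results):
    """Working-paper counts: how many agreed, and which expected rejections were posted."""
    posted_invalid = [r["txn"] for r in results
                      if r["expected"].startswith("REJECT") and r["actual"] == "POSTED"]
    return {"tested": len(results), "agreed": sum(r["agrees"] for r in results),
            "invalid_accepted": posted_invalid}
```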

Another advantage of audit software is the uniform, user-friendly interface that it presents to the auditor for performing all the tasks, irrespective of the data formats or the underlying technology used by the application. The audit software also maintains logs of the tests done for review by peers and seniors, and advanced features allow the programming of certain macros and routines that can further enhance audit speed and efficiency.

OTHER ASPECTS OF IT ASSURANCE, SECURITY & GOVERNANCE

IT Assurance: performing audits over IT resources
IT Security: securing IT resources
IT Governance: understanding and commitment of the Board and Management

SOURCES

MIA Handbook on International Audit Guidelines
Information Security and Control Association website (http://www.isaca.org)
Institute of Internal Auditors website (http://www.theiia.org)
Certified Fraud Examiners Handbook
Federal Reserve website
Information Security sites: SANS, CCCure, etc.
Information Security manuals and standards: NIST, ITIL, CoBIT, IEC/ISO 27001
