CHAPTER 1 – AUDITING, ASSURANCE, AND INTERNAL CONTROL

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization’s transactions and account balances.

The attest service is an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.

Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
    • Financial Audits
    • Operational Audits
    • Compliance Audits
    • Fraud Audits
    • IT Audits
        o CIA
        o IIA

IT audits provide audit services where processes or data, or both, are embedded in technologies.
    • Subject to ethics, guidelines, and standards of the profession (if certified)
        o CISA
        o Most closely associated with ISACA
    • Joint with internal, external, and fraud audits
    • Scope of IT audit coverage is increasing
    • Characterized by CAATTs
    • IT governance as part of corporate governance

Fraud audits provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
    • Auditor is more like a detective
    • No materiality
    • Goal is conviction, if sufficient evidence of fraud exists (CFE, ACFE)

ASSURANCE
    • Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers

IT Audit Groups in “Big Four”
    • IT Risk Management
    • I.S. Risk Management
    • Operational Systems Risk Management
    • Technology & Security Risk Services
    • Typically a division of assurance services

Auditing standards
    • Set by PICPA
    • Authoritative
    • Ten Generally Accepted Auditing Standards (GAAS)
    • Three categories:
        o General Standards
        o Standards of Field Work
        o Reporting Standards

External VS Internal:
External auditing:
    • Independent auditor (CPA)
    • Independence
    • Required by SEC for publicly-traded companies
    • Referred to as a “financial audit”
    • Represents interests of outsiders, “the public” (e.g., stockholders)
    • Standards, guidance, certification governed by government bodies
Internal auditing:
    • Auditor (often a CIA or CISA)
    • Is an employee of the organization, imposing independence on self?
    • Optional per management requirements
    • Broader services than financial audit (e.g., operational audits)
    • Represents interests of the organization
    • Standards, guidance, certification governed by IIA and ISACA

Financial Audits
    • An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
    • Key concept: Independence
    • {Should be} Similar to a trial by judge
    • Culmination of a systematic process involving:
        o Familiarization with the organization’s business
        o Evaluating and testing internal controls
        o Assessing the reliability of financial data
    • Product is a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP

ATTEST definition
    • Written assertions
    • Practitioner’s written report
    • Formal establishment of measurement criteria or their description
    • Limited to:
        o Examination
        o Review
        o Application of agreed-upon procedures

Audit Phases
1. Planning
2. Obtaining evidence
    • Tests of Controls
    • Substantive Testing
    • CAATTs
    • Analytical procedures
3. Ascertaining reliability
    • MATERIALITY
4. Communicating results
    • Audit opinion

AUDIT RISK FORMULA
AUDIT RISK:
    • The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
INHERENT RISK:
    • The probability that material misstatements have occurred
        o Material vs. Immaterial
    • Includes economic conditions, etc.
    • Relative risk (e.g., cash)
CONTROL RISK:
    • The probability that the internal controls will fail to detect material misstatements
DETECTION RISK:
    • The probability that the audit procedures will fail to detect material misstatements
    • Substantive procedures

Audits
    • Systematic process
    • Five primary management assertions, and correlated audit objectives and procedures [Table 1.2]
        o Existence or Occurrence
        o Completeness
        o Rights & Obligations
        o Valuation or Allocation
        o Presentation or Disclosure

The IT Environment
    • There has always been a need for an effective internal control system.
    • The design and oversight of that system has typically been the responsibility of accountants.
    • The I.T. environment complicates the paper systems of the past.
        o Concentration of data
        o Expanded access and linkages
        o Increase in malicious activities in systems vs. paper
        o Opportunity that can cause management fraud (i.e., override)

AUDIT RISK MODEL
    • AR = IR * CR * DR
    • Example, inventory with IR = 40%, CR = 60%, AR = 5% (fixed):
        .05 = .4 * .6 * DR
        ... then DR = 20.83%
    • Why is AR = 5%?
    • What is detection risk?
    • Can CR realistically be 0?
    • Relationship between DR and substantive procedures
    • Relationship between tests of controls and substantive tests
    • Illustrate higher reliability of the internal controls and the Audit Risk Model
        o What happens if internal controls are more reliable than last audit?
        o Last year: .05 = .4 * .6 * DR [DR = 0.2083]
        o This year: .05 = .4 * .4 * DR [DR = 0.3125]
        The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
    • Substantive tests are labor intensive
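The audit risk model solved for the planned detection risk, as an added example (not from the notes). It re-runs the inventory figures for both years, rejects a control risk of exactly 0 (the notes' question) instead of dividing by zero, and reports what the change in DR means for the extent of substantive testing: the DR the auditor can accept rises from 0.2083 to 0.3125 as CR falls, which is why fewer substantive tests are needed. The function names are mine.

```python
"""Audit risk model worked through in code (added example, not from the notes).

AR = IR * CR * DR. AR is fixed by the auditor in planning, IR and CR are
assessed, so the unknown is the planned detection risk:
    DR = AR / (IR * CR)
"""


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR * CR * DR for DR, the detection risk the auditor may accept.

    All arguments are probabilities. CR (or IR) of exactly 0 is rejected: it
    would make AR zero regardless of DR, i.e. claim that no substantive work
    is ever needed, which is the point of the notes' question
    "Can CR realistically be 0?".
    """
    for name, p in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0 < p <= 1:
            raise ValueError(f"{name} must be a probability in (0, 1], got {p}")
    dr = ar / (ir * cr)
    # If IR*CR is already below the AR target, even DR = 1 (no substantive
    # testing) keeps AR within target; DR is a probability, so cap it there.
    return min(dr, 1.0)


def compare_control_reliability(ar: float, ir: float,
                                cr_last: float, cr_this: float) -> dict:
    """Re-run the model after a change in assessed control risk and say what
    it means for the extent of substantive testing this year."""
    dr_last = planned_detection_risk(ar, ir, cr_last)
    dr_this = planned_detection_risk(ar, ir, cr_this)
    if dr_this > dr_last:
        # More reliable controls: higher acceptable DR, fewer substantive tests.
        extent = "reduce"
    elif dr_this < dr_last:
        # Weaker controls: lower acceptable DR, more substantive tests.
        extent = "expand"
    else:
        extent = "unchanged"
    return {"dr_last": dr_last, "dr_this": dr_this, "substantive_testing": extent}


if __name__ == "__main__":
    # The inventory example from the notes: AR fixed at 5%, IR 40%, CR 60% then 40%.
    result = compare_control_reliability(ar=0.05, ir=0.40, cr_last=0.60, cr_this=0.40)
    print(f"last year DR = {result['dr_last']:.4f}")   # 0.2083
    print(f"this year DR = {result['dr_this']:.4f}")   # 0.3125
    print(f"substantive testing this year: {result['substantive_testing']}")
```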
The Relationship Between TOC and Substantive Testing
    • Tests of Controls are audit procedures performed to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level.
    • Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in the client’s accounting records or other information.

Role of Audit Committee
    • Selected from board of directors
    • Usually three members
    • Outsiders (S-OX now requires it)
    • Fiduciary responsibility to shareholders
    • Serve as independent check and balance system
    • Interact with internal auditors
    • Hire, set fees, and interact with external auditors
    • Resolve conflicts over GAAP between external auditors and management

What is an IT Audit?
Most accounting transactions are now in electronic form without any paper documentation, because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.

Internal Control
    • Policies, practices, procedures designed to:
        o safeguard assets
        o ensure accuracy and reliability
        o promote efficiency
        o measure compliance with policies

Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
    • no I.C.S. is perfect
    • benefits => costs
3. Methods of data processing
    • Objectives same regardless of DP method
    • Specific controls vary w/ different technologies
4. Limitations
    • Possibility of error
    • Management override
    • Possibility of circumvention
    • Changing conditions

EXPOSURES AND RISK
    • Exposure
    • Risks
    • Types of risk
        o Destruction of assets
        o Theft of assets
        o Corruption of information or the I.S.
        o Disruption of the I.S.

The PDC Model
    • Preventive controls
    • Detective controls
    • Corrective controls

Physical Controls
    • Transaction authorization
        o Example:
            ▪ Sales only to authorized customer
            ▪ Sales only if available credit limit
    • Segregation of duties
        o Examples of incompatible duties:
            ▪ Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
            ▪ Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
            ▪ Fraud requires collusion [e.g., separate various steps in process]
    • Supervision
        o Serves as compensating control when lack of segregation of duties exists by necessity
    • Accounting records (audit trails)
    • Access controls
        o Direct (the assets)
        o Indirect (documents that control the assets)
        o Fraud
        o Disaster Recovery
    • Independent verification
        o Management can assess:
            ▪ The performance of individuals
            ▪ The integrity of the AIS
            ▪ The integrity of the data in the records

IT Controls
    • Application Controls - ensure the validity, completeness, and accuracy of financial transactions
    • General Controls - apply to all systems
CHAPTER 2 – AUDITING IT GOVERNANCE CONTROLS

Information Technology Governance
    • Relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
    • Key objectives of IT governance are:
        o to reduce risk
        o to ensure that investments in IT resources add value to the corporation.

IT Governance Control issues
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

1. Structure of the Information Technology Function
    • The centralized approach and the distributed approach
    • Central data processing
        o All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
        o The IT service function is usually treated as a cost center whose operating costs are charged back to the end users.

Database Administration
    • Database administrator – responsible for the security and integrity of the database

Data Processing
    • Manages the computer resources used to perform the day-to-day processing of transactions.
        o Data conversion - transcribes transaction data from hard-copy source documents into computer input
        o Computer Operations - the electronic files produced in data conversion are later processed by the central computer
        o Data Library - room adjacent to the computer center that provides safe storage for the off-line data files.

Systems Development and Maintenance
    • Systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
    • End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
    • Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.

Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating Systems Development from Computer Operations
Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running applications (i.e., computer operations).
Separating Database Administration from Other Functions
The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.

Separating New Systems Development from Maintenance
    • The systems analysis group works with the users to produce detailed designs of the new systems.
    • The programming group codes the programs according to these design specifications.
        o Inadequate documentation
        o Program Fraud

The Distributed Model
    • An alternative to the centralized model
    • Involves reorganizing the central IT function into small IT units that are placed under the control of end users.
    • The IT units may be distributed according to business function, geographic location, or both.

Risks Associated with DDP
    • Inefficient Use of Resources
    • Destruction of Audit Trails
    • Inadequate Segregation of Duties
    • Hiring Qualified Professionals
    • Lack of Standards

Advantages of DDP
    • Cost Reductions
    • Improved Cost Control Responsibility
    • Improved User Satisfaction
    • Backup Flexibility

Controlling the DDP Environment
Implement a Corporate IT Function
    • Central Testing of Commercial Software and Hardware
    • User services
    • Standard-setting bodies
    • Personnel Review

Audit Objective
    • The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.

Audit Procedures for Centralized IT Function
    1. Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
    2. Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
    3. Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
    4. Through observation, determine that the segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.

Audit Procedures for Distributed IT Function
    1. Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
    2. Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
    3. Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
    4. Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

2. The Computer Center
    • Physical location
    • Construction
    • Access
    • Air conditioning
    • Fire Suppression
    • Fault Tolerance
Audit Objectives
    • The auditor must verify that:
        o Physical security controls are adequate to reasonably protect the organization from physical exposures
        o Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

Audit Procedures
    • Tests of Physical Construction
    • Tests of the Fire Detection System
    • Tests of Access Control
    • Tests of RAID
    • Tests of the Uninterruptible Power Supply
    • Tests for Insurance Coverage

3. Disaster Recovery Planning
    • Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems
    • Disaster Recovery Plan (DRP) - comprehensive statement of all actions to be taken before, during, and after any type of disaster
        o Identify critical applications
        o Create a disaster recovery team
        o Provide site backup
        o Specify backup and off-site storage procedures

Identify Critical Applications
    • First essential element of DRP
    • Must concentrate on restoring those applications that are critical to the short-term survival of the organization.
    • The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors.

Creating a Disaster Recovery Team
    • Depends on timely corrective action
    • The team members should be experts in their areas and have assigned tasks.

Providing Second-site Backup
    • A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
    • The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.
    • A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share.
    • Internally provided backup

Management’s Disaster Recovery Plan
Audit Objective
    • The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedure
    • Site back-up plan
    • Critical Application List
    • Software Backup
    • Data Backup
    • Backup Supplies, Documents, and Documentation
    • Disaster Recovery Team

Outsourcing the IT Function
    • Organizations outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management
    • Benefits of IT outsourcing include
        o improved core business performance,
        o improved IT performance (because of the vendor’s expertise),
        o reduced IT costs.

Risks Inherent to IT Outsourcing
    • Failure to Perform
    • Vendor Exploitation
    • Outsourcing Costs Exceed Benefits
    • Reduced Security
    • Loss of Strategic Advantage

Audit Implications of IT Outsourcing
Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements.
CHAPTER 3 – SECURITY PART 1: AUDITING OPERATING SYSTEMS AND NETWORKS

Operating Systems
Perform three main tasks:
    • translates high-level languages into the machine-level language (through its compiler and interpreter modules)
    • allocates computer resources to user applications
    • manages the tasks of job scheduling and multiprogramming

Requirements for Effective Operating Systems Performance
    • OS must protect itself from users
    • OS must protect users from each other
    • OS must protect users from themselves
    • OS must be protected from itself
    • OS must be protected from its environment
          o Such as power failures and other disasters

Operating Systems Security
Log-On Procedure
    • first line of defense
    • user IDs and passwords
    • If the log-on fails, do not reveal whether the ID or the password caused the failure (the same message, and the same response time, for both cases)
    • For more than five failed attempts, lock the account
Access Token
    • contains key information (user ID, group memberships, privileges granted) about the user; the password is verified at log-on and should not be carried in the token
Access Control List
    • defines access privileges of users for each resource
Discretionary Access Control
    • allows a user to grant access to another user

Operating System Controls and Audit Tests
   • Controlling Access Privileges
   • Password Control
   • Controlling Against Malicious and Destructive Programs
   • System Audit Trail Controls

1. Controlling Access Privileges
Audit objectives relating to access privileges
    • verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy

Audit procedures relating to access privileges
    • Review the organization's policies for separating incompatible functions
    • Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions
    • Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy
    • Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data
    • Review the users' permitted log-on times

2. Password Control
    • Common forms of contra-security behavior include:
          o Forgetting passwords and being locked out of the system.
          o Failing to change passwords on a frequent basis.
          o The Post-it syndrome, whereby passwords are written down and displayed for others to see.
          o Simplistic passwords that a computer criminal easily anticipates

Reusable Passwords
    • User defines the password to the system once and then reuses it to gain future access.
    • Quality depends on the password itself
    • Management actions:
          o require passwords be changed regularly and disallow weak passwords
          o use extensive databases of known weak passwords to validate the new password and disallow weak ones

One-Time Passwords
    • the user's password changes continuously
    • Common implementation
          o PIN + generated password (a code derived from a secret shared with the server and a counter or clock, valid for one use)
          o An additional device with a display (a hardware token or a mobile phone app) is usually needed to generate the one-time password

Audit objectives
    • to ensure the organization has an adequate and effective password policy for controlling access to the OS
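The log-on controls described above (a failure message that does not say whether the ID or the password was wrong, a lockout after more than five failures, and a one-time password generated on a separate device) are combined in the following added example. It is illustrative code written for these notes, not code from the textbook or any product; the user IDs, the password, the PBKDF2 round count and the look-ahead window are constructed values. The one-time password is computed with the HOTP algorithm of RFC 4226, which is what most hardware tokens and phone apps implement.

```python
import hashlib
import hmac
import os
import struct

MAX_FAILED_ATTEMPTS = 5            # "more than five failed attempts" locks the account
GENERIC_FAILURE = "Log-on failed"  # same text whether the ID or the password was wrong
PBKDF2_ROUNDS = 100_000            # constructed value; tune to the server's capacity


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password: what the user's token or phone app displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LogOnController:
    """Password log-on with a generic failure message, lockout and a one-time password step."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(password, salt):
        # The password file holds a salted, iterated hash, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enrol(self, user_id, password, otp_secret):
        salt = os.urandom(16)
        self._accounts[user_id] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked": False,
            "otp_secret": otp_secret,   # shared with the user's token at enrolment
            "otp_counter": 0,           # next counter value the server will accept
        }

    def is_locked(self, user_id):
        acct = self._accounts.get(user_id)
        return bool(acct and acct["locked"])

    def log_on(self, user_id, password, otp_code):
        acct = self._accounts.get(user_id)
        if acct is None:
            # Burn the same hashing cost so an unknown ID cannot be told apart by timing.
            self._hash(password, b"\x00" * 16)
            return False, GENERIC_FAILURE
        if acct["locked"]:
            return False, GENERIC_FAILURE
        password_ok = hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"])
        otp_ok = False
        if password_ok:
            # Accept the next few counter values (token pressed without logging on),
            # never an earlier one: a captured code cannot be replayed.
            for look_ahead in range(3):
                candidate = acct["otp_counter"] + look_ahead
                if hmac.compare_digest(hotp(acct["otp_secret"], candidate), otp_code):
                    acct["otp_counter"] = candidate + 1   # the code is now spent
                    otp_ok = True
                    break
        if password_ok and otp_ok:
            acct["failures"] = 0
            return True, "OK"
        acct["failures"] += 1
        if acct["failures"] > MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    ctl = LogOnController()
    ctl.enrol("jdoe", "correct horse battery", b"12345678901234567890")
    print(ctl.log_on("jdoe", "correct horse battery", hotp(b"12345678901234567890", 0)))
```

The wrong-ID and wrong-password paths return the identical tuple and both do a full PBKDF2 computation; an auditor testing the log-on procedure can check exactly that, by timing and by message, from outside the system.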
Audit procedures
   • Verify that all users are required to have passwords.
   • Verify that new users are instructed in the use of passwords and the importance of password control.
   • Review password control procedures to ensure that passwords are changed regularly.
   • Review the password file to determine that weak passwords are identified and disallowed.
   • Verify that the password file is protected (in current practice, passwords are stored as salted, iterated hashes rather than reversibly encrypted) and that any encryption key is properly secured.
   • Assess the adequacy of password standards such as length and expiration interval.
   • Review the account lockout policy and procedures

3. Controlling Against Malicious and Destructive Programs
   • Corporate losses: data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage.
   • Examples of malicious and destructive programs: viruses, worms, logic bombs, back doors, and Trojan horses

Threats can be reduced through a combination of technology controls and administrative procedures:
    • Purchase software only from reputable vendors, in factory-sealed packages.
    • Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
    • Examine all upgrades to vendor software for viruses before they are implemented.
    • Inspect all public-domain software for virus infection before using it.
    • Establish entity-wide procedures for making changes to production programs.
    • Establish an educational program to raise user awareness.
    • Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN.
    • Routinely make backup copies of key files.
    • Limit users to read and execute rights only.
    • Require protocols that explicitly invoke the operating system's log-on procedure (a secure attention sequence such as Ctrl+Alt+Del) to bypass Trojan horses that imitate the log-on screen.
    • Use antiviral software (also called vaccines) to examine application and operating system programs.

Audit objectives
   • verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses

Audit procedures
   • Determine that operations personnel have been educated about malicious programs
   • Verify that new software is tested on workstations prior to being implemented on the host or network server.
   • Verify that the current version of antiviral software is installed and its signatures are kept up-to-date

4. System Audit Trail Controls
   • System audit trails are logs that record activity at the system, application, and user level
   • Audit trails typically consist of two types of audit logs:
         o Detailed logs of individual keystrokes
                ▪ recording both the user's keystrokes and the system's responses
         o Event-oriented logs
                ▪ summarize key activities related to system resources
                ▪ Event logs record: IDs of all users accessing the system; the time and duration of a user's session; programs that were executed during a session; and the files, databases, printers, and other resources accessed
   • Audit trails support security objectives in:
         o detecting unauthorized access to the system,
         o facilitating the reconstruction of events, and
         o promoting personal accountability.
   • Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.
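The event-oriented log described above is what the audit procedures for audit trails have the auditor search with a data extraction tool: activity by terminated or unknown users, log-ons outside permitted hours, and accounts that have gone inactive. The following added example does that search over a small constructed log; it is written for these notes and is not from the textbook or any logging product. The log format, the user IDs, the termination dates, the permitted hours and the 30-day inactivity limit are all constructed assumptions.

```python
import re
from datetime import date, datetime, time, timedelta

# Constructed event-oriented audit log (format and entries invented for this example).
SAMPLE_LOG = """\
2024-03-04T08:15:02 LOGON user=jdoe src=10.0.1.15
2024-03-04T08:17:30 EXEC user=jdoe prog=GLPOST
2024-03-04T17:02:11 LOGOFF user=jdoe
2024-03-04T23:40:55 LOGON user=mroe src=10.0.1.20
2024-03-05T00:05:10 EXEC user=mroe prog=PAYRUN
2024-03-05T00:06:00 LOGOFF user=mroe
2024-03-06T09:00:00 LOGON user=tgone src=10.0.2.7
2024-03-06T09:01:00 ACCESS user=tgone file=AR_MASTER
2024-03-06T09:30:00 LOGOFF user=tgone
"""

# Constructed reference data the auditor would obtain from HR, the security policy
# and the OS account list.
TERMINATED = {"tgone": date(2024, 2, 28)}                    # user -> termination date
PERMITTED_HOURS = {"jdoe": (time(7), time(19)),
                   "mroe": (time(7), time(19)),
                   "tgone": (time(7), time(19))}
ALL_ACCOUNTS = {"jdoe", "mroe", "tgone", "oldtemp"}
INACTIVITY_LIMIT = timedelta(days=30)

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+)(.*)$")


def parse_log(text):
    """Turn each log line into a dict: timestamp, action, user and any key=value attributes."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # a real tool would count unparseable lines too
        ts, action, user, rest = match.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "action": action, "user": user, **attrs})
    return events


def audit_events(events, as_of):
    """Return (condition, user, detail) findings for the conditions the audit procedure lists."""
    findings = []
    last_seen = {}
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        last_seen[user] = max(last_seen.get(user, ts), ts)
        if user not in ALL_ACCOUNTS:
            findings.append(("unknown-account", user, ts.isoformat()))
        if user in TERMINATED and ts.date() > TERMINATED[user]:
            findings.append(("terminated-user-activity", user, ts.isoformat()))
        if ev["action"] == "LOGON":
            start, end = PERMITTED_HOURS.get(user, (time(0), time(23, 59, 59)))
            if not (start <= ts.time() <= end):
                findings.append(("logon-outside-permitted-hours", user, ts.isoformat()))
    # Accounts with no activity in the review window are candidates for removal.
    for user in sorted(ALL_ACCOUNTS):
        seen = last_seen.get(user)
        if seen is None or as_of - seen > INACTIVITY_LIMIT:
            findings.append(("inactive-account", user, seen.isoformat() if seen else "never"))
    return findings


if __name__ == "__main__":
    for finding in audit_events(parse_log(SAMPLE_LOG), datetime(2024, 3, 31)):
        print(*finding)
```

Each finding is a starting point for the next procedure in the list, selecting a sample of violation cases and evaluating how the security group disposed of them.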
Audit objectives
   • ensure that the audit trail system is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation
Audit procedures
   • verify that the audit trail in the OS has been activated according to organization policy
   • use general-purpose data extraction tools for accessing archived log files to search for conditions such as: activity by unauthorized or terminated users; periods of inactivity; etc.
   • select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group

Internet and Intranet Risks
The communications component is a unique aspect of computer networks:
    • different from processing (applications) or data storage (databases)
Network topologies – configurations of:
    • communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
    • hardware components (modems, multiplexers, servers, front-end processors)
    • software (protocols, network control systems)

Intranet Risks
Interception of network messages
    • Sniffing confidential data such as passwords, confidential e-mails, and financial data files
Access to corporate databases
    • A central database increases the risk that an employee will view, corrupt, change, or copy data such as customer listings, credit card information, recipes, formulas, and design specifications
Privileged employees
    • middle managers, who often possess access privileges that allow them to override controls, are most often prosecuted for insider crimes
    • Reluctance to prosecute
          o fear of negative publicity

Internet Risks to Businesses
    • IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity
    • Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users; particularly devastating to business entities that cannot receive and process business transactions
    • Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and Intranet users

Three Common Types of DOS Attacks
    • SYN Flood – when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server with half-open connections while it waits.
    • Smurf – the DOS attacker uses numerous intermediary computers to flood the target computer with test messages ("pings"): ICMP echo requests are sent to a network's broadcast address with the target's address forged as the source, so every host on that network replies to the target.
    • Distributed DOS (DDOS) – can take the form of Smurf or SYN attacks, but is distinguished by the vast number of "zombie" computers hijacked to launch the attacks.

Risks from Equipment Failure
Include:
    • Disrupting, destroying, or corrupting transmissions between senders and receivers
    • Loss of databases and programs stored on network servers

Controlling Risks from Subversive Threats
Firewalls
    • a system that enforces access control between two networks
    • Only authorized traffic between the organization and the outside is allowed to pass through the firewall
    • Types:
          o Network-level firewalls: a screening router that examines the source and destination addresses (and ports) of each packet
          o Application-level firewalls: run security applications called proxies that understand the application protocol
Controlling DOS Attacks
    • Controlling for the three common forms of DOS attacks:
          o Smurf attacks—organizations can program firewalls to ignore an attacking site, once identified (and, because the attacker forges the victim's address, routers should refuse to forward directed broadcasts so they cannot serve as intermediaries)
          o SYN flood attacks—two tactics to defeat this DOS attack
                 ▪ Get Internet hosts to use firewalls that block invalid (spoofed) IP source addresses
                 ▪ Use security software that scans for half-open connections and drops them
          o DDoS attacks—many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
                 ▪ IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
                 ▪ DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination

Encryption
    • The conversion of data into a secret code for storage and transmission
    • Encryption algorithms use keys
          o Typically 56 to 128 bits in length (56-bit DES is obsolete and can be brute-forced; current practice is AES with 128-, 192- or 256-bit keys)
          o For a given algorithm, the more bits in the key the stronger the encryption; key length alone does not rescue a broken algorithm

Two general approaches to encryption:
Private key (symmetric) encryption
    • Advanced Encryption Standard (AES), uses a single key known to both the sender and the receiver of the message
    • Triple Data Encryption Standard (3DES), uses three keys
    • Techniques: EEE3 (encrypt-encrypt-encrypt) and EDE3 (encrypt-decrypt-encrypt), each with three independent keys
Public key encryption
    • uses two different keys: one for encoding messages and the other for decoding them
    • each recipient has a private key that is kept secret and a public key that is published; anyone can encrypt with the public key, only the holder of the private key can decrypt

Digital signature – electronic authentication technique (the sender signs a hash of the message with the sender's private key; the recipient verifies it with the sender's public key) to ensure that
    • the transmitted message originated with the authorized sender
    • the message was not tampered with after the signature was applied

Digital certificate – like an electronic identification card used with a public key encryption system
    • Verifies the authenticity of the message sender by binding a public key to its owner's identity, vouched for by a certification authority

Message sequence numbering – a sequence number carried in each message, used to detect missing, duplicated or reordered messages

Message transaction log – a listing of all incoming and outgoing messages, used to detect the efforts of hackers

Request-response technique – a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals.
    • The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent

Call-back devices – the receiver calls the sender back at a pre-authorized phone number before transmission is completed

Audit objectives: to verify the security and integrity of financial transactions by determining that network controls
    • can prevent and detect illegal access both internally and from the Internet
    • will render useless any data that a perpetrator successfully captures
    • are sufficient to preserve the integrity and physical security of data connected to the network

Audit procedures
1. Review the adequacy of the firewall in balancing control and convenience.
    • Flexibility. The firewall should be flexible enough to accommodate new services.
    • Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.
    • Filtering. The firewall should specify which services the user is permitted to access.
    • Segregation of systems. Systems that do not require public access should be segregated from the Internet.
    • Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
    • Probe for weaknesses. Periodically probe the firewall for weaknesses just as an Internet hacker would do.
2. Verify that an intrusion prevention system (IPS) is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.
3. Review security procedures governing the administration of data encryption keys.
4. Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
5. Review the message transaction logs to verify that all messages were received in their proper sequence.
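Message sequence numbering, tamper detection and the message transaction log, together with audit procedure 5 (review the log to verify that all messages arrived in proper sequence), are shown in the following added example. It is illustrative code written for these notes, not from the textbook or any messaging product. It uses a keyed hash (HMAC-SHA256 over the sequence number and body) in place of a public-key digital signature, because Python's standard library has no signature primitive; the shared key and the payment bodies are constructed values.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-a-real-secret"   # assumed pre-shared by both ends


def seal(seq, body, key=SHARED_KEY):
    """Sender side: number the message and bind number and body together with an HMAC tag."""
    data = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    return {"seq": seq, "body": body, "tag": hmac.new(key, data, hashlib.sha256).hexdigest()}


def verify(frame, key=SHARED_KEY):
    """Receiver side: recompute the tag; any change to seq or body makes it mismatch."""
    data = json.dumps({"seq": frame["seq"], "body": frame["body"]}, sort_keys=True).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, frame["tag"])


class Receiver:
    def __init__(self):
        self.expected_seq = 1
        self.transaction_log = []   # (seq, disposition) for every incoming message, kept or not

    def receive(self, frame):
        seq = frame["seq"]
        if not verify(frame):
            disposition = "REJECTED tampered or forged"
        elif seq < self.expected_seq:
            disposition = "REJECTED replay or duplicate"
        elif seq > self.expected_seq:
            # Accept, but record the hole so the missing messages can be chased.
            disposition = f"ACCEPTED gap: missing {self.expected_seq}..{seq - 1}"
            self.expected_seq = seq + 1
        else:
            disposition = "ACCEPTED"
            self.expected_seq = seq + 1
        self.transaction_log.append((seq, disposition))
        return disposition


def review_transaction_log(log):
    """Audit procedure 5: list every message that was rejected or arrived out of sequence."""
    exceptions = []
    previous = 0
    for seq, disposition in log:
        if not disposition.startswith("ACCEPTED"):
            exceptions.append((seq, disposition))
            continue
        if seq != previous + 1:
            exceptions.append((seq, f"sequence break after {previous}"))
        previous = seq
    return exceptions


if __name__ == "__main__":
    rx = Receiver()
    for i in range(1, 4):
        rx.receive(seal(i, f"PAY {i}00"))
    print(review_transaction_log(rx.transaction_log))
```

The tag covers the sequence number as well as the body, so an intruder cannot renumber a captured message to fill a gap; with a real digital signature the receiver would additionally be able to prove to a third party who sent it.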
6. Test the operation of the call-back feature by placing an unauthorized call from outside the installation.

Controlling Risks from Equipment Failure
   • The most common problem in data communications is data loss due to line error
   • Controls:
         o Echo Check - the receiver returns the message to the sender, who compares it with what was sent and retransmits on a mismatch
         o Parity Check - incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted; it detects an odd number of flipped bits, while an even number of flips passes undetected
Audit objectives
   • verify the integrity of the transactions by determining that controls are in place to detect and correct message loss due to equipment failure.
Audit procedures
   • select a sample of messages from the transaction log and examine them for garbled content caused by line noise
   • verify that all corrupted messages were successfully retransmitted

PC Systems Risks and Controls
OS weaknesses
    • minimal security for data files and programs
    • data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction
Weak access control
    • The log-on procedure is usually active only when the computer is booted from the hard drive
    • Booting from removable media (CD-ROM, USB) bypasses the log-on entirely unless the firmware boot order is locked and the disk is encrypted
Inadequate segregation of duties
    • Computers are shared among end users
    • The operator may also act as developer
Risk of Theft
    • PCs and laptops are easy to steal
    • A policy for managing sensitive data on them is needed
Weak backup procedures
    • disk failure is the primary cause of data loss in PC environments
    • End users should back up their own PC, but most lack the experience
Risk of virus infection
    • ensure that effective antivirus software is installed on the PCs and kept up-to-date
Multilevel password control
    • used when computers are shared among employees
    • each employee is required to enter a password to access his or her applications and data.

Audit Objectives
    • Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
    • Verify that adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators.
    • Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
    • Verify that systems selection and acquisition procedures produce applications that are high quality and protected from unauthorized changes.
    • Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.
Audit Procedures
    • Observe that PCs are physically anchored to reduce the opportunity of theft.
    • Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.
    • Determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees' job descriptions.
    • If removable or external hard drives are used, verify that the drives are removed and stored in a secure location when not in use.
    • Select a sample of backup files and verify that backup procedures are being followed.
    • Select a sample of PCs and verify that their commercial software packages were purchased from reputable vendors and are legal copies.
    • Review the organization's policy for using antiviral software.
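The two line-error controls listed under Controlling Risks from Equipment Failure above, the parity check and the echo check, are worked through in the following added example. It is illustrative code written for these notes, not from the textbook; the message bytes and the simulated noise are constructed. The point it makes beyond the notes is the limit of parity: a single flipped bit is caught, two flipped bits in the same byte are not, and only the echo check (which compares the whole message) catches the second case.

```python
def parity_bit(byte):
    """Even parity: the extra bit makes the total count of 1 bits in byte+parity even."""
    return bin(byte & 0xFF).count("1") % 2


def frame(data):
    """Sender side: transmit each byte together with its parity bit, as (byte, parity) pairs."""
    return [(b, parity_bit(b)) for b in data]


def unframe(frames):
    """Receiver side: strip the parity bits to recover the message bytes."""
    return bytes(b for b, _ in frames)


def parity_errors(frames):
    """Receiver side: indexes of frames whose parity bit no longer matches the byte."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bits(frames, index, *bit_positions):
    """Simulate line noise: flip the given bit positions of one byte while in transit."""
    damaged = list(frames)
    b, p = damaged[index]
    for pos in bit_positions:
        b ^= 1 << pos
    damaged[index] = (b, p)
    return damaged


def echo_check(sent, echoed):
    """Receiver echoes the message back; the sender compares it with what was sent."""
    return sent == echoed


if __name__ == "__main__":
    message = b"PAY 100"                      # constructed sample message
    clean = frame(message)
    one_flip = flip_bits(clean, 4, 0)         # one bit of the '1' byte flipped
    two_flips = flip_bits(clean, 4, 0, 3)     # two bits of the same byte flipped
    print("single-bit error at frames:", parity_errors(one_flip))
    print("double-bit error at frames:", parity_errors(two_flips))
    print("echo check catches it:", not echo_check(message, unframe(two_flips)))
```

Parity is cheap and catches the common single-bit line error; the echo check costs a round trip but catches everything parity misses, which is why the audit procedure above samples the transaction log for garbled content and then confirms those messages were retransmitted.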
CHAPTER 4 – SECURITY PART 2: AUDITING DATABASE SYSTEMS

Flat-File Approach
    • Associated with large, older legacy systems still in use today.
    • Promotes a single-user view approach where end users own rather than share data files.
    • Separate data sets for each user lead to data redundancy, which causes problems with:
          o Data storage: Commonly used data is duplicated multiple times within the organization.
          o Data updating: Changes must be made separately for each user. If an update fails, there is a currency-of-information problem, with some users holding outdated information.
          o Task-data dependency: Users cannot obtain additional information as needs change.

Database Approach
   • Access to the data resource is controlled by a database management system (DBMS).
   • Centralizes the organization's data into a common database shared by the user community.
   • All users have access to the data they need, which may overcome the flat-file problems.
   • Elimination of the data storage problem: No data redundancy.
   • Elimination of the data updating problem: A single update procedure eliminates the currency-of-information problem.
   • Elimination of the task-data dependency problem: Users are constrained only by the legitimacy of their access needs.

DBMS Features and Data Definition Language
Program Development – Applications may be created by programmers and end users.
Backup and Recovery - Copies made during processing.
Database Usage Reporting - Captures statistics on database usage (who, when, etc.).
Database Access - Authorizes access to sections of the database.
The data definition language is used to define the database to the DBMS on three levels (views):
Database Views
Internal view/ Physical view: Physical arrangement of records in the database.
    • Describes structures of data records, linkage between files, and the physical arrangement and sequence of records in a file. Only one internal view.
Conceptual view/ Logical view (schema): Describes the entire database logically and abstractly rather than physically. Only one conceptual view.
External view/ User view (subschema): The portion of the database each user views. There may be many distinct user views.

Data Manipulation Language (DML)
   • DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to / from the database.
   • Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN.
   • Can be used to 'patch' third-party applications to the DBMS

Informal Access: Query Language
    • A query is an ad hoc access methodology for extracting information from a database.
    • Users can access data via direct query, which requires no formal application programs.
    • IBM's Structured Query Language (SQL) has emerged as the standard query language.
    • The query feature enhances the ability to deal with problems that pop up, but poses an important control issue.
    • Must ensure it is not used for unauthorized database access: the subschema (external view) granted to each user is the control that limits what an ad hoc query can reach.

Functions of the Database Administrator (DBA)
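One of the DBA's access-control functions is to restrict each user to a subschema (external view), which is the control the Query Language section above calls for so that ad hoc queries cannot reach data outside the user's view. The following added example shows that enforcement with SQLite's authorizer hook from Python's standard library; it is illustrative code written for these notes, not from the textbook or any DBMS. The employee table, the two views and the user-to-view assignments are constructed, and a throwaway database file is created in a temporary directory.

```python
import os
import sqlite3
import tempfile

DB_PATH = os.path.join(tempfile.mkdtemp(), "subschema_demo.db")   # constructed throwaway database

# Constructed conceptual schema plus one external view (subschema) per job role.
SETUP_SQL = """
CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
INSERT INTO employees VALUES (1, 'Ann', 'AR', 52000), (2, 'Bob', 'AP', 48000), (3, 'Cy', 'GL', 61000);
CREATE VIEW emp_directory AS SELECT emp_id, name, dept FROM employees;   -- no salary column
CREATE VIEW payroll_view  AS SELECT emp_id, name, salary FROM employees;  -- payroll clerks only
"""

# Constructed subschema assignments: the views each user is permitted to query.
SUBSCHEMA = {"clerk": {"emp_directory"}, "payroll": {"payroll_view"}}


def create_database(path=DB_PATH):
    if os.path.exists(path):
        os.remove(path)
    conn = sqlite3.connect(path)
    conn.executescript(SETUP_SQL)
    conn.close()


def make_authorizer(allowed_views):
    """SQLite calls this for every operation while a statement is being prepared.
    Reads of a base table are allowed only when SQLite reports that they are being
    made on behalf of one of the user's views (the last callback argument)."""
    def authorize(action, arg1, arg2, db_name, via_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and (arg1 in allowed_views or via_view in allowed_views):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY        # any other read, any write, any schema change
    return authorize


def query_as(user, sql, path=DB_PATH):
    """Run an ad hoc query as `user`; returns the rows, or the string 'DENIED'.
    A fresh connection per session matters: the authorizer runs when a statement is
    prepared, and a statement cached under a more permissive user must not be reused."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(make_authorizer(SUBSCHEMA.get(user, set())))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:         # SQLite reports SQLITE_DENY as 'not authorized'
        return "DENIED"
    finally:
        conn.close()


if __name__ == "__main__":
    create_database()
    print(query_as("clerk", "SELECT name, dept FROM emp_directory"))
    print(query_as("clerk", "SELECT salary FROM employees"))
```

An auditor testing this control would run the same kind of out-of-subschema query as each user and confirm it is refused, and would also confirm that the schema definitions themselves (the CREATE VIEW statements) can only be changed by the DBA.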
The Physical Database
   • Lowest level and the only one in physical form.
   • Magnetic spots on metallic coated disks that create a logical collection of files and records.
   • Data structures are the bricks and mortar of the database.
   • Allows records to be located, stored, and retrieved.
   • Two components: organization and access methods.
   • The organization of a file refers to the way records are physically arranged on the storage device - either sequential or random.
   • Access methods are programs used to locate records and to navigate through the database.

Database Terminology
Entity: Anything the organization wants to capture data about.
Record Type: Physical database representation of an entity.
Occurrence: The number of records represented by a particular record type.
Attributes: Define entities with values that vary (e.g. each employee has a different name).
Database: Set of record types that an organization needs to support its business processes.

Associations
Record types that constitute a database exist in relation to other record types. Three basic record associations:
    • One-to-one: For every occurrence of Record Type X there is one (or zero) of Record Type Y.
    • One-to-many: For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y.
    • Many-to-many: For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.

The Hierarchical Model
   • Usefulness of the model is limited because no child record can have more than one parent, which leads to data redundancy

The Relational Model
   • The difference between this and navigational models is the way data associations are represented to the user.
   • The relational model portrays data in two-dimensional tables with attributes across the top forming columns.
   • The rows (tuples) are normalized arrays of data similar to records in a flat-file system.
   • Relations are formed by an attribute common to both tables in the relation

Centralized Databases in a Distributed Environment
   • Data retained in a central location.
   • Remote IT units send requests to the central site, which processes the requests and transmits data back to the requesting IT units.
   • Actual processing is performed at the remote IT unit.
   • The objective of the database approach is to maintain data currency, which can be challenging.
   • During processing, account balances pass through a state of temporary inconsistency where values are incorrect.
   • Database lockout procedures prevent multiple simultaneous access to data, preventing potential corruption.

Distributed Databases: Partitioned Databases
   • Splits the central database into segments distributed to their primary users.
   • Advantages:
         o Users' control increased by having data stored at local sites.
         o Improved transaction processing response time.
         o Volume of transmitted data between IT
   • Basis of earliest DBAs and still in use today.                          units is reduced.
   • Sets that describe relationship between two                        o Reduces potential data loss from a
       linked files.                                                         disaster.
   • Each set contains a parent and a child.                            o Works best for organizations that
   • Files at the same level with the same parent are                        require minimal data sharing among
       siblings.                                                             units.
   • Tree structure with the highest level in the tree
       being the root segment and the lowest file in a
       branch the leaf.
   • Also called a navigational database.
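The record associations and the relational model summarized above, as an added example that is not part of these notes: it uses Python's built-in sqlite3, and every table, column and sample value is constructed for the demonstration.

```python
"""Added example (not from the notes): the three record associations and the
relational model, built with Python's built-in sqlite3. Shows how each
association is formed by an attribute common to both tables, how the DBMS
enforces it, and the redundancy a hierarchical tree forces on many-to-many
data. All table, column and sample values are constructed."""
import sqlite3

SCHEMA = """
-- One-to-many: a department has many employees, an employee has one
-- department; the relation is formed by dept_no, common to both tables.
CREATE TABLE department (dept_no INTEGER PRIMARY KEY, dept_name TEXT NOT NULL);
CREATE TABLE employee (
    emp_no   INTEGER PRIMARY KEY,
    emp_name TEXT NOT NULL,
    dept_no  INTEGER NOT NULL REFERENCES department(dept_no)
);
-- One-to-one: at most one badge per employee; UNIQUE on the foreign key is
-- what turns one-to-many into one-to-one.
CREATE TABLE badge (
    badge_no INTEGER PRIMARY KEY,
    emp_no   INTEGER NOT NULL UNIQUE REFERENCES employee(emp_no)
);
-- Many-to-many: a linking table of (emp_no, project_no) pairs lets each
-- employee and each project be stored exactly once.
CREATE TABLE project (project_no INTEGER PRIMARY KEY, project_name TEXT NOT NULL);
CREATE TABLE assignment (
    emp_no     INTEGER NOT NULL REFERENCES employee(emp_no),
    project_no INTEGER NOT NULL REFERENCES project(project_no),
    PRIMARY KEY (emp_no, project_no)
);
"""
# Constructed sample data: two departments, three employees, two projects.
SAMPLE_DATA = """
INSERT INTO department VALUES (10, 'Accounting'), (20, 'IT');
INSERT INTO employee   VALUES (1, 'Ana', 10), (2, 'Ben', 10), (3, 'Cy', 20);
INSERT INTO badge      VALUES (501, 1), (502, 3);
INSERT INTO project    VALUES (100, 'Year-end close'), (200, 'ERP upgrade');
INSERT INTO assignment VALUES (1, 100), (2, 100), (2, 200), (3, 200);
"""


def build_database():
    """Create the in-memory database with referential integrity switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def group_pairs(rows):
    """Turn (key, value) rows into {key: [values...]} preserving row order."""
    result = {}
    for key, value in rows:
        result.setdefault(key, []).append(value)
    return result


def employees_by_department(conn):
    """One-to-many, resolved by joining on the common attribute dept_no."""
    return group_pairs(conn.execute(
        "SELECT d.dept_name, e.emp_name FROM department d "
        "JOIN employee e ON e.dept_no = d.dept_no ORDER BY e.emp_no"))


def projects_per_employee(conn):
    """Many-to-many, resolved through the assignment linking table."""
    return group_pairs(conn.execute(
        "SELECT e.emp_name, p.project_name FROM employee e "
        "JOIN assignment a ON a.emp_no = e.emp_no "
        "JOIN project p ON p.project_no = a.project_no "
        "ORDER BY e.emp_no, p.project_no"))


def hierarchical_redundancy(conn):
    """Duplicate employee records a hierarchical tree would need with project
    as the parent record type: a child hangs under exactly one parent, so an
    employee on two projects has to be stored twice."""
    children = conn.execute("SELECT COUNT(*) FROM assignment").fetchone()[0]
    distinct = conn.execute(
        "SELECT COUNT(DISTINCT emp_no) FROM assignment").fetchone()[0]
    return children - distinct


def dbms_rejects(conn, statement):
    """True if the DBMS refuses the statement because it would break an
    association (a second badge for one employee, or a child with no parent)."""
    try:
        conn.execute(statement)
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    db = build_database()
    print(employees_by_department(db))  # {'Accounting': ['Ana', 'Ben'], 'IT': ['Cy']}
    print("redundant hierarchical copies:", hierarchical_redundancy(db))  # 1 (Ben)
    print(dbms_rejects(db, "INSERT INTO badge VALUES (503, 1)"))  # True: 2nd badge
    print(dbms_rejects(db, "INSERT INTO assignment VALUES (9, 100)"))  # True: no emp 9
```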
The Deadlock Phenomenon
   • Occurs when multiple sites lock each other out of the database, preventing each from processing its transactions.
   • Transactions remain in a “wait” state until the locks are removed.
   • Can result in transactions being incompletely processed and the database being corrupted.
   • Deadlock is a permanent condition that must be resolved with special software that analyzes and resolves conflicts.
   • Usually involves terminating one or more transactions to complete processing of the others in the deadlock.
   • Preempted transactions must be reinitiated.

Distributed Databases: Replicated Databases
   • Effective for situations with a high degree of data sharing, but no primary user.
   • Common data replicated at each site, reducing data traffic between sites.
   • Primary justification is to support read-only queries.
   • Problem is maintaining current versions of the database at each site.
   • Since each IT unit processes its own transactions, the common data replicated at each site is affected by different transactions and reflects different values.

Concurrency Control
   • Database concurrency is the presence of complete and accurate data at all user sites.
   • Designers need to employ methods to ensure transactions processed at each site are accurately reflected in the databases of all the other sites.
   • Commonly used method is to serialize transactions, which involves labeling each transaction by two criteria:
       o Special software groups transactions into classes to identify potential conflicts.
       o Second part of the control is to time-stamp each transaction.

Database Distribution Methods and the Accountant
Many issues and trade-offs in distributing databases. Basic questions to be addressed:
   • Centralized or distributed data?
   • If distributed, replicated or partitioned?
   • If replicated, total or partial replication?
   • If partitioned, what is the allocation of the data segments among the sites?
   • Choices impact the organization’s ability to maintain database integrity, preserve audit trails, and have accurate records.

Controlling and Auditing Data Management Systems
   • Controls over data management systems fall into two categories.
   • Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying data.
   • Backup controls ensure that the organization can recover its database in the event of data loss.

Access Controls
   • A user view (subschema) is a subset of the database that defines the user’s data domain and access.
   • Database authorization table contains rules that limit user actions.
   • User-defined procedures allow users to create a personal security program or routine.
   • Data encryption procedures protect sensitive data.
   • Biometric devices (fingerprints or retina prints) control access to the database.
   • Inference controls should prevent users from inferring, through query options, specific data values they are unauthorized to access.

Audit Procedures for Testing Database Access Controls
   • Verify DBA personnel retain responsibility for authority tables and designing user views.
   • Select a sample of users and verify access privileges are consistent with job description.
   • Evaluate costs and benefits of biometric controls.
   • Verify database query controls to prevent unauthorized access via inference.
   • Verify sensitive data are properly encrypted.

Backup Controls in the Database Environment
   • Since data sharing is a fundamental objective of the database approach, the environment is vulnerable to damage from individual users.
   • Four needed backup and recovery features:
   • Backup feature makes a periodic backup of the entire database, which is stored in a secure, remote location.
   • Transaction log provides an audit trail of all processed transactions.
   • Checkpoint facility suspends all processing while the system reconciles the transaction log and database change log against the database.
   • Recovery module uses logs and backup files to restart the system after a failure.

Audit Procedures for Testing Backup Controls
   • Verify backups are performed routinely and frequently.
   • Backup policy should balance the inconvenience of frequent activity against the business disruption caused by system failure.
   • Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.

CHAPTER 5 – SYSTEMS DEVELOPMENT AND PROGRAM CHANGE ACTIVITIES

Participants in Systems Development
   • Systems professionals
   • End users
   • Stakeholders
   • Accountants/Auditors

Why are Accountants and Auditors Involved with the SDLC?
   1. The creation of the information system entails significant financial transactions
   2. A more pressing concern for accountants and auditors is the nature of the products that emerge from the SDLC

How are Accountants Involved with the SDLC?
   1. Accountants are users
   2. Accountants participate in systems development as members of the development team
   3. Accountants are involved in systems development as auditors

Information Systems Acquisition
Organizations usually acquire information systems in two ways:
   1. They develop customized systems in-house through formal systems development activities, and
   2. They purchase commercial systems from software vendors

Trends in Commercial Systems
   1. Low cost of general commercial software as compared to customized software
   2. The emergence of industry-specific vendors who target their software to the needs of particular types of businesses
   3. A growing demand from businesses that are too small to afford in-house systems development staff
   4. The trend toward downsizing of organizational units and the resulting move toward the distributed data processing environment

Types of Commercial Systems
   • Turnkey Systems
       o General Accounting Systems
       o Special-Purpose Systems
       o Office Automation Systems
   • Backbone Systems
   • Vendor-Supported Systems

Advantages and Disadvantages of Commercial Software
Advantages:
   • Implementation Time
   • Cost
   • Reliability
Disadvantages:
   • Independence
   • The need for customized systems
   • Maintenance

Systems Development Life Cycle (SDLC)
Objectives and sequence: the activities are logical and generally accepted by experts in the systems community, and are generally treated as “best practices” for systems development.

New systems development – involves conceptual steps that can apply to any problem-solving process:
   • Identify the problem
   • Understand what needs to be done
   • Consider alternative solutions
   • Select the best solution
   • Implement the solution

Systems maintenance – constitutes the organization’s program change procedures. It begins once the seven phases are complete and the system is fully implemented.

PHASE 1 – Systems Planning
Objective: link individual system projects or applications to the strategic objectives of the firm.

Who should do systems planning?
   • Chief executive officer
   • Chief financial officer
   • Chief information officer
   • Senior management from user areas
   • Internal auditor
   • Senior management from computer services

Responsibilities of a Steering Committee
   • Resolving conflicts that arise from new systems
   • Reviewing projects and assigning priorities
   • Budgeting funds for systems development
   • Reviewing the status of individual projects under development
   • Determining at various checkpoints

Strategic Systems Planning
   • It involves the allocation of systems resources at the macro level
   • It usually deals with a time frame of 3 to 5 years
   • This process is similar to budgeting resources for other strategic activities, such as product development, plant expansions, market research, and manufacturing technology

Why Perform Strategic Systems Planning?
   • A plan that changes constantly is better than no plan at all
   • Strategic planning reduces the crisis component in systems development
   • Strategic systems planning provides authorization control for the SDLC
   • Cost management

Project Planning
   • The purpose of project planning is to allocate resources to individual applications within the framework of the strategic plan
   • The basic purpose of project planning is to allocate scarce resources to specific projects
   • The product of this phase consists of two formal documents: the project proposal and the project schedule

The Auditor’s Role in Systems Planning
   • Auditors routinely examine the systems planning phase of the SDLC. Planning greatly reduces the risk that an organization has produced unneeded, inefficient, ineffective, and fraudulent systems. Therefore, both internal and external auditors are interested in ensuring that adequate systems planning takes place.

PHASE 2 – Systems Analysis
   • It is actually a two-step process involving (1) a survey of the current system and (2) an analysis of the user’s needs
   • It is the foundation for the rest of the SDLC
   • The deliverable from this phase is a formal systems analysis report, which presents the findings of the analysis and recommendations for the new system

The Survey Step
   • Disadvantages of Surveying the Current System
       o Current physical tar pit
       o Thinking inside the box
   • Advantages of Surveying the Current System
       o Identifying what aspects of the old system should be kept
       o Forcing systems analysts to fully understand the system
       o Isolating the root of problem systems

Gathering Facts
   • Data sources
   • Users
   • Data stores
   • Processes
   • Data flows
   • Controls
   • Transaction volumes
   • Error rates
   • Resource costs
   • Bottlenecks and redundant operations

Fact-Gathering Techniques
   • Observation
   • Task participation
   • Personal interviews
       o Open-ended questions
       o Questionnaires
   • Reviewing key documents

The Analysis Step
   • Systems analysis is an intellectual process that is commingled with fact gathering. The analyst is simultaneously analyzing as he or she gathers facts. The mere recognition of a problem presumes some understanding of the norm or desired state.
   • Systems Analysis Report – marks the conclusion of the systems analysis phase; presents to management or the steering committee the survey findings, the problems identified with the
current system, the user’s needs, and the requirements of the new system.

The Auditor’s Role in Systems Analysis
   • The accountant/auditor should be involved in the needs analysis of the proposed system to determine if it is a good candidate for advanced audit features and, if so, which features are best suited for the system.

PHASE 3 – Conceptual Systems Design
The purpose of the conceptual design phase is to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis.
Two approaches to conceptual systems design:
   • The structured approach
   • The object-oriented approach

The Structured Design Approach
   • It is a disciplined way of designing systems from the top down
   • It consists of starting with the “big picture” of the proposed system that is gradually decomposed into more and more detail until it is fully understood
   • Under this approach, the business process under design is usually documented by data flow and structure diagrams

The Object-Oriented Approach
   • It is to build information systems from reusable standard components (objects)
   • This approach may be equated to the process of building an automobile
   • The concept of reusability is central to the object-oriented approach to systems design

The Auditor’s Role in Conceptual Systems Design
   • The auditor is a stakeholder in all financial systems and, thus, has an interest in the conceptual design stage of the system. The auditability of a system depends in part on its design characteristics. Some computer auditing techniques require systems to be designed with special audit features that are integral to the system. These audit features must be specified at the conceptual design stage.

PHASE 4 – System Evaluation and Selection
   • It is an optimization process that seeks to identify the best system
   • This decision represents a critical juncture in the SDLC. At this point, there is a great deal of uncertainty about the system, and a poor decision here can be disastrous
   • The purpose of a formal evaluation and selection procedure is to structure this decision-making process and thereby reduce both uncertainty and the risk of making a poor decision. The evaluation and selection process involves two steps:
       o Perform a detailed feasibility study
       o Perform a cost-benefit analysis

Perform a Detailed Feasibility Study
   • Technical Feasibility
   • Economic Feasibility
   • Legal Feasibility
   • Operational Feasibility
   • Schedule Feasibility

Perform a Cost-Benefit Analysis
   1. Identify costs
       o One-time costs
       o Recurring costs
   2. Identify benefits
       o Tangible benefits (increase revenue, reduce costs)
       o Intangible benefits
   3. Compare costs and benefits (NPV, payback method)

Prepare Systems Selection Report
   • It is the deliverable product of the systems selection process
   • This formal document consists of a revised feasibility study, a cost-benefit analysis, and a list and explanation of intangible benefits for each alternative design. On the basis of this report, the steering committee will select a single system that will go forward to the next phase of the SDLC – the detailed design.

The Auditor’s Role in Evaluation and Selection
The primary concern for auditors is that the economic feasibility of the proposed system is measured as accurately as possible. Specifically, the auditor should ensure five things:
   1. Only escapable costs are used in calculation of cost savings benefits
   2. Reasonable interest rates are used in measuring present values of cash flows
   3. One-time and recurring costs are completely and accurately reported
   4. Realistic useful lives are used in comparing competing projects
   5. Intangible benefits are assigned reasonable financial values

PHASE 5 – Detailed Design
The purpose of the detailed design phase is to produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design.

Perform a System Design Walkthrough
   • After completing the detailed design, the development team usually performs a system design walkthrough to ensure that the design is free from conceptual errors that could become programmed into the final system. Many firms have formal, structured walkthroughs conducted by a quality assurance group

Review System Documentation
The detailed design report documents and describes the system to this point. The report includes the following:

PHASE 6 – Application Programming and Testing
   • Procedural languages
   • Event-driven languages
   • Object-oriented programming

Modular Programming
   • Benefits associated with modular programming:
       o Programming efficiency
       o Maintenance efficiency
       o Control

Test the Application Software
   • Testing methodology
   • Testing offline before deploying online
   • Test data

PHASE 7 – System Implementation
In the system implementation phase of the systems development process, database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.

Testing the Entire System
   • The procedure involves processing hypothetical data through the system
   • The outputs of the system are then reconciled with predetermined results, and the test is documented to provide evidence of the system’s performance
   • Finally, when those conducting the tests are satisfied with the results, they should then complete a formal acceptance document

Documenting the System
The system’s documentation provides the auditor with essential information about how the system works. The documentation requirements of three groups – systems designers and programmers, computer operators, and end users – are of particular importance.
   • Designer and programmer documentation
   • Operator documentation
   • User documentation (user handbook, online documentation)

Converting the Databases
Database conversion is a critical step in the implementation phase. This is the transfer of data from its current form to the format or medium required by the new system. The degree of conversion depends on the technology leap from the old system to the new one.
   • Precautions:
       o Validation
       o Reconciliation
       o Backup

Converting to the New System
   • The process of converting from the old system to the new one is called the cutover.
   • A system cutover will usually follow one of three approaches:
       o Cold turkey
       o Phased
       o Parallel operation

The Auditor’s Role in System Implementation
External auditors are prohibited by SOX legislation from direct involvement in systems implementation. However, as the preceding discussion has already
suggested, the role of internal auditors in the detailed design and implementation phases should be significant. Being a stakeholder in all financial systems, internal auditors should lend their expertise to this process to guide and shape the finished system. Specifically, internal auditors may get involved in the following ways:
   • Provide technical expertise
   • Specify documentation standards
   • Verify control adequacy and compliance with SOX

Post-Implementation Review
   • The review is conducted by an independent team to measure the success of the system and of the process after the dust has settled.
   • The post-implementation review of a newly installed system can provide management with insights into ways to improve the process for future systems. It can also prov
ide auditors (both internal and external) with evidence regarding the adequacy of the SDLC in general and the risks associated with a particular system.

PHASE 8 – Systems Maintenance
   • Systems maintenance is a formal process by which application programs undergo changes to accommodate changes in user needs
   • Maintenance represents a significant resource outlay compared to initial development costs. Over a system’s life span, as much as 80 to 90 percent of its total cost may be incurred in the maintenance phase.

Controlling New Systems Development
   • Systems Authorization Activities
   • User Specification Activities
   • Technical Design Activities
   • Internal Audit Participation
   • User Test and Acceptance Procedures

Audit Objectives Related to New Systems Development
   • Verify that SDLC activities are applied consistently and in accordance with management’s policies
   • Determine that the system as originally implemented was free from material errors and fraud
   • Confirm that the system was judged to be necessary and justified at various checkpoints throughout the SDLC
   • Verify that system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
   • User and computer services management properly authorized the project
   • A preliminary feasibility study showed that the project had merit
   • A detailed analysis of user needs was conducted that resulted in alternative general designs
   • A cost-benefit analysis was conducted using reasonably accurate figures
   • The project’s documentation shows that the detailed design was an appropriate and accurate solution to the user’s problem

Controlling Systems Maintenance
   • Maintenance authorization, testing, and documentation
   • Source program library controls
     The worst-case situation: no controls
       o Access to programs is completely unrestricted
       o Because of these control weaknesses, programs are subject to unauthorized changes

A Controlled SPL Environment
   • To control the SPL, protective features and procedures must be explicitly addressed, and this requires the implementation of an SPL management system (SPLMS).
   • This software is used to control four routine but critical functions:
       o Storing programs on the SPL
       o Retrieving programs for maintenance purposes
       o Deleting obsolete programs from the library, and
       o Documenting program changes to provide an audit trail of the changes

Audit Objectives Related to System Maintenance
   • Detect unauthorized program maintenance (which may have resulted in significant processing errors or fraud)
   • Determine that
       o Maintenance procedures protect applications from unauthorized changes
       o Applications are free from material errors
       o Program libraries are protected from unauthorized access

Audit Procedures Related to System Maintenance
Identify Unauthorized Changes
   • Reconcile program version numbers
    • Confirm maintenance authorization                    Revenue Cycle
Identify Application Errors                                   • time lag between the two due to credit
    • Reconcile the source code                               • relations with customers:
    • Review test results                                        physical component (sales order processing)
    • Retest the program                                         financial component (cash receipts)
Test Access to Libraries
    • Review programmer authority tables                   Manual System Accounting Records
    • Test authority table                                 Source Documents - used to capture and formalize
                                                           transaction data needed for transaction processing
CHAPTER 6 – TRANSACTION PROCESSING AND                     Product Documents - the result of transaction processing
FINANCIAL REPORTING SYSTEMS OVERVIEW                       Turnaround Documents - a product document of one
                                                           system that becomes a source document for another
Financial transaction - an economic event that affects     system
the assets and equities of the firm, is reflected in its
accounts, and is measured in monetary terms.               Journals - a record of chronological entry
                                                               • special journals - specific classes of transactions
IMAGINE YOU ARE MONITORING THE OPERATION OF                        that occur in high frequency
SAN MIGUEL CORPORATION                                         • general journal - nonrecurring, infrequent, and
   • How many transactions does it process daily                   dissimilar transactions
      from sales to customers, collections of              Ledger - a book of financial accounts
      receivables, conversion of its raw materials into        • general ledger - shows activity for each account
      final products, payment of regular expenses,                 listed on the chart of accounts
      purchase of stocks, payment to employees?                • subsidiary ledger - shows activity by detail for
   • Volume of transaction is huge.                                each account type
Similar types of transactions are grouped together into
three transaction cycles:
    • the expenditure cycle
    • the conversion cycle
    • the revenue cycle
Expenditure Cycle
   • time lag between the two due to credit
   • relations with suppliers:
       physical component (acquisition of goods)
       financial component (cash disbursements to the
       supplier)
Conversion Cycle
   • the production system (planning, scheduling,
       and control of the physical product through the
       manufacturing process)
   • the cost accounting system (monitors the flow
       of cost information related to production)
Computer-Based System
    • The audit trail is less observable in computer-based systems than in traditional manual systems.
    • The data entry and computer programs are the physical trail.
    • The data are stored in magnetic files.

Computer Files
Master File - generally contains account data (e.g., general ledger and subsidiary file)
Transaction File - a temporary file containing transactions since the last update
Reference File - contains relatively constant information used in processing (e.g., tax tables, customer addresses)
Archive File - contains past transactions for reference purposes

Documentation Techniques
    • Documentation in a computer-based (CB) environment is necessary for many reasons.
    • Five common documentation techniques:
        o Entity Relationship Diagram
        o Data Flow Diagrams
        o Document Flowcharts
        o System Flowcharts
        o Program Flowcharts

Entity Relationship Diagram (ERD)
    • A documentation technique to represent the relationship between entities in a system.
    • The REA model version of ERD is widely used in AIS. REA uses 3 types of entities:
        o resources (cash, raw materials)
        o events (release of raw materials into the production process)
        o agents (inventory control clerk, vendor, production worker)

Cardinalities
Represent the numerical mapping between entities:
    • One-to-one
    • One-to-many
    • Many-to-many

Data Flow Diagrams
    • use symbols to represent the processes, data sources, data flows, and entities in a system
    • represent the logical elements of the system
    • do not represent the physical system

System Flowcharts
    • illustrate the relationship among processes and the documents that flow between them
    • contain more details than data flow diagrams
    • clearly depict the separation of functions in a system
    • are used to represent the relationship between the key elements--input sources, programs, and output products--of computer systems
    • depict the type of media being used (paper, magnetic tape, magnetic disks, and terminals)
    • in practice, not much difference between document and system flowcharts

Modern Systems versus Legacy Systems
Modern systems characteristics:
    • client-server based and process transactions in real time
    • use relational database tables
    • have high degree of process integration and data sharing
    • some are mainframe based and use batch processing
    • Some firms employ legacy systems for certain aspects of their data processing.
        o Accountants need to understand legacy systems.
Legacy systems characteristics:
    • mainframe-based applications
    • batch oriented
    • early legacy systems use flat files for data storage
    • later legacy systems use hierarchical and network databases
    • data storage systems promote a single-user environment that discourages information integration
Computer-based Accounting System
Two broad classes of systems:
    • batch systems
    • real-time systems

1. Batch Processing
A batch is a group of similar transactions that are accumulated over time and then processed together.
The transactions must be independent of one another during the time period over which the transactions are accumulated in order for batch processing to be appropriate.

A time lag exists between the event and the processing.

Steps in Batch Processing / Sequential Files
    • Keystroke - source documents are transcribed by clerks to magnetic tape for processing later
    • Edit Run - identifies clerical errors in the batch and places them into an error file
    • Sort Run - places the transaction file in the same order as the master file using a primary key
    • Update Run - changes the value of appropriate fields in the master file to reflect the transaction
    • Backup Procedure - the original master continues to exist and a new master file is created
Advantages of Batch Processing
    • Organizations can increase efficiency by grouping large numbers of transactions into batches rather than processing each event separately.
    • Batch processing provides control over the transaction process via control figures.

2. Real-time Systems
    • process transactions individually at the moment the economic event occurs
    • have no time lag between the economic event and the processing
    • generally require greater resources than batch processing since they require dedicated processing capacity; however, these cost differentials are decreasing
    • oftentimes have longer systems development time

Database Backup Procedures
    • Destructive updates leave no backup.
    • To preserve adequate records, backup procedures must be implemented, as follows:
        o The master file being updated is copied as a backup.
        o A recovery program uses the backup to create a pre-update version of the master file.

Why do so many AIS use Batch Processing?
    • AIS processing is characterized by high-volume, independent transactions, such as recording cash receipts from checks received in the mail.
    • The processing of such high-volume checks can be done during off-peak computer time.
    • This is one reason why batch processing may be done using real-time data collection.

Use of coding in AIS
    • Concisely represent large amounts of complex information that would otherwise be unmanageable
    • Provide a means of accountability over the completeness of the transactions processed
    • Identify unique transactions and accounts within a file
    • Support the audit function by providing an effective audit trail

Sequential Codes
    • Represent items in sequential order
    • Used to prenumber source documents
    • Track each transaction processed
    • Identify any out-of-sequence documents
    • Disadvantages:
        o arbitrary information
        o hard to make changes and insertions
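The batch run described under Steps in Batch Processing / Sequential Files, with the control figure from Advantages of Batch Processing and the prenumbered-document checks from Sequential Codes, as an added example that is not from the notes; the master file, batch and control total are constructed:

```python
"""Sequential-file batch run (edit, sort, update with the old master kept as backup),
with a batch control figure and prenumbered-document checks. Added example, not
from the notes; the master file, batch and control figure are constructed."""

# Constructed master file (accounts receivable), already in primary-key order.
MASTER = [{"cust": 101, "balance": 500.00},
          {"cust": 102, "balance": 1200.00},
          {"cust": 105, "balance": 75.00}]

# Constructed batch of cash receipts, keyed by prenumbered remittance documents.
BATCH = [{"doc": 5004, "cust": 105, "amount": 75.00},
         {"doc": 5001, "cust": 101, "amount": 200.00},
         {"doc": 5002, "cust": 999, "amount": 50.00},   # customer not on master file
         {"doc": 5001, "cust": 102, "amount": 10.00}]   # document number used twice
CONTROL_TOTAL = 335.00   # control figure from the originating department (sum sent)

def edit_run(batch, master):
    """Edit run: detect clerical errors and route those records to an error file."""
    known, seen_docs, good, errors = {m["cust"] for m in master}, set(), [], []
    for t in batch:
        if t["doc"] in seen_docs:
            errors.append({**t, "reason": "duplicate document number"})
        elif t["cust"] not in known:
            errors.append({**t, "reason": "unknown customer"})
        elif t["amount"] <= 0:
            errors.append({**t, "reason": "non-positive amount"})
        else:
            good.append(t)
        seen_docs.add(t["doc"])
    return good, errors

def sort_run(transactions):
    """Sort run: order the transaction file on the master file's primary key."""
    return sorted(transactions, key=lambda t: t["cust"])

def update_run(master, sorted_txns):
    """Update run: merge sorted transactions into a NEW master file; the old master
    is never modified, so it continues to exist as the backup copy."""
    new_master, i = [], 0
    for rec in master:
        rec = dict(rec)
        while i < len(sorted_txns) and sorted_txns[i]["cust"] == rec["cust"]:
            rec["balance"] -= sorted_txns[i]["amount"]   # a receipt reduces AR
            i += 1
        new_master.append(rec)
    return new_master

def missing_documents(batch):
    """Sequential codes: document numbers absent between the lowest and highest seen."""
    nums = {t["doc"] for t in batch}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]

def run_batch(batch, master, control_total):
    """Run the cycle and return what the control clerk reconciles afterwards."""
    good, errors = edit_run(batch, master)
    batch_total = sum(t["amount"] for t in batch)
    return {"new_master": update_run(master, sort_run(good)),
            "errors": errors,
            "missing_docs": missing_documents(batch),
            # Control figure: what arrived must equal what the department says it sent.
            "control_ok": abs(batch_total - control_total) < 0.005}
```

A mismatch in control_ok means a record was lost or altered between the department and the computer centre; the error file and the missing-document list are what the clerk follows up on.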
Block Codes
    • Represent whole classes by assigning each class a specific range within the coding scheme used for the chart of accounts
        o The basis of the general ledger
    • Allows for the easy insertion of new codes within a block
        o Don’t have to reorganize the coding structure
    • Disadvantage:
        o arbitrary information

Group Codes
    • Represent complex items or events involving two or more pieces of data using fields with specific meaning
    • For example, a coding scheme for tracking sales might be 04-09-476214-99, meaning:
        04 – Store number
        09 – Dept number
        476214 – Item number
        99 – Sales person
    • Disadvantages:
        o arbitrary information
        o overused

Alphabetic Codes
    • Used for many of the same purposes as numeric codes
    • Can be assigned sequentially or used in block and group coding techniques
    • May be used to represent large numbers of items
        o Can represent up to 26 variations per field
    • Disadvantage:
        o arbitrary information

Mnemonic Codes
    • Alphabetic characters used as abbreviations, acronyms, and other types of combinations
    • Do not require users to memorize the meaning since the code itself is informative – and not arbitrary
        o NY = New York
    • Disadvantages:
        o limited usability and availability

IS Function of GLS
General ledger systems should:
    • collect transaction data promptly and accurately
    • classify/code data and accounts
    • validate collected transactions / maintain accounting controls (e.g., equal debits and credits)
    • process transaction data
        o post transactions to proper accounts
        o update general ledger accounts and transaction files
        o record adjustments to accounts
    • store transaction data
    • generate timely financial reports

GLS Database
General ledger master file
    • principal FRS file based on chart of accounts
General ledger history file
    • used for comparative financial support
Journal voucher file
    • all journal vouchers of the current period
Journal voucher history file
    • journal vouchers of past periods for audit trail
Responsibility center file
    • financial data by responsibility centers for MRS
Budget master file
    • budget data by responsibility centers for MRS

GLS Reports
General ledger analysis:
    • listing of transactions
    • allocation of expenses to cost centers
    • comparison of account balances from prior periods
    • trial balances
Financial statements:
    • balance sheet
    • income statement
    • statement of cash flows
Managerial reports:
    • analysis of sales
    • analysis of cash
    • analysis of receivables
Chart of accounts: coded listing of accounts

Potential Risks in the GL/FRS
    • Improperly prepared journal entries
    • Unposted journal entries
    • Debits not equal to credits
    • Subsidiary not equal to G/L control accounts
    • Inappropriate access to the G/L
    • Poor audit trail
    • Lost or damaged data
    • Account balances that are wrong because of unauthorized or incorrect journal vouchers
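The GL controls named above (validate equal debits and credits, post only authorized journal vouchers, flag unposted entries, keep the subsidiary ledger equal to the G/L control account) on a block-coded chart of accounts from the Block Codes section, as an added example that is not from the notes; the blocks, account numbers, names and vouchers are constructed:

```python
"""Journal-voucher controls for a GL/FRS on a block-coded chart of accounts:
block membership, authorization, equal debits and credits, unposted entries and
subsidiary-to-control reconciliation. Added example, not from the notes; the
blocks, account numbers and vouchers are constructed."""
from collections import defaultdict

# Constructed block codes: each account class owns a range of the chart of accounts.
BLOCKS = {"asset": (100, 199), "liability": (200, 299), "equity": (300, 399),
          "revenue": (400, 499), "expense": (500, 599)}
CHART = {110: "Cash", 120: "Accounts Receivable (control)", 400: "Sales", 510: "Wages"}
AR_CONTROL = 120   # G/L control account backed by the AR subsidiary ledger

def block_of(code):
    """Return the class whose block contains this account number (None if none)."""
    for cls, (lo, hi) in BLOCKS.items():
        if lo <= code <= hi:
            return cls
    return None

def add_account(code, name, cls):
    """Insert a new account without reorganizing the scheme, provided the code
    lies inside the block reserved for its class."""
    if block_of(code) != cls:
        raise ValueError(f"{code} is not inside the {cls} block")
    CHART[code] = name

def check_voucher(jv):
    """Return the control findings for one journal voucher (empty list = passes).
    Lines are (account, debit, credit) tuples."""
    findings = []
    if not jv.get("authorized_by"):
        findings.append("not authorized by a manager at the source department")
    debits = sum(dr for _, dr, _ in jv["lines"])
    credits = sum(cr for _, _, cr in jv["lines"])
    if abs(debits - credits) > 0.005:
        findings.append(f"debits {debits:.2f} do not equal credits {credits:.2f}")
    for acct, _, _ in jv["lines"]:
        if acct not in CHART:
            findings.append(f"account {acct} is not in the chart of accounts")
    return findings

def post_vouchers(vouchers):
    """Post only vouchers that pass every check; report the rest as unposted."""
    gl, unposted = defaultdict(float), {}
    for jv in vouchers:
        findings = check_voucher(jv)
        if findings:
            unposted[jv["id"]] = findings   # an unposted entry is itself a GL/FRS risk
            continue
        for acct, dr, cr in jv["lines"]:
            gl[acct] += dr - cr             # balances kept debit-positive
    return dict(gl), unposted

def reconcile_ar(gl, subsidiary):
    """Independent verification: the AR subsidiary ledger must equal the G/L control."""
    sub_total = sum(subsidiary.values())
    return abs(gl.get(AR_CONTROL, 0.0) - sub_total) < 0.005, sub_total

# Constructed journal vouchers for the period.
VOUCHERS = [
    {"id": "JV1", "authorized_by": "M. Cruz", "lines": [(120, 1000.0, 0.0), (400, 0.0, 1000.0)]},
    {"id": "JV2", "authorized_by": "M. Cruz", "lines": [(510, 300.0, 0.0), (110, 0.0, 300.0)]},
    {"id": "JV3", "authorized_by": "", "lines": [(110, 500.0, 0.0), (120, 0.0, 500.0)]},  # unauthorized
    {"id": "JV4", "authorized_by": "M. Cruz", "lines": [(650, 250.0, 0.0), (110, 0.0, 200.0)]},  # unbalanced, bad account
]
```

The unposted dictionary doubles as the journal voucher listing the G/L department reviews; an entry in it is a finding, not something to post by hand.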
GL/FRS Control Issues
Transaction authorization - journal vouchers must be authorized by a manager at the source dept
Segregation of duties – G/L clerks should not:
    • have recordkeeping responsibility for special journals or subsidiary ledgers
    • prepare journal vouchers
    • have custody of physical assets
Access controls:
    • Unauthorized access to G/L can result in errors, fraud, and misrepresentations in financial statements.
    • Sarbanes-Oxley requires controls that limit database access to only authorized individuals.
Accounting records - trace source documents from inception to financial statements and vice versa
Independent Verification:
    • G/L dept. reconciles journal vouchers and summaries.
Two important operational reports used:
    • journal voucher listing – details of each journal voucher posted to the G/L
    • general ledger change report – the effects of journal voucher postings on G/L accounts

GL/FRS Using Database Technology
Advantages:
    • immediate update and reconciliation
    • timely, if not real-time, information
Removes separation of transaction authorization and processing
    • Detailed journal voucher listing and account activity reports are a compensating control
Centralized access to accounting records
    • Passwords and authorization tables as controls

HTML: Hypertext Markup Language
Format used to produce webpages
    • defines the page layout, fonts, and graphic elements
    • used to lay out information for display in an appealing manner like one sees in magazines and newspapers
    • using both text and graphics (including pictures) appeals to users
Hypertext links to other documents on the Web
    • Even more pertinent is HTML’s support for hypertext links in text and graphics that enable the reader to ‘jump’ to another document located anywhere on the World Wide Web.

XML: eXtensible Markup Language
XML is a meta-language for describing markup languages. Extensible means that any markup language can be created using XML.
    • includes the creation of markup languages capable of storing data in relational form, where tags (formatting commands) are mapped to data values
    • can be used to model the data structure of an organization’s internal database

XBRL: eXtensible Business Reporting Language
    • XBRL is an XML-based language for standardizing methods for preparing, publishing, and exchanging financial information, e.g., financial statements.
    • XBRL taxonomies are classification schemes.

Implications for Accounting
Audit implications for XBRL
    • taxonomy creation: incorrect taxonomy results in invalid mapping that may cause material misrepresentation of financial data
    • validation of instance documents: ensure that appropriate taxonomy and tags have been applied
    • audit scope and timeframe: impact on auditor responsibility as a consequence of real-time distribution of financial statements
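Validation of an instance document against its taxonomy, the second audit implication above, as an added example that is not from the notes; the taxonomy, the fin namespace and concept names, the calculation rule and the instance document are constructed and simplified (only the xbrli namespace string is the real one):

```python
"""Checking an XBRL-style instance document against its taxonomy: unknown tags,
undefined contexts, wrong period type, and a calculation relationship. Added
example, not from the notes; the taxonomy is a constructed, simplified stand-in
(real ones carry labels and linkbases) and the instance document is made up."""
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"   # XBRL instance namespace
FIN = "urn:example:fin"                        # hypothetical company taxonomy namespace

# Constructed taxonomy: concept -> (period type, balance type).
TAXONOMY = {"Assets": ("instant", "debit"), "Liabilities": ("instant", "credit"),
            "Equity": ("instant", "credit"), "Revenue": ("duration", "credit")}
# Constructed calculation rule standing in for a calculation linkbase: total = sum(parts).
CALC_RULES = [("Assets", ["Liabilities", "Equity"])]

# Constructed instance document (contexts simplified; real ones also name an entity).
INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:fin="{FIN}">
  <xbrli:context id="I2023"><xbrli:period><xbrli:instant>2023-12-31</xbrli:instant></xbrli:period></xbrli:context>
  <xbrli:context id="D2023"><xbrli:period><xbrli:startDate>2023-01-01</xbrli:startDate>
    <xbrli:endDate>2023-12-31</xbrli:endDate></xbrli:period></xbrli:context>
  <fin:Assets contextRef="I2023">1500</fin:Assets>
  <fin:Liabilities contextRef="I2023">900</fin:Liabilities>
  <fin:Equity contextRef="I2023">500</fin:Equity>
  <fin:Revenue contextRef="I2023">700</fin:Revenue>
  <fin:NetIncom contextRef="D2023">120</fin:NetIncom>
</xbrli:xbrl>"""

def validate(xml_text):
    """Return a list of findings; an empty list means the instance passed."""
    root = ET.fromstring(xml_text)
    findings, values, contexts = [], {}, {}
    for ctx in root.findall(f"{{{XBRLI}}}context"):       # period type of each context
        period = ctx.find(f"{{{XBRLI}}}period")
        instant = period is not None and period.find(f"{{{XBRLI}}}instant") is not None
        contexts[ctx.get("id")] = "instant" if instant else "duration"
    for fact in root:
        ns, _, name = fact.tag[1:].partition("}")        # '{ns}name' -> ns, name
        if ns == XBRLI:
            continue                                      # contexts and units, not facts
        ctx = fact.get("contextRef")
        if name not in TAXONOMY:
            findings.append(f"{name}: tag is not in the taxonomy (invalid mapping)")
            continue
        if ctx not in contexts:
            findings.append(f"{name}: contextRef {ctx!r} is not defined")
            continue
        expected = TAXONOMY[name][0]
        if contexts[ctx] != expected:
            findings.append(f"{name}: context {ctx} is {contexts[ctx]}, taxonomy requires {expected}")
        values[(name, ctx)] = float(fact.text)
    for ctx in contexts:                                  # calculation check per context
        for total, parts in CALC_RULES:
            keys = [(p, ctx) for p in parts]
            if (total, ctx) in values and all(k in values for k in keys):
                part_sum = sum(values[k] for k in keys)
                if abs(values[(total, ctx)] - part_sum) > 0.005:
                    findings.append(f"{total} {values[(total, ctx)]:.0f} != "
                                    f"{' + '.join(parts)} {part_sum:.0f} in context {ctx}")
    return findings
```

On the constructed instance the checker reports a misspelled tag (NetIncom), a revenue fact tagged with an instant context, and a balance sheet that does not foot; each is the kind of invalid mapping the taxonomy-creation bullet warns about.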