
Lecture Accounting information systems: Chapter 12 - Richardson, Chang, Smith


Chapter 12
Monitoring and Auditing AIS

Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.


Learning Objectives

LO#1 Understand the risks involved with computer hardware and software.
LO#2 Understand and apply computer-assisted audit techniques.
LO#3 Explain continuous auditing in AIS.

12-2


LO# 1

Computer Hardware and Software

--Operating System (OS) (the most important system software)
--Database Systems
--Local Area Networks (LANs)
--Wide Area Networks (WANs)
--Virtual Private Networks (VPNs)
--Wireless Networks
--Remote Access

12-3



LO# 1

Operating System (OS)

--To ensure the integrity of the system
--To control the flow of multiprogramming and the scheduling of tasks in the computer
--To allocate computer resources to users and applications
--To manage the interfaces with the computer

12-4


LO# 1

Operating System (OS) (Contd.)

Five fundamental control objectives:
--Protect itself from users
--Protect users from each other
--Protect users from themselves
--Be protected from itself
--Be protected from its environment

Operating system security should be included as part of IT governance in establishing proper policies and procedures for IT controls.

12-5


LO# 1

Database Systems

--A database is a shared collection of logically related data which meets the information needs of a firm.
--A data warehouse is a centralized collection of firm-wide data covering a relatively long period of time.
--Operational databases are for daily operations and often include data for the current fiscal year only.

12-6


LO# 1

LANs

--A local area network (LAN): a group of computers, printers, and other devices connected to the same network that covers a limited geographic range.
--LAN devices include hubs and switches.
  --hubs (broadcast through multiple ports)
  --switches (provide a path for each pair of connections)

12-7



LO# 1

WANs

Wide area networks (WANs) link different sites together, transmit information across geographic distances, and cover a broad geographic area.
--to provide remote access to employees or customers
--to link two or more sites within the firm
--to provide corporate access to the Internet

routers and firewalls

12-8


LO# 1

WANs (Contd.)

--Routers: connect different LANs; software-based intelligent devices that examine the Internet Protocol (IP) address
--Firewalls: a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet.
--Virtual Private Network (VPN)

12-9


LO# 1

Wireless Networks

--A wireless network is comprised of two fundamental architectural components: access points and stations.
--An access point logically connects stations to a firm's network.
--A station is a wireless endpoint device equipped with a wireless Network Interface Card (NIC).

12-10


LO# 1

Wireless Networks (Contd.)

Benefits of using wireless technology:
--Mobility
--Rapid deployment
--Flexibility and Scalability

Security considerations and threats:
--Confidentiality
--Integrity
--Availability
--Access Control
--Eavesdropping
--Man-in-the-Middle
--Masquerading
--Message Modification
--Misappropriation
--Rogue Access Point
--Message Replay
--Traffic Analysis

12-11


LO# 1

Security Controls in Wireless Networks

--Management Controls--management of risk and information system security
--Operational Controls--protecting a firm's premises and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third-party users
--Technical Controls--primarily implemented and executed through mechanisms contained in computing-related equipment

12-12


LO# 2

Computer-assisted Audit Techniques (CAATs)

--CAATs are imperative tools for auditors to conduct an audit in accordance with heightened auditing standards.
--Generally Accepted Auditing Standards (GAAS) are broad guidelines regarding an auditor's professional responsibilities.
--Information Systems Auditing Standards (ISASs) provide guidelines for conducting an IS/IT audit (issued by ISACA).
--According to the Institute of Internal Auditors' (IIA) professional practice standard section

12-13


LO# 2

Use CAATs in Auditing Systems

--Test of details of transactions and balances
--Analytical review procedures
--Compliance tests of IT general and application controls
--Operating system and network vulnerability assessments
--Application security testing and source code security scans
--Penetration Testing

Two approaches:

12-14


LO# 2

Auditing around the computer (the black-box approach)

--First, calculating expected results from the transactions entered into the system
--Then, comparing these calculations to the processing or output results

The advantage of this approach is that the systems will not be interrupted for auditing purposes. The black-box approach could be adequate when automated systems applications are relatively simple.

12-15


LO# 2

Auditing through the computer (the white-box approach)

--The white-box approach requires auditors to understand the internal logic of the system/application being tested.
--The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module.

12-16
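The black-box recalculation on the previous slide and the parallel simulation technique listed above both come down to the same mechanics: the auditor independently reprocesses the input transactions, then reconciles the expected results against what the system reported. The script below is an added illustration, not material from the textbook or the lecture; the invoice lines and system totals are constructed sample data, and the tolerance of one cent is an assumed materiality threshold.

```python
from decimal import Decimal

# Constructed sample input: invoice lines as entered into the AIS
# (invoice id, customer, quantity, unit price)
INPUT_LINES = [
    ("INV-1001", "C-01", 3, Decimal("19.99")),
    ("INV-1001", "C-01", 1, Decimal("5.00")),
    ("INV-1002", "C-02", 10, Decimal("2.50")),
    ("INV-1003", "C-01", 2, Decimal("100.00")),
]

# Constructed sample output: invoice totals as reported by the system.
# INV-1002 is overstated and INV-1004 has no corresponding input lines.
SYSTEM_OUTPUT = {
    "INV-1001": ("C-01", Decimal("64.97")),
    "INV-1002": ("C-02", Decimal("35.00")),
    "INV-1003": ("C-01", Decimal("200.00")),
    "INV-1004": ("C-03", Decimal("42.00")),
}

def recompute_totals(lines):
    """Auditor's independent reprocessing (parallel simulation):
    derive the expected total per invoice from the input lines only."""
    totals = {}
    for inv, cust, qty, price in lines:
        totals.setdefault(inv, [cust, Decimal("0")])[1] += Decimal(qty) * price
    return {inv: (cust, total) for inv, (cust, total) in totals.items()}

def reconcile(expected, reported, tolerance=Decimal("0.01")):
    """Compare expected results with system output; each discrepancy
    becomes an audit exception for follow-up. Returns a sorted list of
    (invoice, reason, detail) tuples."""
    exceptions = []
    for inv in sorted(set(expected) | set(reported)):
        exp, rep = expected.get(inv), reported.get(inv)
        if exp is None:
            exceptions.append((inv, "in output but has no input transactions", rep[1]))
        elif rep is None:
            exceptions.append((inv, "entered but absent from system output", exp[1]))
        elif exp[0] != rep[0]:
            exceptions.append((inv, "posted to a different customer", rep[0]))
        elif abs(exp[1] - rep[1]) > tolerance:
            exceptions.append((inv, "total differs from recalculation", rep[1] - exp[1]))
    return exceptions

if __name__ == "__main__":
    for exc in reconcile(recompute_totals(INPUT_LINES), SYSTEM_OUTPUT):
        print(exc)
```

Because the auditor's program never touches the production system, the approach carries the black-box advantage noted above: processing is not interrupted, and the exception list is the audit evidence.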


LO# 2

Generalized Audit Software (GAS)

--Frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis.
--Directly reads and accesses data from various database platforms.
--Provides auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files.
  --Audit Control Language (ACL)
  --Interactive Data Extraction and Analysis

12-17

LO# 3


Continuous Audit

12-18


LO# 3

Fraud Schemes and Corresponding
Proposed Alarms under Continuous
Audits

12-19


LO# 3

Implementation of Continuous Auditing

--Extensible Markup Language (XML)
--Extensible Business Reporting Language (XBRL)
--Database management systems
--Transaction logging and query tools
--Data warehouses
--Data mining or computer-assisted audit techniques (CAATs)

12-20


LO# 3

Implementation of Continuous Auditing (Contd.)

--Non-technical barriers and technical challenges exist.
--A general template that a steering team or the internal audit function can use:
  --Evaluate the overall benefit and cost
  --Develop a strategy
  --Plan and design how to implement continuous auditing
  --Implement continuous auditing

12-21