Auditing and EDP CH - 1

Auditing handout

Uploaded by

abebeMBA

College of Finance, Management and Development

Department of Public Financial Management and Accounting

Advanced Auditing and EDP (ACFN6111)

By Enyew A. (PhD)
Course contents

- Chapter One: Introduction to EDP Auditing
- Chapter Two: International Auditing Standards
- Chapter Three: Performance Audit
- Chapter Four: Consideration of Internal Control in an IT Environment
- Chapter Five: Auditing IT Governance Controls
- Chapter Six: Auditing Operating Systems and Networks
- Chapter Seven: Auditing Database Systems
- Chapter Eight: Auditing the Revenue Cycle
- Chapter Nine: Auditing the Expenditure Cycle
Module delivery methods

- Lecture: face to face (probably via Zoom)
- Case analysis
- Reflective activity
- Jigsaw
- Article review
- Question and answer
Assessment

- Individual assignment: 20%
- Group assignment: 20%
- Test: 20%
- Final exam: 40%
- Total: 100%
Chapter One: Introduction to EDP Auditing

After studying this chapter, you should be able to:
- Define auditing and its characteristics
- Explain the ethical principles governing the auditor's professional responsibilities
- Explain the types of audit and auditor
- Discuss the generally accepted auditing standards
- Explain the need for and scope of an EDP audit
- Identify and explain the objectives and control devices of IT control
- Explain the objectives of systems development audits
Definition of Auditing

- Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.
- Auditing typically refers to financial statement audits: an objective examination and evaluation of a company's financial statements, usually performed by an external third party.
Features or Characteristics of Auditing

- Systematic approach: auditing is purposeful and logical, performed according to prescribed methods.
- Obtaining and evaluating evidence: persuasive audit evidence is required in auditing. Auditors also audit more subjective information, such as the effectiveness of computer systems and the efficiency of manufacturing operations.
- Assertions about economic actions and events: in any audit engagement, an auditor is given financial statements and other disclosures by management.
- Ascertaining the degree of correspondence between the assertions and established criteria: typically, auditors and the entities being audited agree on the criteria well before the audit starts.
- Established criteria: the criteria for evaluating information are either GAAP or IFRS.
- Communicating the results: auditors ultimately communicate their findings to interested users through their final audit report.
- Auditors' independence: auditing is carried out by a competent and independent person.
- True and fair: the phrase 'true and fair' in the auditors' report signifies that the auditor is required to express whether the state of affairs and the results of the entity, as ascertained in the course of the audit, are truly and fairly represented in the accounts under audit.
- Evidence is any information used by the auditor to determine whether the information being audited is stated in accordance with the established criteria.
- Evidence takes many different forms, including:
  - Electronic and documentary data about transactions
  - Written and electronic communication with outsiders
  - Observations by the auditor
  - Oral testimony of the auditee

- To satisfy the purpose of the audit:
  - Auditors must obtain a sufficient quality and volume of evidence.
  - Auditors must determine the types and amount of evidence necessary and evaluate whether the information corresponds to the established criteria.
Auditing Principles

- The auditor should comply with the Code of Ethics for Members issued by the International Federation of Accountants.
- The ethical principles governing the auditor's professional responsibilities are:
  - Independence: freedom from conditions that threaten the ability of the audit activity.
  - Integrity: fair dealing and truthfulness.
  - Objectivity: an impartial, unbiased attitude and avoidance of any conflict of interest.
  - Professional competence and due care: possess the knowledge and skills, and apply the due care, needed to perform their individual responsibilities.
  - Confidentiality: clients expect their business affairs to be kept confidential by their auditors.
  - Professional behavior: auditors should behave with courtesy and consideration towards all with whom they come into contact during the course of performing their work.
  - Technical standards: carry out professional work with proper regard for the technical and professional standards expected of them.
Auditing Standards

- Auditing standards are general guidelines to aid auditors in fulfilling their professional responsibilities in the audit of historical financial statements.
- The broadest guidelines available to auditors are the 10 GAAS, which were developed by the AICPA.
- The 10 GAAS fall into three categories:
  - General standards
  - Standards of field work
  - Reporting standards
- The general standards stress the important personal qualities that the auditor should possess.
- The standards of field work concern evidence accumulation and other activities during the actual conduct of the audit.
- The reporting standards require the auditor to prepare a report on the financial statements taken as a whole, including informative disclosures.
Types of audits

- Auditors perform different types of audits. Mainly there are four types:
  1. External (financial statement) audit
  2. Operational/performance audit
  3. Compliance audit
  4. Forensic audit
Financial Statement Audit

- This type of audit is conducted to determine whether the overall financial statements, such as the income statement, balance sheet, statement of retained earnings and cash flow statement, are stated in conformity with generally accepted accounting principles.
- The assumption underlying an audit of financial statements is that different groups will use these statements for different purposes.
- Therefore, the contribution of an independent auditor is to give credibility to the financial statements.
- Credibility means that the financial statements can be believed; that is, they can be relied upon by outsiders.
Performance Auditing

- Performance auditing is an independent and objective examination of an organization's systems and programs with regard to one or more of three aspects, economy, efficiency and effectiveness, aiming to lead to improvements:
  - The economy of activities in accordance with sound administrative principles and practices, and management policies;
  - The efficiency of utilization of human, financial and other resources;
  - The effectiveness of performance in relation to the achievement of the objectives of the audited entity.
Compliance Audit

- This type of audit helps to determine whether the auditee is following specific procedures or rules set out by some higher authority such as management, the government or the board of directors.
- The performance of a compliance audit depends on the existence of verifiable data and of recognized criteria or standards established by an authoritative body.
- A familiar example is the audit of an income tax return by an auditor of the Inland Revenue Authority (IRA).
Forensic audit

- A forensic audit's purpose is the detection of a wide variety of fraudulent activities. Some examples where a forensic audit might be conducted include:
  - Business or employee fraud
  - Criminal investigations
  - Shareholder and partner disputes
  - Business economic losses
  - Matrimonial disputes
Reflective Activity, 5 minutes

- List and discuss the types of auditors.
EDP Auditing

- An EDP system manages the daily business transactions and strategic accounting records in order to meet the challenge of fierce international competition.
- An EDP audit focuses on the computer-based aspects of an organization's information system; modern systems employ significant levels of technology. For example:
  - Transaction processing is automated and performed in large part by computer programs.
  - Source documents, journals, and ledgers that traditionally were paper-based are now digitized and stored in relational databases.
- EDP auditor:
  - An accountant with a computer systems major, or a CPA (Certified Public Accountant)
  - CISA (Certified Information Systems Auditor)
  - CISM (Certified Information Systems Manager)
  - Networking, hardware, software, information assurance, cryptography
  - Someone who knows everything an accountant does plus everything a BS/MS in computer systems and computer security does: not likely to exist
EDP Audit Scope

- The scope of an EDP audit often varies, but can involve any combination of the following:
  - Organizational: examines the management control over IT and related programs, policies, and processes
  - Compliance: pertains to ensuring that specific guidelines, laws, or requirements have been met
  - Application: involves the applications that are strategic to the organization, for example those typically used by finance and operations
  - Technical: examines the IT infrastructure and data communications
- An EDP audit addresses the risk exposures within IT systems and assesses the controls and integrity of information systems.
- Questions an EDP audit addresses:
  - Are passwords difficult to crack?
  - Are there access control lists in place on network devices to control who has access to shared data?
  - Are there audit logs to record who accesses data?
  - Are the audit logs reviewed?
  - Are the security settings for operating systems in accordance with accepted industry practices?
  - Have all unnecessary applications and computer services been eliminated for each system?
  - Are the operating systems and commercial applications patched to current levels?
  - How is backup media stored? Who has access to it? Is it up to date?
  - Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed it?
  - Have custom-built applications been written with security in mind?
  - How have these custom applications been tested for security flaws?
  - How are configuration and code changes documented at every level? How are these records reviewed, and who conducts the review?
IT controls

- IT controls are designed to ensure that the controls are sufficient to:
  - Prevent fraud, misuse, and/or loss of financial data/transactions,
  - Enable speedy detection if and when such problems occur, and
  - Promote effective action
- There are two broad groupings of IT controls:
  1. Application controls, and
  2. General controls
IT controls: Application controls

- The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions. These controls are designed to be application-specific.
- Applicable or key controls are the controls that are fundamental to ensuring that the values on the balance sheet are accurate and reliable.
- All monetary transactions must be initiated, authorized, implemented, documented, controlled, reported, and validated using key controls.
Examples of Applicable controls

- A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
- An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
- A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.
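The three application controls above, implemented as added example code that is not part of the handout. The Luhn mod-10 check-digit scheme, the 60-hour normal limit and all sample records are assumptions constructed for the demonstration.

```python
from decimal import Decimal

# 1. Cash disbursements batch balancing -----------------------------------
def batch_balances(payments, ap_postings):
    """Return (balanced?, difference). Decimal avoids float rounding noise
    that would raise false exceptions on a large batch."""
    paid = sum(Decimal(p["amount"]) for p in payments)
    posted = sum(Decimal(p["amount"]) for p in ap_postings)
    return paid == posted, paid - posted

# 2. Accounts receivable check digit ---------------------------------------
def luhn_valid(account_no):
    """Validate an account number whose last digit is a Luhn (mod-10) check
    digit; this catches any single mistyped digit and most transpositions."""
    if not account_no.isdigit() or len(account_no) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(account_no)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def invalid_accounts(sales):
    """Sales transactions whose customer account number fails the check."""
    return [s for s in sales if not luhn_valid(s["account"])]

# 3. Payroll limit check ---------------------------------------------------
def over_limit(timecards, normal_limit=60):
    """Flag time card records reporting more hours than the normal limit."""
    return [t for t in timecards if t["hours"] > normal_limit]

# Constructed sample data (not from the handout)
PAYMENTS = [{"vendor": "V1", "amount": "1250.00"},
            {"vendor": "V2", "amount": "99.10"}]
AP_POSTINGS = [{"vendor": "V1", "amount": "1250.00"},
               {"vendor": "V2", "amount": "99.01"}]   # cents transposed
SALES = [{"account": "79927398713", "qty": 3},     # valid check digit
         {"account": "79927398717", "qty": 1}]     # last digit mistyped
TIMECARDS = [{"emp": "E1", "hours": 40}, {"emp": "E2", "hours": 72}]

if __name__ == "__main__":
    print("batch balanced:", batch_balances(PAYMENTS, AP_POSTINGS))
    print("bad accounts:", invalid_accounts(SALES))
    print("over limit:", over_limit(TIMECARDS))
```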
IT controls: General Controls

- The general controls are so named because they are not application-specific but, rather, apply to all systems.
- General controls have other names in other frameworks, including general computer controls and information technology controls.
- Whatever name is used, they include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures.
General controls (GC) include:

- Operating system controls
- Data management controls
- Organizational structure controls
- Systems development controls
- Systems maintenance controls
- Computer center security and control
- Internet and intranet controls
- Electronic data interchange (EDI) controls
- Personal computer controls
GC: Operating system controls

- Operating system objective: verify that the security policy and control procedures are rigorous enough to protect the operating system against:
  - Hardware failure
  - Software errors
  - Destructive acts by employees or hackers
  - Virus infection
- Access controls:
  - Privilege controls
  - Password control
  - Virus control
  - Fault tolerance control
GC: Data management controls

- Data management objective: protect against unauthorized access to or destruction of data, and against inadequate data backup.
- Controls:
  - Access: encryption, user authorization tables, inference controls and biometric devices are a few examples
  - Backup: grandfather-father-son and direct access backup; recovery procedures
GC: Organizational structure controls

- Organizational structure objectives:
  - Determine whether incompatible functions have been identified and segregated in accordance with the level of potential exposure
  - Determine whether segregation is sustained through a working environment that promotes formal relationships between incompatible tasks
- Controls:
  - Review organizational and systems documentation, observe behavior, and review database authority tables
GC: Systems Development Control

- Systems development objectives: ensure that...
  - SDLC activities are applied consistently and in accordance with management's policies
  - The system as originally implemented was free from material errors and fraud
  - The system was judged to be necessary and justified at various checkpoints throughout the SDLC
  - System documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
- Controls:
  - Systems authorization techniques
  - Good development procedures
  - Internal audit team participation
  - Appropriate testing of the system
GC: Systems maintenance control

- Systems maintenance objectives: detect unauthorized program maintenance and determine that...
  - Maintenance procedures protect applications from unauthorized changes
  - Applications are free from material errors
  - Program libraries are protected from unauthorized access
- Controls:
  - Authorization requirements for program maintenance
  - Appropriate documentation of changes
  - Adequate testing of program changes
  - Reconciling program version numbers
  - Review of the programmer authority table
  - Test of the authority table
GC: Computer center security and control

- Computer center objectives: assure that...
  - Physical security controls adequately protect the organization from physical exposures.
  - Insurance coverage on equipment is adequate to compensate for destruction and damage.
  - Operator documentation is adequate to deal with routine operations as well as system failures.
  - The disaster recovery plan is adequate and feasible.
- Controls:
  - Well-planned physical layout
  - Backup and disaster recovery planning
  - Review of the critical application list
GC: Internet & Intranet Control

- Internet and intranet objectives: assure that communication controls...
  - Can detect and correct message loss due to equipment failure
  - Can prevent and detect illegal access both internally and from the Internet
  - Make useless any data that are successfully captured by a perpetrator
  - Are sufficient to preserve the integrity and security of data connected to the network
- Controls:
  - Equipment failure: line checks (parity and echo), and backups
  - Subversive threats: access controls, encryption of data, and firewalls
  - Message control: sequence numbering, authentication, transaction logs, request-response polling
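The message controls listed above (sequence numbering, authentication, a transaction log, and a retransmission request standing in for request-response polling) as a sender/receiver pair, added here as example code that is not from the handout. The shared key, the JSON message format and the sample traffic are constructed assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: shared secret agreed out of band


def make_message(seq, body, key=KEY):
    """Sender: number the message and tag (seq, body) with HMAC-SHA256 so that
    a perpetrator who captures or alters traffic cannot get a message accepted."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver: authenticate first, then check the sequence, logging each outcome."""

    def __init__(self, key=KEY):
        self.key = key
        self.expected = 1     # next sequence number we should see
        self.log = []         # transaction log kept for later review
        self.retransmit = []  # sequence numbers to request again from the sender

    def accept(self, msg):
        payload = msg["payload"]
        want = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, msg.get("tag", "")):
            self.log.append(("REJECT_AUTH", None))
            return "REJECT_AUTH"       # forged or altered in transit
        seq = json.loads(payload)["seq"]
        if seq < self.expected:
            self.log.append(("REJECT_REPLAY", seq))
            return "REJECT_REPLAY"     # duplicate delivery or replay
        status = "OK"
        if seq > self.expected:
            missing = list(range(self.expected, seq))
            self.retransmit.extend(missing)  # ask the sender for the gap
            self.log.append(("GAP", missing))
            status = "GAP"
        self.expected = seq + 1
        self.log.append(("ACCEPT", seq))
        return status


def demo():
    """Constructed traffic: one message lost, one tampered with, one replayed."""
    rx = Receiver()
    m1, m2, m3, m4 = (make_message(i, f"payment {i}") for i in range(1, 5))
    results = [rx.accept(m1), rx.accept(m2), rx.accept(m4)]  # m3 never arrives
    forged = dict(m4, payload=m4["payload"].replace("payment 4", "payment 9"))
    results.append(rx.accept(forged))   # altered body, old tag
    results.append(rx.accept(m2))       # replay of an already accepted message
    return results, rx.retransmit


if __name__ == "__main__":
    print(demo())  # (['OK', 'OK', 'GAP', 'REJECT_AUTH', 'REJECT_REPLAY'], [3])
```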
GC: EDI Control

- EDI objectives: assure that...
  - Transactions are authorized, validated, and in compliance with organizational policy
  - No unauthorized organizations gain access to database records
  - Authorized trading partners have access only to approved data
  - Adequate controls are in place to ensure complete EDI transactions
Systems Development Audits

- Systems development is responsible for analyzing user needs and for designing new systems to satisfy those needs.
- The participants in system development activities include systems professionals, end users, and stakeholders.
- Systems professionals include systems analysts, database designers, and programmers who design and build the system. They gather facts about the user's problem, analyze the facts, and formulate a solution.
- End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
- Stakeholders are individuals inside or outside the firm who have an interest in the system but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
Audit Objectives related to Systems Development

- Verify that SDLC activities are applied consistently and in accordance with management's policies.
- Determine that the system as originally implemented was free from material errors and fraud.
- Confirm that the system was judged to be necessary and justified at various checkpoints throughout the SDLC.
- Verify that system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
- Select a sample of completed projects and review the documentation for evidence of compliance with policies.
- Specific points for review should include determining that:
  - User and computer services management properly authorized the project.
  - A preliminary feasibility study showed that the project had merit.
  - A detailed analysis of user needs was conducted that resulted in alternative general designs.
  - A cost-benefit analysis was conducted.
  - The project's documentation shows that the detailed design was an appropriate and accurate solution to the user's problem.
  - Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation.
  - There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
  - Systems documentation complies with organizational requirements and standards.
The End!

Thank you!
