AFM341 Lecture Notes - Lecture 14: Financial Audit, Regulatory Compliance, Internal Audit

Department: Accounting & Financial Management
Course Code: AFM341
Professor: Alec Cram
Lecture: 14

Class 14: IT Audits
Last Class Recap
The concept of risk considers the possibility that an event will occur and adversely impact the achievement of strategic, operations, reporting, or compliance objectives.
Risks can be managed through an ongoing process of frame, assess, monitor, and respond.
Considering the likelihood and impact of risks can be helpful during assessment.
IT controls can be categorized in a variety of ways, including GCC/BCC, implemented/operating, and preventive/detective.
Class Take-aways
External, internal, and 3rd party IT audits provide differing forms of assurance over organizational IT use.
IT audits are intertwined with financial statement audits; at least some procedures are necessary in all but the smallest organizations.
Among the many benefits of CAATs is the ability to analyze the full population of the data, rather than only a sample.
Auditing
Auditing is the process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.
A risk-based audit approach consists of:
Determine the threats (fraud and errors) facing the company
Identify control procedures (prevent, detect, correct the threats)
Evaluate control procedures:
  Review to see if control exists and is in place
  Test controls to see if they work as intended
Determine effect of control weaknesses:
  Compensating controls
What is an IT audit?
An information technology (IT) audit is ‘the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations’.
Results from an IT audit can determine whether an information system safeguards assets, maintains data integrity, achieves organizational goals effectively, and consumes resources efficiently.
Types of IT Audits
External IT Audit: Evaluates the extent that an information system supports the accurate, complete, authorized, and reliable processing of financial transactions
3rd Party IT Audit: Evaluates specific internal IT controls of a service organization for adequacy of design and operation
Internal IT Audit: Evaluates the extent that an information system creates value, performs effectively/efficiently, and satisfies the organization’s risk tolerance
Audit Scope Comparison
Areas of IT Audit
Defining IT Audit Scope
Setting the scope of the IT audit is critical, in terms of framing the IT assets and resources that are within an engagement’s audit universe. This can include:
Interfaces
Applications
Databases
Storage
Operating systems
Hardware
Network
Telecommunications
IT Audit Objectives
Using the risk-based framework for an information systems audit allows the auditor to review and evaluate the internal controls that protect the system to meet each of the following objectives:
Protect overall system security (includes computer equipment, programs, and data)
Program development and acquisition occur under management authorization
Program modifications occur under management authorization
Accurate and complete processing of transactions, records, files, and reports
Prevent, detect, or correct inaccurate or unauthorized source data
Accurate, complete, and confidential data files
1. Overall Information System Security
Threats:
  Theft of hardware
  Damage of hardware (accidental and intentional)
  Loss, theft, or unauthorized access to programs, data, and other system resources
  Unauthorized modification or use of programs and data files
  Loss, theft, or unauthorized disclosure of confidential data
  Interruption of crucial business activities
Controls:
  Information security/protection plan
  Limit physical access to computer equipment
  Limit logical access to the system using authentication and authorization controls
  Data storage and transmission controls
  Virus protection and firewalls
  File backup and recovery procedures
  Fault-tolerant systems design
  Disaster recovery plan
  Preventive maintenance
  Firewalls
  Casualty and business interruption insurance
2. Program Development and Acquisition
Threats
Controls