Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Copyright 2012 by Richard E. Cascarino. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
First Edition: Auditor's Guide to Information Systems Auditing (978-0-470-00989-5). Copyright 2007 John Wiley & Sons, Inc. Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Cascarino, Richard.
Auditors guide to IT auditing / Richard E. Cascarino. 2nd ed.
p. cm. (Wiley corporate F&A series)
Rev. ed. of: Auditor's guide to information systems auditing.
Includes index.
ISBN 978-1-118-14761-0 (hardback); ISBN 978-1-118-22584-4 (ebk);
ISBN 978-1-118-23907-0 (ebk); ISBN 978-1-118-24425-8 (ebk)
1. Electronic data processing--Auditing. I. Cascarino, Richard. Auditor's guide to information systems auditing. II. Title.
QA76.9.A93C37 2012
658.0558--dc23
2011042683
ISBN 978-1-118-14761-0
I wish to take this opportunity to dedicate this book to my wife, Max, who has, over the last 33 years, put up with my bad temper when the computer would not do what I programmed it to do, my ego when it did eventually work, my despair when the system crashed again and again, and my complacency when the problems were solved.
I would also like to thank those who molded my career over the years, particularly Jim Leary for showing me what an IS manager could be and Scotch Duncan Anderson for showing me what an internal auditor should be.
And in grateful thanks to my friend, the late Gene Schultz, who died before being able to review the second edition of this book having given such a sterling review to the first edition. He was an inspiration and will be sadly missed.
Preface
IN TODAY'S BUSINESS ENVIRONMENT, computers are continuing the revolution started in the 1950s. The size and capacity of the equipment grow on an exponential curve, and the accompanying reduction in cost and physical size ensures that organizations take advantage of this to develop more effective and responsive systems, which allow them to seek competitive advantage by interfacing more closely with their customers. This second edition has been brought up to date with the latest information technology (IT) approaches, such as cloud computing, as well as the latest standards and regulations. The section on risk management has been expanded to include the varying risk-analysis techniques available to the IT auditor.
Net technologies such as cloud computing, electronic data interchange (EDI), electronic funds transfers (EFTs), and e-commerce have fundamentally changed the nature of business itself and, as a result, organizations have become more computer dependent. The radical changes to business are matched only by their impact on society.
It has become impossible for today's enterprises of any size and in any market sector to exist without computers to assist with their fundamental business operations. Even the old adage that we can always go back to manual operations is today a fallacy; the nature of today's business environment rules that option out. Even the smallest businesses have found that the advent of personal computers (PCs) with increased capabilities and processing speed, combined with reduced pricing and sophisticated PC software, has revolutionized the concept of what a small business is.
In order for organizations to take full advantage of the new facilities that computers can offer, it is important that their systems can be controlled and are dependable. They require that their auditors confirm that this is the case. The modern auditor therefore requires significantly more knowledge of computers and computer auditing than did auditors of earlier years.
CONTROLS IN MODERN COMPUTER SYSTEMS
The introduction of the computer has brought fundamental changes to the ways organizations process data. Computer systems:
- Are frequently much more complex than manual systems, the larger systems at least requiring a number of highly skilled computer technicians to develop and maintain them.
- Process large volumes of data at high speed, and can transmit data effectively and instantaneously over extreme distances, commonly between continents.
- Hold data in electronic form, which, without the appropriate tools and techniques, is often more complex for the auditor to access than paper records. In addition, modern systems have reduced the volumes of printed outputs by the incorporation of online access and online inquiry facilities. Indeed, many modern EDI-type systems have no paper audit trail whatsoever.
- Process data with much less manual intervention than manual systems. In fact large parts of sophisticated systems now process data with no manual intervention at all. In the past, the main justification for computerization was frequently to reduce the number of staff required to operate the business. With modern decision support and integrated systems, this is becoming a reality not at the clerical level, but at the decision-making and control level. This can have the effect that the fundamental business controls previously relied upon by the auditor, such as segregation of duties or management authorization, may no longer be carried out as previously and must be audited in a different manner. In computer systems, the user profile of the member of staff as defined within the systems access rights will generally control the division of duties while managerial authorities are, in many cases, built into systems themselves.
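When segregation of duties is enforced by the access rights attached to a user profile rather than by a supervisor's signature, the auditor tests it by reading the access-rights data itself. The following is an added illustration, not code from the book, of that approach: a user-to-role export is parsed, each user's effective permissions are derived from a role-to-permission map, and every pair of permissions that a conflict matrix says one person must not hold together is reported, along with the roles that grant it. All role names, transaction codes, users and the conflict matrix are constructed sample data; a real engagement would take the role map and export from the system under review and the conflict matrix from the organization's control design. The check also reports roles that appear in the export but not in the role map, since a permission set the auditor cannot evaluate is an exception in its own right.

```python
"""Segregation-of-duties (SoD) conflict check over a user-to-role export.

Added illustration: all roles, permissions, users and conflicts below are
constructed sample data, not taken from any real system.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role map: which permissions (transaction codes) each role grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"INVOICE_ENTER", "VENDOR_VIEW"},
    "AP_APPROVER": {"PAYMENT_APPROVE", "VENDOR_VIEW"},
    "VENDOR_MASTER": {"VENDOR_CREATE", "VENDOR_CHANGE_BANK"},
    "HR_ADMIN": {"EMPLOYEE_CREATE", "PAYROLL_RUN"},
}

# Constructed conflict matrix: permission pairs one person must not hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"INVOICE_ENTER", "PAYMENT_APPROVE"}),
    frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"}),
    frozenset({"VENDOR_CHANGE_BANK", "PAYMENT_APPROVE"}),
    frozenset({"EMPLOYEE_CREATE", "PAYROLL_RUN"}),
}

# Constructed export in "user,role" form, one assignment per line.
SAMPLE_EXPORT = """\
alice,AP_CLERK
alice,AP_APPROVER
bob,AP_CLERK
carol,VENDOR_MASTER
carol,AP_APPROVER
dave,HR_ADMIN
erin,LEGACY_SUPERUSER
"""


def parse_export(text: str) -> Dict[str, Set[str]]:
    """Collapse 'user,role' lines into user -> set of roles, skipping blanks and comments."""
    users: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (part.strip() for part in line.split(",", 1))
        users.setdefault(user, set()).add(role)
    return users


def granted_by(roles: Set[str], role_permissions: Dict[str, Set[str]]
               ) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Map each permission a user holds to the roles that grant it.

    Roles absent from the role map are returned separately: their content is
    unknown, so they cannot be assessed and must be reported as exceptions.
    """
    perms: Dict[str, Set[str]] = {}
    unknown: Set[str] = set()
    for role in roles:
        if role not in role_permissions:
            unknown.add(role)
            continue
        for perm in role_permissions[role]:
            perms.setdefault(perm, set()).add(role)
    return perms, unknown


def find_sod_violations(user_roles: Dict[str, Set[str]],
                        role_permissions: Dict[str, Set[str]],
                        conflicts: Set[FrozenSet[str]]
                        ) -> Dict[str, List[Tuple[str, str, Set[str]]]]:
    """Return user -> [(perm_a, perm_b, roles_involved)] for each conflicting
    pair the user can execute, whether via one role or a combination of roles."""
    findings: Dict[str, List[Tuple[str, str, Set[str]]]] = {}
    for user, roles in user_roles.items():
        perms, _ = granted_by(roles, role_permissions)
        hits = []
        for pair in conflicts:
            a, b = sorted(pair)
            if a in perms and b in perms:
                hits.append((a, b, perms[a] | perms[b]))
        if hits:
            findings[user] = sorted(hits, key=lambda h: (h[0], h[1]))
    return findings


def unknown_roles(user_roles: Dict[str, Set[str]],
                  role_permissions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return user -> roles from the export that the role map does not define."""
    out: Dict[str, Set[str]] = {}
    for user, roles in user_roles.items():
        _, unknown = granted_by(roles, role_permissions)
        if unknown:
            out[user] = unknown
    return out


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    for user, hits in find_sod_violations(users, ROLE_PERMISSIONS, SOD_CONFLICTS).items():
        for a, b, via in hits:
            print(f"{user}: holds {a} and {b} via {sorted(via)}")
    for user, roles in unknown_roles(users, ROLE_PERMISSIONS).items():
        print(f"{user}: roles not defined in role map: {sorted(roles)}")
```

Run against the sample, the check surfaces two distinct kinds of finding: alice and carol hold conflicting permissions only because two individually acceptable roles were combined (a provisioning problem), whereas dave's conflict sits inside the single HR_ADMIN role (a role-design problem). bob is clean, and erin's LEGACY_SUPERUSER cannot be assessed at all, which is why it is reported rather than silently ignored.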