2. GENERALIZED AUDIT SOFTWARE
GAS is designed generally for auditors.
GAS is used to achieve audit satisfaction.
GAS can’t resolve all of the auditor’s problems, but it
assists in many areas.
An example of GAS is Excel.
Generalized audit software (GAS) is the tool used
by auditors to automate various audit tasks. As
most accounting transactions are now
computerized, auditing of accounting data is also
expected to be computerized as well, for which
general purpose tools are used by auditors.
3. INTEGRATED TEST FACILITY
An embedded audit facility consisting of program, code, or
additional data provided by the auditor and incorporated into
the computer element of the client’s accounting system.
An integrated test facility is a built-in test environment.
Snapshot
It is a technique in which a known transaction is taken and
followed through the processing logic of a program, taking
“snapshots” at pre-specified places in the program.
It is a highly specialized technique that requires a
relatively high level of computer expertise to interpret the
results.
4. CONTD…
The snapshot audit technique is an automated tool
used to trace a specific transaction through
software and to document logic paths, control
conditions, and processing sequences. This
technique can verify program logic flow and help
the auditor understand the various processing steps
within the application software.
This technique involves the installation of a
snapshot software at critical processing points of an
application or a system. The software proceeds to
capture images of the transaction as it flows
through the application and reports to the
administrator immediately.
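The snapshot technique described above, as an added example that is not part of the original slides: one known transaction is tagged and its state is captured at pre-specified points of a small order-processing routine. The routine, its rates and limits, and all names (SnapshotRecorder, process_order, the T-100x ids) are constructed for illustration.

```python
import copy
from decimal import Decimal

class SnapshotRecorder:
    """Captures the state of tagged transactions at named processing points."""
    def __init__(self, tagged_ids):
        self.tagged_ids = set(tagged_ids)
        self.trail = []                       # list of (point, copy of state)

    def capture(self, point, txn):
        if txn["id"] in self.tagged_ids:      # untagged transactions are ignored
            self.trail.append((point, copy.deepcopy(txn)))

def process_order(txn, snap):
    """Constructed processing logic with a snapshot point after each step."""
    snap.capture("01-input", txn)
    txn["gross"] = txn["qty"] * txn["unit_price"]
    # Control condition: bulk discount only for quantities of 10 or more.
    txn["discount"] = txn["gross"] * Decimal("0.05") if txn["qty"] >= 10 else Decimal("0")
    snap.capture("02-after-discount", txn)
    txn["tax"] = ((txn["gross"] - txn["discount"]) * Decimal("0.10")).quantize(Decimal("0.01"))
    snap.capture("03-after-tax", txn)
    txn["total"] = txn["gross"] - txn["discount"] + txn["tax"]
    # Control condition: totals above the approval limit are held, not posted.
    txn["status"] = "HELD" if txn["total"] > Decimal("1000") else "POSTED"
    snap.capture("04-posting", txn)
    return txn

def run_snapshot_test():
    """Run a constructed batch; only the auditor's known transaction is traced."""
    snap = SnapshotRecorder(tagged_ids={"T-1002"})
    batch = [
        {"id": "T-1001", "qty": 2, "unit_price": Decimal("50.00")},
        {"id": "T-1002", "qty": 12, "unit_price": Decimal("100.00")},
    ]
    for txn in batch:
        process_order(txn, snap)
    return snap.trail

def changed_fields(trail):
    """For each snapshot point, list the fields that step added or changed."""
    report, prev = [], {}
    for point, state in trail:
        report.append((point, sorted(k for k, v in state.items() if prev.get(k) != v)))
        prev = state
    return report
```

The auditor compares each captured state with values computed independently for the known transaction; a mismatch at a given point localizes the faulty step or control condition.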
5. SPECIALIZED AUDIT SOFTWARE
Specialized audit software is written explicitly to
achieve some desired audit objective.
It is data-analysis software for auditors.
Examples of specialized software are ACL and IDEA.
6. PROS & CONS
Advantages of audit software are:
1. Focused approach
2. It is capable of performing exactly what is
required in a particular application.
3. It meets the needs of the auditor
Disadvantages of audit software are as follows:
1. Limited applicability
2. Development cost
3. High level of expertise required
7. AUDIT OF SYSTEM DEVELOPMENT PROCESS
The success of a system development project is
dependent on the success of key processes: Project
Management, Analysis, Design, Testing &
Implementation.
The auditor’s objectives are
1. to ensure that the controls over a substantial
investment will produce value-for-money
2. to ensure that systems developed meet the internal
control requirements of the business
A. The auditor is required to participate in the key project
management meetings, assess risk, systems design,
development, and systems delivery meetings to
provide ongoing, proactive control recommendations.
B. Alternatively, the auditor reviews the end-stage
deliverables throughout the development process
without becoming a part of the process.
8. SYSTEM DEVELOPMENT LIFE CYCLE
Phase 1: Feasibility Study
Phase 2: Requirement Definition
Choose buy or build
Build:
  Phase 3: System Design
  Phase 4: Development
Buy:
  Phase 3: System Selection
  Phase 4: Configuration
Phase 5: Implementation
Phase 6: Post-implementation
Phase 7: Disposal
9. AUDIT OF SYSTEM DEVELOPMENT PROCESS
o Each system development should be risk assessed to
determine the level of auditor’s involvement
o The type of review varies depending on the risks of a
particular project
o Auditors may only be involved in key areas or the entire
development project
Auditor’s role in system development
• Control Consultant – being part of the team, not an independent member
• Independent Reviewer
10. KEY TASKS OF AUDITOR IN SYSTEM DEVELOPMENT PROCESS
o Review user requirements
o Review manual and application controls
o Check all technical specifications for compliance with company standards
o Perform design walkthroughs at the end of each development phase
o Submit written recommendations for approval after each walk-through
o Ensure implementation of recommendations before beginning the next phase
o Review test plans
o Present findings to management
o Maintain independence to remain objective
These tasks can help minimize control weaknesses and problems before the
system becomes operational rather than after it is in use
11. Phases of System Development Life Cycle
1. Feasibility Study
This is the first phase in the systems development process. It identifies
whether or not there is a need for a new system to achieve
a business's strategic objectives. This is a preliminary plan
(or a feasibility study) for a company's business
initiative to acquire the resources to build on an infrastructure to
modify or improve a service. The company might be trying to
meet or exceed expectations for its employees, customers and
stakeholders too. The purpose of this step is to find out the scope
of the problem and determine solutions. Resources, costs, time,
benefits and other items should be considered at this stage.
2. Requirements Definition
The second phase is where businesses will work on the source of their
problem or the need for a change. In the event of a problem, possible
solutions are submitted and analyzed to identify the best fit for the ultimate
goal(s) of the project. This is where teams consider the functional
requirements of the project or solution. It is also where system analysis
takes place—or analyzing the needs of the end users to ensure the new
system can meet their expectations. Systems analysis is vital in
determining what a business's needs are, as well as how they can be met,
who will be responsible for individual pieces of the project, and what sort
of timeline should be expected.
12. CONTD.
3. System Design
The third phase describes, in detail, the necessary specifications,
features and operations that will satisfy the functional
requirements of the proposed system which will be in place. This
is the step for end users to discuss and determine their specific
business information needs for the proposed system. It's during
this phase that they will consider the essential components
(hardware and/or software), structure (networking capabilities),
processing and procedures for the system to accomplish its
objectives.
Price of nonconformance (PONC) represents
the added costs of not doing it right the first
time.
Price of conformance (POC) refers to avoiding
the headache by doing it right the first time.
13. CONTD
4. Development
The fourth phase is when the real work begins—in particular, when a
programmer, network engineer and/or database developer are brought
on to do the major work on the project. This work includes using a flow
chart to ensure that the process of the system is properly organized. The
development phase marks the end of the initial section of the process.
Additionally, this phase signifies the start of production. The
development stage is also characterized by installation and change.
Focusing on training can be a huge benefit during this phase.
A prototype is a small-scale working system used to test assumptions.
These assumptions may be about user requirements, program design, or the
internal logic used in critical functions. Prototypes usually are inexpensive to
build and are created over a short period of time. The principal advantage of
a prototype is that it permits change to occur before the major development
effort begins.
Compiling programs is a process of converting human-readable instructions
into machine language instructions for execution. The human-readable
version of software is referred to as source code. The unreadable compiled
version of the program is referred to as the object code.
Debugging is a systematic process of finding and reducing the number of
bugs, or defects, in a computer program so that it behaves as expected.
14. CONTD….
5. Implementation
Go Live and Changeover
A plan for switching processing from the old system to the
new system
Parallel operation: The old and new systems are run in
parallel, usually for an extended period of time
Phased changeover: In case of larger systems,
converting to the new system is usually done in small
steps or phases.
Hard changeover: A full change occurring at a
particular cutoff date and time. The purpose is to force
migration of all the users at once.
6. Post-implementation
7. Disposal
15. AUDIT OF DATA SECURITY
Data backup and Recovery
To ensure that the critical activities of an organization (and
supporting applications) are not interrupted in the event of a
disaster; secondary storage media are used to store software
application files and associated data for backup purposes
Online Backup
RAID:
o Redundant Array of Independent Disks (RAID) is a technology
used to improve the reliability, performance, or size of disk-
based storage systems.
o RAID is used to create virtual disk volumes over an array of
disk storage devices and can be configured so that the failure
of any individual disk drive in the array will not affect the
availability of data on the disk array.
o When the array is configured with RAID, a failure of a single
disk drive will have no effect on the disk array’s availability to
the server to which it is connected.
16. CONTD…
Replication: Replication is an activity where data that is written
to a storage system is also copied over a network to another
storage system
Synchronous replication: In this method writing data to a local
and to a remote storage system are performed as a single
operation, guaranteeing that data on the remote storage system
is identical to data on the local storage system.
Asynchronous replication: Writing data to the remote storage
system is not kept in sync with updates on the local storage
system. Instead, there may be a time lag, and you have no
guarantee that data on the remote system is identical to that on
the local storage system.
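The difference between the two replication methods, as an added example that is not part of the original slides: a toy model in which the local site fails after five writes, showing which records the remote copy is missing in each mode. The class, the JE-n journal-entry keys and the link capacity are constructed for illustration.

```python
from collections import deque

class ReplicatedStore:
    """Toy model of a local storage system replicating to a remote one."""
    def __init__(self, mode):
        if mode not in ("sync", "async"):
            raise ValueError("mode must be 'sync' or 'async'")
        self.mode = mode
        self.local, self.remote = {}, {}
        self.pending = deque()                # writes not yet shipped (async only)

    def write(self, key, value):
        self.local[key] = value
        if self.mode == "sync":
            # Local and remote writes complete as a single operation.
            self.remote[key] = value
        else:
            # The write is acknowledged now; the remote copy follows later.
            self.pending.append((key, value))

    def ship(self, max_writes):
        """Background transfer: apply up to max_writes queued writes remotely."""
        for _ in range(min(max_writes, len(self.pending))):
            key, value = self.pending.popleft()
            self.remote[key] = value

    def lost_on_failover(self):
        """Keys whose latest local value is missing at the remote site."""
        return sorted(k for k, v in self.local.items() if self.remote.get(k) != v)

def simulate(mode):
    store = ReplicatedStore(mode)
    for n in range(1, 6):                     # five constructed journal entries
        store.write(f"JE-{n}", f"amount-{n}")
        if n == 3:
            store.ship(max_writes=2)          # the link keeps up with only two writes
    # The local site fails here; what matters is what the remote copy holds.
    return store.lost_on_failover()
```

For an audit of backup and recovery, the size of the list returned in asynchronous mode is the data that would have to be re-entered or reconstructed after a failover.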
Server Clusters: In a cluster two or more servers appear as a
single server resource. Clusters are best suited for applications
that require a high degree of availability and a very small RTO
(recovery time objective).
If one of the servers in the cluster fails, the other server (or
servers) in the cluster will continue to run the application.
17. CONTD…
Offline Backup
Data is copied into an external medium like CD or
external hard disk periodically and kept in a safe
place on site
Offsite Backup
To provide disaster recovery protection, backup
media must be stored off-site in a secure location