Reasons For Using Computer Assisted Audit Techniques Information Technology Essay
Software vulnerabilities are a growing problem and furthermore, many of the mistakes that lead to weakness are always frequent. Auditing tools can be of great assistance in detecting common errors and the evaluation of programs’ security. Although some vulnerabilities could not be detected by any code auditor because they are unusual to some extent because it should be audited by people familiar with the code, and carefully be inspected to see if values ​​can be manipulated in a way to produce undesirable effects. Clearly, and audit the source code for all the weaknesses process remains time-consuming, even with the help of existing tools, and there is a need for further research to identify and avoid common other mistakes.
Introduction:
Government organizations and companies have become more and more helpless without computerized information systems to accomplish their tasks and to process, maintain, and report important information; as long as computer tools and technology advances. And therefore, systems that process, maintain and report computerized data dependency on auditing is a foremost matter.
But “Major software packages such as operating systems could be secured through code auditing and formal verification – but it may take as long as 50 years before this is possible”, said chief executive of Invisible Things Lab Joanna Rutkowska to Gartner’s London IT Security Summit on 17 September.[1]
The Using of computer services and facilities has caused different ways of processing, logging and controlling information. And so the repetitive nature of using many computer applications implies that small errors may lead to large losses. As an example for illustration; an error in the calculation of employees’ Income Tax payment in a manual system will not occur in each case, but on the other hand; oppositely once a malfunction or an error happens in a computerised system, it will continuously affect each case and a bank might face vast losses if just a simple mistake like rounding off to next dollar instead of near dollar. This makes it very vital for the auditor to test the undetectable or indistinguishable procedures and to detect the weaknesses or wrongness in a computer information system since the loss involved of errors and irregularities could be massive. One thing for sure is that many security problems are because of technology not the users or workers (operators) who are usually get the blame. Fixing the problem of users’ misuse or exploitation will not solve everything, but if technology would allow anyone to be secured that would be a great leap and advance.
Auditing is a technique defined as any procedure used by auditors to find out abnormalities from controls founded by an organization or company and also used in finding problems in established controls and processes. Auditing is used to help organizations through detecting errors and offering methods of correction. Several companies have found new ways to save money and streamline business practices through various auditing techniques which have found waste in certain processes.
Information systems auditing:
Information systems auditing is a cut of the auditing process that helps corporates in providing facilities for good governance. There might be no single universal definition of information systems auditing; but Ron Weber has stated “the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.”[2].
IT Auditing is the process of collecting, assessing and testing evidences to decide whether a computer system has been designed to maintain data integrity and allows organisational goals to be achieved efficiently while using resources not wastefully. Data integrity is related to the completeness, correctness and accuracy of information besides validity corresponding to the standards. An effective information system leads the organisation to accomplish its aims and objectives and an efficient information system uses least resources to achieve the aimed goals. To achieve the effectiveness in any system, IT Auditor must also know users’ of the information system characteristics and their decisions in the audited organisation system for evaluating. [3]
The reliability of computer generated data and their outcomes is evaluated and analyzed through specific programs by IT auditors. Furthermore, to certify system efficiency, IT Auditors also scan the sufficiency and acceptability of controls in related operations in information systems.
An application that uses auditing procedures require the auditor to be get known to techniques known as Computer Assisted Audit Techniques (CAATs); as it for improving the efficiency and effectiveness of audit procedures uses the computer as an audit tool. Computer Assisted Audit Techniques are computer programs or data that the auditor uses as part of the auditing procedures to audit and process data that are contained in an entity’s information systems. [4]
Main Challenge
Information System auditing as mentioned by S. Anantha Sayana [5]; involves discovering, logging and recording inspections that are highly technical. This technical extent is vital to perform effective Information System audits. And at the same time, it is essential to mine audit results and records into weaknesses and businesses controls that working managers can relay on. That is the main challenge of Information System audit.
Reasons for using Computer Assisted Audit Techniques:
Computer Assisted Audit Techniques are used in performing several auditing measures and processes, including:
Analytical procedures, as: when discovering major irregularities or variations.
Implementing modules to obtain data for audit testing.
Testing of application controls, as in evaluating the running of a program.
Testing of general controls, as in evaluating the structure or set-up of the operating system or logging actions to the program’s data or through operating code comparison software to inspect that the version of the program used is the version approved by administration.
Testing aspects of balances and trades; as: when an auditor uses a software in extraction of bills from a certain value from computer logs or in recalculating an interest.
Revaluating calculations done by the company’s accounting systems.
Types of auditing programmes:
There are various categories of auditing software, including:
Purpose-Written Programs: to execute audit jobs in special conditions. Most of the time; this type of programs are developed by the auditor, the company being audited or by an outsourced computer programmer employed by the auditor and certain situations the auditor may use the company’s current programs but adapted as it is sometimes more effective than developing new programs.
Package Programs: which are general computer programs aimed to perform data processing tasks, such as interpreting and analysing data, and executing calculations, producing data files and saving in a format specified by the user or auditor.
System Management Programs: These programs are not specifically created for audit purposes. They are productivity tools that are usually part of an operating systems environment, as: code comparison or data retrieval software.
Utility Programs: As with System Management programs these tools are not specifically designed for auditing use and their use requires additional care, and so may not cover elements as automatic record counts. They are used by an entity to execute general data handling functions, as creating, sorting and printing.
Examples of Computer Assisted Audit:
As said by Stuart McClure who is the president and CTO and Joel Scambray who is the managing principal at security consultancy Foundstone; there is no complete or “done” software so planning auditing with a discrete series of milestones is a must. And therefore there many techniques for computer assisted auditing as:
Audit Automation: which are expert systems and tools to estimate risk management procedures or financial modelling programs for use as predictive audit test.
Audit Software: which are used by the auditor to read data on clients’ files to deliver information for auditing and to re-execute actions the clients’ programs carry out.
Core Image Comparison: these are software the auditor uses to compare the executable version of a software with a master locked copy of this software.
Database Analysers: which are software used by the auditor to inspect the access rules and rights linked to terminals and the capacity of users to access data on database.
Embedded Code: are software used by the auditor to check connections passing through the system by placing the auditor’s program within the programs used for processing.
Log Analysers: used by the auditor to interpret and examine machine activities’ records.
Mapping Software: are used to catalogue or group unused program instructions.
Modelling: which are various commonly related to microcomputer software for carrying out analytical feedbacks of client’s results, to modify conditions or to record results and compare actual results with the expected ones.
On-line Testing: are manipulating or arranging data either real or unreal to ensure that a certain program edit check is executing efficiently.
Program Code Analysis: a test of the source code of a specific program with a scene to track the logic of the program as to ensure the program will perform according to the auditor’s comprehending.
Program Library Analysers: are software used by the auditor for inspect dates of changes done to the executable library
Snapshots Software: which are used to record a “picture” of connection passing through the system at a specific time or a file of data.
Source Comparison Software: that used to compare the source version of a software with a locked master one.
Tracing Software: are used to identify which instructions were used in a program and in what order.
An example of code auditing program:
An example of tools for auditing code from (vanheusden.com) [6], for the C++ language is a tool called “Gibberish”. It is for server applications that run in a hostile environment (the internet). While on the internet the program would be harshly tortured by attacks. With this program, it tests the program if it can tolerate such attacks. It is also used to test UDP and TCP servers, the test-data can contain random binary data. This program was developed and implemented for the UNIX but it can be effortlessly ported to Windows or Mac.
Another example is the LoriotPro [7] which is a program for Observing availability and performance of IP attached program and hardware, printer, routers, switches, servers, OS and others and also show the up-to-date availability status through graphical and visual representation.
http://www.loriotpro.com/Products/On-line_Documentation_V5/images/J10-A2_img/TCP-AuditGraph.jpg
Order Now