
Continuous Auditing ISACA Chester 27th Oct 2004

Robert Onions, Researcher, Information Systems Security Research Group, The University of Salford, England.

Enron, Xerox, Maxwell, WorldCom, BCCI, Parmalat: large-company frauds are well publicised, but we do not hear about frauds in small and medium-sized companies.
SMEs: 3.8 million in the UK, 30 million plus in the USA, 40 million in the EU. In the EU they employ circa 156 million people.


European Union definition of SME. Small company if any two of the following apply:
Fewer than 50 employees.
Balance sheet total less than £2.8 million.
Turnover less than £5.6 million.


European Union definition of SME. Medium company if any two of the following apply:
Fewer than 250 employees.
Balance sheet total less than £11.2 million.
Turnover less than £23.6 million.


DTI-funded research questionnaire. Control group of 20 SMEs. Four A4 pages, 161 questions in total. Posted to 2,000 randomly selected SMEs in late 2002; a truly random sample permits statistical inference (census versus sample). A covering letter from the DTI/Salford explained the research, with a pre-paid return envelope. Responses from 107 companies (5.4%).


Some pre-research hypotheses:
1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and security.
2. Unreported fraud may be widespread within SMEs and may be growing.
3. Directors are keenly interested in reducing fraud if they can.
4. SMEs might favour an alternative, low-cost, automated auditing technology such as a Continuous Auditing software package if such a technology were available to them.


1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and security. In 2002, 80% of SMEs were not mandated to have an annual audit; using the revised £5.6 million threshold in 2004 it is 88%. 8% would not undergo a voluntary audit, 24% would take a voluntary audit, 68% were undecided.


1. Most SMEs receive limited systems auditing attention, with auditors paying inadequate attention to aspects of Information Technology and security. Findings:
64% of auditors do not audit the company systems.
78% of auditors do not bring in specialist technical expertise to audit the systems.
60% of auditors have no specialist knowledge of the application systems.
75% do not report on any aspect of Information Technology.
62% of auditors do not use specialised auditing software.
Only 6% of auditors attempt penetration testing.
Hypothesis 1 supported.


Corollary to Hypothesis 1, analysing all respondents defrauded in the last 5 years: 40% did not have an annual audit. Where audited: 54% had no systems auditing; 61% of auditors had no specialist IT knowledge; 55% of auditors did not report on any aspect of IT.


2. Unreported fraud may be widespread within SMEs and may be growing. Very difficult to measure: how does one measure an intangible?

45% of respondents had been defrauded in the last 5 years, and they all completed the questionnaire.
However, only 31% of that 45% gave details of the frauds. Reasons for non-reporting? Hypothesis 2.


3. Directors are keenly interested in reducing fraud if they can.

[Pie chart: respondents by role. Roles: Managing Director, Financial Director, Owner/Director, Manager, Staff Member. Segment values: 36.9%, 31%, 16.7%, 13.1%, 2.4% (the mapping of values to roles is not recoverable from the extracted text).]

A total of 84% of the arduous questionnaires were completed by directors. The covering letter had stated best practice. Hypothesis 3 supported.


4. SMEs might favour an alternative, low-cost, automated auditing technology such as a Continuous Auditing software package if such a technology were available to them.

55% of respondents thought that there should be a simple methodology for systems auditing.
53% favoured some form of automatic auditing; this rises to 60% in defrauded companies, and to 88% where fraud values were given. 15.8% would pay up to £2,000 for a package; 14.3% would pay up to £2,500 a year to maintain the system. Hypothesis 4 supported.


Some examples, if the research findings are accepted as inferential and extrapolated across the UK SME base (3.8 million companies). 100% of group companies whose computer networks were accessed remotely by the group had no idea what functions the group was carrying out; this equates to some 328,000 UK companies. Around 3.5 million SMEs use anti-virus software; 3.34 million have Internet access and 2.93 million use e-mail. Some 3.68 million companies send data over the Internet without any protection such as encryption.


Some 2.69 million companies are at risk from virus attacks by not updating their virus definitions on a daily basis. Over 543,000 companies NEVER update their virus definitions, and around 445,000 update only once a year.

Companies where all employees know the system administrator password number some 1.71 million. Some 1.44 million UK companies do not screen their new or temporary staff.
1.78 million UK companies have suffered instances of fraud in the last five years! Of these, 1.44 million were defrauded by employees.


2.28 million companies have auditors with no specialist knowledge of the company's software systems, and a staggering 2.85 million companies have auditors who do not report on any aspect of Information Technology. 2.43 million companies have auditors who do not audit the company software systems, and 3 million companies have auditors who do not bring in specialist technical expertise to audit systems. Some 2.1 million companies favour some form of automatic, on-line auditing capability. In 1.68 million companies staff members know each other's passwords.


"The world we have created today as a result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them." Einstein.

Definition of Continuous Auditing: analysis of endogenous and exogenous transactions and keystrokes, virtually simultaneously with, or a short period of time after, their processing.



[Diagram: Proposed Model for Secure Continuous Auditing. Components recoverable from the slide, with the component numbers that survive:]
Inputs: local workstation and remote workstation; all other exogenous data and keystrokes; all other local-workstation endogenous data and keystrokes.
Transaction flow: operating system security and application systems; basic editing; transactions mapped to XCAL format.
(2) Secure partitioned processor or external system: forensic data capture; ephemeral editing; expert-systems technology; rules-based accounting standards; forensic knowledge.
(7) Alerts, over secure VPNs, to either an on-line systems audit centre or an internal audit department.
Verification agencies reached via web services: Companies House, criminal records, credit checking bureaux.
Rules development repository, automatically updated and classified by industry type.
Alert investigation findings.
(4) Secure VPN to statutory organisations, auditors, directors, police and stakeholders.
Alert gravity gradings: Severe (high possibility of problems); Medium (chance of problems); Low (mundane levels of activity).
Legend: VPN = Virtual Private Network; XCAL = Extensible Continuous Audit Language.


DBMS requirements. Audit records should be computer generated and capture all database changes, including the time, workstation and signed-on user name that generated the transaction. They need to be immediately encrypted and exported to a secure area. The audit trail must be tamper-proof, and any attempt to tamper with it must itself be logged.
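One way to build the audit record these requirements call for, as an added example written for this page and not code from the presentation or from any product it mentions: every change is recorded by the system (not typed by the user) with time, workstation and signed-on user, MAC'd with a key held by the secure export area, and chained to the previous record so that alteration, deletion or reordering of the exported trail is detected on verification. The key, workstation and table names and the two sample changes are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed: the MAC key is held by the secure export area (audit centre), not on
# the audited host. A fixed constant here only so the example runs offline.
EXPORT_KEY = b"demo-key-held-by-the-audit-centre"
GENESIS = "0" * 64  # prev_mac of the first record in a trail


def _canonical(entry: dict) -> bytes:
    """Stable serialisation so the MAC covers every field the same way each time."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_change(trail: list, user: str, workstation: str, table: str,
                  row_key: str, before, after, key_material: bytes = EXPORT_KEY,
                  when: Optional[datetime] = None) -> dict:
    """Append one database change as a hash-chained, MAC'd audit record.

    prev_mac links each record to the one before it, so deleting or reordering
    records breaks the chain; the MAC makes editing a record detectable.
    """
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(trail),
        "time": when.isoformat(),
        "workstation": workstation,
        "user": user,
        "table": table,
        "row_key": row_key,
        "before": before,
        "after": after,
        "prev_mac": trail[-1]["mac"] if trail else GENESIS,
    }
    entry["mac"] = _mac(key_material, _canonical(entry))
    trail.append(entry)
    return entry


def verify_trail(trail: list, key_material: bytes = EXPORT_KEY) -> list:
    """Return (index, problem) pairs; an empty list means the trail is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(trail):
        stored = entry.get("mac", "")
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i:
            problems.append((i, "sequence gap or reordering"))
        if entry.get("prev_mac") != prev:
            problems.append((i, "chain broken"))
        if not hmac.compare_digest(stored, _mac(key_material, _canonical(body))):
            problems.append((i, "record altered"))
        prev = stored
    return problems


def demo() -> tuple:
    """Constructed scenario: two changes, then the first record is edited in place."""
    trail = []
    append_change(trail, "sysadmin", "WS-07", "supplier", "S1042",
                  {"mailing_address": "1 High St"}, {"mailing_address": "PO Box 99"})
    append_change(trail, "sysadmin", "WS-07", "ap_invoice", "INV-2291",
                  None, {"supplier": "S1042", "amount": 4850.00})
    clean = verify_trail(trail)
    tampered = json.loads(json.dumps(trail))               # deep copy via JSON
    tampered[0]["after"]["mailing_address"] = "1 High St"  # "undo" the change in the log
    return clean, verify_trail(tampered)


if __name__ == "__main__":
    print(demo())
```

verify_trail is meant to run in the secure area, not on the audited host, because the host could otherwise recompute MACs. Two caveats: truncating the trail at its tail is not visible to verify_trail on its own, so the export side should also remember the MAC of the last record it received and compare on the next export; and the block gives integrity only, so the "immediately encrypted" requirement is a separate step applied to the exported records.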


DBMS requirements (continued): all keystrokes need to be stored, and all endogenous and exogenous data must be captured.

One such package is DataMirror LiveAudit (http://www.datamirror.com/resourcecenter/liveaudit.aspx), which works with several database systems and multiple operating systems. It also contains a mapping tool which outputs XML.





Extensible Continuous Auditing Language (XCAL)

Defines a generic transaction and generic master files. Needed because of the plethora of software packages. Similar to XBRL, which defines a generic general-ledger chart of accounts and is now a world standard (Cisco, Reuters and Evergreen statements).





Ephemeral editing rules require meta-rules:
Benford's law across all relevant fields.
Is the user authorised to the transaction?
Time of transaction.
Weekend transaction? Remote transaction? Total transaction cost acceptable (e.g. stock adjustments)?
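The meta-rules above as working code, an added example for this page rather than code from the presentation: a Benford first-digit deviation across a field of amounts, plus per-transaction checks for authorisation, weekend, time of day, remote session and an acceptable total, graded Severe/Medium/Low as in the model diagram. The authorisation matrix, cost limits, business hours, the 50-value minimum, the gravity thresholds and the transactions and amounts are all constructed assumptions.

```python
import math
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed authorisation matrix and limits (assumptions, not from the research).
AUTHORISED: Dict[str, Set[str]] = {
    "jsmith": {"sales_invoice"},
    "amason": {"sales_invoice", "stock_adjustment"},
    "sysadmin": {"supplier_master"},
}
COST_LIMITS = {"stock_adjustment": 500.0}   # "total transaction cost acceptable?"
BUSINESS_HOURS = (8, 18)                    # 08:00 to 18:00 local time (assumed)

# Benford's law: expected share of each leading digit, log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount: float) -> int:
    """Leading non-zero digit of an amount (0 if the amount is zero)."""
    s = f"{abs(amount):.6f}".replace(".", "").lstrip("0")
    return int(s[0]) if s else 0


def benford_deviation(amounts: List[float], minimum: int = 50) -> Optional[float]:
    """Largest absolute gap between observed and Benford first-digit frequencies.

    Returns None when there are too few non-zero values for the test to mean anything.
    """
    digits = [d for d in map(first_digit, amounts) if d]
    if len(digits) < minimum:
        return None
    counts = Counter(digits)
    n = len(digits)
    return max(abs(counts[d] / n - BENFORD[d]) for d in range(1, 10))


def grade_transaction(tx: dict, authorised=AUTHORISED, limits=COST_LIMITS) -> Tuple[str, List[str]]:
    """Apply the per-transaction meta-rules; return an alert gravity and the reasons."""
    reasons = []
    when = datetime.fromisoformat(tx["time"])
    if tx["type"] not in authorised.get(tx["user"], set()):
        reasons.append("user not authorised for this transaction type")
    if when.weekday() >= 5:
        reasons.append("weekend transaction")
    if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    if tx.get("remote"):
        reasons.append("remote session")
    limit = limits.get(tx["type"])
    if limit is not None and abs(tx.get("amount", 0.0)) > limit:
        reasons.append(f"amount {tx['amount']:.2f} exceeds {limit:.2f} limit for {tx['type']}")
    # Gravity gradings follow the model: Severe / Medium / Low (thresholds assumed).
    if "user not authorised for this transaction type" in reasons or len(reasons) >= 3:
        return "Severe", reasons
    if reasons:
        return "Medium", reasons
    return "Low", reasons


# Constructed sample transactions. 2004-10-23 was a Saturday.
SAMPLE_TRANSACTIONS = [
    {"id": 1, "time": "2004-10-26T10:15:00", "user": "jsmith", "type": "sales_invoice",
     "amount": 1250.00, "remote": False},
    {"id": 2, "time": "2004-10-27T14:00:00", "user": "amason", "type": "stock_adjustment",
     "amount": 900.00, "remote": False},
    {"id": 3, "time": "2004-10-23T23:00:00", "user": "sysadmin", "type": "supplier_master",
     "amount": 0.0, "remote": True},
]

# Constructed amounts whose first digits follow Benford closely (30/18/12/10/8/7/6/5/4 of 100).
BENFORD_LIKE = [d * 1000 + k * 7.0
                for d, n in zip(range(1, 10), [30, 18, 12, 10, 8, 7, 6, 5, 4])
                for k in range(n)]
# Constructed amounts that do not: every value starts with 5.
SUSPICIOUS = [500.0 + k for k in range(60)]


def run_rules(transactions: List[dict]) -> Dict[int, Tuple[str, List[str]]]:
    return {tx["id"]: grade_transaction(tx) for tx in transactions}


if __name__ == "__main__":
    for tx_id, (gravity, reasons) in run_rules(SAMPLE_TRANSACTIONS).items():
        print(tx_id, gravity, reasons)
    print("Benford deviation, conforming set:", benford_deviation(BENFORD_LIKE))
    print("Benford deviation, suspicious set:", benford_deviation(SUSPICIOUS))
```

The Benford test is only meaningful across many values and on fields whose amounts span orders of magnitude; fixed-price items or capped values fail it legitimately, so a high deviation should raise an alert for investigation rather than block anything. The per-transaction rules are the kind of entry the rules repository in the model would hold, classified by industry type.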





Aggregated transactions (each step on its own is acceptable to the system):

Action                                                              Acceptable to system
 1. System Administrator (SA) signs on remotely at 11.00 pm.        Yes
 2. SA goes to master file maintenance routines.                    Yes
 3. SA opens supplier master file, searches for supplier.           Yes
 4. SA changes mailing address of supplier.                         Yes
 5. SA selects supplier invoice post routines.                      Yes
 6. SA posts invoice for supplier just amended.                     Yes
 7. SA selects payment run and cheques are produced.                Yes
 8. SA selects mail label run for suppliers with cheques.           Yes
 9. SA goes back to master file maintenance.                        Yes
10. SA changes supplier mailing address back to the original.       Yes

CA Laboratories Rutgers University
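Detecting the sequence as a whole rather than its individually acceptable steps, as an added example for this page (not code from the presentation or from CA Laboratories): events are aggregated per supplier, and a mailing-address change that is followed by a payment run and then reverted to the original within a window raises a Severe alert, carrying the users involved, the amount paid and whether the session was remote. The event log is constructed to reproduce the ten steps; the field names, the 24-hour window and the gravity are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed event log reproducing the ten-step scenario (not real data).
EVENTS = [
    {"t": "2004-10-23T23:00:00", "user": "sysadmin", "action": "logon", "remote": True},
    {"t": "2004-10-23T23:01:00", "user": "sysadmin", "action": "open_master_maintenance"},
    {"t": "2004-10-23T23:02:00", "user": "sysadmin", "action": "master_change", "supplier": "S1042",
     "field": "mailing_address", "before": "1 High St", "after": "PO Box 99"},
    {"t": "2004-10-23T23:05:00", "user": "sysadmin", "action": "invoice_post", "supplier": "S1042",
     "amount": 4850.0},
    {"t": "2004-10-23T23:08:00", "user": "sysadmin", "action": "payment_run", "supplier": "S1042",
     "amount": 4850.0},
    {"t": "2004-10-23T23:09:00", "user": "sysadmin", "action": "label_run", "supplier": "S1042"},
    {"t": "2004-10-23T23:12:00", "user": "sysadmin", "action": "master_change", "supplier": "S1042",
     "field": "mailing_address", "before": "PO Box 99", "after": "1 High St"},
]

# A genuine correction in office hours with no payment in between: must not alert.
BENIGN_EVENTS = [
    {"t": "2004-10-26T10:00:00", "user": "jsmith", "action": "master_change", "supplier": "S2001",
     "field": "mailing_address", "before": "4 Mill Lane", "after": "4 Mill Lane, Chester"},
    {"t": "2004-10-26T10:03:00", "user": "jsmith", "action": "master_change", "supplier": "S2001",
     "field": "mailing_address", "before": "4 Mill Lane, Chester", "after": "4 Mill Lane"},
]


def detect_address_round_trips(events: List[dict],
                               window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Flag supplier address change -> payment run -> address reverted, per supplier."""
    alerts = []
    pending: Dict[str, dict] = {}   # supplier -> state since its address was changed
    session_remote: Dict[str, bool] = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        when = datetime.fromisoformat(ev["t"])
        user = ev["user"]
        if ev["action"] == "logon":
            session_remote[user] = bool(ev.get("remote"))
            continue
        sup = ev.get("supplier")
        if ev["action"] == "master_change" and ev.get("field") == "mailing_address":
            state = pending.get(sup)
            reverted = state is not None and ev["after"] == state["change"]["before"]
            if reverted and when - state["when"] <= window:
                if state["paid"] > 0:
                    alerts.append({
                        "gravity": "Severe",
                        "supplier": sup,
                        "users": sorted(state["users"] | {user}),
                        "paid": state["paid"],
                        "minutes": (when - state["when"]).total_seconds() / 60,
                        "remote": session_remote.get(user, False),
                        "reason": "supplier address changed, payment made, address reverted",
                    })
                pending.pop(sup, None)
            else:
                # A new change (or a non-reverting edit) starts a fresh watch for this supplier.
                pending[sup] = {"change": ev, "when": when, "paid": 0.0, "users": {user}}
        elif ev["action"] == "payment_run" and sup in pending:
            pending[sup]["paid"] += float(ev.get("amount", 0.0))
            pending[sup]["users"].add(user)
        elif ev["action"] == "invoice_post" and sup in pending:
            pending[sup]["users"].add(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_address_round_trips(EVENTS):
        print(alert)
    print(detect_address_round_trips(BENIGN_EVENTS))
```

The point the slide makes is that each of the ten steps passes the application's own checks; only a detector that keeps state across the sequence sees the fraud. A change that is never reverted but is followed by a payment to the new address is also worth a lower-gravity alert, and the 24-hour window should be tuned to the payment-run cycle of the company concerned.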


Web services. Alert Handling.




Future
"The future is like heaven, everyone exalts it but no one wants to go there right now." Baldwin, 1961.
Future #1. Eighth World Continuous Auditing and Reporting Symposium. Web address: http://raw.rutgers.edu/8wcas. Rutgers Business School, 190 University Avenue, Engelhard Hall, Bove Auditorium, 1st floor, Newark, NJ 07102. November 5, 2004 (8:30 AM to 5:00 PM); November 6, 2004 (8:30 AM to 4:30 PM).

Future #2. Ninth World Continuous Auditing and Reporting Symposium, The University of Malta, May 20th and 21st, 2005. E-mail: roberton@maltanet.net
