Islamic University – Gaza, Faculty of Commerce, Department of Accounting. The Role of Using Information Technology in Enhancing the Quality of Auditing Services in Gaza Strip. A Graduation Project Proposal Presented to the Faculty of Commerce, The Islamic University of Gaza. By Student: Osama Mahmoud El-Hindi (120080987) and Student: Mahmoud Jawad El-Helou (120082255)


Post on 31-Jan-2018


Islamic University – Gaza
Faculty of Commerce
Department of Accounting

The Role of Using Information Technology in Enhancing the Quality of Auditing Services in Gaza Strip

A Graduation Project Proposal
Presented to the Faculty of Commerce
The Islamic University of Gaza

By

Student: Osama Mahmoud El-Hindi (120080987)

Student: Mahmoud Jawad El-Helou (120082255)

Supervisor

Dr. Salah Shubair

Gaza Strip

In the name of Allah, the Most Gracious, the Most Merciful

"And do not pursue that of which you have no knowledge. Indeed, the hearing, the sight and the heart, about all of those one will be questioned." (Surah Al-Isra)

Dedication:

For Our Palestine…

For Our University…

For Our Teachers…

For Our Family…

We Present This Research…


Acknowledgment:

- First of all, we thank Allah for helping us to complete our Research.

- Our ability to accomplish this research is due to the good effort provided by our great university IUG.

- We thank our parents very much, who granted us everything in their lives, and we also thank them for pushing us to succeed.

- We would like to thank Mr. Salah Shubair for his advice and continuous support.

- For all our teachers at IUG and for the IUG library staff.

- We would like to express our personal gratitude to all auditing offices in Gaza Strip.

- Finally, thanks to everyone who contributed in any way to support us.

List of content:

A Verse of Quran

Dedication

Acknowledgment

CHAPTER 1: RESEARCH PROPOSAL

ABSTRACT

INTRODUCTION

RESEARCH PROBLEM

RESEARCH IMPORTANCE

RESEARCH OBJECTIVES

RESEARCH HYPOTHESIS

SCOPE AND LIMITATIONS OF THE RESEARCH

RESEARCH METHODOLOGY

TIME TABLE AND BUDGET

CHAPTER 2: LITERATURE REVIEW

BRIEF HISTORY OF AUDITING

AUDITING DEFINITION

THE IMPORTANCE OF AUDITING

THE TYPES OF AUDITS

TYPES OF AUDITORS

CHAPTER 3: AN INTRODUCTION TO COMPUTER AUDITING

IMPORTANCE OF INFORMATION TECHNOLOGY

INTRODUCTION

SYSTEMS UNDER DEVELOPMENT

LIVE APPLICATIONS

IT INFRASTRUCTURE

AUDIT AUTOMATION

CHAPTER 4: APPLIED CASE ON AUDITING OFFICES OF GAZA STRIP

CHAPTER 5: RESULTS AND RECOMMENDATIONS

Results

Recommendations

References

Appendix

CHAPTER 1: RESEARCH PROPOSAL

ABSTRACT

Over the past twenty years, the use of computers in the auditing process has spread widely, in order to offer clients the best services and to speed up audit work, given the increase in financial transactions in large establishments and the increase in their detail and accuracy. This requires the external auditor to obtain a sufficient understanding of the accounting data and of the computer-based information systems environment, to define the effect of this environment on inherent and control risks, and to design and execute suitable tests of controls and substantive procedures to reduce audit risk to an acceptable level.

INTRODUCTION

A key feature of many organizations today is change. Although not necessarily the driver of change, IT is invariably an intrinsic component, and much of the change would not be possible without IT. IT has had a major impact on social, economic and political factors throughout the world. Not only has it led to the creation of new professions, but it has also revolutionized others, such as office work or, when combined with robotics, manufacturing industries. Computer audit operates in a climate of constant and rapid change. Computer auditors are continually faced with the prospect of faster, smaller and cheaper IT systems. An analogy frequently used to describe the rapid development of IT is that, if aviation had developed at the same rate, man would have landed on the moon in 1922. IT is a dynamic area which, in turn, requires a dynamic and flexible control structure.

In fact, accounting aims to provide the organization's management with the information necessary for all activities of the entity (that is, information related to the results of operations, financial position and cash flows at the end of the fiscal period). This information is important for planning, controlling and taking appropriate decisions, and for protecting the organization's assets from theft, embezzlement and so on. During the last twenty years of the twentieth century, the emergence of corporations and holding companies led to increases in production, marketing and financial transactions. These increases created the need to use high-tech techniques for processing financial data and for auditing instead of traditional methods, so the use of computers for data processing is important for several reasons, such as timeliness and accuracy; these reasons emphasize the use of computers in auditing. ISA number (401) shows that the auditor must consider the electronic information system during audit procedures in order to reduce the risks that may arise in the audit to a reasonable level. In later years the use of computers for auditing spread around the world, but we find that the use of computer techniques for auditing in Gaza Strip faces several problems: (1) the Israeli siege and the bad financial situation in Gaza Strip, resulting in a lack of material capabilities; (2) the lack of familiarity of audit offices in Gaza Strip with the use of computer techniques in audit; (3) the clients (audited companies) do not cooperate with or help audit offices in using computer techniques (or IT) in the auditing process. In this research we will therefore show the importance of using computers in audit, as well as the role of universities and organizations in enhancing the efficiency and effectiveness of auditing services, in Gaza Strip only.

RESEARCH PROBLEM

We can summarize the problems as follows:

1. The Israeli siege of Gaza Strip has resulted in a lack of material capabilities, and so there are more obstacles to the auditor using computer techniques and information technology to complete his job to an acceptable level.

2. The lack of experience and knowledge in using the computer techniques and programs that are designed to carry out the audit process.

3. Currently, there are no courses provided by universities or entities in Gaza Strip that emphasize the use of computer programs for auditing, which is now called IT audit or E-audit.

4. Audit offices in Gaza Strip make no use of quality and standard measures for computers.

5. No use is made of the advanced facilities provided by computers and their software techniques.

RESEARCH IMPORTANCE

In our research, information technology audit (or using computers for audit) is very important for all auditors, audit offices, and accounting department students and graduates in Gaza Strip. This importance increases with the advantages and facilities provided by IT audit, for several reasons:

1. The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. The need to control and audit IT has never been greater.

2. To evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

3. IT audit is characterized by speed and accuracy.

4. To make the audit profession in Gaza Strip more efficient and effective. In addition, this research calls on all universities (especially the accounting department of the Islamic University) to include courses that cover IT audit in depth, in order to enhance the use of IT in auditing as well as to make the audit profession in Gaza Strip more effective and efficient.

RESEARCH OBJECTIVES

The main objective is:

To show the role of IT in enhancing the quality of auditing services provided by audit offices in Gaza strip.

The secondary objectives are:

1. To show the importance and characteristics of IT audit.

2. To show the process and procedures in which IT audit can be done effectively and efficiently.

3. To show the problems and obstacles that stand against the use of IT audit and computer techniques in Gaza strip.

4. To find out potential solutions to solve those problems faced by auditors.

5. To show the role of Gaza strip universities in enhancing the quality of audit services provided by audit offices in Gaza strip.

RESEARCH HYPOTHESIS

H0: There is no relationship between IT and the quality of auditing services.

H1: There is a relationship between IT and the quality of auditing services.

H2: There is a relationship between age and the quality of auditing services.

H3: There is a relationship between educational qualification and the quality of auditing services.

H4: There is a relationship between practical experience and the quality of auditing services.

RESEARCH SCOPE AND LIMITATIONS

Several limitations may face the researchers during their study, and they have to try to minimize the effect of these limitations in order to achieve the objectives of the study:

1. First, the researchers may face problems that hinder the research process, concerning limited resources and information, as not all information is easily accessible.

2. Second, the time restriction that the researchers will face: this study must be completed within two months, which means that they have to work hard to collect data, analyze the data and reach the targeted objectives within a short period.

3. Third, this research requires statistical studies showing the facts and problems surrounding the audit profession in Gaza Strip.

RESEARCH METHODOLOGY

The two researchers will use the descriptive analytical approach to complete the study, which depends on describing and demonstrating the importance of using IT in enhancing auditing services in Gaza Strip. Sources to collect information:

Primary sources:

1. Previous research.

2. Related websites.

Secondary sources:

1. Related books.

2. Magazines and periodicals.

RELATED WORKS

India, Office of the Comptroller and Auditor General, Information Technology Audit: General Principles (IT Audit Monograph Series #1): (Controls in a computer information system reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that objectives will be achieved. The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations...).

State of Florida, Auditor General (David W. Martin, CPA): (Public entities rely heavily on information technology (IT) to achieve their missions and business objectives. As such, IT controls are an integral part of entity internal control systems. The Auditor General evaluates the effectiveness of entity controls over IT as a part of financial and operational audits).

The Office of the Auditor General of Norway: (The public sector in Norway is dependent on Information and Communication Technology (ICT) and therefore the auditor has to understand how organizations use technology to run their business and reach their overall goals. If the auditors do not have this understanding, they will not be able to perform their function. This does not mean that all auditors need deep knowledge on IT-audits, but the OAG have to ensure that the auditors have the right level of competence when we staff the audits. In order to assess the internal control systems, the auditors may have to perform audits on the IT-systems).

INTERNATIONAL STANDARD ON AUDITING 401: (The purpose of this International Standard on Auditing (ISA) is to establish standards and provide guidance on procedures to be followed when an audit is conducted in a computer information systems (CIS) environment. For purposes of ISAs, a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party).

The Extent of the Use of Information Technology in the Process of Auditing (E-Auditing) in Palestine, and Its Effect on the Quality of the Evidence to Support the Audit Opinion of the Neutral Prepared on the Financial Statement:

(The study aimed at investigating to what extent auditors in Palestine use information technology in planning, controlling and documenting the audit processes; Hamdona & Hamdan, 2007).

From the previous related works, the importance of using computer techniques as well as IT to conduct the auditing process increases from day to day around the world. From here, we must enforce ISA number 401 effectively and efficiently in Gaza Strip as well as the West Bank, as far as we can, in order to save our companies and then our economy from potential losses and to produce highly experienced graduates in accounting and audit.

TIME TABLE AND BUDGET

The research has a time limit; it should be done in three months. The following chart describes the way we will spend the research time.

Chart: what we will do, scheduled across periods 1 to 9 over March, April and May.

- Generate the topic
- Collect references
- Writing research proposal
- Apply proposal & writing the research
- Results and recommendations
- Discussion of the research (after May)

The estimated research budget could be NIS 250 or more. This budget will be spent on copying, typing and other expenses related to this research.

CHAPTER 2: LITERATURE REVIEW

1. BRIEF HISTORY OF AUDITING

Auditors have been around for a long time. As long as there has been civilization, there has been a need for some type of record-keeping to implement accountability. In fact, it was the need to keep records of ownership of quantities of goods that led to the development of writing and arithmetic. The first number systems and the first written words were developed as symbols to keep track of merchandise either collected as taxes or used in trade. It was centuries later that literature and mathematics evolved separately, far removed from this initial accountability application. For example, the first proto-Greek written script, Linear B, was essentially developed for keeping records of business transactions and palace inventories in Mycenaean Greece in 1400–1300 B.C. It was only in 800–700 B.C. that a further evolved writing system was used to record some of the earliest works of Western literature, the Iliad and the Odyssey. By then in Greece writing had evolved to the point of recording outstanding deeds and social events and not just commercial transactions. Similarly, accounting and measuring evolved into more abstract mathematics. This pattern of the gradual evolution of writing had been seen in many even earlier civilizations, starting with the Sumerians (3000 B.C.), the Egyptians (2500 B.C.), the first Indus River civilization (2500 B.C.) and the start of the Xia dynasty in China (2300 B.C.).

Auditing accompanied the development of accounting, and the first recorded auditors were the spies of King Darius of ancient Persia (522 to 486 B.C.). These auditors acted as “the King’s ears”, checking on the behavior of provincial satraps. The word auditor comes from the Latin word “to hear” because in ancient times auditors listened to the oral reports of responsible officials (stewards) to owners or those having authority, and confirmed the accuracy of the reports. Over the centuries this role of auditors as verifiers of official reports evolved to include that of verifying written records. By 1500 A.D. double-entry bookkeeping had evolved to the point of being documented by Luca Pacioli of Italy in the first known book on accounting. Pacioli also recommended that the accounting records be verified by auditors. By the early 19th century auditors acting as independent outside experts were frequently called upon to investigate and report on business failures or to settle business disputes.

Independence is a key characteristic of the auditor. For now think of it as conditions necessary to obtain an objective appraisal of the subject matter at issue. If the auditor showed any bias in his or her investigation, or even if there was merely the suspicion of bias, the effectiveness of the auditor’s report would be greatly reduced.


Modern auditing began in 1844 when the British Parliament passed the Joint Stock Companies Act, which for the first time required that corporate directors report to shareholders via an audited financial statement, the balance sheet. In 1844 the auditor was required to be neither an accountant nor independent, but in 1900 a new Companies Act was passed that required an independent auditor.

The first public accountants’ organization was the Society of Accountants in Edinburgh, organized in 1854, and Scotland and England became the leaders in establishing the modern accounting profession. As a result of the British lead, the first North American association of accountants, later to become the Institute of Chartered Accountants of Ontario, was organized in 1879 in Toronto. The Quebec Order became the first legally incorporated accounting association in North America in 1880. The Canadian Institute of Chartered Accountants (CICA) began under federal incorporation laws in 1902. And the Certified General Accountants Association of Canada was incorporated by an Act of Parliament in 1913.

Following British precedents, the first legislation requiring audits in Canada was the Ontario Corporations Act of 1907. This was followed by the Federal Corporation Act of 1917. Until 1930 Canadian practice followed the British model, focusing on the procedures that were followed to process a transaction (transaction oriented); these procedures largely relied on internal evidence.

After the 1929 stock market crash and the Great Depression of the 1930s, Canadian practice was increasingly influenced by developments in the United States. U.S. practice had evolved since the late 19th century towards a process of collecting evidence as to assets and liabilities, or what is frequently referred to as a balance sheet audit. As a result of extensive misleading financial reporting that contributed to the stock market crash of 1929 and the world depression of the 1930s, the U.S. passed legislation in 1933 and 1934 that greatly influenced auditing around the world. The U.S. Securities Acts of 1933 and 1934 created the Securities and Exchange Commission (SEC), which regulated the major stock exchanges in the United States. Companies wishing to trade shares on the New York Stock Exchange or the American Stock Exchange were required to issue audited income statements as well as balance sheets. In addition, because of the earlier problems with misleading financial reports of the 1920s, the emphasis switched to fairness of presentation of these financial statements, and the auditor’s role was to verify the fairness of presentation. In 1941, as a result of experience in the McKesson and Robbins fraud case, the SEC recommended references to “generally accepted audit standards (GAAS)” in the auditor’s report and mandated more extensive reliance on external evidence. This created a need to better define audit standards and objectives. This process was begun in 1948 by the American Institute of Certified Public Accountants (AICPA).

1.1 U.S. Auditing

In the United States the early formal development of accounting and auditing were mixed together. Working with the Federal Trade Commission, the Federal Reserve Board and the New York Stock Exchange, the American Institute of Accountants (later renamed the American Institute of Certified Public Accountants) produced these bulletins designed to systematize accounting and auditing:

1917— Federal Reserve Board, “Uniform Accounting: A Tentative Proposal Submitted by the Federal Reserve Board.”

1918— Federal Reserve Board, “Approved Methods for the Preparation of Balance Sheet Statements.”

1929— Federal Reserve Board, “Verification of Financial Statements.”

1934— New York Stock Exchange, “Audits of Corporate Accounts.”

1936— American Institute of Accountants, “Examination of Financial Statements by Independent Public Accountants.”

These first 20 years were marked by interest in both accounting and auditing and by cooperation between the American Institute and government agencies. In 1939 the American Institute went its own way by creating the Committee on Auditing Procedure to deal exclusively with auditing matters. This committee launched the Statements on Auditing Procedure series, the first of which (1939) was titled “Extensions of Auditing Procedure.” Generally accepted auditing standards, however, were not known by that name until 1947. Following an investigation of the McKesson and Robbins fraud in the late 1930s and the auditors’ failure to detect it, the Securities and Exchange Commission in the United States passed a rule requiring auditors to report that their audits were “in accordance with generally accepted auditing standards.”

The Committee on Auditing Procedure got busy (after being delayed by World War II) and published in 1947 the “Tentative Statements of Auditing Standards—Their Generally Accepted Significance and Scope.”

1.2 Internal Auditing: An Historical Perspective

The demand for both external and internal auditing is sourced in the need to have some means of independent verification to reduce record-keeping errors, asset misappropriation, and fraud within business and non-business organizations. The roots of auditing, in general, are intuitively described by accounting historian Richard Brown (1905, quoted in Mautz & Sharaf, 1961) as follows: “The origin of auditing goes back to times scarcely less remote than that of accounting…Whenever the advance of civilization brought about the necessity of one man being entrusted to some extent with the property of another, the advisability of some kind of check upon the fidelity of the former would become apparent.” As far back as 4000 B.C., historians believe, formal record-keeping systems were first instituted by organized businesses and governments in the Near East to allay their concerns about correctly accounting for receipts and disbursements and collecting taxes. Similar developments occurred with respect to the Zhao dynasty in China (1122-256 B.C.). The need for and indications of audits can be traced back to public finance systems in Babylonia, Greece, the Roman Empire, the City States of Italy, etc., all of which developed a detailed system of checks and counterchecks. Specifically, these governments were worried about incompetent officials prone to making bookkeeping errors and inaccuracies as well as corrupt officials who were motivated to perpetrate fraud whenever the opportunity arose. Even the Bible (referring to the period between 1800 B.C. and A.D. 95) explains the basic rationale for instituting controls rather straightforwardly: “…if employees have an opportunity to steal they may take advantage of it.” The Bible also contains examples of internal controls such as the dangers of dual custody of assets, the need for competent and honest employees, restricted access, and segregation of duties (O’Reilly et al., 1998).

Historically then, the emergence of double-entry bookkeeping in circa 1494 A.D. can be directly traced to the critical need for exercising stewardship and control. Throughout European history, for instance, fraud cases — such as the South Sea bubble of the 18th century, and the tulip scandal — provided the justification for exercising more control over managers.

Within a span of a couple of centuries, the European systems of bookkeeping and auditing were introduced into the United States. As business activities grew in size, scope, and complexity, a critical need for a separate internal assurance function that would verify the (accounting) information used for decision-making by management emerged. Management needed some means of evaluating not only the efficiency of work performed for the business but also the honesty of its employees. Around the turn of the 20th century, the establishment of a formal internal audit function to which these responsibilities could be delegated was seen as the logical answer. In due course, the internal audit function became responsible for “careful collection and interpretive reporting of selected business facts” to enable management to keep track of significant business developments, activities, and results from diverse and voluminous transactions (Mautz, 1964).

Companies in the railroad, defense, and retail industries had long recognized the value of internal audit services, going far beyond financial statement auditing and devoted to furnishing reliable operating reports containing nonfinancial data such as “quantities of parts in short supply, adherence to schedules, and quality of the product” (Whittington & Pany, 1998). Similarly, the U.S. General Accounting Office (GAO) and numerous State Auditors’ Offices, for instance, the State of Ohio Auditors’ Office, have traditionally employed large numbers of internal auditors.

In sum, the collective effect of growing transaction complexity and volume, the owner/manager’s (“principals”) remoteness from the source of transactions and potential bias of reporting parties (“agents”), technical (accounting) expertise required to review and summarize business activities in a meaningful way, need for organizational status to ensure independence and objectivity, as well as the procedural discipline necessary for being the “eyes and ears” of management all contributed to the creation of an internal audit department within business organizations. Starting as an internal business function primarily focused on protection against payroll fraud, loss of cash, and other assets, internal audit’s scope was quickly extended to the verification of almost all financial transactions, and still later, gradually moved from an “audit for management” emphasis to an “audit of management” approach (Reeve, 1986).

1.3 Auditing Profession In Islam Age

Hisbah In Islamic Civilization:

The first muhtasib was Rasulullah SAW; for example, he passed by a pile of food and put his hand in it until his fingers were wet. He said: "What is this, owner of the food?" He said: "It was wetted by rain, Messenger of Allah." He said: "Would you not put it on top of the food so people can see it? The one who cheats is not of me."

The first muhtasib appointed after the conquest of Makkah, over the Makkah markets, was Sa’id bin Sa’id bin Al-’As. Rasulullah SAW appointed a woman, Samra’ binti Nuhaik Al-Asadiyyah, as a muhtasib, and Khalifah Umar kept her in the position during his tenure. Khalifah ‘Umar himself performed the role of muhtasib, and he used to tour the market carrying a stick, warning cheaters and those who sold goods at exorbitant prices.

Shariah Rule On Hisbah And Shariah Auditing

There are two major views on the Shariah rule on hisbah, which is based on the discussion of al-amr bil-ma’ruf wal-nahyu ‘an al-munkar:

1. Fardh kifayah, but if everyone is ignorant of it, it is fard ‘ayn upon the capable. This is the view of the majority (Shafi’iyyah, Hanabilah and Hanafiyyah). They include Qaadi Abu Bakr al-Jassas and Al-Alusi (Hanafiyyah), Imam al-Ghazzali and Imam Juwayni (Shafi’iyyah) and Syeikhul Islam Ibnu Taimiyyah (Hanabilah).

2. The duty is wajib on everybody – Malikiyyah e.g. Imaam Ibn Abi Zayd al Qayrawaani :

Many Quranic verses and ahadith support the first view. Hence, Shariah auditing should not be regarded as a worldly corporate governance practice only, but as a religious obligation on the Islamic financial institutions and Shariah auditors (muhtasib / mudaqqiq syar’ie).

Shariah Rule On Muhtasib (Shariah Auditors)

THE CHARACTERISTICS OF THE AUDITOR (MUHTASIB) IN ISLAM CAN BE IDENTIFIED AS FOLLOWS:

1. Must be a Muslim adult, of sound mind and just.

2. Must be of the opinion and strict in religion, knowledgeable of the provisions and purposes of the law.

3. Must be of good standing of the Sunnah.

4. Sincere in his intention for the sake of Allah and without hypocrisy.

5. Known that what he says is not contrary to what he does.

6. To be innocent of people's money and refuse to accept gifts from employers and industries (auditees).

Among the functions of a muhtasib (Khan, 1992) are the following. There should be similarity to what is expected of the scope of work of auditors in an Islamic organization.

MANAGE EQUILIBRIUM: This function implies that the economy is actively managed by the state and a Muhtasib is appointed by the state. Economic equilibrium is manipulated to attain a reasonable degree of efficiency and justice.

PRICE CONTROLS: If market rigidities exist such that the economically powerful class is able to manipulate the price level, the muhtasib has a duty to apply corrective measures and to save the general public from hardship.

CREDIT STRUCTURE: He is to check on any transactions involving usury (riba). In a case where the debtor cannot pay his debt, he would arrange for aid from the zakat fund.

REGULATION OF SUPPLY: He ensures that all trade has to be done in the open market. He is to prevent secret dealings by the traders at their homes, warehouses and behind closed doors that could disturb the supply flows and thus interfere in the establishment of a natural price level. Free access to the market is ensured to anyone who wants to enter the market.

EFFICIENCY IN THE PUBLIC SECTOR: He is to advise the regulator to adopt commendable behavior and refrain from improper conduct. This was based on the Prophetic tradition that the best of jihad was to pronounce truth before an oppressive ruler. He would also deal with complaints of bribery and misappropriation of public funds.

2. AUDITING DEFINITION

Audit was originally confined to ascertaining whether the accounting party had properly accounted for all receipts and payments on behalf of his principal, and was in fact merely a cash audit. Modern audits not only examine cash transactions, but also verify the purport to which the cash transactions relate.

THERE ARE SEVERAL DEFINITIONS OF AUDITING, AS FOLLOWS:

Audit is an examination of accounting records undertaken with a view to establishing whether they correctly and completely reflect the transactions to which they purport to relate.

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Financial Audits: In a financial audit, the assertions about which the auditor seeks objective evidence relate to the reliability and integrity of financial and, occasionally, operating information. The examination of the objective evidence underlying the financial data as reported is called an audit. Analytics, inquiries of management and the verification of information through evidential matter (support) external to the company (i.e., “other audit procedures”) are required.

The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, water management, and energy conservation.

3. THE IMPORTANCE OF AUDITING

Auditing is the analysis, by a qualified accountant, of the financial accounts/records and procedures of a firm or organization. This is essential in order to gain a fair perspective on the company's financial statements. With auditing, potential investors and creditors can look at the financial statements to decide whether or not to invest in a business. Auditing is also important because it protects the public from scams and corrupt business procedures.

The advantages for a business audit are:

1. Gain a strong sense of internal control.

2. Identify key areas for improvement in your company.

3. Test out the performance of new technology.

4. Evaluate threats, economy, efficacy and quality.

5. Realize fraudulent occurrences in the business.

6. Analyze and understand your firm's financial data.

7. The public are protected from corruption.

The disadvantages of a business audit are:

1. It does not take into account the productivity and the skills of the employees of the business.

2. The financial data is never current and does not reveal much about the present financial position of a company.

3. Different accountants use different techniques, therefore it would be hard to compare audits between companies who have used different accountants.

4. For smaller companies, hiring an accountant/firm to carry out an audit can be costly.

5. A bad audit can discourage investment.

6. Can be time consuming to answer the auditor's questions and the business may not work to maximum capacity.

Carrying out an audit is essential for publicly listed companies, because it ensures that the companies are using fair policies prescribed by law and that the public’s money is in safe hands. The basic advantage of an audit is that it makes it easier to compare different companies, as the auditors express their opinions about the fairness of procedures. If a company is given a good opinion, then it means that it is following the law. It also helps in following certain standards. An audit will keep the managers from trying to indulge in fraudulent practices, as it is a means of accountability. It testifies to the reliability and integrity of the results. The only disadvantage of an audit can be the costs involved, because you have to pay the auditors and also ensure that you maintain detailed records of all the transactions, which involves a lot of costs.

ADVANTAGES TO BUSINESS

Advantages of audit for the business are:

1. Satisfaction of Owner

It is because of audit that the owner will be satisfied about the business operations and working of its various departments.

2. Detection and Prevention of Errors

The errors whether committed innocently or deliberately are discovered by the process of audit and its presence prevents their occurrence in the future. No one will try to commit an error or fraud as the accounts are subject to audit and hence they will have a fear of being detected.

3. Verification of Books

Another advantage of audit is the verification of the books of accounts, which helps in maintaining the records up to date at all times.

4. Independent Opinion

Auditing is very useful in obtaining the independent opinion of the auditor about business condition. If the accounts are audited by an independent auditor, the report of the auditor will be true and fair in all respects and it will be of extreme importance for the management of the company.

5. Detection and Prevention of Frauds

Just like errors, frauds are discovered by audit, and its presence minimizes, if it does not totally eliminate, the possibility of future fraud.

6. Moral Check

The process of audit will establish a check on the minds of the staff working in the business and they will not be able to commit any irregularity, as they will have a fear and will also be aware that the accounts will be examined in the near future and that action would be taken against them if any irregularity is discovered. Thus the audit prevents the happening of any irregularity before it starts, and the staff hence become more active and responsible. The fear of getting caught acts as a moral check on the staff of the company.

7. Protection of the Rights and Interests of Shareholders

Audit helps in protecting the interests of shareholders in the case of a joint stock company. Audit gives assurance to the shareholders that the accounts of the company are being maintained properly and that their interest will not suffer under any circumstances.

8. Reliance by Outsiders

Outsiders like creditors, debenture holders, banks, etc. will rely on the business accounts if they are audited by an independent authority (external auditor).

9. Loan Facility

Money can be borrowed easily on the basis of audited balance sheet from financial institutions. If accounts are audited the true picture will be visible to banks and it will be easy for them to issue loans as early as possible.

10. Easy Valuation

It becomes easier to evaluate property, etc. if the accounts are audited when the business is disposed of, and as a result no dispute whatsoever will arise.

11. Up to Date Record

Due to the fear of audit, the work of accounting always remains up to date and correct in all respects.

12. Reliance by Partners

If a new partner is to be inducted in the business, the audited balance sheet will be a good base to estimate the value of goodwill. Moreover, having the accounts of a company audited by an independent person will minimize the chances of misunderstanding among the partners.

13. Reliance by Shareholders

In the case of a joint stock company, the shareholders have no hand in the actual running of the business because the management is in the hands of the directors. So the shareholders are assured in the presence of the process of audit that the directors have not taken any undue advantage of their status and position.

ADVANTAGES TO THE PUBLIC

Advantages of audit for the public are given below:

1. Safety from Exploitation

The interest of the public and shareholders is safe and guaranteed in the presence of audit. Otherwise they may have been exploited by the management. This is the main reason for which the audit has been made mandatory for public limited companies.

2. Facility for Prospective Investor

The prospective investor can easily analyze the position of the company through its audited financial statements and can decide whether or not to invest in the company.

3. Satisfaction about Business Operations

In the presence of audit, the public in general and the owner of the business in particular receive a reliable statement of accounts indicating the true financial position of the concern; they can draw conclusions from it and feel satisfied about it in every respect.

ADVANTAGES TO THE STATE

Advantages of audit to the state are as under:

1. Privatization of Industries

If the nationalized industries are running in losses, the government may denationalize them after going through the audited accounts of such industries.

2. Easy Assessment of Tax

In the presence of audited accounts the assessment of tax becomes very easy because the tax is imposed on the basis of audited accounts.

3. Quick Recovery of Taxes

As the assessment orders can easily be made it will lead to early recovery of taxes.

4. Leading to Economic Progress

The joint stock companies play a vital role in giving a boost to the economic progress of a country. The successful operation of the companies would not have been possible without the presence of audit. So we can easily say that the presence of audit leads to the economic progress of the country.

4. THE TYPES OF AUDITS

Types of Audits and Reviews:

1. Financial Audits or Reviews

2. Operational Audits

3. Department Reviews

4. Information Systems Audits

5. Integrated Audits

6. Investigative Audits or Reviews

7. Follow-up Audits

Financial Audit

A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. CSULB's external auditors, KPMG, perform this type of review. CSULB's Director of Financial Reporting coordinates the work of these auditors on our campus.

Operational Audit

A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.

Department Review

A current period analysis of administrative functions, to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and University policy and integrity of financial information.

Information Systems (IS) Audit

There are three basic kinds of IS Audits that may be performed:

1. General Controls Review

A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.

2. Application Controls Review

A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.

3. System Development Review

A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.

Integrated Audit

This is a combination of an operational audit, department review, and IS audit application controls review. This type of review allows for a very comprehensive examination of a functional operation within the University.

Investigative Audit

This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. All members of the campus community are invited to report suspicions of improper activity to the Director of Internal Auditing Services on a confidential basis. Her direct number is 562-985-4818.

Follow-up Audit

These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. When these follow-up audits are done on external auditors' reports, the results of the follow-up may be reported to those external auditors.

5. TYPES OF AUDITORS

Auditors of financial statements can be classified into two categories:

External auditor / Statutory auditor is an independent firm engaged by the client subject to the audit, to express an opinion on whether the company's financial statements are free of material misstatements, whether due to fraud or error. For publicly-traded companies, external auditors may also be required to express an opinion over the effectiveness of internal controls over financial reporting. External auditors may also be engaged to perform other agreed upon procedures, related or unrelated to financial statements. Most importantly, external auditors, though engaged and paid by the company being audited, are regarded as independent auditors.

The most used external audit standards are the US GAAS of the American Institute of Certified Public Accountants, and the ISA (International Standards on Auditing) developed by the International Auditing and Assurance Standards Board of the International Federation of Accountants.

Internal auditors are employed by the organization they audit. They perform various audit procedures, primarily related to procedures over the effectiveness of the company's internal controls over financial reporting. Due to the requirement of Section 404 of the Sarbanes Oxley Act of 2002 for management to also assess the effectiveness of their internal controls over financial reporting (as also required of the external auditor), internal auditors are utilized to make this assessment. Though internal auditors are not considered independent of the company they perform audit procedures for, internal auditors of publicly-traded companies are required to report directly to the board of directors, or a sub-committee of the board of directors, and not to management, so as to reduce the risk that internal auditors will be pressured to produce favorable assessments.

The most used Internal Audit standards are those of the Institute of Internal Auditors.

Consultant auditors are external personnel contracted by the firm to perform an audit following the firm's auditing standards. This differs from the external auditor, who follows their own auditing standards. The level of independence is therefore somewhere between the internal auditor and the external auditor. The consultant auditor may work independently, or as part of the audit team that includes internal auditors. Consultant auditors are used when the firm lacks sufficient expertise to audit certain areas, or simply for staff augmentation when staff are not available.

Quality auditors may be consultants or employed by the organization.

CHAPTER 3: AN INTRODUCTION TO COMPUTER AUDITING

1. IMPORTANCE OF INFORMATION TECHNOLOGY

Information Technology is concerned with studying, designing and developing computer-related information. This field has been growing at a very fast pace over the last few years and, according to successful and well-known people in the Information Technology sector, this growth is expected to remain stable. Due to the robust growth, millions of jobs have been created in this field. However, it is essential for us to understand the importance of information technology. The importance of information technology in business is set out below.

1.1 Why Is Information Technology Important In Business?

Many businesses need software packages to satisfy their operational as well as functional needs. To fulfil this requirement, these companies sign deals with software manufacturing companies. Information technology is useful in ensuring the smooth functioning of all the departments in a company, such as the human resource department, finance department and manufacturing department, and for security-related purposes.

With the help of information technology, companies in the automobile manufacturing sector are able to get rid of errors or mistakes in the functioning of the tools used for designing and manufacturing purposes. Due to the development of the information technology sector, companies are able to keep themselves aware of changes in the global markets.

Software applications and hardware devices are the main elements of the use of information technology. Web browsers, operating systems, ERPs and special purpose applications are the software used in information technology. Information technology plays an important role in easily solving mathematical problems and in project management systems. Information technology is of great use in the automated production of sensitive information, the automated upgrading of important business processes and the automated streamlining of the various business processes. It has also played an important role in the areas of communication and automated administration of entire systems.

These days IT is crucial to the majority of businesses. Almost all companies use IT to some extent, making it important for employees to have proficient knowledge in the area. It is no longer just IT jobs where staff need a good knowledge of IT. Almost all office based jobs are now almost entirely based around computers and IT.

Having good IT skills gives you a major advantage over those who do not. Even if a role is not an IT job per se, IT knowledge may give you an advantage over other candidates and help you once you are employed. Employees are expected to know the basics of IT in most jobs and there is an assumption that you are able to perform basic computer related tasks. Email is often the main mode of communication, while employees are also expected to be able to write documents and use spreadsheets.

In most cases the Internet is the main research method, so being confident using Google, for example, can be a must.

Most admin tasks in any business are now performed through the use of IT and, for the most part, the traditional numerous filing cabinets are gone. Accounting is usually done with spreadsheets, so accounting staff also need knowledge of IT. Even those working in shops and restaurants will use IT in certain ways, such as the tills. Anyone working in management in any job will need to be able to use computers to either a small or large extent, depending on the nature of their particular job.

With IT playing such an important role in business today, good IT training, either in education or once in employment, can make an important difference. IT is there to make life easier, but if you do not have the necessary confidence it can turn into a nightmare. Staff need to understand the processes they are using, and this requires sufficient training.

IT can be complex, especially in businesses that use it to a large degree, and as with all technologies there will be things that go wrong. Therefore support staff who can solve any issues are useful. Some companies will have a person, or even a whole team of people, whose sole job it is to run and maintain the IT systems and networks. IT is there to help, not hinder, but if things are not managed properly it can cause a whole host of problems. The IT department and processes need to be managed for IT to have the best possible impact on a business. Things need to be in place so the business can make the most of the advantages IT offers.

Some will use some kind of IT methodology to keep their IT management on track. The most widely used methodology is ITIL, which stands for Information Technology Infrastructure Library. ITIL is a set of concepts and policies for managing the IT within a business. Essentially it is the IT best practice.

2. INTRODUCTION

2.1 Purpose

The aim of these notes is to give potential computer auditors an overview of the main activities of computer audit and the role of the computer auditor. They have been written to assist candidates who are planning to attend an interview for a position in computer audit but have a limited knowledge of the subject. For those from either an audit, business or information technology (IT) background seeking a move into computer audit, these notes will provide useful background reading. Whilst any organisation that has agreed to interview a candidate who has limited experience of computer auditing will judge them accordingly, there is substantial scope for candidates to improve their chances by demonstrating that they have done some research and are conversant with the basic principles.

Further, as it is increasingly difficult to distinguish between IT and business areas, many organisations now require that all business auditors have an awareness of computer audit. These notes, therefore, should assist business auditors in obtaining a greater appreciation of computer auditing. Given the diversity of IT, it is not possible within a document of this type to be specific about computer audit in particular sectors or in relation to specific hardware or software. The basic principles of computer audit should be common to all sectors and to most types of hardware and software.

2.2 Definition

One of the most important factors to consider when discussing computer audit is that the term “computer audit” can mean many different things to different people. What may be regarded as computer auditing in one organisation, and very much the realm of the specialist computer auditor, may be undertaken by business auditors in another similar organisation. For example, computer audit may be restricted to auditing systems software in one organisation, whilst areas such as auditing systems under development may be the responsibility of the business auditor.

Similarly, in some organisations, it is not uncommon for the role of computer audit to be extended to include the review of clerical procedures and the production of compliance based audit work programmes for field auditors, thereby providing a wider systems audit service. There are no hard and fast rules as to what constitutes computer audit. Often, similar sized organisations operating in the same sector may have different approaches to computer audit. Even where there appears to be commonality in the scope of audit areas, there can be significant variations in the depth of auditing undertaken. An audit of an operating system in one organisation may require between 5 and 10 man-days, whilst in another, the same operating system may be subject to a more detailed examination lasting several months.

2.3 Origins Of Computer Audit

The absence of a common definition of computer audit may, in part, be due to the relative newness of computer audit. The history of traditional auditing or inspection can be traced back many hundreds of years. In contrast, computer audit is a relatively recent development. It was not until the late 1970’s that the majority of major organisations in the UK established a computer audit capability for the first time.

The use of IT in business is also a relatively recent development. The father of modern day computing is generally regarded as being Charles Babbage, who produced his Difference Calculator in 1833. It was not until the outbreak of the Second World War and the widespread development of valve technology, that the 1st Generation computers were used. Even then, it was many years later that they became commonplace in business.

2.4 Change

A key feature of many organisations today is change. Although not necessarily the driver of change, IT is invariably an intrinsic component and much of the change would not be possible without IT.

IT has had a major impact on social, economic and political factors throughout the world. Not only has it led to the creation of new professions but it has also revolutionised others, such as office work, or, when combined with robotics, manufacturing industries. Computer audit operates in a climate of constant and rapid change. Computer auditors are continually faced with the prospect of faster, smaller and cheaper IT systems. An analogy that is frequently used to describe the rapid development of IT is that, if aviation had developed at the same rate, man would have landed on the moon in 1922. IT is a dynamic area which, in turn, requires a dynamic and flexible control structure. The rapid development of IT is perhaps best indicated by the relative absence of specific IT legislation, which, in England and Wales, is largely based upon precedent established over many years. The only specific IT legislation in the UK at present is the Data Protection Act 1984 and the Computer Misuse Act 1990, both of which have been subject to considerable interpretation by the Courts. Both pieces of legislation are security and control related.

2.5 Nature Of Computer Audit

Although an IT system may achieve the same end result as a manual system, the way in which it does so, and hence the level of security and control required, can differ considerably. There are a number of significant risks associated with the processing of IT systems. It is important, therefore, that high standards of security and control are maintained to minimise the potential impact on the organisation.

Computer fraud and abuse can have a detrimental effect on an organisation. Periodic surveys undertaken by organisations such as the NCC (National Computing Centre) and the Audit Commission indicate the following common instances of computer fraud and abuse:

• unauthorised disclosure of confidential information

• unavailability of key IT systems

• unauthorised modification/destruction of software

• unauthorised modification/destruction of data

• theft of IT hardware and software

• use of IT facilities for personal business

When considering computer audit, it should be noted that the basic control objectives and principles do not change. The manner in which those objectives are achieved, however, does change fundamentally. Specifically, there is a need for greater preventative controls rather than a reliance on the more detective and corrective control mechanisms which would usually be found in manual systems. The development of on-line real time systems, where the immediacy of processing can result in millions of pounds being transferred away in a funds transfer system, requires a robust level of security.
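The difference between preventative and detective controls in a real-time funds transfer system can be shown with a short added example, which is not part of the original notes. The policy values, account names and sample transfers are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions, not taken from the notes).
APPROVED_BENEFICIARIES = {"SUPPLIER-001", "SUPPLIER-002", "PAYROLL"}
DUAL_APPROVAL_LIMIT = 100_000  # pounds; above this a second person must approve


@dataclass(frozen=True)
class Transfer:
    ref: str
    initiator: str
    approver: Optional[str]
    beneficiary: str
    amount: int  # whole pounds


def control_violations(t: Transfer) -> list:
    """Return the policy rules a transfer breaks (empty list means clean)."""
    reasons = []
    if t.amount <= 0:
        reasons.append("non-positive amount")
    if t.beneficiary not in APPROVED_BENEFICIARIES:
        reasons.append("beneficiary not on approved list")
    if t.amount > DUAL_APPROVAL_LIMIT and t.approver is None:
        reasons.append("over limit without second approver")
    if t.approver is not None and t.approver == t.initiator:
        reasons.append("initiator approved own transfer")
    return reasons


def detective_only(transfers):
    """Post every transfer immediately, then review exceptions afterwards.

    The review finds the same violations, but the money has already left,
    so the exposure is the full value of the offending transfers.
    """
    posted = [t.ref for t in transfers]
    exceptions = {}
    exposure = 0
    for t in transfers:
        reasons = control_violations(t)
        if reasons:
            exceptions[t.ref] = reasons
            exposure += t.amount
    return {"posted": posted, "exceptions": exceptions, "exposure": exposure}


def preventative(transfers):
    """Apply the same rules before posting; violations are held, not paid."""
    posted, held = [], {}
    for t in transfers:
        reasons = control_violations(t)
        if reasons:
            held[t.ref] = reasons      # queued for investigation, no funds move
        else:
            posted.append(t.ref)
    return {"posted": posted, "held": held, "exposure": 0}


# Constructed sample batch: two legitimate payments and two violations.
SAMPLE_TRANSFERS = [
    Transfer("T1", "alice", None, "SUPPLIER-001", 12_500),
    Transfer("T2", "bob", "carol", "SUPPLIER-002", 250_000),
    Transfer("T3", "dave", None, "ACCT-UNKNOWN-9", 2_000_000),
    Transfer("T4", "erin", "erin", "PAYROLL", 150_000),
]

if __name__ == "__main__":
    after = detective_only(SAMPLE_TRANSFERS)
    before = preventative(SAMPLE_TRANSFERS)
    print("detective only :", after["exceptions"], "exposure", after["exposure"])
    print("preventative   :", before["held"], "exposure", before["exposure"])
```

Both modes apply identical rules; only the point at which they run differs, which is why the detective-only run reports the violations with the funds already gone.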

2.6 Computer Auditors

It was not until the late 1970’s that most organisations in the UK established a computer audit capability. This primarily arose out of the need to provide business auditors with independent data from the IT system. This in turn progressed to a wider review of the IT applications and infrastructure to provide an assurance that the organisation’s assets were protected and that suitable security and control mechanisms were in place. The high level of technical knowledge required resulted in the birth of the computer auditor. It is important when considering computer audit to note that it is an integral part of the overall audit activity. It is usually separated to enable specialized security and control issues to be dealt with more effectively and to make better use of specialist staff. Computer auditing, therefore, is a means to an end rather than an end in itself. There is always a temptation when dealing with IT to become engrossed in the technical complexities of an operating system or application and to ignore the business realities of the organisation.

Risk based computer auditing, integrated as appropriate with business audit, is essential if computer audit is to add value to the organisation and to deliver the effective service demanded of it by senior management. Over the years, the role of the computer auditor has changed to being more consultative and value adding. Clearly, where a new system is being developed, it is more cost effective for audit comments to be provided prior to a system being implemented, when improved security and control features can be included more easily and cheaply. Similarly, although computer auditors regularly undertake audits of, say, logical access controls, there is considerable scope for computer auditors to be involved in the design of those components.

There is an issue of independence if the computer auditor becomes involved in the design process as this may be compromised if the same individual subsequently audits that system.

It is generally recognised, however, that the costs of not getting involved are so great that this is not an option. It is unlikely, for example, that senior management will be happy to receive an audit report just after a new IT system has gone live which details significant security and control exposures. The role of the computer auditor continues to mature and develop. This is essential if computer audit is to provide a value added service to the business in the face of increasingly sophisticated technology. A key challenge for computer auditors is to keep up to date with the constant and rapid developments in IT. Continuous training and development is essential. Successful computer auditing is based upon a foundation of technical excellence. Without this, computer auditors are limited in their ability to audit effectively and to provide a valuable service to the organisation. It should also be noted that the role of the computer auditor can, in some areas, overlap with that of the computer security function and this can cause confusion.

It is essential to clearly define respective responsibilities so that unnecessary duplication is avoided. Essentially, the role of the computer security section is to assist users in developing security solutions and to administer that security on a day to day basis. The role of the computer auditor is to provide senior management with an independent and objective assurance as to the level of security applied within the IT environment. As an integral part of the audit process, computer auditors will also provide advice and it is in this area that duplication and overlap may arise.

2.7 Scope

The following sections of these notes describe the main areas of computer audit activity:

• systems under development

• live applications

• IT infrastructure

• audit automation

The extent to which these areas are reviewed and the depth to which they are examined will vary. Key to the performance of audit work is a comprehensive risk based evaluation which should determine the amount of audit resource required and should also assist in determining an assessment of a satisfactory level of security and control. A brief outline of the involvement of the computer auditor has been provided for each area. The purpose of this outline is to give an indication of the audit considerations rather than to provide an exhaustive list.

Readers are advised to refer to appropriate text books where additional information is required, specifically, “Computer Auditing” by Ian J Douglas and the “CIPFA Computer Auditing Guidelines” by CIPFA.

3. SYSTEMS UNDER DEVELOPMENT

3.1 Background

“There is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system” (Machiavelli). The development of a new computer system represents an area of potentially significant risk to an organisation. New computer systems are developed to meet a variety of business needs, whether they be to meet new legal requirements, to maintain or enhance profitability, to improve efficiency or to reduce costs. The failure of a new system could have a major impact on an organisation’s future viability and well being.

A review of an organisation’s financial statements will usually indicate that, with minor exceptions, the development of IT systems is also one of the organisation’s major areas of investment. The potential sources of a new IT application are many and varied. A number of factors, such as cost, time constraints and availability of a skilled resource, will determine which source is the most appropriate for a particular organisation.

Options include:

• a bespoke development by an in-house IT team

• a package solution from a software house

• a bespoke development by a software house

• joint bespoke development (partnership) by a software house and the in-house IT team

• end-user development

Computer audit activity within systems under development is focused on two main areas:

• the manner in which a new IT application is developed

• the adequacy of security and control within an IT application

3.2 Development Of New IT Applications

It is important to ensure that new IT applications are developed in a controlled manner so that they perform only those functions that the user requires and that adequate security and control is included.

The manner in which a new IT system is developed is generally considered under two main headings:

• project management

• the systems development life cycle

3.2.1 Project Management

Project Management is concerned with delivering a solution on time, within budget and to the appropriate level of quality. Project management as an activity is not confined to IT and many of the basic principles have been developed in other industries, notably the construction industry.

The basic principles of good project management are:

• clearly defined management responsibility

• clear objectives and scope

• effective planning and control

• clear lines of accountability

There are a variety of project management methodologies in existence, such as PRINCE (Project in Controlled Environment), which in turn may be supported by an ever increasing range of project management tools, such as Project Manager Workbench (PMW) and MS-Project. The precise requirements of project management methodologies vary and frequently methodologies may be customised to meet the specific needs of an organisation.

In spite of the widespread availability of such methodologies and tools, research has shown that the majority of IT projects are not implemented on time, within budget or to the appropriate level of quality.

Typical components in a project management methodology include:

Organisation

This is to ensure that senior management are committed to the project and to enable issues to be resolved promptly. A standard framework for the direction and management of a project should be established, which generally involves committees such as a Steering Committee and the appointment of specific personnel such as a Project Manager or Project Sponsor.

Planning

This is to ensure that work activities are addressed at an appropriate level of detail, that resource requirements are identified and that risks are properly evaluated. Comprehensive planning is the key to successful project management and forms the basis of subsequent project control. Typically, a project will be broken down into a number of sub-projects, each with a number of specific stages.

Control

This is to ensure that potential problems can be identified and that the ongoing viability of the project can be continuously monitored.

Project control generally consists of financial controls such as budgets and time controls such as milestones, which enable the status of a project to be measured. Frequently, a regime of more subjective controls will also be established, such as internal and quality assurance reviews, supported where necessary by external reviews undertaken by specialist consultancy

Computer Audit Involvement in Project Management

The computer auditor should be involved in the audit of project management. The purpose of this involvement is to provide an objective view to project management and an independent appraisal to accountable senior management, that an adequate system of project management is in place. Key areas of audit interest are to assess whether :

• an effective project team has been set up to ensure that responsibilities are clearly defined, that senior management are involved and that issues can be raised

• comprehensive and sufficiently detailed plans have been prepared together with an assessment of the extent to which they are achievable and whether they cover all areas

• effective mechanisms have been established to continuously monitor project progress in order to obtain an assurance that senior management is provided with timely information so that variances from the plans can be investigated and the appropriate action taken

3.2.2 Systems Development Life Cycle

The systems development life cycle is concerned with the formal development of an IT application and aims to ensure that a new IT solution is:

• developed in a controlled manner

• adequately documented

• maintainable in the future

• developed efficiently and securely

• meets the user’s requirements

IT applications have traditionally been developed in a mainframe computer environment, in a low level programming language such as Assembler, or a high level programming language such as COBOL, by specialised programmers working to a design produced by systems analysts. Package solutions are also used extensively for common applications such as payroll.

As with project management, a variety of methodologies have been developed to assist in this process, the most widely known of which is probably SSADM (Structured Systems Analysis and Design Methodology).

The precise definition of stages in a systems development life cycle will vary according to the development process and methodology being used.

In many ways the stages of a life cycle are consistent with the basic principles of TQM (Total Quality Management). Typical stages are:

Project Initiation/Feasibility Study

The purpose of this phase is to progress an initial idea to a stage where a project can be formally defined. Once defined, the feasibility of this proposal and the cost benefit can be determined.

Analysis And User Requirements

The aims of this phase are to confirm the project objectives and scope, to identify and classify the required data and to identify and prioritise business requirements.

Design

The aim of this phase is to complete a logical and detailed technical design of the system which meets the user’s requirements.

Build

This involves programming and testing the system. Testing will consist of a number of components, such as unit testing, link testing, systems testing and user acceptance testing.

Implementation

The aims of this stage are to plan and co-ordinate all the activities needed to ensure that the new (or amended) system can be successfully moved into production in a manner which will maximise the delivery of benefits while keeping disruption to a minimum.

Post Implementation Review

The aim of this stage is to review the development to determine any lessons for the future. In practice, this stage is all too frequently ignored.

Increasingly, IT applications are being developed by alternative processes. IT applications, for example, are being developed by end users, whether relatively simple spreadsheets which generate key MIS for strategic decision making or more complex developments in languages such as MS-Access and FoxPro. Even within the more formal and structured IT development areas there is a move towards modern methods of developing IT applications.

These include :

• CASE (Computer Aided Software Engineering) - this is a working environment consisting of programs and other developmental tools that help managers, systems analysts, programmers and users to automate the design and implementation of programs and procedures. Common CASE tools include IEF, from Texas Instruments, and Foundation, from Andersen Consulting

• Object Orientation - a program is viewed as a collection of discrete objects that are self contained collections of data structures and routines that interact with other objects. C++ is an object orientated version of the C programming language

• Prototyping - here systems are developed on-screen interactively with the user, typically in a fourth generation language (4GL). Several iterations may be produced until an acceptable product is achieved. From this, a full production system can be developed

• Rapid Application Development (RAD) – unlike prototyping which is a development technique to create a throwaway version of a product, RAD is an end to end development life cycle. It is based upon the premise that 80% of the solution can be achieved in 20% of the time it would take to develop 100% of the solution. The most widely known RAD methodology is DSDM (Dynamic Systems Development Method)

A key impact of these newer approaches is that traditional development documentation may not be available. A more interactive and ongoing involvement may be necessary although this in turn may create issues of resourcing and scheduling.

AUDIT INVOLVEMENT IN THE SYSTEMS DEVELOPMENT LIFE CYCLE

Early involvement in the audit of systems under development is essential. The purpose of this involvement is to provide an assurance to project management, user management and accountable senior management of the organisation that the application has been developed in a secure and controlled manner. Some types of development may cause greater concern than others, such as end-user developments where the users are not skilled in the disciplines of developing IT systems.

The primary area of audit focus should be the design phase where an assurance and advice on the adequacy of proposed controls can be provided.

A strong presence in the testing phase is also recommended to ensure that the proposed controls are robust and workable. The computer auditor should seek an assurance that:

• user requirements have been fully understood and confirmed

• the IT system, and any associated manual processes, meet those requirements

• the development approach and methodology are appropriate for that development and provide for a thorough consideration of risks and the inclusion of controls

• adequate documentation is available which explains the workings of the system

The computer auditor may also undertake limited compliance testing to ensure that deliverables are produced in accordance with the approved methodology.

3.3 IT Application Controls

Within an IT application it is important to ensure that satisfactory levels of security and control are implemented to meet identified risks. Application controls generally fall under two main headings:

• application specific controls

• general IT infrastructure controls

3.3.1 Application Specific Controls

This is concerned with controls within the IT application and consists of the following:

Input Control

Input controls will be necessary to ensure that all data entered is authorised, complete, accurate and entered only once. Typically, a combination of manual and automated controls will be required to achieve this. These include validation checks, range checks and segregation. The system should also provide a suitable mechanism that records sensitive or critical activities by individual users and enables the production of evidence of processing.

Processing Controls

Processing controls will be necessary to ensure that transactions are processed completely, accurately and in a timely fashion. A variety of controls will be used to achieve this, for example, reconciling input control totals with subsequent output, validating the integrity and reasonableness of automatically generated transactions and generating calculations automatically from the appropriate authorised standing data.

Output Controls

Output controls will be necessary to ensure the completeness, accuracy and availability of application output, whether it be in a paper form, or as electronic data. On printed output, controls such as sequence numbers and page numbers will be used to ensure completeness.

Procedures

Procedures should be prepared which contain adequate management and supervisory controls and checks. In some instances, separate user guides may be prepared for the application, although usually they will be incorporated in a departmental procedures manual.

COMPUTER AUDIT INVOLVEMENT IN APPLICATION SPECIFIC CONTROLS

Early involvement in the development of a new IT application is essential if the computer auditor is to add value to the process and to safeguard the organisation’s interests. It is obviously easier and cheaper to incorporate improved security and control features at the design stage of a new system rather than when it has gone live. Research suggests that it only costs 50p to implement a recommendation at the design phase, but £1500 when it has gone live.

In practice, the actual cost can be far higher as the system may not get the necessary priority and resource, and even if it does, the organisation runs the risk of the exposure until the weakness can be corrected.

As the application is in the process of being developed the computer auditor will have to rely on a review of available documentation and discussions with relevant IT and business personnel to obtain an assurance as to the adequacy of security and control.

Whilst it is not possible during the development phase to conduct detailed audit testing, formal test plans should be reviewed to ensure that controls are being adequately addressed and consideration could even be given to setting up specific security and control test plans. Key areas of interest for the computer auditor include:

Input

• are input documents authorised by an appropriate person(s)

• is adequate segregation in place

• does input validation include the following checks:

    • data within valid limits

    • data one of valid codes

    • data compared to existing items on file

    • check digits

    • balancing - e.g. agrees to batch total, journal totals to zero

Processing Controls

• are changes to the calculation/formulae properly controlled, tested and authorised

• are key calculations checked

Output Controls

• is printed output held and distributed securely

• are reasonable checks of output performed

• are logical controls over access to on-line output reports adequate

• is there a schedule of when output is due, which should be linked to an operations schedule to ensure that the necessary programs are run on time

Procedures

• have procedures manuals been prepared which adequately define controls and checks

• have the procedures been tested before the system goes live
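The input validation checks listed under Input above (valid limits, valid codes, comparison with items on file, check digits and balancing), written out as an added example that is not part of the original notes. The transaction codes, limits, account numbers, batch layout and the use of the Luhn algorithm as the check digit scheme are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed reference data (assumptions for this example, not from the notes).
VALID_CODES = {"INV", "CRN", "JNL"}                   # permitted transaction codes
AMOUNT_LIMITS = (Decimal("0.01"), Decimal("50000"))   # valid limits on |amount|
ACCOUNTS_ON_FILE = {"10002343", "30004568"}           # master-file account numbers

# Constructed batch: a header control total plus the keyed transactions.
CONTROL_TOTAL = "76635.50"
SAMPLE_BATCH = [
    {"doc": "D001", "account": "10002343", "code": "INV", "amount": "1200.00"},
    {"doc": "D002", "account": "30004586", "code": "INV", "amount": "300.00"},    # transposed digits
    {"doc": "D003", "account": "20001111", "code": "INV", "amount": "75.50"},     # not on file
    {"doc": "D004", "account": "10002343", "code": "XXX", "amount": "10.00"},     # unknown code
    {"doc": "D005", "account": "30004568", "code": "INV", "amount": "75000.00"},  # over limit
    {"doc": "D001", "account": "10002343", "code": "INV", "amount": "1200.00"},   # keyed twice
    {"doc": "D006", "account": "30004568", "code": "JNL", "amount": "500.00"},
    {"doc": "D007", "account": "10002343", "code": "JNL", "amount": "-450.00"},
]


def luhn_ok(number: str) -> bool:
    """Check digit test: True if the final digit is a valid Luhn check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_amount(text: str):
    """Return a finite Decimal, or None when the field is not a usable number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def validate_record(rec: dict, amount, seen_docs: set) -> list:
    """Apply the field-level checks to one transaction; return the failures."""
    failures = []
    low, high = AMOUNT_LIMITS
    if amount is None:
        failures.append("amount not numeric")
    elif not low <= abs(amount) <= high:
        failures.append("amount outside valid limits")
    if rec["code"] not in VALID_CODES:
        failures.append("invalid transaction code")
    if not luhn_ok(rec["account"]):
        failures.append("account check digit failed")
    elif rec["account"] not in ACCOUNTS_ON_FILE:
        failures.append("account not on file")
    if rec["doc"] in seen_docs:               # data must be entered only once
        failures.append("document already entered")
    seen_docs.add(rec["doc"])
    return failures


def validate_batch(records: list, control_total: str) -> dict:
    """Run record checks, then the two balancing checks over the whole batch."""
    seen_docs, rejects = set(), []
    entered_total = journal_total = Decimal("0")
    for line_no, rec in enumerate(records, start=1):
        amount = parse_amount(rec["amount"])
        failures = validate_record(rec, amount, seen_docs)
        if failures:
            rejects.append((line_no, rec["doc"], failures))
        if amount is not None:
            entered_total += amount
            if rec["code"] == "JNL":
                journal_total += amount
    return {
        "rejects": rejects,
        # Non-zero means the keyed lines do not agree to the batch header.
        "batch_difference": entered_total - Decimal(control_total),
        # Journal lines must net to zero.
        "journal_difference": journal_total,
    }


if __name__ == "__main__":
    report = validate_batch(SAMPLE_BATCH, CONTROL_TOTAL)
    for line_no, doc, failures in report["rejects"]:
        print(f"line {line_no} ({doc}): {', '.join(failures)}")
    print("batch difference:", report["batch_difference"])
    print("journal difference:", report["journal_difference"])
```

The batch difference equals the amount of the document keyed twice, which is how a control total points the reviewer at a duplicated or missing item.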

3.3.2 General IT Infrastructure Controls

When considering application controls, general IT infrastructure controls should also be evaluated. The rationale behind this is that there is limited value in providing an evaluation on the adequacy of security and control within the application if no assurance can be provided about the IT environment on which it runs.

The basic areas to be considered under general IT infrastructure controls are detailed in Section 4 of these notes. In this instance, they are considered at a lower, application specific level of detail. The extent to which general IT infrastructure controls need to be considered will obviously vary from application to application. If an application is to run on an existing mainframe, then a reliance can be placed upon existing mainframe infrastructure controls. It will only be necessary to consider the areas specific to that application, e.g. which users are to be allowed access, what type of access will be allowed or what additions need to be made to the existing mainframe contingency plan. If, however, the application is to run on a new LAN for example, then additional areas will need to be considered, e.g. should a logical access control package be installed, who will be responsible for its administration and will a new contingency plan be necessary?

The general IT infrastructure controls to be considered include:

• physical security

• contingency planning

• logical access control

• program change control

• operating system

• telecommunications

• storage media

• databases

• cryptography

• computer operations

COMPUTER AUDIT INVOLVEMENT IN GENERAL IT INFRASTRUCTURE CONTROLS

If the new application will run on an existing mainframe installation, a reliance will be placed upon existing computer audit work to assess the security and control mechanisms in place. The audit effort in this instance will focus on the application specific aspects, e.g. has the application been included in the contingency plan and have appropriate logical access control rules been established. If, however, the application requires a new computer installation, say a LAN, then these areas will need to be considered in more detail.

4. LIVE APPLICATIONS

4.1 Background

Many organisations are dependent upon the availability of IT systems to such an extent that it is true to say that for them, no IT means no business.

It is important, therefore, that the IT applications within an organisation are subject to a periodic risk based evaluation of security and control. The rationale behind a periodic evaluation is that :

• IT applications are dynamic and changes to the system will be necessary. Although such changes may be subject to audit evaluation, it is usually the case that changes are made over a period of time, usually without audit review, and the application system may differ considerably from that originally implemented. This may impact on the effectiveness of security and control

• the control environment surrounding the application may change. Associated manual processes, for example, may change significantly, as the dramatic de-layering of middle management in many organisations has shown

• live data may indicate the need for additional security and control. As the application is used in a live environment, specific processing conditions or types of data may come to light which the existing security and control structure does not accommodate

• risks may change and increase or decrease, rendering the existing security and controls inappropriate. For example, the number of customers may increase substantially, or data may be used for new purposes such as strategic decision making

In a similar way to the audit of systems under development, effective security and control are achieved by a combination of application specific and general IT infrastructure controls.

4.2 Application Controls

This is concerned with controls within the application; see Systems Under Development for details. For ease of reference, the headings of this Section are summarised here:

• input controls

• processing controls

• output controls

• procedures

Computer Audit Involvement in Application Specific Controls

The key issue of audit involvement in live applications is to determine who will undertake the review.

In many organisations, computer auditors will perform a live review of IT applications, whilst in others, live applications may be viewed as a business area and therefore the responsibility of a business auditor. Increasingly, a joint approach is being adopted by many organisations where the IT application forms part of a wider scope audit of the business area and enables a more integrated and complete review to be undertaken. The frequency of the periodic review is also important. Risk should be the key factor in determining frequency and hence, importance to the organisation. A variety of risk assessment methodologies are available for this purpose from the simple and subjective to the more formal and structured such as CRAMM (Computerised Risk Analysis and Management Methodology).

The audit work required for a live application review is very similar to that undertaken for a system under development with one main exception. When auditing an application under development, there is little opportunity for detailed audit testing. Audit work will focus on evaluating the adequacy of security and control using discussion and a review of technical documentation. The testing phase of the project may allow some scope for control testing, but this is artificial. With a live application review, there is considerable scope for audit testing, as live data will be available together with other documentary evidence such as error logs. Effective use of CAATS can also be made in live application reviews.

Interrogation software can be used to identify exceptional conditions in data or to produce a sample of records for testing.
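A small interrogation routine of the kind described above, added here as an illustration and not taken from the original notes. The ledger layout, user names, review threshold and sample seed are constructed assumptions; it reports exceptional conditions (missing sequence numbers, duplicate payments, self-approved entries, large amounts) and draws a repeatable sample for testing.

```python
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed payments extract (illustrative data only).
LEDGER_CSV = """\
seq,supplier,invoice,amount,entered_by,approved_by
1001,S01,INV-778,1200.00,akhalil,msaleh
1002,S02,INV-431,89.90,akhalil,msaleh
1004,S01,INV-778,1200.00,rnasser,msaleh
1005,S03,INV-112,18500.00,rnasser,rnasser
1006,S04,INV-990,9999.99,akhalil,msaleh
1007,S02,INV-432,250.00,akhalil,akhalil
"""

REVIEW_THRESHOLD = Decimal("10000")   # assumed limit above which payments are reviewed


def load_ledger(text: str) -> list:
    """Parse the extract, converting sequence numbers and amounts to typed values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["seq"] = int(row["seq"])
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def sequence_gaps(rows: list) -> list:
    """Completeness: sequence numbers missing between the lowest and highest seen."""
    present = {r["seq"] for r in rows}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_payments(rows: list) -> dict:
    """Same supplier, invoice and amount paid more than once."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["supplier"], r["invoice"], r["amount"])].append(r["seq"])
    return {key: seqs for key, seqs in groups.items() if len(seqs) > 1}


def self_approved(rows: list) -> list:
    """Segregation: entries approved by the same user who keyed them."""
    return [r["seq"] for r in rows if r["entered_by"] == r["approved_by"]]


def over_threshold(rows: list, threshold: Decimal = REVIEW_THRESHOLD) -> list:
    """Payments above the review threshold."""
    return [r["seq"] for r in rows if r["amount"] > threshold]


def draw_sample(rows: list, size: int, seed: int) -> list:
    """Random sample of sequence numbers; the recorded seed makes it re-performable."""
    rng = random.Random(seed)
    population = sorted(r["seq"] for r in rows)
    return sorted(rng.sample(population, min(size, len(population))))


if __name__ == "__main__":
    ledger = load_ledger(LEDGER_CSV)
    print("missing sequence numbers:", sequence_gaps(ledger))
    print("duplicate payments:", duplicate_payments(ledger))
    print("self-approved entries:", self_approved(ledger))
    print("over threshold:", over_threshold(ledger))
    print("sample for testing:", draw_sample(ledger, 3, seed=2024))
```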

4.3 General IT Infrastructure Controls

As with systems under development, when considering application controls, general IT infrastructure controls should also be considered. These areas include :

• physical security

• contingency planning

• logical access control

• program change control

• operating systems

• telecommunications

• storage media

• databases

• cryptography

• computer operations

Computer Audit Involvement in General IT Infrastructure Controls

The approach to the review of general IT infrastructure controls is very similar to that detailed in the Section on Systems Under Development. Again, the main difference is that there is considerably more scope for detailed audit testing in a live review.

5. IT INFRASTRUCTURE

5.1 Background

IT Infrastructure is a generic term which describes components such as computer hardware, systems software or telecommunications which provide a processing platform for business applications.

IT infrastructure represents an area of potentially significant risk to the organisation as the overall security and control of its business applications is to a large extent dependent upon the level of integrity, availability and confidentiality within the IT infrastructure.

5.2 IT Environment

In considering IT infrastructure, it should be noted that there is no such ideal as a standard computer installation. In some organisations, IT hardware may be located in a purpose built computer centre, where responsibility for its operation and maintenance is in the hands of specialist personnel, such as computer operators, systems programmers and operations analysts. In other organisations, IT hardware may also be located in a purpose built computer installation, but responsibility for its operation and maintenance may be vested in a smaller number of personnel who will perform a wider range of duties.

In some organisations, IT hardware may be located in a user environment, where responsibility for such activities as software upgrades and back-ups is simply the part-time responsibility of one or two individuals.

Traditional computer audit text books invariably refer to three distinct types of computer: mainframe, mini and micro. Whilst such terms do exist, in practice it is very difficult to distinguish between them. What is regarded by one organisation as a mainframe computer located in a purpose built computer centre, may be viewed as a mini computer by another and could be located in an office environment.

The situation is further complicated by extensive telecommunications networks and the use of client server environments, where several desktop machines are connected to a central server which contains the data and programs. This move towards a distributed computing environment has increased the potential exposure of most organisations as the control environment increasingly becomes dependent on the weakest link in the network.

The impact of these variances is that the control environment over identical IT infrastructure components can differ significantly.

When considering IT infrastructure, a computer auditor may come across a wide range of environments, configurations, hardware and software.

As ever, risk should be the critical factor in determining the amount of audit effort required and the most effective audit approach to be adopted.

5.3 Infrastructure Areas

The following areas are of interest to the computer auditor in considering IT infrastructure, although the amount of work required under each heading will vary.

For example, a physical security review of a purpose built computer centre housing a large IBM mainframe computer may require a specific audit of several weeks’ duration. A review of the physical security aspects of a user based PC, however, may only require a few hours’ work and could be incorporated into a larger scope audit.

5.3.1 Physical Security

Accidental or deliberate physical damage to IT equipment could damage the software and data of the organisation. Given the large capital investment made by organisations in IT, not only could this result in a significant financial cost to the organisation, but also the non-availability of the system could have a major impact on the well-being of the organisation. It is essential that effective physical security arrangements are in place to protect the IT environment from accidental or malicious damage.

The term physical security can be further considered under the following headings :

Physical Access

This is concerned with restricting access to IT infrastructure to authorised persons only.

Physical access will initially consist of perimeter security which may be achieved by the use of walls and fencing, supported as appropriate by such controls as CCTV or security guards. Within the building, various IT infrastructure components such as telecommunications and central processing units should be segregated and an access control system should be installed to restrict the access of unauthorised personnel. Typically, this will involve some form of card based access control system, although more sophisticated systems using biometrics, such as fingerprint scanning, may be found.

Comprehensive intruder detection systems, incorporating a combination of contact breakers and passive infra red detectors should be used, connected directly to a central monitoring station.

Fire Protection

Fire represents a key area of risk to IT infrastructure and good fire protection systems are essential. Fire protection is generally considered under the following headings:

• fire prevention systems - these include no smoking policies, good housekeeping practices such as the prompt removal of waste paper or the use of fire proof materials

• fire detection systems - these include the use of smoke and fire detectors in ceiling and floor voids and manual fire alarms, which should be connected directly to a central monitoring station

• fire extinguishing systems - traditionally Halon has been used as an effective extinguishing agent although environmental concerns mean that this is no longer appropriate. Other types of extinguishing system include CO2 and fine spray water sprinkler systems. The systems should be capable of manual and automatic activation and also be linked to an automatic power down of the IT equipment

Power Supplies

The availability of quality power supplies is essential to the efficient running of IT infrastructure, otherwise data corruption and equipment damage can occur.

A wide range of devices are available to smooth out potential fluctuations in the quality of the power supply, known as spikes and troughs, such as an uninterruptible power supply (UPS) system. Again, dependent on risk, it may also be appropriate to have a back-up power supply in the event of a mains failure. This will usually consist of a back-up generator and a short term battery powered supply.

Air Conditioning

As with power supplies, IT infrastructure is sensitive to its operating environment. Controls are needed to ensure the quality of air and the temperature. Typically, air conditioning systems will be installed, together with good housekeeping procedures, such as avoiding the shredding of paper in the vicinity of IT equipment.

Flood Protection

Flooding can be caused by both internal and external sources and the impact can be significant, particularly if the water is contaminated, in which case equipment may be damaged beyond repair. Water detection systems should be installed and where possible, water supplies should be routed away from IT equipment.

Care should also be given to the siting of IT equipment so that it is protected from local hazards, such as being below ground level in an area prone to flooding.

Computer Audit Involvement in Physical Security

In considering physical security, the computer auditor should be aware that in some areas this can be a specialist field. In these circumstances, e.g. fire systems, computer auditors should seek the advice of specialist organisations such as the Fire Brigade.

Careful risk analysis is necessary to determine the amount of audit work required in this area and to ensure that the level of control is commensurate with the degree of risk to the organisation.

The computer auditor should ensure that effective security and control mechanisms are in place so that the computer installation is physically secure and is adequately protected against potential destruction and physical loss. Audit work will rely heavily on observation and discussion, together with a review of available documentation such as access control logs, and associated manual procedures, such as those for allowing access to visitors.

5.3.2 Contingency Planning

Such is the dependence on IT by an increasing number of organisations that the non-availability of their IT infrastructure could have a profound impact on the well being of the organisation, if not on its continued survival. Research has indicated that of those organisations suffering a major IT failure, the majority will be out of business within two years. Effective physical security controls can do much to prevent or restrict the potential impact of a disaster, but it is essential that effective and tested contingency plans are in place to enable the organisation to survive such an eventuality. Contingency plans should cater for various levels of IT infrastructure failure, from strike action by key IT staff, to a major disaster such as a fire or flood which completely destroys the IT capability.

In terms of larger IT installations, a number of different strategies can be adopted for contingency. These include:

• hot standby - a dedicated site is available to resume processing from the main site almost instantaneously. This site will have identical IT hardware, software and data to the main site

• warm standby - an alternative, similarly configured site is available to resume processing, but which will require several hours to set up, e.g. to load back-up data. Typically, these sites are provided by specialist disaster recovery services such as CDR (Computer Disaster Recovery) or Guardian Computer Services and may be shared by several users

• cold standby - where premises are available which must first be equipped out with hardware, etc. before they can be used. Typically these range from an empty warehouse to a spare office or a port cabin

• reciprocal agreements - arrangements with other organisations operating similar equipment are also an option, although in reality, these tend to be impractical in today’s IT dependent business environment

Clearly the specific needs of the business will determine which is the most appropriate solution to its needs. For smaller IT environments, variations of these strategies can be adopted.

It is important to ensure that IT contingency plans do not exist in isolation of the business. Business requirements, ideally in the form of a wider business resumption plan, should be clearly identified and should provide the basis for subsequent contingency planning. Regular and thorough testing of the plan is essential if an assurance is to be obtained as to its effectiveness. IT is such a dynamic area and regular testing helps to ensure that potential problems are identified and resolved.

Computer Audit Involvement in Contingency Planning

Ideally, computer auditors should be involved in the development of a contingency plan and in the testing process. The objective of this involvement is to ensure that the plan is comprehensive, up to date, and meets the requirements of the business. The computer auditor should consider whether a contingency plan exists and if it is documented, up to date and regularly tested. Areas to consider include ensuring that the correct back-ups are taken, stored off-site and that the back-up hardware and software environment will meet the needs of the business.

5.3.3 Logical Access Control

The nature of IT is such that the emphasis of the traditional control environment has moved to one of prevention rather than detection. Most organisations now use on-line or real time systems where data is updated and transactions are initiated immediately. Logical access controls, therefore, are a key feature of IT infrastructure in that they provide the ability to identify and authenticate users and thereby control access to and usage of the system. The basic purpose of logical access controls is to restrict authorised users to performing authorised activities from authorised locations via only authorised channels. It is essential to achieve an effective balance between having too much security and allowing too much flexibility and access for the users.

In operating systems such as VMS from DEC, Windows NT from Microsoft and OS/400 from IBM, security functionality is integrated within the operating system software. In others, such as the large IBM operating system, MVS, separate logical access control software will have to be implemented to achieve the required level of security - Top Secret and ACF2 from Computer Associates and RACF from IBM are the most common packages available for this purpose. In some operating systems, notably the various flavours of UNIX, security functionality is included within the operating system software, but it may need to be supplemented by third party packages such as BOKs, to achieve the required level of security.

The basic components of logical access control systems include :

• environmental controls - where system-wide options/parameters are set. These include the initial security level, whether protection is to be extended to magnetic media, password options such as the number of invalid attempts allowed and the enforcement of password changes

• user controls - where restrictions are put on who can access the system and from where. Usually, there will be a number of users in the system who are privileged; that is they have special attributes which enable them to perform special actions. In UNIX, for example, the privileged user is known as “Root” and has access to all system resources

• resource controls - where the protection for resources such as databases are created, e.g. when is access to this database to be allowed, is the access to be read only and from what terminal?

Logical access control systems can be customised although this can have a significant effect on the security of the IT system. The customisation is achieved by a series of parameters or values which determine how the software will work, e.g. how many logon attempts will a user be allowed? Exits are also included which enable an organisation to develop its own logical access controls code.

The administration of logical access control is particularly important. Specifically, it is advisable to segregate the administration of logical access control from other operational activities and to provide for regular checking of the administrator’s activities, e.g. the independent review of audit trails.

A key issue of logical access control is that with the proliferation of IT systems, many users are required to hold several User-IDs and passwords. Inevitably, this results in users keeping a record of them, so compromising security. It is technically feasible to implement a single sign-on system where a user is authenticated at the point of entry and only has to sign-on once. Such systems, however, do not necessarily provide for a secure single sign-on as frequently, passwords are distributed in clear text.

There are problems of password synchronisation and, invariably, the available products do not cater for all of the IT platforms that an organisation is likely to use.

Computer Audit Involvement in Logical Access Control

The basic objective of a logical access control review is to establish whether controls over access to systems, data, software and resources are adequate.

Ideally, the computer auditor should be involved in the initial design of the access control system when appropriate advice and guidance on the level of security can be provided.

The computer auditor should review the access control administration function to ensure adequate segregation, procedures and checking of work.

The system-wide options and locally coded exits should be reviewed to ensure that they do not compromise security. Limited testing may be undertaken to ensure that key databases and system resources are sufficiently protected and that users’ access rights are consistent with their operational duties. An important consideration is to ensure that effective mechanisms have been established to investigate potential and actual breaches of IT security.

5.3.4 Change Control

Change is a common feature of the IT world. It is important that effective control procedures are in place to ensure that only authorised changes are made to IT systems. Not only is there scope for the accidental or deliberate inclusion of unauthorised code (the so called Trojan horse or time bomb) but change involves a degree of risk and it is necessary to ensure, for example, that the right version of software is actually implemented.

Formal change control systems are necessary to ensure that changes to application software, systems software, and even IT hardware, are adequately tested, authorised and moved to live production in a controlled manner.

A variety of change control software products are available to assist, notably CA-Librarian and Endevor for IBM systems. Many operating systems include basic change control functionality, whilst a number of organisations develop their own to meet specific needs. The basic functions of this software are to:

• establish different logical environments for programming, testing, quality assurance and live program versions

• restrict access to program code

• provide version control over the program libraries

• provide an audit trail facility

Formal change control systems should accommodate not only scheduled changes, but also the need for emergency changes, whether they be software or data.

The basic principles of change control apply to emergency changes, i.e. authorisation is required, although detailed investigation, testing and documentation of the change may be undertaken after the event.

Computer Audit Involvement in Program Change Control

The objective of the computer auditor is to obtain an assurance that changes to applications and systems software and hardware are adequately controlled.

The computer auditor should ensure that a change control system is in place which accommodates both scheduled and emergency changes. An assurance should also be obtained that an authorisation mechanism is in place, that adequate documentation of the change is produced, that the integrity and security of program versions is maintained and that the implementation process provides for back-out routines.

5.3.5 Operating Systems

An operating system is usually defined as a set of programs which permit the continuous operation of a computer. The software controls scheduling and execution of application programs and use of computer resources. Simplistically, the operating system acts as the interface between the application program, the user and the IT hardware. The security and control of an operating system is a complex issue and provides an area of potentially major risk to an organisation.

The complexity, size and functionality of operating systems varies enormously from one manufacturer to another. Some operating systems may include functionality, such as database management systems and security software, whilst others will require separate systems software to perform such tasks.

Some of the most well known operating systems include MVS from IBM, which contains over 10 million lines of code, VMS from DEC and VME from ICL. Whilst operating systems such as MVS, VMS and VME are proprietary to that manufacturer and dependent on its hardware, a few operating systems, notably UNIX, are portable and can be run on a range of manufacturers’ hardware. This portability, however, may be limited, as invariably basic UNIX is customised by each supplier to provide its own features, such as AIX from IBM and HP-UX from Hewlett Packard. In effect, these portable, or open systems, become proprietary and dependent on a specific manufacturer’s hardware.

The extent to which operating systems need to be customised varies considerably, not only from one operating system to another, but from organisation to organisation, depending upon its specific requirements. Usually, most operating systems will have a series of parameters or values which determine how the operating system will work. Exits are also included which enable an organisation to develop its own operating system code. This customisation can have a significant effect on the confidentiality, availability and integrity of IT processing.

In larger organisations, running large complex operating systems, it is not uncommon to have personnel specifically responsible for fine tuning and customising the operating system. Effective control procedures are required over such personnel.

Computer Audit Involvement in Operating Systems

The audit of operating systems is a complex and time consuming area. In some instances, software is available to assist in this process, such as CA-Examine for MVS. The basic objective of the computer auditor is to ensure that the security and integrity of the operating system has not been compromised. The auditor should consider whether responsibility for the maintenance of the operating system has been established and that suitable procedures have been documented. An effective change control system is necessary to ensure that only authorised amendments can be made to the operating system. The computer auditor should also ensure that system initiation procedures are established to prevent unauthorised changes.

5.3.6 Telecommunications

The major development in computing in the last few years has been the rapid expansion of telecommunications. As a result, a vast amount of data is regularly transmitted throughout the world and with it there are significant security and control exposures, specifically in terms of availability and integrity.

There are many different types of telecommunications networks, such as local area networks (LANs) which are usually confined to individual offices and wide area networks (WANs) which can span continents.

Telecommunications software is necessary to operate these networks and to enable communication between user terminals and the application program. A vast array of network protocols are necessary and several will be found in the same organisation, whether for historical or specific business reasons (a protocol is a set of standards to ensure data moves efficiently around a network).

Typical protocols include IBM’s SDLC (Synchronous Data Link Control) and TCP/IP (Transmission Control Protocol/Internet Protocol).

Telecommunications software typically provides the following functionality:

• controlling the flow of data in a network

• providing for recovery and resilience

• MIS on network performance and capacity management

• security and cryptography functionality

• network administration tools

• network audit trails

Again, telecommunications is a very specialised area possibly requiring the support of a separate team.

The number of staff required will vary from installation to installation, and may comprise several sections in large organisations running software such as IBM’s SNA (Systems Network Architecture). As with operating systems, telecommunications software can be customised as appropriate by an organisation. Exit points are also available to enable user code to be implemented.

Some telecommunications software, such as CICS (Customer Information Control System) also includes security software features.

Computer Audit Involvement in Telecommunications

The basic audit objective is to ensure that adequate security and control is in place over the organisation’s telecommunications networks. Initially, the computer auditor must obtain network diagrams of all physical and logical connections.

The computer auditor should ensure that telecommunications hardware, such as front-end processors (FEPs) are physically secure. Effective control should be exercised over the addition or deletion of devices to the network and documented procedures should govern the work of the various personnel involved in the network.

The computer auditor should assess the adequacy of the back-up arrangements and assess whether adequate control is exercised over the use of diagnostic tools, such as data scopes which could compromise network integrity or confidentiality. Particular attention should be paid to the existence of any dial-in connections.

5.3.7 Cryptography

The risks associated with the transmission of data over extensive telecommunications networks (parts of which may not be under the organisation’s direct control) have created a need to take additional steps to prevent the unauthorised/accidental corruption of messages in transit, or a breach of confidentiality. Cryptography can be used to ensure confidentiality, integrity, non-repudiation and authenticity and includes such techniques as encryption and digital signatures.

Military organisations and banking institutions make extensive use of cryptography.

Encryption

Encryption is a widely used technique which involves making information indecipherable to protect it from unauthorised viewing or use, especially during transmission or when it is held on removable magnetic media.

Encryption is usually based on a key(s) without which the information cannot be decoded (decrypted). The most widely used encryption system is DES (Data Encryption Standard) although increasingly this is being replaced commercially by the more secure public key system RSA.

Message Authentication

Message authentication makes use of encryption to create a digital signature which is appended to a transaction. This does not scramble the data but any difference in the digital signature at the receiving end will indicate some form of message corruption.
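The append-and-verify exchange described above, as an added example that is not part of the original document. It uses HMAC-SHA-256 (a keyed hash shared by sender and receiver) as the authentication technique, since the page names no algorithm; the key, account numbers and field names are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the key is generated and held
# under the key-management controls the auditor reviews.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical(transaction: dict) -> bytes:
    """Serialise deterministically so both ends authenticate identical bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(transaction: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: the payload stays readable, the tag is appended to it."""
    tag = hmac.new(key, canonical(transaction), hashlib.sha256).hexdigest()
    return {"payload": transaction, "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    tag = message.get("tag")
    if not isinstance(tag, str):
        return False  # a missing or malformed tag is treated as a failed check
    expected = hmac.new(key, canonical(message["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def demo() -> dict:
    """Run the exchange on a constructed payment and on two failure cases."""
    sent = sign({"from": "ACC-001", "to": "ACC-002", "amount": "150.00", "ref": "INV-42"})
    # Constructed in-transit alteration: the amount changes, the tag does not.
    altered = {"payload": dict(sent["payload"], amount="950.00"), "tag": sent["tag"]}
    return {
        "payload_readable": sent["payload"]["amount"] == "150.00",
        "intact_accepted": verify(sent),
        "altered_rejected": not verify(altered),
        "wrong_key_rejected": not verify(sent, key=b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Because both ends hold the same key, a keyed hash of this kind detects alteration in transit but does not give non-repudiation; that requires a public key signature.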

Computer Audit Involvement in Cryptography

Cryptography is a very specialised and complex area and a review of this requires a high degree of specialised knowledge. Typically, in ensuring that adequate controls are in place over authentication and encryption, the computer auditor will wish to ensure that encryption hardware is physically secure, that audit trails are made of key change activity and that the generation of keys is well controlled.

5.3.8 Computer Operations

Within any type of computer installation, personnel are required to operate the IT systems. The tasks undertaken, the number of personnel required and the extent of automation involved may vary significantly from one installation to another.

Typical operating tasks include :

• job scheduling

• operating IT hardware

• housekeeping

• recovery and back-up

Computer Audit Involvement In Computer Operations

The basic objectives of the computer auditor are to assess whether adequate controls are in place over data preparation, the completeness of processing and the dispatch of output. The computer auditor will wish to ensure that adequate audit logs of operator activity are maintained, that the computer room is tidy, that there is an adequate segregation of duties and that work is appropriately organised.

The computer auditor should also ensure that output is securely controlled and that appropriate arrangements exist for re-runs and that unwanted output is safely disposed of.

5.3.9 Databases

A database may be defined as “a collection of interrelated data which is organised so that, as far as possible, it is independent of any specific application and wherever possible, not duplicated”. A database is a structured way of storing and managing data in a consistent manner, which is independent of the physical structure of the data. Data is arguably one of the organisation’s most important resources and as such it is essential that strong controls are in place over its use.

There are two main types of database:

• hierarchical or CODASYL – hierarchical databases have a “tree” structure, with a hierarchy of nodes, the top node being the “root” node. One of the most common examples of this type of database is IMS (Information Management System) from IBM

• relational - with relational databases, data is modelled into logical records and relationships as before, but entities become rows in a table and attributes become columns. DB/2 from IBM is an example of a widely used relational database

The database which holds the data is controlled by software known as a database management system (DBMS). The purpose of this system is to manage the data in the most efficient form. All requests to read, change, insert or delete data must be made through the database management system. Logs are also maintained of such actions. Usually, the database management system incorporates security software to control access to the data.

Computer Audit Involvement in Databases

The basic objective of the computer auditor is to assess the integrity and availability of the database.

Key areas of interest are to restrict access and to ensure a satisfactory segregation of duties between the database administrator and other operation and support functions. Local exits should be reviewed, together with the various DBMS options to ensure that security has not been compromised.

5.3.10 Storage Media

Most organisations operating sophisticated IT systems will hold a vast quantity of data. In general, this will be held on direct access storage devices (DASD) such as fixed disks. In some instances, notably archive data and back-up data, other media such as cartridges, magnetic tapes or optical disks may be used. Often, robotic devices such as cartridge libraries are in use to automate the control of such media, although manually administered tape libraries will also be found.

The concentration of such a quantity of data in a small number of locations poses potential risks to an organisation. It is essential, therefore, that this data is held securely, that it is protected from unauthorised use and that adequate records of its use are maintained. Specific procedures are required to provide for the safe disposal of magnetic media, for which devices such as degaussers may be used.

Computer Audit Involvement in Storage Media

The computer auditor should ensure that satisfactory control is exercised over the use and storage of media and that it is physically protected from accidental or deliberate damage.

The computer auditor should determine what data is held on magnetic media and its significance to the organisation. There will be a need to ensure that authorisation mechanisms are in place for the use of media and that procedures provide for its correct labelling and cleaning.

6. AUDIT AUTOMATION

6.1 Background

In many organisations, the origins of computer audit lie in the need for business auditors to obtain independent data from the system and subsequently, to obtain an assurance about the internal workings of the IT system. Although audit automation still represents a core activity of many computer auditors, increasingly, this activity is being transferred to business auditors. This transition has been facilitated by the availability of more user friendly application software. The role of the computer auditor in this environment is to provide specialist expertise to the business auditors, rather than perform the activity.

IT can deliver significant benefits to the audit process in terms of: timeliness, efficiency, professionalism and increased productivity.

Audit automation is generally considered under two main headings:

• as an audit tool

• as an administration tool

6.2 Audit Tools

Audit automation, in this context, involves the use of computer assisted audit techniques (CAATS) as an integral part of an audit review to increase its overall efficiency and effectiveness. CAATS are generally categorised into those which review data and those which review controls.

Those CAATS which review data generally involve the extraction, examination and manipulation of data by programs. Such techniques can enable the auditor to gain an assurance as to the accuracy and integrity of the data being reviewed and, by implication, the strength or weakness of control. Those CAATS which review controls look at the system rather than data and provide the auditor with an assurance as to whether or not controls exist and are functioning effectively. By implication, this will cause the auditor to question the accuracy and integrity of that data.

Traditional text books on computer audit usually refer to a large range of CAATS. Although some of these are used to varying degrees by some organisations, in practice, interrogation software is the most widely used CAAT.

6.2.1 Interrogation Software

Interrogation software involves the production of a computer program to interrogate either system or application data. Standard programming languages such as COBOL may be used and generalised audit software is also available from the accounting firms, such as System 2190 from KPMG. Specific retrieval software such as Easytrieve from SRA can also be obtained. Increasingly, there is a large range of third party software products available for the development of CAATS. Some of the most widely known include:

• IDEA (Interactive Data Extraction & Analysis)

• ACL (Auditor Command Language)

• SQL (Structured Query Language - used with relational databases)

• SAS (Statistical Analysis Software)

There is also a wide variety of other third party software which can assist in an audit review, such as CA-Examine for a review of the IBM MVS operating system, or the Enterprise Security Manager from Axent for a review of UNIX.
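An interrogation program of the kind described above, applied to the logical access control test from section 5.3.3 (are users’ access rights consistent with their operational duties?). This is an added example, not part of the original document: it runs SQL over an in-memory SQLite copy of a constructed extract, and the table names, roles, review date and 90-day password policy are all assumptions.

```python
import sqlite3

AS_AT = "2024-06-30"          # constructed review date (assumption)
MAX_PASSWORD_AGE_DAYS = 90    # assumed policy value, not taken from the page

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, role TEXT, privileged INTEGER,
                    last_password_change TEXT);
CREATE TABLE role_duties (role TEXT, resource TEXT, access TEXT);
CREATE TABLE access_rights (user_id TEXT, resource TEXT, access TEXT);
"""

# Constructed extract standing in for the security system's own tables.
USERS = [
    ("root", "sysadmin", 1, "2023-11-02"),
    ("amal", "payables_clerk", 0, "2024-06-01"),
    ("omar", "payables_clerk", 0, "2024-01-15"),
    ("sara", "dba", 1, "2024-05-20"),
]
ROLE_DUTIES = [
    ("sysadmin", "os_config", "update"),
    ("payables_clerk", "payables_db", "read"),
    ("payables_clerk", "payables_db", "update"),
    ("dba", "payables_db", "read"),
]
ACCESS_RIGHTS = [
    ("root", "os_config", "update"),
    ("amal", "payables_db", "read"),
    ("amal", "payables_db", "update"),
    ("omar", "payables_db", "read"),
    ("omar", "vendor_master", "update"),  # outside a clerk's duties
    ("sara", "payables_db", "read"),
    ("sara", "payables_db", "update"),    # administrator able to change business data
    ("temp01", "payables_db", "read"),    # right held by an ID with no user record
]


def load_extract() -> sqlite3.Connection:
    """Load the extract into a private database so live data is never touched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO role_duties VALUES (?, ?, ?)", ROLE_DUTIES)
    conn.executemany("INSERT INTO access_rights VALUES (?, ?, ?)", ACCESS_RIGHTS)
    return conn


def rights_beyond_duties(conn: sqlite3.Connection) -> list:
    """Every granted right that the holder's role does not call for."""
    sql = """
        SELECT a.user_id, u.role, a.resource, a.access
        FROM access_rights a
        LEFT JOIN users u ON u.user_id = a.user_id
        LEFT JOIN role_duties d
               ON d.role = u.role AND d.resource = a.resource AND d.access = a.access
        WHERE d.role IS NULL
        ORDER BY a.user_id, a.resource, a.access
    """
    return conn.execute(sql).fetchall()


def stale_privileged_passwords(conn, as_at=AS_AT, max_age=MAX_PASSWORD_AGE_DAYS) -> list:
    """Privileged IDs whose password is older than the policy allows, with age in days."""
    sql = """
        SELECT user_id,
               CAST(julianday(?) - julianday(last_password_change) AS INTEGER)
        FROM users
        WHERE privileged = 1
          AND julianday(?) - julianday(last_password_change) > ?
        ORDER BY user_id
    """
    return conn.execute(sql, (as_at, as_at, max_age)).fetchall()


if __name__ == "__main__":
    db = load_extract()
    print(rights_beyond_duties(db))
    print(stale_privileged_passwords(db))
```

Each row returned is an exception for follow-up with the access control administrator, not proof of misuse.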

6.2.2 Embedded Data Collection

This is similar to interrogation software, but the program logic is embedded within the live application program or systems software.

6.2.3 Parallel Simulation

This involves the re-writing of a system and processing data through it so that the results can be compared to the live system.

6.2.4 Others

There are a variety of other tools, such as code comparison software which can compare two files, containing either data or program code, and highlight differences.
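A sketch of code comparison used for the change control objective in section 5.3.4, that the version running live is the version that was authorised. This is an added example, not part of the original document: it compares a hash manifest of the approved library with the live library and then shows line-level differences for any modified member; the file names and contents are constructed.

```python
import difflib
import hashlib

# Constructed approved (quality-assured) library: member name -> content.
APPROVED = {
    "payroll.py": b"RATE = 0.20\n\ndef tax(gross):\n    return round(gross * RATE, 2)\n",
    "report.py": b"def header():\n    return 'Payroll report'\n",
    "backup.sh": b"#!/bin/sh\ntar -cf /backup/payroll.tar /data/payroll\n",
}

# Constructed live library: one member altered, one missing, one never approved.
LIVE = {
    "payroll.py": b"RATE = 0.02\n\ndef tax(gross):\n    return round(gross * RATE, 2)\n",
    "report.py": b"def header():\n    return 'Payroll report'\n",
    "fix_tmp.py": b"print('emergency fix')\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(library: dict) -> dict:
    """Hash every member of the approved library at the point of sign-off."""
    return {name: sha256(content) for name, content in library.items()}


def compare_to_manifest(manifest: dict, live: dict) -> dict:
    """Classify every difference between the approved manifest and the live library."""
    return {
        "modified": sorted(n for n in manifest if n in live and sha256(live[n]) != manifest[n]),
        "missing": sorted(n for n in manifest if n not in live),
        "unapproved": sorted(n for n in live if n not in manifest),
    }


def show_differences(approved: bytes, live: bytes, name: str) -> list:
    """Line-by-line comparison of one modified member, for the working papers."""
    return list(difflib.unified_diff(
        approved.decode("utf-8").splitlines(),
        live.decode("utf-8").splitlines(),
        fromfile=f"approved/{name}", tofile=f"live/{name}", lineterm=""))


if __name__ == "__main__":
    findings = compare_to_manifest(build_manifest(APPROVED), LIVE)
    print(findings)
    for member in findings["modified"]:
        print("\n".join(show_differences(APPROVED[member], LIVE[member], member)))
```

Each finding is then traced to an authorised change record; an emergency change should still have one, even if it was documented after the event.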

6.3 Administration Tools

A large range of products is now available to assist in the effective running of the internal audit function. These can be developed in-house or acquired from third party suppliers. In some instances, such as planning software, generally available products such as PMW can be used, although audit specific products are increasingly becoming available. Not only do such products simplify the administration of the function, but they also provide a more professional service for the organisation. Typically products will be used for such areas as:

planning, risk assessment, time recording, electronic working papers and presentations.

CHAPTER 4

Applied Case on Auditing Offices of Gaza Strip

Chapter Four: Method and Procedures

This chapter gives a detailed description of the procedures the two researchers followed in carrying out the study, including defining the study methodology, describing the study population, determining the study sample, preparing the study instrument (The Role of Using Information Technology in Enhancing the Quality of Auditing in the Gaza Strip), verifying its validity and reliability, and setting out the study procedures and the statistical methods used to process the results. A description of these procedures follows.

Study Methodology:

In this study the researcher used the descriptive analytical method, through which he attempts to describe the phenomenon under study (the role of using information technology in enhancing the quality of auditing in the Gaza Strip), analyse its data, and show the relationship between its components, the opinions put forward about it, the processes it involves and the effects it produces.

Study Population:

The study population consists of .

Study Sample:

The study sample comprised the research samples, and the following tables show its characteristics:

Table (1)

Distribution of the sample members by age

| Age | Frequency | Percentage |
|---|---|---|
| Under 25 years | 6 | 20% |
| 25-35 | 15 | 50% |
| 36-45 | 6 | 20% |
| 46 years and over | 3 | 10% |
| Total | 30 | 100% |

Table (1) shows that 50% of the sample members are between 25 and 35 years old, 20% of the sample members are under 25 years old or between 36 and 45 years old, and 10% of the sample members are over 45 years old.

Table (2)

Distribution of the sample members by educational attainment

| Educational attainment | Frequency | Percentage |
|---|---|---|
| Diploma | 3 | 10% |
| Bachelor's | 22 | 73.3% |
| Master's | 5 | 16.7% |
| Total | 30 | 100% |

Table (2) shows that 73.3% of the sample members hold a bachelor's degree, 16.7% of the sample members hold a master's degree, and 10% of the sample members hold a diploma.

Table (3)

Distribution of the sample members by practical experience

| Practical experience | Frequency | Percentage |
|---|---|---|
| Less than 5 years | 12 | 40% |
| 5-10 | 10 | 33.3% |
| 11-15 | 3 | 10% |
| More than 15 | 5 | 16.7% |
| Total | 30 | 100% |

Table (3) shows that 40% of the sample members have less than 5 years of experience, 33.3% of the sample members have between 5 and 10 years of experience, 16.7% of the sample members have more than 15 years of experience, and 10% of the sample members have between 11 and 15 years of experience.

)4جدول( يوضح توزيع افراد العينة في هل اقوم باستخدام تكنولوجيا

المعلومات في انجاز عمليات التدقيق

المجموالنعمع

25530التكرار النسبة%100%16.7%83.3المئوية

% من افراد العينة يقوموا83.3من خالل الجدول السابق يتضح ان % من16.7باستخدام تكنولوجيا المعلومات في انجاز عمليات التدقيق, و

افراد العينة ال يقوموا باستخدام تكنولوجيا المعلومات في انجاز عملياتالتدقيق.

)5جدول( يوضح توزيع افراد العينة في هل حصلت على دورة تدريبية في

استخدام تكنولوجيا المعلومات في عملية التدقيق

المجموالنعمع

69

Page 71: site.iugaza.edu.pssite.iugaza.edu.ps/.../The-Role-of...the-Quality.docx · Web viewsite.iugaza.edu.ps

191130التكرار النسبة%100%36.7%63.3المئوية

% من افراد العينة حصلوا63.3من خالل الجدول السابق يتضح ان على دورة تدريبية في استخدام تكنولوجيا المعلومات في عملية التدقيق,

% من افراد العينة لم يحصلوا على دورة تدريبية في استخدام36.7و تكنولوجيا المعلومات في عملية التدقيق.

Study instruments:

After reviewing the previous studies related to the study problem and surveying the opinion of a number of sample members through informal personal interviews, the researcher built the questionnaire in the following steps:

- Defining the questionnaire.
- Drafting the items of the questionnaire, which comprised 30 items.
- Preparing the questionnaire in its initial form.
- Presenting the questionnaire to ( ) referees.

The researcher gave each item of the questionnaire a five-point graded weight.

Table (6)

Coding of the responses to the questionnaire items using SPSS

| Number of items | Strongly disagree | Disagree | Neutral | Agree | Strongly agree |
|---|---|---|---|---|---|
| 30 | 1 | 2 | 3 | 4 | 5 |

Validity of the questionnaire:

First: referee validity:

The questionnaire in its initial form was presented to a group of university professors, specialists working in Palestinian universities in the governorates of the homeland. They gave their opinions and comments on the suitability of the questionnaire items, the extent to which the items belong to the questionnaire, and the clarity of their wording. In light of these opinions some items were excluded and others were modified, bringing the number of items to (30).

Second: internal consistency validity:

The internal consistency of the questionnaire was verified by applying it to a pilot sample of (15) individuals. The Spearman correlation coefficient was calculated between the scores of each item and the total score of the questionnaire using the statistical program (SPSS), as the following table shows:

Table (7)

Correlation coefficient of each questionnaire item with the total score of the questionnaire

| Item | Correlation coefficient | Item | Correlation coefficient | Item | Correlation coefficient |
|---|---|---|---|---|---|
| 1 | 0.715 | 11 | 0.626 | 21 | 0.546 |
| 2 | 0.491 | 12 | 0.513 | 22 | 0.486 |
| 3 | 0.546 | 13 | 0.473 | 23 | 0.601 |
| 4 | 0.548 | 14 | 0.623 | 24 | 0.500 |
| 5 | 0.680 | 15 | 0.634 | 25 | 0.486 |
| 6 | 0.836 | 16 | 0.673 | 26 | 0.542 |
| 7 | 0.597 | 17 | 0.565 | 27 | 0.481 |
| 8 | 0.854 | 18 | 0.627 | 28 | 0.540 |
| 9 | 0.702 | 19 | 0.777 | 29 | 0.562 |
| 10 | 0.472 | 20 | 0.597 | 30 | 0.458 |

The previous table shows that the questionnaire items are statistically significant at the significance levels (0.01, 0.05), which confirms that the questionnaire items have a good degree of internal consistency.

Reliability of the questionnaire:

The reliability of the questionnaire was estimated on the sample members using two methods: the Cronbach's alpha coefficient and the split-half method.

1- Split-half method:

The sample scores were used to calculate the reliability of the questionnaire by the split-half method. The score of the first half of the questionnaire and the score of the second half were computed, the correlation coefficient between the two halves was calculated, and the length was then corrected using the Spearman-Brown formula. The split-half reliability coefficient was (0.580) before correction and (0.734) after correction, which indicates that the questionnaire has a high degree of reliability that reassures the researcher in applying it to the study sample.

2- Cronbach's alpha method:

The researcher used another method of calculating reliability to find the reliability coefficient of the questionnaire. The overall reliability coefficient obtained was (0.893), which indicates that the questionnaire has a good degree of reliability that reassures the researcher in applying it to the study sample.

Statistical treatments and methods:

The researcher used the following statistical treatments and methods in the analysis, using the SPSS program:

1- Frequencies and percentages.
2- Arithmetic mean, standard deviation and relative weight.
3- Correlation coefficient.
4- Cronbach's alpha test.
5- The "F" test, One Way ANOVA, to identify the differences between two variables, one numeric and the other categorical with more than two levels.

Statistical analysis

First question:

The first question states: "What is the role of using information technology in enhancing audit quality in the Gaza Strip?"

To answer the question, the two researchers calculated the arithmetic mean, the standard deviation, the relative weight, the value of the "t" test (One Sample T test) and the significance level. An item is positive, meaning that the sample members agree with its content, if the significance level is less than 0.05 and the relative weight is greater than 60%. An item is negative, meaning that the sample members do not agree with its content, if the significance level is less than 0.05 and the relative weight is less than 60%. The sample's opinions on an item are neutral if the significance level is greater than 0.05. The following table shows this:

Table (8)

Arithmetic means, standard deviations, relative weight, "t" test value and significance level for each item of the questionnaire

| No. | Item | Mean | Standard deviation | Relative weight (%) | "t" test value | Significance level |
|---|---|---|---|---|---|---|
| 1 | Using IT in account auditing helps complete work faster | 4.333 | 0.661 | 86.67 | 11.05 | 0.000 |
| 2 | Using IT in account auditing achieves greater accuracy in work | 4.300 | 0.651 | 86.00 | 10.93 | 0.000 |
| 3 | Using IT in account auditing reduces the costs of those operations | 4.167 | 1.020 | 83.33 | 6.27 | 0.000 |
| 4 | Using IT in account auditing improves the quality of the control procedures over the programs and electronic files used in the entity under audit | 4.233 | 0.679 | 84.67 | 9.95 | 0.000 |
| 5 | Using IT in account auditing helps prepare the audit timetable better | 4.100 | 0.712 | 82.00 | 8.46 | 0.000 |
| 6 | Using IT in account auditing helps distribute tasks among the audit team staff better | 4.067 | 0.785 | 81.33 | 7.44 | 0.000 |
| 7 | Using IT in account auditing helps estimate future audit risks better | 3.867 | 0.900 | 77.33 | 5.28 | 0.000 |
| 8 | Using IT in account auditing helps calculate the audit sample size more accurately | 3.900 | 0.885 | 78.00 | 5.57 | 0.000 |
| 9 | Using IT in account auditing helps prepare the time budget needed for the audit operations and stages better | 4.167 | 0.592 | 83.33 | 10.79 | 0.000 |
| 10 | Using IT in account auditing helps select the audit sample items better | 4.033 | 0.615 | 80.67 | 9.20 | 0.000 |
| 11 | Using IT in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding estimated financial ratios more accurately | 4.133 | 0.629 | 82.67 | 9.87 | 0.000 |
| 12 | Using IT in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding previous financial ratios extracted from the company's books more accurately | 4.200 | 0.714 | 84.00 | 9.20 | 0.000 |
| 13 | Using IT in account auditing helps compare the actual results of the entity's departments with what was planned, to identify deviations and their causes | 4.200 | 0.484 | 84.00 | 13.57 | 0.000 |
| 14 | Using IT in account auditing helps access the audit working papers of previous years easily | 4.300 | 0.702 | 86.00 | 10.14 | 0.000 |
| 15 | Using IT in account auditing helps the auditor review all of the company's accounts and financial statements for the current year and previous years easily | 4.100 | 0.803 | 82.00 | 7.50 | 0.000 |
| 16 | Using IT in account auditing helps the auditor access the annual financial reports of competing entities in the industry easily | 3.967 | 0.718 | 79.33 | 7.37 | 0.000 |
| 17 | Using IT in account auditing helps the auditor access the laws and legislation that affect the activities of the client entity to be audited | 3.867 | 0.819 | 77.33 | 5.79 | 0.000 |
| 18 | Using IT in account auditing helps audit the balances of the various accounts more accurately and better | 3.967 | 0.809 | 79.33 | 6.55 | 0.000 |
| 19 | Using IT in account auditing helps the auditor prepare working papers, engagement letters and confirmations better | 4.267 | 0.640 | 85.33 | 10.85 | 0.000 |
| 20 | Using IT in account auditing helps the auditor prepare flow charts and audit charts better | 4.100 | 0.662 | 82.00 | 9.10 | 0.000 |
| 21 | Using IT in account auditing helps the auditor summarize the audit results for review with the audit team or the entity's management | 4.267 | 0.583 | 85.33 | 11.89 | 0.000 |
| 22 | Using IT in account auditing helps the auditor prepare the letters and reports that will be submitted to management | 4.267 | 0.691 | 85.33 | 10.03 | 0.000 |
| 23 | Using IT in account auditing helps complete arithmetic and clerical operations better | 4.300 | 0.651 | 86.00 | 10.93 | 0.000 |
| 24 | Using IT in account auditing helps the auditor complete the audit program in a shorter time | 4.167 | 0.747 | 83.33 | 8.56 | 0.000 |
| 25 | Using IT in auditing requires the audit office to incur high costs | 3.633 | 0.809 | 72.67 | 4.29 | 0.000 |
| 26 | The auditor does not have sufficient experience to use IT in audit operations | 3.600 | 1.163 | 72.00 | 2.83 | 0.008 |
| 27 | The absence of legislation or laws that require the use of IT is a reason for not using it | 3.700 | 1.179 | 74.00 | 3.25 | 0.003 |
| 28 | The use of manual systems by the companies under audit prevents the auditor from using IT in audit operations | 3.700 | 0.877 | 74.00 | 4.37 | 0.000 |
| 29 | The auditor does not have sufficient training that enables him to use IT in audit operations | 3.700 | 0.952 | 74.00 | 4.03 | 0.000 |
| 30 | The auditor's weak English language skills make him unable to use IT in the audit process | 4.000 | 0.830 | 80.00 | 6.60 | 0.000 |
| | Overall mean | 4.053 | 0.765 | 81.07 | 8.060 | 0.000 |

The previous Table (10) shows that the opinions of the sample members on all items are positive, since the relative weight of every item is greater than 60% and the significance level is less than 0.05. The sample members agree with each of the following statements, with the relative weight shown:

- "Using information technology in account auditing helps complete work faster", with a relative weight of 86.67%.
- "Using information technology in account auditing achieves greater accuracy in work", with a relative weight of 86%.
- "Using information technology in account auditing reduces the costs of those operations", with a relative weight of 83.33%.
- "Using information technology in account auditing improves the quality of the control procedures over the programs and electronic files used in the entity under audit", with a relative weight of 84.67%.
- "Using information technology in account auditing helps prepare the audit timetable better", with a relative weight of 82%.
- "Using information technology in account auditing helps distribute tasks among the audit team staff better", with a relative weight of 81.33%.
- "Using information technology in account auditing helps estimate future audit risks better", with a relative weight of 77.33%.
- "Using information technology in account auditing helps calculate the audit sample size more accurately", with a relative weight of 78%.
- "Using information technology in account auditing helps prepare the time budget needed for the audit operations and stages better", with a relative weight of 83.33%.
- "Using information technology in account auditing helps select the audit sample items better", with a relative weight of 80.67%.
- "Using information technology in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding estimated financial ratios more accurately", with a relative weight of 82.67%.
- "Using information technology in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding previous financial ratios extracted from the company's books more accurately", with a relative weight of 84%.
- "Using information technology in account auditing helps compare the actual results of the entity's departments with what was planned, to identify deviations and their causes", with a relative weight of 84%.
- "Using information technology in account auditing helps access the audit working papers of previous years easily", with a relative weight of 86%.
- "Using information technology in account auditing helps the auditor review all of the company's accounts and financial statements for the current year and previous years easily", with a relative weight of 82%.
- "Using information technology in account auditing helps the auditor access the annual financial reports of competing entities in the industry easily", with a relative weight of 79.33%.
- "Using information technology in account auditing helps the auditor access the laws and legislation that affect the activities of the client entity to be audited", with a relative weight of 77.33%.
- "Using information technology in account auditing helps audit the balances of the various accounts more accurately and better", with a relative weight of 79.33%.
- "Using information technology in account auditing helps the auditor prepare working papers, engagement letters and confirmations better", with a relative weight of 85.33%.
- "Using information technology in account auditing helps the auditor prepare flow charts and audit charts better", with a relative weight of 82%.
- "Using information technology in account auditing helps the auditor summarize the audit results for review with the audit team or the entity's management", with a relative weight of 85.33%.
- "Using information technology in account auditing helps the auditor prepare the letters and reports that will be submitted to management", with a relative weight of 85.33%.
- "Using information technology in account auditing helps complete arithmetic and clerical operations better", with a relative weight of 86%.
- "Using information technology in account auditing helps the auditor complete the audit program in a shorter time", with a relative weight of 83.33%.
- "Using information technology in auditing requires the audit office to incur high costs", with a relative weight of 72.67%.
- "The auditor does not have sufficient experience to use information technology in audit operations", with a relative weight of 72%.
- "The absence of legislation or laws that require the use of information technology is a reason for not using it", with a relative weight of 74%.
- "The use of manual systems by the companies under audit prevents the auditor from using information technology in audit operations", with a relative weight of 74%.
- "The auditor does not have sufficient training that enables him to use information technology in audit operations", with a relative weight of 74%.
- "The auditor's weak English language skills make him unable to use information technology in the audit process", with a relative weight of 80%.

The previous Table (10) also shows that the opinions of the sample members across all questionnaire items have a relative weight of 81.07%, which is greater than 60%, and a significance level of 0.000, which is smaller than 0.05. This means that the use of information technology has a role in enhancing audit quality in the Gaza Strip.
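The decision rule stated for Table (8), as an added example that is not part of the original study: it recomputes the relative weight and the one-sample t value of an item from its reported mean and standard deviation, then applies the positive/negative/neutral rule. The test value 3 and the use of the critical value 2.045 (two-tailed, 0.05, 29 degrees of freedom) in place of the SPSS significance level are assumptions, and the last two rows are constructed.

```python
import math

# Assumptions (not stated in the study): the one-sample t test compares each
# item mean with the neutral midpoint 3 of the five-point scale (3/5 = 60%,
# the relative-weight threshold used by the study). With this test value the
# recomputed t values agree with the reported ones to rounding.
SCALE_MAX = 5
TEST_VALUE = 3.0
N = 30                  # sample size reported in the study
T_CRIT_DF29 = 2.045     # two-tailed critical t, alpha = 0.05, df = N - 1 = 29

# (item, mean, standard deviation, reported relative weight, reported t)
# copied from Table (8).
TABLE8_ROWS = [
    (1, 4.333, 0.661, 86.67, 11.05),
    (3, 4.167, 1.020, 83.33, 6.27),
    (25, 3.633, 0.809, 72.67, 4.29),
    (26, 3.600, 1.163, 72.00, 2.83),
]

# Constructed rows (not from the study) that exercise the other two outcomes.
CONSTRUCTED_ROWS = [
    ("constructed-neutral", 3.100, 1.000),
    ("constructed-negative", 2.400, 0.900),
]


def relative_weight(mean, scale_max=SCALE_MAX):
    """Mean expressed as a percentage of the top of the scale."""
    return mean / scale_max * 100.0


def one_sample_t(mean, sd, n=N, test_value=TEST_VALUE):
    """t = (mean - test value) / (sd / sqrt(n))."""
    return (mean - test_value) / (sd / math.sqrt(n))


def classify(mean, sd, n=N, t_crit=T_CRIT_DF29):
    """Apply the rule: significant and weight > 60% is positive,
    significant and weight < 60% is negative, not significant is neutral.
    t_crit must match n - 1 degrees of freedom."""
    t = one_sample_t(mean, sd, n)
    if abs(t) <= t_crit:          # equivalent to significance level > 0.05
        return "neutral"
    return "positive" if relative_weight(mean) > 60.0 else "negative"


def recompute_table_rows(rows=TABLE8_ROWS):
    """Recompute weight and t for reported rows and record the deviations."""
    out = []
    for item, mean, sd, rep_weight, rep_t in rows:
        w, t = relative_weight(mean), one_sample_t(mean, sd)
        out.append({
            "item": item,
            "weight": round(w, 2),
            "t": round(t, 2),
            "weight_diff": abs(w - rep_weight),
            "t_diff": abs(t - rep_t),
            "verdict": classify(mean, sd),
        })
    return out


if __name__ == "__main__":
    for row in recompute_table_rows():
        print(row)
    for name, mean, sd in CONSTRUCTED_ROWS:
        print(name, round(one_sample_t(mean, sd), 2), classify(mean, sd))
```

Small differences in the second decimal place come from recomputing with the rounded means and standard deviations printed in the table.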

First hypothesis:

The first hypothesis states: "There is a statistically significant relationship at the 0.05 significance level between audit quality and the use of information technology in auditing in the Gaza Strip."

To verify the hypothesis, the two researchers used the Pearson correlation coefficient between the variables under study:

Table (9)

Number, correlation coefficient value and significance level

| Variable | Number | Correlation coefficient | Significance level |
|---|---|---|---|
| Audit quality | 30 | 0.078 | 0.681 |
| Use of technology | 30 | | |

The previous table shows that there is no statistically significant correlation at the 0.05 significance level between audit quality and the use of information technology in the Gaza Strip, as the value of the correlation coefficient was 0.078.

Second hypothesis:

The second hypothesis states: "There are statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the age variable."

To verify the hypothesis, the two researchers used the Independent sample t test between the variables under study:

Table (10)

Sum of squares, degrees of freedom, mean square, "F" test value and significance level

| Source | Sum of squares | Degrees of freedom | Mean square | "F" test value | Significance level |
|---|---|---|---|---|---|
| Between groups | 582.633 | 3 | 194.211 | 1.340 | 0.283 |
| Within groups | 3768.567 | 26 | 144.945 | | |
| Total | 4351.200 | 29 | | | |

The previous table shows that there are no statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the age variable.

Third hypothesis:

The third hypothesis states: "There are statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the educational attainment variable."

To verify the hypothesis, the two researchers used the Independent sample t test between the variables under study:

Table (11)

Sum of squares, degrees of freedom, mean square, "F" test value and significance level

| Source | Sum of squares | Degrees of freedom | Mean square | "F" test value | Significance level |
|---|---|---|---|---|---|
| Between groups | 734.536 | 2 | 367.268 | 2.742 | 0.082 |
| Within groups | 3616.664 | 27 | 133.951 | | |
| Total | 4351.200 | 29 | | | |

The previous table shows that there are no statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the educational attainment variable.

Fourth hypothesis:

The fourth hypothesis states: "There are statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the practical experience variable."

To verify the hypothesis, the two researchers used the Independent sample t test between the variables under study:

Table (12)

Sum of squares, degrees of freedom, mean square, "F" test value and significance level

| Source | Sum of squares | Degrees of freedom | Mean square | "F" test value | Significance level |
|---|---|---|---|---|---|
| Between groups | 478.683 | 3 | 159.561 | 1.071 | 0.378 |
| Within groups | 3872.517 | 26 | 148.943 | | |
| Total | 4351.200 | 29 | | | |

The previous table shows that there are no statistically significant differences at the 0.05 significance level in the use of information technology in determining audit quality in the Gaza Strip attributable to the practical experience variable.

Chapter 5

RESULTS AND RECOMMENDATIONS

RESULTS OF OUR RESEARCH:

After we finished our research, we concluded the following:

1. The use of IT auditing plays an important role in enhancing the quality of auditing services in the Gaza Strip.

2. Not all auditing offices in the Gaza Strip use special audit software in conducting their auditing services.

3. Some auditing offices confuse special auditing software with local accounting packages in conducting their auditing services. We discovered that some auditing offices use accounting programs (not auditing programs) to conduct auditing services, such as the Al-assel program. In contrast, a few auditing offices use special auditing software to conduct their auditing services, such as the CaseWare program, the Aura program and the Audit System (2) program.

4. The age of auditors, their practical experience and their educational degree all affect the quality of auditing services in the Gaza Strip.

5. There are no related regulations or local standards that compel auditors in the Gaza Strip to use IT auditing to conduct their auditing services.

6. Auditing offices lack knowledge of what IT auditing is and what its procedures and standards are.

7. Auditing offices do not have IT departments that can support the audit process.

Recommendations of our research:

Based on the results that have been reached, and to highlight the importance of using IT in auditing, the two researchers proposed a set of recommendations:

1. Increase the use of special IT software that can be used to conduct auditing services in the Gaza Strip.

2. Maximize practical knowledge about IT auditing, its uses and its importance among auditing offices in the Gaza Strip, especially for new auditors.

3. Impose strict regulations and local auditing standards to compel the use of IT auditing in the Gaza Strip.

4. Develop special training courses that maximize practical knowledge about auditing software and its uses.

5. Develop an IT auditing major in Gaza Strip universities that can enhance the use of IT auditing.


Appendix

Study questionnaire

Subject of the study:

Measuring the role of using information technology in improving the quality of audit services in the Gaza Strip from the point of view of auditors. This questionnaire was developed to achieve the objectives of the study, and you are kindly requested to fill in the items of the following questionnaire as you see fit.

Part One

Personal information:

Please place an (×) mark at the appropriate answer.

1. Gender: Male / Female

2. Age: Less than 25 years / 25-35 years / 36-45 years / 46 years and over

3. Educational attainment: Diploma / Bachelor's / Master's / Doctorate

4. Practical experience: Less than five years / 5-10 years / 11-15 years / More than 15 years

5. I use information technology in carrying out audit operations: Yes / No

6. I have received a training course in the use of information technology in the audit process: Yes / No

Part Two:

Please place an (×) mark in the column you see fit:

| No. | Item | Strongly agree | Agree | Neutral | Disagree | Strongly disagree |
|---|---|---|---|---|---|---|
| 1 | Using information technology in account auditing helps complete work faster. | | | | | |
| 2 | Using information technology in account auditing achieves greater accuracy in work. | | | | | |
| 3 | Using information technology in account auditing reduces the costs of those operations. | | | | | |
| 4 | Using information technology in account auditing improves the quality of the control procedures over the programs and electronic files used in the entity under audit. | | | | | |
| 5 | Using information technology in account auditing helps prepare the audit timetable better. | | | | | |
| 6 | Using information technology in account auditing helps distribute tasks among the audit team staff better. | | | | | |
| 7 | Using information technology in account auditing helps estimate future audit risks better. | | | | | |
| 8 | Using information technology in account auditing helps calculate the audit sample size more accurately. | | | | | |
| 9 | Using information technology in account auditing helps prepare the time budget needed for the audit operations and stages better. | | | | | |
| 10 | Using information technology in account auditing helps select the audit sample items better. | | | | | |
| 11 | Using information technology in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding estimated financial ratios more accurately. | | | | | |
| 12 | Using information technology in account auditing helps the auditor compare the entity's actual financial ratios with the corresponding previous financial ratios extracted from the company's books more accurately. | | | | | |
| 13 | Using information technology in account auditing helps compare the actual results of the entity's departments with what was planned, to identify deviations and their causes. | | | | | |
| 14 | Using information technology in account auditing helps access the audit working papers of previous years easily. | | | | | |
| 15 | Using information technology in account auditing helps the auditor review all of the company's accounts and financial statements for the current year and previous years easily. | | | | | |
| 16 | Using information technology in account auditing helps the auditor access the annual financial reports of competing entities in the industry easily. | | | | | |
| 17 | Using information technology in account auditing helps the auditor access the laws and legislation that affect the activities of the client entity to be audited. | | | | | |
| 18 | Using information technology in account auditing helps audit the balances of the various accounts more accurately and better. | | | | | |
| 19 | Using information technology in account auditing helps the auditor prepare working papers, engagement letters and confirmations better. | | | | | |
| 20 | Using information technology in account auditing helps the auditor prepare flow charts and flow diagrams better. | | | | | |
| 21 | Using information technology in account auditing helps the auditor summarize the audit results for review with the audit team or the entity's management. | | | | | |
| 22 | Using information technology in account auditing helps the auditor prepare the letters and reports that will be submitted to management. | | | | | |
| 23 | Using information technology in account auditing helps complete arithmetic and clerical operations better. | | | | | |
| 24 | Using information technology in account auditing helps the auditor complete the audit program in a shorter time. | | | | | |
| 25 | Using information technology in auditing requires the audit office to incur high costs. | | | | | |
| 26 | The auditor does not have sufficient experience to use information technology in audit operations. | | | | | |
| 27 | The absence of legislation or laws that require the use of information technology is a reason for not using it. | | | | | |
| 28 | The use of manual systems by the companies under audit prevents the auditor from using information technology in audit operations. | | | | | |
| 29 | The auditor does not have sufficient training that enables him to use information technology in audit operations. | | | | | |
| 30 | The auditor's weak English language skills make him unable to use information technology in the audit process. | | | | | |