Book - Auditors Guide to Information System

OVERALL FRAMEWORK
Within the book the terms Information Technology (IT) and Information Systems (IS) are both used because both are in common use to mean virtually identical functions. The book is split into eight sections, namely:

Part I—IS Audit Process
This part covers the introduction to the technology and auditing involved with the modern computer systems. It seeks to establish common frames of reference for all IT students by establishing a baseline of technological understanding as well as an understanding of risks, control objectives, and standards, all concepts essential to the audit function. Internal control concepts and the planning and management of the audit process in order to obtain the appropriate evidence of the achievement of the control objectives are explained, as is the audit reporting process. Chapter 1 covers the basics of technology and audit. The chapter is intended to give readers an understanding of the technology in use in business as well as knowledge of the jargon and its meaning. It covers the components of control within an IT environment and explains who the main players are and what their role is within this environment.

After reading this chapter you should be able to:
■ Understand the technology currently in use in business
■ Understand the jargon and its meaning
■ Define the components of control in an IT environment
■ Briefly explain who the players are and what their roles are
■ Define the fundamental differences between batch and on-line systems
■ Explain the principal business risks within each processing type
■ Describe the components that make up the on-line system and the effect these have on control objectives
■ Explain the controls within each type of computer system
■ Contrast the basics of batch and on-line security
■ Demonstrate an ability to:
● Identify the differing types of database structures
● Identify the principal components of each type of Database Management System (DBMS)
● Identify the primary threats to each of these components
● Relate DBMS components to the operating system environment in which they operate
● Identify potential control opportunities and select among control alternatives
● Identify the principal DBMS products in the market
● Recognize vulnerabilities in multiple DBMS environments and make appropriate recommendations

TECHNOLOGY AND AUDIT
Some Computing Jargon
Before we can start to discuss the audit and control of computer systems, we must have a common understanding of the jargon used.
Hardware - Hardware consists of those components that can physically be touched and manipulated. Principal among those components are:
■ CPU. The Central Processing Unit is the heart of the computer. This is the logic unit that handles the arithmetic processing of all calculations.
■ Peripherals. Peripheral devices are those devices that attach to the CPU to handle, typically, inputs and outputs. These include:
● Terminals
● Printers
● Disk and tape devices
■ Memory. Memory takes the form in modern computers of silicon chips capable of storing information. In commercial computers, this information takes the form of 1 and 0 in the notation known as binary. Memory comes in various forms including:
● RAM. Random Access Memory whose contents can be changed but which is vulnerable to loss of power where the contents of memory may also be lost. This type of memory is also known as dynamic or volatile memory.
● ROM. Read-Only Memory is a form of memory whereby instructions are “burned-in” and not lost in the event of a power loss. These programs cannot be changed. This is also known as non-volatile memory.
● PROM. Programmable Read-Only Memory is similar to ROM but can have the contents changed.
● EPROM. Erasable Programmable Read-Only Memory is similar to PROM but the instructions can be erased by ultra-violet light. There is another version of memory known as nonvolatile RAM. This is memory that has been attached to a battery so that, in the event of a power loss, the contents will not be lost.
■ Mainframe. Mainframe computers are the large (physically as well as in power) computers used by companies to carry out large volume processing and concentrated computing.
■ Mini. Minicomputers are physically smaller than mainframes, although the power of many minicomputers exceeds that of recent mainframes.
■ Micro. Microcomputers are physically small computers with limited processing power and storage. Having said that, the power and capacity of today’s micro is equivalent to that of a mainframe only five years ago.
■ LANs. Local Area Networks are collections of computers linked together within a comparatively small area.
■ WANs. Wide Area Networks are collections of computers spread over a large geographical area.

Storage - Data is stored in a variety of forms for both permanent and temporary retention:
■ Bits. Binary Digits, individual ones and zeros
■ Bytes. Collections of Bits making up individual characters
■ Disks. Large-capacity storage devices containing anything from 10 Mb to 150 Gb of data
■ Diskettes. Small-capacity removable disks containing from 360 k to 100 Mb of data
■ Optical Disks. Laser-encoded disks containing between 650 Mb and 9 GB of data
■ Tapes. Reel-to-Reel or cassette
■ Memory. As above

Communications - In order to maximize the potential of the effective use of the information on computers it is essential that isolated computers be able to communicate and share data, programs, and hardware devices.
■ Terminals. Remote devices allowing the input and output to and from the computer of data and programs.
■ Modem. MOdulator/DEModulator, which translates digital computer signals into analog signals for telephone wires and retranslates them at the other end.
■ Multiplexer. Combining signals from a variety of devices to maximize utilization of expensive communication lines.
■ Cable. Metallic cable, usually copper, which can carry the signal between computers. These may come in the form of “twisted pair,” where two or more cables are strung together within a plastic sleeve, or in the form of coaxial, where a cable runs within a metallic braiding in the same manner as a television aerial cable.
■ Fiber Optics. These consist of fine strands of fiberglass or plastic filaments that carry light signals without the need for electrical insulation. They have extremely high capacity and transfer rates but are expensive.
■ Microwave. This form of communication involves sending high-power signals from a transmitter to a receiver. They work on a direct line-of-sight basis but require no cabling.

Input - Inputs to computer systems have developed rapidly over the years. The IS Auditor will still occasionally encounter some of the earlier types:
■ Cards. Rarely seen nowadays, punch cards were among the first input and output media and consisted of cardboard sheets, some 8 inches by 4 inches with 80 columns, where rectangular holes could be punched in combinations to represent numeric, alphabetic, and special characters.
■ Paper Tape. Another early input/output medium, paper tape was a low-cost alternative to punch cards and consisted of a 1-inch wide paper tape with circular holes punched to form the same range of characters.
■ Keyboards. The most common input device today (although that is changing). Most keyboards are still based on the original typist’s QWERTY keyboard design.
■ Mouse. An electromechanical pointing device used for inputting instructions in real time.
■ Scanners. Optical devices that can scan pictures into a digitized computer-readable form. These devices may be used in combination with OCR (Optical Character Recognition) software to allow the computer to interpret the pictures of data into actual characters.
■ Bar Codes. Optically recognizable printing that can be interpreted by low-cost scanners. Common in retail operations.
■ Voice. Perhaps the future of computer input whereby the computer user, programmer, or auditor simply dictates into a microphone and the computer responds appropriately.

Output - As with inputs, outputs are changing rapidly. In the earliest of computing times, output came in three basic forms. The most common of these was paper; however, quantities of cards and paper tape were output for subsequent reprocessing. Nowadays most outputs are via screens or directly onto magnetic media.
■ Paper. Still a popular output medium, paper may be in continuous stationery form, cut sheet form, or preprinted business stock such as invoices or negotiable instruments such as checks.
■ Computer. Output directly to another computer is a growing trend with the coming of age of electronic data interchange (EDI).
■ Screen. Output to screen is the current norm for the majority of outputs with graphics, tables, and charts, and three-dimensional forms possible.
■ Microfilm/fiche. For permanent, readable recording of outputs with a small storage space required, microfilm is a popular output medium. Each frame contains one page of printed output. An alternative is the creation of microfiche measuring approximately 6 inches by 4 inches and containing some 200 pages of printout.
■ Magnetic Media. Output to disks, diskettes, and tapes is commonly used to store large volumes of information.
■ Voice. Another new output medium is voice, where a permanent record is not required.

Control - Within the computer systems, control is exercised at a variety of points within the overall architecture. At each stage, opportunities exist to vary the manner in which the computer systems perform to meet the needs of the users.
■ Operating System. The Operating System is the set of programs that control the basic operations of the computer. All other software runs under the direction of the Operating System and relies on its services for all of the work it undertakes.
■ Applications. These systems perform the business functions required of the computer. They run under the direct control of the Operating System but may contain many powerful control elements themselves.
■ Parameters. These are user-defined variations adjusting the manner in which programs normally operate.
■ Run Instructions. These are instructions to operators of computers instructing them on the jobs to be run and responses to machine questions to be entered.
■ JCL. Job Control Language is a means of automating the job-running process by giving the computer the instructions in a form of batch programming language.
■ Human Element. Ultimately control is exercised by the people who use, operate, program, and manage computers.

People - As pointed out in the Criteria of Control (CoCo) report referenced in Chapter 15, control is exercised by people and, as such, the auditor must understand the roles and responsibilities of the individuals involved in the development and processing of computer systems.
■ Operators. Run the computers on a day-to-day basis.
■ Programmers. Write the application programs that run on the computer.
■ Systems Designers. Design the overall structure of the application systems and specify the programs required.
■ Systems Analysts. Analyze the business structures, applications, and procedures to determine what, if any, contribution IS can make. They will also design the outline business specifications of new systems.
■ Systems Programmers. Are responsible for the well-being of the Operating Systems and the related systems software components.
■ Database Analysts. Are responsible for maintaining the Database Management System (DBMS), which is the systems software controlling access to and format of the data.
■ Network Analysts. Are responsible for ensuring availability, performance standards, and security are achieved on networks.
■ Management. Plan, organize, and direct to ensure corporate objectives are achieved.

Data - Data consists of:
■ Fields held in
● Records held in
■ Files held on
● Disks