Audit IS ve finančním sektoru / IS audit in financial institutions

Ševčík, Petr

January 2011

Concern of this thesis is a topic of an IT audit on financial institutions. These institutions are subject to severe regulations and considering their purpose -- to provide financial services, it has to be maintained unconditional security of both their information system and data. Therefore, financial institutions belong to the group of the most common customers of IT audit services. Opening part is dedicated to the relationship between financial audit and IT audit. Their history is described until present days. Both local and international contemporary legislation is also described. Then the COBIT methodology is introduced as main methodology concerning IT auditing. Finally, conclusions about relationship between financial audit and IT audit are presented. Following part of this thesis introduce essential requirements on financial institutions controls that are specific for this sector. There are several kinds of assurances and audit is only one of them, so the following part is dedicated to the introduction of each kind with description of their specifics. In the last, practical, part the IT audit checklist for financial institutions is worked out.

IT audit jako podpora finančního auditu / IT audit as a support for financial audit

GIERTL, Jakub

January 2016

The diploma thesis deals with the use of IT audit as support for financial audit. The work is divided into two larger parts, theoretical and practical. In the theoretical part, the author describes the audit as such, audit methodology, standards of good practice and information system. The practical part is based on the practical execution of the audit, which begins with the audit plan and ends with the evaluation of testing and possible recommendations for change.

A decision support system for selecting IT audit areas using a capital budgeting approach / Dewald Philip Pieters

Pieters, Dewald Philip

January 2015

Internal audit departments strive to control risk within an organization. To do this they choose specific audit areas to include in an audit plan. In order to select areas, they usually focus on those areas with the highest risk. Even though high risk areas are considered, there are various other restrictions such as resource constraints (in terms of funds, manpower and hours) that must also be considered. In some cases, management might also have special requirements. Traditionally this area selection process is conducted using manual processes and requires significant decision maker experience. This makes it difficult to take all possibilities into consideration while also catering for all resource constraints and special management requirements. In this study, mathematical techniques used in capital budgeting problems are explored to solve the IT audit area selection problem. A DSS is developed which implements some of these mathematical techniques such as a linear programming model, greedy heuristic, improved greedy heuristic and evolutionary heuristic. The DSS also implements extensions to the standard capital budgeting model to make provision for special management requirements. The performance of the mathematical techniques in the DSS is tested by applying different decision rules to each of the techniques and comparing those results. The DSS, empirical experiments and results are also presented in this research study. Results have shown that in most cases a binary 0-1 model outperformed the other techniques. Internal audit management should therefore consider this model to assist with the construction of an IT internal audit plan. / MSc (Computer Science), North-West University, Potchefstroom Campus, 2015

IT audit plan

Capital budgeting

Linear programming

Integer programming

Heuristics

Decision support system (DSS)

A decision support system for selecting IT audit areas using a capital budgeting approach / Dewald Philip Pieters

Pieters, Dewald Philip

January 2015

Internal audit departments strive to control risk within an organization. To do this they choose specific audit areas to include in an audit plan. In order to select areas, they usually focus on those areas with the highest risk. Even though high risk areas are considered, there are various other restrictions such as resource constraints (in terms of funds, manpower and hours) that must also be considered. In some cases, management might also have special requirements. Traditionally this area selection process is conducted using manual processes and requires significant decision maker experience. This makes it difficult to take all possibilities into consideration while also catering for all resource constraints and special management requirements. In this study, mathematical techniques used in capital budgeting problems are explored to solve the IT audit area selection problem. A DSS is developed which implements some of these mathematical techniques such as a linear programming model, greedy heuristic, improved greedy heuristic and evolutionary heuristic. The DSS also implements extensions to the standard capital budgeting model to make provision for special management requirements. The performance of the mathematical techniques in the DSS is tested by applying different decision rules to each of the techniques and comparing those results. The DSS, empirical experiments and results are also presented in this research study. Results have shown that in most cases a binary 0-1 model outperformed the other techniques. Internal audit management should therefore consider this model to assist with the construction of an IT internal audit plan. / MSc (Computer Science), North-West University, Potchefstroom Campus, 2015

IT audit plan

Capital budgeting

Linear programming

Integer programming

Heuristics

Decision support system (DSS)

Bringing an IT specialist into the audit process : A decision model for small audit firms / IT specialist i revisionen : En beslutsmodell för små revisionsbyråer

Lundberg, Lisa, Axelsson, Camilla

January 2005

The purpose of this thesis is to develop a decision model for how small audit firms should decide to bring an external IT specialist into the audit process. This model primarily aims to help identify those characteristics of IT in a client company that is being audited that a financial auditor should consider in this decision. This decision model is our proposed solution to a problem that we have identified through previous research; that financial auditors may not have an understanding of risks related to IT and hence infrequently bring an IT specialist into the audit process. The extent of the decision model is limited to small audit firms, because they are the ones requiring external IT specialist while larger audit firms today usually have internal IT specialists. To fulfil the purpose we conducted a qualitative study consisting of an expert study and a user study which identified and classified criteria to include in the decision model. The expert study included two interviews with Certified Information Systems Auditors while the user study included two financial auditors working at small auditing firms. In addition a model validation was conducted with the help of the financial auditors from the user study. The presented decision model has its starting point in the identification of a client company’s most critical process and how this process is affected by the IT in the client company. The expert study showed that the dependency on IT is crucial during an IT audit. The user study instead indicated that the primary criteria when assessing small client com-panies are the presence of software which have been created or adapted for the purpose of the client company. Other criteria that were included in the model were audit trails, access, routines and transaction intensity. The three empirical steps of our research process; the expert study, the user study and the model validation, indicated that all relevant criteria are included in the decision model and that it is useful. Our conclusion is that the decision model may increase the use of IT specialists through the identification of those questions that should be asked in a decision to bring an IT specialist into the audit process and through increasing the awareness of the limits of the users IT knowledge and the risks associated with IT. / Syftet med denna uppsats är att skapa en beslutsmodell för hur små revisionsbyråer skall besluta att ta in en extern IT-specialist i revisionsprocessen. Det främsta syftet med denna modell är att hjälpa till att identifiera de kvaliteter hos IT, i ett klientföretag som revideras, som en revisor skall överväga i detta beslut. Denna beslutsmodell är vår föreslagna lösning till ett problem som vi har identifierat genom tidigare studier; att finansiella revisorer möjligen inte har en full förståelse för de IT relaterade riskerna och till följd av det sällan tar in en IT-specialist i revisionsprocessen. Omfattningen av beslutsmodellen är begränsad till små revisionsbyråer eftersom det är de som behöver externa IT-specialister medan större revisionsbyråer idag ofta har interna IT-specialister. För att uppfylla syftet har vi genomfört en kvalitativ studie bestående av en expertstudie och en användarstudie vilka har identifierat och klassificerat kriterier som bör inkluderas i beslutsmodellen. Expertstudien bestod av två intervjuer med CISA-certifierade IT specialister, medan användarstudien bestod av intervjuer med två finansiella revisorer som arbetar på små revisionsbyråer. Utöver detta genomfördes en modellvalidering med hjälp av revisorerna från användarstudien. Den presenterade beslutsmodellen har sin utgångspunkt i identifieringen av ett klientföretags mest kritiska process och hur denna process är påverkad av klientföreta-gets IT. Expertstudien visade att beroendet av IT är avgörande under en IT-revision. Användarstudien indikerade å andra sidan att det främsta kriteriet när man bedömer små klientföretag är närvaron av mjukvara som har anpassats för klientföretaget. Andra kriterier som inkluderades i modellen var revisionsspår, rutiner för behörighet och transaktionsintensitet. De tre empiriska stegen i vår undersökningsprocess; expertstudien, användarstudien och modellvalideringen, indikerade att alla relevanta kriterier inkluderats i beslutsmodellen och att den är användbar. Vår slutsats är att beslutmodellen kan öka användandet av IT-specialister genom att identifiera de frågor som bör ställas i ett beslut att ta in en IT-specialist i revisionsprocessen och genom att öka medvetenheten om användarnas begränsade kunskap om IT och om risker med IT.

Audit

IT audit

IT specialist

Revision

IT revision

IT specialist

Business studies

Företagsekonomi

Bringing an IT specialist into the audit process : A decision model for small audit firms / IT specialist i revisionen : En beslutsmodell för små revisionsbyråer

Lundberg, Lisa, Axelsson, Camilla

January 2005

<p>The purpose of this thesis is to develop a decision model for how small audit firms should decide to bring an external IT specialist into the audit process. This model primarily aims to help identify those characteristics of IT in a client company that is being audited that a financial auditor should consider in this decision.</p><p>This decision model is our proposed solution to a problem that we have identified through previous research; that financial auditors may not have an understanding of risks related to IT and hence infrequently bring an IT specialist into the audit process. The extent of the decision model is limited to small audit firms, because they are the ones requiring external IT specialist while larger audit firms today usually have internal IT specialists.</p><p>To fulfil the purpose we conducted a qualitative study consisting of an expert study and a user study which identified and classified criteria to include in the decision model. The expert study included two interviews with Certified Information Systems Auditors while the user study included two financial auditors working at small auditing firms. In addition a model validation was conducted with the help of the financial auditors from the user study.</p><p>The presented decision model has its starting point in the identification of a client company’s most critical process and how this process is affected by the IT in the client company. The expert study showed that the dependency on IT is crucial during an IT audit. The user study instead indicated that the primary criteria when assessing small client com-panies are the presence of software which have been created or adapted for the purpose of the client company. Other criteria that were included in the model were audit trails, access, routines and transaction intensity.</p><p>The three empirical steps of our research process; the expert study, the user study and the model validation, indicated that all relevant criteria are included in the decision model and that it is useful. Our conclusion is that the decision model may increase the use of IT specialists through the identification of those questions that should be asked in a decision to bring an IT specialist into the audit process and through increasing the awareness of the limits of the users IT knowledge and the risks associated with IT.</p> / <p>Syftet med denna uppsats är att skapa en beslutsmodell för hur små revisionsbyråer skall besluta att ta in en extern IT-specialist i revisionsprocessen. Det främsta syftet med denna modell är att hjälpa till att identifiera de kvaliteter hos IT, i ett klientföretag som revideras, som en revisor skall överväga i detta beslut.</p><p>Denna beslutsmodell är vår föreslagna lösning till ett problem som vi har identifierat genom tidigare studier; att finansiella revisorer möjligen inte har en full förståelse för de IT relaterade riskerna och till följd av det sällan tar in en IT-specialist i revisionsprocessen. Omfattningen av beslutsmodellen är begränsad till små revisionsbyråer eftersom det är de som behöver externa IT-specialister medan större revisionsbyråer idag ofta har interna IT-specialister.</p><p>För att uppfylla syftet har vi genomfört en kvalitativ studie bestående av en expertstudie och en användarstudie vilka har identifierat och klassificerat kriterier som bör inkluderas i beslutsmodellen. Expertstudien bestod av två intervjuer med CISA-certifierade IT specialister, medan användarstudien bestod av intervjuer med två finansiella revisorer som arbetar på små revisionsbyråer. Utöver detta genomfördes en modellvalidering med hjälp av revisorerna från användarstudien.</p><p>Den presenterade beslutsmodellen har sin utgångspunkt i identifieringen av ett klientföretags mest kritiska process och hur denna process är påverkad av klientföreta-gets IT. Expertstudien visade att beroendet av IT är avgörande under en IT-revision. Användarstudien indikerade å andra sidan att det främsta kriteriet när man bedömer små klientföretag är närvaron av mjukvara som har anpassats för klientföretaget. Andra kriterier som inkluderades i modellen var revisionsspår, rutiner för behörighet och transaktionsintensitet.</p><p>De tre empiriska stegen i vår undersökningsprocess; expertstudien, användarstudien och modellvalideringen, indikerade att alla relevanta kriterier inkluderats i beslutsmodellen och att den är användbar. Vår slutsats är att beslutmodellen kan öka användandet av IT-specialister genom att identifiera de frågor som bör ställas i ett beslut att ta in en IT-specialist i revisionsprocessen och genom att öka medvetenheten om användarnas begränsade kunskap om IT och om risker med IT.</p>

Audit

IT audit

IT specialist

Revision

IT revision

IT specialist

Business studies

Företagsekonomi

Zabezpečení ERP SAP jako součást finančního auditu v prostředí velkých firem / SAP ERP security as part of financial audit in a large business environment

Fišer, Marek

January 2017

The aim of this diploma thesis is to present the methodology that is used, to test the design and implementation of internal application controls in environment of large companies using ERP systems, especially in the environment of companies using SAP ECC. This methodology is described in the thesis. Practical task which is aimed at verifying the security level of SAP ECC in real business environment is also part of the thesis. The practical part is composed of a detailed description of IT auditors individual steps of the testing procedure, a list of security elements, which are subject to an audit procedures and documents required for verification of the control effectiveness implemented in clients environment. Furthermore, there is a summary and evaluation of the risk level associated with identified deficiencies. Part of the evaluation is a list of recommendations, which the company should apply to increase the efficiency of internal controls and thus achieve the optimal security level of SAP ECC. In the final section of the diploma thesis there is an analysis of the deficiencies elaborated. These deficiencies have been identified during the audit season in 2016 in environment of 20 large companies using this ERP system. Identified findings are classified according to the risk level. Another part of analysis are comprehensive recommendations that IT auditors provide to their clients in order to increase the security level of IT environment, especially in connection with the management and other activities related to financial data.

The use of generalized audit software by Egyptian external auditors: the effect of audit software features

Kim, H-J., Kotb, A., Eldaly, Mohamed K.A.

2016 July 1929

Yes / Purpose - This study aims to explore: the actual usage of GAS features among Egyptian external auditors, through the technology acceptance model (TAM); how the conceptual complexity of GAS features impact its actual usage; and what factors influencing the GAS use by Egyptian external auditors. Design/methodology/approach - External audit professionals at twelve international audit firms, including the Big 4 and eight medium-sized firms, in Egypt were surveyed. Findings - The results show that the basic features including database queries, ratio analysis, and audit sampling were higher in GAS use, perceived usefulness, and perceived ease of use among Egyptian external auditors than the advanced features: digital analysis, regression/ANOVA, and data mining classification. The SEM analysis by GAS features suggests that perceived ease of use has a stronger effect on GAS use when the conceptual complexity of GAS features is high. The analysis also support that the use of GAS by Egyptian external auditors is more affected by co-worker, supervisor, or organization through perceived usefulness, but not by job relevance, output quality, and result demonstration. Research limitations/implications - Although Egyptian external auditors participated in this study may limit the extent to which the findings may be generalized, the responses provide an insight into the actual usage of GAS features by external auditors and the impact of conceptual complexity of GAS features, which is consistent with the literature concerning the relatively low level of utilizing the advanced features of GAS by internal auditors, suggesting that the issues revealed should be of concern. Practical implications - The results reported in this paper are useful to audit software developers and audit firms in their understanding of factors influencing GAS usage in a different audit context. Originality/value - The study adds value to prior research by providing context-contingent insight into the application of technology acceptance model in an unexplored audit context.

GAS acceptance

GAS use

GAS features

IT audit

Egyptian external audit

The value of context awareness within information technology audit and governance

Le Roux, Theo

January 2020

Thesis (MTech (Business Information Systems))--Cape Peninsula University of Technology, 2020 / A shared common understanding or context awareness (CA) of IT Audit and Governance among all the internal stakeholders of a business remains an important factor. This context awareness is needed between the business itself, the IT department, and the Audit and Risk functions of the business. The research problem states that there is a lack of shared context awareness among all stakeholders when conducting IT audits and implementing IT Governance. To answer the research questions, a case study research strategy was followed using an International Services Group of companies operating from South Africa. The case study offered a diverse group of companies and vast experience in the South African Services, Trading, and Distribution sector. The diversity of this group of companies made it a perfect candidate for understanding context and the value of context in IT when conducting IT audits. The following research questions were asked: i) What are the factors affecting a shared context understanding among the stakeholders when conducting IT audits and implementing IT Governance? ii) How can a shared context understanding among stakeholders be achieved when conducting IT audits and implementing IT Governance? The aim of the study was to explore the value of context awareness within IT Audit and Governance in order to identify the value of shared context understanding. Data collection was done by means of interviews using semi-structured questionnaires and an interview guide. Qualitative data analysis techniques were adopted for this research. The conclusion of the study highlights the importance of a collective understanding of the business’s context in order to obtain alignment in business, IT, and Audit. It refers to the same or a similar understanding of the business processes; this takes time and is unique on all levels.

Context awareness

IT audit

IT Governance

shared context understanding

ubiquitous computing

Artificial Intelligence

machine learning

business process

Revisionens digitalisering : En kvalitativ studie om hur digitaliseringen påverkar revisionens tillförlitlighet och revisionsrisker / Audit digitization : A qualitative study on how digitization affects the reliability of the audit and audit risks

Johansson, Elin, Grönlund, Annica

January 2016

Sammanfattning Examensarbete i företagsekonomi, Högskolan i Skövde.Kandidatuppsats, Externredovisning, vårterminen 2016 Bakgrund: Datorer har under ett halvt sekel använts i näringslivet och revisorer har använt datorer i revisionsprocessen sedan 1980-talet. Teknik är menat att effektivisera revisionen och möta behov av automatisering för att öka lönsamheten, minska tidsåtgången och underlätta revisorernas arbete. Betydelsen och utnyttjandet av automatisering och informationsteknik [IT] i revisionen har ökat kraftigt under 2000-talet som en följd av den tekniska utveckling som sker i samhället. Revisionsbevis går från papper till elektronisk form och informationssystem [IS] kontrollerar data med lite eller helt utan mänsklig inblandning. Branschens digitalisering innebär flera fördelar som flitigt belyses i litteraturen, medan eventuella nackdelar och risker lämnas obelysta.FAR publicerade år 2013 en framtidsstudie där de önskar förbereda branschen på olika förändringar och vara i framkant för att undvika fallgropar och utnyttja möjligheter. I studien utreds flera framtida drivkrafter och en av dem är digitaliseringen. Flera fördelar med digitaliseringen belyses, men också här missas eventuella nackdelar och risker. Syfte: Syftet med denna studie är att, genom att undersöka dagens yrkesverksamma revisionsutövare syn, öka revisionsbranschen och revisionens intressenters förståelse för hur revisionens tillförlitlighet och revisionsrisker påverkas av digitaliseringen. Metod: Studiens empiriska material samlades in genom en kvalitativ metod. Nio revisorer och tre personer som arbetar med risker inom revision och IT-revision har intervjuats genom elva semistrukturerade intervjuer. Slutsats: Studien har kommit fram till att revisorerna i studien och forskningen är eniga om att digitaliseringen innebär flera positiva effekter för revisionen. Exempelvis en ökad kvalitet på slutprodukten, effektivare revisionsprocess och minskad upptäcktsrisk genom att större datamängder kan analyseras. Det föreligger dock en tvetydighet kring huruvida det påverkar revisionens tillförlitlighet som slutprodukt. Studien har visat att yrkesverksamma revisorer har svårt att se risker med den tekniska utvecklingen. Studien har även visat att revisorerna inte har eller anser sig behöva några speciella IT-kunskaper, samtidigt som forskningen menar att IT-kunskaper är mycket viktiga för revisorernas förmåga att göra kvalificerade riskbedömningar. Nyckelord: Revision, digitalisering, tillförlitlighet, förtroende, revisionsrisk, revisionskvalitet, revisionsautomatisering, IT, teknik, IT-revision, ARM. / Abstract Degree in Business Administration, University of SkövdeBachelor Thesis, Financial Accounting, spring term 2016 Background: Computers have been used for half a century in business and auditors have been using computers in the audit process since the 1980s. Technology is meant to make the audit more efficient and meet the needs of automation to increase profitability, reduce the timescale and facilitate the work of the auditors. The meaning and utilization of automation and information technology [IT] in the audit has increased greatly in the 2000s as a result of technological developments taking place in society. Audit evidence goes from paper to electronic and information systems [IS] controls data with little or no human intervention. The industry digitization has several advantages as extensively illustrated in the literature, but the possible disadvantages and risks left not observed. FAR published in 2013 a prospective study in which they wish to prepare the industry to various changes and be in the forefront to avoid pitfalls and exploit opportunities. The study investigated several future drivers and one of them is digitization. Several benefits of digitization are illuminated, but also this study missed potential disadvantages and risks. Purpose: The purpose of this study is that, by examining today's professionals audit practitioners sight, improve the accounting profession and audit stakeholders' understanding of how the reliability of audit and audit risks are affected by digitization. Method: The study's empirical material was gathered through a qualitative method. Nine auditors and three people working with risk assurance and IT audit have been interviewed through eleven semi-structured interviews. Conclusion: The study has concluded that the auditors of the study and research agree that digitization brings several positive effects for the audit. For example, a higher end product quality, a more efficient audit process and reduced detection-risk as a result of larger amounts of data being analyzed. However, there is an ambiguity as to whether it affects the reliability of the audit as a final product. The study has shown that practicing auditors has difficult to see the risks of technological progress. The study has also shown that the auditors did not have or think they need any special IT skills, but research says that IT skills are very important for the auditor's ability to make qualified risk assessments. Keywords: Audit, digitization, reliability, trust, audit risk, audit quality, audit automation, IT, technology, IT audit, ARM.

Audit

digitization

reliability

trust

audit risk

audit quality

audit automation

IT

technology

IT audit

ARM

Revision

digitalisering

tillförlitlighet

förtroende

revisionsrisk

revisionskvalitet

revisionsautomatisering

IT

teknik

IT-revision

ARM