shm00 Glossary


Audit charter - A document approved by the board, which defines the purpose, authority and responsibility of the internal audit activity. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management, and if available, the audit committee.


Audit hook - involves embedding code in application systems for the examination of selected transactions. This helps an IS auditor to act before an error or irregularity gets out of hand.


Automated code comparison - the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is automated.


Application control review - involves the evaluation of an application's automated controls and an assessment of any exposures resulting from the control weaknesses.


Attribute sampling - The primary sampling method used for compliance testing. Attribute sampling is a sampling model used to estimate the rate of occurrence of a specific quality (attribute) in a population, and it is used in compliance testing to confirm whether the quality exists. It is also an audit technique used to select items from a population for audit testing purposes by selecting all those items that have certain attributes or characteristics (such as all items over a certain size).

Balanced Scorecard (BSC) - a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes, and the ability to innovate.


Computer-aided software engineering (CASE) tools - CASE tools are used to assist software development, including design, analysis, and programming. CASE tools automate methods for designing, documenting, and producing structured code.


Compliance testing - Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.


Control self-assessment (CSA) - A method/process by which management and staff of all levels collectively identify and evaluate risks and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager. A CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. A CSA is not intended to replace audit's responsibilities, but to enhance them. The objective of a CSA is to have business management become more aware of the importance of internal control and of their responsibility in terms of corporate governance.


Control totals - control totals can be used to verify the integrity of the contents of data that has been extracted. A value that can be compared against the sum of a batch of items to check against loss in transit. Similar to old-style test keys, the system can compare what the control total indicates was transmitted with the incoming records of what was actually received. If the control total is transmitted separately from the transactional message(s) to which it relates, it can provide some protection against fraudulent or mischievous manipulation of data in transit. The safest way of using control totals is to send the control total message at a different time, and by a different route to the master message.

Data flow diagram - Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origin to its destination, highlighting the paths and storage of data. Data flow diagrams do not order data in any hierarchy; the flow of the data may not necessarily match any hierarchy or data generation order.

Electronic Data Interchange (EDI) - The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.


Electronic Funds Transfer (EFT) - The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.

Embedded audit module - involves embedding specially written software in an organization's host application system so that applications are monitored on a selective basis.

Enterprise architecture (EA) - involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management, and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to create an EA, organizations can address the problem either from a technology perspective or from a business process perspective.

Forensic audit - The systematic collection of evidence after a system irregularity. The evidence collected could then be used in a judicial proceeding. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization's financial statements is not the purpose of a forensic audit.

Hash Totals - a form of data validation. (1) A method for ensuring the accuracy of processed data. It is a total of several fields of data in a file, including fields not normally used in calculations, such as account number. At various stages in the processing, the hash total is recalculated and compared with the original. If any data has been lost or changed, a mismatch signals an error. (2) The total of any numeric data field on a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.
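The control-total and hash-total checks described in the two entries above, worked through as an added example (this code is not part of the glossary or of any ISACA material). It assumes a constructed batch of payment records with an account-number field and an amount field, and shows which kinds of loss or alteration each total does and does not detect.

```python
# Added example, not from the glossary: batch control totals and hash totals.
# The sender computes a record count, a control total (sum of the amount field)
# and a hash total (sum of the account-number field, which has no arithmetic
# meaning and is summed only to detect alteration). These travel separately
# from the records; the receiver recomputes them and compares.
# All records below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account: int  # account number: a field not normally used in calculations
    amount: int   # payment amount in cents


def batch_totals(records):
    """Return (record_count, control_total, hash_total) for a batch."""
    return (len(records),
            sum(r.amount for r in records),
            sum(r.account for r in records))


def verify_batch(received, expected_totals):
    """Recompute totals over the received batch and compare them with the
    totals that travelled separately. Returns the names of mismatching
    totals; an empty list means the batch reconciles."""
    names = ("record_count", "control_total", "hash_total")
    actual = batch_totals(received)
    return [n for n, a, e in zip(names, actual, expected_totals) if a != e]


SENT = [Record(10001, 25000), Record(10002, 7500), Record(10003, 120000)]
SENT_TOTALS = batch_totals(SENT)  # (3, 152500, 30006), sent by a separate route

# A record dropped in transit: count and both totals disagree.
LOST = SENT[:2]
# An amount altered: only the control total disagrees.
ALTERED_AMOUNT = [Record(10001, 25000), Record(10002, 7500), Record(10003, 125000)]
# A payment redirected to another account: the control total still
# reconciles, and only the hash total over account numbers catches it.
ALTERED_ACCOUNT = [Record(10001, 25000), Record(10002, 7500), Record(10009, 120000)]
# Compensating changes (one amount raised, another lowered by the same value):
# every total reconciles. Plain sums are not tamper-proof, which is why the
# glossary stresses sending them separately and why a keyed cryptographic
# check is needed when deliberate manipulation is the concern.
COMPENSATING = [Record(10001, 30000), Record(10002, 2500), Record(10003, 120000)]

if __name__ == "__main__":
    for name, batch in [("intact", SENT), ("lost", LOST), ("amount", ALTERED_AMOUNT),
                        ("account", ALTERED_ACCOUNT), ("compensating", COMPENSATING)]:
        print(f"{name:12s} mismatches: {verify_batch(batch, SENT_TOTALS)}")
```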

Heuristic scanning tools - used to scan for viruses and to indicate possibly infected code.

Honeypot - A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems.

Integrated test facility (ITF) - uses the same programs to compare processing using independently calculated data. This involves setting up many dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. One advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.

IT strategic plan - the purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives.

Open system architecture - open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors.

Processing controls - processing controls ensure that calculations are accurate, that data is processed correctly and as expected, and that sufficient audit trails are created from source to output and vice versa.

Production library listings - these represent executable(s) that are approved and authorized to process organizational data.

Rapid Application Development (RAD) - A methodology that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology.
(RAD) example - Rapid Application Development uses a prototype that can be updated continually to meet changing user or business requirements.


Reasonableness Check - Compares data to predefined reasonability limits or occurrence rates established for the data.

Regression testing - A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase. Regression testing is a type of software testing that intends to ensure that changes (enhancements or defect fixes) to the software have not adversely affected it. Regression testing can be performed during any level of testing (Unit, Integration, System, or Acceptance) but it is mostly relevant during System Testing.

Substantive testing - Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. A substantive test confirms the integrity of actual processing.

Trend/variance detection tools - look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing.

SOURCES: ISACA, STFyw.tISPCMagUT

1 comment:

  1. EDI (Electronic Data Interchange) is a standard format for exchanging business data. The standard is ANSI X12 and it was developed by the Data Interchange Standards Association. ANSI X12 is either closely coordinated with or is being merged with an international standard, EDIFACT.
    EDI Solution
