School of Administrative Studies

Faculty of Liberal Arts and Professional Studies

York University

Fall 2011 Course Outline
AP/ADMS 4552 3.0 Section A Term F Information Systems Audit

Term: Fall 2011

COURSE

AP/ADMS 4552 3.0 Section A Information Systems Audit

Wednesdays 4:00 p.m. to 7:00 p.m.
Location: HNE-032
First day of class: Wednesday September 7, 2011

REQUIRED COURSE TEXT/READINGS:

Required Readings:

  • Course Kit (CK), available from book store and
  • Additional material as posted on the course web site and as listed by means of links in the course outline. This includes cases and assignment details posted on our web site.
  • CICA Assurance Handbook, as available online from York University.

Selected readings are from: [Note these books are available on reserve at the business library in the Schulich building.]

  • Arens, A., R. J. Elder, M. S. Beasley and I. B. Splettstoesser-Hogeterp. 2011. Auditing: The Art and Science of Assurance Engagements (ASAE), Canadian 11th Edition, Pearson Prentice Hall: Toronto.
  • Rainer, R. K. Jr., C. G. Cegielski, I. Splettstoesser-Hogeterp, C. Sanchez-Rodriguez. 2011. Introduction to Information Systems (IIS), Second Canadian Edition, John Wiley & Sons Canada, Ltd.: Mississauga.

WEIGHTING OF COURSE:

Individual assignments: (To be submitted via Turnitin.com)

10% Two hand-in assignments (Due in Sessions 3 and 5)

5% Article analysis assignment (Sign up in first class, completed throughout term)

10% ACL assignment (Due Session 10)

Group work:

5% Multiple choice quiz and provision of current articles (from Session 2, each class)

Examinations:

30% Midterm Examination (Session 7)

40% Final Examination (during regular examination schedule, December 8 – 22)

Assignments: Details will be posted on the course website in the Assignments folder.

If the midterm examination is missed due to an illness, or other extenuating circumstance, with appropriate supporting documentation, your midterm percentage allocation will be added to the final examination. The documentation required to allocate your midterm percentage to the final examination is as follows:

A completed medical form (physician's statement) as provided by the Registrar’s Office:

Physician statements need to be from the same day as the midterm or the day immediately after. Physician statements older than one day after the date of the midterm exam will not be accepted. Physician statements are to be provided to your course director at least one week prior to the makeup midterm date to be eligible to write the makeup midterm.

If a student misses an individual assignment or a group work day, he or she will receive a grade of “0” for that piece of course work.

Deferred Examination Policy
If you miss an examination due to illness, you will need to supply a completed physician’s statement and complete a Deferred Standing Agreement (DSA), to enable you to write the final examination in the following term.

COURSE INSTRUCTOR/CONTACT

Ingrid Splettstoesser, Email:

Office: Atkinson 208, Telephone: (416) 736-2100 x 20472,

Office hours: prior to or after class, or by appointment

Email etiquette:

  • Emails are to be sent from the YorkU domain only; other emails may not be received
  • Use business-like language, with a clear subject line that includes your name, course code and purpose. “Sign” your email with your full name.
  • Emails will be replied to within 24 hours, during the normal business week (Monday through Friday, 9 a.m. to 5 p.m.)

EXPANDED COURSE DESCRIPTION

Calendar Description: Covers the audit of computer-based information systems. Topics include business/accounting information system applications, information systems risks, management controls, control evaluation, audit strategies and computer assisted audit techniques. Prerequisites: 1) for students in the Honours program, 78 credits including AK/ADMS 3595 3.00, AK/ADMS 4551 3.00, and AK/ADMS 2511 3.00 or AK/ADMS 3511 3.00 (prior to Summer 2005); or 2) for other students, the above-listed courses and an average grade of C+ or better in AK/ADMS 3585 3.00 and AK/ADMS 3595 3.00. Course credit exclusion: None.

Prerequisite / Co-Requisite: See Calendar Description. Students are personally responsible to ensure they have the required prerequisites as stated in the course outline or in the course calendar. Students who do not have the prerequisites are at risk of being dropped from the course at any time during the course.

ORGANIZATION OF THE COURSE

Session 1, Wednesday, September 7, 2011

Audit process, information systems audit and Information Technology auditors; information technology auditing standards; Academic honesty issues.

SIGN UP FOR ARTICLE ANALYSIS ASSIGNMENT

FORM GROUPS FOR GROUP WORK

Learning Objectives:

(1) Describe the risk-based financial statement audit process. State the impact of basic and advanced information systems upon the audit process and the role of the information systems auditor,

(2) List the types of information systems audits. Apply the risk-based approach to these audits,

(3) Describe the role of internal auditors in information systems auditing. Describe the nature of the skills required to conduct information systems auditing,

(4) Identify and describe the sources of standards for information systems auditors,

(5) Apply the risk-based audit approach to the audit of spreadsheets

Discussion Cases:Technology Parts Inc.; YourTaxReturn.com (Part 1)

Readings:

  • ASAE Section 2.2 “Responding to the Public Call for High-Quality Audits” and 2.3 “Quality Control” (p. 27-39); Section 5.3 “Audit phases” (p. 120-125); Section 7.1 “Risk in Auditing and the Audit Risk Model” and 7.2 “Inherent Risk Assessment” (p. 205-217); Chapter 8 “Client risk profile and documentation,” Table 10-7 “Impact of Information Systems on Financial Statement Audit Phases” (p. 329), Section 10.3 “Advanced Information Systems and the Audit Process” (p. 330-336)
  • CICA Handbook, CAS 315, Identifying and assessing the risks of material misstatement through understanding the entity and its environment
  • CAS 330, The auditor’s responses to assessed risks
  • Mukheriee, Uttam. 2009, April. “The good, the bad and the ugly,” Internal Auditor, p. 25-26
  • Singleton, Tommie. 2007. “Emerging Technical Standards on Financial Audits: How IT Auditors Gather Evidence to Evaluate Internal Controls”, Information Systems Control Journal, Volume 4, p. 9-11
  • Smith, Philip. 2008, August. “IT skills for internal auditors,” Internal Auditor, p. 44-48
  • Parker, Gerald and M. Datardina. 2011. September. “The top ten TECH issues,” CAMagazine, p. 20-25, from: [Note that your Course Kit has the 2009 article, please go online for the current version.]
  • G7 Due Professional Care, IS Auditing Guideline, from: [Note that you can download each Guideline individually from this page, or you can download a PDF of all of the standards from:

Session 2, Wednesday, September 14, 2011

Information technology control frameworks, information technology governance, information technology auditing standards

STARTING TODAY, THERE WILL BE A GROUP MULTIPLE CHOICE QUIZ (10 QUESTIONS) AT THE BEGINNING OF EACH CLASS. YOU MUST BE PRESENT FOR THE ENTIRE QUIZ TO RECEIVE A GRADE. Each group must also bring in a current article that pertains to today’s lecture to discuss with their group.

Learning Objectives:

(1) Identify the different layers or levels of controls. Provide relevant examples for each control level linked to a particular business or case scenario,

(2) Describe the COSO framework. Apply the COSO framework to information technology,

(3) Describe COBIT and the controls levels used by COBIT,

(4) Describe IT governance and its role within corporate governance,

(5) Contrast the financial statement and internal audit approach for: general controls, application controls and audit assertions

Discussion Cases:YourTaxReturn.com Part 2; Balderssarini Corporation Part 1

Readings:

  • ASAE. Sections 9.2 COSO Components of Internal Control, 9.3 Internal controls and the audit process (p. 273-304); 10.1 Corporate governance strategies and risk assessment frameworks, 10.2 IT Governance and the audit of general information systems controls (p. 313-330) [Note that the Chapter 10 reading also pertains to the next class.]
  • IIS Chapter 12, Acquiring Information Systems and Applications
  • Canadian Institute of Chartered Accountants. 2007. “20 questions directors should ask about IT projects,” from:
  • Hardy, Gary. 2009. “The role of the IT auditor in IT governance,” ISACA, Vol. 1, p. 17-18
  • ISACA. 2009. “In summary: the taking governance forward mapping initiative,” ISACA, Vol. 1, p. 28-31
  • Sobel, Paul. 2008, August. “Risk management-based auditing,” Internal Auditing, p. 92-93
  • Internal control over Financial Reporting – Guidance for Smaller Public Companies, Volume I: Executive Summary, (read Information Technology, p. 4; Focusing on Risk, p. 6; Applying principles in achieving effective internal control over financial reporting, p. 10-11)from:
  • COBIT 4.1 Excerpt, Executive Summary Framework (read Executive Overview, p. 5-8, COBIT Framework, p. 9-11, Fig 23 – Overall CobiT Framework, p. 24) from:
  • G18 IT Governance, IS Auditing Guideline, (read Section 5 and Glossary) from:

Session 3, Wednesday, September 21, 2011

Risk assessment and audit of pervasive/general controls and impact on the audit of application controls; nature of operational application systems reviews

HAND-IN CASE #1 DUE TODAY: see course web site

Learning Objectives:

(1) Use the audit risk model and audit assertions to select audit techniques and design evidence mix in a financial statement audit, with a focus on automated systems,

(2) Explain the difference between test data and generalized audit software

(3) State the impact of access controls upon all levels of controls. Provide relevant examples of controls (using reference to COSO and COBIT), weaknesses, and audit tests

(4) Assess general controls, providing relevant examples of controls (using reference to COSO and COBIT), weaknesses and audit tests

(5) State the impact of general controls upon the audit of application controls

Discussion Cases: Surefoot Corporation; Regal and Joyous Foundation Inc.

Readings:

  • ASAE. Section 6.2. Methods of evidence collection (p. 171-178); Chapter 7 Materiality and Risk
  • IIS. Section 3.3 Protecting Information Resources (p. 90-100)
  • Duval, Guylaine. 2008, January/February. “Rotation of Controls,” CAMagazine, p. 54-56
  • Singleton, Tommie W. 2008. “What every IT auditor should know about access controls,” ISACA, Vol. 4, p. 11-13
  • G11 Effect of Pervasive IS Controls, ISACA IS auditing Guideline, (read from Section 2), from:
  • COBIT 4.1 Excerpt, Executive Summary Framework (see Session 2 for link), pp. 12-17 (up to the paragraph that describes AC6)
  • G14 Application System Reviews, ISACA IS Auditing Guideline, (read from Section 2), from:

Session 4, Wednesday, September 28, 2011

Identity theft, privacy and privacy audits, controls over data management and database management access

Learning Objectives:

(1) Identify and assess risks with respect to identity theft and unauthorized data disclosure. Link these risks to the financial statement audit process.

(2) Describe a privacy framework used for implementation of a privacy strategy

(3) List and describe the components of a privacy assurance engagement

(4) Identify strengths and weaknesses associated with data management risks, provide controls to prevent or detect control weaknesses, match with control testing

Discussion Cases: YourTaxReturn.com, Part (3); Santasgiftworld.com

Readings:

  • IIS. Sections 3.1 Ethical Issues, 3.2 Threats to Information Security (p. 70-90)
  • IIS. Chapter 4 Data, Information, and Knowledge Management, Sections 4.1 to 4.5 (p. 110-130)
  • Canadian Institute of Chartered Accountants. 2007. “20 Questions Business Should ask About Privacy,” from:
  • Godbout, Yves. 2007, August. “What have you got to lose?” CAMagazine, p. 41-42
  • LeGrand, Charles, and Dan Sarel. 2008. “Database security, compliance and audit,” ISACA, Vol. 5, p. 27-31
  • Parker, Robert G. 2004, November. “Private practices,” CAMagazine, p. 28-34

Session 5, Wednesday, October 5, 2011

Change management: control and audit of the systems development, acquisition and maintenance process; conversion audits; disaster recovery planning

HAND-IN CASE #2 DUE TODAY: see course web site

Learning Objectives:

(1) Describe the typical process for developing a business continuity plan and a disaster recovery plan; describe the auditor’s role in testing such a plan

(2) Identify the controls (with linkage to COSO and COBIT), required at each stage of the systems development process to help provide adequate controls over the information systems development or maintenance process

(3) Design control tests, weakness investigation tests for the above process

(4) Assess and audit systems conversions and data conversions

Discussion Cases: Balderssarini, Part (2); MEC

Readings:

  • Review IIS Chapter 12 (previously assigned as a reading for Session 2)
  • ASAE. Appendix 7A Disaster Recovery Planning (p. 231-232), part of Section 18.2 Audit of system conversions (p. 605-607)
  • Njaa, Daryl. 2008, August. “Project checkup,” Internal Auditor, p. 31, 33-34
  • Morochove, Richard. 2008, March. “The right fit,” CAMagazine, p. 32, 34-36, 38, 40
  • Singleton, Tommie W. 2007. “Systems Development Life Cycle and IT Audits,” Information Systems Control Journal, Vol. 1, 2007, p. 24-26

NO CLASS WEDNESDAY OCTOBER 12. CO-CURRICULAR WEEK.

Session 6, Wednesday, October 19, 2011

Risk assessment, controls and audit in the sales and accounts receivable cycle; Computer assisted audit testing for audit of controls and tests of details

Learning Objectives:

(1) Provide risk assessment, controls, tests of controls, tests of details by audit assertion for the sales and accounts receivable cycle (manual, interdependent and automated) for both batch and online systems

(2) State the purpose of, describe, and provide expected results for computer assisted audit tests of sales and accounts receivable

(3) State the advantages and disadvantages of different types of computer assisted audit techniques; describe when they should be used during the audit and how they should be controlled or managed during the audit process

(4) State the capabilities and functions of generalized audit software such as ACL and explain how it could be used for the audit of sales and accounts receivable, linking to audit assertion

Discussion Cases: Big Mall Shoe Store; AR CAAT

Readings:

ASAE. Chapter 14 and Chapter 15; pay particular attention to: Figure 14-2, Tables 14-1, 14-3, 14-5, Section 14.4 A Real-life example of a sales audit, Section 15.4 Auditing Hillsburg Hardware Accounts Receivable.

Session 7, Wednesday, October 26, 2011 -- Midterm examination, covering Sessions 1 to 6, Room TEL-0010

Session 8, Wednesday, November 2, 2011

Risk assessment, controls and audit in the purchases, payments and payroll cycles; Computer assisted audit testing for audit of controls and tests of details for these cycles; electronic payments. Use of ACL including demonstration. ROOM TBA.

Learning Objectives:

(1) Provide risk assessment, relevant controls, tests of controls, tests of details by audit assertion for the accounts payable, payments and payroll cycles (manual, interdependent and automated) for both batch and online systems

(2) State the purpose of, describe, and provide expected results for relevant computer assisted audit tests of accounts payable, payments and payroll

(3) Describe risks and relevant controls (with linkage to COSO and COBIT), tests of controls, tests of details by audit assertion for electronic payment systems

Discussion Cases: Tom Thumb, Big Blue

Readings:

  • ASAE. Section 16.4 Additional examples of cash auditing (includes electronic cash transactions and electronic payments) (p. 556-558); review Chapters 17 and 18; Section 10.4 Relating the effects of entity-level controls to transactions and balances
  • Kessler, Bethmara. 2008, October. “The unchecked payroll manager,” Internal Auditor, p. 89, 91, 93
  • Kress, J. 2008, August. “Is your information safe?” CAMagazine, p. 44-46
  • Marks, Jonathan. 2009, February. “How tight is your treasurer’s grip on the cash?” Internal Auditor, p. 40, 42-43, 45
  • Ritlop, T. 2009. “Where’s the info?” CAMagazine, December 2009, p. 43-45
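The computer-assisted audit tests named in the Session 6 and Session 8 objectives (sequence gaps for completeness, duplicate invoices for occurrence, year-end cutoff samples, duplicate payments, and an employee-versus-vendor bank account match) are the kind of work generalized audit software such as ACL is used for. The script below is an added illustration, not part of the course kit and not ACL itself: it re-creates those tests in plain Python over a small constructed data set (hypothetical invoice, cheque, employee and vendor records; a 2011-12-31 year end and a 30-day duplicate-payment window are assumed) so that students can see what each test takes as input and what the exception report it produces looks like.

```python
"""Illustrative computer-assisted audit tests over constructed sales, payments and payroll data.

Added example, not course material. Each function mirrors a test an auditor would run in
generalized audit software (ACL, IDEA) and returns the exceptions for the working papers.
"""
from collections import defaultdict, namedtuple
from datetime import date, timedelta

Invoice = namedtuple("Invoice", "invoice_no customer inv_date amount")
Payment = namedtuple("Payment", "cheque_no vendor_id pay_date amount")
Employee = namedtuple("Employee", "employee_id bank_account")
Vendor = namedtuple("Vendor", "vendor_id bank_account")

# Constructed sample data (hypothetical); year end is assumed to be 2011-12-31.
SALES_INVOICES = [
    Invoice(1001, "C100", date(2011, 12, 20), 500.0),
    Invoice(1002, "C101", date(2011, 12, 22), 1200.0),
    Invoice(1003, "C100", date(2011, 12, 22), 500.0),
    Invoice(1004, "C100", date(2011, 12, 20), 500.0),  # same customer/date/amount as 1001
    Invoice(1006, "C102", date(2011, 12, 30), 800.0),  # 1005 is missing from the sequence
    Invoice(1007, "C103", date(2012, 1, 3), 950.0),    # dated just after year end
    Invoice(1008, "C101", date(2012, 1, 10), 300.0),
]
CASH_DISBURSEMENTS = [
    Payment(5001, "V10", date(2011, 11, 2), 2500.0),
    Payment(5002, "V11", date(2011, 11, 5), 410.0),
    Payment(5003, "V10", date(2011, 11, 20), 2500.0),  # same vendor and amount 18 days later
    Payment(5004, "V12", date(2011, 11, 25), 990.0),
    Payment(5005, "V10", date(2012, 1, 15), 2500.0),   # 56 days after 5003, outside the window
]
PAYROLL = [Employee("E1", "001-12345"), Employee("E2", "001-22222"), Employee("E3", "002-33333")]
VENDORS = [Vendor("V10", "003-44444"), Vendor("V11", "001-22222"), Vendor("V12", "004-55555")]


def sequence_gaps(numbers):
    """Completeness: document numbers missing between the lowest and highest number used."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_invoices(invoices):
    """Occurrence: invoices that repeat customer, date and amount (possible double billing)."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv.customer, inv.inv_date, inv.amount)].append(inv.invoice_no)
    return {key: nos for key, nos in groups.items() if len(nos) > 1}


def cutoff_sample(invoices, year_end, window_days):
    """Cutoff: invoices dated within +/- window_days of year end, to vouch to shipping documents."""
    lo, hi = year_end - timedelta(days=window_days), year_end + timedelta(days=window_days)
    return [inv.invoice_no for inv in invoices if lo <= inv.inv_date <= hi]


def duplicate_payments(payments, within_days=30):
    """Payments to the same vendor for the same amount within within_days of each other."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p.vendor_id, p.amount)].append(p)
    flagged = []
    for items in by_key.values():
        items.sort(key=lambda p: p.pay_date)
        for earlier, later in zip(items, items[1:]):
            if (later.pay_date - earlier.pay_date).days <= within_days:
                flagged.append((earlier.cheque_no, later.cheque_no))
    return flagged


def employee_vendor_bank_match(employees, vendors):
    """Fraud red flag: an employee is paid into the same bank account as a vendor."""
    vendor_by_account = {v.bank_account: v.vendor_id for v in vendors}
    return [(e.employee_id, vendor_by_account[e.bank_account], e.bank_account)
            for e in employees if e.bank_account in vendor_by_account]


def run_all_tests(year_end=date(2011, 12, 31)):
    """Run every test and return the exceptions, keyed by test name."""
    return {
        "invoice_sequence_gaps": sequence_gaps([i.invoice_no for i in SALES_INVOICES]),
        "duplicate_invoices": list(duplicate_invoices(SALES_INVOICES).values()),
        "cutoff_sample": cutoff_sample(SALES_INVOICES, year_end, window_days=5),
        "duplicate_payments": duplicate_payments(CASH_DISBURSEMENTS),
        "employee_vendor_bank_match": employee_vendor_bank_match(PAYROLL, VENDORS),
    }


if __name__ == "__main__":
    for name, exceptions in run_all_tests().items():
        print(f"{name}: {exceptions}")
```

Each exception list is a starting point for follow-up, not a conclusion: a gap in the invoice sequence is vouched to a voided-document log, a cutoff sample is traced to shipping dates, and a matched bank account is investigated as a potential related-party or fictitious-vendor scheme. Run on the constructed data the script reports gap 1005, duplicate pair 1001/1004, cutoff sample 1006 and 1007, duplicate payments 5001/5003, and employee E2 sharing an account with vendor V11.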

Session 9, Wednesday, November 9, 2011

Advanced topics. Risks and audit of: data communications and the internet, electronic data interchange, wireless systems, enterprise resource planning systems.

Learning Objectives:

(1) Identify relevant advantages, disadvantages, risks, controls(with linkage to COSO and COBIT),recommendations for improvement, tests of controls, tests of details for selected advanced systems

(2) Analyze the impact of each of the advanced systems on the financial statement audit process and integrate into the audit planning process

Discussion Cases: YourTaxReturn.com Part 4; Shiny Computers

Readings:

  • CICA Assurance Handbook, AuG-32 Assurance and Related Service Guideline, “Electronic Commerce – effect on the audit of financial statements.” (available from York University library online)
  • Allen, V. 2008, February. “ERP Security Tools,” Internal Auditor, p. 25, 27
  • Gibbs, Nelson. 2008, October. “The science behind wireless,” Internal Auditor, p. 25, 27
  • Jogani, Anil. 2006. “Governance of Mobile Technology in Enterprises,”Information Systems Control Journal, Volume 4, p. 25-27
  • Price, Sean M. 2009. “Auditing Enterprise Resource Planning Systems,” ISACA Journal Online, Volume 1, 2009
  • Suleman, R. 2010. “Getting the evasive PEARL,” CAMagazine, January/February 2010, p. 35-38

Session 10, Wednesday, November 16, 2011

Role of internal audit in information systems technology auditing; impact of Sarbanes Oxley and CSA Multilateral Instrument 52-109 on information technology auditing; continuous auditing; WebTrust and SysTrust

ACL Assignment Due at Beginning of Class

Learning Objectives:

(1) Describe how information systems auditing fits into the requirements of Sarbanes Oxley and Canadian auditing standards for auditing

(2) Describe continuous auditing and how it is implemented; state advantages and disadvantages

(3) Describe the role of WebTrust and SysTrust

Discussion Cases: Fast Fresh Burgers; Delectable Inc.

Readings:

  • ASAE. Attestation services on information technology: WebTrust & SysTrust, p. 10-11
  • Coderre, David. 2006, April. “A Continuous View of Accounts,” Internal Auditor, p. 25-28
  • Ferrell, Pat and Seth Davis. 2008, March/April. “How an internal audit department maximized its technology,” Fraud Magazine, Vol. 22 No. 2, p. 25-27, 46-47
  • Helpert, Anita and John Lazarine. 2009, April. “Making integrated audits reality,” Internal Auditor, p. 37-40
  • Schoelch, C. and Y. Nadeau. 2009. “Transparency and accountability,” CAMagazine, p. 37-39

Session 11, Wednesday, November 23, 2011

Information systems security concepts; control (with linkage to COSO and COBIT) and audit of security planning; forensic information systems auditing

Learning Objectives:

(1) Describe the components of a security policy and how it would be audited

(2) Identify relevant information systems security risks and their impact on organizations. Relate these to their impact on the audit planning process

(3) Describe fraud risk management, forensic information systems auditing. Explain the relationship of forensic information systems auditing to the financial statement audit.

Discussion Cases: Oakdale Manufacturing Ltd., Security Bits

Readings:

  • Chandra, Ishwar. 2008, December. “The five C’s of IT policy,” Internal Auditor, p. 23-24
  • Lambiras, Jon J. 2008, November/December. “Inaction caused costly hacking at large retailer,” Fraud Magazine, Vol. 22. No. 6, p. 25-26, 55, 58
  • Lister, Linda M. 2007, December. “A practical approach to fraud risk,” Internal Auditor, p. 61-65

Session 12, Wednesday, November 30, 2011