INFORMATION SYSTEM AUDITING AND ASSURANCE



Similar documents
CONTROLLING COMPUTER-BASED INFORMATION SYSTEMS, PART I

ETHICS, FRAUD, AND INTERNAL CONTROL

4 Testing General and Automated Controls

James A. Hall Chapter Accounting Information Systems, 4th. Ed. The Information System THE INFORMATION SYSTEM: AN ACCOUNTANT S PERSPECTIVE

DATABASE MANAGEMENT SYSTEMS

Accounting Information Systems, 4th. Ed. CHAPTER 4 THE REVENUE CYCLE

MANAGING THE SYSTEMS DEVELOPMENT LIFE CYCLE

Certified Information Systems Auditor (CISA)

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

INFORMATION TECHNOLOGY CONTROLS

PART 10 COMPUTER SYSTEMS

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS

Master Document Audit Program

ELECTRONIC COMMERCE SYSTEMS

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE

ENTERPRISE RESOURCE PLANNING SYSTEMS

Learning Objective 1. The Impact of Information Technology on the Audit Process. Describe how IT improves internal control.

Navigating the Standards for Information Technology Controls

Module 7: Computer auditing

IT - General Controls Questionnaire

An organization properly establishes and operates its control over risks regarding the information system to fulfill the following objectives:

Chapter 9 The Study of Internal Control and Assessment of Control Risk

Chapter 6--Audit Evidence, Audit Objectives, Audit Programs and Working Papers

Appendix A. Specific Learning Objectives by Course

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

CISA TIMETABLE (4 DAYS)

(Refer Slide Time: 01:52)

The Impact of Information Technology on the Audit Process

3.B METHODOLOGY SERVICE PROVIDER

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Formal Software Testing. Terri Grenda, CSTE IV&V Testing Solutions, LLC

3. Current Auditing Computerized Tools

Audit Phases. Phase 1: Planning and Risk Identification

Knowledge Management Series. Internal Audit in ERP Environment

ACCOUNTING INFORMATION SYSTEMS

Control Matters. Computer Auditing. (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising)

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

How To Audit A Financial Statement

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

GENERALIZED AUDIT SOFTWARE

Software Test Plan (STP) Template

Toronto Maintenance Management System Application Review. the exercise to harmonize business practices is completed;

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

THE REA APPROACH TO BUSINESS PROCESS MODELING

[300] Accounting and internal control systems and audit risk assessments

Continuous auditing: the audit of the future

August 2008 Report No

ISACA PROFESSIONAL RESOURCES

U S I N G D A T A A N A L Y S I S T O M E E T T H E R E Q U I R E M E N T S O F R I S K B A S E D A U D I T I N G S T A N D A R D S

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

Project Risk and Pre/Post Implementation Reviews

IT Application Controls Questionnaire

THE GENERAL LEDGER, FINANCIAL REPORTING, AND MANAGEMENT REPORTING SYSTEMS

Prequalification Education, Assessment of Professional Competence and Experience Requirements of Professional Accountants

i) Question Type The following are guidelines on the type of questions and their approximate weightings:

Activity Code Material Management and Accounting System (MMAS) Version 9.10, dated September 2015 B-1 Planning Considerations

Development, Acquisition, Implementation, and Maintenance of Application Systems

2. Auditing Objective and Structure What Is Auditing?

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

SECTION 15 INFORMATION TECHNOLOGY

Computer System Configuration Management and Change Control

Internal Auditing & Controls. Examination phase of the internal audit Module 5. Course Name: Internal Auditing & Controls

ROADMAP TO SAP SECURITY

Internal Control Deliverables. For. System Development Projects

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

HealthCare Management system

Ethics, Fraud, and Internal Control

IT Architecture Review. ISACA Conference Fall 2003

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Disaster Recovery and Business Continuity Plan

October 14, (1)

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

This interpretation of the revised Annex

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers

INTERMEDIATE QUALIFICATION

Internal Controls. A short presentation from Your Internal Audit Department

Chapter 7 Information System Security and Control

Checklist for Market Risk Management

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Domain 1 The Process of Auditing Information Systems

Computer System Configuration Management and Change Control

SCOPE OF WORK FOR PERFORMING INTERNAL CONTROL AND STATUTORY/REGULATORY COMPLIANCE AUDITS FOR RECIPIENTS OF SPECIAL MUNICIPAL AID

Auditing in an Automated Environment: Appendix C: Computer Operations

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Department of Public Utilities Customer Information System (BANNER)

Auditing Standard 5- Effective and Efficient SOX Compliance

B.Sc (Computer Science) Database Management Systems UNIT-V

Transcription:

CHAPTER INFORMATION SYSTEM AUDITING AND ASSURANCE As more and more accounting and business systems were automated, it became more and more evident that the field of auditing had to change. As the systems being audited increased their use of technology, new techniques for evaluating them were required. This chapter focuses on computer or information systems (IS) auditing. It begins with a discussion of how the auditing profession has expanded in response to the spread of technology. The objectives of this chapter are:! to understand the general purpose of an audit and to have a firm grasp of the basic conceptual elements of the audit process;! to know the difference between internal and external auditing and to be able to explain the relationship between these two types of auditing;! to understand how auditing objectives and tests of control are determined by the control structure of the firm that is being audited;! to be familiar with the audit objective and tests of control for each of the nine general control areas;! to understand the auditing techniques that are used to verify the effective functioning of application controls; and! to understand the auditing techniques used to perform substantive tests in a CBIS environment. Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -1

I. Attest Services versus Assurance Services Because AIS is a prerequisite to the auditing course on many campuses, it is understandable that you not be too sure of the nature and purpose of an audit. This introduction is, of necessity, brief. It will not take the place of your auditing course. But it is a start. Read carefully to distinguish between traditional auditing (the attest function) and the emerging field of assurance services. Fig. -1, on page 861, is a schematic of the relationship. A. What is a Financial Audit? Auditing is a form of independent attestation (or verification) performed by an expert who expresses an opinion about the fairness of a company s financial statements. Independence is of great importance since it is fundamental to stakeholder confidence in the audit opinion. Conduct of an audit involves studying the client organization, evaluating the internal controls of the system to see how it works, and evaluating the information in the system. B. Auditing Standards You are familiar with GAAP, Generally Accepted Accounting Principles. These must be followed by companies required by SEC regulation to provide financial statements. In order for users to be confident that the audit did examine the books thoroughly, the external auditor must follow GAAS, Generally Accepted Auditing Standards. This section introduces GAAS, in particular, the Statements on Auditing Standards issued by the AICPA as needed, since 1972. Early in the text you were introduced to SAS 78. Read carefully the discussion related to Table -1, on page 863. C. External Auditing versus Internal Auditing Many of the same tasks are often carried out by external auditors and by individuals who are employees of the client. These employees who are involved in audit-related activities are called internal auditors. Although employed by the client firm, many duties can be conducted with a reasonable level of objectivity if the internal auditors report to the audit committee of the board of trustees, and not to the controller, who is responsible for the accounting system. Rather than representing the interests of Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -2

external stakeholders, they serve the best interests of the client organization itself. Your text presents the standard definition of auditing and discusses the key elements. This is brief but good. D. What is an Information Technology (IT) Audit? IT auditing refers to the part of an audit that involves the computerized elements of an accounting information system. It is here that the elements of auditing are present. Note in particular, the discussion of audit objectives. See Table -2, on page 866. E. The Structure of an IT Audit Fig. -2, on page 867, is a schematic of an IT audit showing three phases: audit planning, tests of controls (tests of the system), and substantive testing (tests of the data in the system). Each of these phases is comprised of several steps. The discussion is clear. II. Assessing Audit Risk and Designing Tests of Controls Several concerns face an auditor that material errors do exist in the accounting system and that the audit will not detect them. The text discusses audit risk the probability that an auditor will render a clean audit opinion when material errors exist. A. Audit Risk Components There are three basic components of audit risk:! inherent risk,! control risk, and! detection risk. There are two basic types of audit tests: tests of controls, which determine whether the internal controls are operating correctly (i.e., these are tests of the accounting system), and substantive tests, which determine whether the data fairly reflects the organization s financial affairs (i.e., these are tests of the accounting information in the system). Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -3

B. Relationship between Tests of Controls and Substantive Tests The results of the tests of controls have great impact on the extent of substantive testing required. If the internal controls system is judged to be strong, less substantive testing is needed. Or, if the controls are deemed to be weak, more testing must be done to judge the data. III. Tests of General Controls This section of the text follows the framework developed in 15 with regard to general controls. The next section focuses on application controls. But first, you must understand the concept of an audit objective. A. Developing Audit Objectives The objective(s) of any audit test relates to the exposures that may threaten the organization s activities and the internal controls that are in place. The approach that will be taken will relate risk, control, the audit objective, and the appropriate audit procedure. Significant professional judgment is required in practice. Table -3, on pages 870-01, summarizes exposures and controls in a CBIS environment. Use this as your guide for reading the related narrative. For each area of control, the objectives and procedures are presented. B. Testing Operating System Controls Recall the objectives of operating system that we discussed in 15. The relevant control techniques are intended to verify that policies are strong enough to protect the operating system. These controls appear quite rigorous. But one disaster will make you a believer. The audit objectives and audit procedures are presented for each of five areas: access privileges, password policy, virus control, audit trail controls, and fault tolerance. C. Testing Data Management Controls Data management controls are comprised of backup controls and access controls. The need for both should be clear. Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -4

D. Testing Organizational Structure Controls We have discussed several times the fact that the location of separation of duties shifts in the CBIS environment. This is reflected in the tests examined here. E. Testing System Development Controls This type of control is extremely important for confidence in the output of the system. Not only must procedures be followed throughout the SDLC, but the system must have been justified and documented. The review of SDLC documentation is a good check on the process itself. F. Testing System Maintenance Controls The seventh stage of the SDLC is system maintenance. During the system s life, things often need to be changed. Just as the recording of financial transactions should only happen if authorized, changes in an existing system, i.e., system maintenance, should occur only with proper authorization and under strict control in order to protect system integrity. The techniques discussed assume some programming knowledge. G. Testing Computer Center Security The objectives of computer center security should be obvious, by now. The tests that must be made will not be very exciting, but without the computer center, most firms would be unable to conduct business and would soon close their doors. This is true both from physical construction and backup power to full scale disaster recovery. Note the importance given to critical applications, first discussed in 15. The disaster recovery plan must be tested often because of changes in the organization, the environment, the system, and the personnel involved. H. Testing Internet and Intranet Controls There is little point in communicating electronically if the information is not transferred correctly or if it can be easily intercepted. Communication controls are designed to assure accurate communication, prevent unauthorized access, and make any data that is intercepted worthless. Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -5

I. Testing Electronic Data Interchange Controls The value of EDI has been discussed before. If it is of benefit to trading partners, it is worth protecting. Authorization, validation, and access are key factors. With the absence of a paper trail, the issue of the audit trail deserves special attention. J. Testing Personal Computer Controls The problems inherent in the personal computer environment should not be underestimated. There is a connection with end-user controls that were discussed in 16. The text focuses on three areas of concern that are of special importance in the personal computer environment: access, segregation of duties, backup, and systems development and maintenance. Read this carefully. You will work in organizations littered with personal computers. IV. Testing Computer Applications The last area of exposure to be considered involves application controls. All that has been covered up to now related to general controls. Application controls fall into two classes: tests of application controls, and tests of the transaction details and account balances. The latter are substantive tests and are covered in the next section of the chapter. Tests of controls are considered below. When computerized, or automated, accounting systems first made their entrance into the business world, auditors were frequently faced with a black box that they did not understand but which processed much of the data about which they were asked to voice an opinion. Initially they audited around the computer by observing input and observing output and checking for mutual consistency. Although adequate, it was nonetheless inefficient. Also, the evaluation of the internal control system was hampered. It was often impossible to trace an audit trail through the automated parts of the system. If an application had a material effect on the financial statements, auditing around the computer may not have been acceptable. The second approach to auditing computer systems has been called auditing through the computer. It requires the ability to trace transaction paths from input to output through all parts of the system manual and automated. The flow of data must be verified as it moves through the system, and the contents of machine readable files must be examined. Internal controls are tested as they operate on the data. The black box is gone. Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -6

The current trend is toward auditing with the computer, using the computer as a tool of the audit. The computer is used as a tool for examining the data, accessing the files, retrieving records at will, extracting statistical samples, and performing test calculations. Use of the computer has made feasible a great many procedures which would otherwise have been impractical from a clerical standpoint. The major problem that this last method creates is that practicing auditors are required to have extensive and up-to-date knowledge of computer systems. It is difficult to stay abreast of changes in technology. This has created a new demand for continuing professional education. A. Black Box Approach Note the advantages and disadvantages of this approach. B. White Box Approach Auditing through the computer can be called the white box approach to contrast it to the black box approach. A number of tests of controls are discussed. The purposes of these different tests will help you appreciate the concerns faced by an auditor. C. White Box Testing Techniques Five proven procedures are described:! test data method! base case system evaluation,! tracing,! integrated test facility, and! parallel simulations. These are very complex techniques. Focus on the key objectives. The first three are variations of the same method. They all work through the computer. The last two actually use the computer as a tool of the audit auditing with the computer. D. The Integrated Test Facility The integrated test facility builds auditability into the system. Both the logic of the application and the controls are tested during normal operation. The computer is now part of the audit process the audit is being done with the computer. Focus on the advantages and disadvantage of this method. You will learn more about it in your auditing course. Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -7

E. Parallel Simulation Parallel simulation, as the name implies, imitates the application under review. It must be written to perform the same steps as the application so that results can be compared. If the real system and the parallel yield the same output, then you would have confidence that the real system is OK. V. Substantive Testing Techniques The second major type of audit tests, after the tests of controls, are the substantive tests which are used to verify the $$$$ on the financial statements and in the accounts. Several examples are given in the text. Because these tests evaluate the data in the system, there must be ways to get at it. A. The Imbedded Audit Module The imbedded audit module is a set of specially written computer instructions built into the client software to extract specified types of data for later testing. Read through the advantages and disadvantages carefully. B. Generalized Audit Software Generalized audit software refers to a number of programs developed as tools for auditors. Because of the need to repeatedly perform basic audit tasks, many public accounting firms have created such packages. The text describes the type of functions built in. Concentrate on the tasks that can be performed by GAS, not the access to file structures. Review Questions for : 1-29 Discussion Questions for : 1-16 Study Prepared by H. M. Savage South-Western Publishing Co., 2004 Page -8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information