Copyright © 2015 Pearson Education, Inc.
Auditing Computer-Based Information
Systems
Chapter 11
11-1
Learning Objectives
• Describe the nature, scope, and objectives of audit work, and identify the major steps
in the audit process.
• Identify the six objectives of an information system audit, and describe how the
risk-based audit approach can be used to accomplish these objectives.
• Describe the different tools and techniques auditors use to test software programs
and program logic.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Describe the nature and scope of an operational audit.
Auditing
• The process of obtaining and evaluating evidence regarding
assertions about economic actions and events in order to
determine how well they correspond with established criteria
Major Steps in the Auditing Process
• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results
Risk-Based Framework
• Identify fraud and errors (threats) that can occur that threaten
each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended
• Determine effect of control weaknesses
▫ Compensating controls
Information Systems Audit
• Allows the auditor to review and evaluate the internal controls that protect
the system, in order to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment,
programs, and data)
▫ Program development and acquisition occur under management
authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
▫ Accurate, complete, and confidential data files
1 Protect Overall System Security
Threats
• Loss, theft, or unauthorized access to programs and data files
• Interruption of crucial business activities
Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance
2 Program Development and Acquisition Occur under Management Authorization
• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of
programming specifications
• Testing and user acceptance of new
programs
3 Program Modifications Occur under Management Authorization
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
4 Accurate and Complete Processing of Transactions, Records, Files, and Reports
Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
Controls
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
5 Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of
source data input
• Turnaround documents
• Check digit and key verification
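The batch-total reconciliation listed under objective 4 and the batch control totals and check-digit verification listed under objective 5 are simple enough to show end to end. The following is an added example, not code from the textbook: it builds a small, constructed batch of source documents, computes a record count, a financial total and a hash total of account numbers, compares them with the batch header, and runs a mod-10 (Luhn) check-digit test on each document number. The field names, the choice of Luhn as the check-digit scheme and the sample values are all assumptions made for the example.

```python
# Added example (not from the textbook): batch control totals and a
# check-digit test over a constructed batch of source documents.
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceDoc:
    doc_no: str   # document number; rightmost digit is the check digit
    account: str  # numeric account number, used for the hash total
    amount: int   # amount in cents


def luhn_check(number: str) -> bool:
    """Mod-10 (Luhn) test: weighted digit sum must be divisible by 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk the digits right to left, doubling every second digit and
    # subtracting 9 from any doubled value above 9.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def batch_totals(docs):
    """Record count, financial total and hash total for a batch."""
    return {
        "record_count": len(docs),
        "financial_total": sum(d.amount for d in docs),
        "hash_total": sum(int(d.account) for d in docs),
    }


def reconcile_batch(docs, header):
    """Compare computed totals with the batch header and test check digits.

    Returns a list of exception messages; an empty list means the batch
    reconciles and every document number passes its check digit.
    """
    exceptions = []
    computed = batch_totals(docs)
    for name, expected in header.items():
        if computed[name] != expected:
            exceptions.append(
                f"{name}: header {expected} vs computed {computed[name]}")
    for d in docs:
        if not luhn_check(d.doc_no):
            exceptions.append(f"check digit failed for document {d.doc_no}")
    return exceptions


# Constructed sample batch; the header totals were prepared from it.
GOOD_BATCH = [
    SourceDoc("123455", "1001", 12500),
    SourceDoc("543215", "1002", 7325),
    SourceDoc("111112", "1003", 980),
]
GOOD_HEADER = {"record_count": 3, "financial_total": 20805, "hash_total": 3006}

# Same header, but one amount was keyed with transposed digits (7352 for
# 7325) and one document number carries a wrong check digit.
BAD_BATCH = [
    SourceDoc("123455", "1001", 12500),
    SourceDoc("543215", "1002", 7352),
    SourceDoc("123456", "1003", 980),
]

if __name__ == "__main__":
    print("good batch:", reconcile_batch(GOOD_BATCH, GOOD_HEADER))
    print("bad batch:", reconcile_batch(BAD_BATCH, GOOD_HEADER))
```

The transposition is caught by the financial total rather than by the record count or hash total, which is why the three totals are used together: each detects a different class of keying error.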
6 Accurate, Complete, and Confidential Data Files
Threats to stored data
• Errors
• Hardware and software malfunctions
• Sabotage
Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
Audit Techniques Used to Test Programs
• Integrated Test Facility
▫ Uses fictitious inputs
▫ Master files before and after update are stored for specially marked
transactions
▫ Continuous monitoring and storing of transactions that meet
pre-specifications
▫ Notify auditors of questionable transactions
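The last two bullets above describe an audit module embedded in the application: transactions that meet criteria fixed in advance are stored for the auditor, and questionable ones are brought to the auditor's attention. The following is an added example, not code from the textbook, of such a module running inside a normal posting loop over constructed transactions. The three criteria (amount at or above a limit, the same user entering and approving, posting outside business hours) and the limit itself are assumptions chosen for the example, as are the field names.

```python
# Added example (not from the textbook): an embedded audit module that
# copies transactions meeting pre-specified criteria to an audit file.
from dataclasses import dataclass
from datetime import datetime

# Assumed auditor-set parameters for the example.
AMOUNT_THRESHOLD = 1_000_000          # cents, i.e. $10,000
BUSINESS_HOURS = range(8, 18)         # 08:00 up to but not including 18:00


@dataclass(frozen=True)
class Txn:
    txn_id: str
    entered_by: str
    approved_by: str
    amount: int            # cents
    posted_at: datetime


def audit_criteria(t: Txn):
    """Return the list of pre-specified criteria a transaction meets."""
    reasons = []
    if t.amount >= AMOUNT_THRESHOLD:
        reasons.append("amount at or above threshold")
    if t.entered_by == t.approved_by:
        reasons.append("entered and approved by same user")
    if t.posted_at.hour not in BUSINESS_HOURS or t.posted_at.weekday() >= 5:
        reasons.append("posted outside business hours")
    return reasons


def process_batch(txns, audit_file):
    """Post every transaction; copy flagged ones to the audit file.

    `audit_file` is any list-like object; in a real system it would be a
    file or table the auditor controls and the application cannot alter.
    Returns the ids posted, in order, so normal processing is unaffected.
    """
    posted = []
    for t in txns:
        posted.append(t.txn_id)   # stand-in for the application's posting logic
        reasons = audit_criteria(t)
        if reasons:
            audit_file.append({"txn_id": t.txn_id,
                               "amount": t.amount,
                               "reasons": reasons})
    return posted


# Constructed sample transactions (2015-03-10 is a Tuesday, 2015-03-14 a Saturday).
SAMPLE_TXNS = [
    Txn("T1001", "alice", "bob", 45_000, datetime(2015, 3, 10, 10, 15)),
    Txn("T1002", "carol", "carol", 250_000, datetime(2015, 3, 10, 14, 0)),
    Txn("T1003", "alice", "bob", 1_500_000, datetime(2015, 3, 10, 23, 30)),
    Txn("T1004", "dave", "erin", 9_900, datetime(2015, 3, 14, 9, 0)),
]

if __name__ == "__main__":
    audit_log = []
    process_batch(SAMPLE_TXNS, audit_log)
    for entry in audit_log:
        print(entry)
```

Keeping the criteria in one function makes the auditor's selection rules reviewable on their own, and returning reasons rather than a bare flag lets the audit file record why each transaction was stored.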
Software Tools Used to Test Program Logic
• Automated flowcharting program
▫ Interprets source code and generates a flowchart
• Automated decision table program
▫ Interprets source code and generates a decision table
• Scanning routines
▫ Search a program for specified items
• Mapping programs
▫ Identify unexecuted code
• Program tracing
▫ Prints program steps with regular output to observe sequence of
Computer Audit Software
• Computer-assisted audit software that can perform audit tasks on a copy of a
company’s data. It can be used to:
▫ Query data files and retrieve records based upon specified criteria
▫ Create, update, compare, download, and merge files
▫ Summarize, sort, and filter data
▫ Access data in different formats and convert to common format
▫ Select records using statistical sampling techniques
▫ Perform analytical tests
▫ Perform calculations and statistical tests
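Several of the capabilities listed above (querying records by criteria, summarizing data, comparing records, and selecting a statistical sample) can be shown on a small constructed copy of a vendor-payments file. The following is an added example, not code from the textbook or from any audit software product: the file contents, field names and the duplicate-payment test are assumptions made for the example, and the sample is drawn with a seeded random generator so the selection is reproducible for the working papers.

```python
# Added example (not from the textbook): audit tasks run over a
# constructed copy of a payments file.
import random
from collections import defaultdict

# Constructed data copy; record 2 repeats the vendor/invoice of record 1.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-7", "amount": 1200},
    {"id": 2, "vendor": "V100", "invoice": "INV-7", "amount": 1200},
    {"id": 3, "vendor": "V200", "invoice": "INV-3", "amount": 52000},
    {"id": 4, "vendor": "V300", "invoice": "INV-9", "amount": 300},
    {"id": 5, "vendor": "V200", "invoice": "INV-4", "amount": 47500},
    {"id": 6, "vendor": "V400", "invoice": "INV-1", "amount": 9999},
]


def query(records, predicate):
    """Retrieve the records satisfying a criterion."""
    return [r for r in records if predicate(r)]


def summarize_by(records, key):
    """Total the amount field per distinct value of `key`."""
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r["amount"]
    return dict(totals)


def find_duplicates(records, fields):
    """Compare records on `fields`; return groups of ids sharing the same values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in fields)].append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def sample_records(records, n, seed):
    """Simple random sample of n records, reproducible from the seed."""
    rng = random.Random(seed)
    return rng.sample(records, n)


def large_payment_ids(records, limit):
    """Ids of payments at or above `limit`, a typical selection criterion."""
    return [r["id"] for r in query(records, lambda r: r["amount"] >= limit)]


if __name__ == "__main__":
    print("large payments:", large_payment_ids(PAYMENTS, 10000))
    print("totals by vendor:", summarize_by(PAYMENTS, "vendor"))
    print("possible duplicates:", find_duplicates(PAYMENTS, ["vendor", "invoice"]))
    print("sample:", [r["id"] for r in sample_records(PAYMENTS, 2, seed=42)])
```

Working on a copy of the data, as the slide says, is what keeps these tests from disturbing the live system; the seed is recorded so another auditor can reproduce the same sample.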
Operational Audits
• The purpose is to evaluate effectiveness, efficiency, and goal achievement.
Although the basic audit steps are the same, the specific evidence-collection
activities are focused on operations, such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test accuracy of operating information
▫ Test operational controls
Key Terms
• Auditing
• Internal auditing
• Financial audit
• Information systems audit
• Operational audit
• Compliance audit
• Investigative audit
• Inherent risk
• Control risk
• Detection risk
• Confirmation
• Reperformance
• Vouching
• Analytical review
• Integrated test facility (ITF)
• Audit hooks
• Continuous and intermittent simulation (CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing
• Computer-assisted audit techniques (CAAT)