Chapter 11 Auditing Computer-Based Information Systems
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 11-1
Learning Objectives
Describe the scope and objectives of audit work, and identify the major steps in the audit process.
Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.
Design a plan for the study and evaluation of internal control in an AIS.
Describe computer audit software, and explain how it is used in the audit of an AIS.
Describe the nature and scope of an operational audit.
Auditing
The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.
Types of Audits
Financial: Examines the reliability and integrity of financial transactions, accounting records, and financial statements.
Information System: Reviews the controls of an AIS to assess compliance with internal control policies and procedures and effectiveness in safeguarding assets.
Operational: Economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance: Determines whether entities are complying with applicable laws, regulations, policies, and procedures.
Investigative: Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.
The Audit Process
Planning
Collecting Evidence
Evaluating Evidence
Communicating Audit Results
Planning the Audit
Why, when, how, whom
Work targeted to area with greatest risk:
  Inherent: Chance of risk in the absence of controls
  Control: Risk a misstatement will not be caught by the internal control system
  Detection: Chance a misstatement will not be caught by auditors or their procedures
Collection of Audit Evidence
Not everything can be examined, so samples are collected.
Observation of activities to be audited
Review of documentation: Gain understanding of process or control
Discussions
Questionnaires
Physical examination
Confirmations: Testing balances with external 3rd parties
Re-performance: Recalculations to test values
Vouching: Examination of supporting documents
Analytical review: Examining relationships and trends
Evaluation of Audit Evidence
Does evidence support a favorable or unfavorable conclusion?
Materiality: How significant is the impact of the evidence?
Reasonable Assurance: Some risk remains that the audit conclusion is incorrect.
Communication of Audit Conclusion
Written report summarizing audit findings and recommendations:
  To management
  The audit committee
  The board of directors
  Other appropriate parties
Risk-Based Audit
Determine the threats (fraud and errors) facing the company.
  Accidental or intentional abuse and damage to which the system is exposed
Identify the control procedures that prevent, detect, or correct the threats.
  These are all the controls that management has put into place and that auditors should review and test, to minimize the threats
Evaluate control procedures.
  A systems review: Are control procedures in place?
  Tests of controls: Are existing controls working?
Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.
Information Systems Audit
Purpose: To review and evaluate the internal controls that protect the system
Objectives:
1. Overall information security
2. Program development and acquisition
3. Program modification
4. Computer processing
5. Source files
6. Data files
1. Information System Threats
Accidental or intentional damage to system assets
Unauthorized access, disclosure, or modification of data and programs
Theft
Interruption of crucial business activities
2. Program Development and Acquisition
Inadvertent programming errors due to misunderstanding system specifications or careless programming
Unauthorized instructions deliberately inserted into the programs
Controls: Management and user authorization and approval, thorough testing, and proper documentation
3. Program Modification
Source Code Comparison: Compares current program against source code for any discrepancies
Reprocessing: Use of source code to re-run program and compare for discrepancies
Parallel Simulation: Auditor-created program is run and used to compare against source code
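Parallel simulation as an added example (not from the original slides): the auditor writes an independent program for the documented rule, runs it over the same input the production program received, and reports every record where the two outputs differ. The late-fee rule, the invoices, and the production output below are constructed assumptions.

```python
"""Parallel simulation: auditor-written program vs. production output."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample input: invoices as the production system received them.
INVOICES = [
    {"id": "INV-1001", "amount": Decimal("1200.00"), "days_late": 0},
    {"id": "INV-1002", "amount": Decimal("850.50"), "days_late": 12},
    {"id": "INV-1003", "amount": Decimal("430.00"), "days_late": 45},
    {"id": "INV-1004", "amount": Decimal("99.99"), "days_late": 31},
]

# Constructed production output: late fee reported by the program under audit.
PRODUCTION_OUTPUT = {
    "INV-1001": Decimal("0.00"),
    "INV-1002": Decimal("0.00"),
    "INV-1003": Decimal("6.45"),
    "INV-1004": Decimal("0.00"),  # differs from the documented rule
}


def auditor_late_fee(invoice):
    """Auditor's own implementation of the documented rule (assumed here):
    1.5% of the amount once an invoice is more than 30 days late."""
    if invoice["days_late"] > 30:
        fee = invoice["amount"] * Decimal("0.015")
        return fee.quantize(CENT, ROUND_HALF_UP)
    return Decimal("0.00")


def parallel_simulation(invoices, production_output):
    """Return (id, auditor value, production value) for every discrepancy."""
    exceptions = []
    seen = set()
    for inv in invoices:
        seen.add(inv["id"])
        expected = auditor_late_fee(inv)
        actual = production_output.get(inv["id"])  # None if record is missing
        if actual != expected:
            exceptions.append((inv["id"], expected, actual))
    # Output records with no matching input are exceptions as well.
    for extra in sorted(set(production_output) - seen):
        exceptions.append((extra, None, production_output[extra]))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(INVOICES, PRODUCTION_OUTPUT):
        print(row)
```

Each exception is a lead for follow-up: either the production program was modified without authorization, or the auditor's reading of the rule is wrong.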
4. Computer Processing
System fails to detect:
  Erroneous input
  Improper correction of input errors
  Process erroneous input
  Improperly distribute or disclose output
Concurrent audit techniques: Continuous system monitoring while live data are processed during regular operating hours
Using embedded audit modules: Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review
Types of Concurrent Audits
Integrated Test Facility: Uses fictitious inputs
Snapshot Technique: Master files before and after update are stored for specially marked transactions
System Control Audit Review File (SCARF): Continuous monitoring and storing of transactions that meet pre-specifications
Audit Hooks: Notify auditors of questionable transactions
Continuous and Intermittent Simulation: Similar to SCARF for DBMS
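An embedded audit module covering three of the techniques listed above (snapshot, SCARF, audit hook), as an added example that is not part of the original slides. The class, the selection thresholds, the account data, and the `audit_mark` field are constructed assumptions.

```python
"""Embedded audit module sketch: snapshot, SCARF file, audit hook."""
import copy


class EmbeddedAuditModule:
    def __init__(self, scarf_criteria, hook_rule, notify):
        self.scarf_criteria = scarf_criteria  # pre-specified selection test
        self.hook_rule = hook_rule            # test for questionable activity
        self.notify = notify                  # callback that alerts the auditor
        self.scarf_file = []                  # evidence stored for later review
        self.snapshots = []                   # (txn id, before, after) triples

    def process(self, txn, master, apply_update):
        """Runs inside normal processing of one live transaction."""
        record = master[txn["account"]]
        marked = txn.get("audit_mark", False)
        before = copy.deepcopy(record) if marked else None
        apply_update(record, txn)             # the production logic itself
        if marked:                            # snapshot technique
            self.snapshots.append((txn["id"], before, copy.deepcopy(record)))
        if self.scarf_criteria(txn):          # SCARF: store matching txns
            self.scarf_file.append(dict(txn))
        if self.hook_rule(txn, record):       # audit hook: notify right away
            self.notify(txn["id"])


def post_payment(record, txn):
    """Stand-in for the production update routine (constructed)."""
    record["balance"] -= txn["amount"]


def run_demo():
    # Constructed master file and transactions.
    master = {"A-1": {"balance": 500}, "A-2": {"balance": 9000}}
    alerts = []
    eam = EmbeddedAuditModule(
        scarf_criteria=lambda t: t["amount"] >= 5000,
        hook_rule=lambda t, rec: rec["balance"] < 0,
        notify=alerts.append,
    )
    txns = [
        {"id": "T1", "account": "A-1", "amount": 200, "audit_mark": True},
        {"id": "T2", "account": "A-2", "amount": 6000},
        {"id": "T3", "account": "A-1", "amount": 450},
    ]
    for t in txns:
        eam.process(t, master, post_payment)
    return eam, alerts
```

The audit logic sits in the same code path as the live update, which is why changes to such a module need the same authorization and testing controls as the program it monitors.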
5. Source Data and 6. Data Files
Accuracy
Integrity
Security of data