chapter 11 auditing computer-based information systems copyright © 2012 pearson education, inc....

Chapter 11Auditing Computer-Based Information Systems

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-1

Learning Objectives

Describe the scope and objectives of audit work, and identify the major steps in the audit process.

Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.

Design a plan for the study and evaluation of internal control in an AIS.

Describe computer audit software, and explain how it is used in the audit of an AIS

Describe the nature and scope of an operational audit.

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 11-2

Auditing

The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria


Types of Audits

Financial Examines the reliability and integrity of:

Financial transactions, accounting records, and financial statements.

Information System Reviews the controls of an AIS to assess compliance with:

Internal control policies and procedures and effectiveness in safeguarding assets

Operational Economical and efficient use of resources and the accomplishment of

established goals and objectives

Compliance Determines whether entities are complying with:

Applicable laws, regulations, policies, and procedures

Investigative Incidents of possible fraud, misappropriation of assets, waste and abuse,

or improper governmental activities.


The Audit Process

Planning

Collecting Evidence

Evaluating Evidence

Communicating Audit Results


Planning the Audit

Why, when, how, whom

Work targeted to area with greatest risk: Inherent

Chance of risk in the absence of controls Control

Risk a misstatement will not be caught by the internal control system

Detection Chance a misstatement will not be caught by auditors

or their procedures


Collection of Audit Evidence

Not everything can be examined so samples are collected

Observation activates to be audited

Review of documentation Gain understanding of

process or control

Discussions

Questionnaires

Physical examination

Confirmations Testing balances with

external 3rd parties

Re-performance Recalculations to test

values

Vouching Examination of

supporting documents

Analytical review Examining

relationships and trends


Evaluation of Audit Evidence

Does evidence support favorable or unfavorable conclusion?

Materiality How significant is the impact of the evidence?

Reasonable Assurance Some risk remains that the audit conclusion is incorrect.


Communication of Audit Conclusion

Written report summarizing audit findings and recommendations: To management The audit committee The board of directors Other appropriate parties


Risk-Based Audit

Determine the threats (fraud and errors) facing the company. Accidental or intentional abuse and damage to which the system is

exposed

Identify the control procedures that prevent, detect, or correct the threats. These are all the controls that management has put into place and

that auditors should review and test, to minimize the threats

Evaluate control procedures. A systems review

Are control procedures in place Tests of controls

Are existing controls working

Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.


Information Systems Audit

Purpose: To review and evaluate the internal controls that protect

the system

Objectives:1. Overall information security

2. Program development and acquisition

3. Program modification

4. Computer processing

5. Source files

6. Data files


1. Information System Threats

Accidental or intentional damage to system assets

Unauthorized access, disclosure, or modification of data and programs

Theft

Interruption of crucial business activities


2. Program Development and Acquisition

Inadvertent programming errors due to misunderstanding system specifications or careless programming

Unauthorized instructions deliberately inserted into the programs

Controls: Management and user authorization and approval,

thorough testing, and proper documentation


3. Program Modification

Source Code Comparison Compares current program against source code for any

discrepancies

Reprocessing Use of source code to re-run program and compare for

discrepancies

Parallel Simulation Auditor-created program is run and used to compare

against source code


4. Computer Processing

System fails to detect: Erroneous input Improper correction of input errors Process erroneous input Improperly distribute or disclose output

Concurrent audit techniques Continuous system monitoring while live data are

processed during regular operating hours Using embedded audit modules

Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review


Types of Concurrent Audits

Integrated Test Facility Uses fictitious inputs

Snapshot Technique Master files before and after update are stored for specially marked

transactions

System Control Audit Review File (SCARF) Continuous monitoring and storing of transactions that meet pre-

specifications

Audit Hooks Notify auditors of questionable transactions

Continuous and Intermittent Simulation Similar to SCARF for DBMS


5. Source Data and6. Data Files

Accuracy

Integrity

Security of data


chapter 11 auditing computer-based information systems copyright © 2012 pearson education, inc....

Documents