Advanced Accounting
Information Systems
Day 18
IT Auditing Wrap-up /
Control Frameworks Introduction
October 5, 2009
Announcements
– Revised syllabus
– Assignment 3
– Assignment 4
Outline for today

Continuous auditing example

Hot dog cart case
Validating Computer Programs

Tests of programs change controls
– responsibility system of computer program development and
maintenance

Program comparison
– Control total tests

Review of systems software
– Operating system software
– Utility programs that do basic ‘housekeeping’ chores such as sorting and
copying
– Program library software that controls and monitors storage of programs
– Access control software that controls logical access to programs and data
files


Validating users and access privileges
Continuous auditing
–
–
–
–
–
Embedded audit modules or audit hooks (SCARF)
Exception reporting
Transaction tagging
Snapshot technique
Continuous and intermittent simulation
IT Auditing Today

Component of IT governance
– Process of using IT resources effectively to
meet organizational objectives
– Two objectives
• Focus on use of IT strategically to fulfill the
organizational mission and to compete
effectively
• Making sure that organization’s IT resources are
managed effectively and that management
controls IT related risks
Fraud triangle (SAS 99)



Incentive / pressure
Opportunity
rationalization
SOX



Section 201 – services outside scope of
practice of auditors
Section 302 – corporate responsibility for
financial reports
Section 404 – management assessment
of IC
– Small companies must now comply – see
SEC press release
Continuous Auditing

In groups of two to three, answer the
following questions:
– List two definitions of continuous auditing in
the paper and explain how they differ
– Develop your own definition of continuous
auditing
– Approximately what year did continuous
auditing start in?
Continuous Auditing

In groups of two to three, answer the
following questions:
– Identify factors influencing whether internal
auditing can be appraised as attaining
continuous auditing status
– How does continuous auditing differ from
continuous monitoring?
Continuous Auditing – American
Electric Power

In groups of two to three, answer the
following questions:
– How does American Electric Power
implement continuous auditing?
– What technology does American Electronic
Power internal auditing use to implement
continuous auditing
– What is a safety audit?
Continuous Auditing - Microsoft

In groups of two to three, answer the
following questions:
– What factors did Microsoft expect when it
developed its continuous auditing program?
– What problems did it actually encounter?
– Is Microsoft using continuous auditing or
continuous monitoring (or both) today?
Explain..
– How does Microsoft internal audit monitor is
business activities for possible fraud?
Continuous Auditing – Hospital
Corporation of America

In groups of two to three, answer the
following questions:
– How does Hospital Corporation of America
(HCA) determine which automated audits to
implement?
– Give examples of variables HCA monitors.
– How does HCA reduce the threat that senior
management could manipulate their
financial statements?
Hot Dog Cart Case

What business objectives do you expect
your new employee to achieve?

What operational and financial risks do
you face with allowing an employee to
run your hot dog cart?
Hot Dog Cart Case

How can the problem of lack of
segregation of duties be addressed
when you are away from the business?
Hot Dog Cart Case

What controls could you develop to
mitigate (notice I did NOT say completely
eliminate) the operational and financial
risks identified above while achieving
your business objectives?
Hot Dog Cart Case

How can we organize the controls
identified above to ensure that our
business objective is achieved?
Questions for Wednesday

Identify two control frameworks
discussed in our textbook and determine
if either framework would be useful if you
were considering expanding your hot
dog cart business