Lecture Note 10

IS 630: Accounting Information Systems
http://www.csun.edu/~dn58412/IS530/IS530_F15.htm
Auditing Computer-based Information Systems
Lecture 10
Learning Objectives
 Scope and objectives of audit work, and major steps in the audit process.
 Objectives of an information system audit, and the four-step approach necessary for meeting these objectives.
 Design a plan for the study and evaluation of internal control in an AIS.
 Describe computer audit software, and explain how it is used in the audit of an AIS.
 Describe the nature and scope of an operational audit.
IS 530 : Lecture 10
Auditing
 The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria
Types of Audits
 Financial
• Examines the reliability and integrity of:
o Financial transactions, accounting records, and financial statements.
 Information System
• Reviews the controls of an AIS to assess compliance with:
o Internal control policies and procedures and effectiveness in safeguarding assets
 Operational
• Economical and efficient use of resources and the accomplishment of established goals and objectives
 Compliance
• Determines whether entities are complying with:
o Applicable laws, regulations, policies, and procedures
 Investigative
• Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.
The Audit Process
 Planning
 Collecting Evidence
 Evaluating Evidence
 Communicating Audit Results
Planning the Audit
 Why, when, how, whom
 Work targeted to the area with the greatest risk:
• Inherent
o Chance of risk in the absence of controls
• Control
o Risk that a misstatement will not be caught by the internal control system
• Detection
o Chance that a misstatement will not be caught by auditors or their procedures
Collection of Audit Evidence
 Not everything can be examined, so samples are collected
 Observation
• Of the activities to be audited
 Review of documentation
• To gain understanding of a process or control
 Discussions
 Questionnaires
 Physical examination
 Confirmations
• Testing balances with external third parties
 Re-performance
• Recalculations to test values
 Vouching
• Examination of supporting documents
 Analytical review
• Examining relationships and trends
Evaluation of Audit Evidence
 Does the evidence support a favorable or unfavorable conclusion?
 Materiality
• How significant is the impact of the evidence?
 Reasonable Assurance
• Some risk remains that the audit conclusion is incorrect.
Communication of Audit Conclusion
 Written report summarizing audit findings and recommendations:
• To management
• The audit committee
• The board of directors
• Other appropriate parties
Risk-Based Audit
 Determine the threats (fraud and errors) facing the company.
• Accidental or intentional abuse and damage to which the system is exposed
 Identify the control procedures that prevent, detect, or correct the threats.
• These are all the controls that management has put into place, and that auditors should review and test, to minimize the threats
 Evaluate control procedures.
• A systems review
o Are control procedures in place?
• Tests of controls
o Are existing controls working?
 Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.
Information Systems Audit
 Purpose:
• To review and evaluate the internal controls that protect the system
 Objectives:
1. Overall information security
2. Program development and acquisition
3. Program modification
4. Computer processing
5. Source files
6. Data files
1. Information System Threats
 Accidental or intentional damage to system assets
 Unauthorized access, disclosure, or modification of data and programs
 Theft
 Interruption of crucial business activities
2. Program Development and Acquisition
 Inadvertent programming errors due to misunderstanding system specifications or careless programming
 Unauthorized instructions deliberately inserted into the programs
 Controls:
• Management and user authorization and approval, thorough testing, and proper documentation
3. Program Modification
 Source Code Comparison
• Compares the current program against the authorized source code for any discrepancies
 Reprocessing
• Use of the source code to re-run the program and compare the results for discrepancies
 Parallel Simulation
• An auditor-created program is run and its results are compared against those of the production program
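A worked illustration of the source code comparison technique, added here as an example and not part of the lecture: the auditor keeps a baseline of hashes for the approved source, recomputes hashes of what is in production, and reports files that are modified, missing, or not in the authorized set. All file names and contents are constructed.

```python
import hashlib
from typing import Dict, List


def sha256_hex(text: str) -> str:
    """Fingerprint a source file's contents (SHA-256, hex encoded)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample: the auditor's copy of the authorized (approved) source.
APPROVED_SOURCES: Dict[str, str] = {
    "payroll_calc.py": "def gross(hours, rate):\n    return hours * rate\n",
    "tax_table.py": "RATE = 0.20\n",
    "audit_log.py": "def log(event):\n    print(event)\n",
}
# Baseline the auditor holds: file name -> hash of the approved version.
AUTHORIZED_BASELINE: Dict[str, str] = {
    name: sha256_hex(src) for name, src in APPROVED_SOURCES.items()
}

# Constructed sample of what is actually running in production: the tax rate
# was quietly changed, the audit log file is gone, and an extra file appeared.
PRODUCTION_SOURCES: Dict[str, str] = {
    "payroll_calc.py": "def gross(hours, rate):\n    return hours * rate\n",
    "tax_table.py": "RATE = 0.02\n",
    "bonus_override.py": "def bonus(emp):\n    return 500 if emp == 'X' else 0\n",
}


def compare_sources(baseline: Dict[str, str], production: Dict[str, str]) -> List[str]:
    """Return one finding per discrepancy; an empty list means production matches."""
    findings: List[str] = []
    for name, expected in sorted(baseline.items()):
        if name not in production:
            findings.append(f"MISSING {name}: authorized file not found in production")
        elif sha256_hex(production[name]) != expected:
            findings.append(f"MODIFIED {name}: production hash differs from baseline")
    for name in sorted(set(production) - set(baseline)):
        findings.append(f"UNAUTHORIZED {name}: in production but not in authorized source")
    return findings


if __name__ == "__main__":
    for line in compare_sources(AUTHORIZED_BASELINE, PRODUCTION_SOURCES):
        print(line)
```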
4. Computer Processing
 Threats: the system
• Fails to detect erroneous input
• Improperly corrects input errors
• Processes erroneous input
• Improperly distributes or discloses output
 Concurrent audit techniques
• Continuous system monitoring while live data are processed during regular operating hours
• Using embedded audit modules
o Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review
Types of Concurrent Audits
 Integrated Test Facility
• Uses fictitious inputs
 Snapshot Technique
• Master files before and after update are stored for specially marked transactions
 System Control Audit Review File (SCARF)
• Continuous monitoring and storing of transactions that meet pre-specifications
 Audit Hooks
• Notify auditors of questionable transactions
 Continuous and Intermittent Simulation
• Similar to SCARF for a DBMS
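The embedded audit module, SCARF and audit hook ideas above, shown as an added example (not from the lecture): a module sits in the transaction processing loop, stores every live transaction that meets the auditor's pre-specifications in a SCARF, and fires an audit hook notification for the rules flagged as questionable. The rules, transaction fields and sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    user: str          # who entered the transaction
    amount: float
    hour: int          # hour of day entered (0-23)
    approved_by: str   # who approved it


# Auditor-defined pre-specifications (constructed): name -> predicate on a transaction.
SCARF_RULES: Dict[str, Callable[[Txn], bool]] = {
    "over_limit": lambda t: t.amount >= 10_000,
    "self_approved": lambda t: t.user == t.approved_by,
    "off_hours": lambda t: t.hour < 7 or t.hour >= 19,
}
# Subset of rules that also trigger an audit hook (immediate auditor notification).
HOOK_RULES = {"self_approved"}


class EmbeddedAuditModule:
    """Code segment placed inside the application's processing path."""

    def __init__(self, rules, hook_rules, notify: Callable[[str, List[str]], None]):
        self.rules, self.hook_rules, self.notify = rules, hook_rules, notify
        self.scarf_file: List[dict] = []   # stored exceptions, kept for auditor review

    def inspect(self, txn: Txn) -> List[str]:
        hits = [name for name, pred in self.rules.items() if pred(txn)]
        if hits:                              # SCARF: store what met the pre-specifications
            self.scarf_file.append({"txn_id": txn.txn_id, "rules": hits, "txn": txn})
            if any(h in self.hook_rules for h in hits):   # audit hook: notify now
                self.notify(txn.txn_id, hits)
        return hits


def process_batch(txns: List[Txn], alerts: List[Tuple[str, List[str]]]) -> EmbeddedAuditModule:
    """Run live transactions through the module; hook notifications land in `alerts`."""
    module = EmbeddedAuditModule(SCARF_RULES, HOOK_RULES, lambda tid, hits: alerts.append((tid, hits)))
    for t in txns:
        module.inspect(t)   # normal application processing of t would happen alongside
    return module


# Constructed sample transaction stream.
SAMPLE_TXNS = [
    Txn("T1", "alice", 250.00, 10, "bob"),
    Txn("T2", "carol", 12_500.00, 14, "dave"),
    Txn("T3", "erin", 900.00, 22, "erin"),
    Txn("T4", "frank", 40.00, 9, "grace"),
]
```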
5. Source Data & 6. Data Files
 Accuracy
 Integrity
 Security of data