Lecture Notes (12-Sep)

Information Systems Auditing (ISMT 350)
Week #2
Instructor: Professor J. Christopher Westland, PhD, CPA
Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec
Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003
Contact:
Office: 852 2358 7643
Email: westland@ust.hk
Fax: 852 2358 2421
URL: http://teaching.ust.hk/~ismt350/
Course Topics
Topic | Readings | Practicum Competency | Practicum Case Study
What is Information Systems (IS) Auditing? Industry Profile: The Job of the IS Auditor; Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller
Utility Computing and IS Service Organizations | Chapter 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
Physical Security | Chapter 7 | Inherent Risk and Control Risk | Comptronix Corporation
Logical Security | Chapter 8 | Evaluating the Internal Control Environment | Easy Clean
IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment | Cendant Corporation
Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems | St James Clothiers
Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement | Dell Computer
New Challenges from the Internet: Course Wrap-up | | Information Systems and | Henrico Retail
Logical Structure of the Course
With Readings from the Text
IS Auditing
• IS Components (Ch. 1 & 2)
• Controls over IS Assets (Ch. 7 & 8)
• Encryption (Ch. 11)
• Current and Future Issues in IS Auditing
• Audit Components (Ch. 3 & 4)
• Procedural Controls (Ch. 9)
• Audit Standards and Procedures (Ch. 10)
• Forensics and Fraud Audits (Ch. 12)
IS Audit Programs
The first step in Audits
[Diagram labels:
The Physical World: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions
The Parallel (Logical) World of Accounting: Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics
Auditing: Audit Program; Tests of Transactions; Analytical Tests; Substantive Tests; Attestation; Audit Report / Opinion
Corporate Law]
How Auditors Should Visualize Computer Systems
Audit Objectives
• Reporting Risks (External Audit)
• Control Process Risks (Internal & External Audits)
• Asset Loss Risks (Internal Audits)
Diagram layers
• Transaction Flows
• Business Application Systems
• Operating Systems (including DBMS, network and other special systems)
• Hardware Platform
• Physical and Logical Security Environment

The IS Auditor’s Challenge
Corporate Accounting is in a constant state of flux
Because of advances in Information Technology applied to Accounting
• Information that is needed for an Audit is often hidden from easy access by auditors
• Making computer knowledge an important prerequisite for auditing
IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

The Challenge to Auditing Presented by Computers
Transaction flows are less visible
• Fraud is easier
• Computers do exactly what you tell them
• To err is human
• But, to really screw up you need a computer
Audit samples require computer knowledge and access
Transaction flows are much larger (good for the company, bad for the auditor)
• Audits grow bigger and bigger from year to year
• And there is more pressure to eat hours
Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

The Challenge to Auditing Presented by The Internet
Transaction flows are External
External copies of transactions on many Internet nodes
External Service Providers for accounting systems
• require giving control to outsiders with different incentives
Audit samples may be impossible to obtain
• Because they require access to 3rd party databases
Transaction flows are intermingled between companies
Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

How Accounting has had to Change Because of Business Automation
[Figure labels: Material; Labor; Capital; Knowledge Base (uncertain claims, contributions and property rights); Knowledge Integrator; Manufacturing Specifications; Manufacturing Value Added; Finished Product; Consumer]
Ideas, not Things, have Value
[Chart: Asset Intensity (Fixed Assets / Sales) and 5-yr Shareholder Return %, rank ordered by increasing return]
… and these ideas are tracked in the computer

What is Auditing?
Nature of Procedures / Work
• Accountants prepare, analyze, and verify financial reports and taxes, and furnish this information to individuals and managers in business, industry, and government
• The three major fields in accounting are:
  • Auditing
  • Public Consulting
  • Corporate / Internal

Public Accounting
Auditor: An auditor examines an organization's financial statements, verifies the accuracy of the financial records, examines management procedures and internal controls to ensure accuracy, and checks for mismanagement, waste, or fraud.
• The auditor may review company operations for compliance with corporate policies, laws, and government regulations. The auditor reports to investors and authorities such as the federal government that financial statements have been prepared and reported correctly.
Other Public: Public accountants perform accounting, auditing, tax, and consulting activities for public accounting firms, their own businesses, governments, nonprofit organizations, or individuals.
• Typically, accountants specialize in one aspect of accounting, concentrating on taxes or bankruptcies, for example. Some become consultants who offer advice on compensation, employee benefits, the design of accounting processing systems, or how to safeguard assets.

Corporate / Internal
Often called management, industrial, or corporate accountants, private accountants record and analyze financial information for the employer and prepare financial reports for stockholders, creditors, regulatory agencies, and tax authorities.
• Duties may include budgeting, performance evaluation, cost management, and asset management. An accountant also may work as part of an executive team in strategic planning or new product development.
Entry-level private accountants often start as cost accountants, junior internal auditors, or as trainees for other accounting positions.

Qualifications
Auditors must have:
• the ability to analyze, compare, and interpret facts and figures quickly, and to make sound judgments based on this information
• good oral and written communication skills and well-developed interpersonal skills
• the ability to work in cross-functional teams
Business systems and computer skills are required.
Some employers prefer hiring individuals with a master's degree in accounting or a master's degree in business administration.
Most want to hire someone who is familiar with computers and accounting and internal auditing software applications.
Changing legislation regarding taxes, financial reporting standards, international competition, business investments, mergers, and other financial matters requires accountants and auditors to continuously update their knowledge.

CPAs
Most accounting positions require at least a bachelor's degree in accounting or a related field.
Based on recommendations made by the American Institute of Certified Public Accountants (AICPA), certified public accountant (CPA) candidates must complete 150 semester hours of college coursework – an additional 30 hours beyond the usual four-year bachelor's degree to become licensed.
CPA certificate applicants to have some accounting experience.
Almost all states require a CPA and other public accountants to complete a minimum number of hours of continuing education before a license can be renewed.

Employment Outlook
Job opportunities for accountants are expected to grow 10 to 40 percent per year through 2006 due to the increasing number of new businesses spurred by China’s growing economy.
Jobs with major accounting and business firms remain the most sought after by new graduates.
More jobs will be available replacing thousands of accountants and auditors who retire or transfer to other occupations each year.
Accountants and auditors who have earned certification or licensure or who have advanced degrees will have the best job prospects.

Audit Procedures
Analytical Review
• Tests for internal consistency of accounts, cross-sectional and over time
Internal Control Tests (Tests of Transactions; Mid-Year Tests)
• Tests that Actual Accounting System is doing what it should be
Substantive Tests
• Tests that Financial Statements accurately reflect reality (within material error)

Auditing = Statistics
All three classes of procedures share a goal with Statistics
Objective: use ‘data’ to guess what is ‘true’
Problems:
• Type I error: Auditor says F/S are Wrong when they are Fairly Stated
• Type II error: Auditor says F/S are Fairly Stated when they are Wrong
Consequence of either: LAWSUITS

Auditing Procedures
These are formally laid out in the Audit Program
• The Planning and Risk Assessment phase of the Audit
Writes the Audit Program
• Which is a sequence of Statistical Tests
• (Auditors call the sloppier of these ‘Judgment Tests’)

(Where Do Information Systems Fit in?)
Compare an Accounting Department in the early 1900s
Computers
Interface of the Future c. 1950 SAGE Computer
(Where Do Information Systems Fit in?)
With an Accounting Department in the 1970s
(Where Do Information Systems Fit in?)
With an Accounting Department Today (well … not
everywhere, but you see the potential….)
(Where Do Information Systems Fit in?)
With an Accounting Department of 2020 (… at least my
prediction….)

Industry Structure, c. 2006
Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2000 | US, India
Search & Storage | 1000 | 5000 | US
Tools | 300 | 300 | US, Germany
Embedded | 1500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2000 |
Total | 4,000 | 10,000 |
US, Germany, Japan, Greater China
GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
Tools & Toolsmiths
Hardware Taxonomy
• Central Processing Unit
• Cache
• Peripheral Processor (Video, Bus, Etc.)
• RAM / ROM
• Optical & Magnetic Media
• Network Devices
• Memory, from Fast to Slow
Software Taxonomy
• Operating Systems
• Specialized O/S
• Network O/S
• Utilities
• Database O/S
• Programming Languages, Tools & Environments
• Applications
• Utilities and Services
Major Players
Hardware, Software, Communication Leaders

IS Audit Programs
Chapter 2
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance
[Diagram: The Auditing World. The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions), The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics), Auditing (Audit Program; Tests of Transactions; Analytical Tests; Substantive Tests; Attestation; Audit Report / Opinion) and Corporate Law]
[Diagram: Auditors and Information Systems. Audit Objectives: Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Asset Loss Risks (Internal Audits). Layers: Transaction Flows; Business Application Systems; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment]

Flowcharting Accounting Systems
the first step in audit planning
A picture is worth 1000 words
Flowcharts are the accountants’ pictures / shorthand
They are the first step in an audit

A data flow diagram
Data Flow Diagram Notations
A process transforms incoming data flow into outgoing data flow.
Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.
Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through it.
External entities are entities outside the firm, with which the accounting system communicates
• E.g., vendors, customers, advertisers, etc.
• External entities are sources and destinations of the transaction input and
The Context diagram lists all of the external relationships

Flowcharting Accounting Systems … Levels
Context
DFD levels
known as Level 0) data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.
The first level DFD shows the main processes within the system.
Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place
If you use SmartDraw: Drawing Nested DFDs in SmartDraw. You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

The Datastore
The Datastore is used to represent Ledgers, Journals
Or more often in the current world
• Their computer implemented counterpart
• Since almost no one keeps physical records

Flowcharting Accounting Systems … Lower Level with Multiple Processes
Data Flow Diagram Layers
Draw data flow diagrams in several nested layers.
A single process node on a high level diagram can be expanded to show a more detailed data flow diagram

Control Concepts
Each bubble is associated with a person or entity that is responsible for that process
The same individuals with:
• Managerial Control
• Accountability
• Responsibility for the process
Should all be responsible for the same bubble

Internal Controls
Are processes that ensure procedures (bubbles) operate as they should
And produce accurate account values
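
The data flow diagram notation and the control concepts above, expressed as a checker an auditor could run over a diagram. This is an added example, not part of the original lecture notes; the accounts-payable diagram and the function names are constructed, and two rules are assumptions beyond the notes (data moves only through a process, and the Level 1 diagram carries the same external flows as the context diagram).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str

def check_level(processes, stores, externals, flows):
    """Findings for one DFD level; processes maps bubble name -> owner or None."""
    findings, nodes = [], set(processes) | stores | externals
    for f in flows:
        if not f.label.strip():
            findings.append(f"unlabelled flow: {f.src} -> {f.dst}")
        # Assumed convention (not stated in the notes): data moves only via a process.
        if f.src not in processes and f.dst not in processes:
            findings.append(f"flow bypasses every process: {f.src} -> {f.dst}")
        findings += [f"undefined node: {e}" for e in (f.src, f.dst) if e not in nodes]
    for name, owner in processes.items():
        if not owner:
            findings.append(f"no responsible owner: {name}")
        if not any(f.dst == name for f in flows):
            findings.append(f"no incoming flow: {name}")
        if not any(f.src == name for f in flows):
            findings.append(f"no outgoing flow: {name}")
    return sorted(findings)

def boundary(externals, flows):
    """Flows crossing the system boundary, as (entity, direction, label)."""
    return ({(f.src, "in", f.label) for f in flows if f.src in externals}
            | {(f.dst, "out", f.label) for f in flows if f.dst in externals})

def unbalanced(externals, context_flows, level1_flows):
    """Assumed check: boundary flows present on one level but not the other."""
    return sorted(boundary(externals, context_flows) ^ boundary(externals, level1_flows))

# Constructed sample: a small accounts-payable system (not from the lecture notes).
EXTERNALS, STORES = {"Vendor", "Bank"}, {"AP ledger"}
CONTEXT = [Flow("Vendor", "0 Accounts payable", "invoice"),
           Flow("0 Accounts payable", "Bank", "payment order"),
           Flow("0 Accounts payable", "Vendor", "remittance advice")]
PROCESSES = {"1 Record invoice": "AP clerk", "2 Approve payment": "Controller",
             "3 Pay vendor": None}
LEVEL1 = [Flow("Vendor", "1 Record invoice", "invoice"),
          Flow("1 Record invoice", "AP ledger", "payable entry"),
          Flow("AP ledger", "2 Approve payment", "open payables"),
          Flow("2 Approve payment", "3 Pay vendor", "approved payment"),
          Flow("3 Pay vendor", "Bank", "payment order"),
          Flow("Vendor", "AP ledger", "")]  # unlabelled and bypasses every process

if __name__ == "__main__":
    print(*check_level(PROCESSES, STORES, EXTERNALS, LEVEL1), sep="\n")
    print(*unbalanced(EXTERNALS, CONTEXT, LEVEL1), sep="\n")
```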
Prac·ti·cum (prăk-tĭ-kəm) noun
Lessons in a specialized field of study designed to
give students supervised practical application of
previously studied theory
No. | Student Competence | Case Study
1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
3 | Recognizing Fraud | The Anonymous Caller
4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
5 | Inherent Risk and Control Risk | Comptronix Corporation
6 | Evaluating the Internal Control Environment | Easy Clean
7 | Fraud Risk and the Internal Control Environment | Cendant Corporation
8 | IT-based vs. Manual Accounting Systems | St James Clothiers
9 | Materiality / Tolerable Misstatement | Dell Computer
10 | Analytical Procedures as Substantive Tests | Burlington Bees
11 | Information Systems and Audit Evidence | Henrico Retail

Practicum: Jacksonville Jaguars
Assurance Services for the Electronic Payments System of a privately held company
• Try making a simple flowchart of the system
• Identify benefits, costs and risks to businesses from implementing information technologies
• Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
• Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)