Chapter 7-1 Chapter 7-2 Auditing Information TechnologyBased Processes Accounting Information Systems, 1st Edition Study Objectives 1. An introduction to auditing IT processes 2. The various types of audits and auditors 3. Information risk and IT-enhanced internal control 4. Authoritative literature used in auditing 5. Management assertions used in the auditing process and the related audit objectives 6. The phases of an IT audit 7. The use of computers in audits 8. Tests of controls 9. Tests of transactions and tests of balances 10. Audit Completion/Reporting 11. Other audit considerations 12. Ethical issues related to auditing Chapter 7-3 Introduction to Auditing IT Processes Accounting services that improve the quality of information are called assurance services. An audit is the most common type of assurance service. Chapter 7-4 SO 1 An introduction to auditing IT processes Types of Audits and Auditors Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information. Three primary types of audits include compliance audits, operational audits, and financial statement audits. Chapter 7-5 SO 2 The various types of audits and auditors Types of Audits and Auditors Audits are typically conducted by accountants. Certified public accountants (CPAs) Internal auditor IT auditors Government auditors Chapter 7-6 SO 2 The various types of audits and auditors Types of Audits and Auditors IT environment plays a key role in how auditors conduct their work in the following areas: Consideration of risk Audit procedures used to obtain knowledge of accounting and internal control systems Design and performance of audit tests Chapter 7-7 SO 2 The various types of audits and auditors Types of Audits and Auditors Concept Check Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings? a. Financial statement audits b. Operational audits c. Regulatory audits d. Compliance audits Chapter 7-8 SO 2 The various types of audits and auditors Types of Audits and Auditors Concept Check Financial statement audits are required to be performed by a. government auditors. b. CPAs. c. internal auditors. d. IT auditors. Chapter 7-9 SO 2 The various types of audits and auditors Risk and IT-Enhanced Internal Control Information risk is the chance that information used by decision makers may be inaccurate. Following are some causes of information risk: Remoteness of information Volume and complexity of underlying data Motive of the preparer Chapter 7-10 SO 3 Information risk and IT-enhanced internal control Authoritative Literature Used in Auditing Sources of authoritative literature Generally accepted auditing standards (GAAS) Public Company Accounting Oversight Board (PCAOB) Auditing Standards Board (ASB) International Audit Practices Committee (IAPC) Information Systems Audit and Control Association (ISACA). Chapter 7-11 SO 4 Authoritative literature used in auditing Authoritative Literature Used in Auditing Concept Check Which of the following is not a part of generally accepted auditing standards? a. general standards b. standards of fieldwork c. standards of information systems d. standards of reporting Chapter 7-12 SO 4 Authoritative literature used in auditing Authoritative Literature Used in Auditing Concept Check Which of the following best describes what is meant by the term “generally accepted auditing standards”? a. Procedures used to gather evidence to support the accuracy of a client’s financial statements b. Measures of the quality of an auditor’s conduct c. Professional pronouncements issued by the Auditing Standards Board d. Rules acknowledged by the accounting profession because of their widespread application Chapter 7-13 SO 4 Authoritative literature used in auditing Authoritative Literature Used in Auditing Concept Check In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to a. document the auditor’s understanding of the client company’s internal controls. b. search for weaknesses in the operation of the client company’s internal controls. c. perform tests of controls to evaluate the effectiveness of the client company’s internal controls. d. determine whether controls are appropriately designed to prevent or detect material misstatements. Chapter 7-14 SO 4 Authoritative literature used in auditing Management Assertions and Audit Objectives Responsibility for the preparation of financial statements lies with management Management assertions are claims regarding the financial condition and results of operations. Existence/occurrence Valuation and Allocation Accuracy, Classification, Cutoff Completeness Rights and Obligations Audit tests developed for an audit client are documented in an audit program. Presentation and Disclosure Chapter 7-15 SO 5 Management assertions used in the auditing process and the related audit objectives Management Assertions and Audit Objectives Concept Check Auditors should design a written audit program so that a. all material transactions will be included in substantive testing. b. substantive testing performed prior to year end will be minimized. c. the procedures will achieve specific audit objectives related to specific management assertions. d. each account balance will be tested under either a substantive test or a test of controls. Chapter 7-16 SO 5 Management assertions used in the auditing process and the related audit objectives Management Assertions and Audit Objectives Concept Check Which of the following audit objectives relates to the management assertion of existence? a. A transaction is recorded in the proper period. b. A transaction actually occurred (i.e., it is real). c. A transaction is properly presented in the financial statements. d. A transaction is supported by detailed evidence. Chapter 7-17 SO 5 Management assertions used in the auditing process and the related audit objectives Phases of an IT Audit There are four primary phases to an IT audit: planning, tests of controls, substantive tests, and audit completion/reporting. Chapter 7-18 SO 6 The phases of an IT audit Phases of an IT Audit Chapter 7-19 SO 6 The phases of an IT audit Exhibit 7-4 Process Map of Phases of an Audit Phases of an IT Audit Audit evidence is proof of the fairness of financial information. Techniques for gathering evidence: physically examining or inspecting assets or supporting documentation obtaining written confirmations rechecking or recalculating information observing the underlying activities making inquiries of client personnel analyzing financial relationships and comparisons Chapter 7-20 SO 6 The phases of an IT audit Phases of an IT Audit Audit Planning Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives. Chapter 7-21 SO 6 The phases of an IT audit Phases of an IT Audit Audit Planning Chapter 7-22 Exhibit 7-5 Audit Planning Phase Process Map SO 6 The phases of an IT audit Phases of an IT Audit Concept Check Risk assessment is a process designed to a. identify possible events that may effect the business. b. establish policies and procedures to carry out internal controls. c. identify and capture information in a timely manner. d. test the internal controls throughout the year. Chapter 7-23 SO 6 The phases of an IT audit Phases of an IT Audit Concept Check Which of the following audit procedures is most likely to be performed during the planning phase of the audit? a. Obtain an understanding of the client’s risk assessment process. b. Identify specific internal control activities that are designed to prevent fraud. c. Evaluate the reasonableness of the client’s accounting estimates. d. Test the timely cutoff of cash payments and collections. Chapter 7-24 SO 6 The phases of an IT audit Use of Computers in Audits Auditing around the computer Auditing through the computer Auditing with the computer Chapter 7-25 Computer-assisted audit techniques (CAATs) SO 7 The use of computers in audits Use of Computers in Audits Concept Check Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer? a. The time involved in testing processing controls is significant. b. The cost involved in testing processing controls is significant. c. A portion of the audit trail is not tested. d. The technical expertise required to test processing controls is extensive. Chapter 7-26 SO 7 The use of computers in audits Tests of Controls Exhibit 7-6 Control Testing Phase Process Map Tests of controls involve audit procedures designed to evaluate both general controls and application controls. Chapter 7-27 SO 8 Test of controls Tests of Controls General Controls Two broad categories of general controls that relate to IT systems: IT administration and related operating systems development and maintenance processes Security controls and related access issues Chapter 7-28 SO 8 Test of controls Tests of Controls General Controls IT Administration Audit tests include review for the existence and communication of company policies regarding: personal accountability and segregation of incompatible responsibilities job descriptions and clear lines of authority computer security and virus protection IT systems documentation Chapter 7-29 SO 8 Test of controls Tests of Controls General Controls Security Controls To test external access controls, auditors may perform: Authenticity tests. Penetration tests Vulnerability assessments Review access logs to identify unauthorized users or failed access attempts Chapter 7-30 SO 8 Test of controls Tests of Controls Application Controls Computerized controls over application programs. Auditors should test Systems documentation Main functions of the computer applications input, processing, and output. Chapter 7-31 SO 8 Test of controls Tests of Controls Application Controls Input Controls 1. Financial totals 2. Hash totals 3. Completeness or redundancy tests 4. Limit tests 5. Validation checks 6. Field checks Chapter 7-32 SO 8 Test of controls Tests of Controls Application Controls Processing Controls, techniques for testing 1. Test data method 2. Program tracing 3. Integrated test facility 4. Parallel simulation 5. Embedded audit modules Chapter 7-33 SO 8 Test of controls Tests of Controls Application Controls Output Controls 1. Reasonableness tests 2. Audit trail tests 3. Rounding errors tests Chapter 7-34 SO 8 Test of controls Tests of Controls Concept Check The primary objective of compliance testing in a financial statement audit is to determine whether a. procedures have been updated regularly. b. financial statement amounts are accurately stated. c. internal controls are functioning as designed. d. collusion is taking place. Chapter 7-35 SO 8 Test of controls Tests of Controls Concept Check Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system? a. Test data method b. Embedded audit module c. Integrated test facility d. Parallel simulation Chapter 7-36 SO 8 Test of controls Tests of Controls Concept Check Which of the following is a general control to test for external access to a client’s computerized systems? a. Penetration tests b. Hash totals c. Field checks d. Program tracing Chapter 7-37 SO 8 Test of controls Tests of Transactions and Balances Substantive Testing - tests of accuracy of monetary amounts of transactions and account balances. Computerized auditing tools make it possible for more efficient audit tests such as: mathematical and statistical calculations data queries identification of missing items in a sequence stratification and comparison of data items selection of items of interest from the data files summarization of testing results into a useful format for decision making Chapter 7-38 SO 9 Test of transactions and tests of balances Tests of Transactions and Balances Exhibit 7-9 Substantive Testing Phase Process Map Chapter 7-39 SO 9 Test of transactions and tests of balances Tests of Transactions and Balances Concept Check Generalized audit software can be used to a. examine the consistency of data maintained on computer files. b. perform audit tests of multiple computer files concurrently. c. verify the processing logic of operating system software. d. process test data against master files that contain both real and fictitious data. Chapter 7-40 SO 9 Test of transactions and tests of balances Audit Completion/Reporting Four basic types of reports: 1. Unqualified opinion 2. Qualified opinion 3. Adverse opinion 4. Disclaimer The most important task is obtaining a letter of representations from client management. Chapter 7-41 SO 10 Audit Completion/Reporting Audit Completion/Reporting Exhibit 7-10 Audit Completion/Reporting Phase Process Map Chapter 7-42 SO 10 Audit Completion/Reporting Other Audit Considerations Different IT Environments Using PCs, companies may use IT environments that involve networks, database management systems, and/or e-commerce systems. Chapter 7-43 SO 11 Other audit considerations Other Audit Considerations Changes in a Client’s IT Environment Auditors must consider whether additional audit testing is needed. Specific audit tests include verification of: Assessment of user needs Authorization for new projects and program changes Adequate feasibility study and cost–benefit analysis Proper design documentation Proper user instructions Adequate testing before system is put into use Chapter 7-44 SO 11 Other audit considerations Other Audit Considerations Sampling Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results. Chapter 7-45 SO 11 Other audit considerations Other Audit Considerations Concept Check Independent auditors are generally actively involved in each of the following tasks except: a. Preparation of a client’s financial statements and accompanying notes b. Advising client management as to the applicability of a new accounting standard c. Proposing adjustments to a client’s financial statements d. Advising client management about the presentation of the financial statements Chapter 7-46 SO 11 Other audit considerations Other Audit Considerations Concept Check Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions? a. Due professional care b. Competence c. Independence d. A complex underlying body of professional knowledge Chapter 7-47 SO 11 Other audit considerations Other Audit Considerations Concept Check Which of the following terms is not associated with the auditor’s requirement to maintain independence? a. Objectivity b. Neutrality c. Professional skepticism d. Competence Chapter 7-48 SO 11 Other audit considerations Ethical Issues Related to Auditing AICPA Code of Professional Conduct Six principles of the code: Chapter 7-49 Auditors must practice professional skepticism 1. Responsibilities. 2. The Public Interest. 3. Integrity. 4. Objectivity and Independence. CPAs 5. Due Care 6. Scope and Nature of Services SO 12 Ethical issues related to auditing Copyright Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein. Chapter 7-50 Overview of ERP Systems Concept Check Manufacturing companies implement ERP systems for the primary purpose of a. Increasing productivity. b. Reducing inventory quantities. c. Sharing information. d. Reducing investments. Chapter 7-51 SO 1 The overview of an ERP system