File - TLA2 Portfolio

Week 11
Accounting Information Systems
Romney and Steinbart
Linda Batch
March 2012
Learning Objectives
• Auditing Computer-based Systems (Chapter 11)
– Overview of audit process
– 5 objectives of Information Systems Audits
• Systems Development (Chapter 20)
– The Systems Development Lifecycle
• Microsoft Access
– Creating Forms
– Creating Macros and Switchboard
• Work on Assignment 4
• Quiz (Chapter 7 and Chapter 8)
Chapter 11 – Auditing Computer Based AIS
• Definitions
– Auditing is the systematic process of obtaining and evaluating evidence
to determine how well activities correspond with established criteria
– Internal Audit is an independent, objective assurance and consulting
activity designed to improve organizational effectiveness and efficiency
• There are several different types of audits
– Financial audit – reliability and integrity of financial statements
– Information systems audit – controls of an AIS
– Operational audit – economic use of company resources and
achievement of organizational objectives
– Compliance audit – evaluates compliance with applicable laws and
regulations
– Investigative audit – investigates potential fraud, misappropriation of
assets, and improper governance of activities
Chapter 11 – Auditing Computer Based AIS
• Overview of the Audit Process
– Audit Planning
– Collection of Audit Evidence
– Evaluation of Audit Evidence
– Communication of Audit Results
• An audit is planned so the greatest amount of audit work
focusses on areas with the highest risk factors.
– Inherent risk - susceptibility to material risk in the absence of
controls
– Control risk - risk a material misstatement will get through the
internal control structure and into the financial statements
– Detection risk – risk the auditors and their procedures will fail to
detect a material error or misstatement
Chapter 11 – Risk Based Audit Approach
• The risk based audit approach provides a framework for
conducting information systems audits (or any kind of
audit for that matter)
– Determine the threats facing the company
– Identify the control procedures that prevent, detect, or correct
the threats
– Evaluate the control procedures
– Evaluate control weaknesses to determine their effect on the
nature, timing or extent of auditing procedures (are there
compensating controls?)
Ch. 11 – Six Objectives of an Information Systems Audit
• Purpose is to review and evaluate the internal controls that
protect the system
• There are six objectives to an information systems audit
– Overall systems security is effective
– Program development and acquisition is controlled
– Programming modifications are authorized and approved
– Transaction processing is accurate and complete
– Source data that is not accurate is identified
– Storage of data files are accurate, complete, and confidential
Chapter 11 – Information Systems Audits
• There are frameworks for each of these six
objectives
• Each framework identifies
– The types of errors and fraud
– Control procedures
– Audit procedures
– Audit procedures – test of controls
– Compensating controls
Chapter 11 – Examples of Audit Techniques
• Objective 3 - Program Modifications
– Source code comparison program
– Reprocessing data
– Parallel simulation
• Objective 4 – Audit Process Controls
– Concurrent audit techniques continually monitor the system using
embedded audit modules. Types of concurrent techniques are:
– Integrated test facility (ITF) where a fictitious division is created and
transactions are created that will not be included in the corporate
results
– Snapshot technique where select transactions are tagged with a
special code and these are reviewed by internal audit
– Systems Control Audit Review file (SCARF) – continually monitors
transactions and collects them into a log for periodic review
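The three concurrent techniques above, sketched as one embedded audit module. This is an added example, not part of the original slides; the division code, the threshold, the self-approval criterion and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
ITF_DIVISION = "DIV-999"   # assumed code for the fictitious ITF division
SCARF_LIMIT = 10_000       # assumed auditor-defined review threshold

@dataclass
class Txn:
    txn_id: str
    division: str
    user: str
    approver: str
    amount: float
    snapshot: bool = False  # special tag set by internal audit

@dataclass
class AuditModule:
    scarf_log: list = field(default_factory=list)   # reviewed periodically
    snapshots: list = field(default_factory=list)   # tagged-transaction trail

    def scarf(self, t):
        """SCARF: log every transaction that meets the audit criteria."""
        reasons = []
        if t.amount >= SCARF_LIMIT:
            reasons.append("amount_over_limit")
        if t.user == t.approver:
            reasons.append("self_approved")
        if reasons:
            self.scarf_log.append((t.txn_id, reasons))

    def snap(self, t, stage, total):
        """Snapshot: record system state around tagged transactions only."""
        if t.snapshot:
            self.snapshots.append((t.txn_id, stage, total))

def post_all(txns, audit):  # toy posting routine with the audit module embedded
    corporate_total = 0.0
    for t in txns:
        audit.scarf(t)
        audit.snap(t, "before_post", corporate_total)
        if t.division != ITF_DIVISION:   # ITF entries stay out of corporate results
            corporate_total += t.amount
        audit.snap(t, "after_post", corporate_total)
    return corporate_total

# Constructed sample data; T4 is an auditor's ITF test transaction.
SAMPLE = [
    Txn("T1", "DIV-100", "alice", "bob", 250.00),
    Txn("T2", "DIV-100", "carol", "carol", 980.00),
    Txn("T3", "DIV-200", "dave", "erin", 15000.00, snapshot=True),
    Txn("T4", ITF_DIVISION, "auditor", "auditor", 12000.00),
]
```

The ITF transaction T4 still lands in the SCARF log, which is how the auditor confirms the controls fire on it, while the corporate total excludes it.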
Chapter 11 – Audit Software
• Computer-Assisted Audit Techniques
– CAATS (often called generalized audit software (GAS))
– Uses audit supplied specifications to generate a program that
performs audit functions
– The program uses a copy of the live data to perform auditing
procedures
• Ernst and Young uses CAATS to create samples of transactions for
review during their external audit
Chapter 11 – Audit Software – Chapter 11 Checkpoint
1. Which of the following is a characteristic of auditing?
a. Auditing is a systematic, step-by-step process
b. Auditing involves the collection and review of evidence
c. Auditing involves the use of established criteria to evaluate evidence
d. All of the above
2. Which type of audit involves a review of general and application controls
to determine compliance with policies and adequate safeguarding of
assets?
a. Information systems audit
b. Financial audit
c. Operational audit
d. Compliance audit
Chapter 11 – Audit Software – Chapter 11 Checkpoint
3. At what step in the audit process do the concepts of reasonable
assurance and materiality enter into the auditor’s decision process?
a. Planning
b. Evidence collection
c. Evidence evaluation
d. They are important in all three steps
4. What is the four step approach to internal control evaluation that
provides a logical framework for carrying out an audit?
a. Inherent risk analysis
b. Systems review
c. Tests of controls
d. A risk-based approach to auditing
Chapter 11 – Audit Software – Chapter 11 Checkpoint
5. Which of the following is a concurrent audit technique that monitors all
transactions and collects transactions that meet certain criteria?
a. ITF – integrated test facility
b. Snap shot technique
c. SCARF – Systems control audit review file
d. Audit hooks
6. Which of the following is a computer program written specifically for
audit use?
a. GAS
b. CATAS
c. ITF
d. CIS
7. True or False: If it is found that system changes are not appropriately
authorized, tested or approved, system output may be unreliable.
Chapter 11 – Audit Software – Chapter 11 Checkpoint
8. The focus of an operational audit is?
a. Reliability and integrity of financial information
b. All aspects of information systems management
c. Internal controls
d. Safeguarding assets
9. The six objectives for information systems audits are?
a. Overall systems security
b. Program development and acquisition
c. Program modification
d. Computer processing
e. Source data
f. Data files
g. All of the above
Chapter 11 – Audit Software – Chapter 11 Checkpoint
10. The four steps in the audit process include?
a. Audit planning
b. Collection of audit evidence
c. Evaluation of audit evidence
d. Communication of audit results
e. All of the above
11. Three ways an auditor can test for unauthorized program changes are?
a. Use a source code comparison program
b. Use a reprocessing technique
c. Use parallel simulation
d. All of the above
Chapter 20 – Systems Development and Analysis
• Due to the increasingly competitive nature of business,
companies are constantly improving or replacing their
information systems. Reasons to change the system are:
– Changes in user or business needs
– Technological changes
– Improved business processes
– Competitive advantage
– Productivity gains
– Systems Integration
– Systems age and need to be replaced
Know three
Chapter 20 – Systems Development and Analysis
• Absolutely critical that software implementations are done
well
– 70% of software development projects were late
– 54% are over budget
– 30% are cancelled prior to completion
– 75% of all large systems are not used, are not used as intended, or
generate meaningless reports or inaccurate
• Skipping or skimping on systems development processes can
lead to “runaways” that consume time and money
Chapter 20 – Systems Development Lifecycle
• SDLC
– Systems Analysis – feasibility study and assess information
needs
– Conceptual Design – evaluate design alternatives and deliver
conceptual design requirements
– Physical Design – develop input, output, database, programs,
procedures, controls, deliver the system
– Implementation and Conversion – develop an
implementation and conversion plan, install, train, test,
convert, deliver an operational system
– Operations and Maintenance – post-implementation review,
operate, modify, ongoing maintenance, and improve
• The Players
– Management, Accountants and Other Users, IS Steering
Committee, Project Development Team, Systems analysts and
Programmers, External Players
[Figure: the SDLC stages in sequence: Systems analysis, Conceptual system design, Physical design, Implementation and conversion, Operation and maintenance]
Chapter 20 – Planning the Development
• Planning enables the systems goals and objectives to
correspond to the organization’s strategic plans
– Efficiency in design and coordinated with subsystems
– Alignment of technologies
– No duplication of effort
– Staffing / skill sets will be planned
• Two plans are needed
– Project Development Plan
• Relates to a specific project, is prepared by the project team, and contains a cost /
benefit analysis, project requirements and a schedule of activities
– Master Plan
• Long range planning, is prepared by the steering committee, specifies what will be
developed, how it will be developed, who will develop it, resources required, and
when it will be developed – creates a prioritized inventory of projects
Chapter 20 – Planning Techniques
• GANTT Chart
– Bar chart with project activities on the left side and units of time
across the top (Figure 20-3)
– For each activity there is an arrow across that indicates the start and
end date of an activity
• PERT Chart – Program Evaluation and Review Technique
– All activities and the precedent and subsequent relationships among
them are identified and used to draw a PERT diagram
– The PERT diagram identifies the items that determine the project
critical path
– The critical path items are those items that, in aggregate, influence the
project duration (greatest amount of time)
Chapter 20 – Feasibility Analysis
• Feasibility Study or Business Case
– Prepared during the systems analysis and updated as necessary
during the Systems Development Life Cycle.
– All stakeholders should have input into the feasibility study
– At major decision points the steering committee reassesses feasibility
to decide whether to terminate a project or to proceed (go/no go
decision)
– Economic, technical, legal, scheduling, operational feasibility needs to
be considered during this phase
– Capital budgeting techniques such as Payback period, Net Present
Value, Internal Rate of Return, are used to determine whether a
project is feasible (methods to compare very different projects)
– A project should be evaluated on both tangible and intangible
benefits
Chapter 20 – Behavioural Aspects of Change
• How People Resist Change
– Failure to provide developers with information, tardiness, or subpar
performance
• Resistance takes three forms
– Aggression – behaviour that destroys, cripples, or weakens system
effectiveness such as increased error rates, disruptions or sabotage
– Projection – blaming the new system for everything that goes wrong.
The criticisms must be controlled and answered, systems integrity can
be damaged or destroyed
– Avoidance – ignoring the system and hoping that it goes away.
Eliminate the options to avoid its use and / or eliminate the
employees that do not adopt the technology
Chapter 20 – Behavioral Aspects of Change
• Preventing Behavioural Problems
– Obtain Management Support
– Meet user needs
– Involve users – users who participate are more knowledgeable, better
trained and committed
– Avoid emotionalism
– Performance evaluations should be reexamined to ensure they are
congruent with the new system
– Keep communication lines open
– Test the system
– Control user expectations by being realistic when describing the
merits of the system
Chapter 20 – Systems Development Checkpoint
1. Which of the following is a planning technique that identifies the critical
path of a project?
a. GANTT chart
b. PERT chart
c. Physical model
d. Data flow diagram
2. Which is the long range planning document that specifies the IT
strategic plan?
a. Steering committee agenda
b. Master Plan
c. Systems development life cycle
d. Project development plan
Chapter 20 – Systems Development Checkpoint
3. True or False - Resistance is often a reaction to the methods of instituting
change rather than to change itself.
4. Increased error rates, disruptions, and sabotage are examples of what?
a. Aggression
b. Avoidance
c. Projection
d. Payback
5. What is often the most significant problem a company encounters in
designing, developing, and implementing a system?
a. The human element
b. Technology
c. Legal challenges
d. Planning for a new system
Chapter 20 – Systems Development Checkpoint
6. Determining whether the organization has access to people who can
design, implement, and operate the proposed system is?
a. Technical feasibility
b. Operational feasibility
c. Legal feasibility
d. Scheduling feasibility
e. Economic feasibility
7. Which of the following are potential tangible or intangible benefits of a
new computer system?
a. Cost savings
b. Improved customer service and productivity
c. Improved decision making
d. Improved data processing
e. All of the above
Chapter 20 – Systems Development Checkpoint
8. Identify the five steps in the systems development life cycle (SDLC).
a. Systems analysis
b. Conceptual design
c. Physical design
d. Implementation and conversion
e. Operations and maintenance
9. Three commonly used capital budgeting techniques that are used to
assess and compare the cost benefits of projects are:
a. NPV
b. IRR
c. Payback period
d. SLC
e. All of the above
Ch. 11 – Systems Auditing – Review for Final
• What is auditing and internal audit (slide 2)
• Five different audit types (slide 2)
• Four stages of the audit process
• Know what a risk based audit approach is (do not worry about the 4
steps)
• Six objectives for an IS audit – be able to name them on fig. 11-2 (slide 7)
• Three examples of objective 3 – program modifications
• Three examples of objective 4 – audit process controls
• Computer assisted audit techniques (CAATS, GAS)
Ch. 20 – Systems Development – Review for Final
• Two types of plans used in IS system development planning
• GANTT and PERT Charts (what they are, how they differ)
• How people resist change - three forms of resistance – aggression,
projection, avoidance
• Preventing behavioural problems (know 4)