Core Concepts of
ACCOUNTING INFORMATION SYSTEMS
Moscove, Simkin & Bagranoff
Developed by:
Marianne Bradford, Ph.D.
Bryant College
John Wiley & Sons, Inc.
Chapter 10
Auditing Computerized Accounting Information Systems
• Introduction
• The Audit Function
• Auditing Computerized Accounting Information Systems
• Auditing with the Computer
• Auditing in the Information Age
The Audit Function
• The audit is to examine and to assure.
• The nature of auditing differs according to the subject under examination.
• Audits can be internal audits, external audits, and audits of information systems.
Internal versus External Auditing
• In an internal audit a company’s own
accounting employees perform the audit.
• Accountants working for an
independent CPA firm normally
perform the external audit.
• The chief purpose of the external
audit is the attest function.
• The fairness evaluation of
financial statements in an external
audit is conducted according to GAAP.
• Fraud auditors specialize in investigating
fraud.
Information Systems Auditing
• Information systems auditing or electronic
data processing (EDP) auditing involves
evaluating the computer’s role in achieving
audit and control objectives.
• The AIS components of a computer-based
AIS are people, procedures, hardware, data
communications, software and databases.
• These components are a system of interacting
elements that auditors examine to accomplish
the purposes of their audits.
The Information Systems Audit Process
• If computer controls are weak or nonexistent,
auditors will need to do more substantive
testing, or detailed tests of transactions and
account balances.
• Compliance testing is performed to ensure that
the controls are in place and working as
prescribed.
– This may entail using computer-assisted
audit techniques (CAATs) to audit through
the computer.
Careers in Information Systems Auditing
• Information systems auditors may choose to
obtain professional certification as a Certified
Information Systems Auditor (CISA).
• Applicants must pass an examination given by
the Information Systems Audit and Control
Association (ISACA).
• Specialized skills and a broad-based set of technical knowledge are needed.
Risk Assessment
• An external auditor’s main objective in
reviewing information systems control
procedures is to evaluate the risks to the
integrity of accounting data presented in
financial reports.
• A secondary objective is to make
recommendations to managers
about improving these
controls.
Risk-Based Audit Approach
• Determine threats facing the AIS.
• Identify the control procedures that should be
in place to minimize threats.
• Evaluate the control procedures within the AIS
(systems review).
• Evaluate weaknesses within the
AIS to ascertain their effect
on auditing procedures.
Information Systems Risk Assessment
• Information Systems Risk Assessment evaluates the
desirability of IT-related controls for a particular
aspect of business risk.
• Auditors and managers must answer each of the
following questions:
– What assets or information does the company have that
unauthorized individuals would want?
– What is the value of these identified assets or information?
– How can unauthorized individuals obtain valuable assets
or information?
– What are the chances of unauthorized individuals
obtaining valuable assets or information?
Guidance in Reviewing and Evaluating IT Controls
• Systems Auditability and Control (SAC) report
identifies important information technologies
and the specific risks related to these
technologies.
• Control Objectives for Information and
Related Technology (COBIT) provides auditors
with guidance in assessing and controlling for
business risk associated with IT environments.
Objectives of an Information Systems Audit
• As part of the process of performing an IT audit,
auditors should determine that the following objectives
are met:
– Security provisions protect computer equipment, programs,
communications, and data from unauthorized access,
modification, or destruction.
– Program development and acquisition are performed in
accordance with management’s authorization.
– Program modifications have authorization and approval from
management.
– Processing of transactions, files, reports, and other computer
records is accurate and complete.
– Source data that are inaccurate or improperly authorized are
identified and handled according to prescribed managerial
policies.
– Computer data files are accurate, complete, and confidential.
Auditing Computerized AIS - Auditing Around the Computer
• Auditing around the computer assumes that the
presence of accurate output verifies proper
processing operations.
• This type of auditing pays little or no attention
to the control procedures within the IT
environment.
• Generally not an effective approach
to auditing a computerized
environment.
Auditing Computerized AIS - Auditing Through the Computer
• When auditing through the computer, an
auditor follows the audit trail through the
internal computer operations phase of
automated data processing.
• Through-the-computer auditing attempts
to verify the processing controls involved
in the AIS programs.
Approaches to Auditing through the Computer
Primary approaches to auditing through the computer using CAATs are:
1. testing programs
2. validating computer programs
3. reviewing systems software
4. continuous auditing.
Testing Computer Programs - Test Data
• The test data approach uses a set of
hypothetical transactions to test the edit
checks in programs.
• Auditor should use as many different
exception situations as possible.
• Auditor can also use software programs called
test data generators to develop a set of test
data.
Testing Computer Programs - Integrated Test Facility
• An Integrated Test Facility (ITF) is effective in
evaluating integrated online systems and complex
programming logic.
• Its purpose is to audit an AIS in an operational
setting.
• The auditor’s role is to examine results of
transaction processing to find out how
well the AIS does the tasks required of it.
• An auditor will introduce artificial transactions
into the data processing stream of the AIS.
Testing Computer Programs - Parallel Simulation
• With Parallel Simulation, the auditor uses live
input data, rather than test data, in a program
written or controlled by the auditor.
• The auditor’s program simulates all or some of
the operations of the real program that is
actually in use.
• Auditors need complete understanding of client
system and sufficient technical knowledge.
• Parallel simulation eliminates the need to
prepare a set of test data.
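The two techniques from the test data and parallel simulation slides, as an added example that is not from the textbook: a constructed stand-in for a client's payroll program (with an incomplete hours check and no overtime premium, so there is something to find), the auditor's own program written from the documented processing rules, a set of hypothetical transactions covering exception situations, and a comparison of the client's recorded gross pay against the auditor's recomputation on live input. All employee IDs, rates and amounts are constructed sample values.

```python
from decimal import Decimal

def valid_id(emp_id):
    return emp_id.startswith("E") and emp_id[1:].isdigit()

def client_payroll(emp_id, hours, rate):
    """Constructed stand-in for the client's program: (status, gross pay).
    Two defects are built in for illustration: no upper bound on hours,
    and no overtime premium above 40 hours."""
    if not valid_id(emp_id) or hours < 0 or rate <= 0:
        return ("REJECT", None)
    return ("ACCEPT", hours * rate)

def auditor_payroll(emp_id, hours, rate):
    """Auditor-written simulation of the documented processing rules."""
    if not valid_id(emp_id) or not 0 <= hours <= 80 or rate <= 0:
        return ("REJECT", None)
    overtime = max(hours - 40, 0)
    gross = (hours - overtime) * rate + overtime * rate * Decimal("1.5")
    return ("ACCEPT", gross.quantize(Decimal("0.01")))

# Test data approach: hypothetical transactions, including as many exception
# situations as practical, with the outcome the documented edit checks require.
TEST_DATA = [
    ("E1001", 40, Decimal("20.00"), "ACCEPT"),  # normal transaction
    ("X1001", 40, Decimal("20.00"), "REJECT"),  # malformed employee ID
    ("E1002", -5, Decimal("20.00"), "REJECT"),  # negative hours
    ("E1003", 40, Decimal("0.00"), "REJECT"),   # zero pay rate
    ("E1004", 95, Decimal("20.00"), "REJECT"),  # hours above the 80-hour limit
]

def run_test_data(program):
    """Return the IDs of test transactions whose edit-check outcome was wrong."""
    return [emp for emp, h, r, expected in TEST_DATA
            if program(emp, h, r)[0] != expected]

# Parallel simulation: live input plus the gross pay the client's program
# actually produced (constructed sample), recomputed by the auditor's program.
LIVE_RECORDS = [
    ("E2001", 38, Decimal("25.00"), Decimal("950.00")),
    ("E2002", 45, Decimal("20.00"), Decimal("900.00")),   # overtime not paid
    ("E2003", 40, Decimal("30.00"), Decimal("1200.00")),
]

def parallel_simulation(records):
    """Return (emp_id, client_gross, auditor_gross) for every difference."""
    exceptions = []
    for emp, h, r, client_gross in records:
        status, auditor_gross = auditor_payroll(emp, h, r)
        if status != "ACCEPT" or auditor_gross != client_gross:
            exceptions.append((emp, client_gross, auditor_gross))
    return exceptions
```

Running the test data against the stand-in exposes only the missing hours limit; the missing overtime premium surfaces only when live records are recomputed, which is why the two techniques complement each other.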
Validating Computer Programs
• Auditors must validate any program
presented to them.
• Procedures that assist in program
validation are 1) tests of program change
control, 2) program comparison, and 3)
surprise audits and surprise use of
programs.
Tests of Program Change Control
• Program change control is a set of
internal controls developed to ensure
against unauthorized program changes.
• Requires documentation of every request
for application program changes.
• Test begins with inspection of
documentation maintained by
information processing subsystem.
Program Comparison
• To guard against unauthorized program
tampering, a test of length control total can be
performed.
• A comparison program can compare code line-by-line to ensure consistency between the authorized version and the version being used.
• Both tests can detect Trojan horse
computer programs.
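The two program comparison tests described above, as an added example that is not from the textbook: a length control total and a line-by-line comparison of the authorized source against the version found in the production library. The program text and the inserted line are constructed samples. The example goes one step beyond the slide by also computing a SHA-256 digest, because a length control total alone cannot detect an edit that keeps the program the same size.

```python
import difflib
import hashlib

# Constructed sample: the authorized source held by the auditor, the version
# in use (one unauthorized line inserted), and a same-length alteration.
AUTHORIZED = """\
READ PAYROLL-MASTER
COMPUTE GROSS = HOURS * RATE
IF HOURS > 40 THEN COMPUTE GROSS = GROSS + (HOURS - 40) * RATE * 0.5
WRITE PAYROLL-REGISTER
"""
IN_USE = AUTHORIZED.replace(
    "WRITE PAYROLL-REGISTER",
    'IF EMP-ID = "E9999" THEN CALL UNDOCUMENTED-ROUTINE\nWRITE PAYROLL-REGISTER')
SAME_LENGTH = AUTHORIZED.replace("* 0.5", "* 0.7")

def length_control_total(source):
    """Length control total: (line count, byte count) of the program text."""
    return (source.count("\n"), len(source.encode("utf-8")))

def digest(source):
    """SHA-256 of the source; catches edits that preserve the length total."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def compare_programs(authorized, in_use):
    """Line-by-line comparison: lines removed from ('-') or added to ('+')
    the authorized version, without unified-diff file headers or hunk markers."""
    diff = difflib.unified_diff(authorized.splitlines(), in_use.splitlines(),
                                lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]

def program_comparison_report(authorized, in_use):
    """Findings an auditor would record for one authorized/in-use pair."""
    findings = []
    if length_control_total(authorized) != length_control_total(in_use):
        findings.append("length control total differs")
    if digest(authorized) != digest(in_use):
        findings.append("digest differs")
    findings.extend(compare_programs(authorized, in_use))
    return findings
```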
Surprise Audits and Surprise Use of Programs
• The surprise audit approach involves examining application programs unexpectedly.
• With the surprise use approach, an auditor
visits the computer center unannounced
and requests that previously obtained
authorized programs be used for the
required data processing.
Review of Systems Software
• Systems software includes 1) operating system
software, 2) utility programs, 3) program
library software, and 4) access control software.
• Auditors should review systems software
documentation.
• Systems software can generate incident reports,
which are reports listing events encountered by
the system that are unusual or interrupt
operations.
Continuous Approach
• Audit tools can be installed within an
information system to achieve continuous
auditing.
• This is particularly effective when most of an
application’s data is in electronic form.
• Examples: 1) embedded audit modules,
2) exception reporting, 3) transaction
tagging, and 4) snapshot technique.
Auditing with the Computer
• Auditing with the Computer entails using computer-assisted audit techniques (CAATs) to help in various auditing tasks.
• This approach is virtually mandatory since data are
stored on computer media and manual access is
impossible.
• CAATs are effective and save time.
General-Use Software
• Auditors use general-use software such as
spreadsheets and database management
systems as productivity tools to improve their
work.
• Auditors use structured query
language (SQL) to retrieve a
client’s data and display these
data in a variety of formats
for audit purposes.
Generalized Audit Software
• Generalized audit software (GAS)
packages enable auditors to review
computer files without continually
rewriting processing programs.
• GAS programs are specifically
tailored to auditor tasks.
• Audit Command Language (ACL)
and Interactive Data Extraction
and Analysis (IDEA) are examples
of GAS.
Automated Workpaper Software
• Automated workpaper software is similar
to general ledger software but is much
more flexible.
• Features include: 1) generated trial balances, 2) adjusting entries, 3) consolidations, and 4) analytical procedures.
Auditing in the Information Age
• Software can control audit
• Audit tools stored on CD-ROM
• Electronic spreadsheets
• Client/server systems
Copyright
Copyright 2001 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser may
make backup copies for his/her own use only and not for distribution
or resale. The Publisher assumes no responsibility for errors,
omissions, or damages, caused by the use of these programs or from
the use of the information contained herein.