IS 630 : Accounting Information Systems - PowerPoint PPT Presentation

Provided by: dn56

Transcript and Presenter's Notes

Title: IS 630 : Accounting Information Systems


1
Auditing Computer-based Information Systems
  • IS 630 Accounting Information Systems
  • http://www.csun.edu/dn58412

Lecture 10
2
Learning Objectives
  • Scope and objectives of audit work, and major
    steps in the audit process.
  • Objectives of an information system audit, and
    four-step approach necessary for meeting these
    objectives.
  • Design a plan for the study and evaluation of
    internal control in an AIS.
  • Describe computer audit software, and explain how
    it is used in the audit of an AIS.
  • Describe the nature and scope of an operational
    audit.

3
Auditing
  • The systematic process of obtaining and
    evaluating evidence regarding assertions about
    economic actions and events in order to determine
    how well they correspond with established criteria

4
Types of Audits
  • Financial
      • Examines the reliability and integrity of
        financial transactions, accounting records, and
        financial statements.
  • Information System
      • Reviews the controls of an AIS to assess
        compliance with internal control policies and
        procedures and effectiveness in safeguarding assets
  • Operational
      • Economical and efficient use of resources and the
        accomplishment of established goals and
        objectives
  • Compliance
      • Determines whether entities are complying with
        applicable laws, regulations, policies, and
        procedures
  • Investigative
      • Incidents of possible fraud, misappropriation of
        assets, waste and abuse, or improper governmental
        activities.

5
The Audit Process
  • Planning
  • Collecting Evidence
  • Evaluating Evidence
  • Communicating Audit Results

6
Planning the Audit
  • Why, when, how, whom
  • Work targeted to area with greatest risk
  • Inherent
      • Chance of risk in the absence of controls
  • Control
      • Risk a misstatement will not be caught by the
        internal control system
  • Detection
      • Chance a misstatement will not be caught by
        auditors or their procedures

7
Collection Of Audit Evidence
  • Not everything can be examined, so samples are
    collected
  • Observation of activities to be audited
  • Review of documentation
      • Gain understanding of process or control
  • Discussions
  • Questionnaires
  • Physical examination
  • Confirmations
      • Testing balances with external 3rd parties
  • Re-performance
      • Recalculations to test values
  • Vouching
      • Examination of supporting documents
  • Analytical review
      • Examining relationships and trends

8
Evaluation of Audit Evidence
  • Does evidence support favorable or unfavorable
    conclusion?
  • Materiality
      • How significant is the impact of the evidence?
  • Reasonable Assurance
      • Some risk remains that the audit conclusion is
        incorrect.

9
Communication of Audit Conclusion
  • Written report summarizing audit findings and
    recommendations
  • To management
  • The audit committee
  • The board of directors
  • Other appropriate parties

10
Risk-Based Audit
  • Determine the threats (fraud and errors) facing
    the company.
      • Accidental or intentional abuse and damage to
        which the system is exposed
  • Identify the control procedures that prevent,
    detect, or correct the threats.
      • These are all the controls that management has
        put into place and that auditors should review
        and test, to minimize the threats
  • Evaluate control procedures.
      • A systems review
          • Are control procedures in place
      • Tests of controls
          • Are existing controls working
  • Evaluate control weaknesses to determine their
    effect on the nature, timing, or extent of
    auditing procedures.

11
Information Systems Audit
  • Purpose
      • To review and evaluate the internal controls that
        protect the system
  • Objectives
      • Overall information security
      • Program development and acquisition
      • Program modification
      • Computer processing
      • Source files
      • Data files

12
1. Information System Threats
  • Accidental or intentional damage to system assets
  • Unauthorized access, disclosure, or modification
    of data and programs
  • Theft
  • Interruption of crucial business activities

13
2. Program Development and Acquisition
  • Inadvertent programming errors due to
    misunderstanding system specifications or
    careless programming
  • Unauthorized instructions deliberately inserted
    into the programs
  • Controls
      • Management and user authorization and approval,
        thorough testing, and proper documentation

14
3. Program Modification
  • Source Code Comparison
      • Compares current program against source code for
        any discrepancies
  • Reprocessing
      • Use of source code to re-run program and compare
        for discrepancies
  • Parallel Simulation
      • Auditor-created program is run and used to
        compare against source code

15
4. Computer Processing
  • System fails to detect
  • Erroneous input
  • Improper correction of input errors
  • Process erroneous input
  • Improperly distribute or disclose output
  • Concurrent audit techniques
      • Continuous system monitoring while live data are
        processed during regular operating hours
      • Using embedded audit modules
          • Program code segments that perform audit
            functions, report test results, and store the
            evidence collected for auditor review

16
Types of Concurrent Audits
  • Integrated Test Facility
      • Uses fictitious inputs
  • Snapshot Technique
      • Master files before and after update are stored
        for specially marked transactions
  • System Control Audit Review File (SCARF)
      • Continuous monitoring and storing of transactions
        that meet pre-specifications
  • Audit Hooks
      • Notify auditors of questionable transactions
  • Continuous and Intermittent Simulation
      • Similar to SCARF for DBMS
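
Added example (not part of the original lecture): a minimal embedded audit module showing how SCARF and audit hooks sit inside live transaction processing. The rule names, thresholds, account codes and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    txn_id: str
    user: str
    account: str
    amount: Decimal
    hour: int  # hour of day the transaction was posted (0-23)

# Pre-specified SCARF criteria (assumed): matches are stored for later review.
SCARF_RULES = {
    "large_amount": lambda t: t.amount >= Decimal("10000"),
    "after_hours": lambda t: t.hour < 6 or t.hour >= 20,
    "just_under_limit": lambda t: Decimal("9000") <= t.amount < Decimal("10000"),
}
# Audit-hook criteria (assumed): matches notify the auditor immediately.
HOOK_RULES = {"suspense_account": lambda t: t.account.startswith("SUSP")}

class EmbeddedAuditModule:
    def __init__(self, notify):
        self.scarf_file = []   # review file; entries are only ever appended
        self.notify = notify   # callback standing in for an auditor alert

    def inspect(self, txn):
        hits = [name for name, rule in SCARF_RULES.items() if rule(txn)]
        if hits:
            self.scarf_file.append((txn.txn_id, tuple(hits)))
        for name, rule in HOOK_RULES.items():
            if rule(txn):
                self.notify(txn.txn_id, name)
        return hits

def post_transactions(txns, ledger, audit):
    for t in txns:
        audit.inspect(t)  # audit code runs inline while live data is processed
        ledger[t.account] = ledger.get(t.account, Decimal("0")) + t.amount
    return ledger

def run_sample():
    alerts = []
    audit = EmbeddedAuditModule(lambda tid, rule: alerts.append((tid, rule)))
    sample = [  # constructed sample transactions
        Txn("T1", "alice", "AR-100", Decimal("250.00"), 10),
        Txn("T2", "bob", "AP-200", Decimal("9800.00"), 14),
        Txn("T3", "bob", "AP-200", Decimal("15000.00"), 23),
        Txn("T4", "carol", "SUSP-01", Decimal("40.00"), 11),
    ]
    ledger = post_transactions(sample, {}, audit)
    return ledger, audit.scarf_file, alerts
```

Processing is not blocked by either rule set: SCARF only records evidence for periodic review, while the hook raises the alert at posting time.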

17
5. Source Data 6. Data Files
  • Accuracy
  • Integrity
  • Security of data