Chapter 3 with added info - PowerPoint PPT Presentation

Loading...

PPT – Chapter 3 with added info PowerPoint presentation | free to view - id: 82e0ce-ZjA4M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Chapter 3 with added info

Description:

Title: ACCT 4240- Auditing Author: Jerry Last modified by: Faculty, staff, student or affiliate. Created Date: 5/22/2003 8:28:21 PM Document presentation format – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 36
Provided by: Jerr2222
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Chapter 3 with added info


1
Chapter 3 with added info
Auditing Data Management Systems
2
Challenges of Sophisticated Computer Systems
  • electronic method of sending
    documents between companies
  • no paper trail for the auditor to follow
  • increased emphasis on front-end controls
  • security becomes key element in controlling
    system

3
Objectives of General Controls
  • 1. Responsibility for control
  • 2. Information system meets needs of entity
  • 3. Efficient implementation of information
    systems
  • 4. Efficient and effective maintenance of
    information systems
  • 5. Effective and efficient development and
    acquisition of information systems
  • 6. Present and future requirements of users can
    be met
  • 7. Efficient and effective use of resources
    within information systems processing

4
Objectives of General Controls
  • 8. Complete, accurate and timely processing of
    authorized information systems
  • 9. Appropriate segregation of incompatible
    functions
  • 10. All access to information and information
    systems is authorized
  • 11. Hardware facilities are physically protected
    from unauthorized access, loss or damage
  • 12. Recovery and resumption of information
    systems processing
  • 13. Maintenance and recovery of critical user
    activities

5
Input Controls
  • input data should be authorized approved
  • the system should edit the input data prevent
    errors
  • Examples include validity checks, field checks,
    reasonableness check, record counts etc.

6
Processing Controls
7
Processing Controls
  • Examples
  • control, batch, or proof total - a total of a
    numerical field for all the records of a batch
    that normally would be added (example wages
    expense)
  • logic test - ensures against illogical combina
  • tions of information (example a salaried em-
  • ployee does not report hours worked)

8
Database Processing Controls Inference Controls
  • Must prohibit the retrieval of individual data
    through statistical (aggregate) operations on the
    database.
  • Example
  • SELECT MAX(Salary)
  • FROM EMPLOYEE
  • WHERE Dept CSE AND
  • Address LIKE Cincinnati
  • Note What if only one employee in CSE lives
    in Cincinnati?

9
Output Controls
assure that data generated by the system are
valid, accurate, complete, and distributed to
authorized persons in appropriate quantities
10
Objectives of Application Controls
  • 1. Design application controls with regard to
  • - segregation of incompatible functions
  • - security
  • - development
  • - processing of information systems
  • 2. Information provided by the systems is
  • - complete
  • - accurate
  • - authorized
  • 3. Existence of adequate management trails

11
Auditing Software
  • Generalized audit software involves
  • the use of auditor programs, client
  • data, and auditor hardware. The
  • primary advantage of GAS is that the
  • client data can be down-loaded into
  • the auditors system and manipulated
  • in a variety of ways.

12
Differences with Computer Processing
  • Audit trails are different than with manual
    accounting systems
  • Portions of audit trails may be temporary or
    never exist
  • Processing is more uniform
  • Computer may initiate and complete transactions
  • Greater potential for fraud

13
Impact of Computers on Planning
  • Extent to which computers are used
  • Complexity of computer operations
  • Organizational structure of computer operations
  • Availability of data
  • Use of CAATs
  • Need for specialized skills by auditor

14
Audit Alternatives
  • Continuous (Electronic) Auditing
  • Auditing Around the Computer
  • Auditing Through the Computer
  • Non-concurrent (after-the-fact) auditing
  • Recent SAS pronouncements reduce applicability of
    non-concurrent auditing

15
Audit Alternatives
  • Concurrent auditing provides greater information
    about the effectiveness of controls
  • Special audit test records can be used to examine
    system effectiveness
  • Embedded audit modules collect, process and
    report audit evidence as it is processed by the
    system

16
SAS No. 80
  • In entities where significant information is
    transmitted, processed, maintained, or accessed
    electronically, the auditor may determine that it
    is not practical or possible to reduce detection
    risk to an acceptable level by performing only
    substantive tests for one or more financial
    statement assertions.

17
SAS No. 80
  • Due to the short-term nature of electronic data,
    the auditor should consider the time during which
    information exists or is available in determining
    the nature, timing and extent of his tests

18
SAS No. 94
  • SAS No. 94 acknowledges that IT use presents
    benefits as well as risks to internal control
  • The auditor should expect to encounter IT systems
    and electronic records
  • An entitys IT use may be so significant that the
    quality of the audit evidence available to the
    auditor will depend on the controls that business
    maintains over its accuracy and completeness

19
SAS No. 94
  • As companies rely more and more on IT systems and
    controls, auditors will need to adopt new testing
    strategies to obtain evidence that controls are
    effective
  • An auditor might need specialized skills to
    determine the effect of IT on the audit
  • In some instances, the auditor may need the
    skills of a specialist

20
Errors and Irregularities Necessary Control Procedures Necessary Control Procedures
INPUT INPUT INPUT INPUT
Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Verification controls Computer editing Batch controls Data control group monitoring Transmittal controls Control totals Error logs Data control group monitoring
PROCESSESSING PROCESSESSING PROCESSESSING PROCESSESSING
The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. External file labels Internal file labels Control totals Limit and reasonableness tests
OUTPUT OUTPUT OUTPUT OUTPUT
Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output control totals Periodic comparisons of file data with source documents Data control group monitoring Report distribution control sheet
21
Tests of Controls Techniques
  • Auditing Around the ComputerManually processing
    selected transactions and comparing results to
    computer output
  • Auditing Through the ComputerComputer assisted
    techniques
  • Test DecksProcessing dummy transactions and
    records with errors and exceptions to see that
    program controls are operating

22
Types of Concurrent Auditing
  • Testing real data
  • Tracing transactions
  • Snapshot/extended record (EAM)
  • System Control Audit Review File (SCARF)
  • Testing simulated data
  • Test deck approach
  • Integrated test facility (ITF)

23
Auditing Using Clients Computer- Tracing Real
Data
  • Provides direct confirmation that controls
    functioned as prescribed
  • Weaknesses of approach
  • Actual transactions selected may not trigger all
    of the controls- in fact, finding actual
    transactions to test every control may not be
    possible
  • May be disruptive to clients operation

24
Auditing using Clients Computer- Tracing Real
Data
  • Weaknesses, continued
  • Difficult to verify that program tested is
    program normally used
  • Difficult to verify that procedures used during
    test are procedures normally employed
  • Auditor needs to understand IT operations

25
Auditing using Clients Computer- Using Simulated
Data
  • Strengths
  • Auditor can reduce substantially the number of
    records that have to be processed (one record can
    test several controls)
  • Permits testing of every control

26
Auditing using Clients Computer- Using Simulated
Data
  • Weaknesses
  • Only those conditions known to exist can be
    tested
  • Same program and procedures questions as in
    processing real data
  • Removal of simulated data from client's records

27
Auditing using Clients Computer- Using Simulated
Data
  • Verify that no amounts, accounts, or transaction
    types are omitted
  • Verify pricing, extensions, and other valuation
    procedures
  • Verify account coding and classification
  • Verify proper time period recording
  • Test subsidiary records footing and
    reconciliation to control account balances

28
Auditing using Clients Computer- Using Simulated
Data
  • Test data or test record approach
  • Simulated data is controlled and processed
    separately from real data
  • Output is compared to auditor-calculated output

29
Auditing using Clients Computer- Using Simulated
Data
  • Integrated test facility (ITF)
  • Simulated data is assigned a special code to
    distinguish it from real data
  • Simulated data is integrated with real data and
    processed in normal course of business
  • Weakness - simulated data may be processed
    differently than real data

30
Generalized Audit Software
  • Off-the-shelf software that allows examination of
    client data on auditors computer
  • Information systems vary widely between clients
  • Hardware and software environments
  • Data structures
  • Record formats
  • Processing functions

31
Functional Capabilities of GAS
  • File access
  • File reorganization (sorting and merging)
  • Filtering (Boolean operators , gt, lt, ltgt, AND,
    OR, etc.)
  • Statistical (sample selections)
  • Arithmetic
  • Stratification
  • File creation
  • Reporting

32
Available CAATs
  • CA-Easytrieve (Computer Associates)
  • Works in UNIX or LAN (primarily mainframes)
  • Uses a background language similar to COBOL
  • SAS
  • Statistical analysis
  • Data mining
  • ACL
  • IDEA

33
Electronic Workpapers
  • Electronic working papers
  • Standardizes audit forms and formats
  • Improves quality and consistency
  • Coordinates efforts
  • Can centralize management efforts

34
Centralized Vs Distributed Systems
  • Some activities should remain centralized
  • DDP is more expensive but can add efficiencies
    over straight client-server approach
  • Data can be distributed in different ways
  • May raise security issues
  • Auditor must question how each site is secured
  • DDP may be partitioned or replicated
  • DDP requires concurrency control

35
End Ch 3
About PowerShow.com