IS 630 : Accounting Information Systems
http://www.csun.edu/~dn58412/IS 630/IS630_F1 4.htm

Auditing Computer-based Information Systems
Lecture 10

Learning Objectives
• Scope and objectives of audit work, and major steps in the audit process.
• Objectives of an information system audit, and four-step approach necessary for meeting these objectives.
• Design a plan for the study and evaluation of internal control in an AIS.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Describe the nature and scope of an operational audit.

Auditing
The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.

Types of Audits
Financial
• Examines the reliability and integrity of:
  o Financial transactions, accounting records, and financial statements.
Information System
• Reviews the controls of an AIS to assess compliance with:
  o Internal control policies and procedures and effectiveness in safeguarding assets
Operational
• Economical and efficient use of resources and the accomplishment of established goals and objectives
Compliance
• Determines whether entities are complying with:
  o Applicable laws, regulations, policies, and procedures
Investigative
• Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.

The Audit Process
• Planning
• Collecting Evidence
• Evaluating Evidence
• Communicating Audit Results

Planning the Audit
Why, when, how, whom
Work targeted to area with greatest risk:
• Inherent
  o Chance of risk in the absence of controls
• Control
  o Risk a misstatement will not be caught by the internal control system
• Detection
  o Chance a misstatement will not be caught by auditors or their procedures

Collection Of Audit Evidence
• Not everything can be examined so samples are collected
• Observation of activities to be audited
• Review of documentation
• Gain understanding of process or control
• Discussions
• Questionnaires
• Physical examination
• Confirmations
• Testing balances with external 3rd parties
• Re-performance
• Recalculations to test values
• Vouching
• Examination of supporting documents
• Analytical review
• Examining relationships and trends

Evaluation of Audit Evidence
Does evidence support favorable or unfavorable conclusion?
Materiality
• How significant is the impact of the evidence?
Reasonable Assurance
• Some risk remains that the audit conclusion is incorrect.

Communication of Audit Conclusion
Written report summarizing audit findings and recommendations:
• To management
• The audit committee
• The board of directors
• Other appropriate parties

Risk-Based Audit
Determine the threats (fraud and errors) facing the company.
• Accidental or intentional abuse and damage to which the system is exposed
Identify the control procedures that prevent, detect, or correct the threats.
• These are all the controls that management has put into place and that auditors should review and test, to minimize the threats
Evaluate control procedures.
• A systems review
  o Are control procedures in place?
• Tests of controls
  o Are existing controls working?
Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.

Information Systems Audit
Purpose:
• To review and evaluate the internal controls that protect the system
Objectives:
1. Overall information security
2. Program development and acquisition
3. Program modification
4. Computer processing
5. Source files
6. Data files

1. Information System Threats
• Accidental or intentional damage to system assets
• Unauthorized access, disclosure, or modification of data and programs
• Theft
• Interruption of crucial business activities

2. Program Development and Acquisition
• Inadvertent programming errors due to misunderstanding system specifications or careless programming
• Unauthorized instructions deliberately inserted into the programs
Controls:
• Management and user authorization and approval, thorough testing, and proper documentation

3. Program Modification
Source Code Comparison
• Compares current program against source code for any discrepancies
Reprocessing
• Use of source code to re-run program and compare for discrepancies
Parallel Simulation
• Auditor-created program is run and used to compare against source code

4. Computer Processing
System fails to detect:
• Erroneous input
• Improper correction of input errors
• Process erroneous input
• Improperly distribute or disclose output
Concurrent audit techniques
• Continuous system monitoring while live data are processed during regular operating hours
• Using embedded audit modules
  o Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review

Types of Concurrent Audits
Integrated Test Facility
• Uses fictitious inputs
Snapshot Technique
• Master files before and after update are stored for specially marked transactions
System Control Audit Review File (SCARF)
• Continuous monitoring and storing of transactions that meet pre-specifications
Audit Hooks
• Notify auditors of questionable transactions
Continuous and Intermittent Simulation
• Similar to SCARF for DBMS

5. Source Data & 6. Data Files
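
The embedded audit module, SCARF and audit hook ideas from the concurrent audit slides above can be sketched as follows. This is an added example, not part of the original lecture: the rule names, thresholds, vendor list and sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable

@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    amount: Decimal
    hour: int  # hour of day the transaction was entered (0-23)

# Constructed SCARF pre-specifications: auditor-defined criteria, not production logic.
SCARF_RULES = {
    "over_approval_limit": lambda t: t.amount > Decimal("10000"),
    "just_under_limit": lambda t: Decimal("9500") <= t.amount <= Decimal("10000"),
    "after_hours_entry": lambda t: t.hour < 6 or t.hour >= 22,
}

@dataclass
class EmbeddedAuditModule:
    approved_vendors: set
    notify: Callable[[str], None]                   # audit hook: immediate auditor alert
    scarf_file: list = field(default_factory=list)  # evidence stored for later review

    def inspect(self, txn):
        hits = [name for name, rule in SCARF_RULES.items() if rule(txn)]
        if hits:  # SCARF: record every transaction that meets a pre-specification
            self.scarf_file.append((txn.txn_id, hits))
        if txn.vendor not in self.approved_vendors:  # hook: questionable transaction
            self.notify(f"{txn.txn_id}: payment to unapproved vendor {txn.vendor}")
        return hits

def process_payments(txns, audit):
    """Stand-in for the production routine; the audit call runs inline on live data."""
    for t in txns:
        audit.inspect(t)
    return sum((t.amount for t in txns), Decimal("0"))

def run_demo():
    alerts = []
    audit = EmbeddedAuditModule({"ACME", "GLOBEX"}, alerts.append)
    txns = [  # constructed sample transactions
        Txn("T1", "ACME", Decimal("250.00"), 10),
        Txn("T2", "GLOBEX", Decimal("9900.00"), 14),
        Txn("T3", "INITECH", Decimal("120.00"), 23),
        Txn("T4", "ACME", Decimal("15000.00"), 9),
    ]
    return process_payments(txns, audit), audit.scarf_file, alerts
```

The SCARF file accumulates evidence for periodic review, while the hook fires at processing time, which is the difference between the two techniques on the slide.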