Presentation is loading. Please wait.

Presentation is loading. Please wait.


Similar presentations

Presentation on theme: "ACCOUNTING INFORMATION SYSTEMS"— Presentation transcript:

Core Concepts of ACCOUNTING INFORMATION SYSTEMS Moscove, Simkin & Bagranoff Developed by: S. Bhattacharya, Ph.D. Florida Atlantic University John Wiley & Sons, Inc.

2 Chapter 14 Auditing Computerized Accounting Information Systems
Introduction The Audit Function Auditing Through the Computer The IT Auditor’s Toolkit Information Technology Auditing Today

3 The Audit Function To audit is to examine and to assure.
The nature of auditing differs according to the subject under examination. Audits can be internal, external, and audits of information systems. 4

4 Internal versus External Auditing
In an internal audit a company’s own accounting employees perform the audit. Accountants working for an independent CPA firm normally perform the external audit. The chief purpose of the external audit is the attest function. The fairness evaluation of financial statements in an external audit is conducted according to GAAP. Fraud auditors specialize in investigating fraud. 7

5 Information Technology Auditing
Information technology auditing or electronic data processing (EDP) auditing involves evaluating the computer’s role in achieving audit and control objectives. The AIS components of a computer-based AIS are people, procedures, hardware, data communications, software and databases. These components are a system of interacting elements that auditors examine to accomplish the purposes of their audits.

6 The Information Technology Audit Process
If computer controls are weak or nonexistent, auditors will need to do more substantive testing, or detailed tests of transactions and account balances. Compliance testing is performed to ensure that the controls are in place and working as prescribed. This may entail using computer-assisted audit techniques (CAATs) to audit through the computer.

7 The Six Components of a Computer-Based AIS Examined in an IT Audit
Procedures Hardware Information Technology Audit Function Data Communications People Databases Software

8 Careers in Information Systems Auditing
Information systems auditors may choose to obtain professional certification as a Certified Information Systems Auditor (CISA). Applicants must pass an examination given by the Information Systems Audit and Control Association (ISACA). Specialized skills and broad-based set of technical knowledge needed.

9 Risk Assessment An external auditor’s main objective in reviewing information systems control procedures is to evaluate the risks to the integrity of accounting data presented in financial reports. A secondary objective is to make recommendations to managers about improving these controls. 9

10 Risk-Based Audit Approach
Determine threats facing the AIS. Identify the control procedures that should be in place to minimize threats. Evaluate the control procedures within the AIS (systems review). Evaluate weaknesses within the AIS to ascertain their effect on auditing procedures. 8

11 Information Systems Risk Assessment
Information Systems Risk Assessment evaluates the desirability of IT-related controls for a particular aspect of business risk. Auditors and managers must answer each of the following questions: What assets or information does the company have that unauthorized individuals would want? What is the value of these identified assets of information? How can unauthorized individuals obtain valuable assets or information? What are the chances of unauthorized individuals obtaining valuable assets or information?

12 Guidance in Reviewing and Evaluating IT Controls
Systems Auditability and Control (SAC) report identifies important information technologies and the specific risks related to these technologies. Control Objectives for Information and Related Technology (COBIT) provides auditors with guidance in assessing and controlling for business risk associated with IT environments.

13 Objectives of an Information Systems Audit
As part of the process of performing an IT audit, auditors should determine that the following objectives are met: Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. Program development and acquisition are performed in accordance with management’s authorization. Program modifications have authorization and approval from management. Processing of transactions, files, reports, and other computer records is accurate and complete. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. Computer data files are accurate, complete, and confidential.

14 Auditing Computerized AIS -Auditing Around the Computer
Auditing around the computer assumes that the presence of accurate output verifies proper processing operations. This type of auditing pays little or no attention to the control procedures within the IT environment. Generally not an effective approach to auditing a computerized environment. 10

15 Auditing Computerized AIS- Auditing Through the Computer
When auditing through the computer, an auditor follows the audit trail through the internal computer operations phase of automated data processing. Through-the-computer auditing attempts to verify the processing controls involved in the AIS programs. 14

16 Approaches to Auditing through the Computer
Primary approaches to auditing through the computer using CAAT are: testing programs validating computer programs reviewing systems software continuous auditing.

17 Testing Computer Programs - Test Data
The test data approach uses a set of hypothetical transactions to test the edit checks in programs. Auditor should use as many different exception situations as possible. Auditor can also use software programs called test data generators to develop a set of test data. 15

18 Testing Computer Programs -Integrated Test Facility
An Integrated Test Facility (ITF) is effective in evaluating integrated online systems and complex programming logic. Its purpose is to audit an AIS in an operational setting. The auditor’s role is to examine results of transaction processing to find out how well the AIS does the tasks required of it. An auditor will introduce artificial transactions into the data processing stream of the AIS. 17

19 Testing Computer Programs -Parallel Simulation
With Parallel Simulation, the auditor uses live input data, rather than test data, in a program written or controlled by the auditor. The auditor’s program simulates all or some of the operations of the real program that is actually in use. Auditors need complete understanding of client system and sufficient technical knowledge. Parallel simulation eliminates the need to prepare a set of test data.

20 Validating Computer Programs
Auditors must validate any program presented to them. Procedures that assist in program validation are 1) tests of program change control, 2) program comparison, and 3) surprise audits and surprise use of programs.

21 Tests of Program Change Control
Program change control is a set of internal controls developed to ensure against unauthorized program changes. Requires documentation of every request for application program changes. Test begins with inspection of documentation maintained by information processing subsystem.

22 Program Comparison To guard against unauthorized program tampering, a test of length control total can be performed. A comparison program can compare code line-by-line to ensure consistency between authorized version and version being used. Both tests can detect Trojan horse computer programs.

23 Surprise Audits and Surprise Use of Programs
The Surprise audit approach involves examining application programs unexpectedly. With the Surprise use approach, an auditor visits the computer center unannounced and requests that previously obtained authorized programs be used for the required data processing.

24 Review of Systems Software
Systems software includes 1) operating system software, 2) utility programs, 3) program library software, and 4) access control software. Auditors should review systems software documentation. Systems software can generate incident reports, which are reports listing events encountered by the system that are unusual or interrupt operations.

25 Continuous Approach Audit tools can be installed within an information system to achieve continuous auditing. This is particularly effective when most of an application’s data is in electronic form. Examples: 1) embedded audit modules, ) exception reporting, 3) transaction tagging, and 4) snapshot technique.

26 Auditing with the Computer
Auditing with the Computer entails using computer-assisted audit techniques (CAATs) to help in various auditing tasks. This approach is virtually mandatory since data are stored on computer media and manual access is impossible. CAATs is effective and saves time. 22

27 General-Use Software Auditors use general-use software such as spreadsheets and database management systems as productivity tools to improve their work. Auditors use structured query language (SQL) to retrieve a client’s data and display these data in a variety of formats for audit purposes. 23

28 Generalized Audit Software
Generalized audit software (GAS) packages enable auditors to review computer files without continually rewriting processing programs. GAS programs are specifically tailored to auditor tasks. Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA) are examples of GAS. 24

29 Automated Workpaper Software
Automated workpaper software is similar to general ledger software but is much more flexible. Features include: 1) generated trial balances, 2) adjusting entries, 3) consolidations,and 4) analytical procedures.

30 Auditing in the Information Age
Software can control audit Audit tools stored on CD-ROM Electronic spreadsheets Third party assurance services Systems reliability assurance 27

31 Auditing Electronic Spreadsheets
Building auditing models in spreadsheets Auditing spreadsheet data and formulas Display formulas Use data validation rules Excel’s audit toolbar Specialized spreadsheet audit software

32 Third-Party Assurance
TRUSTe BBBOnline WebTrust Betterweb

33 Information Systems Reliability Assurance
SAS 78 SysTrust

34 Information Technology Auditing Today
Information Technology Governance Auditing for Fraud – Statement on Auditing Standards No. 99 The Sarbanes-Oxley Act of 2002 Third-Party and Information Systems Reliability Assurances

35 Summary of the Key Provisions of the Sarbanes-Oxley Act of 2002
Section 201: Services outside the scope of practice of auditors; prohibited activities Section 302: Corporate responsibility for financial reports Section 404: Management assessment of internal controls

36 Copyright Copyright 2005 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

37 Chapter 14


Similar presentations

Ads by Google