Published by Sebastian Pratt
Modified over 2 years ago
Electronic Presentations in Microsoft ® PowerPoint ® Prepared by Brad MacDonald SIAST © 2003 McGraw-Hill Ryerson Limited
Copyright © 2003 McGraw-Hill Ryerson Limited
Chapter 8: Auditing in a Computer Environment

Learning Objective 1
Explain how a computer accounting system differs from a manual accounting system.

Computer Environment
The CICA Handbook prefers the use of EDP or Electronic Data Processing.
– There is no fundamental difference between computer auditing and auditing.
– Certain areas are not changed:
    – the definition of auditing
    – the purposes of auditing
    – the generally accepted auditing standards
    – the control objectives
    – the requirement to gather sufficient and appropriate evidence
    – the audit report

Elements of a Computer-Based System
Hardware:
– The physical equipment.
Software:
– System programs: Perform generalized functions for more than one program.
– Application programs: Sets of computer instructions that perform data processing tasks.
Documentation:
– A description of the system and control structures.
Personnel:
– Persons who manage, design, program, operate, or control the system.
Data:
– Transactions and related information entered, stored, and processed by the system.
Control procedures:
– Activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities.
Management is responsible for internal controls; the auditor is responsible for understanding controls and assessing control risk.
– Management can meet its responsibilities and assist the auditor by
    – ensuring documentation is current
    – ensuring that systems produce an audit trail
    – making computer resources and personnel available to the auditor as required

Effect of Computer Processing
Characteristics that distinguish computer processing from manual processing:
– Transaction trails may not exist, or may exist only in machine-readable formats.
– Uniform processing of transactions eliminates random errors, but may cause systematic errors.
– Many internal controls may be concentrated in the computer systems; persons who have access to the computer may be in a position to perform incompatible functions.
– The potential for errors and irregularities through inappropriate access to computer data or systems may be greater.
– Computerized processing creates a potential for increased management supervision with a wide variety of analytical tools.
– Initiation or subsequent execution of transactions by computer may not generate evidence of authorization.

Learning Objective 2
List and discuss additional matters of planning auditors should consider for clients who use computers.

Planning
The extent and complexity of computer processing may affect the nature, extent, and timing of procedures.
The auditor should consider:
– the extent to which computers are used in accounting applications
    – Auditors will need computer-related skills to understand the flow of transactions processed by computers.
– the complexity of computer operations
    – Auditors will need to assess training and experience relative to the methods of computer processing.
– the organizational structure of computer processing activities
    – Auditors must consider the degree of centralization and standardization in computer-related operations.
– the availability of data from the computer system
    – Auditors must consider when information may no longer be available for review.
– the use of computer-assisted audit techniques (CAATs) to increase the efficiency of audit procedures
– the need for audit personnel with specialized skills

Learning Objective 3
Describe how the phases of control risk assessment are affected by computer processing.

Phase 1 - Understanding
The purpose of Phase 1 is to obtain sufficient knowledge of controls for planning the audit.
– This will include a general knowledge of
    – the organizational structure
    – methods used to communicate responsibility and authority
    – methods used to supervise the system
– Computer processing may affect each of these elements.

Organizational Structure
An understanding of the organization of the client's computer functions is required for assessment of risk.
– The auditor should obtain and evaluate
    – a description of computer resources and computer operating activities
    – a description of the organizational structure of computer operations and related policies
– This understanding helps the auditor decide on the amount of reliance to place on system controls.

Methods Used to Communicate Responsibility and Authority
Auditors should understand how the computer resources are managed and how priorities for use are determined.
– Auditors should obtain evidence and evaluate information about the existence of
    – accounting and other policy manuals
    – formal job descriptions for computer department personnel

Methods Used by Management to Supervise the System
Auditors should learn the procedures management uses to monitor the computer operations.
– Auditors should evaluate:
    a) systems design and documentation
    b) procedures for modification
    c) procedures limiting access
    d) financial and other reports
    e) internal audit function

Understanding the Accounting System
Auditors should gain an understanding of the flow of transactions through the accounting system for each significant accounting application.

Phase 2: Assessing Control Risk
To assess the control risk when a computer is used, auditors must do the following:
– Identify specific control objectives based on the types of misstatements that may be present.
– Identify the points in the flow of transactions where specific types of misstatement could occur.
– Identify specific control activities designed to prevent or detect misstatements.
– Identify the control activities that must function to prevent or detect misstatements.
– Evaluate the control activities to determine whether they suggest a low control risk and whether tests of controls might be cost effective.

Assessing Control Risk
The information gathered should allow the auditor to decide that one of the following applies:
– Control risk is assessed low, and it is cost effective to perform tests of controls.
    – Continue with testing of controls.
– Control risk is assessed low, but it is not cost effective to perform tests of controls.
    – Concentrate on substantive procedures.
– Control risk is assessed high.
    – Concentrate on substantive procedures.

Learning Objective 4
Describe and explain general control procedures and place the application control procedures covered in Chapter 6 in the context of computerized error checking routines.

Simple Computer Systems
Characteristics of a simple computer system:
– All processing occurs at a central processing facility.
– Three or four people are involved in operations of a simple system.
– The system may use batch processing or online processing.
General control procedures:
– Those controls that relate to all or many computerized accounting functions.
    – Organization and physical access: Weakness or absence of access controls decreases the overall integrity of the computer system.
    – Documentation and systems development: Weakness or absence of documentation and development standards also decreases the integrity of the system.
    – Hardware: The auditor should be familiar with hardware controls.
    – Data file and program control and security: Controls are necessary to determine that the proper files and programs are being used, and that files are appropriately backed up.

Application Control Procedures
Application controls are those used in each application. Application controls are grouped under three categories:
– input controls
– processing controls
– output controls
Input controls:
– Controls at input are primarily preventative.
– It is generally more cost effective to prevent errors than it is to detect and correct them.
Processing controls:
– Primarily oriented toward detecting misstatements.
Output controls:
– Primarily oriented toward correcting misstatements.

Control Risk in Simple Systems
The purpose of the review of controls is to understand the strengths and weaknesses of control systems.
– The general controls must be good in order for any application controls to be considered in planning the substantive procedures.
The usual approach is to evaluate general controls first, then application controls.

Learning Objective 5
Describe the characteristics and control problems of personal computer installations.

Personal Computer Environment
Computer activity involving PCs should be included in determination of risk. PCs may be standalone systems or part of a distributed system.
– The control environment, not the technology, is the important consideration for the auditor.
– In a PC environment, lack of segregation of duties may be a significant risk.
PC control considerations:
– Most control problems can be traced to lack of segregation of duties and lack of computerized control procedures.
– Auditors should consider the entire control structure and look for compensating control strengths.
Organizational control procedures:
– Limit concentration of functions as much as possible.
– Establish proper supervision.
Operation control procedures:
– Controls over online entry are important.
    – Restrict access to input devices.
    – Use standard screens, computer prompting, and online editing procedures.
Processing control procedures:
– Ensure processing is correct and complete.
    – Capture entries in transaction logs.
    – Make use of control totals.
    – Perform periodic reconciliation of input to output.
Systems development and modification:
– Purchased applications should be reviewed carefully.
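
The control totals and input-to-output reconciliation listed under processing control procedures can be sketched as follows. This is an added example, not part of the original presentation; the batch records, field layout and function names are constructed for illustration, and the hash total (a sum of account numbers) is a standard batch control the slide does not name explicitly.

```python
from decimal import Decimal

# Constructed input batch: (document number, account number, amount)
INPUT_BATCH = [
    ("INV-1001", 40012, Decimal("250.00")),
    ("INV-1002", 40037, Decimal("1199.95")),
    ("INV-1003", 40012, Decimal("75.50")),
    ("INV-1004", 40090, Decimal("310.00")),
]

def control_totals(records):
    """Compute the batch control totals for a list of records."""
    return {
        "record_count": len(records),
        "amount_total": sum((r[2] for r in records), Decimal("0")),
        # Hash total: a sum with no accounting meaning (account numbers),
        # kept only to detect records posted to the wrong account.
        "hash_total": sum(r[1] for r in records),
    }

def reconcile(input_records, posted_records):
    """Reconcile input to output; return only the totals that disagree."""
    before = control_totals(input_records)
    after = control_totals(posted_records)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

def dropped_record_case():
    """Output is missing the last record: every total disagrees."""
    return reconcile(INPUT_BATCH, INPUT_BATCH[:-1])

def misposted_record_case():
    """INV-1003 posted to account 40021 instead of 40012.

    Record count and amount total still agree; only the hash total
    reveals the error.
    """
    posted = list(INPUT_BATCH)
    posted[2] = ("INV-1003", 40021, Decimal("75.50"))
    return reconcile(INPUT_BATCH, posted)

if __name__ == "__main__":
    print("clean run:", reconcile(INPUT_BATCH, INPUT_BATCH))
    print("dropped record:", dropped_record_case())
    print("misposted record:", misposted_record_case())
```
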

Learning Objective 6
Explain the differences among auditing around the computer, auditing through the computer, and auditing with the computer.

Evaluation Approaches
Auditing around the computer:
– Treat the computer as a black box and vouch and trace source documents and output.
– Adequate procedure where the computer is simply used as a calculator and printer.
Auditing through the computer:
– Evaluate hardware, software, and controls.
– Uses computerized controls.

Learning Objective 7
Explain how the auditor can perform the test of controls audit of computerized controls in a simple computer system.

Tests of Computer Controls
There are two approaches to using the computer in test of controls procedures:
– Test data: Test the programmed controls using simulated data.
– Parallel simulation: Audit the programmed controls with live data reprocessed with an independent audit program.

Test Data
A computer will process every transaction in a certain logical way exactly the same every time.
– Create hypothetical transactions to determine how the computer will handle errors.
– Test data is a sample of combinations of input data that may be processed through a system.
    – Test data will contain planted errors in addition to good transactions.
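
A test deck of the kind described above, run against a programmed input control, might look like this. It is an added example, not part of the original presentation: `client_edit_check` is a hypothetical stand-in for the client's program (in practice the deck is run through the client's real system), and the customers, limits and dates are constructed.

```python
from datetime import date

# Constructed master data and period cutoff (assumptions for this example)
CREDIT_LIMITS = {"C100": 5000.00, "C200": 1000.00}
PERIOD_END = date(2003, 12, 31)

def client_edit_check(txn):
    """Hypothetical stand-in for the client's programmed input controls.

    Returns True when the transaction is accepted for processing.
    It deliberately has no credit-limit check, so the test deck has
    a control weakness to find.
    """
    if txn["customer"] not in CREDIT_LIMITS:
        return False                      # unknown customer
    amount = txn["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        return False                      # non-numeric amount
    if amount <= 0:
        return False                      # zero or negative amount
    if txn["date"] > PERIOD_END:
        return False                      # dated after period end
    return True

IN_PERIOD = date(2003, 6, 30)

# Test deck: (case id, control under test, transaction, should it be accepted?)
# One good transaction plus planted errors.
TEST_DECK = [
    ("T1", "valid transaction",
     {"customer": "C100", "amount": 250.00, "date": IN_PERIOD}, True),
    ("T2", "customer validity",
     {"customer": "C999", "amount": 250.00, "date": IN_PERIOD}, False),
    ("T3", "numeric field",
     {"customer": "C100", "amount": "12O.00", "date": IN_PERIOD}, False),
    ("T4", "sign check",
     {"customer": "C100", "amount": -40.00, "date": IN_PERIOD}, False),
    ("T5", "credit limit",
     {"customer": "C200", "amount": 1500.00, "date": IN_PERIOD}, False),
    ("T6", "period cutoff",
     {"customer": "C100", "amount": 250.00, "date": date(2004, 1, 2)}, False),
]

def run_test_data(program, deck):
    """Process every test transaction and return the cases where the
    program's decision differs from the auditor's predetermined result."""
    exceptions = []
    for case_id, control, txn, expected in deck:
        actual = program(txn)
        if actual != expected:
            exceptions.append((case_id, control, expected, actual))
    return exceptions

if __name__ == "__main__":
    for case_id, control, expected, actual in run_test_data(client_edit_check, TEST_DECK):
        print(f"{case_id}: '{control}' control failed "
              f"(expected accept={expected}, program accept={actual})")
```
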

Parallel Simulation
Auditors prepare a program to process data correctly and compare its results to the results of actual client processing.
– Generalized audit software makes the process more attractive.
– The first audit using a parallel simulation is time consuming and expensive.
    – Economies are realized in subsequent audits of the same client.
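
A minimal parallel simulation, as an added example that is not part of the original presentation: the auditor's own program recomputes invoice totals from the client's input data and compares them with what the client system reported. The invoice data, the client output and the pricing rule (quantity × unit price less a percentage discount, rounded half up to cents) are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed "live" data: transactions the client processed ...
CLIENT_INPUT = [
    {"invoice": "S-501", "qty": 10, "unit_price": "19.99", "discount_pct": "0"},
    {"invoice": "S-502", "qty": 3, "unit_price": "49.50", "discount_pct": "10"},
    {"invoice": "S-503", "qty": 5, "unit_price": "2.33", "discount_pct": "5"},
    {"invoice": "S-504", "qty": 2, "unit_price": "100.00", "discount_pct": "0"},
]
# ... and the invoice totals the client system reported (constructed).
CLIENT_OUTPUT = {
    "S-501": "199.90",
    "S-502": "148.50",   # discount was not applied
    "S-503": "11.07",
    "S-999": "500.00",   # no matching input transaction
}

def audit_invoice_total(txn):
    """Auditor's independent computation under the assumed pricing rule."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    net = gross * (Decimal(100) - Decimal(txn["discount_pct"])) / Decimal(100)
    return net.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(inputs, client_output):
    """Reprocess the inputs and list every disagreement with client output
    as (invoice, finding, auditor amount, client amount)."""
    differences = []
    seen = set()
    for txn in inputs:
        invoice = txn["invoice"]
        seen.add(invoice)
        expected = audit_invoice_total(txn)
        reported = client_output.get(invoice)
        if reported is None:
            differences.append((invoice, "missing from client output", expected, None))
        elif Decimal(reported) != expected:
            differences.append((invoice, "amount differs", expected, Decimal(reported)))
    # Output with no supporting input is as significant as a wrong amount.
    for invoice in sorted(set(client_output) - seen):
        differences.append(
            (invoice, "no supporting input", None, Decimal(client_output[invoice])))
    return differences

if __name__ == "__main__":
    for row in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(row)
```
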

Learning Objective 8
Describe the use of generalized audit software.

Generalized Audit Software
Generalized audit software (GAS) programs are a set of functions that may be utilized to read, compute, and operate on machine-readable records.
– Used on audits where records are stored in computer files or databases.
Auditing with the computer:
– GAS was developed to access machine-readable detail records.
    – Original programming is no longer required. The GAS consists of a set of pre-programmed editing, operating, and output subroutines.
    – Required programming is easy. A simple, limited set of programming instructions is used to call the subroutines.
Audit procedures performed by generalized audit software:
– GAS can access huge volumes of machine-readable records, organizing them into a useful format for the audit team.
– GAS can be used for the following:
    – computation
    – confirmation
    – inspection
    – analysis

Using Generalized Audit Software
Five phases in developing a GAS application:
– Define the audit objective.
    – GAS is a tool, not an objective.
– Feasibility and planning
    – Determine if GAS is efficient and effective for the audit at hand.
– Application design
– Coding and testing
– Processing and evaluation

Learning Objective 9
Describe how the personal computer can be used as an audit tool.

Using the Personal Computer as an Audit Tool
The PC is being used to perform clerical steps:
– working trial balance
– posting adjustments
– grouping accounts
– computing comparative statements
– computing common ratios
– preparing supporting working papers
– producing draft statements
PCs are also used to
– assess control risk
– perform analytical functions
– access databases
– run decision-making support software
– perform CAATs

Learning Objective 10
Describe the effects of e-business on auditing.

E-Business
Electronic commerce (e-commerce) is any trade that takes place by electronic means.
– This economic activity has been greatly facilitated by the growing use of the Internet.
– Segments of e-commerce include:
    – B2B – Business to business
    – B2C – Business to consumer
    – C2B – Consumer to business
    – C2C – Consumer to consumer
The audit strategy in e-business is to first evaluate general controls and then consider application controls.
– General control risks include confidentiality, integrity, authentication, repudiation, and unauthorized access.
    – Controls include use of encryption, hashing, digital signatures, passwords, transaction certificates, confirmation services, firewalls, and biometric devices.

Application Controls
Credit card payments:
– The primary concern is the secure transmission of credit card information.
    – Protocols to ensure security include:
        – Secure Sockets Layer (SSL)
        – Secure Electronic Transaction (SET)
    – Auditors will need to compliance test the authentication, access, and confidentiality controls.

Effects of E-Business on Auditors
Auditors should expect to encounter electronic records rather than paper. Auditors will need to put more reliance on controls.
– The quality of audit evidence will become very dependent on controls over accuracy and completeness.

Internet-based and Continuous Auditing
A continuous audit enables the auditor to issue written assurance simultaneously with, or shortly after, the occurrence of the underlying events.
– Subject matter could be any type of information; for example, authenticity, integrity, or non-repudiation of e-commerce transactions.
– A CICA study has identified conditions necessary for a continuous audit.