Professional Documents
Culture Documents
CH08
CH08
ANALYSIS APPROACH
5th edition
Larry F. Konrath
Electronic Presentation
by Harold
O. Wilson
Chapter 8
KEY CONCEPTS OVERVIEW
Computer Based Information Systems
(CBIS) impact on firm policies &
procedures, and on auditing (controls
& testing)
CBIS are unique (hardware, processing,
files, storage, scope, especially in global
e-commerce)
CBIS Controls (General controls,
Application controls, User controls)
KEY CONCEPTS OVERVIEW
Auditors audit around the computer
and/or through the computer
Audit risks in CBIS scenarios escalate
each year (due to direct data inputs,
minimal hard-copy, internal storage)
Applications of computer assisted testing,
changes in evidence gathering
LEARNING
OBJECTIVES
Differentiate auditing around vs.
through the computer
Identify various types of CBIS
Define major CBIS accounting controls
Develop an approach to assessing control
risk in CBIS accounting applications
Evaluate/manage audit risk factors in
CBIS accounting applications
COMPUTER BASED
INFORMATION SYSTEMS
Personal Computerscommonplace
Wide Area Networks(WAN) & Local Area
Networks (LAN)--end-user sharing
Database Management Systems (DBMS)--
integrated collections of stored data
Internet and Intranet applications
Artificial Intelligence (sequenced decision rules)
programs using Knowledge Engineers and
Knowledge Bases (embedded cases)
A note on technology
Information processing systems have
encouraged continuous auditing throughout
a clients fiscal year. Computer systems and
personnel (and changes) tend to obscure (or
destroy) audit trails traditionally traced by
auditors.
Optimal segregation of
functions exists when
collusion is necessary
in order to circumvent
controls.
IMPACTS ON AUDITING
Changes in the audit trail
Less documentation, but more consistency
Less hard-copy available, but better data access
Combining of functions
Computerized checking, transaction logs
Less segmentation of details, and/or people
Auditing around the black box
vs. through the white box
FAQ?
controls
Auditor considerations:
Organization of the CBIS functions
Flowcharts (inputs, outputs, controls, sequences)
Access to files, programs, hardware
Modification processes
Back files, disaster recovery plans
Data Control Group functions
AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns in evaluating & testing
General Controls:
Possible manipulation of data, misreporting
Lack of documentation, physical safeguards
Access controls (passwords, security levels, etc.)
Improper system design, unauditable data
Organizational controls (e.g., debugging, exception
reports, etc.)
AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns--General Controls:
Extent of internal auditor involvement
Authorization issues
Data protection (antivirus software, backups,
e-commerce security, network monitoring,
protocol controls)
Assurance that programs designed and intended
to be used are, in fact, the programs in use.
FAQ?
Would auditor involvement in the design of
the clients CBIS and its controls, be an
advantage or disadvantage in audit practice?