AIS Ch-6 Control and Auditing of AIS

ACCOUNTING INFORMATION SYSTEMS
ACFN 4121 CREDIT=3

B. A., Accounting and Finance, 4th Year First
Semester
CHAPTER- SIX
CONTROL AND AUDIT OF AIS
PROF.DR.CHINNIAH ANBALAGAN
PROFESSOR OF ACCOUNITNG AND FINANCE
COLLEGE OF BUSINESS AND ECONOMICS
SAMARA UNIVERSITY, AFAR, ETHIOPIA EAST AFRICA
MAIL ID: DR.CHINLAKSHANBU@GMAIL.COM
1
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Information Technology Auditing
• Introduction
• The Audit Function
• The Information Technology Auditor’s Toolkit
• Auditing Computerized Accounting Information Systems
• Information Technology Auditing Today
2
Overview of Control Concepts
• The concept of controlling involves the

process of an assessment of an organisation's
progress.
• With proper control, an organisation can
achieve its organisational goals.
• In controlling, managers monitor how a plan
is implemented. If things don't go according to
plan, they make necessary corrections.
3
Main Objectives Of Control
• The main objectives of controlling is to

check and ensure the performance of work
is in accordance with the plans.
• To operational, reporting, and compliance.
4
Five Key Control Objectives
The purposes of internal controls are to:
•Protect assets;
•Ensure that records are accurate;
•Promote operational efficiency;
•Achieve organizational mission and goals; and
•Ensure compliance with policies, rules,
regulations, and laws.
5
Overview of Control Concepts
6
Audits of AISs
• Audits of AISs
– Ensure controls are functioning properly
– Confirm additional controls not necessary
• Nature of Auditing
– Internal and external auditing
– IT Audit and financial audit
– Tools of an IT auditor
7
The Audit Function
• Internal versus External Auditing

• Information Technology Auditing
• Evaluating the Effectiveness of Information Systems Controls
8
Internal Auditing
• Responsibility of Performance
– Company’s own employees
– External of the department being audited
• Evaluation of:
– Employee compliance with policies and procedures
– Effectiveness of operations
– Compliance with external laws and regulations
– Reliability of financial reports
– Internal controls
9
External Auditing
• Responsibility of Performance
– Those outside the organization
– Accountants working for independent CPA
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements
relative to GAAP
10
The Nature of Auditing
• The IIA’s five audit scope standards outline the internal
auditor’s responsibilities:
– Review the reliability and integrity of operating and financial
information and how it is identified, measured, classified, and reported.
– Determine if the systems designed to comply with these policies, plans,
procedures, laws, and regulations are being followed.
– Review how assets are safeguarded, and verify their existence.
– Examine company resources to determine how effectively and
efficiently they are used.
– Review company operations and programs to determine if they are
being carried out as planned and if they are meeting their objectives.
11
Information Technology Auditing
• Function
– Evaluate computer’s role in achieving audit and control
objectives
• Assurance Provided
– Data and information are reliable, confidential, secure, and
available
– Safeguarding assets, data integrity, and operational
effectiveness
12
The Components of an IT Audit
13
The IT Audit Process
• Computer-Assisted Audit Techniques (CAAT)

– Use of computer processes to perform audit functions
– Performing substantive tests
• Approaches
– Auditing through the computer
– Auditing with the computer
14
The IT Audit Process
15
THE NATURE OF AUDITING
• Types of internal auditing work
– Three different types of audits are commonly performed.
• Financial audit
• Examines reliability and integrity of accounting

records (financial and operating).
• Correlates with the first of the five scope standards.
16
• Financial audit
• Information systems audit
• Reviews the controls of an AIS to assess:

– Compliance with internal control policies and
procedures; and
– Effectiveness in safeguarding assets.
• Scope roughly corresponds to the IIA’s second and
third standards.
17
• Financial audit
• Information systems audit
• Operational or management audit
• Concerned with economical and efficient use of

resources and accomplishment of established goals
and objectives.
• Scope corresponds to fourth and fifth standards.
18
Planning • An overview of the auditing process
– All audits follow a similar sequence
of activities and may be divided
into four stages:
• Planning
19
into four stages:
Collecting Evidence • Planning
• Collecting Evidence
20
into four stages:
• Collecting evidence
• Evaluating evidence
Evaluating Evidence
21
into four stages:
• Collecting evidence
• Evaluating evidence
Evaluating Evidence • Communicating audit results
Communicating Audit
Results
22
• Audit planning
Planning
– Purpose: Determine why, how, when, and by
whom the audit will be performed.
– The first step in audit planning is to establish
the scope and objectives of the audit.
Collecting Evidence – An audit team with the necessary experience
and expertise is formed.
– Team members become familiar with the
auditee by:
• Conferring with supervisory and
Evaluating Evidence
operating personnel;
• Reviewing system documentation; and
• Reviewing findings of prior audits.
Communicating Audit
Results
23
• The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
• There are three types of risk when conducting an audit:
– Inherent risk
• How susceptible the area would be to threats if there

were no controls.
24
• The risk that a material misstatement will get
through the internal control structure and into the
• The audit shouldfinancial
be planned so that the greatest amount of
statements.
audit work focuses on areas
• Inversely withtothe
related the highest
strengthrisk factors.
of the company’s
internal
• There are three types ofcontrols,
risk wheni.e.,conducting
stronger controls means lower
an audit:
control risk.
– Inherent risk
• Can be determined by:
– Control risk – Reviewing the control environment.
– Considering control weaknesses identified in
prior audits and evaluating how they have been
rectified.
25
• The audit should be planned so that the greatest amount of
audit work focuses on areas with the highest risk factors.
• There are three types of risk when conducting an audit:
– Inherent risk
– Control risk
– Detection risk
• The risk that auditors and their procedures will miss

a material error or misstatement.
26
• To conclude the planning stage:
– A preliminary audit program is prepared to show the
nature, extent, and timing of the procedures necessary to
achieve audit objectives and minimize audit risks.
– A time budget is prepared.
– Staff members are assigned to perform specific audit steps.
27
Planning • Collection of audit
evidence
– Much audit effort is spent
Collecting Evidence collecting evidence.
Evaluating Evidence
Communicating Audit
Results
28
• Collection of audit evidence
– The following are among the most commonly used
evidence collection methods:
• Observation
• Watch the activities being audited, e.g., how employees
enter the site or handle a particular form.
29
• Observation
• Review of documentation
• Review documents to understand how an AIS or an
internal control system is supposed to function.
30
• Observation
• Discussions
• Talk with employees about their jobs and how they
carry out certain procedures.
31
• Observation
• Discussions
• Physical examination
• Examine quantity and/or condition of tangible
assets, such as equipment, inventory, or cash.
32
• Observation
• Discussions
• Confirmation
• Communicate with third parties to check the
accuracy of information such as customer account
balances.
33
• Observation
• Discussions
• Confirmation
• Re-performance
• Repeat a calculation to verify quantitative
information on records and reports.
34
• Observation
• Discussions
• • Examine supporting documents to ensure the
Confirmation
validity of the transaction.
• Re-performance
• Vouching
35
• Collection of Audit Evidence
• Observation
• • of
Review Examine relationships and trends among information
documentation
• items to detect those that deserve further
Discussions
• investigation.
Physical examination
• • Example: If the inventory turnover ratio has
Confirmation
• plummeted, it’s time to investigate why the change
Re-performance
has occurred.
• Vouching
• Analytical review
36
• Because many audit tests and procedures cannot feasibly be
performed on the entire set of activities, records, assets, or
documents, they are often performed on a sample basis.
• A typical audit will be a mix of audit procedures.
37
• An audit designed to evaluate AIS internal controls would
make greater use of:
– Observation
– Review of documentation
– Discussions
– Re-performance
• An audit of financial information would focus on:
– Physical examination
– Confirmation
– Vouching
– Analytical review
– Re-performance
38
• Because errors will occur anywhere,
THE NATURE OF AUDITING auditors focus on those that have a
significant impact on management’s
interpretation of the audit findings.
• •Evaluation
Materiality of Auditwhat
dictates Evidence
is and is not
Planning
– important
The auditorin evaluates
a given set the of circumstances—
evidence
primarily
gathered ainmatter
light ofofthejudgment.
specific audit
• Itobjective and decides
is generally if it supports
more important a
to external
favorable
audits, or unfavorable
when the overall conclusion.
emphasis is on the
Collecting Evidence – fairness
If inconclusive, the auditor
of financial statement plans and
executes additional
presentations, thanprocedures
to internaluntilaudits, where
sufficient evidence is obtained.
the focus is on determining adherence to
– Two important factors when deciding how
management’s policies.
much audit work is necessary and in
Evaluating Evidence evaluating audit evidence are:
• Materiality
Communicating Audit
Results
39
• Reasonable assurance is somewhat of a
cost-benefit notion.
• It is prohibitively expensive for the auditor to
• Evaluation
seek completeof Audit Evidence
assurance that no material
Planning
– error exists, evaluates
The auditor so he must the accept
evidencerisk that the
gathered
audit in light of
conclusion is the specific audit
incorrect.
objective and
• Therefore decidesreasonable
he seeks if it supportsassurance,
a
favorable or unfavorable conclusion.
as opposed to absolute assurance.
Collecting Evidence – If inconclusive, the auditor plans and
• Note that additional
executes when inherent
proceduresor control
until risk is
high, the auditor
sufficient evidencemust obtain greater
is obtained.
– assurance to offset
Two important factorsthe greater
when uncertainty
deciding how
and
muchrisks.
audit work is necessary and in
Evaluating Evidence evaluating audit evidence are:
• Materiality
• Reasonable assurance
Communicating Audit
Results
40
• At all stages of the audit, findings and conclusions are
carefully documented in working papers.
• Documentation is critical at the evaluation stage,
when final conclusions must be reached and
supported.
41
• Communication of audit results
Planning
– The auditor prepares a written (and
sometimes oral) report summarizing audit
findings and recommendations, with
references to supporting evidence in the
Collecting Evidence working papers.
– Report is presented to:
• Management
• The audit committee
• The board of directors
Evaluating Evidence
• Other appropriate parties
– After results are communicated, auditors
often perform a follow-up study to see if
Communicating Audit recommendations have been implemented.
Results
42
• The risk-based audit approach
– A risk-based audit approach is a four-step approach to
internal control evaluation that provides a logical
framework for carrying out an audit. Steps are:
• Determine the threats (errors and irregularities) facing the
AIS.
43
• Determine the threats (errors and irregularities) facing the AIS.
• Identify control procedures implemented to minimize each
threat by preventing or detecting such errors and
irregularities.
44
• Perform a systems review to determine if necessary
procedures are in place. Involves:
• The risk-based–auditReviewing system documentation
approach
– A risk-based–audit
Interviewing
approach appropriate personnel
is a four-step approach to
internal •control
Conduct tests of controls
evaluation to determine
that provides if the
a logical
procedures are satisfactorily followed. Involves:
– Observing system operations
– Inspecting documents, records, and reports
• Identify control procedures implemented to minimize each threat
–
by preventingChecking samples
or detecting of system
such errors inputs and outputs
and irregularities.
– Tracing transactions through the system
• Evaluate the control procedures.
45
• Focuses on control risks and whether the control
system as a whole adequately addresses them.
• If a control deficiency is identified, the auditor asks
about compensating controls—procedures that
make up for the deficiency.
• Identify control procedures implemented to minimize each threat
• A control
by preventing weakness
or detecting such in oneand
errors area may be acceptable
irregularities.
if compensated for by control strengths in other
• Evaluate the control procedures.
areas.
• Evaluate weaknesses (errors and irregularities not covered by
control procedures) to determine their effect on the nature,
timing, or extent of auditing procedures and client suggestions.
46
• The risk-based approach to auditing provides auditors
with a clear understanding of the errors and
irregularities that can occur and the related risks and
exposures.
• This understanding provides a basis for developing
recommendations to management on how the AIS
control system should be improved.
47
Careers in IT Auditing
• Background
– Accounting skills
– Information systems or computer science skills
• Certified Information System Auditor (CISA)
– Successfully complete examination
– Experience requirements
– Comply with Code of Professional Ethics
– Continuing professional education
– Comply with standards
48
INFORMATION SYSTEMS AUDITS
• The purpose of an information systems audit is to review and
evaluate the internal controls that protect the system.
• When performing an information system audit, auditors should
ascertain that the following objectives are met:
– Security provisions protect computer equipment, programs,
communications, and data from unauthorized access, modification, or
destruction.
– Program development and acquisition are performed in accordance
with management’s general and specific authorization.
– Program modifications have management’s authorization and approval.
49
INFORMATION SYSTEMS AUDITS
– Processing of transactions, files, reports, and other computer records are
accurate and complete.
– Source data that are inaccurate or improperly authorized are identified and
handled according to prescribed managerial policies.
– Computer data files are accurate, complete, and confidential.
• The following slide depicts the relationship among these six objectives and
information systems components.
• The objectives are then discussed in detail in the following section.
• Each description includes an audit plan to accomplish the objective, as well as the
techniques and procedures to carry out the plan.
50
IS COMPONENTS AND AUDIT OBJECTIVES
Objective 1: Overall Security
Objective 5: Source Data
Source
Data
Data
Entry
Objective 2:
Program Development Source
and Acquisition Data
Processing
Programs Files
Output
Objective 3: Objective 6:
Program Modification Objective 4: Computer Processing Data Files
51
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
52
OBJECTIVE 1: OVERALL SECURITY
• Types of security errors and fraud faced by companies:
– Accidental or intentional damage to system assets.
– Unauthorized access, disclosure, or modification of data
and programs.
– Theft.
– Interruption of crucial business activities.
53
• Control procedures to minimize security errors and fraud:
– Developing an information security/protection plan.
– Restricting physical and logical access.
– Encrypting data.
– Protecting against viruses.
– Implementing firewalls.
– Instituting data transmission controls.
– Preventing and recovering from system failures or disasters, including:
• Designing fault-tolerant systems.
• Preventive maintenance.
• Backup and recovery procedures.
• Disaster recovery plans.
• Adequate insurance.
54
• Audit procedures: Systems review
– Inspecting computer sites.
– Interviewing personnel.
– Reviewing policies and procedures.
– Examining access logs, insurance policies, and the disaster
recovery plan.
55
• Audit procedures: Tests of controls
– Auditors test security controls by:
• Observing procedures.
• Verifying that controls are in place and work as
intended.
• Investigating errors or problems to ensure they were
handled correctly.
• Examining any tests previously performed.
– One way to test logical access controls is to try to break
into a system.
56
• Compensating controls
– If security controls are seriously deficient, the organization
faces substantial risks.
– Partial compensation for poor computer security can be
provided by:
• Sound personnel policies
• Effective segregation of incompatible duties
• Effective user controls, so that users can recognize unusual system
output.
– These compensations aren’t likely to be enough, so
auditors should strongly recommend that security
weaknesses be corrected.
57
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
58
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
59
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
• Types of errors and fraud:
– Two things can go wrong in program development:
• Inadvertent errors due to careless programming or
misunderstanding specifications; or
• Deliberate insertion of unauthorized instructions into
the programs.
60
• Control procedures:
– The preceding problems can be controlled by requiring:
• Management and user authorization and approval
• Thorough testing
• Proper documentation
61
– The auditor’s role in systems development should be
limited to an independent review of system development
activities.
• To maintain necessary objectivity for performing an independent
evaluation, the auditor should not be involved in system
development.
• During the systems review, the auditor should gain an
understanding of development procedures by discussing them with
management, users, and IS personnel.
• Should also review policies, procedures, standards, and
documentation for systems and programs.
62
– To test systems development controls, auditors should:
• Interview managers and system users.
• Examine development approvals.
• Review the minutes of development team meetings.
• Thoroughly review all documentation relating to the testing
process and ascertain that all program changes were tested.
• Examine the test specifications, review the test data, and evaluate
the test results.
– If results were unexpected, ascertain how the
problem was resolved.
63
– Strong processing controls can sometimes compensate for
inadequate development controls.
• If auditors rely on compensatory processing controls,
they should obtain persuasive evidence of compliance.
– Use techniques such as independent processing of
test data to do so.
• If this type of evidence can’t be obtained, they may
have to conclude there is a material weakness in internal
control.
64
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
65
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
66
MODIFICATION
• Types of errors and fraud
– Same that can occur during program development:
• Inadvertent programming errors
• Unauthorized programming code
67
OBJECTIVE 3: PROGRAM MODIFICATION
• Control procedures
– When a program change is submitted for approval, a list of all required
updates should be compiled by management and program users.
– Changes should be thoroughly tested and documented.
– During the change process, the developmental version of the program
must be kept separate from the production version.
– When the amended program has received final approval, it should
replace the production version.
– Changes should be implemented by personnel independent of users or
programmers.
– Logical access controls should be employed at all times.
68
• Audit procedures: System review

– During systems review, auditors should:
• Gain an understanding of the change process by discussing it with
management and user personnel.
• Examine the policies, procedures, and standards for approving,
modifying, testing, and documenting the changes.
• Review a complete set of final documentation materials for recent
program changes, including test procedures and results.
• Review the procedures used to restrict logical access to the
developmental version of the program.
69

– An important part of these tests is to verify that program changes were
identified, listed, approved, tested, and documented.
– Requires that the auditor observe how changes are implemented to
verify that:
• Separate development and production programs are maintained;
and
• Changes are implemented by someone independent of the user and
programming functions.
– The auditor should review the development program’s access control
table to verify that only those users assigned to carry out modification
had access to the system.
70
– To test for unauthorized program changes, auditors can use

a source code comparison program to compare the current
version of the program with the original source code.
• Any unauthorized differences should result in an
investigation.
• If the difference represents an authorized change, the
auditor can refer to the program change specifications
to ensure that the changes were authorized and correctly
incorporated.
71
– Two additional techniques detect unauthorized program

changes:
• Reprocessing
– On a surprise basis, the auditor uses a verified copy of
the source code to reprocess data and compare that
output with the company’s data.
– Discrepancies are investigated.
• Parallel simulation
– Similar to reprocessing except that the auditor writes
his own program instead of using verified source code.
– Can be used to test a program during the
implementation process.
72
– Auditors should observe testing and implementation,

review related authorizations, and, if necessary, perform
independent tests for each major program change.
– If this step is skipped and program change controls are
subsequently deemed inadequate, it may not be possible to
rely on program outputs.
– Auditors should always test programs on a surprise basis to
protect against unauthorized changes being inserted after
the examination is completed and then removed prior to
scheduled audits.
73
– If internal controls over program changes are deficient,
compensation controls are:
• Source code comparison;
• Reprocessing; and/or
• Parallel simulation.
– The presence of sound processing controls, independently
tested by the auditor, can also partially compensate for
deficiencies.
– But if deficiencies are caused by inadequate restrictions on
program file access, the auditor should strongly
recommend actions to strengthen the organization’s logical
access controls.
74
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
75
Source
Data
Data
Entry
Objective 2:
Processing
Programs Files
Output
76
OBJECTIVE 4: COMPUTER PROCESSING

– During computer processing, the system may:
• Fail to detect erroneous input.
• Improperly correct input errors.
• Process erroneous input.
• Improperly distribute or disclose output.
77
– Computer data editing routines.
– Proper use of internal and external file labels.
– Reconciliation of batch totals.
– Effective error correction procedures.
– Understandable operating documentation and run manuals.
– Competent supervision of computer operations.
– Effective handling of data input and output by data control personnel.
– File change listings and summaries prepared for user department
review.
– Maintenance of proper environmental conditions in computer facility.
78

– Review administrative documentation for processing
control standards.
– Review systems documentation for data editing and other
processing controls.
– Review operating documentation for completeness and
clarity.
– Review copies of error listings, batch total reports, and file
change lists.
– Observe computer operations and data control functions.
– Discuss processing and output controls with operations and
IS supervisory personnel.
79

– Evaluate adequacy of processing control standards and procedures.
– Evaluate adequacy and completeness of data editing controls.
– Verify adherence to processing control procedures by observing
computer operations and the data control function.
– Verify that selected application system output is properly distributed.
– Reconcile a sample of batch totals, and follow up on discrepancies.
– Trace disposition of a sample of errors flagged by data edit routines to
ensure proper handling.
– Verify processing accuracy for a sample of sensitive transactions.
80
– Verify processing accuracy for selected computer-generated

transactions.
– Search for erroneous or unauthorized code via analysis of program
logic.
– Check accuracy and completeness of processing controls using test
data.
– Monitor online processing systems using concurrent audit techniques.
– Recreate selected reports to test for accuracy and completeness.
81
– Auditors must periodically re-evaluate processing controls
to ensure their continued reliability.
• If controls are unsatisfactory, user and source data
controls may be strong enough to compensate.
• If not, a material weakness exists and steps should be
taken to eliminate the control deficiencies.
82
• The purpose of the preceding audit procedures is to gain an

understanding of the controls, evaluate their adequacy, and
observe operations for evidence that the controls are in use.
• Several specialized techniques allow the auditor to use the
computer to test processing controls:
– Processing test data.
– Using concurrent audit techniques.
– Analyzing program logic.
• Each has its own advantages and disadvantages:
– Appropriateness of each technique depends on the situation.
– No one technique is good for all circumstances.
• Auditors should not disclose which technique they use.
83

84
• Processing test data

– Involves testing a program by processing a hypothetical
series of valid and invalid transactions.
– The program should:
• Process all the valid transactions correctly.
• Identify and reject the invalid ones.
– All logic paths should be checked for proper functioning by
one or more test transactions, including:
• Records with missing data.
• Fields containing unreasonably large amounts.
• Invalid account numbers or processing codes.
• Non-numeric data in numeric fields.
• Records out of sequence.
85
• The following resources are helpful when preparing

test data:
– A listing of actual transactions.
– The transactions that the programmer used to test the
program.
– A test data generator program, which automatically
prepares test data based on program specifications.
86
• In a batch processing system, the company’s program and a

copy of relevant files are used to process the test data.
– Results are compared with the predetermined correct output.
– Discrepancies indicate processing errors or control deficiencies that
should be investigated.
• In an online system, auditors enter test data using a data entry
device, such as a PC or terminal.
– The auditor observes and logs the system’s response.
– If the system accepts erroneous or invalid test transactions, the auditor
reverses the effects of the transactions, investigates the problem, and
corrects the deficiency.
87
• Although processing test transactions is usually

effective, it has the following disadvantages:
– The auditor must spend considerable time understanding
the system and preparing an adequate set of test
transactions.
– Care must be taken to ensure test data do not affect the
company’s files and databases.
• The auditor can reverse the effects of the test transactions or
process them in a separate run, using a copy of the file or database.
– Reversal procedures may reveal the existence and
nature of the auditor’s test to key personnel.
– A separate run removes some of the authenticity.
88

89
• Concurrent audit techniques

– Millions of dollars of transactions can be processed in an
online system without leaving a satisfactory audit trail.
– In such cases, evidence gathered after data processing is
insufficient for audit purposes.
– Also, because many online systems process transactions
continuously, it is difficult or impossible to stop the system
to perform audit tests.
– Consequently, auditors use concurrent audit techniques to
continually monitor the system and collect audit evidence
while live data are processed during regular operating
hours.
90
OBJECTIVE 5: SOURCE DATA
– Inaccurate source data
– Unauthorized source data
91
– Effective handling of source data input by data control personnel
– User authorization of source data input
– Preparation and reconciliation of batch control totals
– Logging of the receipt, movement, and disposition of source data input
– Check digit verification
– Key verification
– Use of turnaround documents
– Computer data editing routines
– File change listings and summaries for user department review
– Effective procedures for correcting and resubmitting erroneous data
92
• Audit procedures: System review
– Review documentation about responsibilities of data control function.
– Review administrative documentation for source data control
standards.
– Review methods of authorization and examine authorization
signatures.
– Review accounting systems documentation to identify source data
content and processing steps and specific source data controls used.
– Document accounting source data controls using an input control
matrix.
– Discuss source data control procedures with data control personnel as
well as the users and managers of the system.
93
– Observe and evaluate data control department operations
and specific data control procedures.
– Verify proper maintenance and use of data control log.
– Evaluate how items recorded in the error log are handled.
– Examine samples of accounting source data for proper
authorization.
– Reconcile a sample of batch totals and follow up on
discrepancies.
– Trace disposition of a sample of errors flagged by data edit
routines.
94
– Strong user controls
– Strong processing controls
95
CISA Exam Components
96
Careers in IT Auditing
• Certified Information Security Manager (CISM)

– Business orientation
– Understand risk management and security
• CISM Knowledge
– Information security governance
– Information security program management
– Risk management
– Information security management
– Response management
97
Evaluating the Effectiveness of
Information Systems Controls
• Impact on Substantive Testing
– Strong controls, less substantive testing
– Weak controls, more substantive testing
• Risk Assessment
– Evaluate the risks associated with control weaknesses
– Make recommendations to improve controls
98
Risk Assessment
• Risk-Based Audit Approach

– Determine the threats
– Identify the control procedures needed
– Evaluate the current control procedures
– Evaluate the weaknesses within the AIS
• Benefits
– Understanding of errors and irregularities
– Sound basis for recommendations
99
Information Systems Risk Assessment
• Method of evaluating desirability of IT controls

• Types of Risks
– Errors and accidents
– Loss of company secrets
– Unauthorized manipulation of company files
– Interrupted computer access
• Penetration Testing
100
Study Break #1
An IT auditor:
A. Must be an external auditor

B. Must be an internal auditor
C. Can be either an internal or external auditor
D. Must be a Certified Public Accountant
101
Study Break #2
In determining the scope of an IT audit, the auditor should pay

most attention to:
A. Threats and risks

B. The cost of the audit
C. What the IT manager asks to be evaluated
D. Listings of standard control procedures
102
The IT Auditor’s Toolkit
• Utilization of CAATs
– Auditing with the computer
– Manual access to data stored on computers is impossible
• Tools
– Auditing Software
– People Skills
103
General-Use Software
• Productivity tools that improve the auditor’s work

• Types
– Word processing programs
– Spreadsheet software
– Database management systems (DBMS)
– Structured Query Language (SQL)
104
Generalized Audit Software
• Overview
– Allow for reviewing of files without rewriting processing
programs
– Basic data manipulation
– Tailored to auditor tasks
• Common Programs
– Audit Command Language (ACL)
– Interactive Data Extraction and Analysis (IDEA)
105
Generalized Audit Software - Inventory
106
Automated Workpapers
• Overview
– Automate and standardize audit tests
– Can prepare financial statements and other financial measures
• Features
– Generate trial balances
– Make adjusting entries
– Perform consolidations
– Conduct analytical procedures
– Document audit procedures and conclusions
107
People Skills
• Examples
– Working as a team
– Interact with clients and other auditors
– Interviewing clients
• Importance of Interviews
– Gain understanding of organization
– Evaluate internal controls
108
Auditing Computerized AISs
• Auditing Around the Computer

– Assumes accurate output verifies proper processing
– Not effective in a computerized environment
• Auditing Through the Computer
– Follows audit trail through the computer
– Verifies proper functioning of processing controls in AIS
programs
109
Auditing Computerized AISs
• Testing Computer Programs

• Validating Computer Programs
• Review of Systems Software
• Validating Users and Access Privileges
• Continuous Auditing
110
Testing Computer Programs
• Test Data
– Create set of transactions
– Covering range of exception situations
– Compare results and investigate further
• Integrated Test Facility
– Establish a fictitious entity
– Enter transactions for that entity
– Observe how they are processed
111
Testing Computer Programs
• Parallel Simulation
– Utilized live input data
– Simulates all or some of the operations
– Compare results
– Very time-consuming and cost-prohibitive
112
Edit Tests and Test Data
113
Validating Computer Programs
• Tests of Program Change Controls

– Protect against unauthorized program changes
– Documentation of requests for program changes
– Utilize special forms for authorization
• Program Comparison
– Test of Length
– Comparison Program
114
Reviewing a Responsibility System
115
Review of Systems Software
• Systems Software Controls

– Operating system software
– Utility programs
– Program library software
– Access control software
• Inspect Outputs
– Logs
– Incident reports
116
Password Parameters
117
Validating Users and Access Privileges
• Purpose
– Ensure all system users are valid
– Appropriate access privileges
• Utilize Software Tools
– Examine login times
– Exception conditions
– Irregularities
118
Continuous Auditing
• Embedded Audit Modules (Audit Hooks)

– Capture data for audit purposes
• Exception Reporting
– Transactions falling outside given parameters are rejected
• Transaction Tagging
– Certain transactions tagged and progress recorded
119
Continuous Auditing
• Snapshot Technique
– Examines how transactions are processed
• Continuous and Intermittent Simulation (CIS)
– Embeds audit module in a database management system
(DBMS)
– Similar to parallel simulation
120
Continuous Auditing – Spreadsheet
Errors
121
Study Break #3
Which of the following is NOT an audit technique for auditing

computerized AIS?
A. Parallel simulation
B. Use of specialized control software
C. Continuous auditing
D. All of the above are techniques used to audit computerized
AIS
122
Study Break #4
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in
their financial reporting
C. Does not include techniques such as embedded audit
modules
D. Will never allow IT auditors to provide some types of
assurance on a real-time basis
123
IT Governance
• Overview
– Process of using IT resources effectively
– Efficient, responsible, strategic use of IT
• Objectives
– Using IT strategically to fulfill mission of organization
– Ensure effective management of IT
124
IT Auditing Today
• The Sarbanes-Oxley Act of 2002

• Auditing Standard No. 5 (AS5)
• Third Party and Information Systems Reliability Assurances
125
The Sarbanes-Oxley Act of 2002
• Overview
– Limits services that auditors can provide clients while they
are conducting audits
• Groups of Compliance Requirements
– Audit committee/corporate governance requirements
– Certification, disclosure, and internal control
– Financial statement reporting rules
– Executive reporting and conduct
126
The Sarbanes-Oxley Act of 2002
• Section 302
– CEOs and CFOs are required to certify the financial statements
– Internal controls and disclosures are adequate
• Section 404
– CEOs and CFOs assess and attest to the effectiveness of
internal controls
127
Key Provisions of SOX
128
Key Provisions of SOX
129
Auditing Standard No. 5 (AS5)
• Purpose
– Public Company Accounting Oversight Board (PCAOB)
guidance
– Focus on most critical controls
• Rebalancing of Auditor’s Work
– Internal auditors help to advise board of directors
– External auditors reduce redundant testing
130
Third Party and Information
Systems Reliability Assurances
• Growth of Electronic Commerce
– Area of growing risk
– Security and privacy concerns
– Difficult to audit
• AICPA Trust Services
– CPA WebTrust
– SysTrust
131
Third Party and Information
Systems Reliability Assurances
• Principles of Trust Services
– Security
– Availability
– Processing integrity
– Online privacy
– Confidentiality
132
THANKS
END OF CHAPTER SIX
133

AIS Ch-6 Control and Auditing of AIS

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AIS Ch-6 Control and Auditing of AIS

Uploaded by

Copyright:

Available Formats

ACCOUNTING INFORMATION SYSTEMS

ACFN 4121 CREDIT=3

• The concept of controlling involves the

• The main objectives of controlling is to

• Internal versus External Auditing

• Computer-Assisted Audit Techniques (CAAT)

• Examines reliability and integrity of accounting

• Reviews the controls of an AIS to assess:

• Concerned with economical and efficient use of

• How susceptible the area would be to threats if there

• The risk that auditors and their procedures will miss

• Audit procedures: System review

• Audit procedures: Tests of controls

– To test for unauthorized program changes, auditors can use

– Two additional techniques detect unauthorized program

– Auditors should observe testing and implementation,

• Types of errors and fraud

• Audit procedures: Systems review

• Audit procedures: Tests of controls

– Verify processing accuracy for selected computer-generated

• The purpose of the preceding audit procedures is to gain an

• The purpose of the preceding audit procedures is to gain an

• Processing test data

• The following resources are helpful when preparing

• In a batch processing system, the company’s program and a

• Although processing test transactions is usually

• The purpose of the preceding audit procedures is to gain an

• Concurrent audit techniques

• Certified Information Security Manager (CISM)

• Risk-Based Audit Approach

• Method of evaluating desirability of IT controls

A. Must be an external auditor

In determining the scope of an IT audit, the auditor should pay

A. Threats and risks

• Productivity tools that improve the auditor’s work

• Auditing Around the Computer

• Testing Computer Programs

• Tests of Program Change Controls

• Systems Software Controls

• Embedded Audit Modules (Audit Hooks)

Which of the following is NOT an audit technique for auditing

• The Sarbanes-Oxley Act of 2002

You might also like