Auditing Computer-based Information Systems

IS 630 : Accounting Information Systems http://www.csun.edu/~dn58412/IS630/IS630_F13.htm. Auditing Computer-based Information Systems. Lecture 10. Learning Objectives. Scope and objectives of audit work, and major steps in the audit process.

deon

Presentation Transcript


  1. IS 630 : Accounting Information Systems
     http://www.csun.edu/~dn58412/IS630/IS630_F13.htm
     Auditing Computer-based Information Systems
     Lecture 10

  2. Learning Objectives
     • Scope and objectives of audit work, and major steps in the audit process.
     • Objectives of an information system audit, and four-step approach necessary for meeting these objectives.
     • Design a plan for the study and evaluation of internal control in an AIS.
     • Describe computer audit software, and explain how it is used in the audit of an AIS.
     • Describe the nature and scope of an operational audit.
     IS 630 : Lecture 10

  3. Auditing
     • The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria

  4. Types of Audits
     • Financial
        • Examines the reliability and integrity of:
           • Financial transactions, accounting records, and financial statements.
     • Information System
        • Reviews the controls of an AIS to assess compliance with:
           • Internal control policies and procedures and effectiveness in safeguarding assets
     • Operational
        • Economical and efficient use of resources and the accomplishment of established goals and objectives
     • Compliance
        • Determines whether entities are complying with:
           • Applicable laws, regulations, policies, and procedures
     • Investigative
        • Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.

  5. The Audit Process
     • Planning
     • Collecting Evidence
     • Evaluating Evidence
     • Communicating Audit Results

  6. Planning the Audit
     • Why, when, how, whom
     • Work targeted to area with greatest risk:
        • Inherent
           • Chance of risk in the absence of controls
        • Control
           • Risk a misstatement will not be caught by the internal control system
        • Detection
           • Chance a misstatement will not be caught by auditors or their procedures

  7. Collection of Audit Evidence
     • Not everything can be examined, so samples are collected
     • Observation of activities to be audited
     • Review of documentation
        • Gain understanding of process or control
     • Discussions
     • Questionnaires
     • Physical examination
     • Confirmations
        • Testing balances with external 3rd parties
     • Re-performance
        • Recalculations to test values
     • Vouching
        • Examination of supporting documents
     • Analytical review
        • Examining relationships and trends

  8. Evaluation of Audit Evidence
     • Does evidence support favorable or unfavorable conclusion?
     • Materiality
        • How significant is the impact of the evidence?
     • Reasonable Assurance
        • Some risk remains that the audit conclusion is incorrect.

  9. Communication of Audit Conclusion
     • Written report summarizing audit findings and recommendations:
        • To management
        • The audit committee
        • The board of directors
        • Other appropriate parties

  10. Risk-Based Audit
     • Determine the threats (fraud and errors) facing the company.
        • Accidental or intentional abuse and damage to which the system is exposed
     • Identify the control procedures that prevent, detect, or correct the threats.
        • These are all the controls that management has put into place and that auditors should review and test, to minimize the threats
     • Evaluate control procedures.
        • A systems review
           • Are control procedures in place
        • Tests of controls
           • Are existing controls working
     • Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.

  11. Information Systems Audit
     • Purpose:
        • To review and evaluate the internal controls that protect the system
     • Objectives:
        • Overall information security
        • Program development and acquisition
        • Program modification
        • Computer processing
        • Source files
        • Data files

  12. 1. Information System Threats
     • Accidental or intentional damage to system assets
     • Unauthorized access, disclosure, or modification of data and programs
     • Theft
     • Interruption of crucial business activities

  13. 2. Program Development and Acquisition
     • Inadvertent programming errors due to misunderstanding system specifications or careless programming
     • Unauthorized instructions deliberately inserted into the programs
     • Controls:
        • Management and user authorization and approval, thorough testing, and proper documentation

  14. 3. Program Modification
     • Source Code Comparison
        • Compares current program against source code for any discrepancies
     • Reprocessing
        • Use of source code to re-run program and compare for discrepancies
     • Parallel Simulation
        • Auditor-created program is run and used to compare against source code

  15. 4. Computer Processing
     • System fails to detect:
        • Erroneous input
        • Improper correction of input errors
     • Process erroneous input
     • Improperly distribute or disclose output
     • Concurrent audit techniques
        • Continuous system monitoring while live data are processed during regular operating hours
     • Using embedded audit modules
        • Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review

  16. Types of Concurrent Audits
     • Integrated Test Facility
        • Uses fictitious inputs
     • Snapshot Technique
        • Master files before and after update are stored for specially marked transactions
     • System Control Audit Review File (SCARF)
        • Continuous monitoring and storing of transactions that meet pre-specifications
     • Audit Hooks
        • Notify auditors of questionable transactions
     • Continuous and Intermittent Simulation
        • Similar to SCARF for DBMS

  17. 5. Source Data & 6. Data Files
     • Accuracy
     • Integrity
     • Security of data
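
The embedded audit module, SCARF and audit hook techniques from slides 15 and 16, sketched as an added Python example that is not part of the original lecture. The criteria, thresholds, class and function names, and sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    cents: int            # amount in cents, avoids float rounding
    when: datetime

# Pre-specified criteria the auditor configures (constructed thresholds).
CRITERIA: dict[str, Callable[[Txn], bool]] = {
    "large_amount": lambda t: t.cents >= 1_000_000,
    "outside_business_hours": lambda t: not 8 <= t.when.hour < 18,
    "round_amount": lambda t: t.cents >= 100_000 and t.cents % 100_000 == 0,
}

@dataclass
class EmbeddedAuditModule:
    notify: Callable[[Txn, list], None]             # audit hook callback
    hook_threshold: int = 2                         # criteria matched before the hook fires
    scarf_file: list = field(default_factory=list)  # evidence kept for auditor review

    def inspect(self, txn: Txn) -> list:
        matched = [name for name, test in CRITERIA.items() if test(txn)]
        if matched:   # SCARF: store every transaction that meets a criterion
            self.scarf_file.append({"txn_id": txn.txn_id, "matched": matched})
        if len(matched) >= self.hook_threshold:
            self.notify(txn, matched)   # audit hook: notify as it happens
        return matched

def process(txns, audit, balances):
    """Posting routine with the audit module called inline on live data."""
    for t in txns:
        audit.inspect(t)
        balances[t.account] = balances.get(t.account, 0) + t.cents
    return balances

SAMPLE = [  # constructed transactions
    Txn("T1", "A", 25_000, datetime(2013, 10, 1, 10, 15)),
    Txn("T2", "B", 1_200_000, datetime(2013, 10, 1, 23, 40)),
    Txn("T3", "A", 300_000, datetime(2013, 10, 2, 14, 5)),
    Txn("T4", "C", 1_050_050, datetime(2013, 10, 2, 9, 30)),
]

def run_demo():
    alerts = []
    audit = EmbeddedAuditModule(notify=lambda t, why: alerts.append(t.txn_id))
    balances = process(SAMPLE, audit, {})
    return audit.scarf_file, alerts, balances

if __name__ == "__main__":
    print(run_demo())
```

The SCARF file ends up holding every transaction that met at least one criterion, while the hook fires only for the one that met several at once; normal posting is unaffected either way.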
