2 broad categories of audits:
FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
FS: audit report
Which approach is best?
Let’s look at the audit guidelines…
Which is the best approach?
Auditing Through the Computer
1. Testing Computer Programs
2. Validate Computer Programs
3. Review of systems software
4. Continuous Auditing:
Audit tools installed within the IS
Match these terms with their definitions on the next slides
Application subroutine that captures data for audit purposes
Write to a special log file called SCARF (systems control audit review file)
Ex: transactions affecting inactive accounts, deviating from company policy, write-downs of asset values
Audit routine that flags suspicious transactions (real-time notification)
Mechanisms that reject certain transactions that fall outside predefined specifications
Place a special identifier on transactions so that they can be recorded as they pass through the IS.
Ex: tag an employee’s transaction records, manually calculate & compare
Audit modules record selected transactions before and after processing. The auditor reviews them to make sure all processing steps were performed properly.
- audit module in DBMS
- examines all transactions that update the DBMS. If a transaction has special audit significance, the audit module independently processes the data, records the results, and compares them with the DBMS results. Any discrepancies are written to an audit log for subsequent review, OR the module may stop the DBMS from executing the update process.
How do auditors put it all together?
GOAL: Provide a clear understanding of the errors and irregularities that can occur and the related risks and exposures
Evaluate Control Procedures
Ex: review docs, interviews
Ex: observe operations, check samples of input, verify use, trace transactions
Auditor can control this
and application controls
applicable to each FS assertion;
Tests of controls = Compliance tests
- apply edit checks
- file operations (join, merge, sort)