Beruflich Dokumente
Kultur Dokumente
HAPTER 9
Romney/Steinbart
1 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 2 of 151
INTRODUCTION
This chapter focuses on the concepts and techniques used in auditing an AIS. Auditors are employed for a wide range of tasks and responsibilities:
Organizations employ internal auditors to evaluate company operations. The GAO and state governments employ auditors to evaluate management performance and compliance with legislative intent. The Defense Department employs auditors to review financial records of defense contractors. Publicly-held corporations hire external auditors to provide an independent review of their financial statements.
Romney/Steinbart
3 of 151
INTRODUCTION
This chapter is written primarily from the perspective of an internal auditor.
They are directly responsible for helping management improve organizational efficiency and effectiveness. They assist in designing and implementing an AIS that contributes to the entitys goals.
Romney/Steinbart
4 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
Romney/Steinbart
5 of 151
Romney/Steinbart
6 of 151
Romney/Steinbart
7 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 9 of 151
Romney/Steinbart
10 of 151
Romney/Steinbart
11 of 151
Romney/Steinbart
12 of 151
Romney/Steinbart
13 of 151
Romney/Steinbart
14 of 151
Romney/Steinbart
15 of 151
Romney/Steinbart
16 of 151
Romney/Steinbart
17 of 151
Collecting Evidence
Romney/Steinbart
18 of 151
Collecting Evidence
Evaluating Evidence
Romney/Steinbart
19 of 151
Collecting Evidence
Evaluating Evidence
Collecting Evidence
Evaluating Evidence
Conferring with supervisory and operating personnel; Reviewing system documentation; and Reviewing findings of prior audits.
Accounting Information Systems, 11/e Romney/Steinbart 21 of 151
Romney/Steinbart
22 of 151
The risk that a material misstatement will get through the internal control structure and into the financial planned The audit should bestatements. so that the Inversely related to the strength of the companys internal controls, i.e., stronger areas with controls means lower control risk. the highest risk factors. Can be determined by: There are three types of riskenvironment. Reviewing the control when conducting Considering control weaknesses identified in an audit: prior audits and evaluating how they have Inherent riskbeen rectified.
Control risk
Romney/Steinbart
23 of 151
Romney/Steinbart
25 of 151
Collecting Evidence
Evaluating Evidence
Romney/Steinbart
27 of 151
Romney/Steinbart
28 of 151
Romney/Steinbart
29 of 151
Romney/Steinbart
30 of 151
Romney/Steinbart
31 of 151
Romney/Steinbart
32 of 151
Romney/Steinbart
33 of 151
Romney/Steinbart
34 of 151
Romney/Steinbart
35 of 151
Collecting Evidence
Evaluating Evidence
Because errors will occur anywhere, auditors focus on those that have a significant impact on managements interpretation of the audit findings. Evaluation dictates what is and is not Materiality of Audit Evidence important inevaluates the evidence The auditor a given set of circumstancesprimarily a matter of gathered in light of the specific audit objective judgment.and decides if it supports a Itfavorable or unfavorable conclusion. is generally more important to external audits, when the overall emphasis is on If inconclusive, the auditor plans and executes additional procedures until the fairness of financial statement sufficient evidence is obtained. presentations, than to internal audits, where the focus is on when deciding Two important factors determining how much audit work is necessary and adherence to managements policies. in evaluating audit evidence are: Materiality
Planning
Collecting Evidence
Evaluating Evidence
cost-benefit notion. It is prohibitively expensive for the Evaluationseek complete assurance that auditor to of Audit Evidence no material error exists, so he must The auditor evaluates the evidence gathered in light of audit conclusion accept risk that thethe specific audit is objective incorrect. and decides if it supports a favorable or unfavorable conclusion. Therefore he seeks reasonable assurance, as opposed toplans and If inconclusive, the auditor absolute executes additional procedures until assurance. sufficient evidence is obtained. Note that whenfactors when control risk is Two important inherent or deciding high, much audit work isobtain greater how the auditor must necessary and assurance to audit evidence are: in evaluating offset the greater uncertainty and risks. Materiality Reasonable assurance
Romney/Steinbart
39 of 151
Collecting Evidence
Evaluating Evidence
Romney/Steinbart
41 of 151
Romney/Steinbart
42 of 151
Romney/Steinbart
43 of 151
44 of 151
Romney/Steinbart
45 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 46 of 151
Romney/Steinbart
48 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Romney/Steinbart
51 of 151
Romney/Steinbart
53 of 151
One way to test logical access controls is to try to break into a system.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 54 of 151
These compensations arent likely to be enough, so auditors should strongly recommend that security weaknesses be corrected.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 55 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Romney/Steinbart
58 of 151
Romney/Steinbart
59 of 151
Romney/Steinbart
60 of 151
Romney/Steinbart
61 of 151
If this type of evidence cant be obtained, they may have to conclude there is a material weakness in internal control.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 62 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Romney/Steinbart
65 of 151
Romney/Steinbart
66 of 151
Romney/Steinbart
67 of 151
Romney/Steinbart
68 of 151
Romney/Steinbart
69 of 151
Parallel simulation
Similar to reprocessing except that the auditor writes his own program instead of using verified source code. Can be used to test a program during the implementation process.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 70 of 151
Romney/Steinbart
71 of 151
The presence of sound processing controls, independently tested by the auditor, can also partially compensate for deficiencies. But if deficiencies are caused by inadequate restrictions on program file access, the auditor should strongly recommend actions to strengthen the organizations logical access controls.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 72 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Romney/Steinbart
75 of 151
Romney/Steinbart
76 of 151
Romney/Steinbart
78 of 151
Romney/Steinbart
79 of 151
Romney/Steinbart
80 of 151
All logic paths should be checked for proper functioning by one or more test transactions, including:
Records with missing data. Fields containing unreasonably large amounts. Invalid account numbers or processing codes. Non-numeric data in numeric fields. Records out of sequence.
Accounting Information Systems, 11/e Romney/Steinbart 83 of 151
Romney/Steinbart
84 of 151
In an online system, auditors enter test data using a data entry device, such as a PC or terminal.
The auditor observes and logs the systems response. If the system accepts erroneous or invalid test transactions, the auditor reverses the effects of the transactions, investigates the problem, and corrects the deficiency.
Romney/Steinbart
85 of 151
Romney/Steinbart
86 of 151
Romney/Steinbart
88 of 151
Are time-consuming and difficult to use, but less so if incorporated when programs are developed.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 89 of 151
Romney/Steinbart
90 of 151
Romney/Steinbart
91 of 151
The auditor compares processing with expected results to verify system and controls are operating correctly.
Romney/Steinbart
93 of 151
Can all be accomplished without disrupting regular processing operations. Care must be taken not to include dummy records in the reporting process.
Romney/Steinbart
94 of 151
Romney/Steinbart
95 of 151
Romney/Steinbart
97 of 151
Romney/Steinbart
98 of 151
Romney/Steinbart
99 of 151
Romney/Steinbart
100 of 151
Romney/Steinbart
101 of 151
If there are discrepancies, details are written to an audit log for subsequent investigation. Serious discrepancies may prevent the DBMS from executing the update.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 102 of 151
Romney/Steinbart
103 of 151
Romney/Steinbart
104 of 151
Romney/Steinbart
105 of 151
Romney/Steinbart
106 of 151
Romney/Steinbart
107 of 151
Sequentially prints all program steps executed during a program run. The following list is intermingled with regularcan software packages output This so auditors can observe the precise sequence of events that unfold during Automatedprogram execution. flowcharting programs decision table programs AutomatedHelps auditors detect: Unauthorized program instructions Scanning routines logic paths Incorrect Unexecuted program code Mapping programs
help:
Program tracing
Romney/Steinbart
108 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Romney/Steinbart
111 of 151
Effective handling of source data input by data control personnel User authorization of source data input Preparation and reconciliation of batch control totals Logging of the receipt, movement, and disposition of source data input Check digit verification Key verification Use of turnaround documents Computer data editing routines File change listings and summaries for user department review Effective procedures for correcting and resubmitting erroneous data
Romney/Steinbart
112 of 151
Romney/Steinbart
113 of 151
Romney/Steinbart
115 of 151
Romney/Steinbart
116 of 151
Field Names
Input Controls Financial totals Hash totals Record counts Cross-footing balance Key verification Visual inspection Check digit verification Pre-numbered forms Turnaround document Edit program Sequence check Field check Sign check Validity check Limit check Reasonableness test Redundant data check Completeness test Overflow procedure Other
2008 Prentice Hall Business Publishing
oy ee La Nu st m Na be m De r e pa rtm en Tr an tN sa um ct be W io ee n r Co k En de Re di ng gu (D la rH at Ov e) ou er rs tim e Ho ur s
Romney/Steinbart
Record Name
Em pl
Comments
117 of 151
Usually, not feasible for small businesses and PC installations to have an independent data control function.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 118 of 151
These procedures should be the focus of the auditors systems review and tests of controls when there is no independent data control function.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 119 of 151
Romney/Steinbart
121 of 151
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Source Data
Data Entry
Objective 2: Program Development and Acquisition
Source Data
Output
Objective 3: Program Modification
Objective 4: Computer Processing
Accounting Information Systems, 11/e
Many of the controls discussed in Chapter 8 protect against the preceding risks. If file controls are seriously deficient, especially with respect to access or backup and recovery, the auditor should strongly recommend they be rectified.
Romney/Steinbart
124 of 151
A separate version of the checklist should be completed for each significant application.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 125 of 151
Romney/Steinbart
127 of 151
Romney/Steinbart
129 of 151
Examine disaster recovery plan. Discuss data file control procedures with systems managers and operators.
Romney/Steinbart
130 of 151
Romney/Steinbart
131 of 151
Romney/Steinbart
132 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 133 of 151
COMPUTER SOFTWARE
Computer audit software (CAS) or generalized audit software (GAS) are computer programs that have been written especially for auditors. Two of the most popular:
Audit Control Language (ACL) IDEA
Based on auditors specifications, CAS generates programs that perform the audit function. CAS is ideally suited for examination of large data files to identify records needing further audit scrutiny.
Romney/Steinbart
134 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting
Converting data into a different format or structure to facilitate testing.
Romney/Steinbart
135 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation
Sorting records or merging records from different files.
Romney/Steinbart
136 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation
Performing arithmetic operations on the data.
Romney/Steinbart
137 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation Data selection
Retrieving records that meet specific criteria.
Romney/Steinbart
138 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation Data selection Data analysis
Examining data for errors or missing values. Comparing fields in related records for inconsistencies.
Romney/Steinbart
139 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation Data selection Data analysis File processing
Programming to create, update, and download files to a personal computer.
Romney/Steinbart
140 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation Data selection Data analysis File processing Stratifying file records on various criteria, selecting statistical samples, and analyzing Statistics
statistical results.
Romney/Steinbart
141 of 151
COMPUTER SOFTWARE
CAS functions include:
Reformatting File manipulation Calculation Data selection Data analysis File processing Formatting and printing reports and Statistics documents. Report generation
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 142 of 151
COMPUTER SOFTWARE
How CAS is used:
The auditor:
Decides on audit objectives; Learns about the files and databases to be audited; Designs the audit reports; and Determines how to produce them.
This information is recorded on specification sheets and entered into the system. The program creates specification records used to produce auditing programs. The auditing programs process the source files and produce specified audit reports.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 143 of 151
COMPUTER SOFTWARE
The primary purpose of CAS is to assist the auditor in reviewing and retrieving information. When the auditor receives the CAS reports, most of the audit work still needs to be done.
Items on exception reports must be investigated. File totals must be verified against other sources. Audit samples must be examined and evaluated.
Advantages of CAS are numerous, but it does not replace the auditors judgment or free the auditor from other phases of the audit.
Romney/Steinbart
144 of 151
INTRODUCTION
Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take place in the audit process? What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives? How can a plan be designed to study and evaluate internal controls in an AIS? How can computer audit software be useful in the audit of an AIS? What is the nature and scope of an operational audit?
Romney/Steinbart
145 of 151
Objectives are also different in that operational audit objectives include evaluating factors such as:
Effectiveness Efficiency Goal achievement
Romney/Steinbart
146 of 151
Romney/Steinbart
147 of 151
Romney/Steinbart
148 of 151
Finally, the auditor should thoroughly document findings and conclusions and communicate audit results to management.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 149 of 151
Romney/Steinbart
150 of 151
SUMMARY
In this chapter, youve learned about the scope and objectives of audit work and the major steps that take place in the audit process. Youve also learned about the objectives of an information systems audit and the four-step approach for meeting those objectives. Youve learned how a plan can be designed to study and evaluate internal controls in an AIS and how computer audit software can be useful in the audit of an AIS. Finally, youve learned about the nature and scope of an operational audit.
Romney/Steinbart
151 of 151