Kế toán, kiểm toán - Chapter 11: Auditing computer - Based information systems

Chapter 11Auditing Computer-Based Information SystemsCopyright © 2012 Pearson Education11-1Learning ObjectivesDescribe the scope and objectives of audit work, and identify the major steps in the audit process.Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.Design a plan for the study and evaluation of internal control in an AIS.Describe computer audit software, and explain how it is used in the audit of an AISDescribe the nature and scope of an operational audit.Copyright © 2012 Pearson Education11-2AuditingThe systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteriaCopyright © 2012 Pearson Education11-3Types of AuditsFinancialExamines the reliability and integrity of:Financial transactions, accounting records, and financial statements.Information SystemReviews the controls of an AIS to assess compliance with:Internal control policies and procedures and effectiveness in safeguarding assetsOperationalEconomical and efficient use of resources and the accomplishment of established goals and objectivesComplianceDetermines whether entities are complying with: Applicable laws, regulations, policies, and proceduresInvestigativeIncidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.Copyright © 2012 Pearson Education11-4The Audit ProcessPlanningCollecting EvidenceEvaluating EvidenceCommunicating Audit ResultsCopyright © 2012 Pearson Education11-5Planning the AuditWhy, when, how, whomWork targeted to area with greatest risk:InherentChance of risk in the absence of controlsControlRisk a misstatement will not be caught by the internal control systemDetectionChance a misstatement will not be caught by auditors or their proceduresCopyright © 2012 Pearson Education11-6Collection of Audit EvidenceNot everything can be examined so samples are collectedObservation activates to be auditedReview of documentationGain understanding of process or controlDiscussionsQuestionnairesPhysical examinationConfirmationsTesting balances with external 3rd partiesRe-performanceRecalculations to test valuesVouchingExamination of supporting documentsAnalytical reviewExamining relationships and trendsCopyright © 2012 Pearson Education11-7Evaluation of Audit EvidenceDoes evidence support favorable or unfavorable conclusion?MaterialityHow significant is the impact of the evidence?Reasonable AssuranceSome risk remains that the audit conclusion is incorrect.Copyright © 2012 Pearson Education11-8Communication of Audit Conclusion Written report summarizing audit findings and recommendations:To managementThe audit committeeThe board of directorsOther appropriate parties Copyright © 2012 Pearson Education11-9Risk-Based AuditDetermine the threats (fraud and errors) facing the company.Accidental or intentional abuse and damage to which the system is exposedIdentify the control procedures that prevent, detect, or correct the threats.These are all the controls that management has put into place and that auditors should review and test, to minimize the threatsEvaluate control procedures.A systems reviewAre control procedures in placeTests of controlsAre existing controls workingEvaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.Copyright © 2012 Pearson Education11-10Information Systems AuditPurpose:To review and evaluate the internal controls that protect the systemObjectives:Overall information securityProgram development and acquisitionProgram modificationComputer processingSource filesData filesCopyright © 2012 Pearson Education11-111. Information System ThreatsAccidental or intentional damage to system assetsUnauthorized access, disclosure, or modification of data and programsTheftInterruption of crucial business activitiesCopyright © 2012 Pearson Education11-122. Program Development and AcquisitionInadvertent programming errors due to misunderstanding system specifications or careless programmingUnauthorized instructions deliberately inserted into the programsControls:Management and user authorization and approval, thorough testing, and proper documentationCopyright © 2012 Pearson Education11-133. Program ModificationSource Code ComparisonCompares current program against source code for any discrepanciesReprocessingUse of source code to re-run program and compare for discrepanciesParallel SimulationAuditor-created program is run and used to compare against source codeCopyright © 2012 Pearson Education11-144. Computer ProcessingSystem fails to detect:Erroneous inputImproper correction of input errorsProcess erroneous inputImproperly distribute or disclose output Concurrent audit techniquesContinuous system monitoring while live data are processed during regular operating hoursUsing embedded audit modulesProgram code segments that perform audit functions, report test results, and store the evidence collected for auditor reviewCopyright © 2012 Pearson Education11-15Types of Concurrent AuditsIntegrated Test FacilityUses fictitious inputsSnapshot TechniqueMaster files before and after update are stored for specially marked transactionsSystem Control Audit Review File (SCARF)Continuous monitoring and storing of transactions that meet pre-specificationsAudit HooksNotify auditors of questionable transactionsContinuous and Intermittent SimulationSimilar to SCARF for DBMSCopyright © 2012 Pearson Education11-165. Source Data and6. Data FilesAccuracyIntegritySecurity of data Copyright © 2012 Pearson Education11-17