2004 prentice hall business publishing, accounting information systems, 9/e, by bodnar/hopwood 13...

13 – 1 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

Chapter Chapter 1313

Auditing InformationAuditing Information

TechnologyTechnology


Learning Objective 1Learning Objective 1

Distinguish between “auditingDistinguish between “auditing

through the computer” andthrough the computer” and

““auditing with the computer.”auditing with the computer.”


Information SystemsInformation SystemsAuditing ConceptsAuditing Concepts


Structure of a FinancialStructure of a FinancialStatement AuditStatement Audit

The primary objective and responsibilityThe primary objective and responsibilityof the of the external auditorexternal auditor is to attest to the is to attest to the

fairness of a firm’s financial reports.fairness of a firm’s financial reports.

The The internal auditorinternal auditor serves servesa firm’s management.a firm’s management.

The The external auditorexternal auditor serves outsiders. serves outsiders.


Structure of a Financial Structure of a Financial Statement AuditStatement Audit

TransactionsTransactions

Compliance testingCompliance testingInterim auditInterim audit

AccountingAccountingsystemsystem

FinancialFinancialreportsreports

Substantive testingSubstantive testingFinancial statement auditFinancial statement audit

CashCash BankBankReceivablesReceivables CustomersCustomers Confirm balancesConfirm balances


Auditing Around the ComputerAuditing Around the Computer

Accounting systemAccounting system

InputInput OutputOutput

In the In the around-the-computeraround-the-computer approach,approach,the processing portion is ignored.the processing portion is ignored.

ProcessingProcessing


Auditing Around the ComputerAuditing Around the Computer

Totals are accumulated forTotals are accumulated foraccepted and rejected records.accepted and rejected records.

The The around-the-computeraround-the-computer approach approachis no longer widely used.is no longer widely used.

Auditors emphasize control overAuditors emphasize control overrejected transactions, their correction,rejected transactions, their correction,

and then resubmission.and then resubmission.


Auditing Through the Auditing Through the ComputerComputer

Auditing Auditing through the computerthrough the computer may maybe defined as the verification ofbe defined as the verification of

controls in a computerized system.controls in a computerized system.


Control FrameworkControl Frameworkin IT Environmentin IT Environment

InternalInternalcontrolscontrols

ApplicationsApplicationscontrolscontrols

GeneralGeneralcontrolscontrols

ComputerComputerapplicationapplicationsystems andsystems andprogramsprograms

ApplicationApplicationsystemssystems

developmentdevelopment

ComputerComputerserviceservicecentercenter


Auditing With the ComputerAuditing With the Computer

Auditing Auditing with the computerwith the computer is the process is the processof using information technology in auditing.of using information technology in auditing.

The use of information technologyThe use of information technologyis no longer optional.is no longer optional.



What are some of the potential benefitsWhat are some of the potential benefitsof using information systemsof using information systems

technology in an audit?technology in an audit?

2. Time may be saved by eliminating2. Time may be saved by eliminatingmanual footing, cross footing,manual footing, cross footing,and other routine calculations.and other routine calculations.

1. Computer-generated working papers are1. Computer-generated working papers aregenerally more legible and consistent.generally more legible and consistent.



3. Calculations, comparisons, and other3. Calculations, comparisons, and otherdata manipulations are moredata manipulations are more

accurately performed.accurately performed.

5. Project information may be more5. Project information may be moreeasily generated and analyzed.easily generated and analyzed.

4. Analytical review calculations may4. Analytical review calculations maybe more efficiently performed.be more efficiently performed.



6. Standardized audit correspondence6. Standardized audit correspondencemay be stored and easily modified.may be stored and easily modified.

7. Morale and productivity may7. Morale and productivity maybe improved by reducing thebe improved by reducing thetime spent on clerical tasks.time spent on clerical tasks.



8. Increased cost-effectiveness is obtained8. Increased cost-effectiveness is obtainedby reusing and extending existing electronicby reusing and extending existing electronic

audit applications to subsequent audits.audit applications to subsequent audits.

9. Increased independence from information9. Increased independence from informationsystems personnel is obtained.systems personnel is obtained.



Describe and evaluateDescribe and evaluate

alternative informationalternative information

systems audit technologies.systems audit technologies.


Information SystemsInformation SystemsAuditing TechnologyAuditing Technology

Information system audit technologyInformation system audit technologyhas evolved along with computerhas evolved along with computer

system development.system development.

Rather, there is a variety of toolsRather, there is a variety of toolsand techniques that may be usedand techniques that may be used

to accomplish an audit’s objective.to accomplish an audit’s objective.

There is no one overall auditing technology.There is no one overall auditing technology.


Test Data TechniqueTest Data Technique

Test data are input containingTest data are input containingboth valid and invalid data.both valid and invalid data.

Payroll transactions for fictitious employeesPayroll transactions for fictitious employeesare processed concurrently with validare processed concurrently with valid

payroll transactions.payroll transactions.


Test Data ApproachTest Data Approach

Test dataTest datahypotheticalhypotheticaltransactionstransactions

Computer processingComputer processingusing master programusing master program

Error listingError listingAuditor’sAuditor’sexpectedexpectedoutputoutput

CompareCompare


Integrated-Test-Facility Integrated-Test-Facility TechniqueTechnique

ITF involves both the use of test data and theITF involves both the use of test data and thecreation of fictitious records (vendors, employees)creation of fictitious records (vendors, employees)

on the master files of a computer system.on the master files of a computer system.

Payroll transactions for fictitious employeesPayroll transactions for fictitious employeesare processed concurrently withare processed concurrently with

valid payroll transactions.valid payroll transactions.


Integrated-Test-Facility Integrated-Test-Facility ApproachApproach

TransactionsTransactions ITFITFtransactionstransactions

ComputerComputerapplicationapplication

systemsystem

ReportsReportscontainingcontaining

ITF informationITF information

ReportsReportswithoutwithout

ITF dataITF data

Data filesData files

ITF dataITF data


Parallel Simulation TechniqueParallel Simulation Technique

Processing real data through audit programs.Processing real data through audit programs.The simulated output and the regularThe simulated output and the regular

output are then compared.output are then compared.

Depreciation calculations are verifiedDepreciation calculations are verifiedby processing the fixed-asset masterby processing the fixed-asset master

file with an audit program.file with an audit program.


Parallel SimulationParallel Simulation

TransactionsTransactions

CompareCompare

ParallelParallelsimulationsimulationprogramprogram

ReportReport SimulationSimulationreportreport

ComputerComputerapplicationapplication

systemsystem

Function toFunction tobe verifiedbe verified


Audit Software TechniqueAudit Software Technique

Computer programs that permit theComputer programs that permit thecomputer to be used as an auditing tool.computer to be used as an auditing tool.

An auditor uses a computer program toAn auditor uses a computer program toextract data records from a master file.extract data records from a master file.


Generalized Audit SoftwareGeneralized Audit Software(GAS) Technique(GAS) Technique

GAS is audit software that has been specificallyGAS is audit software that has been specificallydesigned to allow auditors to performdesigned to allow auditors to perform

audit-related data processing functions.audit-related data processing functions.

An auditor uses GAS to searchAn auditor uses GAS to searchcomputer files for unusual items.computer files for unusual items.


PC Software TechniquePC Software Technique

Software that allows the auditorSoftware that allows the auditorto use a PC to perform audit tasks.to use a PC to perform audit tasks.

A PC spreadsheet package is used to maintainA PC spreadsheet package is used to maintainaudit working papers and audit schedules.audit working papers and audit schedules.


Embedded Audit Routines Embedded Audit Routines TechniqueTechnique

Special auditing routines included in regularSpecial auditing routines included in regularcomputer programs so that transactioncomputer programs so that transactiondata can be subjected to audit analysis.data can be subjected to audit analysis.

Data items that are exceptions to auditor-Data items that are exceptions to auditor-specified edit tests included in a programspecified edit tests included in a program

are written to a special audit file.are written to a special audit file.


Embedded Audit Data Embedded Audit Data CollectionCollection

ProductionProductiontransactionstransactions

ProductionProductioncomputercomputer

applicationapplicationsystemsystem

EmbeddedEmbeddedaudit dataaudit datacollectioncollectionmodulemodule

ProductionProductionreportsreports

AuditAuditreportsreports


Extended Records TechniqueExtended Records Technique

Modification of programs to collectModification of programs to collectand store data of audit interest.and store data of audit interest.

A payroll program is modified to collectA payroll program is modified to collectdata pertaining to overtime pay.data pertaining to overtime pay.


Snapshot TechniqueSnapshot Technique

Modifications of programs toModifications of programs tooutput data of audit interest.output data of audit interest.

A payroll program is modified toA payroll program is modified tooutput data pertaining to overtime pay.output data pertaining to overtime pay.


Tracing TechniqueTracing Technique

Tracing provides a detailed audit Tracing provides a detailed audit trail of thetrail of theinstructions executed during the program’s operation.instructions executed during the program’s operation.

A payroll program is traced to determine ifA payroll program is traced to determine ifcertain edit tests are performed in the correct order.certain edit tests are performed in the correct order.


Review of SystemReview of SystemDocumentation TechniqueDocumentation Technique

Existing system documentation as programExisting system documentation as programflowcharts are reviewed for audit purposes.flowcharts are reviewed for audit purposes.

An auditor desk checks the An auditor desk checks the processingprocessinglogic of a payroll program.logic of a payroll program.


Control Flowcharting Control Flowcharting TechniqueTechnique

Analytic flowcharts or other graphic techniquesAnalytic flowcharts or other graphic techniquesare used to describe the controls in a system.are used to describe the controls in a system.

An auditor prepares an analytic flowchart toAn auditor prepares an analytic flowchart toreview controls in the payroll application system.review controls in the payroll application system.


Mapping TechniqueMapping Technique

Special software is used to monitorSpecial software is used to monitorthe execution of a program.the execution of a program.

The execution of a program with The execution of a program with test data astest data asinput is mapped to indicate how extensivelyinput is mapped to indicate how extensively

the input tested compares with individualthe input tested compares with individualprogram statements.program statements.



Characterize various types ofCharacterize various types of

information systems audits.information systems audits.


General Approach to an General Approach to an Information Systems AuditInformation Systems Audit

Initial review and evaluation of the areaInitial review and evaluation of the areato be audited and audit plan preparation.to be audited and audit plan preparation.

Detailed review andDetailed review andevaluation of controls.evaluation of controls.

Compliance testing which is followedCompliance testing which is followedby analysis and reporting of results.by analysis and reporting of results.



The The initial reviewinitial review phase determines phase determinesthe course of action the audit will take.the course of action the audit will take.

Decisions concerning specificDecisions concerning specificareas to be investigatedareas to be investigated

Deployment of audit laborDeployment of audit labor

Audit technology to be usedAudit technology to be used

Development of a time and/orDevelopment of a time and/orcost budget for the auditcost budget for the audit



What is an What is an audit programaudit program??

Standardized audit programs for particularStandardized audit programs for particularaudit areas have been developed andaudit areas have been developed andare common in all types of auditing.are common in all types of auditing.

It is a detailed list of the audit proceduresIt is a detailed list of the audit proceduresto be applied on a particular audit.to be applied on a particular audit.



In the In the second general phasesecond general phase of the audit, of the audit,is detailed review and evaluation.is detailed review and evaluation.

Data concerning the operationData concerning the operationof the system are reviewed.of the system are reviewed.

Documentation of the applicationDocumentation of the applicationarea is reviewed.area is reviewed.



The The third phasethird phase of the audit is testing. of the audit is testing.

This phase produces evidenceThis phase produces evidenceof compliance with procedures.of compliance with procedures.


Information SystemsInformation SystemsApplication AuditsApplication Audits

Application controls are dividedApplication controls are dividedinto three general areas.into three general areas.

InputInput OutputOutput

ProcessingProcessing


Application SystemsApplication SystemsDevelopment AuditsDevelopment Audits

Systems development audits areSystems development audits aredirected at the activities of systemsdirected at the activities of systems

analysts and programmers.analysts and programmers.

Controls governing the systemsControls governing the systemsdevelopment process directlydevelopment process directly

affect the reliability of theaffect the reliability of theapplication programsapplication programsthat are developed.that are developed.


Application SystemsApplication SystemsDevelopment AuditsDevelopment Audits

There are three general areas of audit concernThere are three general areas of audit concernin the systems development process.in the systems development process.

Systems development standardsSystems development standards

Project managementProject management

Program change controlProgram change control


Systems Development Systems Development StandardsStandards

Systems development standards Systems development standards are theare thedocumentation governing the design,documentation governing the design,

development, and implementationdevelopment, and implementationof application systems.of application systems.


Project ManagementProject Management

It consists of project planningIt consists of project planningand project supervision.and project supervision.

What is What is project managementproject management??


Program Change ControlsProgram Change Controls

It is to prevent unauthorized and potentiallyIt is to prevent unauthorized and potentiallyfraudulent changes from being introducedfraudulent changes from being introduced

into previously tested and accepted programs.into previously tested and accepted programs.

What is the objective ofWhat is the objective ofprogram changeprogram change controlscontrols??


Computer Service Center Computer Service Center AuditsAudits

Normally, an audit of the Normally, an audit of the computer servicecomputer servicecentercenter is undertaken before any application is undertaken before any applicationaudits to ensure the general integrity of theaudits to ensure the general integrity of the

environment in which the application will function.environment in which the application will function.

What are some examples?What are some examples?

Audits might be undertaken in several areas.Audits might be undertaken in several areas.



Environmental controlsEnvironmental controls

Data release, reports, and computer programsData release, reports, and computer programs

Physical security of the centerPhysical security of the center

Management controlsManagement controls



Audits of computer service center operationsAudits of computer service center operationsrequire a high degree of technical trainingrequire a high degree of technical trainingand familiarity with systems operations.and familiarity with systems operations.


End of Chapter End of Chapter 1313

2004 prentice hall business publishing, accounting information systems, 9/e, by bodnar/hopwood 13...

Documents

accounting information

computer auditing

information systems

use of information technology

processing slide

computer approach

computer totals

external auditor