Information Systems Auditing (ISMT 350), week #2
Instructor: Professor J. Christopher Westland, PhD, CPA
Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec
Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003
Contact: Office: 852 2358 7643; Fax: 852 2358 2421; Email: [email protected]; URL: http://teaching.ust.hk/~ismt350/
Course Topics
Topic | Readings | Practicum Competency | Case Study
What is Information Systems (IS) Auditing? | Industry Profile: The Job of the IS Auditor
Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller
Utility Computing and IS Service Organizations | Chapter 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
Physical Security | Chapter 7 | Inherent Risk and Control Risk | Comptronix Corporation
Logical Security | Chapter 8 | Evaluating the Internal Control Environment | Easy Clean
IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment | Cendant Corporation
Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems | St James Clothiers
Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement | Dell Computer
New Challenges from the Internet: Privacy, Piracy, Viruses and so forth
Course Wrap-up | | Information Systems and Audit Evidence | Henrico Retail
Logical Structure of the Course, With Readings from the Text
[Diagram labels: IS Auditing; IS Components (Ch. 1 & 2); Audit Components (Ch. 3 & 4); Controls over IS Assets (Ch. 7 & 8); Procedural Controls (Ch. 9); Audit Standards and Procedures (Ch. 10); Encryption (Ch. 11); Forensics and Fraud Audits (Ch. 12); Current and Future Issues in IS Auditing]
IS Audit Programs
The first step in Audits
Auditing
[Diagram labels: The Physical World; The Parallel (Logical) World of Accounting; External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions; 'Owned' Assets and Liabilities; Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Corporate Law; Auditing; Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion]
How Auditors Should Visualize Computer Systems
[Diagram labels: Business Application Systems; Transaction Flows; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Audit Objectives]
The IS Auditor’s Challenge
Corporate Accounting is in a constant state of flux
Because of advances in Information Technology applied to Accounting
• Information that is needed for an Audit is often hidden from easy access by auditors
• Making computer knowledge an important prerequisite for auditing
IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations
The Challenge to Auditing Presented by Computers
Transaction flows are less visible
• Fraud is easier
• Computers do exactly what you tell them
• To err is human
• But, to really screw up you need a computer
Audit samples require computer knowledge and access
Transaction flows are much larger (good for the company, bad for the auditor)
• Audits grow bigger and bigger from year to year
• And there is more pressure to eat hours
Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)
The Challenge to Auditing Presented by The Internet
Transaction flows are External
External copies of transactions on many Internet nodes
External Service Providers for accounting systems
• require giving control to outsiders with different incentives
Audit samples may be impossible to obtain
Because they require access to 3rd party databases
Transaction flows are intermingled between companies
Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)
How Accounting has had to Change Because of Business Automation
[Diagram, first part: Material, Labor, Capital; Manufacturing Value Added; Consumer; figures 50%, 30%, 20%, 110%. Second part: Material, Labor, Capital; Knowledge Integrators; Knowledge Base (uncertain claims, contributions and property rights); Manufacturing Specifications; Finished Product; Manufacturing Value Added; Consumer; figures 5%, 5%, 10%, 80%, 20%, 110%]
Ideas, not Things, have Value
… and these ideas are tracked in the computer
[Chart: Asset Intensity (Fixed Assets / Sales) and 5-yr Shareholder Return %, by rank order of increasing return]
What is Auditing?
[Diagram labels: The Physical World; The Parallel (Logical) World of Accounting; External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions; 'Owned' Assets and Liabilities; Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Corporate Law; Auditing; Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion]
What is Auditing? Nature of Procedures / Work
• Accountants prepare, analyze, and verify financial reports and taxes, and furnish this information to individuals and managers in business, industry, and government
• The three major fields in accounting are:
• Auditing
• Public Consulting
• Corporate / Internal
Public Accounting
Auditor: An auditor examines an organization's financial statements, verifies the accuracy of the financial records, examines management procedures and internal controls to ensure accuracy, and checks for mismanagement, waste, or fraud. The auditor may review company operations compliance with corporate policies, laws, and government regulations. The auditor, or reports to investors and authorities such as the federal government that financial statements have been prepared and reported correctly.
Other Public: Public accountants perform accounting, auditing, tax, and consulting activities for public accounting firms, their own businesses, governments, nonprofit organizations, or individuals. Typically, accountants specialize in one aspect of accounting, concentrating on taxes or bankruptcies, for example. Some become consultants who offer advice on compensation, employee benefits, the design of accounting processing systems, or how to safeguard assets.
Corporate / Internal
Often called management, industrial, or corporate accountants, private accountants record and analyze financial information for the employer and prepare financial reports for stockholders, creditors, regulatory agencies, and tax authorities. Duties may include budgeting, performance evaluation, cost management, and asset management. An accountant also may work as part of an executive team in strategic planning or new product development.
Entry-level private accountants often start as cost accountants, junior internal auditors, or as trainees for other accounting positions.
Qualifications
Auditors must have the ability to analyze, compare, and interpret facts and figures quickly, and be able to make sound judgments based on this information.
Auditors should have good oral and written communication skills, well-developed interpersonal skills, and the ability to work in cross-functional teams.
Business systems and computer skills are required.
Some employers prefer hiring individuals with a master's degree in accounting or a master's degree in business administration.
Most want to hire someone who is familiar with computers and accounting and internal auditing software applications.
Changing legislation regarding taxes, financial reporting standards, international competition, business investments, mergers, and other financial matters require accountants and auditors to continuously update their knowledge.
CPAs
Most accounting positions require at least a bachelor's degree in accounting or a related field.
Based on recommendations made by the American Institute of Certified Public Accountants (AICPA), certified public accountant (CPA) candidates must complete 150 semester hours of college coursework – an additional 30 hours beyond the usual four-year bachelor's degree to become licensed.
CPA certificate applicants to have some accounting experience. Almost all states require a CPA and other public accountants to complete a minimum number of hours of continuing education before a license can be renewed.
Employment Outlook
Job opportunities for accountants are expected to grow 10 to 40 percent per year through 2006 due to the increasing number of new businesses spurred by China’s growing economy.
Jobs with major accounting and business firms remain the most sought after by new graduates.
More jobs will be available replacing thousands of accountants and auditors who retire or transfer to other occupations each year.
Accountants and auditors who have earned certification or licensure or who have advanced degrees will have the best job prospects.
Audit Procedures
Analytical Review
• Tests for internal consistency of accounts, cross-sectional and over time
Internal Control Tests (Tests of Transactions; Mid-Year Tests)
• Tests that Actual Accounting System is doing what it should be
Substantive Tests
• Tests that Financial Statements accurately reflect reality (within material error)
Auditing = Statistics
All three classes of procedures share a goal with Statistics
Objective: use ‘data’ to guess what is ‘true’
Problems:
• Type I error: Auditor says F/S are Wrong when they are Fairly Stated
• Type II error: Auditor says F/S are Fairly Stated when they are Wrong
Consequence of either: LAWSUITS
Auditing Procedures
These are formally laid out in the Audit Program
The Planning and Risk Assessment phase of the Audit
Writes the Audit Program
Which is a sequence of Statistical Tests
(Auditors call the sloppier of these ‘Judgment Tests’)
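An added example, not part of the original slides: the Type I and Type II errors defined above, computed exactly for one statistical test of the kind an audit program could contain. It goes beyond the slides by assuming an attribute-sampling plan (inspect n items, reject if more than c deviations are found); the function names, rates and the plan itself are illustrative assumptions.

```python
from math import comb

def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): at most k deviations in n sampled items."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def type_i_risk(n: int, c: int, ok_rate: float) -> float:
    """Type I: the test rejects (more than c deviations found) although the
    true deviation rate is only ok_rate, i.e. the books are fairly stated."""
    return 1.0 - binom_cdf(c, n, ok_rate)

def type_ii_risk(n: int, c: int, bad_rate: float) -> float:
    """Type II: the test accepts (c or fewer deviations found) although the
    true deviation rate is bad_rate, i.e. the books are wrong."""
    return binom_cdf(c, n, bad_rate)

def smallest_sample(c: int, bad_rate: float, max_type_ii: float, limit: int = 5000):
    """Smallest n that keeps the Type II risk at or below max_type_ii."""
    for n in range(c + 1, limit + 1):
        if type_ii_risk(n, c, bad_rate) <= max_type_ii:
            return n
    return None  # no plan within the search limit

if __name__ == "__main__":
    # Assumed rates: 1% deviations is acceptable, 5% is not.
    ok_rate, bad_rate = 0.01, 0.05
    for c in (0, 1, 2):
        n = smallest_sample(c, bad_rate, max_type_ii=0.05)
        print(f"accept up to {c} deviations: n={n}, "
              f"Type I={type_i_risk(n, c, ok_rate):.3f}, "
              f"Type II={type_ii_risk(n, c, bad_rate):.3f}")
```

With the acceptance number fixed, a larger sample lowers the Type II risk but raises the Type I risk, which is the trade-off the planning phase has to settle.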
(Where Do Information Systems Fit in?)
Compare an Accounting Department in the early 1900s
Computers
Interface of the Future c. 1950 SAGE Computer
(Where Do Information Systems Fit in?)
With an Accounting Department in the 1970s
(Where Do Information Systems Fit in?)
With an Accounting Department Today (well … not everywhere, but you see the potential….)
(Where Do Information Systems Fit in?)
With an Accounting Department of 2020 (… at least my prediction….)
Industry Structure, c. 2006
Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2000 | US, India
Search & Storage | 1000 | 5000 | US
Tools | 300 | 300 | US, Germany
Embedded | 1500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2000 | US, Germany, Japan, Greater China
Total | 4,000 | 10,000 |
GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
Tools & Toolsmiths
Hardware Taxonomy
[Diagram labels: Central Processing Unit; Memory; Peripheral Processor (Video, Bus, Etc.); Network Devices; Cache; RAM / ROM; Optical & Magnetic Media; Fast; Slow]
Software Taxonomy
[Diagram labels: Operating Systems; Specialized O/S; Utilities; Network O/S; Database O/S; Programming Languages, Tools & Environments; Utilities and Services; Applications]
Major Players
Hardware, Software, Communication Leaders
IS Audit Programs
Chapter 2
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance
The Auditing World
[Diagram labels: The Physical World; The Parallel (Logical) World of Accounting; External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions; 'Owned' Assets and Liabilities; Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Corporate Law; Auditing; Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion]
Auditors and Information Systems
[Diagram labels: Business Application Systems; Transaction Flows; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Audit Objectives]
Flowcharting Accounting Systems: the first step in audit planning
A picture is worth 1000 words
Flowcharts are the accountants’ pictures / shorthand
They are the first step in an audit
Flowcharting Accounting Systems
A data flow diagram
Data Flow Diagram Notations
Flowcharting Accounting Systems
A process transforms incoming data flow into outgoing data flow.
Flowcharting Accounting Systems
Datastores are repositories of data in the system.
They are sometimes also referred to as databases or files.
Flowcharting Accounting Systems
Dataflows are pipelines through which transactions (packets of information) flow.
Label each arrow with the name of the data that moves through it.
Flowcharting Accounting Systems
External entities are entities outside the firm with which the accounting system communicates, e.g., vendors, customers, advertisers, etc.
External entities are sources and destinations of the transaction input and output
Flowcharting Accounting Systems
The Context diagram lists all of the external relationships
Flowcharting Accounting Systems … Levels
Context
known as Level 0) data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.
DFD levels
The first level DFD shows the main processes within the system.
Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place
If you use SmartDraw
Drawing Nested DFDs in SmartDraw
You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
The Datastore
The Datastore is used to represent Ledgers, Journals
Or more often in the current world
Their computer implemented counterpart
Since almost no one keeps physical records
Flowcharting Accounting Systems … Lower Level with Multiple Processes
Data Flow Diagram Layers
Draw data flow diagrams in several nested layers.
A single process node on a high level diagram can be expanded to show a more detailed data flow diagram
Control Concepts
Each bubble is associated with a person or entity that is responsible for that process
The same individuals with:
• Managerial Control
• Accountability
• Responsibility for the process
Should all be responsible for the same bubble
Internal Controls
Are processes that ensure procedures (bubbles) operate as they should
And produce accurate account values
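An added example, not part of the original slides: the rules stated above (one process node in the context diagram, every arrow labelled, every process with an incoming and an outgoing flow, every bubble with a responsible owner) applied as automated checks to a nested data flow diagram. The DFD class, the audit_dfd function and the accounts-payable sample are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DFD:
    processes: dict    # bubble name -> responsible person/entity ("" = none assigned)
    datastores: set    # ledgers, journals or their computer-implemented counterparts
    externals: set     # entities outside the firm
    flows: list        # (source, destination, label) arrows
    children: dict = field(default_factory=dict)  # bubble name -> lower-level DFD

def audit_dfd(dfd, path="context", level=0):
    """Return the findings for one diagram and every nested layer below it."""
    findings = []
    nodes = set(dfd.processes) | dfd.datastores | dfd.externals
    if level == 0 and len(dfd.processes) != 1:
        findings.append(f"{path}: context diagram must have exactly one process node")
    for name, owner in dfd.processes.items():
        if not owner.strip():
            findings.append(f"{path}: bubble '{name}' has no responsible owner")
        has_in = any(dst == name for _, dst, _ in dfd.flows)
        has_out = any(src == name for src, _, _ in dfd.flows)
        if not (has_in and has_out):
            findings.append(f"{path}: bubble '{name}' lacks an incoming or outgoing flow")
    for src, dst, label in dfd.flows:
        if not label.strip():
            findings.append(f"{path}: unlabelled flow {src} -> {dst}")
        for end in (src, dst):
            if end not in nodes:
                findings.append(f"{path}: flow endpoint '{end}' is not on the diagram")
    for name, child in dfd.children.items():
        findings += audit_dfd(child, f"{path} > {name}", level + 1)
    return findings

# Constructed sample: an accounts-payable system drawn in two layers.
LEVEL1 = DFD(
    processes={"1 Record invoice": "AP clerk", "2 Approve payment": "",
               "3 Release payment": "Treasurer"},
    datastores={"AP ledger"},
    externals={"Vendor", "Bank"},
    flows=[("Vendor", "1 Record invoice", "invoice"),
           ("1 Record invoice", "AP ledger", "payable entry"),
           ("AP ledger", "2 Approve payment", ""),
           ("2 Approve payment", "3 Release payment", "approved voucher"),
           ("3 Release payment", "Bank", "payment order")],
)
CONTEXT = DFD(
    processes={"0 Accounts payable": "Controller"},
    datastores=set(),
    externals={"Vendor", "Bank"},
    flows=[("Vendor", "0 Accounts payable", "invoice"),
           ("0 Accounts payable", "Bank", "payment order")],
    children={"0 Accounts payable": LEVEL1},
)

if __name__ == "__main__":
    for finding in audit_dfd(CONTEXT):
        print(finding)
```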
Prac·ti·cum (prăk-tĭ-kəm) noun
Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory
No. | Student Competence | Case Study
1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
3 | Recognizing Fraud | The Anonymous Caller
4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
5 | Inherent Risk and Control Risk | Comptronix Corporation
6 | Evaluating the Internal Control Environment | Easy Clean
7 | Fraud Risk and the Internal Control Environment | Cendant Corporation
8 | IT-based vs. Manual Accounting Systems | St James Clothiers
9 | Materiality / Tolerable Misstatement | Dell Computer
10 | Analytical Procedures as Substantive Tests | Burlington Bees
11 | Information Systems and Audit Evidence | Henrico Retail
Practicum: Jacksonville Jaguars
Assurance Services for the Electronic Payments System of a privately held company
• Try making a simple flowchart of the system
• Identify benefits, costs and risks to businesses from implementing information technologies
• Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
• Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)