information systems auditing (ismt 350) week #2

Information Systems Auditing (ISMT 350) week #2
Instructor: Professor J. Christopher Westland, PhD, CPA
Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec
Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003
Contact: Office: 852 2358 7643 Fax: 852 2358 2421 Email: [email protected] URL: http://teaching.ust.hk/~ismt350/

Upload: elmo-perry

Post on 02-Jan-2016


Page 1: Information Systems Auditing (ISMT 350) week #2

Information Systems Auditing (ISMT 350) week #2

Instructor: Professor J. Christopher Westland, PhD, CPA

Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec

Text. Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003

Contact: Office: 852 2358 7643 Fax: 852 2358 2421 Email: [email protected] URL: http://teaching.ust.hk/~ismt350/

Page 2: Information Systems Auditing (ISMT 350) week #2

Course Topics

Topic | Readings | Practicum Competency | Case Study
What is Information Systems (IS) Auditing? | Industry Profile: The Job of the IS Auditor | |
Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller
Utility Computing and IS Service Organizations | Chapter 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
Physical Security | Chapters 7 | Inherent Risk and Control Risk | Comptronix Corporation
Logical Security | Chapter 8 | Evaluating the Internal Control Environment | Easy Clean
IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment | Cendant Corporation
Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems | St James Clothiers
Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement | Dell Computer
New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | | |
Course Wrap-up | | Information Systems and Audit Evidence | Henrico Retail

Page 3: Information Systems Auditing (ISMT 350) week #2

Logical Structure of the Course
With Readings from the Text

[Diagram: IS Auditing; Current and Future Issues in IS Auditing; IS Components (Ch. 1 & 2); Audit Components (Ch. 3 & 4); Controls over IS Assets (Ch. 7 & 8); Procedural Controls (Ch. 9); Audit Standards and Procedures (Ch. 10); Forensics and Fraud Audits (Ch. 12); Encryption (Ch. 11)]

Page 4: Information Systems Auditing (ISMT 350) week #2

IS Audit Programs

The first step in Audits

Page 5: Information Systems Auditing (ISMT 350) week #2

Auditing

[Diagram: The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions); The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Transactions); Auditing (Audit Program; Audit Report / Opinion; Corporate Law; Substantive Tests; Tests of Transactions; Analytical Tests; Attestation)]

Page 6: Information Systems Auditing (ISMT 350) week #2

How Auditors Should Visualize Computer Systems

[Diagram: Business Application Systems; Transaction Flows; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Audit Objectives]

Page 7: Information Systems Auditing (ISMT 350) week #2

The IS Auditor’s Challenge

Corporate Accounting is in a constant state of flux

Because of advances in Information Technology applied to Accounting
• Information that is needed for an Audit is often hidden from easy access by auditors
• Making computer knowledge an important prerequisite for auditing

IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

Page 8: Information Systems Auditing (ISMT 350) week #2

The Challenge to Auditing Presented by Computers

Transaction flows are less visible
• Fraud is easier
• Computers do exactly what you tell them
• To err is human
• But, to really screw up you need a computer

Audit samples require computer knowledge and access

Transaction flows are much larger (good for the company, bad for the auditor)
• Audits grow bigger and bigger from year to year
• And there is more pressure to eat hours

Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)

Page 9: Information Systems Auditing (ISMT 350) week #2

The Challenge to Auditing Presented by The Internet

Transaction flows are External

External copies of transactions on many Internet nodes

External Service Providers for accounting systems
• require giving control to outsiders with different incentives

Audit samples may be impossible to obtain

Because they require access to 3rd party databases

Transaction flows are intermingled between companies

Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)

Page 10: Information Systems Auditing (ISMT 350) week #2

How Accounting has had to Change
Because of Business Automation

[Two diagrams. First: Manufacturing Value Added; Consumer; Material; Labor; Capital; values 50%, 30%, 20%, 110%. Second: Manufacturing Value Added; Consumer; Material; Labor; Capital; Knowledge Integrator (four times); Knowledge Base (uncertain claims, contributions and property rights); Manufacturing Specifications; Finished Product; values 5%, 5%, 10%, 80%, 110%, 20%]

Page 11: Information Systems Auditing (ISMT 350) week #2

Ideas, not Things, have Value

… and these ideas are tracked in the computer

[Chart: Asset Intensity (Fixed Assets / Sales) and 5-yr Shareholder Return %; rank order by increasing return]

Page 12: Information Systems Auditing (ISMT 350) week #2

What is Auditing?

[Diagram: The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions); The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Transactions); Auditing (Audit Program; Audit Report / Opinion; Corporate Law; Substantive Tests; Tests of Transactions; Analytical Tests; Attestation)]

Page 13: Information Systems Auditing (ISMT 350) week #2

What is Auditing?
Nature of Procedures / Work

• Accountants prepare, analyze, and verify financial reports and taxes,
• and furnish this information to individuals and managers in business, industry, and government
• The three major fields in accounting are:
• Auditing
• Public Consulting
• Corporate / Internal

Page 14: Information Systems Auditing (ISMT 350) week #2

Public Accounting

Auditor: An auditor examines an organization's financial statements, verifies the accuracy of the financial records, examines management procedures and internal controls to ensure accuracy, and checks for mismanagement, waste, or fraud. The auditor may review company operations for compliance with corporate policies, laws, and government regulations. The auditor reports to investors and authorities such as the federal government that financial statements have been prepared and reported correctly.

Other Public: Public accountants perform accounting, auditing, tax, and consulting activities for public accounting firms, their own businesses, governments, nonprofit organizations, or individuals. Typically, accountants specialize in one aspect of accounting, concentrating on taxes or bankruptcies, for example. Some become consultants who offer advice on compensation, employee benefits, the design of accounting processing systems, or how to safeguard assets.

Page 15: Information Systems Auditing (ISMT 350) week #2

Corporate / Internal

Often called management, industrial, or corporate accountants, private accountants record and analyze financial information for the employer and prepare financial reports for stockholders, creditors, regulatory agencies, and tax authorities. Duties may include budgeting, performance evaluation, cost management, and asset management. An accountant also may work as part of an executive team in strategic planning or new product development.

Entry-level private accountants often start as cost accountants, junior internal auditors, or as trainees for other accounting positions.

Page 16: Information Systems Auditing (ISMT 350) week #2

Qualifications

Auditors must have the ability to analyze, compare, and interpret facts and figures quickly, and be able to make sound judgments based on this information. They should have good oral and written communication skills, well-developed interpersonal skills, and the ability to work in cross-functional teams.

Business systems and computer skills are required.

Some employers prefer hiring individuals with a master's degree in accounting or a master's degree in business administration.

Most want to hire someone who is familiar with computers and accounting and internal auditing software applications.

Changing legislation regarding taxes, financial reporting standards, international competition, business investments, mergers, and other financial matters require accountants and auditors to continuously update their knowledge.

Page 17: Information Systems Auditing (ISMT 350) week #2

CPAs

Most accounting positions require at least a bachelor's degree in accounting or a related field.

Based on recommendations made by the American Institute of Certified Public Accountants (AICPA), certified public accountant (CPA) candidates must complete 150 semester hours of college coursework – an additional 30 hours beyond the usual four-year bachelor's degree to become licensed.

CPA certificate applicants to have some accounting experience. Almost all states require a CPA and other public accountants to complete a minimum number of hours of continuing education before a license can be renewed.

Page 18: Information Systems Auditing (ISMT 350) week #2

Employment Outlook

Job opportunities for accountants are expected to grow 10 to 40 percent per year through 2006 due to the increasing number of new businesses spurred by China’s growing economy.

Jobs with major accounting and business firms remain the most sought after by new graduates.

More jobs will be available replacing thousands of accountants and auditors who retire or transfer to other occupations each year.

Accountants and auditors who have earned certification or licensure or who have advanced degrees will have the best job prospects.

Page 19: Information Systems Auditing (ISMT 350) week #2

Audit Procedures

Analytical Review
• Tests for internal consistency of accounts, cross-sectional and over time

Internal Control Tests (Tests of Transactions; Mid-Year Tests)
• Tests that Actual Accounting System is doing what it should be

Substantive Tests
• Tests that Financial Statements accurately reflect reality (within material error)

Page 20: Information Systems Auditing (ISMT 350) week #2

Auditing = Statistics

All three classes of procedures share a goal with Statistics

Objective: use ‘data’ to guess what is ‘true’

Problems:

• Type I error: Auditor says F/S are Wrong when they are Fairly Stated

• Type II error: Auditor says F/S are Fairly Stated when they are Wrong

Consequence of either: LAWSUITS

Page 21: Information Systems Auditing (ISMT 350) week #2

Auditing Procedures

These are formally laid out in the Audit Program

The Planning and Risk Assessment phase of the Audit
Writes the Audit Program
Which is a sequence of Statistical Tests
(Auditors call the sloppier of these ‘Judgment Tests’)

Page 22: Information Systems Auditing (ISMT 350) week #2

(Where Do Information Systems Fit in?)

Compare an Accounting Department in the early 1900s

Page 23: Information Systems Auditing (ISMT 350) week #2

Computers
Interface of the Future c. 1950 SAGE Computer

Page 24: Information Systems Auditing (ISMT 350) week #2

(Where Do Information Systems Fit in?)

With an Accounting Department in the 1970s

Page 25: Information Systems Auditing (ISMT 350) week #2

(Where Do Information Systems Fit in?)

With an Accounting Department Today (well … not everywhere, but you see the potential….)

Page 26: Information Systems Auditing (ISMT 350) week #2

(Where Do Information Systems Fit in?)

With an Accounting Department of 2020 (… at least my prediction….)

Page 27: Information Systems Auditing (ISMT 350) week #2

Industry Structure, c. 2006

Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting | 500 | 2000 | US, India
Search & Storage | 1000 | 5000 | US
Tools | 300 | 300 | US, Germany
Embedded | 1500 | 700 | US, Japan, Korea, Greater China
Communications | 700 | 2000 | US, Germany, Japan, Greater China
Total | 4,000 | 10,000 |

GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)

Page 28: Information Systems Auditing (ISMT 350) week #2

Tools & Toolsmiths

Page 29: Information Systems Auditing (ISMT 350) week #2

Hardware Taxonomy

[Diagram: Central Processing Unit; Memory; Peripheral Processor (Video, Bus, Etc.); Network Devices; Cache; RAM / ROM; Optical & Magnetic Media; Fast; Slow]

Page 30: Information Systems Auditing (ISMT 350) week #2

Software Taxonomy

[Diagram: Operating Systems; Specialized O/S; Utilities; Network O/S; Database O/S; Programming Languages, Tools & Environments; Utilities and Services; Applications]

Page 31: Information Systems Auditing (ISMT 350) week #2

Major Players
Hardware, Software, Communication Leaders

Page 32: Information Systems Auditing (ISMT 350) week #2

IS Audit Programs

Chapter 2
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance

Page 33: Information Systems Auditing (ISMT 350) week #2

The Auditing World

[Diagram: The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions); The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics; Transactions); Auditing (Audit Program; Audit Report / Opinion; Corporate Law; Substantive Tests; Tests of Transactions; Analytical Tests; Attestation)]

Page 34: Information Systems Auditing (ISMT 350) week #2

Auditors and Information Systems

[Diagram: Business Application Systems; Transaction Flows; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment; Audit Objectives]

Page 35: Information Systems Auditing (ISMT 350) week #2

The IS Auditor’s Challenge

Corporate Accounting is in a constant state of flux

Because of advances in Information Technology applied to Accounting
• Information that is needed for an Audit is often hidden from easy access by auditors
• Making computer knowledge an important prerequisite for auditing

IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

Page 36: Information Systems Auditing (ISMT 350) week #2

The Challenge to Auditing Presented by Computers

Transaction flows are less visible
• Fraud is easier
• Computers do exactly what you tell them
• To err is human
• But, to really screw up you need a computer

Audit samples require computer knowledge and access

Transaction flows are much larger (good for the company, bad for the auditor)
• Audits grow bigger and bigger from year to year
• And there is more pressure to eat hours

Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)

Page 37: Information Systems Auditing (ISMT 350) week #2

The Challenge to Auditing Presented by The Internet

Transaction flows are External

External copies of transactions on many Internet nodes

External Service Providers for accounting systems
• require giving control to outsiders with different incentives

Audit samples may be impossible to obtain

Because they require access to 3rd party databases

Transaction flows are intermingled between companies

Environmental, physical and logical security problems grow exponentially
• Externally originated viruses and hacking are the major source of risk
• (10 years ago it was employees)

Page 38: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems
the first step in audit planning

A picture is worth 1000 words

Flowcharts are the accountants’ pictures / shorthand

They are the first step in an audit

Page 39: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

A data flow diagram

Data Flow Diagram Notations

Page 40: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

A process transforms incoming data flow into outgoing data flow.

Page 41: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

Datastores are repositories of data in the system.

They are sometimes also referred to as databases or files.

Page 42: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

Dataflows are pipelines through which transactions (packets of information) flow.

Label the arrows with the name of the data that moves through it.

Page 43: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

External entities are entities outside the firm, with which the accounting system communicates

E.g., vendors, customers, advertisers, etc.

External entities are sources and destinations of the transaction input and output

Page 44: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems

The Context diagram lists all of the external relationships

Page 45: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems … Levels

Context (also known as Level 0) data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.

DFD levels

The first level DFD shows the main processes within the system.

Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place

If you use SmartDraw

Drawing Nested DFDs in SmartDraw

You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

Page 46: Information Systems Auditing (ISMT 350) week #2

The Datastore

The Datastore is used to represent Ledgers, Journals

Or more often in the current world

Their computer implemented counterpart

Since almost no one keeps physical records

Page 47: Information Systems Auditing (ISMT 350) week #2

Flowcharting Accounting Systems …Lower Level with Multiple Processes

Data Flow Diagram Layers

Draw data flow diagrams in several nested layers.

A single process node on a high level diagram can be expanded to show a more detailed data flow diagram

Page 48: Information Systems Auditing (ISMT 350) week #2

Control Concepts

Each bubble is associated with a person or entity that is responsible for that process

The same individuals with:
• Managerial Control
• Accountability
• Responsibility for the process

Should all be responsible for the same bubble

Internal Controls
• Are processes that ensure procedures (bubbles) operate as they should
• And produce accurate account values
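
As an added illustration (not part of the original slides), the Python sketch below models the DFD elements described above and checks three rules from the slides: every arrow is labelled, every process has incoming and outgoing flows, and every bubble has a responsible owner. It also collapses the diagram into its context (Level 0) view. The accounts-payable nodes, owners and flow names are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Node kinds named on the slides: process (bubble), datastore, external entity.
PROCESS, DATASTORE, EXTERNAL = "process", "datastore", "external"

@dataclass(frozen=True)
class Node:
    name: str
    kind: str
    owner: str = ""  # person or entity responsible for a process bubble

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str  # name of the data that moves through the arrow

def audit_findings(nodes, flows):
    """Check the DFD against the rules stated on the slides; return sorted findings."""
    known = {n.name for n in nodes}
    findings = set()
    for f in flows:
        if not f.label.strip():
            findings.add(f"unlabelled flow: {f.src} -> {f.dst}")
        for end in (f.src, f.dst):
            if end not in known:
                findings.add(f"flow references unknown node: {end}")
    for n in nodes:
        if n.kind != PROCESS:
            continue
        if not n.owner.strip():
            findings.add(f"process without responsible owner: {n.name}")
        if not any(f.dst == n.name for f in flows):
            findings.add(f"process has no incoming flow: {n.name}")
        if not any(f.src == n.name for f in flows):
            findings.add(f"process has no outgoing flow: {n.name}")
    return sorted(findings)

def context_diagram(nodes, flows, system="0 System"):
    """Collapse all internal nodes into process 0, keeping only external relationships."""
    external = {n.name for n in nodes if n.kind == EXTERNAL}
    result = []
    for f in flows:
        src_ext, dst_ext = f.src in external, f.dst in external
        if src_ext != dst_ext:  # the flow crosses the system boundary
            result.append(Flow(f.src if src_ext else system,
                               f.dst if dst_ext else system, f.label))
    return result

# Constructed sample: a small accounts-payable system (hypothetical names).
NODES = [
    Node("Vendor", EXTERNAL),
    Node("Bank", EXTERNAL),
    Node("1 Record invoice", PROCESS, owner="AP clerk"),
    Node("2 Approve payment", PROCESS, owner="Controller"),
    Node("3 Issue payment", PROCESS),  # owner deliberately missing
    Node("AP ledger", DATASTORE),
]
FLOWS = [
    Flow("Vendor", "1 Record invoice", "invoice"),
    Flow("1 Record invoice", "AP ledger", "payable entry"),
    Flow("AP ledger", "2 Approve payment", "open payables"),
    Flow("2 Approve payment", "3 Issue payment", ""),  # label deliberately missing
    Flow("3 Issue payment", "Bank", "payment instruction"),
    Flow("3 Issue payment", "Vendor", "remittance advice"),
]

if __name__ == "__main__":
    for finding in audit_findings(NODES, FLOWS):
        print("FINDING:", finding)
    for f in context_diagram(NODES, FLOWS):
        print(f"CONTEXT: {f.src} --{f.label}--> {f.dst}")
```

Each finding marks a bubble or arrow the auditor would question before relying on the flowchart for audit planning.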

Page 49: Information Systems Auditing (ISMT 350) week #2

Prac·ti·cum (prăk-tĭ-kəm) noun
Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory

# | Student Competence | Case Study
1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars
2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey
3 | Recognizing Fraud | The Anonymous Caller
4 | Evaluating a Prospective Audit Client | Ocean Manufacturing
5 | Inherent Risk and Control Risk | Comptronix Corporation
6 | Evaluating the Internal Control Environment | Easy Clean
7 | Fraud Risk and the Internal Control Environment | Cendant Corporation
8 | IT-based vs. Manual Accounting Systems | St James Clothiers
9 | Materiality / Tolerable Misstatement | Dell Computer
10 | Analytical Procedures as Substantive Tests | Burlington Bees
11 | Information Systems and Audit Evidence | Henrico Retail

Page 50: Information Systems Auditing (ISMT 350) week #2

Practicum:

Jacksonville Jaguars

Assurance Services for the Electronic Payments System of a privately held company

• Try making a simple flowchart of the system
• Identify benefits, costs and risks to businesses from implementing information technologies
• Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
• Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)