Chapter 10: Auditing of Information Systems Accounting Information Systems: Essential Concepts and Applications Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing Chapter 10: Auditing of Information Systems Slides Authored by Somnath Bhattacharya, Ph.D. Florida Atlantic University

Nature of Audits Audits are examinations performed to assess and evaluate an activity or object, such as whether the internal controls implemented into the AIS are working as prescribed by management

Types of Audits Operational Audits Compliance Audits Project Management and Change Control Audits Internal Control Audits Financial Audits Fraud Audits Figure 10-1

Types of Auditors Internal Auditors External Auditors Government Auditors Fraud Auditors

Basic Auditing Considerations Ethics and Auditing Standards Need for Ethics Content of Standards Effect of Automation on Standards Impact of Computerization on Audit Procedures Transaction Cycle Approach to Auditing

The Auditing Process The 5 phases of a financial audit are: Planning the Audit Analytical Procedures Preliminary Review & Assessment of the Internal Control Structure Completion of the Review Detailed Evaluation and Testing of Controls Analytical and Substantive Review Audit Reporting

Preliminary Assessment of the Internal Control Structure Review, Document, and Assess the ICS Assess and Set the level of Control Risk Control Risk is the risk that material misstatements in assertions, leading to significant errors in the financial statements, will fail to be prevented or detected by the internal control structure The level of Control Risk may be expressed numerically or subjectively An Assertion is an expressed account balance, transaction classification, or disclosure in the financial statements being examined Cost Effectiveness of Testing Controls

Testing of Controls Perform Tests of Controls Evaluate the Findings of the Tests of Controls Final Assessment of Control Risk for each transaction cycle Determine level of Planned Detection Risk The Planned Detection Risk is the risk that a material misstatement in the financial statements or in individual account balances will fail to be uncovered by substantive testing procedures Determine the nature, timing, and extent of substantive testing procedures Develop Final Audit Program

Substantive Testing Choose and Perform Substantive Tests Perform Final Analytical Procedures Test Account Balances Test Details of Transaction Classes Evaluate Substantive Tests

Document the Conclusions Writing the Audit Report Unqualified Opinion: Financial Statements present fairly, in all material respects, the financial status, results of operations, and cash flow of the firm being audited Qualified Opinion: Issued when a significant condition, such as a departure from GAAP, prevents the issuance of an unqualified opinion Adverse Opinion: Given when the auditor concludes that the overall financial statements are so materially misleading that they cannot be relied upon A Disclaimer of Opinion: The Auditor refuses to express an opinion on the overall financial statements due to major restrictions placed on the scope of the audit or the failure to collect sufficient evidence Letter of Reportable Conditions

Auditing Around the Computer - I Computer is a “black-box.” Assumption: If the auditor can show that the actual outputs are the correct results to be expected from a set of inputs to the processing system, then the computer processing must be functioning in a reliable manner Involves tracing selected transactions from source documents to summary accounts and records, and vice-versa A “Non-Processing of Data” Method

Auditing Around the Computer - II Suitable only under the following 3 conditions: The audit trail is complete and visible The processing operations are relatively straightforward, uncomplicated, and low volume Complete documentation, such as DFDs and Systems Flowcharts, are available to the auditor Best suited for independent periodic processing applications: cash disbursements payroll processing

Auditing Around the Computer - III Limitations is that it does not allow the auditor to determine exactly how the computer processing programs handle edit checks and programmed checks

Auditing Around the Computer: An Illustration Normal Processing Audit Test Master File Regular Transactions Selected Transactions Predetermined Results Regular Processing Run Exception Report Documents, Listings, Registers, Reports Auditor Comparison Figure 10-4a

Auditing Through the Computer Should be applied to all complex automated processing systems Periodic direct and real-time processing applications where the audit trail is impaired Methods include: Test Data Integrated Test Facility Embedded Audit Module Techniques Program Code Checking Parallel Processing Parallel Simulation Controlled Processing All auditing-through-the-computer techniques provide evidence concerning the level of control risk.

Auditing Through the Computer: An Illustration Master File Regular Transactions Regular Processing Run Exception Report Documents, Listings, Registers, Reports Normal Processing Audit Test Transactions Regular Processing Run Exception Report Summary Results from Tests Predetermined Results Audit Comparison Audit Test Master File Figure 10-4 b

Auditing with the Computer - I Microcomputer Audit Assist Software The Generalized Audit Software (GAS) Package The Template Prepare trial balances Maintain recurring journal entries Evaluate sample results Schedule and manage auditor time in field audits Perform reasonableness tests of expenses Estimate expenses

Auditing with the Computer - II Audit Software: A collection of program routines, each serving a mechanistic audit function GAS (e.g., ACL) Attribute Sampling Histogram Generation Record Aging File Comparison Duplicate Checking File Printing

Typical Audit Functions Available in a GAS package Extracting Data from Files Calculating with Data Summarizing Data Analyzing Data Reorganizing Data Selecting Sample Data for Testing Gathering Statistical Data Printing Confirmation Requests, Analyses, and other outputs

Applications of a GAS Package Computer runs involving such audit functions as Extracting data from files Calculating with data Performing comparisons with data Summarizing data Analyzing data Reorganizing data Selecting sample data for testing Gathering statistical data Printing confirmation requests, analyses, and other outputs Master File Transaction File Control and Specification File GAS Package Requests for confirmation listings, Sample data items, Reports, Analyses, Control Totals Exception Report Figure 10-5

Advantages of GAS Packages Allow auditors to access computer-readable records for a wide variety of applications and organizations Enable auditors to examine much more data than could be examined through manual means Rapidly and accurately perform a variety of routine audit functions, including the statistical selection of samples Reduce dependence on non-auditing personnel for performing routine functions like summarizing data, thereby enabling auditors to maintain better control over the audit Require only minimal computer knowledge on the part of the auditor

Disadvantages of GAS Packages They do not directly examine the applications program and programmed checks. They cannot replace audit- through-the-computer techniques

Situations Triggering DP Operational Audits An apparently excessive cost for computer services A major shift in corporate plans A proposal for a major hardware or software upgrade or acquisition An inability to attract and retain computer DP executives A new DP executive’s need for an intensive assessment An inordinate amount of personnel turnover within the DP department A proposal to consolidate or distribute DP resources A major system that appears unresponsive to needs or is difficult to enhance or maintain An excessive or increasing number of user complaints

Accounting Information Systems: Essential Concepts and Applications Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing Copyright © 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.