Information Systems Auditing (ISMT 350) week #2 Instructor: Professor J. Christopher Westland, PhD, CPA Time: Tue & Thur 10:30am-11:50amVenue: Rm. 2463Duration: 5 Sep – 7 Dec Text. Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003 Contact: Office: 852 2358 7643 Fax: 852 2358 2421 Email: westland@ust.hk URL: http://teaching.ust.hk/~ismt350/

Course Topics Topic Readings Practicum Competency Case Study   Competency Case Study What is Information Systems (IS) Auditing? Industry Profile: The Job of the IS Auditor Identifying Computer Systems Chapter 1 Evaluating IT Benefits and Risks Jacksonville Jaguars IS Audit Programs Chapter 2 The Job of the Staff Auditor A Day in the Life of Brent Dorsey IS Security Chapter 3 Recognizing Fraud The Anonymous Caller Utility Computing and IS Service Organizations Chapter 4 Evaluating a Prospective Audit Client Ocean Manufacturing Physical Security Chapters7 Inherent Risk and Control Risk Comptronix Corporation Logical Security Chapter 8 Evaluating the Internal Control Environment Easy Clean IS Operations Chapter 9 Fraud Risk and the Internal Control Environment Cendant Corporation Controls Assessment Chapter 10 IT-based vs. Manual Accounting Systems St James Clothiers Encryption and Cryptography Chapter 11 Materiality / Tolerable Misstatement Dell Computer New Challenges from the Internet: Privacy, Piracy, Viruses and so forth Course Wrap-up Information Systems and Audit Evidence Henrico Retail

Logical Structure of the Course With Readings from the Text

IS Audit Programs The first step in Audits

Auditing

How Auditors Should Visualize Computer Systems

The IS Auditor’s Challenge Corporate Accounting is in a constant state of flux Because of advances in Information Technology applied to Accounting Information that is needed for an Audit is often hidden from easy access by auditors Making computer knowledge an important prerequisite for auditing IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

The Challenge to Auditing Presented by Computers Transaction flows are less visible Fraud is easier Computers do exactly what you tell them To err is human But, to really screw up you need a computer Audit samples require computer knowledge and access Transaction flows are much larger (good for the company, bad for the auditor) Audits grow bigger and bigger from year to year And there is more pressure to eat hours Environmental, physical and logical security problems grow exponentially Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

The Challenge to Auditing Presented by The Internet Transaction flows are External External copies of transactions on many Internet nodes External Service Providers for accounting systems require giving control to outsiders with different incentives Audit samples may be impossible to obtain Because they require access to 3rd party databases Transaction flows are intermingled between companies Environmental, physical and logical security problems grow exponentially Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

How Accounting has had to Change Because of Business Automation

Ideas, not Things, have Value … and these ideas are tracked in the computer

What is Auditing?

What is Auditing? Nature of Procedures / Work Accountants prepare, analyze, and verify financial reports and taxes, and furnish this information to individuals and managers in business, industry, and government The three major fields in accounting are: Auditing Public Consulting Corporate / Internal

Public Accounting Auditor: An auditor examines an organization's financial statements, verifies the accuracy of the financial records, examines management procedures and internal controls to ensure accuracy, and checks for mismanagement, waste, or fraud. The auditor may review company operations compliance with corporate policies, laws, and government regulations. The auditor, or reports to investors and authorities such as the federal government that financial statements have been prepared and reported correctly. Other Public: Public accountants perform accounting, auditing, tax, and consulting activities for public accounting firms, their own businesses, governments, nonprofit organizations, or individuals. Typically, accountants specialize in one aspect of accounting, concentrating on taxes or bankruptcies, for example. Some become consultants who offer advice on compensation, employee benefits, the design of accounting processing systems, or how to safeguard assets.

Corporate / Internal Often called management, industrial, or corporate accountants, private accountants record and analyze financial information for the employer and prepare financial reports for stockholders, creditors, regulatory agencies, and tax authorities. Duties may include budgeting, performance evaluation, cost management, and asset management. An accountant also may work as part of an executive team in strategic planning or new product development. Entry-level private accountants often start as cost accountants, junior internal auditors, or as trainees for other accounting positions.

Qualifications Auditors must have: ability to analyze, compare, and interpret facts and figures quickly; and be able sound judgments based on this information. should have good oral and written communication skills, well-developed interpersonal skills, and ability to work in cross-functional teams. Business systems and computer skills are required. Some employers prefer hiring individuals with a master's degree in accounting or a master's degree in business administration. Most want to hire someone who is familiar with computers and accounting and internal auditing software applications. Changing legislation regarding taxes, financial reporting standards, international competition, business investments, mergers, and other financial matters require accountants and auditors to continuously update their knowledge.

CPAs Most accounting positions require at least a bachelor's degree in accounting or a related field. Based on recommendations made by the American Institute of Certified Public Accountants (AICPA), certified public accountant (CPA) candidates must complete 150 semester hours of college coursework – an additional 30 hours beyond the usual four-year bachelor's degree to become licensed. CPA certificate applicants to have some accounting experience. Almost all states require a CPA and other public accountants to complete a minimum number of hours of continuing education before a license can be renewed.

Employment Outlook Job opportunities for accountants are expected to grow 10 to 40 percent per year through 2006 due to the increasing number of new businesses spurred by China’s growing economy. Jobs with major accounting and business firms remain the most sought after by new graduates. More jobs will be available replacing thousands of accountants and auditors who retire or transfer to other occupations each year. Accountants and auditors who have earned certification or licensure or who have advanced degrees will have the best job prospects.

Audit Procedures Analytical Review Tests for internal consistency of accounts, cross-sectional and over time Internal Control Tests (Tests of Transactions; Mid-Year Tests) Tests that Actual Accounting System is doing what it should be Substantive Tests Tests that Financial Statements accurately reflect reality (within material error)

Auditing = Statistics All three classes of procedures share a goal with Statistics Objective: use ‘data’ to guess what is ‘true’ Problems: Type I error: Auditor says F/S are Wrong when they are Fairly Stated Type II error: Auditor says F/S are Fairly Stated when they are Wrong Consequence of either: LAWSUITS

Auditing Procedures These are formally laid out in the Audit Program The Planning and Risk Assessment phase of the Audit Writes the Audit Program Which is a sequence of Statistical Tests (Auditors call the sloppier of these ‘Judgment Tests’)

(Where Do Information Systems Fit in (Where Do Information Systems Fit in?) Compare an Accounting Department in the early 1900s

Computers Interface of the Future c. 1950 SAGE Computer

(Where Do Information Systems Fit in (Where Do Information Systems Fit in?) With an Accounting Department in the 1970s

(Where Do Information Systems Fit in (Where Do Information Systems Fit in?) With an Accounting Department Today (well … not everywhere, but you see the potential….)

(Where Do Information Systems Fit in (Where Do Information Systems Fit in?) With an Accounting Department of 2020 (… at least my prediction….)

Industry Structure, c. 2006 Operations & Accounting 500 2000 US, India Information Technology Market Annual Expenditures ($US billion) Employees (thousand) Major Suppliers Operations & Accounting 500 2000 US, India Search & Storage 1000. 5000 US Tools 300 US, Germany Embedded 1500 700 US, Japan, Korea, Greater China Communications US, Germany, Japan, Greater China Total 4,000 10,000 GWP ~$45 trillion (Pop: 6 billion) US GDP ~$10 trillion (Pop: 300 million)

Tools & Toolsmiths

Hardware Taxonomy Fast Slow

Software Taxonomy

Major Players Hardware, Software, Communication Leaders

IS Audit Programs Chapter 2 What is IS Auditing? Why is it Important? What is the Industry Structure? Attestation and Assurance

The Auditing World

Auditors and Information Systems

The IS Auditor’s Challenge Corporate Accounting is in a constant state of flux Because of advances in Information Technology applied to Accounting Information that is needed for an Audit is often hidden from easy access by auditors Making computer knowledge an important prerequisite for auditing IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

The Challenge to Auditing Presented by Computers Transaction flows are less visible Fraud is easier Computers do exactly what you tell them To err is human But, to really screw up you need a computer Audit samples require computer knowledge and access Transaction flows are much larger (good for the company, bad for the auditor) Audits grow bigger and bigger from year to year And there is more pressure to eat hours Environmental, physical and logical security problems grow exponentially Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

The Challenge to Auditing Presented by The Internet Transaction flows are External External copies of transactions on many Internet nodes External Service Providers for accounting systems require giving control to outsiders with different incentives Audit samples may be impossible to obtain Because they require access to 3rd party databases Transaction flows are intermingled between companies Environmental, physical and logical security problems grow exponentially Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

Flowcharting Accounting Systems the first step in audit planning A picture is worth 1000 words Flowcharts are the accountants’ pictures / shorthand They are the first step in an audit

Flowcharting Accounting Systems A data flow diagram Data Flow Diagram Notations

Flowcharting Accounting Systems A process transforms incoming data flow into outgoing data flow.

Flowcharting Accounting Systems Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.

Flowcharting Accounting Systems Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through it.

Flowcharting Accounting Systems External entities are entities outside the firm, with which the accounting system communicates E.g., vendors, customers, advertisers, etc. External entities are sources and destinations of the transaction input and output

Flowcharting Accounting Systems The Context diagram lists all of the external relationships

Flowcharting Accounting Systems …Levels Context known as Level 0) data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities. DFD levels The first level DFD shows the main processes within the system. Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place If you use SmartDraw Drawing Nested DFDs in SmartDrawYou can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

The Datastore The Datastore is used to represent Ledgers, Journals Or more often in the current world Their computer implemented counterpart Since almost no one keeps physical records

Flowcharting Accounting Systems …Lower Level with Multiple Processes Data Flow Diagram Layers Draw data flow diagrams in several nested layers. A single process node on a high level diagram can be expanded to show a more detailed data flow diagram

Control Concepts Each bubble is associated with a person or entity that is responsible for that process The same individuals with: Managerial Control Accountability Responsibility for the process Should all be responsible for the same bubble Internal Controls Are processes that insure procedures (bubbles) operate as they should And produce accurate account values

Prac·ti·cum (prăk-tĭ-kəm) noun Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory   Student Competence Case Study 1 Evaluating IT Benefits and Risks Jacksonville Jaguars 2 The Job of the Staff Auditor A Day in the Life of Brent Dorsey 3 Recognizing Fraud The Anonymous Caller 4 Evaluating a Prospective Audit Client Ocean Manufacturing 5 Inherent Risk and Control Risk Comptronix Corporation 6 Evaluating the Internal Control Environment Easy Clean 7 Fraud Risk and the Internal Control Environment Cendant Corporation 8 IT-based vs. Manual Accounting Systems St James Clothiers 9 Materiality / Tolerable Misstatement Dell Computer 10 Analytical Procedures as Substantive Tests Burlington Bees 11 Information Systems and Audit Evidence Henrico Retail

Practicum: Jacksonville Jaguars Assurance Services for the Electronic Payments System of a privately held company Try making a simple flowchart of the system Identify benefits, costs and risks to businesses from implementing information technologies Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)