22 - 1 © 2003 Pearson Education Canada Inc. CHAPTER 22 Auditing Automated Information Systems: Special Topics.

Presentation transcript:

© 2003 Pearson Education Canada Inc. CHAPTER 22 Auditing Automated Information Systems: Special Topics

As client computing facilities become more sophisticated, “paperless” accounting systems evolve wherein little “hard copy” documentation is produced.
[Figure: A/R master; Monday’s A/R transactions]

What challenges does a sophisticated EDP accounting system present for an auditor?
- audit trails and documentation may exist only on disk (no printed copies)
- program errors may exist that cause uniform transaction errors
- in some circumstances, controls may have to make up for a lack of adequate segregation of duties
- detecting unauthorized access may be difficult

Electronic Data Interchange (EDI) Presents Even More Challenges
- electronic method of sending documents between companies
- no “paper trail” for the auditor to follow
- increased emphasis on front-end controls
- security becomes key element in controlling system

Electronic Funds Transfer (EFT) Also Presents Challenges
- also referred to as electronic commerce, or e-commerce
- greatly increased through “internet shopping”
- direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors

Data Communications Risks and Control Procedures
- Risk: loss of confidential information, through corporate espionage or “hackers”
  - Control: create multiple levels of passwords; change regularly
- Risk: data intercepted during data communication
  - Control: encrypt (scramble) information during transmission
- Risk: inappropriate access to information via the Internet
  - Control: use of firewalls
  - Control: physically separate homepage equipment and software from other systems
- Risk: viruses invading systems
  - Control: same as above
  - Control: use current anti-virus software

Disaster Recovery Process
1. Management commitment to disaster recovery planning.
2. Ranking of business processes: What will happen if process x fails?
3. Identifying minimum resources required to restore vital operations.
4. Prepare a data centre plan and a user plan.
5. Test the plan, to discover any shortcomings in the plan before disaster strikes.

Categories of Controls in an EDP Environment
- GENERAL CONTROLS relate to all parts of the EDP system (revenue system, payroll system, expenditure system).
- APPLICATION CONTROLS relate to one specific use of the system (in the slide's example, the revenue system).

Categories of General Controls
1. plan of organization
   - Separate duties in EDP systems as discussed in chapter 9.
2. systems development and documentation controls
   - each system should have documented, authorized specifications
   - any system changes should be authorized and documented
3. hardware controls
   - diagnostic routines - hardware or software that checks the system’s internal operations and devices
   - boundary protection - ensures that simultaneous jobs do not interfere with one another (slide example: a weekly payroll calculation and a daily accounts payable update sharing the central processing unit)
   - periodic maintenance - hardware should be examined periodically by qualified technicians
4. controls over access to equipment, programs, and data files
   - access to program documentation, data files & programs, and computer hardware should be limited to those who need access to perform their duties

Physical Access Controls
- security guards
- manual key locks
- controls regarding visitors

Electronic Access Controls
- access control software - passwords and ID codes, which should be changed periodically. A password may provide access to only part of the system.
- encryption boards - devices that are programmed with a unique key that makes data unreadable to anyone who may intercept a transmission

Objectives of General Controls
1. Responsibility for control - senior management, user management and information systems management have responsibilities
2. Information system meets needs of entity
3. Efficient implementation of information systems
4. Efficient and effective maintenance of information systems
5. Effective and efficient development and acquisition of information systems
6. Present and future requirements of users can be met
7. Efficient and effective use of resources within information systems processing
8. Complete, accurate and timely processing of authorized information systems
9. Appropriate segregation of incompatible functions
10. All access to information and information systems is authorized
11. Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13. Maintenance and recovery of critical user activities

Application controls can be grouped into three categories:
- input
- processing
- output

Input Controls
- input data should be authorized & approved
- the system should edit the input data

Examples of Input Controls
- adequate documents - data has an assigned place and format
  [Figure: sample sales invoice (no. 4527) with an address block (Ace Company, 834 Reynolds Rd., Winnipeg, MB R2V 4E3) and labelled fields: date, customer, sales representative, quantity, description, price, total invoice amount, est. shipment date, terms of sale (including discounts and freight costs), carrier, credit authorization]
- check digit - an extra digit is added to numbers to detect errors in transmission
  [Figure: account listing (Acct#, description, $amount) for factory wage-reg, factory wage-ot, office wage-reg and office wage-ot, with the check digits marked]
- record count - a control total of records processed (example: number of employee records processed in calculating payroll)
  [Figure: payroll table (SI number, Emp. name, Hours, Rate) for Jon Duchac, Paul Juras, Dale Martin and Tom Taylor; RECORD COUNT = 4]
- reasonableness and limit tests - determine if amounts are too high, too low, or unreasonable (example: the maximum employee pay rate may be $15/hour)
  [Figure: the same payroll table; ERROR MESSAGE: Rate exceeds specified parameters.]
- field size check - results in an error message if more or fewer than a certain number of characters are input (example: social insurance numbers always have 9 characters)
  [Figure: the same payroll table; ERROR MESSAGE: SIN has excess characters.]
- field check - ensures that only numbers, alphabetic characters, or special characters are accepted into a specific field (example: SI numbers always have numeric characters)
  [Figure: the same payroll table with the entry "at6868"; ERROR MESSAGE: SIN has non-numeric characters.]
- validity check - allows only previously-defined valid data to be entered into a data field (example: employee status must be either “hourly” or “salary”)
  [Figure: table (Emp. name, Status, Hours, Rate): Jon Duchac hourly; Paul Juras hourly; Dale Martin salary; Tom Taylor unknown; ERROR MESSAGE: status must be either “hourly” or “salary”]

Processing Controls assure that data entered into the system are processed, processed only once, and processed accurately

Examples of Processing Controls
- control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense)
  [Figure: account listing (Acct#, description, $amount) for factory wage-reg, factory wage-ot, office wage-reg and office wage-ot, footed to a wages expense control total]
- logic test - ensures against illogical combinations of information (example: a salaried employee does not report hours worked)
  [Figure: table (Emp. name, Status, Hours, Rate): Jon Duchac hourly; Paul Juras hourly; Dale Martin salary; Tom Taylor salary with 43 hours; ERROR MESSAGE: for salaried employees, “Hours” should be “-”]
- completeness check - results in an error if information is incomplete
  [Figure: payroll table (SI number, Emp. name, Hours, Rate); ERROR MESSAGE: Tom Taylor’s SIN has not been input.]
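The input and processing edits listed above, applied to a small payroll batch. This is an added example, not part of the original slides: the record layout, the sample batch and the use of the Luhn algorithm for the check digit are assumptions, while the $15/hour limit, the 9-character numeric SIN and the two valid statuses come from the slides.

```python
from decimal import Decimal

MAX_RATE = Decimal("15.00")           # limit test: the slides' $15/hour maximum
VALID_STATUS = {"hourly", "salary"}   # validity check: the slides' two statuses

# Constructed sample batch (not from the slides); SINs are made-up test values.
BATCH = [
    {"name": "Jon Duchac", "sin": "046454286", "status": "hourly",
     "hours": Decimal("40"), "rate": Decimal("12.50")},
    {"name": "Paul Juras", "sin": "123456872", "status": "hourly",  # digits transposed
     "hours": Decimal("38"), "rate": Decimal("18.00")},             # rate over limit
    {"name": "Dale Martin", "sin": "at6868", "status": "unknown",
     "hours": None, "rate": None},
    {"name": "Tom Taylor", "sin": "", "status": "salary",
     "hours": Decimal("43"), "rate": None},
]


def luhn_ok(number: str) -> bool:
    """Check digit test. Luhn is assumed here; the slides name no algorithm."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec: dict) -> list:
    """Return the list of edit errors for one payroll input record."""
    errors = []
    sin = rec.get("sin") or ""
    if not sin:
        errors.append("completeness check: SIN has not been input")
    else:
        if len(sin) != 9:
            errors.append("field size check: SIN must have 9 characters")
        if not (sin.isascii() and sin.isdigit()):
            errors.append("field check: SIN has non-numeric characters")
        if not errors and not luhn_ok(sin):
            errors.append("check digit: SIN fails the check digit test")
    status, hours, rate = rec.get("status"), rec.get("hours"), rec.get("rate")
    if status not in VALID_STATUS:
        errors.append('validity check: status must be "hourly" or "salary"')
    if status == "salary" and hours is not None:
        errors.append("logic test: salaried employees do not report hours")
    if rate is not None and not (Decimal("0") < rate <= MAX_RATE):
        errors.append("limit test: rate exceeds specified parameters")
    return errors


def process_batch(records, header_count, header_hours):
    """Edit each record, then reconcile the batch to its header totals."""
    accepted, rejected = [], {}
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected[rec["name"]] = errs
        else:
            accepted.append(rec)
    control = []
    # Record count and control total cover the batch as received,
    # so a dropped or duplicated record shows up even if every edit passes.
    if len(records) != header_count:
        control.append(f"record count: got {len(records)}, expected {header_count}")
    hours_total = sum((r["hours"] or Decimal("0") for r in records), Decimal("0"))
    if hours_total != header_hours:
        control.append(f"control total: hours {hours_total}, expected {header_hours}")
    return accepted, rejected, control


if __name__ == "__main__":
    accepted, rejected, control = process_batch(BATCH, 4, Decimal("121"))
    for name, errs in rejected.items():
        print(name, errs)
    print("control errors:", control)
```

Only the first record passes every edit; dropping a record from the batch leaves the per-record edits unchanged but trips both the record count and the control total.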

Output Controls assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities

Examples of Output Controls
- limits on quantity of output and/or processing time - programmed constraints on time and/or output that prevent waste of resources

Objectives of Application Controls
1. Design application controls with regard to:
   - segregation of incompatible functions
   - security
   - development
   - processing of information systems
2. Information provided by the systems is:
   - complete
   - accurate
   - authorized
3. Existence of adequate management trails

There are two general approaches to auditing EDP systems:
1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware.
   - This approach involves no tests of the computer programs and no auditor use of the computer.
   - The logic of this approach is: “If we understand what went in and what came out, we understand the system.”
   - It depends on a visible, traceable, hard copy audit trail made of manually-prepared and computer-prepared documents.

Can an auditor effectively “audit around” a client’s EDP system?
Possibly! Many clients, however, do not have a hard copy audit trail. Increasingly, data are recorded on computer disk and never printed.

2. Auditing with use of the computer involves extensive testing of computer hardware and software. It emphasizes the input and processing phases of EDP systems.

Techniques for auditing with use of the computer
1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s system.
   - Test data involves the use of auditor-prepared data, client programs, and client hardware.

What are the shortcomings of the use of test data?
- possibility of accidental integration of fictitious and actual data
- preparation of test data that examines all aspects of the application is difficult
- the auditor must make sure that the program being tested is the one actually used in routine processing

Techniques for auditing with use of the computer: 2. Parallel simulation
- the auditor writes a computer program that replicates part of the client’s system
- the auditor’s program is used to process actual client data
- the results from the auditor’s program and those of the client’s routine processing are compared
Parallel simulation usually involves the use of actual client data, the auditor’s program, and client hardware.
With parallel simulation, the auditor must make sure that the program being tested is the one actually used in routine processing.

Generalized Audit Software (GAS)
- a set of programs specifically designed to perform certain data processing functions that are useful to the auditor
- can be used on a variety of clients
Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be downloaded into the auditor’s system and manipulated in a variety of ways.

Uses of Generalized Audit Software (GAS)
- verifying extensions and footings
  [Figure: accounts receivable aging report dated 12/31/04, aged based on invoice date, with columns CUSTOMER, BALANCE, OVER 90 and rows for AKINC, BOWERS, DEWASTALI, DUNKLEBURG, EASLEY, EWING, GOHO, HARRISON, MCCRAY]
- examining records for quality, completeness, consistency, and correctness. GAS can scan records and print those that are exceptions to auditor-specified criteria.
- comparing data on separate files (slide example: human resources, payroll, accounting)
- summarizing or re-sequencing data and performing analyses
- comparing data obtained through other audit procedures with company records
- selecting audit samples
- printing confirmation requests
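Several of the uses listed above (verifying extensions and footings, scanning for exceptions to auditor-specified criteria, comparing data on separate files) written as plain Python over downloaded client data. This is an added example, not part of the original slides and not the interface of any GAS package: the file layouts, customer IDs and amounts are constructed, and only the 12/31/04 report date, the over-90 criterion and the customer names are taken from the slide.

```python
from datetime import date
from decimal import Decimal

AS_OF = date(2004, 12, 31)   # report date shown on the slide's aging report

# Constructed client files (not from the slides).
CUSTOMER_MASTER = {"C001": "AKINC", "C002": "BOWERS", "C003": "EASLEY"}
INVOICES = [
    # (invoice, customer, invoice date, qty, unit price, extended amount on file)
    ("4527", "C001", date(2004, 12, 10), 10, Decimal("12.50"), Decimal("125.00")),
    ("4528", "C002", date(2004, 9, 1), 4, Decimal("80.00"), Decimal("320.00")),
    ("4529", "C002", date(2004, 11, 20), 3, Decimal("19.99"), Decimal("59.79")),
    ("4530", "C009", date(2004, 12, 15), 1, Decimal("40.00"), Decimal("40.00")),
]
REPORTED_TOTAL = Decimal("544.79")   # client's A/R total (constructed)


def verify_extensions(invoices):
    """Recompute qty x price; return invoices whose amount on file differs."""
    return [(inv, on_file, qty * price)
            for inv, _cust, _dt, qty, price, on_file in invoices
            if qty * price != on_file]


def footing_difference(invoices, reported_total):
    """Foot (add up) the amount column and compare with the client's total."""
    footed = sum((row[5] for row in invoices), Decimal("0"))
    return reported_total - footed


def unmatched_customers(invoices, master):
    """Compare two files: invoices whose customer is not in the master file."""
    return [inv for inv, cust, *_rest in invoices if cust not in master]


def older_than(invoices, as_of, days=90):
    """Exception scan: invoices older than the auditor-specified age."""
    return [inv for inv, _cust, dt, *_rest in invoices if (as_of - dt).days > days]


def run_audit_tests():
    """Run every test and return the exceptions for the working papers."""
    return {
        "extension_errors": verify_extensions(INVOICES),
        "footing_difference": footing_difference(INVOICES, REPORTED_TOTAL),
        "no_master_record": unmatched_customers(INVOICES, CUSTOMER_MASTER),
        "over_90_days": older_than(INVOICES, AS_OF),
    }


if __name__ == "__main__":
    for test, result in run_audit_tests().items():
        print(f"{test}: {result}")
```

On this data the column foots to the client's total even though invoice 4529 is extended incorrectly, which is why extensions and footings are tested separately.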