Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Data Management Systems Chapter 3 with added info.

Published byEustacia Daniels Modified over 9 years ago

Similar presentations

Presentation on theme: "Auditing Data Management Systems Chapter 3 with added info."— Presentation transcript:

1 Auditing Data Management Systems Chapter 3 with added info

2 electronic method of sending documents between companies no “paper trail” for the auditor to follow increased emphasis on front-end controls security becomes key element in controlling system Challenges of Sophisticated Computer Systems

3 1. Responsibility for control 2. Information system meets needs of entity 3. Efficient implementation of information systems 4.Efficient and effective maintenance of information systems 5.Effective and efficient development and acquisition of information systems 6.Present and future requirements of users can be met 7.Efficient and effective use of resources within information systems processing Objectives of General Controls

4 8.Complete, accurate and timely processing of authorized information systems 9.Appropriate segregation of incompatible functions 10. All access to information and information systems is authorized 11. Hardware facilities are physically protected from unauthorized access, loss or damage 12. Recovery and resumption of information systems processing 13. Maintenance and recovery of critical user activities Objectives of General Controls

5 Input Controls input data should be authorized & approved the system should edit the input data & prevent errors Examples include: validity checks, field checks, reasonableness check, record counts etc.

6 assure that data entered into the system are processed, processed only once, and processed accurately Processing Controls

7 Examples control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense) logic test - ensures against illogical combina tions of information (example: a salaried em- ployee does not report hours worked) Processing Controls

8 Database Processing Controls Inference Controls Must prohibit the retrieval of individual data through statistical (aggregate) operations on the database. Example: SELECT MAX ( Salary ) FROM EMPLOYEE WHERE Dept = ‘CSE’ AND Address LIKE ‘ %Cincinnati% ’ ; Note: What if only one employee in CSE lives in Cincinnati?

9 Output Controls assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities

10 1. Design application controls with regard to: - segregation of incompatible functions - security - development - processing of information systems 2. Information provided by the systems is: - complete - accurate - authorized 3. Existence of adequate management trails Objectives of Application Controls

11 Auditing Software Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be down-loaded into the auditor’s system and manipulated in a variety of ways.

12 Differences with Computer Processing Audit trails are different than with manual accounting systems Portions of audit trails may be temporary or never exist Processing is more uniform Computer may initiate and complete transactions Greater potential for fraud

13 Impact of Computers on Planning Extent to which computers are used Complexity of computer operations Organizational structure of computer operations Availability of data Use of CAATs Need for specialized skills by auditor

14 Audit Alternatives Continuous (Electronic) Auditing Auditing Around the Computer Auditing Through the Computer Non-concurrent (after-the-fact) auditing –Recent SAS pronouncements reduce applicability of non-concurrent auditing

15 Audit Alternatives Concurrent auditing provides greater information about the effectiveness of controls –Special audit test records can be used to examine system effectiveness –Embedded audit modules collect, process and report audit evidence as it is processed by the system

16 SAS No. 80 In entities where significant information is transmitted, processed, maintained, or accessed electronically, the auditor may determine that it is not practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions.

17 SAS No. 80 Due to the short-term nature of electronic data, the auditor should consider the time during which information exists or is available in determining the nature, timing and extent of his tests

18 SAS No. 94 SAS No. 94 acknowledges that IT use presents benefits as well as risks to internal control The auditor should expect to encounter IT systems and electronic records An entity’s IT use may be so significant that the quality of the audit evidence available to the auditor will depend on the controls that business maintains over its accuracy and completeness

19 SAS No. 94 As companies rely more and more on IT systems and controls, auditors will need to adopt new testing strategies to obtain evidence that controls are effective An auditor might need specialized skills to determine the effect of IT on the audit In some instances, the auditor may need the skills of a specialist

20 Errors and Irregularities Necessary Control Procedures INPUT Valid data are incorrectly converted to machine- sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Verification controls Computer editing Batch controls Data control group monitoring Transmittal controls Control totals Error logs Data control group monitoring PROCESSESSING The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. External file labels Internal file labels Control totals Limit and reasonableness tests OUTPUT Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output control totals Periodic comparisons of file data with source documents Data control group monitoring Report distribution control sheet

21 Tests of Controls Techniques Auditing Around the Computer—Manually processing selected transactions and comparing results to computer output Auditing Through the Computer— Computer assisted techniques –Test Decks—Processing dummy transactions and records with errors and exceptions to see that program controls are operating

22 Types of Concurrent Auditing Testing real data –Tracing transactions –Snapshot/extended record (EAM) –System Control Audit Review File (SCARF) Testing simulated data –Test deck approach –Integrated test facility (ITF)

23 Auditing Using Client’s Computer- Tracing Real Data Provides direct confirmation that controls functioned as prescribed Weaknesses of approach –Actual transactions selected may not trigger all of the controls- in fact, finding actual transactions to test every control may not be possible –May be disruptive to client’s operation

24 Auditing using Client’s Computer- Tracing Real Data Weaknesses, continued –Difficult to verify that program tested is program normally used –Difficult to verify that procedures used during test are procedures normally employed –Auditor needs to understand IT operations

25 Strengths –Auditor can reduce substantially the number of records that have to be processed (one record can test several controls) –Permits testing of every control Auditing using Client’s Computer- Using Simulated Data

26 Weaknesses –Only those conditions known to exist can be tested –Same program and procedures questions as in processing real data –Removal of simulated data from client's records Auditing using Client’s Computer- Using Simulated Data

27 Verify that no amounts, accounts, or transaction types are omitted Verify pricing, extensions, and other valuation procedures Verify account coding and classification Verify proper time period recording Test subsidiary records footing and reconciliation to control account balances Auditing using Client’s Computer- Using Simulated Data

28 Test data or test record approach –Simulated data is controlled and processed separately from real data –Output is compared to auditor- calculated output

29 Auditing using Client’s Computer- Using Simulated Data Integrated test facility (ITF) –Simulated data is assigned a special code to distinguish it from real data –Simulated data is integrated with real data and processed in normal course of business –Weakness - simulated data may be processed differently than real data

30 Generalized Audit Software Off-the-shelf software that allows examination of client data on auditor’s computer Information systems vary widely between clients –Hardware and software environments –Data structures –Record formats –Processing functions

31 Functional Capabilities of GAS File access File reorganization (sorting and merging) Filtering (Boolean operators: =, >=,, AND, OR, etc.) Statistical (sample selections) Arithmetic Stratification File creation Reporting

32 Available CAATs CA-Easytrieve (Computer Associates) –Works in UNIX or LAN (primarily mainframes) –Uses a background language similar to COBOL SAS –Statistical analysis –Data mining ACL IDEA

33 Electronic Workpapers Electronic working papers –Standardizes audit forms and formats –Improves quality and consistency –Coordinates efforts –Can centralize management efforts

34 Centralized Vs Distributed Systems Some activities should remain centralized DDP is more expensive but can add efficiencies over straight client-server approach Data can be distributed in different ways May raise security issues Auditor must question how each site is secured DDP may be partitioned or replicated DDP requires concurrency control

35 End Ch 3

Download ppt "Auditing Data Management Systems Chapter 3 with added info."

Similar presentations

Audit of Autonomous District Councils (in an IT environment using FAAM)

Audit of Autonomous District Councils (in an IT environment using FAAM)
Presented to the Tallahassee ISACA Chapter

Presented to the Tallahassee ISACA Chapter
ITAuditing Using GAS & CAATs

ITAuditing Using GAS & CAATs
Overview of IS Controls, Auditing, and Security Fall 2005.

Overview of IS Controls, Auditing, and Security Fall 2005.
Auditing Concepts.

Auditing Concepts.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Chapter 3 with added info

Chapter 3 with added info
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
The Islamic University of Gaza

The Islamic University of Gaza
The Islamic University of Gaza

The Islamic University of Gaza
MODERN AUDITING 7th Edition

MODERN AUDITING 7th Edition
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.

Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.
THE AUDITING OF INFORMATION SYSTEMS

THE AUDITING OF INFORMATION SYSTEMS
1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.

1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.
Concurrent Auditing Techniques

Concurrent Auditing Techniques
Chapter 9 The Study of Internal Control and Assessment of Control Risk

Chapter 9 The Study of Internal Control and Assessment of Control Risk
Chapter 12 Auditing the Human Resource Management Process McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.

Chapter 12 Auditing the Human Resource Management Process McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

Similar presentations

Ads by Google