chapter 7-1. chapter 7-2 accounting information systems, 1 st edition auditing information...
Post on 15-Jan-2016
226 views
TRANSCRIPT
Chapter 7-1
Chapter 7-2 Accounting Information Systems, 1st Edition
Auditing Information Technology-Based Processes
Chapter 7-3
1. An introduction to auditing IT processes
2. The various types of audits and auditors
3. Information risk and IT-enhanced internal control
4. Authoritative literature used in auditing
5. Management assertions used in the auditing process and the related audit objectives
6. The phases of an IT audit
7. The use of computers in audits
8. Tests of controls
9. Tests of transactions and tests of balances
10. Audit Completion/Reporting
11. Other audit considerations
12. Ethical issues related to auditing
Study ObjectivesStudy ObjectivesStudy ObjectivesStudy Objectives
Chapter 7-4 SO 1 An introduction to auditing IT processesSO 1 An introduction to auditing IT processes
Introduction to Auditing IT Introduction to Auditing IT ProcessesProcessesIntroduction to Auditing IT Introduction to Auditing IT ProcessesProcesses
Accounting services that improve the quality of information are called assurance services.
An audit is the most common type of assurance service.
Chapter 7-5 SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors
Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors
Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information.
Three primary types of audits include
compliance audits,
operational audits, and
financial statement audits.
Chapter 7-6 SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors
Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors
Audits are typically conducted by accountants.
Certified public accountants (CPAs)
Internal auditor
IT auditors
Government auditors
Chapter 7-7 SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors
Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors
IT environment plays a key role in how auditors conduct their work in the following areas:
Consideration of risk
Audit procedures used to obtain knowledge of accounting and internal control systems
Design and performance of audit tests
Chapter 7-8
Concept CheckConcept Check
SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors
Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors
Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?
a. Financial statement audits
b. Operational audits
c. Regulatory audits
d. Compliance audits
Chapter 7-9
Concept CheckConcept Check
SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors
Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors
Financial statement audits are required to be performed by
a. government auditors.
b. CPAs.
c. internal auditors.
d. IT auditors.
Chapter 7-10 SO 3 Information risk and IT-enhanced internal controlSO 3 Information risk and IT-enhanced internal control
Risk and IT-Enhanced Internal Risk and IT-Enhanced Internal ControlControlRisk and IT-Enhanced Internal Risk and IT-Enhanced Internal ControlControl
Information risk is the chance that information used by decision makers may be inaccurate.
Following are some causes of information risk:
Remoteness of information
Volume and complexity of underlying data
Motive of the preparer
Chapter 7-11 SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing
Authoritative Literature Used in Authoritative Literature Used in AuditingAuditingAuthoritative Literature Used in Authoritative Literature Used in AuditingAuditing
Sources of authoritative literature
Generally accepted auditing standards (GAAS)
Public Company Accounting Oversight Board (PCAOB)
Auditing Standards Board (ASB)
International Audit Practices Committee (IAPC)
Information Systems Audit and Control Association (ISACA).
Chapter 7-12
Concept CheckConcept Check
Which of the following is not a part of generally accepted auditing standards?
a. general standards
b. standards of fieldwork
c. standards of information systems
d. standards of reporting
SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing
Authoritative Literature Used in Authoritative Literature Used in AuditingAuditingAuthoritative Literature Used in Authoritative Literature Used in AuditingAuditing
Chapter 7-13
Concept CheckConcept Check
Which of the following best describes what is meant by the term “generally accepted auditing standards”?
a. Procedures used to gather evidence to support the accuracy of a client’s financial statements
b. Measures of the quality of an auditor’s conduct
c. Professional pronouncements issued by the Auditing Standards Board
d. Rules acknowledged by the accounting profession because of their widespread applicationSO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing
Authoritative Literature Used in Authoritative Literature Used in AuditingAuditingAuthoritative Literature Used in Authoritative Literature Used in AuditingAuditing
Chapter 7-14
Concept CheckConcept Check
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to
a. document the auditor’s understanding of the client company’s internal controls.
b. search for weaknesses in the operation of the client company’s internal controls.
c. perform tests of controls to evaluate the effectiveness of the client company’s internal controls.
d. determine whether controls are appropriately designed to prevent or detect material misstatements.SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing
Authoritative Literature Used in Authoritative Literature Used in AuditingAuditingAuthoritative Literature Used in Authoritative Literature Used in AuditingAuditing
Chapter 7-15
SO 5 Management assertions used in the SO 5 Management assertions used in the auditing process and the related audit auditing process and the related audit objectivesobjectives
Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectivesResponsibility for the preparation of financial statements lies with management
Management assertions are claims regarding the financial condition and results of operations.
Existence/occurrence
Valuation and Allocation
Accuracy, Classification, Cutoff
Completeness
Rights and Obligations
Presentation and Disclosure
Audit tests developed for an audit client are documented in
an audit program.
Chapter 7-16
Concept CheckConcept Check
Auditors should design a written audit program so that
a. all material transactions will be included in substantive testing.
b. substantive testing performed prior to year end will be minimized.
c. the procedures will achieve specific audit objectives related to specific management assertions.
d. each account balance will be tested under either a substantive test or a test of controls.
SO 5 Management assertions used in the SO 5 Management assertions used in the auditing process and the related audit auditing process and the related audit objectivesobjectives
Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectives
Chapter 7-17
Concept CheckConcept Check
Which of the following audit objectives relates to the management assertion of existence?
a. A transaction is recorded in the proper period.
b. A transaction actually occurred (i.e., it is real).
c. A transaction is properly presented in the financial statements.
d. A transaction is supported by detailed evidence.
SO 5 Management assertions used in the SO 5 Management assertions used in the auditing process and the related audit auditing process and the related audit objectivesobjectives
Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectives
Chapter 7-18 SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit
There are four primary phases to an IT audit:
planning,
tests of controls,
substantive tests, and
audit completion/reporting.
Chapter 7-19 SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT Phases of an IT AuditAuditPhases of an IT Phases of an IT AuditAudit Exhibit 7-4
Process Map of Phases of an Audit
Chapter 7-20 SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit
Audit evidence is proof of the fairness of financial information. Techniques for gathering evidence:
physically examining or inspecting assets or supporting documentation
obtaining written confirmations
rechecking or recalculating information
observing the underlying activities
making inquiries of client personnel
analyzing financial relationships and comparisons
Chapter 7-21 SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit
Audit Planning
Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives.
Chapter 7-22 SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Audit Planning
Phases of an IT Phases of an IT AuditAuditPhases of an IT Phases of an IT AuditAudit
Exhibit 7-5Audit Planning Phase Process Map
Chapter 7-23
Concept CheckConcept Check
Risk assessment is a process designed to
a. identify possible events that may effect the business.
b. establish policies and procedures to carry out internal controls.
c. identify and capture information in a timely manner.
d. test the internal controls throughout the year.
SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit
Chapter 7-24
Concept CheckConcept Check
Which of the following audit procedures is most likely to be performed during the planning phase of the audit?
a. Obtain an understanding of the client’s risk assessment process.
b. Identify specific internal control activities that are designed to prevent fraud.
c. Evaluate the reasonableness of the client’s accounting estimates.
d. Test the timely cutoff of cash payments and collections.
SO 6 The phases of an IT auditSO 6 The phases of an IT audit
Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit
Chapter 7-25 SO 7 The use of computers in auditsSO 7 The use of computers in audits
Use of Computers in AuditsUse of Computers in AuditsUse of Computers in AuditsUse of Computers in Audits
Auditing around the computer
Auditing through the computer
Auditing with the computer
Computer-assisted audit techniques (CAATs)
Chapter 7-26
Concept CheckConcept Check
Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?
a. The time involved in testing processing controls is significant.
b. The cost involved in testing processing controls is significant.
c. A portion of the audit trail is not tested.
d. The technical expertise required to test processing controls is extensive.
SO 7 The use of computers in auditsSO 7 The use of computers in audits
Use of Computers in AuditsUse of Computers in AuditsUse of Computers in AuditsUse of Computers in Audits
Chapter 7-27 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Tests of controls involve audit procedures designed to evaluate both general controls and application controls.
Exhibit 7-6Control Testing Phase Process Map
Chapter 7-28 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
General Controls
Two broad categories of general controls that relate to IT systems:
IT administration and related operating systems development and maintenance processes
Security controls and related access issues
Chapter 7-29 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
General Controls
IT Administration
Audit tests include review for the existence and communication of company policies regarding:
personal accountability and segregation of incompatible responsibilities
job descriptions and clear lines of authority
computer security and virus protection
IT systems documentation
Chapter 7-30 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
General Controls
Security Controls
To test external access controls, auditors may perform:
Authenticity tests.
Penetration tests
Vulnerability assessments
Review access logs to identify unauthorized users or failed access attempts
Chapter 7-31 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Application Controls
Computerized controls over application programs.
Auditors should test
Systems documentation
Main functions of the computer applications
input,
processing, and
output.
Chapter 7-32 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Application Controls
Input Controls
1. Financial totals
2. Hash totals
3. Completeness or redundancy tests
4. Limit tests
5. Validation checks
6. Field checks
Chapter 7-33 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Application Controls
Processing Controls, techniques for testing
1. Test data method
2. Program tracing
3. Integrated test facility
4. Parallel simulation
5. Embedded audit modules
Chapter 7-34 SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Application Controls
Output Controls
1. Reasonableness tests
2. Audit trail tests
3. Rounding errors tests
Chapter 7-35
Concept CheckConcept Check
The primary objective of compliance testing in a financial statement audit is to determine whether
a. procedures have been updated regularly.
b. financial statement amounts are accurately stated.
c. internal controls are functioning as designed.
d. collusion is taking place.
SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Chapter 7-36
Concept CheckConcept Check
Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system?
a. Test data method
b. Embedded audit module
c. Integrated test facility
d. Parallel simulationSO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Chapter 7-37
Concept CheckConcept Check
Which of the following is a general control to test for external access to a client’s computerized systems?
a. Penetration tests
b. Hash totals
c. Field checks
d. Program tracing
SO 8 Test of controlsSO 8 Test of controls
Tests of ControlsTests of ControlsTests of ControlsTests of Controls
Chapter 7-38 SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances
Tests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and Balances
Substantive Testing - tests of accuracy of monetary amounts of transactions and account balances.
Computerized auditing tools make it possible for more efficient audit tests such as:
mathematical and statistical calculations data queries identification of missing items in a sequence stratification and comparison of data items selection of items of interest from the data files summarization of testing results into a useful
format for decision making
Chapter 7-39 SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances
Tests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and Balances
Exhibit 7-9Substantive Testing Phase Process Map
Chapter 7-40
Concept CheckConcept Check
Generalized audit software can be used to
a. examine the consistency of data maintained on computer files.
b. perform audit tests of multiple computer files concurrently.
c. verify the processing logic of operating system software.
d. process test data against master files that contain both real and fictitious data.
SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances
Tests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and Balances
Chapter 7-41 SO 10 Audit Completion/ReportingSO 10 Audit Completion/Reporting
Audit Completion/ReportingAudit Completion/ReportingAudit Completion/ReportingAudit Completion/Reporting
Four basic types of reports:
1. Unqualified opinion
2. Qualified opinion
3. Adverse opinion
4. Disclaimer
The most important task is obtaining a letter of representations from client management.
Chapter 7-42
Audit Completion/ReportingAudit Completion/ReportingAudit Completion/ReportingAudit Completion/Reporting
SO 10 Audit SO 10 Audit Completion/ReportingCompletion/Reporting
Exhibit 7-10Audit Completion/Reporting Phase Process Map
Chapter 7-43 SO 11 Other audit considerationsSO 11 Other audit considerations
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Different IT Environments
Using PCs, companies may use IT environments that involve
networks,
database management systems, and/or
e-commerce systems.
Chapter 7-44 SO 11 Other audit considerationsSO 11 Other audit considerations
Changes in a Client’s IT Environment
Auditors must consider whether additional audit testing is needed.
Specific audit tests include verification of: Assessment of user needs
Authorization for new projects and program changes
Adequate feasibility study and cost–benefit analysis
Proper design documentation
Proper user instructions
Adequate testing before system is put into use
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Chapter 7-45 SO 11 Other audit considerationsSO 11 Other audit considerations
Sampling
Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results.
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Chapter 7-46
Concept CheckConcept Check
Independent auditors are generally actively involved in each of the following tasks except:
a. Preparation of a client’s financial statements and accompanying notes
b. Advising client management as to the applicability of a new accounting standard
c. Proposing adjustments to a client’s financial statements
d. Advising client management about the presentation of the financial statements
SO 11 Other audit considerationsSO 11 Other audit considerations
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Chapter 7-47
Concept CheckConcept Check
Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?
a. Due professional care
b. Competence
c. Independence
d. A complex underlying body of professional knowledge
SO 11 Other audit considerationsSO 11 Other audit considerations
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Chapter 7-48
Concept CheckConcept Check
Which of the following terms is not associated with the auditor’s requirement to maintain independence?
a. Objectivity
b. Neutrality
c. Professional skepticism
d. Competence
SO 11 Other audit considerationsSO 11 Other audit considerations
Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations
Chapter 7-49 SO 12 Ethical issues related to auditingSO 12 Ethical issues related to auditing
AICPA Code of Professional Conduct
Six principles of the code:
1. Responsibilities.
2. The Public Interest.
3. Integrity.
4. Objectivity and Independence. CPAs
5. Due Care
6. Scope and Nature of Services
Ethical Issues Related to AuditingEthical Issues Related to AuditingEthical Issues Related to AuditingEthical Issues Related to Auditing
Auditors must practice
professional skepticism
Chapter 7-50
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
CopyrightCopyrightCopyrightCopyright
Chapter 7-51
b. Reducing inventory quantities.
Manufacturing companies implement ERP systems for the primary purpose of
Concept CheckConcept Check
c. Sharing information.
d. Reducing investments.
a. Increasing productivity.
SO 1 The overview of an ERP systemSO 1 The overview of an ERP system
Overview of ERP SystemsOverview of ERP SystemsOverview of ERP SystemsOverview of ERP Systems