Week 11 Accounting Information Systems

Romney and SteinbartLinda BatchMarch 2012

Learning Objectives• Auditing Computer-based Systems (Chapter 11)

– Overview of audit process– 5 objectives of Information Systems Audits

• Systems Development (Chapter 20)– The Systems Development Lifecycle

• Microsoft Access– Creating Forms– Creating Macros and Switchboard

• Work on Assignment 4• Quiz (Chapter 7 and Chapter 8)

Chapter 11 – Auditing Computer Based AIS• Definitions

– Auditing is the systematic process of obtaining and evaluating evidence to determine how well activities correspond with established criteria

– Internal Audit is an independent, objective assurance and consulting activity designed to improve organizational effectiveness and efficiency

• There are several different types of audits– Financial audit – reliability and integrity of financial statements– Information systems audit – controls of an AIS– Operational audit – economic use of company resources and

achievement of organizational objectives– Compliance audit – evaluates compliance with applicable laws and

regulations– Investigative audit – investigates potential fraud, misappropriation of

assets, and improper governance of activities

Chapter 11 – Auditing Computer Based AIS

• Overview of the Audit Process– Audit Planning– Collection of Audit Evidence– Evaluation of Audit Evidence– Communication of Audit Results

• An audit is planned so the greatest amount of audit work focusses on areas with the highest risk factors.– Inherent risk - susceptibility to material risk in the absence of

controls– Control risk - risk a material misstatement will get through the

internal control structure and into the financial statements– Detection risk – risk the auditors and their procedures will fail to

detect a material error or misstatement

Chapter 11 – Risk Based Audit Approach

• The risk based audit approach provides a framework for conducting information systems audits (or any kind of audit for that matter)

– Determine the threats facing the company– Identify the control procedures that prevent, detect, or correct

the threats– Evaluate the control procedures– Evaluate control weaknesses to determine their effect on the

nature, timing or extent of auditing procedures (are there compensating controls?)

Ch. 11 – Six Objectives of an Information Systems Audit

• Purpose is to review and evaluate the internal controls that protect the system

• There are six objectives to an information systems audit– Overall systems security is effective– Program development and acquisition is controlled– Programming modifications are authorized and approved– Transaction processing is accurate and complete– Source data that is not accurate is identified– Storage of data files are accurate, complete, and confidential

Ch. 11 – Six Objectives of an Information Systems Audit

Chapter 11 – Information Systems Audits

• There are frameworks for each of these six objectives

• Each framework Identifies– The types of errors and fraud– Control procedures– Audit procedures– Audit procedures – test of controls– Compensating controls

Chapter 11 – Examples of Audit Techniques

• Objective 3 - Program Modifications– Source code comparison program– Reprocessing data– Parallel simulation

• Objective 4 – Audit Process Controls– Concurrent audit techniques continually monitor the system use

embedded audit modules. Types of concurrent techniques are:– Integrated test facility (ITF) where a fictitious division is created and

transactions are created that will not be included in the corporate results

– Snapshot technique where select transactions are tagged with a special code and these are reviewed by internal audit

– Systems Control Audit Review file (SCARF) – continually monitors transactions and collects them into a log for periodic review

Chapter 11 – Audit Software

• Computer-Assisted Audit Techniques– CAATS (often called generalized audit software (GAS))– Uses audit supplied specifications to generate a program that

performs audit functions– The program uses a copy of the live data to perform auditing

procedures• Ernst and Young uses CAATS to create samples of transactions for

review during their external audit

Chapter 11 – Audit Software – Chapter 11 Checkpoint1. Which of the following is a characteristic of auditing

a. Auditing is a systematic, step-by-step processb. Auditing involves the collection and review of evidencec. Auditing involves the use of established criteria to evaluate evidenced. All of the above

2. Which type of audit involves a review of general and application controls to determine compliance with policies and adequate safeguarding of assetsa. Information systems auditb. Financial auditc. Operational auditd. Compliance audit

Chapter 11 – Audit Software – Chapter 11 Checkpoint3. At what step in the audit process do the concepts of reasonable

assurance and materiality enter into the auditor’s decision process?a. Planningb. Evidence collectionc. Evidence evaluationd. They are important in all three steps

4. What is the four step approach to internal control evaluation that provides a logical framework for carrying out an audit?a. Inherent risk analysisb. Systems reviewc. Tests of controlsd. A risk-based approach to auditing

Chapter 11 – Audit Software – Chapter 11 Checkpoint5. Which of the following is a concurrent audit technique that monitors all

transactions and collects transactions that meet certain criteria?a. ITF – integrated test facilityb. Snap shot techniquec. SCARF – Systems control audit review filed. Audit hooks

6. Which of the following is a computer program written specifically for audit use?a. GASb. CATAS

7. True or False: If it is found that system changes are not appropriately authorized, tested or approved system output may be unreliable.

c. ITFd. CIS

Chapter 11 – Audit Software – Chapter 11 Checkpoint8. The focus of an operational audit is?

a. Reliability and integrity of financial informationb. All aspects of information systems managementc. Internal controlsd. Safeguarding assets

9. Six Objective for information systems audits are?a. Overall systems securityb. Program development and acquisitionc. Program modificationd. Computer processinge. Source dataf. Data filesg. All of the above

Chapter 11 – Audit Software – Chapter 11 Checkpoint10. The four steps in the audit process include?

a. Audit planningb. Collection of audit evidencec. Evaluation of audit evidenced. Communication of audit resultse. All of the above

11. Three ways an auditor can test for unauthorized program changes are?a. Use a source code comparison programb. Use a reprocessing techniquec. Use parallel simulationd. All of the above

Chapter 20 – Systems Development and Analysis

• Due to the increasingly competitive nature of business, companies are constantly improving or replacing their information systems. Reasons to change the system are:– Changes in user or business needs– Technological changes– Improved business processes– Competitive advantage– Productivity gains– Systems Integration– Systems age and need to be replaced

Know three

Chapter 20 – Systems Development and Analysis

• Absolutely critical that software implementations are done well– 70% of software development projects were late– 54% are over budget– 30% are cancelled prior to completion– 75% of all large systems are not used, are not used as intended, or

generate meaningless reports or inaccurate

• Skipping or skimping on systems development processes can lead to “runaways” that consume time and money

Chapter 20 – Systems Development Lifecycle • SDLC

– Systems Analysis – feasibility study and assess information needs

– Conceptual Design – evaluate design alternatives and deliver conceptual design requirements

– Physical Design – develop input, output, database, programs, procedures, controls, deliver the system

– Implementation and Conversion – develop an implementation and conversion plan, install, train, test, convert, deliver an operational system

– Operations and Maintenance – post-implementation review, operate, modify, ongoing maintenance, and improve

• The Players– Management, Accountants and Other Users, IS Steering

Committee, Project Development Team, Systems analysts and Programmers, External Players

Systemsanalysis

ConceptualSystemDesign

PhysicalDesign

ImplementationAnd

Conversion

Operationand

Maintenance

Chapter 20 – Systems Development Life CycleSystemsanalysis

ConceptualSystemDesign

PhysicalDesign

ImplementationAnd

Conversion

Operationand

Maintenance

Chapter 20 – Systems Development Lifecycle

Chapter 20 – Planning the Development

• Planning enables the systems goals and objectives to correspond to the organization’s strategic plans– Efficiency in design and coordinated with subsystems– Alignment of technologies– No duplication of effort– Staffing / skill sets will be planned

• Two plans are needed– Project Development Plan

• Relates to a specific project, is prepared by the project team, and contains a cost / benefit analysis, project requirements and a schedule of activities

– Master Plan• Long range planning, is prepared by the steering committee, specifies what will be

developed, how it will be developed, who will develop it, resources required, and when it will be developed – creates a prioritized inventory of projects

Chapter 20 – Planning Techniques

• GANTT Chart– Bar chart with project activities on the left side and units of time

across the top (Figure 20-3)– For each activity there is an arrow across that indicates the start and

end date of an activity

• PERT Chart – Program Evaluation and Review Technique– All activities and the precedent and subsequent relationships among

them are identified and used to draw a PERT diagram– The PERT diagram identifies the items that determine the project

critical path– The critical path items are those items, in aggregate, influence the

project duration (greatest amount of time)

Chapter 20 – Feasibility Analysis

• Feasibility Study or Business Case– Prepared during the systems analysis and updated as necessary

during the Systems Development Life Cycle.– All stakeholders should have input into the feasibility study– At major decision points the steering committee reassesses feasibility

to decide whether to terminate a project or to proceed (go/no go decision)

– Economic, technical, legal, scheduling, operational feasibility needs to be considered during this phase

– Capital budgeting techniques such as Payback period, Net Present Value, Internal Rate of Return, are used to determine whether a project is feasible (methods to compare very different projects)

– A project should be evaluated on both tangible and intangible benefits

Chapter 20 – Behavioural Aspects of Change

• How People Resist Change– Failure to provide developers with information, tardiness, or subpar

performance

• Resistance takes three forms– Aggression – behaviour that destroys, cripples, or weakens system

effectiveness such as increased error rates, disruptions or sabotage

– Projection – blaming the new system for everything that goes wrong. The criticisms must be controlled and answered, systems integrity can be damaged or destroyed

– Avoidance – ignoring the system and hoping that it goes away. Eliminate the options to avoid its use and / or eliminate the employees that do not adopt the technology

Chapter 20 – Behavioral Aspects of Change

• Preventing Behavioural Problems– Obtain Management Support– Meet user needs– Involve users – users who participate are more knowledgeable, better

trained and committed– Avoid emotionalism– Performance evaluations should be reexamined to ensure they are

congruent with the new system– Keep communication lines open– Test the system– Control user expectations by being realistic when describing the

merits of the system

Chapter 20 – Systems Development Checkpoint 1. Which of the following is a planning technique that identifies the critical

path of a projecta. GANTT chartb. PERT chartc. Physical modeld. Data flow diagram

2. Which is the long range planning document that specifies the the IT strategic plana. Steering committee agendab. Master Planc. Systems development life cycled. Project development plan

Chapter 20 – Systems Development Checkpoint 3. True or False - Resistance is often a reaction to the methods of instituting

change rather than to change itself. 4. Increased error rates, disruptions, and sabotage are examples of what?

a. Aggressionb. Avoidancec. Projectiond. Payback

5. What is often the most significant problem a company encounters in designing, developing, and implementing a system?a. The human elementb. Technologyc. Legal challengesd. Planning for a new system

Chapter 20 – Systems Development Checkpoint 6. Determining whether the organization has access to people who can

design, implement, and operate the proposed system is?a. Technical feasibilityb. Operational feasibilityc. Legal feasibilityd. Scheduling feasibilitye. Economic feasibility

7. Which of the following are potential tangible or intangible benefits of a new computer system?a. Cost savingsb. Improved customer service and productivityc. Improved decision makingd. Improved data processinge. All of the above

Chapter 20 – Systems Development Checkpoint 8. Identify the five steps in the systems development lift cycle (SDLC).

a. Systems analysisb. Conceptual designc. Physical designd. Implementation and conversione. Operations and maintenance

9. Three commonly used capital budgeting techniques that are used to assess and compare the cost benefits of projects are:a. NPVb. IRRc. Payback periodd. SLCe. All of the above

Ch. 11 – Systems Auditing – Review for Final • What is auditing and internal audit (slide 2)• Five different audit types (slide 2)• Four stages of the audit process• Know what a risk based audit approach is (do not worry about the 4

steps)• Six objectives for an IS audit – be able to name them on fig. 11-2 (slide 7)• Three examples of objective 3 – program modifications• Three examples of objective 4 – audit process controls• Computer assisted audit techniques (CAATS, GAS)

Ch. 20 – Systems Development – Review for Final • Two types of plans used in IS system development planning• GANTT and PERT Charts (what they are, how they differ)• How people resist change - three forms of resistance – aggression,

projection, avoidance• Preventing behavioural problems (know 4)