Post on 01-Jan-2016
22 - 1 2003 Pearson Education Canada Inc.
CHAPTER 22
Auditing Automated Information Systems: Special Topics
As client computing facilities become more sophisticated, “paperless” accounting systems evolve wherein little “hard copy” documentation is produced.
[Figure: A/R master file; Monday’s A/R transactions]
What challenges does a sophisticated EDP accounting system present for an auditor?
- audit trails, documentation may only exist on disk (no printed copies)
- program errors may exist that cause uniform transaction errors
- in some circumstances, controls may have to make up for a lack of adequate segregation of duties
- detecting unauthorized access may be difficult
Electronic Data Interchange (EDI) Presents Even More Challenges
- electronic method of sending documents between companies
- no “paper trail” for the auditor to follow
- increased emphasis on front-end controls
- security becomes key element in controlling system
Electronic Funds Transfer (EFT) Also Presents Challenges
- also referred to as electronic commerce, or e-commerce
- greatly increased through “internet shopping”
- direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors
Data Communications Risks and Control Procedures
- loss of confidential information, through corporate espionage or “hackers”
   - create multiple levels of passwords; change regularly
- data intercepted during data communication
   - encrypt (scramble) information during transmission
- inappropriate access to information via the Internet
   - use of firewalls
   - physically separate homepage equipment and software from other systems
- viruses invading systems
   - same as above
   - use current anti-virus software
Disaster Recovery Process
1. Management commitment to disaster recovery planning.
2. Ranking of business processes: What will happen if process x fails?
3. Identifying minimum resources required to restore vital operations.
4. Prepare a data centre plan and a user plan.
5. Test the plan, to discover any shortcomings in the plan before disaster strikes.
Categories of Controls in an EDP Environment
- GENERAL CONTROLS relate to all parts of the EDP system.
- APPLICATION CONTROLS relate to one specific use of the system.
[Figure: general controls span the revenue system, payroll system and expenditure system; application controls are shown on the revenue system]
Categories of General Controls
1. plan of organization
   - Separate duties in EDP systems as discussed in chapter 9.
2. systems development and documentation controls
   - each system should have documented, authorized specifications
   - any system changes should be authorized and documented
3. hardware controls
   - diagnostic routines - hardware or software that checks the system’s internal operations and devices
   - boundary protection - ensures that simultaneous jobs do not interfere with one another
     [Figure: inside the central processing unit, a boundary separates the weekly payroll calculation from the daily accounts payable update]
   - periodic maintenance - hardware should be examined periodically by qualified technicians
4. controls over access to equipment, programs, and data files
   - access to program documentation, data files & programs, and computer hardware should be limited to those who need access to perform their duties
Physical Access Controls
- security guards
- manual key locks
- controls regarding visitors
Electronic Access Controls
- access control software - passwords and ID codes which should be changed periodically. A password may provide access to only part of the system.
- encryption boards - devices that are programmed with a unique key that makes data unreadable to anyone who may intercept a transmission
Objectives of General Controls
1. Responsibility for control - senior management, user management and information systems management have responsibilities
2. Information system meets needs of entity
3. Efficient implementation of information systems
4. Efficient and effective maintenance of information systems
5. Effective and efficient development and acquisition of information systems
6. Present and future requirements of users can be met
7. Efficient and effective use of resources within information systems processing
8. Complete, accurate and timely processing of authorized information systems
9. Appropriate segregation of incompatible functions
10. All access to information and information systems is authorized
11. Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13. Maintenance and recovery of critical user activities
Application controls can be grouped into three categories:
- input
- processing
- output
Input Controls
- input data should be authorized & approved
- the system should edit the input data
Examples of Input Controls
adequate documents - data has an assigned place and format
[Figure: sample sales invoice form (SALES INVOICE 4527, Ace Company, 834 Reynolds Rd., Winnipeg, MB R2V 4E3) with assigned fields for date, customer, sales representative, quantity, description, price, total invoice amount, est. shipment date, terms of sale (including discounts and freight costs), carrier and credit authorization]
check digit - an extra digit is added to numbers to detect errors in transmission
Acct#   description        $amount
50011   factory wage-reg   54,321.89
50021   factory wage-ot    11,573.91
50101   office wage-reg    32,811.00
50111   office wage-ot          1.64
                           98,708.44
[Figure label: check digits]
record count - a control total of records processed (example: number of employee records processed in calculating payroll)
SI number   Emp. name     Hours   Rate
423988745   Jon Duchac    46      6.45
127874639   Paul Juras    51      6.55
567398674   Dale Martin   41      8.30
245376868   Tom Taylor    43      8.60
RECORD COUNT = 4
reasonableness and limit tests - determine if amounts are too high, too low, or unreasonable (example: the maximum employee pay rate may be $15/hour)
SS number   Emp. name     Hours   Rate
423988745   Jon Duchac    46      6.45
127874639   Paul Juras    51      6.55
567398674   Dale Martin   41      8.30
245376868   Tom Taylor    43      28.60
ERROR MESSAGE: Rate exceeds specified parameters.
field size check - results in an error message if more or less than a certain number of characters is input (example: social insurance numbers always have 9 characters)
SI number    Emp. name     Hours   Rate
423988745    Jon Duchac    46      6.45
127874639    Paul Juras    51      6.55
567398674    Dale Martin   41      8.30
2453768688   Tom Taylor    43      8.60
ERROR MESSAGE: SIN has excess characters.
field check - ensures that only numbers, alphabetic characters, or special characters are accepted into a specific field (example: SI numbers always have numeric characters)
SI number   Emp. name     Hours   Rate
423988745   Jon Duchac    46      6.45
127874639   Paul Juras    51      6.55
567398674   Dale Martin   41      8.30
245at6868   Tom Taylor    43      8.60
ERROR MESSAGE: SIN has non-numeric characters.
validity check - allows only previously-defined valid data to be entered into a data field (example: employee status must be either “hourly” or “salary”)
Emp. name     Status    Hours   Rate
Jon Duchac    hourly    46      6.45
Paul Juras    hourly    51      6.55
Dale Martin   salary    -       -
Tom Taylor    unknown   -       -
ERROR MESSAGE: status must be either “hourly” or “salary”
Processing Controls
assure that data entered into the system are processed, processed only once, and processed accurately
Examples of Processing Controls
control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense)
Acct#   description        $amount
5001    factory wage-reg   54,321.89
5002    factory wage-ot    11,573.91
5010    office wage-reg    32,811.00
5011    office wage-ot          1.64
        wages expense      98,708.44   (control)
logic test - ensures against illogical combinations of information (example: a salaried employee does not report hours worked)
Emp. name     Status   Hours   Rate
Jon Duchac    hourly   46      6.45
Paul Juras    hourly   51      6.55
Dale Martin   salary   -       -
Tom Taylor    salary   43      -
ERROR MESSAGE: for salaried employees, “Hours” should be “-”
completeness check - results in an error if information is incomplete
SI number   Emp. name     Hours   Rate
423988745   Jon Duchac    46      6.45
127874639   Paul Juras    51      6.55
567398674   Dale Martin   41      8.30
            Tom Taylor    43      8.60
ERROR MESSAGE: Tom Taylor’s SIN has not been input.
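The input and processing edit checks listed above, applied by one routine to a batch of payroll records. This is an added example, not part of the original slides; the batch merges the slides' sample rows into one constructed file, and the function names and the control count of 9 are assumptions.

```python
from decimal import Decimal, InvalidOperation

MAX_RATE = Decimal("15.00")          # limit test parameter from the slide ($15/hour)
VALID_STATUS = {"hourly", "salary"}  # validity check values from the slide
SIN_LENGTH = 9                       # field size from the slide

# Constructed batch: the slides' rows merged into one file
# (SIN, name, status, hours, rate). Rows 4-9 each carry one slide error.
BATCH = [
    ("423988745", "Jon Duchac", "hourly", "46", "6.45"),
    ("127874639", "Paul Juras", "hourly", "51", "6.55"),
    ("567398674", "Dale Martin", "salary", "-", "-"),
    ("245376868", "Tom Taylor", "hourly", "43", "28.60"),
    ("2453768688", "Tom Taylor", "hourly", "43", "8.60"),
    ("245at6868", "Tom Taylor", "hourly", "43", "8.60"),
    ("245376868", "Tom Taylor", "unknown", "-", "-"),
    ("245376868", "Tom Taylor", "salary", "43", "-"),
    ("", "Tom Taylor", "hourly", "43", "8.60"),
]
CONTROL_COUNT = 9  # record count submitted with the batch (constructed)


def edit_record(sin, name, status, hours, rate):
    """Return every edit-check failure for one input record."""
    errors = []
    if not sin:
        errors.append("completeness check: SIN has not been input")
    else:
        if not (sin.isascii() and sin.isdigit()):
            errors.append("field check: SIN has non-numeric characters")
        if len(sin) != SIN_LENGTH:
            errors.append("field size check: SIN must have 9 characters")
    if status not in VALID_STATUS:
        errors.append("validity check: status must be hourly or salary")
    elif status == "salary":
        if hours != "-":
            errors.append("logic test: salaried employees do not report hours")
    else:
        try:
            if Decimal(rate) > MAX_RATE:
                errors.append("limit test: rate exceeds specified parameters")
        except InvalidOperation:
            errors.append("field check: rate is not numeric")
    return errors


def edit_batch(batch, control_count):
    """Edit each record, then reconcile the record count to the control total."""
    accepted, rejected = [], []
    for line_no, record in enumerate(batch, start=1):
        errors = edit_record(*record)
        if errors:
            rejected.append((line_no, errors))
        else:
            accepted.append(record)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "record_count_ok": len(batch) == control_count,
    }


if __name__ == "__main__":
    result = edit_batch(BATCH, CONTROL_COUNT)
    print("record count reconciles:", result["record_count_ok"])
    for line_no, errors in result["rejected"]:
        print(f"record {line_no}: " + "; ".join(errors))
```
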
Output Controls
assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities
Examples of Output Controls
- limits on quantity of output and/or processing time - programmed constraints on time and/or output that prevent waste of resources
Objectives of Application Controls
1. Design application controls with regard to:
   - segregation of incompatible functions
   - security
   - development
   - processing of information systems
2. Information provided by the systems is:
   - complete
   - accurate
   - authorized
3. Existence of adequate management trails
There are two general approaches to auditing EDP systems:
1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware.
   - This approach involves no tests of the computer programs and no auditor use of the computer.
   - The logic of this approach is: “If we understand what went in and what came out, we understand the system.”
   - Auditing “around” the computer depends on a visible, traceable, hard copy audit trail made of manually-prepared and computer-prepared documents.
   Can an auditor effectively “audit around” a client’s EDP system?
   Possibly! Many clients, however, do not have a hard copy audit trail. Increasingly, data are recorded on computer disk and never printed.
2. Auditing with use of the computer involves extensive testing of computer hardware and software.
   - Auditing with use of the computer emphasizes the input and processing phases of EDP systems.
Techniques for auditing with use of the computer
1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s system.
   Test data involves the use of auditor-prepared data, client programs, and client hardware.
   What are the shortcomings of the use of test data?
   - possibility of accidental integration of fictitious and actual data
   - preparation of test data that examines all aspects of the application is difficult
   - the auditor must make sure that the program being tested is the one actually used in routine processing
2. Parallel simulation
   - the auditor writes a computer program that replicates part of the client’s system
   - the auditor’s program is used to process actual client data
   - the results from the auditor’s program and that of the client’s routine processing are compared
   Parallel simulation usually involves the use of actual client data, the auditor’s program, and client hardware.
   With parallel simulation, the auditor must make sure that the program being tested is the one actually used in routine processing.
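Parallel simulation as described above, in miniature: an auditor-written program recomputes gross pay from the client's input data and compares the result with the client's own output. This is an added example, not part of the original slides; the pay rule (hours times rate, no overtime premium), the client output figures and the SIN 999999999 are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Client input data: the payroll rows shown on the slides (SIN, name, hours, rate).
CLIENT_DATA = [
    ("423988745", "Jon Duchac", "46", "6.45"),
    ("127874639", "Paul Juras", "51", "6.55"),
    ("567398674", "Dale Martin", "41", "8.30"),
    ("245376868", "Tom Taylor", "43", "8.60"),
]

# Constructed output of the client's routine processing: gross pay by SIN.
CLIENT_OUTPUT = {
    "423988745": "296.70",
    "127874639": "334.05",
    "567398674": "348.60",   # differs from the auditor's recomputation
    "245376868": "369.80",
    "999999999": "250.00",   # paid, but absent from the input file
}


def auditor_gross_pay(hours, rate):
    """Auditor's independent rule (assumed): hours x rate, rounded to the cent."""
    return (Decimal(hours) * Decimal(rate)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_data, client_output):
    """Reprocess client data with the auditor's program and compare results."""
    expected = {sin: auditor_gross_pay(h, r) for sin, _name, h, r in client_data}
    differences = []
    for sin, auditor_amount in expected.items():
        client_amount = client_output.get(sin)
        if client_amount is None:
            differences.append((sin, auditor_amount, None))
        elif Decimal(client_amount) != auditor_amount:
            differences.append((sin, auditor_amount, Decimal(client_amount)))
    # Output records with no matching input record need follow-up as well.
    unmatched = sorted(set(client_output) - set(expected))
    return {
        "differences": differences,
        "unmatched_output": unmatched,
        "auditor_total": sum(expected.values(), Decimal("0")),
        "client_total": sum((Decimal(v) for v in client_output.values()), Decimal("0")),
    }


if __name__ == "__main__":
    report = parallel_simulation(CLIENT_DATA, CLIENT_OUTPUT)
    for sin, auditor_amount, client_amount in report["differences"]:
        print(f"{sin}: auditor {auditor_amount}, client {client_amount}")
    print("output without input:", report["unmatched_output"])
    print("totals:", report["auditor_total"], "vs", report["client_total"])
```
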
Generalized Audit Software
a set of programs specifically designed to perform certain data processing functions that are useful to the auditor; can be used on a variety of clients.
Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be downloaded into the auditor’s system and manipulated in a variety of ways.
Uses of Generalized Audit Software (GAS)
- verifying extensions and footings
- examining records for quality, completeness, consistency, and correctness. GAS can scan records and print those that are exceptions to auditor-specified criteria.
- comparing data on separate files (figure: human resources and payroll accounting)
- summarizing or resequencing data and performing analyses
- comparing data obtained through other audit procedures with company records
- selecting audit samples
- printing confirmation requests
12/31/04 AGE, BASED ON INVOICE DATE
CUSTOMER     BALANCE   0-30    31-60   61-90   OVER 90
AKINC          1276     170    1106
BOWERS          534     534
DEWASTALI      7523    7100             423
DUNKLEBURG       97              97
EASLEY        23000   21000    2000
EWING          8969                              8969
GOHO           1500    1500
HARRISON      56900                             56900
MCCRAY         6500                     6500
             106299   30304    3203    6923    65869
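Two of the GAS uses listed above, run against the aged receivables report from the slide: verifying footings and cross-footings, and scanning for records that meet an auditor-specified criterion. This is an added example, not part of the original slides; each amount is placed in the aging column that makes the report's printed totals foot, and the function names are assumptions.

```python
BUCKETS = ("0-30", "31-60", "61-90", "over 90")

# Aged receivables at 12/31/04 from the slide:
# customer -> (balance, amounts per aging bucket in BUCKETS order).
AGING = {
    "AKINC": (1276, (170, 1106, 0, 0)),
    "BOWERS": (534, (534, 0, 0, 0)),
    "DEWASTALI": (7523, (7100, 0, 423, 0)),
    "DUNKLEBURG": (97, (0, 97, 0, 0)),
    "EASLEY": (23000, (21000, 2000, 0, 0)),
    "EWING": (8969, (0, 0, 0, 8969)),
    "GOHO": (1500, (1500, 0, 0, 0)),
    "HARRISON": (56900, (0, 0, 0, 56900)),
    "MCCRAY": (6500, (0, 0, 6500, 0)),
}

# Totals printed at the foot of the client's report.
REPORTED = {"balance": 106299, "buckets": (30304, 3203, 6923, 65869)}


def verify_footings(rows, reported):
    """Return (kind, item, reported value, recomputed value) for every mismatch."""
    exceptions = []
    # Cross-foot: each customer's aged amounts must add across to the balance.
    for customer, (balance, aged) in rows.items():
        if sum(aged) != balance:
            exceptions.append(("cross-foot", customer, balance, sum(aged)))
    # Foot: each column must add down to the printed total.
    footed_balance = sum(balance for balance, _aged in rows.values())
    if footed_balance != reported["balance"]:
        exceptions.append(("foot", "BALANCE", reported["balance"], footed_balance))
    for i, bucket in enumerate(BUCKETS):
        footed = sum(aged[i] for _balance, aged in rows.values())
        if footed != reported["buckets"][i]:
            exceptions.append(("foot", bucket, reported["buckets"][i], footed))
    return exceptions


def scan_bucket(rows, bucket, minimum=1):
    """Exception scan: customers with at least `minimum` in the given bucket."""
    i = BUCKETS.index(bucket)
    return sorted(c for c, (_balance, aged) in rows.items() if aged[i] >= minimum)


if __name__ == "__main__":
    print("footing exceptions:", verify_footings(AGING, REPORTED))
    print("over 90 days:", scan_bucket(AGING, "over 90"))
```
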