Date post: | 22-Dec-2015 |
Category: |
Documents |
View: | 240 times |
Download: | 0 times |
Auditing 81.3550Auditing 81.3550
Auditing & Automated Systems
Chapter 22
Auditing & Automated Systems
Chapter 22
Auditing and Computer SystemsAuditing and Computer Systems
• As client computing facilities become more sophisticated, “paperless” accounting systems evolve wherein little “hard copy” documentation is produced
• Evidence forms may differ slightly but the basic procedures and objects are often similar.
Challenges of Sophisticated Computer Systems
Challenges of Sophisticated Computer Systems
- audit trails, documentation may only exist on disk (no printed copies)- program errors may exist that cause uniform transaction errors- in some circumstances, controls may have to make up for a lack of adequate segregation of duties- detecting unauthorized access may be difficult
• electronic method of sending documents between companies
• no “paper trail” for the auditor to follow
• increased emphasis on front-end controls
• security becomes key element in controlling system
• electronic method of sending documents between companies
• no “paper trail” for the auditor to follow
• increased emphasis on front-end controls
• security becomes key element in controlling system
Challenges of Sophisticated Computer Systems
Challenges of Sophisticated Computer Systems
Electronic Fund Transfers (EFT)Electronic Fund Transfers (EFT)
• also referred to as electronic commerce, or e-commerce
• greatly increased through “internet shopping”
• direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors
• also referred to as electronic commerce, or e-commerce
• greatly increased through “internet shopping”
• direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
• As part of the audit equation need to assess computer control systems in place
• Starting point obtaining clients computer system documentation, diagrams, policies and procedures
• As part of the audit equation need to assess computer control systems in place
• Starting point obtaining clients computer system documentation, diagrams, policies and procedures
• loss of confidential information, through corporate espionage or “hackers”
- create multiple levels of passwords; change regularly
• data intercepted during data communication
- encrypt (scramble) information during transmission
• loss of confidential information, through corporate espionage or “hackers”
- create multiple levels of passwords; change regularly
• data intercepted during data communication
- encrypt (scramble) information during transmission
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
• inappropriate access to information via the Internet
- use of firewalls - physically separate homepage
equipment and software from other systems
• viruses invading systems - same as above - use current anti-virus
software
• inappropriate access to information via the Internet
- use of firewalls - physically separate homepage
equipment and software from other systems
• viruses invading systems - same as above - use current anti-virus
software
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
• Organization should have a well planned disaster recovery plan
• Should include regular offsite storage of prior data
• Organization should have a well planned disaster recovery plan
• Should include regular offsite storage of prior data
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
Data Communications Risks Data Communications Risks and and Control ProceduresControl Procedures
Disaster Recovery Process Disaster Recovery Process BasicsBasics
1. Management commitment to disaster recovery planning.
2. Ranking of business processes: What will happen if process x
fails?
3. Identifying minimum resources required to restore vital
operations.
Disaster Recovery Process Disaster Recovery Process BasicsBasics
4. Prepare a data centre plan and a user plan.
5. Test the plan, to discover any shortcomings in the plan before disaster strikes.
Categories of Controls in an Categories of Controls in an EDP EnvironmentEDP Environment
GENERAL CONTROLSrelate to all parts of
the EDP system.
APPLICATION CONTROLSrelate to one specific
use of the system
payroll system
expenditure system
revenue system
revenue system
Categories of General Controls
1. plan of organization
Separate duties inEDP systems as discussed
in chapter 9.
2. systems development and documentation controls
• each system should have documented, authorized specifications• any system changes should be author- ized and documented
2. systems development and documentation controls
• each system should have documented, authorized specifications• any system changes should be author- ized and documented
Categories of General Controls
• 3. hardware controls• 3. hardware controls
Categories of General Controls
-diagnostic routines - hardware or software that checks the system’s internal operations and devices
-boundary protection - ensures that simultaneous jobs do not interfere with one another
-periodic maintenance - hardware should be examined periodically by qualified technicians
4. controls over access to equipment, programs, and data files – limited on need basis
Categories of General Controls
ACCESS TO:
programdocumentation
data files &programs
computer hardware
1. Responsibility for control2. Information system meets needs of entity3. Efficient implementation of information
systems4.Efficient and effective maintenance of
information systems5.Effective and efficient development and
acquisition of information systems6.Present and future requirements of users can
be met7.Efficient and effective use of resources within
information systems processing
1. Responsibility for control2. Information system meets needs of entity3. Efficient implementation of information
systems4.Efficient and effective maintenance of
information systems5.Effective and efficient development and
acquisition of information systems6.Present and future requirements of users can
be met7.Efficient and effective use of resources within
information systems processing
Objectives of General ControlsObjectives of General Controls
8.Complete, accurate and timely processing of authorized information systems
9.Appropriate segregation of incompatible functions
10.All access to information and information systems is authorized
11.Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13.Maintenance and recovery of critical user activities
8.Complete, accurate and timely processing of authorized information systems
9.Appropriate segregation of incompatible functions
10.All access to information and information systems is authorized
11.Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13.Maintenance and recovery of critical user activities
Objectives of General ControlsObjectives of General Controls
Physical AccessPhysical Access ControlsControls
•Visitor identification•Security guards•Security systems•Locked areas
• 3 Basic categories:• 3 Basic categories:
Application ControlsApplication Controls
input processing output
Input ControlsInput ControlsInput ControlsInput Controls
• input data should be authorized & approved
• the system should edit the input data & prevent errors
• Examples include: validity checks, field checks, reasonableness check, record counts etc.
Processing ControlsProcessing Controls
assure thatdata entered intothe system are
processed, processedonly once, and
processed accurately
Examples control, batch, or proof total - a total of a
numerical field for all the records of a batch that normally would be added (example: wages expense)
logic test - ensures against illogical combinations of information (example: a salaried em-ployee does not report hours worked)
Processing ControlsProcessing Controls
Output ControlsOutput Controls
assure thatdata generated by
the system are valid,accurate, complete,and distributed to
authorized persons inappropriate quantities
1. Design application controls with regard to: - segregation of incompatible functions - security - development - processing of information systems2. Information provided by the systems is: - complete - accurate - authorized3. Existence of adequate management trails
Objectives of Application ControlsObjectives of Application Controls
There are two general approachesgeneral approaches to auditing EDP systems:
1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware.
This approach involves no tests of thecomputer programs and no auditor useof the computer.
1. Auditing “around” the computer depends on a visible, traceable,
hard copy audit trail made of manually prepared and computer-prepared documents.
There are two general approachesgeneral approaches to auditing EDP systems:
2. Auditing with use of the computer involves extensive testing of computer hardware and software.
2. Auditing with use of the computer involves extensive testing of computer hardware and software.
There are two general approachesgeneral approaches to auditing EDP systems:
1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s
system.
Techniques for auditingTechniques for auditingwith use of the computerwith use of the computer
What are the What are the shortcomingsshortcomings of the of the use of test data?use of test data?
- possibility of accidental integration of fictitious and actual data- preparation of test data that examines all aspects of the application is difficult- the auditor must make sure that the program being tested is the one actually used in routine processing
• 2. Parallel simulation• 2. Parallel simulation
techniques for auditingtechniques for auditingwith use of the computerwith use of the computer
-the auditor writes a computer program that replicates part of the client’s system
-the auditor’s program is used to process actual client data
- the results from the auditor’s program and that of the client’s routine processing are compared
Auditing SoftwareAuditing Software
Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be down-loaded into the auditor’s system and manipulated in a variety of ways.
Common Audit Software Functions
Common Audit Software Functions
- verifying extensions and footings- examining records- comparing data on separate files - summarizing or re-sequencing data and performing analyses- comparing data obtained through other audit procedures with company records- selecting audit samples- printing confirmation requests
- verifying extensions and footings- examining records- comparing data on separate files - summarizing or re-sequencing data and performing analyses- comparing data obtained through other audit procedures with company records- selecting audit samples- printing confirmation requests