Auditing of Computer-Based Information Systems
The Nature of Auditing
The American Accounting Association defines auditing as follows:
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
Internal Auditing Standards
According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system.
The IIA’s five audit scope standards are:
1. Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
3. Review how assets are safeguarded, and verify the existence of assets as appropriate.
4. Examine company resources to determine how effectively and efficiently they are utilized.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.
Types of Internal Auditing Work
What are the three different types of audits commonly performed?
1. Financial audit
2. Information system (IS) audit
3. Operational or management audit
An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages.
1. Audit planning
2. Collection of audit evidence
3. Evaluation of audit evidence
4. Communication of audit results
Audit Planning
Establish scope and objectives
Organize audit team
Develop knowledge of business operations
Review prior audit results
Identify risk factors
Prepare audit program
Collection of Audit Evidence
Observation of operating activities
Review of documentation
Discussion with employees and questionnaires
Physical examination of assets
Confirmation through third parties
Reperformance of procedures
Vouching of source documents
Analytical review and sampling
Evaluation of Audit Evidence
Assess quality of internal controls
Assess reliability of information
Assess operating performance
Consider need for additional evidence
Consider risk factors
Consider materiality factors
Document audit findings
Communication of Audit Results
Formulate audit conclusions
Develop recommendations for management
Present audit results to management
Information Systems Audits
The purpose of an AIS audit is to review and evaluate the internal controls that protect the system.
When performing an IS audit, auditors should ascertain that the following objectives are met:
1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
2. Program development and acquisition is performed in accordance with management’s general and specific authorization.
3. Program modifications have the authorization and approval of management.
4. Processing of transactions, files, reports, and other computer records is accurate and complete.
5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
6. Computer data files are accurate, complete, and confidential.
The Risk-Based Audit Approach
The risk-based approach to auditing provides auditors with a clear understanding of the errors and irregularities that can occur and the related risks and exposures.
This understanding provides a sound basis for developing recommendations to management on how the AIS control system should be improved.
What is the four-step approach to internal control evaluation?
1. Determine the threats facing the AIS.
2. Identify the control procedures that should be in place to minimize each threat.
3. Evaluate the control procedures.
4. Evaluate weaknesses (errors and irregularities not covered by control procedures).
Computer Software
A number of computer programs, called computer audit software (CAS) or generalized audit software (GAS), have been written especially for auditors.
CAS is a computer program that, based on the auditor’s specifications, generates programs that perform the audit functions.
Usage of Computer Software
The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.
This information is recorded on specification sheets and entered into the system via a data entry program.
General Functions of Computer Audit Software
– Reformatting
– File manipulation
– Calculation
– Data selection
– Data analysis
– File processing
– Statistics
– Report generation
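The following is an added illustration, not code from the original notes or from any real CAS/GAS product: a small Python script that performs several of the functions listed above (file processing, data selection, calculation by reperformance, statistics, report generation) against a constructed transaction extract. The CSV records, the defects planted in them, and the 5,000 authorization limit are all assumed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample input standing in for a transaction file extracted from
# the AIS under audit (hypothetical records; the duplicate id, the unapproved
# large purchase and the wrong extension on 1005 are planted defects).
SAMPLE_CSV = """txn_id,vendor,quantity,unit_price,extended_amount,approved_by
1001,Acme Supply,10,25.00,250.00,mgr01
1002,Acme Supply,4,99.50,398.00,mgr01
1003,Delta Parts,1,12000.00,12000.00,
1004,Delta Parts,3,40.00,120.00,clerk7
1004,Delta Parts,3,40.00,120.00,clerk7
1005,Omega Ltd,2,300.00,650.00,mgr02
"""
AUTHORIZATION_LIMIT = 5000.00  # assumed policy: amounts at/above need an approver

def load_transactions(text):
    """File processing: parse the extracted file into typed records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["quantity"] = int(r["quantity"])
        r["unit_price"] = float(r["unit_price"])
        r["extended_amount"] = float(r["extended_amount"])
    return rows

def select_exceptions(rows, limit=AUTHORIZATION_LIMIT):
    """Data selection and calculation: apply the audit tests to every record."""
    ids = Counter(r["txn_id"] for r in rows)
    found = set()
    for r in rows:
        # Reperformance: recompute quantity x price and compare to the stored total.
        if abs(r["quantity"] * r["unit_price"] - r["extended_amount"]) > 0.005:
            found.add((r["txn_id"], "extension mismatch"))
        # Authorization test: large amounts must carry an approver.
        if r["extended_amount"] >= limit and not r["approved_by"]:
            found.add((r["txn_id"], "unapproved over limit"))
        # Integrity test: the same transaction id must not appear twice.
        if ids[r["txn_id"]] > 1:
            found.add((r["txn_id"], "duplicate id"))
    return sorted(found)

def report(text=SAMPLE_CSV):
    """Statistics and report generation: exception report for the working papers."""
    rows = load_transactions(text)
    total = round(sum(r["extended_amount"] for r in rows), 2)
    lines = [f"AUDIT EXCEPTION REPORT: {len(rows)} records, total {total:.2f}"]
    lines += [f"  {tid}: {reason}" for tid, reason in select_exceptions(rows)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report())
```

Each flagged record maps back to an IS audit objective: the extension mismatch to accurate processing, the missing approver to management authorization, and the duplicate id to file integrity.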
Operational Audits of an AIS
The techniques and procedures used in operational audits are similar to those of IS and financial audits.
The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to IS output.
The operational audit scope encompasses all aspects of IS management.
Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement.
What are some evidence collection activities?
– Reviewing operating policies and documentation
– Confirming procedures with management and operating personnel
– Observing operating functions and activities
– Examining financial and operating plans and reports
– Testing the accuracy of operating information
– Testing controls