chapter 7-1. chapter 7-2 accounting information systems, 1 st edition auditing information...

Chapter 7-1

Chapter 7-2 Accounting Information Systems, 1st Edition

Auditing Information Technology-Based Processes

Chapter 7-3

1. An introduction to auditing IT processes

2. The various types of audits and auditors

3. Information risk and IT-enhanced internal control

4. Authoritative literature used in auditing

5. Management assertions used in the auditing process and the related audit objectives

6. The phases of an IT audit

7. The use of computers in audits

8. Tests of controls

9. Tests of transactions and tests of balances

10. Audit Completion/Reporting

11. Other audit considerations

12. Ethical issues related to auditing

Study ObjectivesStudy ObjectivesStudy ObjectivesStudy Objectives

Chapter 7-4 SO 1 An introduction to auditing IT processesSO 1 An introduction to auditing IT processes

Introduction to Auditing IT Introduction to Auditing IT ProcessesProcessesIntroduction to Auditing IT Introduction to Auditing IT ProcessesProcesses

Accounting services that improve the quality of information are called assurance services.

An audit is the most common type of assurance service.

Chapter 7-5 SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors

Types of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and AuditorsTypes of Audits and Auditors

Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information.

Three primary types of audits include

compliance audits,

operational audits, and

financial statement audits.



Audits are typically conducted by accountants.

Certified public accountants (CPAs)

Internal auditor

IT auditors

Government auditors



IT environment plays a key role in how auditors conduct their work in the following areas:

Consideration of risk

Audit procedures used to obtain knowledge of accounting and internal control systems

Design and performance of audit tests

Chapter 7-8

Concept CheckConcept Check

SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors


Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?

a. Financial statement audits

b. Operational audits

c. Regulatory audits

d. Compliance audits

Chapter 7-9


SO 2 The various types of audits and auditorsSO 2 The various types of audits and auditors


Financial statement audits are required to be performed by

a. government auditors.

b. CPAs.

c. internal auditors.

d. IT auditors.

Chapter 7-10 SO 3 Information risk and IT-enhanced internal controlSO 3 Information risk and IT-enhanced internal control

Risk and IT-Enhanced Internal Risk and IT-Enhanced Internal ControlControlRisk and IT-Enhanced Internal Risk and IT-Enhanced Internal ControlControl

Information risk is the chance that information used by decision makers may be inaccurate.

Following are some causes of information risk:

Remoteness of information

Volume and complexity of underlying data

Motive of the preparer

Chapter 7-11 SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing

Authoritative Literature Used in Authoritative Literature Used in AuditingAuditingAuthoritative Literature Used in Authoritative Literature Used in AuditingAuditing

Sources of authoritative literature

Generally accepted auditing standards (GAAS)

Public Company Accounting Oversight Board (PCAOB)

Auditing Standards Board (ASB)

International Audit Practices Committee (IAPC)

Information Systems Audit and Control Association (ISACA).

Chapter 7-12


Which of the following is not a part of generally accepted auditing standards?

a. general standards

b. standards of fieldwork

c. standards of information systems

d. standards of reporting

SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing


Chapter 7-13


Which of the following best describes what is meant by the term “generally accepted auditing standards”?

a. Procedures used to gather evidence to support the accuracy of a client’s financial statements

b. Measures of the quality of an auditor’s conduct

c. Professional pronouncements issued by the Auditing Standards Board

d. Rules acknowledged by the accounting profession because of their widespread applicationSO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing


Chapter 7-14


In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to

a. document the auditor’s understanding of the client company’s internal controls.

b. search for weaknesses in the operation of the client company’s internal controls.

c. perform tests of controls to evaluate the effectiveness of the client company’s internal controls.

d. determine whether controls are appropriately designed to prevent or detect material misstatements.SO 4 Authoritative literature used in auditingSO 4 Authoritative literature used in auditing


Chapter 7-15

SO 5 Management assertions used in the SO 5 Management assertions used in the auditing process and the related audit auditing process and the related audit objectivesobjectives

Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectivesResponsibility for the preparation of financial statements lies with management

Management assertions are claims regarding the financial condition and results of operations.

Existence/occurrence

Valuation and Allocation

Accuracy, Classification, Cutoff

Completeness

Rights and Obligations

Presentation and Disclosure

Audit tests developed for an audit client are documented in

an audit program.

Chapter 7-16


Auditors should design a written audit program so that

a. all material transactions will be included in substantive testing.

b. substantive testing performed prior to year end will be minimized.

c. the procedures will achieve specific audit objectives related to specific management assertions.

d. each account balance will be tested under either a substantive test or a test of controls.


Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectives

Chapter 7-17


Which of the following audit objectives relates to the management assertion of existence?

a. A transaction is recorded in the proper period.

b. A transaction actually occurred (i.e., it is real).

c. A transaction is properly presented in the financial statements.

d. A transaction is supported by detailed evidence.


Management Assertions and Audit Management Assertions and Audit ObjectivesObjectivesManagement Assertions and Audit Management Assertions and Audit ObjectivesObjectives

Chapter 7-18 SO 6 The phases of an IT auditSO 6 The phases of an IT audit

Phases of an IT AuditPhases of an IT AuditPhases of an IT AuditPhases of an IT Audit

There are four primary phases to an IT audit:

planning,

tests of controls,

substantive tests, and

audit completion/reporting.


Phases of an IT Phases of an IT AuditAuditPhases of an IT Phases of an IT AuditAudit Exhibit 7-4

Process Map of Phases of an Audit



Audit evidence is proof of the fairness of financial information. Techniques for gathering evidence:

physically examining or inspecting assets or supporting documentation

obtaining written confirmations

rechecking or recalculating information

observing the underlying activities

making inquiries of client personnel

analyzing financial relationships and comparisons



Audit Planning

Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives.


Audit Planning

Phases of an IT Phases of an IT AuditAuditPhases of an IT Phases of an IT AuditAudit

Exhibit 7-5Audit Planning Phase Process Map

Chapter 7-23


Risk assessment is a process designed to

a. identify possible events that may effect the business.

b. establish policies and procedures to carry out internal controls.

c. identify and capture information in a timely manner.

d. test the internal controls throughout the year.

SO 6 The phases of an IT auditSO 6 The phases of an IT audit


Chapter 7-24


Which of the following audit procedures is most likely to be performed during the planning phase of the audit?

a. Obtain an understanding of the client’s risk assessment process.

b. Identify specific internal control activities that are designed to prevent fraud.

c. Evaluate the reasonableness of the client’s accounting estimates.

d. Test the timely cutoff of cash payments and collections.

SO 6 The phases of an IT auditSO 6 The phases of an IT audit


Chapter 7-25 SO 7 The use of computers in auditsSO 7 The use of computers in audits

Use of Computers in AuditsUse of Computers in AuditsUse of Computers in AuditsUse of Computers in Audits

Auditing around the computer

Auditing through the computer

Auditing with the computer

Computer-assisted audit techniques (CAATs)

Chapter 7-26


Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?

a. The time involved in testing processing controls is significant.

b. The cost involved in testing processing controls is significant.

c. A portion of the audit trail is not tested.

d. The technical expertise required to test processing controls is extensive.

SO 7 The use of computers in auditsSO 7 The use of computers in audits

Use of Computers in AuditsUse of Computers in AuditsUse of Computers in AuditsUse of Computers in Audits

Chapter 7-27 SO 8 Test of controlsSO 8 Test of controls

Tests of ControlsTests of ControlsTests of ControlsTests of Controls

Tests of controls involve audit procedures designed to evaluate both general controls and application controls.

Exhibit 7-6Control Testing Phase Process Map



General Controls

Two broad categories of general controls that relate to IT systems:

IT administration and related operating systems development and maintenance processes

Security controls and related access issues



General Controls

IT Administration

Audit tests include review for the existence and communication of company policies regarding:

personal accountability and segregation of incompatible responsibilities

job descriptions and clear lines of authority

computer security and virus protection

IT systems documentation



General Controls

Security Controls

To test external access controls, auditors may perform:

Authenticity tests.

Penetration tests

Vulnerability assessments

Review access logs to identify unauthorized users or failed access attempts



Application Controls

Computerized controls over application programs.

Auditors should test

Systems documentation

Main functions of the computer applications

input,

processing, and

output.




Input Controls

1. Financial totals

2. Hash totals

3. Completeness or redundancy tests

4. Limit tests

5. Validation checks

6. Field checks




Processing Controls, techniques for testing

1. Test data method

2. Program tracing

3. Integrated test facility

4. Parallel simulation

5. Embedded audit modules




Output Controls

1. Reasonableness tests

2. Audit trail tests

3. Rounding errors tests

Chapter 7-35


The primary objective of compliance testing in a financial statement audit is to determine whether

a. procedures have been updated regularly.

b. financial statement amounts are accurately stated.

c. internal controls are functioning as designed.

d. collusion is taking place.

SO 8 Test of controlsSO 8 Test of controls


Chapter 7-36


Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system?

a. Test data method

b. Embedded audit module

c. Integrated test facility

d. Parallel simulationSO 8 Test of controlsSO 8 Test of controls


Chapter 7-37


Which of the following is a general control to test for external access to a client’s computerized systems?

a. Penetration tests

b. Hash totals

c. Field checks

d. Program tracing

SO 8 Test of controlsSO 8 Test of controls


Chapter 7-38 SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances

Tests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and BalancesTests of Transactions and Balances

Substantive Testing - tests of accuracy of monetary amounts of transactions and account balances.

Computerized auditing tools make it possible for more efficient audit tests such as:

mathematical and statistical calculations data queries identification of missing items in a sequence stratification and comparison of data items selection of items of interest from the data files summarization of testing results into a useful

format for decision making

Chapter 7-39 SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances


Exhibit 7-9Substantive Testing Phase Process Map

Chapter 7-40


Generalized audit software can be used to

a. examine the consistency of data maintained on computer files.

b. perform audit tests of multiple computer files concurrently.

c. verify the processing logic of operating system software.

d. process test data against master files that contain both real and fictitious data.

SO 9 Test of transactions and tests of balancesSO 9 Test of transactions and tests of balances


Chapter 7-41 SO 10 Audit Completion/ReportingSO 10 Audit Completion/Reporting

Audit Completion/ReportingAudit Completion/ReportingAudit Completion/ReportingAudit Completion/Reporting

Four basic types of reports:

1. Unqualified opinion

2. Qualified opinion

3. Adverse opinion

4. Disclaimer

The most important task is obtaining a letter of representations from client management.

Chapter 7-42

Audit Completion/ReportingAudit Completion/ReportingAudit Completion/ReportingAudit Completion/Reporting

SO 10 Audit SO 10 Audit Completion/ReportingCompletion/Reporting

Exhibit 7-10Audit Completion/Reporting Phase Process Map

Chapter 7-43 SO 11 Other audit considerationsSO 11 Other audit considerations

Other Audit ConsiderationsOther Audit ConsiderationsOther Audit ConsiderationsOther Audit Considerations

Different IT Environments

Using PCs, companies may use IT environments that involve

networks,

database management systems, and/or

e-commerce systems.


Changes in a Client’s IT Environment

Auditors must consider whether additional audit testing is needed.

Specific audit tests include verification of: Assessment of user needs

Authorization for new projects and program changes

Adequate feasibility study and cost–benefit analysis

Proper design documentation

Proper user instructions

Adequate testing before system is put into use



Sampling

Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results.


Chapter 7-46


Independent auditors are generally actively involved in each of the following tasks except:

a. Preparation of a client’s financial statements and accompanying notes

b. Advising client management as to the applicability of a new accounting standard

c. Proposing adjustments to a client’s financial statements

d. Advising client management about the presentation of the financial statements

SO 11 Other audit considerationsSO 11 Other audit considerations


Chapter 7-47


Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?

a. Due professional care

b. Competence

c. Independence

d. A complex underlying body of professional knowledge



Chapter 7-48


Which of the following terms is not associated with the auditor’s requirement to maintain independence?

a. Objectivity

b. Neutrality

c. Professional skepticism

d. Competence



Chapter 7-49 SO 12 Ethical issues related to auditingSO 12 Ethical issues related to auditing

AICPA Code of Professional Conduct

Six principles of the code:

1. Responsibilities.

2. The Public Interest.

3. Integrity.

4. Objectivity and Independence. CPAs

5. Due Care

6. Scope and Nature of Services

Ethical Issues Related to AuditingEthical Issues Related to AuditingEthical Issues Related to AuditingEthical Issues Related to Auditing

Auditors must practice

professional skepticism

Chapter 7-50

Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

CopyrightCopyrightCopyrightCopyright

Chapter 7-51

b. Reducing inventory quantities.

Manufacturing companies implement ERP systems for the primary purpose of


c. Sharing information.

d. Reducing investments.

a. Increasing productivity.

SO 1 The overview of an ERP systemSO 1 The overview of an ERP system

Overview of ERP SystemsOverview of ERP SystemsOverview of ERP SystemsOverview of ERP Systems

chapter 7-1. chapter 7-2 accounting information systems, 1 st edition auditing information...

Documents