ANALYSIS APPROACH
5th edition
Larry F. Konrath
Electronic Presentation
by Harold O. Wilson
Chapter 8
LEARNING OBJECTIVES
Differentiate auditing around vs. through the computer
Identify various types of CBIS
Define major CBIS accounting controls
Develop an approach to assessing control risk in CBIS accounting applications
Evaluate/manage audit risk factors in CBIS accounting applications
COMPUTER BASED INFORMATION SYSTEMS
Personal Computers--commonplace
Wide Area Networks (WAN) & Local Area Networks (LAN)--end-user sharing
Database Management Systems (DBMS)--integrated collections of stored data
Internet and Intranet applications
Artificial Intelligence (sequenced decision rules) programs using Knowledge Engineers and Knowledge Bases (embedded cases)
A note on technology
Information processing systems have encouraged continuous auditing throughout a client's fiscal year. Computer systems and personnel (and changes) tend to obscure (or destroy) audit trails traditionally traced by auditors.
FAQ?
What are major impacts of CBIS advances on auditing and assurance services?
Trends in computer use impact two aspects of audit risk, but not audit objectives:
Assessing control risk (need for CBIS control)
Managing detection risk (verifying transaction data processed by CBIS, and balance data stored in CBIS)
A consistent truism:
Optimal segregation of functions exists when collusion is necessary in order to circumvent controls.
IMPACTS ON AUDITING
Changes in the audit trail
Less documentation, but more consistency
Less hard-copy available, but better data access
Combining of functions
Computerized checking, transaction logs
Less segmentation of details, and/or people
FAQ?
What is the audit trail?
The documents & records (evidence of executed transactions) that allow tracing transactions through the accounting cycle in the accounting and information system.
Auditing around the computer is to pretend it's just a super-sized typewriter!
TYPES OF CBIS
ELECTRONIC COMMERCE SYSTEMS
Scope:
Merchandise and securities markets
Bookkeeping and tax services
Consulting and teaching
CBIS CONTROLS:
1. General Controls
Control procedures that are interactive with two or more control objectives.
Relate to the organizational structure of the CBIS function (safeguarding data files & programs, documentation, etc.).
Relate to all (or many) computerized accounting activities.
Of major concern to auditors.
CBIS CONTROLS:
2. Application Controls
Control procedures that are designed to achieve specific control objectives.
Relate to individual computerized accounting applications.
Organized into input controls, processing controls, output controls.
CBIS CONTROLS:
3. User Controls
Control procedures that are established by departments other than Data Processing, whose transactions are computer processed.
Relate to ensuring accuracy of data processing (e.g., approvals of inputs, review of outputs).
Techniques include control totals, hash totals, comparative summaries.
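Added example (not from the original slides): a user department's batch control figures (record count, control total, hash total) reconciled against what processing produced, alongside the debits-equal-credits input edit. The journal-line layout, account numbers and function names are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample batch: (account_no, debit, credit) journal lines.
BATCH = [
    ("1010", "500.00", "0.00"),
    ("4000", "0.00", "500.00"),
    ("1200", "125.50", "0.00"),
    ("4000", "0.00", "125.50"),
]
# Constructed processing results: one line posted to the wrong account,
# and one balanced entry lost entirely.
MISPOSTED = [("1210", d, c) if a == "1200" else (a, d, c) for a, d, c in BATCH]
DROPPED = BATCH[:2]

def batch_totals(lines):
    """Figures the user department computes before handing the batch over."""
    return {
        "record_count": len(lines),
        # Control total: a financially meaningful sum (total debits).
        "control_total": sum(Decimal(d) for _, d, _ in lines),
        # Hash total: sum of account numbers; meaningless except as a check.
        "hash_total": sum(int(acct) for acct, _, _ in lines),
    }

def input_edit(lines):
    """Input edit: debits must equal credits for the batch."""
    debits = sum(Decimal(d) for _, d, _ in lines)
    credits = sum(Decimal(c) for _, _, c in lines)
    return debits == credits

def reconcile(submitted, processed):
    """Names of the totals that differ between submission and output."""
    return sorted(k for k in submitted if submitted[k] != processed[k])

if __name__ == "__main__":
    expected = batch_totals(BATCH)
    for label, lines in (("misposted", MISPOSTED), ("dropped", DROPPED)):
        print(label, "edit ok:", input_edit(lines),
              "mismatches:", reconcile(expected, batch_totals(lines)))
```

Both faulty batches still pass the debits-equal-credits edit; only the hash total exposes the misposting, and only the batch totals expose the lost entry.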
AUDIT TECHNIQUES
for testing CBIS controls
Develop the audit program for needed substantive testing in CBIS environments:
Review the CBIS and identify areas for specific testing of controls
Study the system and program documentation
Make tests
Evaluate the control risk
AUDIT TECHNIQUES
for testing CBIS controls
Auditor considerations:
AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns in evaluating & testing General Controls:
AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns--General Controls:
Extent of internal auditor involvement
Authorization issues
Data protection (antivirus software, backups, e-commerce security, network monitoring, protocol controls)
Assurance that programs designed and intended to be used are, in fact, the programs in use.
FAQ?
Would auditor involvement in the design of the client's CBIS and its controls be an advantage or disadvantage in audit practice?
COMPUTER ASSISTED
Audit Techniques (CAAT)
Test Data (hypothetical answers & errors) used with the client's computer: Would their computer find?
Tagging & Tracing technique
Systems Control Audit Review File (SCARF) using specific control points
BCSE (for large clients!)
CAAT
Parallel Simulation--an automated version of auditing around the computer, e.g., client's software or data used with CPA's computer or software (known reliability).
Mixing such factors, surprise audit, may be effective or may be inadvisable; maybe dangerous.
CAAT
Artificial Intelligence & Expert Systems (AI/XS): Software packages based on decision rules, knowledge base systems (KBS), and expertise in defined domains.
Expert System Shells: Software prompting effective transference of expertise to the less experienced, by utilizing a critical sequence of input variables.
FAQ?
Would the auditor's use of artificial data introduced into the client's normal live data processing (ITF approach) be effective? efficient? wise?
CBIS & Audit Risk Implications
Audit trail modifications may occur as OLRT inputs are shotgunned once to every location to use such input data.
Hard-copy may be replaced by DBMS.
Temporary vs. long-term retention policies may become fuzzy policies.
Similar concerns prompt initial assessments of control risk at very high levels!
Suggestions
Systems & changes--well-documented & adequately approved.
Transaction logs adequately detailed.
Passwords & encryption tightly controlled, changed, voided. [When someone is fired, the path to the doorway should disallow returning by his/her desk.]
Suggestions
Input editing (e.g., debits must equal credits, reasonableness) updated often.
Backups & History Logs--detailed, required.
The OLRT, DDP, and EDI world leads to automatic initiations; thus, compensating controls are vital.
Exception Reports (errors, unusual ratios)
AUDITOR MANAGEMENT of DETECTION RISK
Involvement with CBIS design, audit trails
Computer specialists on their staffs
A mindset for potential computer fraud and management fraud
Experience in tradeoffs: control risks vs. detection risks, interim vs. FYE testing
Continuous auditing relationships
Application controls
Auditing around
Auditing through
BCSE
Batch processing
CBIS Manager
Centralized data processing
Check digit
Completeness test
Computer editing
Conditioned telecommunications
Continuous auditing
Data control group
Design phase auditing
Distributed data processing
Encryption
Echo check
Expert systems
Expert systems shell
Fiber optics
Flat file system
General controls
Input controls
DBMS
KBS
Neural networks
OLRT system
Output controls
Parallel simulation
Processing controls
Systems analysts
SCARF
User controls
End of Chapter 8