Chapter 3 with added info - PowerPoint PPT Presentation

Description:

electronic method of sending documents between companies ... Detected erroneous data are not corrected and resubmitted for processing. INPUT ... – PowerPoint PPT presentation

Provided by: Jer856
Transcript and Presenter's Notes

1
Chapter 3 with added info
Auditing Data Management Systems
2
Challenges of Sophisticated Computer Systems
  • electronic method of sending
    documents between companies
  • no paper trail for the auditor to follow
  • increased emphasis on front-end controls
  • security becomes key element in controlling
    system

3
Objectives of General Controls
  • 1. Responsibility for control
  • 2. Information system meets needs of entity
  • 3. Efficient implementation of information
    systems
  • 4. Efficient and effective maintenance of
    information systems
  • 5. Effective and efficient development and
    acquisition of information systems
  • 6. Present and future requirements of users can
    be met
  • 7. Efficient and effective use of resources
    within information systems processing

4
Objectives of General Controls
  • 8. Complete, accurate and timely processing of
    authorized information systems
  • 9. Appropriate segregation of incompatible
    functions
  • 10. All access to information and information
    systems is authorized
  • 11. Hardware facilities are physically protected
    from unauthorized access, loss or damage
  • 12. Recovery and resumption of information
    systems processing
  • 13. Maintenance and recovery of critical user
    activities

5
Input Controls
  • input data should be authorized and approved
  • the system should edit the input data and prevent
    errors
  • Examples include validity checks, field checks,
    reasonableness checks, record counts, etc.

6
Processing Controls
7
Processing Controls
  • Examples
  • control, batch, or proof total - a total of a
    numerical field for all the records of a batch
    that normally would be added (example: wages
    expense)
  • logic test - ensures against illogical
    combinations of information (example: a salaried
    employee does not report hours worked)
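
The controls named on this slide, as an added example that is not part of the original presentation: a record count, a control total on wages, and the salaried-employee logic test, applied to a constructed payroll batch. The field names and header layout are assumptions.

```python
from decimal import Decimal

# Constructed sample batch. The header holds the record count and wages
# total computed by the originating department (hypothetical layout).
BATCH_HEADER = {"record_count": 4, "control_total": Decimal("5150.00")}
BATCH_RECORDS = [
    {"emp_id": "E01", "pay_type": "hourly", "hours": 40, "wages": Decimal("800.00")},
    {"emp_id": "E02", "pay_type": "salaried", "hours": 0, "wages": Decimal("2000.00")},
    {"emp_id": "E03", "pay_type": "salaried", "hours": 12, "wages": Decimal("1500.00")},
    {"emp_id": "E04", "pay_type": "hourly", "hours": 38, "wages": Decimal("760.00")},
]


def check_batch(header, records):
    """Return a list of exceptions; an empty list means the batch passes."""
    exceptions = []

    # Record count: records received must equal the count in the header.
    if len(records) != header["record_count"]:
        exceptions.append(
            f"record count {len(records)} != header {header['record_count']}")

    # Control (batch) total: recomputed wages total must equal the header total.
    total = sum((r["wages"] for r in records), Decimal("0"))
    if total != header["control_total"]:
        exceptions.append(
            f"control total {total} != header {header['control_total']}")

    # Logic test: a salaried employee must not report hours worked.
    for r in records:
        if r["pay_type"] == "salaried" and r["hours"] != 0:
            exceptions.append(
                f"logic test: salaried employee {r['emp_id']} "
                f"reports {r['hours']} hours")
    return exceptions


if __name__ == "__main__":
    for line in check_batch(BATCH_HEADER, BATCH_RECORDS):
        print(line)
```
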

8
Output Controls
assure that data generated by the system are
valid, accurate, complete, and distributed to
authorized persons in appropriate quantities
9
Objectives of Application Controls
  • 1. Design application controls with regard to
  • - segregation of incompatible functions
  • - security
  • - development
  • - processing of information systems
  • 2. Information provided by the systems is
  • - complete
  • - accurate
  • - authorized
  • 3. Existence of adequate management trails

10
There are two general approaches to auditing EDP
systems
  • 1. Auditing around the computer involves
    extensive testing of the inputs and outputs of
    the EDP system and little or no testing of
    processing or computer hardware.

This approach involves no tests of the computer
programs and no auditor use of the computer.
11
There are two general approaches to auditing EDP
systems
  • 1. Auditing around the computer
  • depends on a visible, traceable, hard copy
    audit trail made of manually prepared and
    computer-prepared documents.

12
There are two general approaches to auditing EDP
systems
  • 2. Auditing with use of the computer involves
    extensive testing of computer hardware and
    software.

13
Techniques for auditing with use of the computer
  • 1. Test data involves auditor preparation of a
    series of fictitious transactions; many of those
    transactions will contain intentional errors. The
    auditor examines the results and determines
    whether the errors were detected by the client's
    system.

14
What are the shortcomings of the use of test data?
  • - possibility of accidental integration of
    fictitious and actual data
  • - preparation of test data that examines
    all aspects of the application is difficult
  • - the auditor must make sure that the
    program being tested is the one
    actually used in routine processing

15
Techniques for auditing with use of the computer
  • 2. Parallel simulation
  • the auditor writes a computer program that
    replicates part of the client's system
  • the auditor's program is used to process actual
    client data
  • the results from the auditor's program and that
    of the client's routine processing are compared
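
Parallel simulation as described on this slide, as an added example that is not part of the original presentation: an auditor-written recalculation of gross pay is run over the client's input and compared with the client's output, including records present on only one side. The data is constructed, and the overtime rule (1.5x above 40 hours) is an assumed client policy.

```python
from decimal import Decimal

# Constructed extract of client input data and the client's computed output.
CLIENT_INPUT = [
    {"emp_id": "E01", "hours": Decimal("40"), "rate": Decimal("20.00")},
    {"emp_id": "E02", "hours": Decimal("45"), "rate": Decimal("20.00")},
    {"emp_id": "E03", "hours": Decimal("50"), "rate": Decimal("18.00")},
]
CLIENT_OUTPUT = {
    "E01": Decimal("800.00"),
    "E02": Decimal("950.00"),
    "E03": Decimal("900.00"),   # overtime premium not applied
    "E09": Decimal("500.00"),   # paid, but no input record exists
}


def auditor_gross_pay(rec):
    """Auditor's independent calculation (assumed policy: 1.5x over 40 hours)."""
    regular = min(rec["hours"], Decimal("40"))
    overtime = max(rec["hours"] - Decimal("40"), Decimal("0"))
    pay = regular * rec["rate"] + overtime * rec["rate"] * Decimal("1.5")
    return pay.quantize(Decimal("0.01"))


def parallel_simulation(client_input, client_output):
    """Return (emp_id, auditor_result, client_result) for every mismatch.

    None on either side means the record exists only on the other side.
    """
    simulated = {r["emp_id"]: auditor_gross_pay(r) for r in client_input}
    differences = []
    for emp_id in sorted(simulated.keys() | client_output.keys()):
        ours, theirs = simulated.get(emp_id), client_output.get(emp_id)
        if ours != theirs:
            differences.append((emp_id, ours, theirs))
    return differences


if __name__ == "__main__":
    for emp_id, ours, theirs in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(f"{emp_id}: auditor={ours} client={theirs}")
```
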
16
Auditing Software
  • Generalized audit software involves
    the use of auditor programs, client
    data, and auditor hardware. The
    primary advantage of GAS is that the
    client data can be downloaded into
    the auditor's system and manipulated
    in a variety of ways.

17
Common Audit Software Functions
  • - verifying extensions and footings
  • - examining records
  • - comparing data on separate files
  • - summarizing or re-sequencing data and
    performing analyses
  • - comparing data obtained through other
    audit procedures with company records
  • - selecting audit samples
  • - printing confirmation requests

18
Differences with Computer Processing
  • Audit trails are different than with manual
    accounting systems
  • Portions of audit trails may be temporary or
    never exist
  • Processing is more uniform
  • Computer may initiate and complete transactions
  • Greater potential for fraud

19
Impact of Computers on Planning
  • Extent to which computers are used
  • Complexity of computer operations
  • Organizational structure of computer operations
  • Availability of data
  • Use of CAATs
  • Need for specialized skills by auditor

20
Audit Alternatives
  • Continuous (Electronic) Auditing
  • Auditing Around the Computer
  • Auditing Through the Computer
  • Non-concurrent (after-the-fact) auditing
  • Can be used for tests of transactions and
    balances (substantive tests)
  • Can be used to test the effectiveness of controls
    at various times in the past
  • Recent SAS pronouncements reduce applicability of
    non-concurrent auditing

21
Audit Alternatives
  • Concurrent auditing provides greater information
    about the effectiveness of controls
  • Special audit test records can be used to examine
    system effectiveness
  • Embedded audit modules collect, process and
    report audit evidence as it is processed by the
    system

22
SAS No. 80
  • In entities where significant information is
    transmitted, processed, maintained, or accessed
    electronically, the auditor may determine that it
    is not practical or possible to reduce detection
    risk to an acceptable level by performing only
    substantive tests for one or more financial
    statement assertions.

23
SAS No. 80
  • Due to the short-term nature of electronic data,
    the auditor should consider the time during which
    information exists or is available in determining
    the nature, timing and extent of his tests

24
SAS No. 94
  • The Effect of Information Technology on the
    Auditor's Consideration of Internal Control in a
    Financial Statement Audit
  • Amends SAS No. 55, Consideration of Internal
    Control in a Financial Statement Audit
  • SAS No. 94 does NOT change the requirement that
    the auditor obtain a sufficient understanding of
    internal control to plan the audit

25
SAS No. 94
  • SAS No. 94 acknowledges that IT use presents
    benefits as well as risks to an entity's internal
    control
  • The auditor should expect to encounter IT systems
    and electronic records rather than paper
    documents
  • An entity's IT use may be so significant that the
    quality of the audit evidence available to the
    auditor will depend on the controls that business
    maintains over its accuracy and completeness

26
SAS No. 94
  • As companies rely more and more on IT systems and
    controls, auditors will need to adopt new testing
    strategies to obtain evidence that controls are
    effective
  • An auditor might need specialized skills to
    determine the effect of IT on the audit
  • In some instances, the auditor may need the
    skills of a specialist

27
Areas of Audit Focus
  • Auditing computer programs
  • Auditing computer processing
  • Auditing computer files and databases

28
Auditing Computer Programs
  • Non-processing of data
  • Program logic flowchart verification
  • Program code checking
  • Examination of job accounting and control
    information
  • Review printouts

29
Non-concurrent Auditing
  • The Black Box Approach (still allowed?)
  • Must be able to locate copies of source documents
    for transactions and the accounting reports
    resulting from those transactions
  • Must be able to read the source documents and
    reports without the aid of the client's computer
  • Auditor must assess a low level of risk on
    controls external to EDP

30
Black Box Approach
  • Must trace transactions from the source documents
    (cradle) to the accounting reports (grave) and
    from the reports back to the source documents

31
Need for Concurrent Auditing
  • Disappearing paper-based audit trail
  • Continuous monitoring required by advanced
    systems
  • Increasing difficulty of performing transaction
    walkthroughs
  • Presence of entropy (disorder) in systems
  • Outsourced and distributed IS
  • Increased interorganizational IS (EDI)

32
EDP Controls
34
Tests of Controls Techniques
  • Auditing Around the Computer: Manually processing
    selected transactions and comparing results to
    computer output
  • Auditing Through the Computer: Computer-assisted
    techniques
  • Test Decks: Processing dummy transactions and
    records with errors and exceptions to see that
    program controls are operating

35
Tests of Controls Techniques
  • Controlled Programs: Processing real and test data
    with a copy of the client's program under the
    auditor's control
  • Program Analysis Techniques: The examination of a
    computer-generated flowchart of the client's
    program to test the program's logic
  • Tagging and Tracing Transactions: Examination of
    computer-generated details of the steps in
    processing tagged transactions

36
Tests of Controls Techniques
  • Integrated Test Facility: A system that processes
    test data simultaneously with real transactions
    to allow the system to be constantly monitored
  • Parallel Simulation: The use of an auditor-written
    program to process client data and comparison of
    its output to the output generated by the
    client's program

37
[Diagram: the auditor's test data is run through the client's program (computer processing); the computer results should match the auditor's predetermined results.]
38
System Concept of Parallel Simulation
Source: W.C. Mair, New Techniques in Computer
Program Verification, Tempo (Touche Ross Co.,
Winter 1971-72), p. 14.
39
Parallel Simulation
40
Types of Concurrent Auditing
  • Testing real data
  • Tracing transactions
  • Snapshot/extended record (EAM)
  • System Control Audit Review File (SCARF)
  • Testing simulated data
  • Test deck approach
  • Integrated test facility (ITF)

41
Auditing Using Client's Computer - Tracing Real
Data
  • Provides direct confirmation that controls
    functioned as prescribed
  • Weaknesses of approach
  • Actual transactions selected may not trigger all
    of the controls - in fact, finding actual
    transactions to test every control may not be
    possible
  • May be disruptive to client's operation

42
Auditing Using Client's Computer - Tracing Real
Data
  • Weaknesses, continued
  • Difficult to verify that program tested is
    program normally used
  • Difficult to verify that procedures used during
    test are procedures normally employed
  • Auditor needs to understand IT operations

43
Auditing Using Client's Computer - Using Simulated
Data
  • Strengths
  • Auditor can reduce substantially the number of
    records that have to be processed (one record can
    test several controls)
  • Permits testing of every control

44
Auditing Using Client's Computer - Using Simulated
Data
  • Weaknesses
  • Only those conditions known to exist can be
    tested
  • Same program and procedures questions as in
    processing real data
  • Removal of simulated data from client's records

45
Auditing Using Client's Computer - Using Simulated
Data
  • Verify that no amounts, accounts, or transaction
    types are omitted
  • Verify pricing, extensions, and other valuation
    procedures
  • Verify account coding and classification
  • Verify proper time period recording
  • Test subsidiary records footing and
    reconciliation to control account balances

46
Auditing Using Client's Computer - Using Simulated
Data
  • Test data or test record approach
  • Simulated data is controlled and processed
    separately from real data
  • Output is compared to auditor-calculated output

47
Auditing Using Client's Computer - Using Simulated
Data
  • Integrated test facility (ITF)
  • Simulated data is assigned a special code to
    distinguish it from real data
  • Simulated data is integrated with real data and
    processed in normal course of business
  • Weakness - simulated data may be processed
    differently than real data

48
Generalized Audit Software
  • Off-the-shelf software that allows examination of
    client data on auditor's computer
  • Information systems vary widely between clients
  • Hardware and software environments
  • Data structures
  • Record formats
  • Processing functions

49
Generalized Audit Software
  • GAS developed specifically to accommodate a wide
    variety of hardware and software platforms
  • Allows auditor to quickly modify audit approach
    as audit objectives change
  • Allows auditors relatively unskilled in computer
    systems to audit effectively in an electronic
    environment

50
Functional Capabilities of GAS
  • File access
  • File reorganization (sorting and merging)
  • Filtering (Boolean operators >, <, <>, AND,
    OR, etc.)
  • Statistical (sample selections)
  • Arithmetic
  • Stratification
  • File creation
  • Reporting

51
Available CAATs
  • CA-Easytrieve (Computer Associates)
  • Works in UNIX or LAN (primarily mainframes)
  • Uses a background language similar to COBOL
  • SAS
  • Statistical analysis
  • Data mining
  • ACL
  • IDEA

52
Electronic Workpapers
  • Electronic working papers
  • Standardizes audit forms and formats
  • Improves quality and consistency
  • Coordinates efforts
  • Can centralize management efforts

53
Centralized Vs Distributed Systems
  • Some activities should remain centralized
  • DDP is more expensive but can add efficiencies
    over straight client-server approach
  • Data can be distributed in different ways
  • May raise security issues
  • Auditor must question how each site is secured
  • DDP may be partitioned or replicated
  • DDP requires concurrency control

54
End Ch 3