Chapter 3 with added info

1
Chapter 3 with added info
Auditing Data Management Systems
2
Challenges of Sophisticated Computer Systems

• electronic method of sending
  documents between companies
• no paper trail for the auditor to follow
• increased emphasis on front-end controls
• security becomes key element in controlling
  system

3
Objectives of General Controls

• 1. Responsibility for control
• 2. Information system meets needs of entity
• 3. Efficient implementation of information
  systems
• 4. Efficient and effective maintenance of
  information systems
• 5. Effective and efficient development and
  acquisition of information systems
• 6. Present and future requirements of users can
  be met
• 7. Efficient and effective use of resources
  within information systems processing

4
Objectives of General Controls

• 8. Complete, accurate and timely processing of
  authorized information systems
• 9. Appropriate segregation of incompatible
  functions
• 10. All access to information and information
  systems is authorized
• 11. Hardware facilities are physically protected
  from unauthorized access, loss or damage
• 12. Recovery and resumption of information
  systems processing
• 13. Maintenance and recovery of critical user
  activities

5
Input Controls

• input data should be authorized approved
• the system should edit the input data prevent
  errors
• Examples include validity checks, field checks,
  reasonableness check, record counts etc.

6
Processing Controls
7
Processing Controls

• Examples
• control, batch, or proof total - a total of a
  numerical field for all the records of a batch
  that normally would be added (example wages
  expense)
• logic test - ensures against illogical combina
• tions of information (example a salaried em-
• ployee does not report hours worked)

8
Database Processing ControlsInference Controls

• Must prohibit the retrieval of individual data
  through statistical (aggregate) operations on the
  database.
• Example
• SELECT MAX(Salary)
• FROM EMPLOYEE
• WHERE Dept CSE AND
• Address LIKE Cincinnati
• Note What if only one employee in CSE lives
  in Cincinnati?

9
Output Controls
assure that data generated by the system are
valid, accurate, complete, and distributed to
authorized persons in appropriate quantities
10
Objectives of Application Controls

• 1. Design application controls with regard to
• - segregation of incompatible functions
• - security
• - development
• - processing of information systems
• 2. Information provided by the systems is
• - complete
• - accurate
• - authorized
• 3. Existence of adequate management trails

11
Auditing Software

• Generalized audit software involves
• the use of auditor programs, client
• data, and auditor hardware. The
• primary advantage of GAS is that the
• client data can be down-loaded into
• the auditors system and manipulated
• in a variety of ways.

12
Differences with Computer Processing

• Audit trails are different than with manual
  accounting systems
• Portions of audit trails may be temporary or
  never exist
• Processing is more uniform
• Computer may initiate and complete transactions
• Greater potential for fraud

13
Impact of Computers on Planning

• Extent to which computers are used
• Complexity of computer operations
• Organizational structure of computer operations
• Availability of data
• Use of CAATs
• Need for specialized skills by auditor

14
Audit Alternatives

• Continuous (Electronic) Auditing
• Auditing Around the Computer
• Auditing Through the Computer
• Non-concurrent (after-the-fact) auditing
• Recent SAS pronouncements reduce applicability of
  non-concurrent auditing

15
Audit Alternatives

• Concurrent auditing provides greater information
  about the effectiveness of controls
• Special audit test records can be used to examine
  system effectiveness
• Embedded audit modules collect, process and
  report audit evidence as it is processed by the
  system

16
SAS No. 80

• In entities where significant information is
  transmitted, processed, maintained, or accessed
  electronically, the auditor may determine that it
  is not practical or possible to reduce detection
  risk to an acceptable level by performing only
  substantive tests for one or more financial
  statement assertions.

17
SAS No. 80

• Due to the short-term nature of electronic data,
  the auditor should consider the time during which
  information exists or is available in determining
  the nature, timing and extent of his tests

18
SAS No. 94

• SAS No. 94 acknowledges that IT use presents
  benefits as well as risks to internal control
• The auditor should expect to encounter IT systems
  and electronic records
• An entitys IT use may be so significant that the
  quality of the audit evidence available to the
  auditor will depend on the controls that business
  maintains over its accuracy and completeness

19
SAS No. 94

• As companies rely more and more on IT systems and
  controls, auditors will need to adopt new testing
  strategies to obtain evidence that controls are
  effective
• An auditor might need specialized skills to
  determine the effect of IT on the audit
• In some instances, the auditor may need the
  skills of a specialist

20
Errors and Irregularities Necessary Control Procedures Necessary Control Procedures
INPUT INPUT INPUT INPUT
Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Valid data are incorrectly converted to machine-sensible form. Properly converted input is lost, duplicated or distorted during handling. Detected erroneous data are not corrected and resubmitted for processing. Verification controls Computer editing Batch controls Data control group monitoring Transmittal controls Control totals Error logs Data control group monitoring
PROCESSESSING PROCESSESSING PROCESSESSING PROCESSESSING
The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. The wrong files are processed and updated. Processing errors are made on valid input data. Illogical or unreasonable input is processed. External file labels Internal file labels Control totals Limit and reasonableness tests
OUTPUT OUTPUT OUTPUT OUTPUT
Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output may be incorrect because of processing errors. Output may be incorrect because file revisions are unauthorized or approved changes are not made. Output is distributed to unauthorized users. Output control totals Periodic comparisons of file data with source documents Data control group monitoring Report distribution control sheet
21
Tests of Controls Techniques

• Auditing Around the ComputerManually processing
  selected transactions and comparing results to
  computer output
• Auditing Through the ComputerComputer assisted
  techniques
• Test DecksProcessing dummy transactions and
  records with errors and exceptions to see that
  program controls are operating

22
Types of Concurrent Auditing

• Testing real data
• Tracing transactions
• Snapshot/extended record (EAM)
• System Control Audit Review File (SCARF)
• Testing simulated data
• Test deck approach
• Integrated test facility (ITF)

23
Auditing Using Clients Computer- Tracing Real
Data

• Provides direct confirmation that controls
  functioned as prescribed
• Weaknesses of approach
• Actual transactions selected may not trigger all
  of the controls- in fact, finding actual
  transactions to test every control may not be
  possible
• May be disruptive to clients operation

24
Auditing using Clients Computer-Tracing Real
Data

• Weaknesses, continued
• Difficult to verify that program tested is
  program normally used
• Difficult to verify that procedures used during
  test are procedures normally employed
• Auditor needs to understand IT operations

25
Auditing using Clients Computer-Using Simulated
Data

• Strengths
• Auditor can reduce substantially the number of
  records that have to be processed (one record can
  test several controls)
• Permits testing of every control

26
Auditing using Clients Computer-Using Simulated
Data

• Weaknesses
• Only those conditions known to exist can be
  tested
• Same program and procedures questions as in
  processing real data
• Removal of simulated data from client's records

27
Auditing using Clients Computer-Using Simulated
Data

• Verify that no amounts, accounts, or transaction
  types are omitted
• Verify pricing, extensions, and other valuation
  procedures
• Verify account coding and classification
• Verify proper time period recording
• Test subsidiary records footing and
  reconciliation to control account balances

28
Auditing using Clients Computer-Using Simulated
Data

• Test data or test record approach
• Simulated data is controlled and processed
  separately from real data
• Output is compared to auditor-calculated output

29
Auditing using Clients Computer-Using Simulated
Data

• Integrated test facility (ITF)
• Simulated data is assigned a special code to
  distinguish it from real data
• Simulated data is integrated with real data and
  processed in normal course of business
• Weakness - simulated data may be processed
  differently than real data

30
Generalized Audit Software

• Off-the-shelf software that allows examination of
  client data on auditors computer
• Information systems vary widely between clients
• Hardware and software environments
• Data structures
• Record formats
• Processing functions

31
Functional Capabilities of GAS

• File access
• File reorganization (sorting and merging)
• Filtering (Boolean operators , gt, lt, ltgt, AND,
  OR, etc.)
• Statistical (sample selections)
• Arithmetic
• Stratification
• File creation
• Reporting

32
Available CAATs

• CA-Easytrieve (Computer Associates)
• Works in UNIX or LAN (primarily mainframes)
• Uses a background language similar to COBOL
• SAS
• Statistical analysis
• Data mining
• ACL
• IDEA

33
Electronic Workpapers

• Electronic working papers
• Standardizes audit forms and formats
• Improves quality and consistency
• Coordinates efforts
• Can centralize management efforts

34
Centralized Vs Distributed Systems

• Some activities should remain centralized
• DDP is more expensive but can add efficiencies
  over straight client-server approach
• Data can be distributed in different ways
• May raise security issues
• Auditor must question how each site is secured
• DDP may be partitioned or replicated
• DDP requires concurrency control

35
End Ch 3