Auditing of Computer-Based Information Systems
The Nature of Auditing
The American Accounting Association defines auditing as follows:
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
Internal Auditing Standards
According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system.
The IIA’s five audit scope standards are:
1. Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.
3. Review how assets are safeguarded, and verify the existence of assets as appropriate.
4. Examine company resources to determine how effectively and efficiently they are utilized.
5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives.
Types of Internal Auditing Work
What are the three different types of audits commonly performed?
1. Financial audit
2. Information system (IS) audit
3. Operational or management audit
An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages.
1. Audit planning
2. Collection of audit evidence
3. Evaluation of audit evidence
4. Communication of audit results
Audit Planning
Establish scope and objectives
Organize audit team
Develop knowledge of business operations
Review prior audit results
Identify risk factors
Prepare audit program
Collection of Audit Evidence
Observation of operating activities
Review of documentation
Discussion with employees and questionnaires
Physical examination of assets
Confirmation through third parties
Reperformance of procedures
Vouching of source documents
Analytical review and sampling
Evaluation of Audit Evidence
Assess quality of internal controls
Assess reliability of information
Assess operating performance
Consider need for additional evidence
Consider risk factors
Consider materiality factors
Document audit findings
Communication of Audit Results
Formulate audit conclusions
Develop recommendations for management
Present audit results to management
Information Systems Audits
The purpose of an AIS audit is to review and evaluate the internal controls that protect the system.
When performing an IS audit, auditors should ascertain that the following objectives are met:
1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
2. Program development and acquisition is performed in accordance with management’s general and specific authorization.
3. Program modifications have the authorization and approval of management.
4. Processing of transactions, files, reports, and other computer records is accurate and complete.
5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
6. Computer data files are accurate, complete, and confidential.
The Risk-Based Audit Approach
The risk-based approach to auditing provides auditors with a clear understanding of the errors and irregularities that can occur and the related risks and exposures.
This understanding provides a sound basis for developing recommendations to management on how the AIS control system should be improved.
What is the four-step approach to internal control evaluation?
1. Determine the threats facing the AIS.
2. Identify the control procedures that should be in place to minimize each threat.
3. Evaluate the control procedures.
4. Evaluate weaknesses (errors and irregularities not covered by control procedures).
Computer Software
A number of computer programs, called computer audit software (CAS) or generalized audit software (GAS), have been written especially for auditors.
CAS is a computer program that, based on the auditor’s specifications, generates programs that perform the audit functions.
Usage of Computer Software
The auditor’s first step is to decide on audit objectives, learn about the files to be audited, design the audit reports, and determine how to produce them.
This information is recorded on specification sheets and entered into the system via a data entry program.
General Functions of Computer Audit Software
– Reformatting
– File manipulation
– Calculation
– Data selection
– Data analysis
– File processing
– Statistics
– Report generation
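The functions listed above, applied to a small disbursement file, as an added example (not from the original page and not taken from any audit software product). The file layout, column names and the 5000.00 approval limit are assumptions made for illustration, and the records are constructed.

```python
import csv, io, statistics
from collections import Counter

# Constructed sample disbursement file; the column names are assumptions.
SAMPLE = """check_no,vendor,invoice_no,qty,unit_price,amount,approved_by
1001,ACME,INV-17,10,25.00,250.00,jlee
1002,BOLT,INV-88,4,1200.00,4800.00,jlee
1003,ACME,INV-17,10,25.00,250.00,jlee
1005,CORE,INV-03,3,40.00,130.00,mkim
1006,DYNA,INV-51,2,3500.00,7000.00,
"""
APPROVAL_LIMIT = 5000.00  # hypothetical authorization threshold

def load(text):
    """Reformatting: turn the text fields of each record into typed values."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["check_no"], r["qty"] = int(r["check_no"]), int(r["qty"])
        r["unit_price"], r["amount"] = float(r["unit_price"]), float(r["amount"])
        rows.append(r)
    return rows

def audit(rows):
    """Run the audit tests and return the exceptions plus summary statistics."""
    checks = sorted(r["check_no"] for r in rows)
    present = set(checks)
    # File processing: completeness test on the prenumbered check sequence.
    gaps = [n for n in range(checks[0], checks[-1] + 1) if n not in present]
    # Data analysis: the same vendor invoice paid more than once.
    seen = Counter((r["vendor"], r["invoice_no"]) for r in rows)
    dupes = sorted(r["check_no"] for r in rows
                   if seen[(r["vendor"], r["invoice_no"])] > 1)
    # Calculation: reperform qty * unit_price and compare with the recorded amount.
    miscalc = [r["check_no"] for r in rows
               if abs(r["qty"] * r["unit_price"] - r["amount"]) > 0.005]
    # Data selection: payments over the limit with no recorded approver.
    unapproved = [r["check_no"] for r in rows
                  if r["amount"] > APPROVAL_LIMIT and not r["approved_by"].strip()]
    amounts = [r["amount"] for r in rows]
    return {"sequence_gaps": gaps, "duplicate_invoices": dupes,
            "recalculation_errors": miscalc, "over_limit_unapproved": unapproved,
            # Statistics: control total and mean for comparison with the ledger.
            "total": round(sum(amounts), 2),
            "mean": round(statistics.mean(amounts), 2)}

if __name__ == "__main__":
    # Report generation: one line per test for the audit working papers.
    for name, result in audit(load(SAMPLE)).items():
        print(f"{name}: {result}")
```

Each exception list maps back to an IS audit objective stated earlier on the page: sequence gaps and recalculation errors bear on accurate and complete processing, and the unapproved over-limit payment bears on improperly authorized source data.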
Operational Audits of an AIS
The techniques and procedures used in operational audits are similar to those of IS and financial audits.
The basic difference is that the IS audit scope is confined to internal controls, whereas the financial audit scope is limited to IS output.
The operational audit scope encompasses all aspects of IS management.
Operational audit objectives include evaluating effectiveness, efficiency, and goal achievement.
What are some evidence collection activities?
– Reviewing operating policies and documentation
– Confirming procedures with management and operating personnel
– Observing operating functions and activities
– Examining financial and operating plans and reports
– Testing the accuracy of operating information
– Testing controls