SlideShare a Scribd company logo

Conducting an Information Systems Audit

Download as PPTX, PDF
S
Sreekanth Narendran

Chapter 2 Information Systems Control & Audit www.lifein01.com - for presentations of all chapters of ron weber

Engineering
1 of 41
Chapter 2 Conducting an Information Systems Audit Sreekanth N 1
Contents • Introduction • The big Question • Learning objectives • Nature of controls • Dealing with complexity • Audit Risks • Types of Audit Procedures • Overview of Steps in an Audit • Auditing Around or Through the computer. 2
Introduction • Auditors can perform a detailed audit in small organizations. • All organizations are of not the same size. • Auditing in big organizations are difficult. • Detailed check on data process inside IS systems become complex. • Auditors resort to sampling. 3
The big question? • How can an auditor perform IS audit so that they obtain reasonable assurance that an organization safeguards its data-processing assets, maintains data integrity, and achieve system effectiveness and efficiency ? 4
Learning Objectives • Learn the general approach followed for information systems audit. • Learn the nature of controls. • Learn techniques for simplifying complexity encountered while making evaluation judgements or computer-based information systems. • Learn the basic risks auditors face and the type of audit procedures used to control and asses these risks. • Finally we examine a major decision auditors must make while doing an IS audit. 5
Attestation vs Audit • Attestation: An attestation is a type of engagement in which an attester (auditor,practitioner,accountant) provides a report as to whether an assertion (made by an asserter management) has been prepared in conformity with the appropriate criteria. • Attestations include financial statement audits, reporting on forecasts, projections, pro-forma information, effectiveness of internal control etc. • Attestation Standards apply only to situations not addressed by other professional standards. • Audit: An audit is a type of attest function in which an auditor provides an independent opinion (positive assurance) about whether management (asserter) has prepared financial statements in conformity with an applicable financial reporting framework (criteria). 6
Nature of controls • A control is a system that prevents, detects, or correct unlawful events. • System – Set of interrelated components working together to achieve some overall purpose • Unlawful event- Arises if unauthorized, in accurate, incomplete, redundant, ineffective, or inefficient input enters the system. • Preventive control • Detective control • Corrective control 7
Dealing with Complexity • Conducting an IS audit is an exercise in dealing with complexity. • Because complexity is the root cause of problems face by many professionals two guidelines have been developed in IS audit. 1. Given the purpose of IS audit, factor the system to be evaluated into subsystems. 2. Determine the reliability of each subsystem and implications of each subsystems level of reliability for the overall reliability of the system. 8
Dealing with Complexity –> Subsystem Factoring • Subsystem performs basic function and are logical components • Factoring – Decomposing a system into subsystems (iterative process) • Systems theory gives two guidelines to identify and delineate subsystems • should be relatively independent • should be internally cohesive • Auditors have recognized some systems cannot be audited based on these. • Over time two methodologies were developed to factor systems. 9
Dealing with Complexity –> Subsystem Factoring IS Function Application subsystems Application systems Cycles Management subsystems Management systems 10
Dealing with Complexity –> Subsystem Factoring –> Management subsystems • Based on managerial functions that must be performed to ensure that development, implementation, operation and maintenance of IS proceed in planned and controlled manner. • Managerial systems function to provide a stable infrastructure in which information systems can be built, operated and maintained on a day to day basis. • Some of the management subsystems are : Top management, IS management, Systems development management, Programming management, Data administration, Quality assurance, Security administration, Operations management 11
Dealing with Complexity –> Subsystem Factoring –> Application Subsystems • Based of cycles approach. • IS systems are grouped into cycles. • Examples of cycles : Sales and collection, payroll and personnel, acquisition and payments, inventory etc. • Each cycle is then factored into application subsystems. • Application systems into application subsystems. • Application Subsystems can includes Boundary, Input, Communication, Processing, Database, Output 12
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Beginning with the lowest-level subsystems, all the different types of lawful and unlawful events that can occur to the system are identified. • Primary concern are unlawful events. • To identify we focus on the major functions each subsystem performs. • As a basis we focus on (walk-through technique) • the transactions that can occur as an input to the subsystem as all events arise from a transaction. • How the subsystem processes this transaction and understand each processing step. 13
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Costly to trace each transaction. • Auditors focus on classes. • Group similar transactions into classes and analyze it. • When events are identified auditors evaluate if controls are in place. • They collect evidence on the controls and see if the losses are reduced to acceptable levels. • Errors made at one level can propagate to higher levels 14
Audit Risks • Systems auditors are concerned with four objectives: • Asset safeguarding • Data integrity • System effectiveness • System efficiency • Auditors are concerned with whether errors or irregularities cause material losses or material misstatements in the financial information • Because of test nature of auditing, auditors might fail to detect real or potential material losses and account misstatements. 15
Audit Risks • The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit is called the audit risk. • Auditors choose an audit approach and design audit procedures in an attempt to reduce this risk to a level deemed acceptable. • For determining desired audit risk following audit risk model is adopted : DAR = IR x CR x DR • DAR is the desired audit risk • IR is the inherent risk, likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered. • CR is the control risk, likelihood that internal controls in some segment of the audit will not prevent, detect, or correct material losses or account misstatements that arise. • DR is the detection risk, the audit procedures used in some segment Of the audit will fail to detect material losses or account misstatements. 16
Audit Risks • To apply the model, auditors first choose their level of desired audit risk. • Auditors consider such factors as the level of reliance external parties are likely to place on the financial statements, the likelihood of the organization encountering financial difficulties subsequent to the audit, they assess the short- and long-run consequences for their organizations if they fail to detect real or potential material losses from ineffective or inefficient operations. • Next auditors consider the level of inherent risk. Initially auditors consider general factors such as • the nature of the organization, • the industry in which it operates, • the characteristics of management, and accounting and auditing concerns. 17
Audit Risks Inherent Risk in Financial System • Those that usually provide financial control over the major assets of an organization : • cash receipts and disbursements, • payroll, • accounts receivable and payable—often have higher inherent risk. • Because they are frequently the target of fraud. 18
Audit Risks • To assess the level of control risk associated with a segment of the audit, auditors consider the reliability of both management and application controls. • Auditors usually identify and evaluate controls in management subsystems first. • Management (subsystem) controls are fundamental controls because they cover all application systems. • Thus, the absence of a management control is a serious concern for auditors. • Next auditors calculate the level of detection risk they must attain to achieve their desired audit risk. They then design evidence collection procedures in an attempt to achieve this level of detection risk. 19
Audit Risks • The whole point in considering the audit risk model is that audit efforts should be focused where they will have the highest payoffs. • In most cases auditors cannot collect evidence to the extent they would like. • Accordingly, they must be judicious in terms of where they apply their audit procedures and how they interpret the evidence they collect. 20
Types of Audit Procedures When external auditors gather evidence to determine whether material losses have occurred or financial information has been materially misstated, they use five types Of procedures: • Procedures to obtain an understanding of controls: Inquiries, inspections, and observations can be used to gain an understanding Of what controls supposedly exist, how well they have been designed, and whether they have been placed in operation. • Tests of controls: Inquiries, inspections, observations, and performance of control procedures can be used to evaluate whether controls are operating effectively. • Substantive tests of details of transactions: These tests are designed to detect dollar errors or irregularities in transactions that would affect the financial statements. 21
Types of Audit Procedures • Substantive tests of details of account balances: These tests focus on the ending general ledger balances in the balance sheet and income statement. • Analytical review procedures: These tests focus on relationships among data items with the objective of identifying areas that require further audit work. • Auditors usually carry out the less costly audit procedures first in the hope the evidence obtained from these procedures indicates it is unlikely a material loss or material misstatement has occurred or will occur. If this outcome arises, auditors can alter the nature, timing, and extent of the more costly tests used. 22
Overview of Steps in an Audit Start Stop Obtain Understanding Of control structure Assess control risk Preliminary Audit work Reassess Control risk Tests of controls Limited Substantive testing Extended Substantive testing Form audit Opinion and Issue report Rely on Controls ? Increase Reliance on Controls ? Still Rely on Control ? no Yes no yes no yes Major Steps to be undertaken in an audit 23
Overview of Steps in an Audit – Planning audit • Planning is the first phase of an audit. • For External auditor - investigating new and continuing clients to determine whether the audit engagement should be accepted, assigning appropriate staff to the audit, obtaining an engagement letter, obtaining background information on the client, understanding the client's legal obligations, and undertaking analytical review procedures to understand the client's business better and identify areas of risk in the audit • For an internal auditor -understanding the objectives to be accomplished in the audit, obtaining background information, assigning appropriate staff, and identifying areas of risk. 24
Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Control Environment - Elements that establish the control Context in which specific accounting systems and control procedures must operate. • Risk Assessment - Elements that identify and analyze the risks faced by an Organization and the ways these risks can be managed. • Control Activities - Elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks on performance and valuation of recorded amounts occur. 25
Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Information and Communication-Elements in which information is identified, captured, and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities properly. • Monitoring- Elements that ensure internal controls operate reliably over time. 26
Overview of Steps in an Audit – Planning audit • After auditors obtain an understanding of the internal controls, they then must determine the control risk in relation to each assertion: • If auditors assess control risk at less than the maximum level, they must then identify the material controls that relate to the assertion and test the controls to evaluate whether they are operating effectively. • If auditors assess control risk at the maximum level, they do not test controls; they might conclude that internal controls are unlikely to be effective and therefore cannot be relied upon or that a more effective and efficient audit can be conducted using a substantive approach. 27
Overview of Steps in an Audit – Tests of Controls • Auditors test controls when they assess the control risk for an assertion at less than the maximum level. • They rely on controls as a basis for reducing more costly testing. • Tests of controls evaluate whether specific, material controls are reliable. • This phase usually begins by again focusing first on management controls. • If testing shows that, contrary to expectations, management controls are not operating reliably, there might be little point to testing application controls. • If auditors identify serious management-control weaknesses, they might have to issue an adverse opinion or undertake substantive tests of transactions and balances or overall results. • Auditors conduct the evaluation iteratively for each management subsystem and each application subsystem that is important. 28
Overview of Steps in an Audit – Tests of Controls • If auditors conclude that management controls are in place and working satisfactorily, they then would evaluate the reliability of application controls. • For each transaction considered, auditors evaluate whether the control is operating effectively. 29
Overview of Steps in an Audit – Tests of Controls • After auditors have completed tests of controls, they again assess control risk. • After the test results, auditors might conclude that internal controls are stronger or weaker than initially anticipated. • They might also conclude that it is worthwhile to perform more tests of controls with a view to further reducing the further testing. • Accordingly, auditors conclude control risk has decreased and seek further evidence to support this assessment. 30
Overview of Steps in an Audit – Tests of Transactions • Auditors use tests of transactions to evaluate whether erroneous or irregular processing of a transaction has led to a material misstatement of financial information. • Typical attest tests of transactions include • tracing journal entries to their source documents, • examining price files for propriety, and • testing computational accuracy. • Ex : Auditors usually use generalized audit software to check whether the interest paid on bank accounts has been calculated correctly. • From an operational perspective, auditors use tests of transactions to evaluate whether transactions or events have been handled effectively and efficiently. 31
Overview of Steps in an Audit – Tests of Transactions • In an attest audit, auditors conduct tests of transactions at interim dates in order to reduce the amount of substantive tests of balances to be done at financial year end and thus to reduce the overall costs of the audit. • In an operational audit for effectiveness and efficiency purposes, auditors also use tests of transactions at interim dates in order to reduce the amount of substantive testing of overall results to be done near the reporting date. 32
Overview of Steps in an Audit – Tests of Transactions • If the results of tests of transactions indicate that material losses have occurred or might occur or that financial information is or might be materially misstated, substantive tests of balances or overall results will be expanded. • Auditors can use expanded tests of balances or overall results to obtain a better estimate of the losses or misstatements that have occurred or might occur. 33
Overview of Steps in an Audit – Tests of Balances or Overall Result • Auditors conduct tests of balances or overall results to obtain sufficient evidence for making a final judgment on the extent of losses or account misstatements that occur when • the information systems function fails to safeguard assets, • maintain data integrity, • achieve system effectiveness and efficiency. 34
Overview of Steps in an Audit – Completion of the Audit • In the final phase of the audit, external auditors undertake several additional tests to bring the collection of evidence to a close. • They must then formulate an opinion about whether material losses or account misstatements have occurred and issue a report. • The professional standards in many countries require one of four types of opinion be issued: • Disclaimer of opinion: On the basis of the audit work conducted, the auditor is unable to reach an opinion. • Adverse opinion: The auditor concludes that material losses have occurred or that the financial statements are materially misstated. • Qualified opinion: The auditor concludes that losses have occurred or that the financial statements are misstated but that the amounts are not material. • Unqualified opinion: The auditor believes that no material losses or account misstatements have occurred. 35
Auditing Around or Through the Computer • When auditors come to the controls testing phase of an information systems audit, one of the major decisions they must make is whether to test controls by auditing around or through the computer. • The phrases "auditing around the computer" and "auditing through the computer" are carryovers from the past. • Debate on how much technical knowledge was required to audit computer systems. Two methods were formulated: • Auditors could evaluate computer systems simply by checking their input and output. • Internal workings of computer systems were examined and evaluated. • Both has its own merits and demerits and both are considered now for auditing. 36
Around the Computer • Auditing around the computer involves arriving at an audit opinion through examining and evaluating management controls and then input and output only for application systems. • Based on the quality of an application system's input and output, auditors infer the quality of the application system's processing. • The application system's processing is not examined directly. Instead, auditors view the computer as a black box. • Cost effective way if the SW used is one package. 37
Around the Computer • Auditors seek to ensure • the organization has not modified the package in any way, • adequate controls exist over the source code, object code, and documentation to prevent unauthorized modification of the package • high-quality controls exist over input to and output from the package. 38
Through the Computer • The Advantage of auditing through the computer is that auditors have increased power to test an application system effectively. • Increase their confidence in the reliability of the evidence collection and evaluation. • By directly examining the processing logic embedded within an application system auditors are better able to assess the system's ability to cope with change and the likelihood of losses or account misstatements arising in the future. • The approach has two disadvantages. • it can sometimes be costly • extensive technical expertise to understand how the system works 39
Through the Computer • They use the computer to test • the processing logic and controls existing within the system • the records produced by the system. 40
Thank You 41

Recommended

Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Sreekanth Narendran
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Sreekanth Narendran
 
Information System audit
Information System auditInformation System audit
Information System auditPratapchandra
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 

Recommended

Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Sreekanth Narendran
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Sreekanth Narendran
 
Information System audit
Information System auditInformation System audit
Information System auditPratapchandra
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controlsCenapSerdarolu
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksTommy Zul Hidayat
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment PresentationEMAC Consulting Group
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Cisa domain 1
Cisa domain 1 Cisa domain 1
Cisa domain 1 Ismail aboulezz
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Security audit
Security auditSecurity audit
Security auditRosaria Dee
 
3c 2 Information Systems Audit
3c 2 Information Systems Audit3c 2 Information Systems Audit
3c 2 Information Systems AuditRajeswaran Muthu Venkatachalam
 
Generalized audit-software
Generalized audit-softwareGeneralized audit-software
Generalized audit-softwarekzoe1996
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)bagarza
 
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...Ee Chuan Yoong
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 

More Related Content

What's hot

Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controlsCenapSerdarolu
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksTommy Zul Hidayat
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment PresentationEMAC Consulting Group
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Generalized audit-software
Generalized audit-softwareGeneralized audit-software
Generalized audit-softwarekzoe1996
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)bagarza
 
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...Ee Chuan Yoong
 

What's hot (20)

Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologies
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controls
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
03.2 application control
03.2 application control03.2 application control
03.2 application control
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment Presentation
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systems
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
Cisa domain 1
Cisa domain 1 Cisa domain 1
Cisa domain 1
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Security audit
Security auditSecurity audit
Security audit
 
3c 2 Information Systems Audit
3c 2 Information Systems Audit3c 2 Information Systems Audit
3c 2 Information Systems Audit
 
Generalized audit-software
Generalized audit-softwareGeneralized audit-software
Generalized audit-software
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)Audit evidence a framework (ppt ch7[1].pdf)
Audit evidence a framework (ppt ch7[1].pdf)
 
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
 

Similar to Conducting an Information Systems Audit

Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Technology Auditing, Assurance, Internal Control
Technology Auditing, Assurance, Internal ControlTechnology Auditing, Assurance, Internal Control
Technology Auditing, Assurance, Internal ControlZefren Edior
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Controlnellynljcoles
 
Risk Based Supervision file
Risk Based Supervision fileRisk Based Supervision file
Risk Based Supervision fileVithyea You
 
Audit Risk and Fraud
Audit Risk and FraudAudit Risk and Fraud
Audit Risk and FraudDwi Wahyu
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptxAral20101
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
Internal Control
Internal ControlInternal Control
Internal ControlSalih Islam
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 
CISA_WK_2.pptx
CISA_WK_2.pptxCISA_WK_2.pptx
CISA_WK_2.pptxdotco
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingPECB
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2 Jayant Dalvi
 

Similar to Conducting an Information Systems Audit (20)

Internal control system
Internal control systemInternal control system
Internal control system
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Technology Auditing, Assurance, Internal Control
Technology Auditing, Assurance, Internal ControlTechnology Auditing, Assurance, Internal Control
Technology Auditing, Assurance, Internal Control
 
Compliance
ComplianceCompliance
Compliance
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Control
 
Risk Based Supervision file
Risk Based Supervision fileRisk Based Supervision file
Risk Based Supervision file
 
Audit Risk and Fraud
Audit Risk and FraudAudit Risk and Fraud
Audit Risk and Fraud
 
Internal controls
Internal controlsInternal controls
Internal controls
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptx
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
Internal Control
Internal ControlInternal Control
Internal Control
 
IT Audit - Evolve and Stay in the Game
IT Audit - Evolve and Stay in the GameIT Audit - Evolve and Stay in the Game
IT Audit - Evolve and Stay in the Game
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
CISA_WK_2.pptx
CISA_WK_2.pptxCISA_WK_2.pptx
CISA_WK_2.pptx
 
Advance audit
Advance auditAdvance audit
Advance audit
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems Auditing
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2
 
Internal control
Internal controlInternal control
Internal control
 

More from Sreekanth Narendran

Transactional vs transformational leadership
Transactional vs transformational leadershipTransactional vs transformational leadership
Transactional vs transformational leadershipSreekanth Narendran
 
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.Sreekanth Narendran
 

More from Sreekanth Narendran (17)

Quantum cryptography
Quantum cryptographyQuantum cryptography
Quantum cryptography
 
Nmap
NmapNmap
Nmap
 
Transactional vs transformational leadership
Transactional vs transformational leadershipTransactional vs transformational leadership
Transactional vs transformational leadership
 
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
 
Web services for banks
Web services for banksWeb services for banks
Web services for banks
 
Virus vs worms vs trojans
Virus vs worms vs trojansVirus vs worms vs trojans
Virus vs worms vs trojans
 
Business process reengineering
Business process reengineeringBusiness process reengineering
Business process reengineering
 
Hash cat
Hash catHash cat
Hash cat
 
Phishing
PhishingPhishing
Phishing
 
International banking
International bankingInternational banking
International banking
 
Master Data Management
Master Data ManagementMaster Data Management
Master Data Management
 
Maltego Information Gathering
Maltego Information Gathering Maltego Information Gathering
Maltego Information Gathering
 
Leadership traits
Leadership traitsLeadership traits
Leadership traits
 
Network Miner Network forensics
Network Miner Network forensicsNetwork Miner Network forensics
Network Miner Network forensics
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Organizational development
Organizational developmentOrganizational development
Organizational development
 
Indigo Case study
Indigo Case study Indigo Case study
Indigo Case study
 

Recently uploaded

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 

Recently uploaded (20)

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 

Conducting an Information Systems Audit

  • 1. Chapter 2 Conducting an Information Systems Audit Sreekanth N 1
  • 2. Contents • Introduction • The big Question • Learning objectives • Nature of controls • Dealing with complexity • Audit Risks • Types of Audit Procedures • Overview of Steps in an Audit • Auditing Around or Through the computer. 2
  • 3. Introduction • Auditors can perform a detailed audit in small organizations. • All organizations are of not the same size. • Auditing in big organizations are difficult. • Detailed check on data process inside IS systems become complex. • Auditors resort to sampling. 3
  • 4. The big question? • How can an auditor perform IS audit so that they obtain reasonable assurance that an organization safeguards its data-processing assets, maintains data integrity, and achieve system effectiveness and efficiency ? 4
  • 5. Learning Objectives • Learn the general approach followed for information systems audit. • Learn the nature of controls. • Learn techniques for simplifying complexity encountered while making evaluation judgements or computer-based information systems. • Learn the basic risks auditors face and the type of audit procedures used to control and asses these risks. • Finally we examine a major decision auditors must make while doing an IS audit. 5
  • 6. Attestation vs Audit • Attestation: An attestation is a type of engagement in which an attester (auditor,practitioner,accountant) provides a report as to whether an assertion (made by an asserter management) has been prepared in conformity with the appropriate criteria. • Attestations include financial statement audits, reporting on forecasts, projections, pro-forma information, effectiveness of internal control etc. • Attestation Standards apply only to situations not addressed by other professional standards. • Audit: An audit is a type of attest function in which an auditor provides an independent opinion (positive assurance) about whether management (asserter) has prepared financial statements in conformity with an applicable financial reporting framework (criteria). 6
  • 7. Nature of controls • A control is a system that prevents, detects, or correct unlawful events. • System – Set of interrelated components working together to achieve some overall purpose • Unlawful event- Arises if unauthorized, in accurate, incomplete, redundant, ineffective, or inefficient input enters the system. • Preventive control • Detective control • Corrective control 7
  • 8. Dealing with Complexity • Conducting an IS audit is an exercise in dealing with complexity. • Because complexity is the root cause of problems face by many professionals two guidelines have been developed in IS audit. 1. Given the purpose of IS audit, factor the system to be evaluated into subsystems. 2. Determine the reliability of each subsystem and implications of each subsystems level of reliability for the overall reliability of the system. 8
  • 9. Dealing with Complexity –> Subsystem Factoring • Subsystem performs basic function and are logical components • Factoring – Decomposing a system into subsystems (iterative process) • Systems theory gives two guidelines to identify and delineate subsystems • should be relatively independent • should be internally cohesive • Auditors have recognized some systems cannot be audited based on these. • Over time two methodologies were developed to factor systems. 9
  • 10. Dealing with Complexity –> Subsystem Factoring IS Function Application subsystems Application systems Cycles Management subsystems Management systems 10
  • 11. Dealing with Complexity –> Subsystem Factoring –> Management subsystems • Based on managerial functions that must be performed to ensure that development, implementation, operation and maintenance of IS proceed in planned and controlled manner. • Managerial systems function to provide a stable infrastructure in which information systems can be built, operated and maintained on a day to day basis. • Some of the management subsystems are : Top management, IS management, Systems development management, Programming management, Data administration, Quality assurance, Security administration, Operations management 11
  • 12. Dealing with Complexity –> Subsystem Factoring –> Application Subsystems • Based of cycles approach. • IS systems are grouped into cycles. • Examples of cycles : Sales and collection, payroll and personnel, acquisition and payments, inventory etc. • Each cycle is then factored into application subsystems. • Application systems into application subsystems. • Application Subsystems can includes Boundary, Input, Communication, Processing, Database, Output 12
  • 13. Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Beginning with the lowest-level subsystems, all the different types of lawful and unlawful events that can occur to the system are identified. • Primary concern are unlawful events. • To identify we focus on the major functions each subsystem performs. • As a basis we focus on (walk-through technique) • the transactions that can occur as an input to the subsystem as all events arise from a transaction. • How the subsystem processes this transaction and understand each processing step. 13
  • 14. Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Costly to trace each transaction. • Auditors focus on classes. • Group similar transactions into classes and analyze it. • When events are identified auditors evaluate if controls are in place. • They collect evidence on the controls and see if the losses are reduced to acceptable levels. • Errors made at one level can propagate to higher levels 14
  • 15. Audit Risks • Systems auditors are concerned with four objectives: • Asset safeguarding • Data integrity • System effectiveness • System efficiency • Auditors are concerned with whether errors or irregularities cause material losses or material misstatements in the financial information • Because of test nature of auditing, auditors might fail to detect real or potential material losses and account misstatements. 15
  • 16. Audit Risks • The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit is called the audit risk. • Auditors choose an audit approach and design audit procedures in an attempt to reduce this risk to a level deemed acceptable. • For determining desired audit risk following audit risk model is adopted : DAR = IR x CR x DR • DAR is the desired audit risk • IR is the inherent risk, likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered. • CR is the control risk, likelihood that internal controls in some segment of the audit will not prevent, detect, or correct material losses or account misstatements that arise. • DR is the detection risk, the audit procedures used in some segment Of the audit will fail to detect material losses or account misstatements. 16
  • 17. Audit Risks • To apply the model, auditors first choose their level of desired audit risk. • Auditors consider such factors as the level of reliance external parties are likely to place on the financial statements, the likelihood of the organization encountering financial difficulties subsequent to the audit, they assess the short- and long-run consequences for their organizations if they fail to detect real or potential material losses from ineffective or inefficient operations. • Next auditors consider the level of inherent risk. Initially auditors consider general factors such as • the nature of the organization, • the industry in which it operates, • the characteristics of management, and accounting and auditing concerns. 17
  • 18. Audit Risks Inherent Risk in Financial System • Those that usually provide financial control over the major assets of an organization : • cash receipts and disbursements, • payroll, • accounts receivable and payable—often have higher inherent risk. • Because they are frequently the target of fraud. 18
  • 19. Audit Risks • To assess the level of control risk associated with a segment of the audit, auditors consider the reliability of both management and application controls. • Auditors usually identify and evaluate controls in management subsystems first. • Management (subsystem) controls are fundamental controls because they cover all application systems. • Thus, the absence of a management control is a serious concern for auditors. • Next auditors calculate the level of detection risk they must attain to achieve their desired audit risk. They then design evidence collection procedures in an attempt to achieve this level of detection risk. 19
  • 20. Audit Risks • The whole point in considering the audit risk model is that audit efforts should be focused where they will have the highest payoffs. • In most cases auditors cannot collect evidence to the extent they would like. • Accordingly, they must be judicious in terms of where they apply their audit procedures and how they interpret the evidence they collect. 20
  • 21. Types of Audit Procedures When external auditors gather evidence to determine whether material losses have occurred or financial information has been materially misstated, they use five types Of procedures: • Procedures to obtain an understanding of controls: Inquiries, inspections, and observations can be used to gain an understanding Of what controls supposedly exist, how well they have been designed, and whether they have been placed in operation. • Tests of controls: Inquiries, inspections, observations, and performance of control procedures can be used to evaluate whether controls are operating effectively. • Substantive tests of details of transactions: These tests are designed to detect dollar errors or irregularities in transactions that would affect the financial statements. 21
  • 22. Types of Audit Procedures • Substantive tests of details of account balances: These tests focus on the ending general ledger balances in the balance sheet and income statement. • Analytical review procedures: These tests focus on relationships among data items with the objective of identifying areas that require further audit work. • Auditors usually carry out the less costly audit procedures first in the hope the evidence obtained from these procedures indicates it is unlikely a material loss or material misstatement has occurred or will occur. If this outcome arises, auditors can alter the nature, timing, and extent of the more costly tests used. 22
  • 23. Overview of Steps in an Audit Start Stop Obtain Understanding Of control structure Assess control risk Preliminary Audit work Reassess Control risk Tests of controls Limited Substantive testing Extended Substantive testing Form audit Opinion and Issue report Rely on Controls ? Increase Reliance on Controls ? Still Rely on Control ? no Yes no yes no yes Major Steps to be undertaken in an audit 23
  • 24. Overview of Steps in an Audit – Planning audit • Planning is the first phase of an audit. • For External auditor - investigating new and continuing clients to determine whether the audit engagement should be accepted, assigning appropriate staff to the audit, obtaining an engagement letter, obtaining background information on the client, understanding the client's legal obligations, and undertaking analytical review procedures to understand the client's business better and identify areas of risk in the audit • For an internal auditor -understanding the objectives to be accomplished in the audit, obtaining background information, assigning appropriate staff, and identifying areas of risk. 24
  • 25. Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Control Environment - Elements that establish the control Context in which specific accounting systems and control procedures must operate. • Risk Assessment - Elements that identify and analyze the risks faced by an Organization and the ways these risks can be managed. • Control Activities - Elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks on performance and valuation of recorded amounts occur. 25
  • 26. Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Information and Communication-Elements in which information is identified, captured, and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities properly. • Monitoring- Elements that ensure internal controls operate reliably over time. 26
  • 27. Overview of Steps in an Audit – Planning audit • After auditors obtain an understanding of the internal controls, they then must determine the control risk in relation to each assertion: • If auditors assess control risk at less than the maximum level, they must then identify the material controls that relate to the assertion and test the controls to evaluate whether they are operating effectively. • If auditors assess control risk at the maximum level, they do not test controls; they might conclude that internal controls are unlikely to be effective and therefore cannot be relied upon or that a more effective and efficient audit can be conducted using a substantive approach. 27
  • 28. Overview of Steps in an Audit – Tests of Controls • Auditors test controls when they assess the control risk for an assertion at less than the maximum level. • They rely on controls as a basis for reducing more costly testing. • Tests of controls evaluate whether specific, material controls are reliable. • This phase usually begins by again focusing first on management controls. • If testing shows that, contrary to expectations, management controls are not operating reliably, there might be little point to testing application controls. • If auditors identify serious management-control weaknesses, they might have to issue an adverse opinion or undertake substantive tests of transactions and balances or overall results. • Auditors conduct the evaluation iteratively for each management subsystem and each application subsystem that is important. 28
  • 29. Overview of Steps in an Audit – Tests of Controls • If auditors conclude that management controls are in place and working satisfactorily, they then would evaluate the reliability of application controls. • For each transaction considered, auditors evaluate whether the control is operating effectively. 29
  • 30. Overview of Steps in an Audit – Tests of Controls • After auditors have completed tests of controls, they again assess control risk. • After the test results, auditors might conclude that internal controls are stronger or weaker than initially anticipated. • They might also conclude that it is worthwhile to perform more tests of controls with a view to further reducing the further testing. • Accordingly, auditors conclude control risk has decreased and seek further evidence to support this assessment. 30
  • 31. Overview of Steps in an Audit – Tests of Transactions • Auditors use tests of transactions to evaluate whether erroneous or irregular processing of a transaction has led to a material misstatement of financial information. • Typical attest tests of transactions include • tracing journal entries to their source documents, • examining price files for propriety, and • testing computational accuracy. • Ex : Auditors usually use generalized audit software to check whether the interest paid on bank accounts has been calculated correctly. • From an operational perspective, auditors use tests of transactions to evaluate whether transactions or events have been handled effectively and efficiently. 31
  • 32. Overview of Steps in an Audit – Tests of Transactions • In an attest audit, auditors conduct tests of transactions at interim dates in order to reduce the amount of substantive tests of balances to be done at financial year end and thus to reduce the overall costs of the audit. • In an operational audit for effectiveness and efficiency purposes, auditors also use tests of transactions at interim dates in order to reduce the amount of substantive testing of overall results to be done near the reporting date. 32
  • 33. Overview of Steps in an Audit – Tests of Transactions • If the results of tests of transactions indicate that material losses have occurred or might occur or that financial information is or might be materially misstated, substantive tests of balances or overall results will be expanded. • Auditors can use expanded tests of balances or overall results to obtain a better estimate of the losses or misstatements that have occurred or might occur. 33
  • 34. Overview of Steps in an Audit – Tests of Balances or Overall Result • Auditors conduct tests of balances or overall results to obtain sufficient evidence for making a final judgment on the extent of losses or account misstatements that occur when • the information systems function fails to safeguard assets, • maintain data integrity, • achieve system effectiveness and efficiency. 34
  • 35. Overview of Steps in an Audit – Completion of the Audit • In the final phase of the audit, external auditors undertake several additional tests to bring the collection of evidence to a close. • They must then formulate an opinion about whether material losses or account misstatements have occurred and issue a report. • The professional standards in many countries require one of four types of opinion be issued: • Disclaimer of opinion: On the basis of the audit work conducted, the auditor is unable to reach an opinion. • Adverse opinion: The auditor concludes that material losses have occurred or that the financial statements are materially misstated. • Qualified opinion: The auditor concludes that losses have occurred or that the financial statements are misstated but that the amounts are not material. • Unqualified opinion: The auditor believes that no material losses or account misstatements have occurred. 35
  • 36. Auditing Around or Through the Computer • When auditors come to the controls testing phase of an information systems audit, one of the major decisions they must make is whether to test controls by auditing around or through the computer. • The phrases "auditing around the computer" and "auditing through the computer" are carryovers from the past. • Debate on how much technical knowledge was required to audit computer systems. Two methods were formulated: • Auditors could evaluate computer systems simply by checking their input and output. • Internal workings of computer systems were examined and evaluated. • Both has its own merits and demerits and both are considered now for auditing. 36
  • 37. Around the Computer • Auditing around the computer involves arriving at an audit opinion through examining and evaluating management controls and then input and output only for application systems. • Based on the quality of an application system's input and output, auditors infer the quality of the application system's processing. • The application system's processing is not examined directly. Instead, auditors view the computer as a black box. • Cost effective way if the SW used is one package. 37
  • 38. Around the Computer • Auditors seek to ensure • the organization has not modified the package in any way, • adequate controls exist over the source code, object code, and documentation to prevent unauthorized modification of the package • high-quality controls exist over input to and output from the package. 38
  • 39. Through the Computer • The Advantage of auditing through the computer is that auditors have increased power to test an application system effectively. • Increase their confidence in the reliability of the evidence collection and evaluation. • By directly examining the processing logic embedded within an application system auditors are better able to assess the system's ability to cope with change and the likelihood of losses or account misstatements arising in the future. • The approach has two disadvantages. • it can sometimes be costly • extensive technical expertise to understand how the system works 39
  • 40. Through the Computer • They use the computer to test • the processing logic and controls existing within the system • the records produced by the system. 40