SN
Uploaded bySreekanth Narendran
PPTX, PDF1,786 views

Conducting an Information Systems Audit

Chapter 2 discusses conducting an information systems audit, focusing on the complexities and risks auditors face while evaluating data processing systems in various organizational contexts. It covers the importance of internal controls, the audit risk model, types of audit procedures, and the methodologies for auditing through or around the computer. The document emphasizes the structured approach auditors must take to ensure data integrity, asset safeguarding, and system effectiveness.

Engineering
Related topics:
Information Systems

Embed presentation

Downloaded 43 times
Chapter 2 Conducting an Information Systems Audit Sreekanth N 1
Contents • Introduction • The big Question • Learning objectives • Nature of controls • Dealing with complexity • Audit Risks • Types of Audit Procedures • Overview of Steps in an Audit • Auditing Around or Through the computer. 2
Introduction • Auditors can perform a detailed audit in small organizations. • All organizations are of not the same size. • Auditing in big organizations are difficult. • Detailed check on data process inside IS systems become complex. • Auditors resort to sampling. 3
The big question? • How can an auditor perform IS audit so that they obtain reasonable assurance that an organization safeguards its data-processing assets, maintains data integrity, and achieve system effectiveness and efficiency ? 4
Learning Objectives • Learn the general approach followed for information systems audit. • Learn the nature of controls. • Learn techniques for simplifying complexity encountered while making evaluation judgements or computer-based information systems. • Learn the basic risks auditors face and the type of audit procedures used to control and asses these risks. • Finally we examine a major decision auditors must make while doing an IS audit. 5
Attestation vs Audit • Attestation: An attestation is a type of engagement in which an attester (auditor,practitioner,accountant) provides a report as to whether an assertion (made by an asserter management) has been prepared in conformity with the appropriate criteria. • Attestations include financial statement audits, reporting on forecasts, projections, pro-forma information, effectiveness of internal control etc. • Attestation Standards apply only to situations not addressed by other professional standards. • Audit: An audit is a type of attest function in which an auditor provides an independent opinion (positive assurance) about whether management (asserter) has prepared financial statements in conformity with an applicable financial reporting framework (criteria). 6
Nature of controls • A control is a system that prevents, detects, or correct unlawful events. • System – Set of interrelated components working together to achieve some overall purpose • Unlawful event- Arises if unauthorized, in accurate, incomplete, redundant, ineffective, or inefficient input enters the system. • Preventive control • Detective control • Corrective control 7
Dealing with Complexity • Conducting an IS audit is an exercise in dealing with complexity. • Because complexity is the root cause of problems face by many professionals two guidelines have been developed in IS audit. 1. Given the purpose of IS audit, factor the system to be evaluated into subsystems. 2. Determine the reliability of each subsystem and implications of each subsystems level of reliability for the overall reliability of the system. 8
Dealing with Complexity –> Subsystem Factoring • Subsystem performs basic function and are logical components • Factoring – Decomposing a system into subsystems (iterative process) • Systems theory gives two guidelines to identify and delineate subsystems • should be relatively independent • should be internally cohesive • Auditors have recognized some systems cannot be audited based on these. • Over time two methodologies were developed to factor systems. 9
Dealing with Complexity –> Subsystem Factoring IS Function Application subsystems Application systems Cycles Management subsystems Management systems 10
Dealing with Complexity –> Subsystem Factoring –> Management subsystems • Based on managerial functions that must be performed to ensure that development, implementation, operation and maintenance of IS proceed in planned and controlled manner. • Managerial systems function to provide a stable infrastructure in which information systems can be built, operated and maintained on a day to day basis. • Some of the management subsystems are : Top management, IS management, Systems development management, Programming management, Data administration, Quality assurance, Security administration, Operations management 11
Dealing with Complexity –> Subsystem Factoring –> Application Subsystems • Based of cycles approach. • IS systems are grouped into cycles. • Examples of cycles : Sales and collection, payroll and personnel, acquisition and payments, inventory etc. • Each cycle is then factored into application subsystems. • Application systems into application subsystems. • Application Subsystems can includes Boundary, Input, Communication, Processing, Database, Output 12
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Beginning with the lowest-level subsystems, all the different types of lawful and unlawful events that can occur to the system are identified. • Primary concern are unlawful events. • To identify we focus on the major functions each subsystem performs. • As a basis we focus on (walk-through technique) • the transactions that can occur as an input to the subsystem as all events arise from a transaction. • How the subsystem processes this transaction and understand each processing step. 13
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability • Costly to trace each transaction. • Auditors focus on classes. • Group similar transactions into classes and analyze it. • When events are identified auditors evaluate if controls are in place. • They collect evidence on the controls and see if the losses are reduced to acceptable levels. • Errors made at one level can propagate to higher levels 14
Audit Risks • Systems auditors are concerned with four objectives: • Asset safeguarding • Data integrity • System effectiveness • System efficiency • Auditors are concerned with whether errors or irregularities cause material losses or material misstatements in the financial information • Because of test nature of auditing, auditors might fail to detect real or potential material losses and account misstatements. 15
Audit Risks • The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit is called the audit risk. • Auditors choose an audit approach and design audit procedures in an attempt to reduce this risk to a level deemed acceptable. • For determining desired audit risk following audit risk model is adopted : DAR = IR x CR x DR • DAR is the desired audit risk • IR is the inherent risk, likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered. • CR is the control risk, likelihood that internal controls in some segment of the audit will not prevent, detect, or correct material losses or account misstatements that arise. • DR is the detection risk, the audit procedures used in some segment Of the audit will fail to detect material losses or account misstatements. 16
Audit Risks • To apply the model, auditors first choose their level of desired audit risk. • Auditors consider such factors as the level of reliance external parties are likely to place on the financial statements, the likelihood of the organization encountering financial difficulties subsequent to the audit, they assess the short- and long-run consequences for their organizations if they fail to detect real or potential material losses from ineffective or inefficient operations. • Next auditors consider the level of inherent risk. Initially auditors consider general factors such as • the nature of the organization, • the industry in which it operates, • the characteristics of management, and accounting and auditing concerns. 17
Audit Risks Inherent Risk in Financial System • Those that usually provide financial control over the major assets of an organization : • cash receipts and disbursements, • payroll, • accounts receivable and payable—often have higher inherent risk. • Because they are frequently the target of fraud. 18
Audit Risks • To assess the level of control risk associated with a segment of the audit, auditors consider the reliability of both management and application controls. • Auditors usually identify and evaluate controls in management subsystems first. • Management (subsystem) controls are fundamental controls because they cover all application systems. • Thus, the absence of a management control is a serious concern for auditors. • Next auditors calculate the level of detection risk they must attain to achieve their desired audit risk. They then design evidence collection procedures in an attempt to achieve this level of detection risk. 19
Audit Risks • The whole point in considering the audit risk model is that audit efforts should be focused where they will have the highest payoffs. • In most cases auditors cannot collect evidence to the extent they would like. • Accordingly, they must be judicious in terms of where they apply their audit procedures and how they interpret the evidence they collect. 20
Types of Audit Procedures When external auditors gather evidence to determine whether material losses have occurred or financial information has been materially misstated, they use five types Of procedures: • Procedures to obtain an understanding of controls: Inquiries, inspections, and observations can be used to gain an understanding Of what controls supposedly exist, how well they have been designed, and whether they have been placed in operation. • Tests of controls: Inquiries, inspections, observations, and performance of control procedures can be used to evaluate whether controls are operating effectively. • Substantive tests of details of transactions: These tests are designed to detect dollar errors or irregularities in transactions that would affect the financial statements. 21
Types of Audit Procedures • Substantive tests of details of account balances: These tests focus on the ending general ledger balances in the balance sheet and income statement. • Analytical review procedures: These tests focus on relationships among data items with the objective of identifying areas that require further audit work. • Auditors usually carry out the less costly audit procedures first in the hope the evidence obtained from these procedures indicates it is unlikely a material loss or material misstatement has occurred or will occur. If this outcome arises, auditors can alter the nature, timing, and extent of the more costly tests used. 22
Overview of Steps in an Audit Start Stop Obtain Understanding Of control structure Assess control risk Preliminary Audit work Reassess Control risk Tests of controls Limited Substantive testing Extended Substantive testing Form audit Opinion and Issue report Rely on Controls ? Increase Reliance on Controls ? Still Rely on Control ? no Yes no yes no yes Major Steps to be undertaken in an audit 23
Overview of Steps in an Audit – Planning audit • Planning is the first phase of an audit. • For External auditor - investigating new and continuing clients to determine whether the audit engagement should be accepted, assigning appropriate staff to the audit, obtaining an engagement letter, obtaining background information on the client, understanding the client's legal obligations, and undertaking analytical review procedures to understand the client's business better and identify areas of risk in the audit • For an internal auditor -understanding the objectives to be accomplished in the audit, obtaining background information, assigning appropriate staff, and identifying areas of risk. 24
Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Control Environment - Elements that establish the control Context in which specific accounting systems and control procedures must operate. • Risk Assessment - Elements that identify and analyze the risks faced by an Organization and the ways these risks can be managed. • Control Activities - Elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks on performance and valuation of recorded amounts occur. 25
Overview of Steps in an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Information and Communication-Elements in which information is identified, captured, and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities properly. • Monitoring- Elements that ensure internal controls operate reliably over time. 26
Overview of Steps in an Audit – Planning audit • After auditors obtain an understanding of the internal controls, they then must determine the control risk in relation to each assertion: • If auditors assess control risk at less than the maximum level, they must then identify the material controls that relate to the assertion and test the controls to evaluate whether they are operating effectively. • If auditors assess control risk at the maximum level, they do not test controls; they might conclude that internal controls are unlikely to be effective and therefore cannot be relied upon or that a more effective and efficient audit can be conducted using a substantive approach. 27
Overview of Steps in an Audit – Tests of Controls • Auditors test controls when they assess the control risk for an assertion at less than the maximum level. • They rely on controls as a basis for reducing more costly testing. • Tests of controls evaluate whether specific, material controls are reliable. • This phase usually begins by again focusing first on management controls. • If testing shows that, contrary to expectations, management controls are not operating reliably, there might be little point to testing application controls. • If auditors identify serious management-control weaknesses, they might have to issue an adverse opinion or undertake substantive tests of transactions and balances or overall results. • Auditors conduct the evaluation iteratively for each management subsystem and each application subsystem that is important. 28
Overview of Steps in an Audit – Tests of Controls • If auditors conclude that management controls are in place and working satisfactorily, they then would evaluate the reliability of application controls. • For each transaction considered, auditors evaluate whether the control is operating effectively. 29
Overview of Steps in an Audit – Tests of Controls • After auditors have completed tests of controls, they again assess control risk. • After the test results, auditors might conclude that internal controls are stronger or weaker than initially anticipated. • They might also conclude that it is worthwhile to perform more tests of controls with a view to further reducing the further testing. • Accordingly, auditors conclude control risk has decreased and seek further evidence to support this assessment. 30
Overview of Steps in an Audit – Tests of Transactions • Auditors use tests of transactions to evaluate whether erroneous or irregular processing of a transaction has led to a material misstatement of financial information. • Typical attest tests of transactions include • tracing journal entries to their source documents, • examining price files for propriety, and • testing computational accuracy. • Ex : Auditors usually use generalized audit software to check whether the interest paid on bank accounts has been calculated correctly. • From an operational perspective, auditors use tests of transactions to evaluate whether transactions or events have been handled effectively and efficiently. 31
Overview of Steps in an Audit – Tests of Transactions • In an attest audit, auditors conduct tests of transactions at interim dates in order to reduce the amount of substantive tests of balances to be done at financial year end and thus to reduce the overall costs of the audit. • In an operational audit for effectiveness and efficiency purposes, auditors also use tests of transactions at interim dates in order to reduce the amount of substantive testing of overall results to be done near the reporting date. 32
Overview of Steps in an Audit – Tests of Transactions • If the results of tests of transactions indicate that material losses have occurred or might occur or that financial information is or might be materially misstated, substantive tests of balances or overall results will be expanded. • Auditors can use expanded tests of balances or overall results to obtain a better estimate of the losses or misstatements that have occurred or might occur. 33
Overview of Steps in an Audit – Tests of Balances or Overall Result • Auditors conduct tests of balances or overall results to obtain sufficient evidence for making a final judgment on the extent of losses or account misstatements that occur when • the information systems function fails to safeguard assets, • maintain data integrity, • achieve system effectiveness and efficiency. 34
Overview of Steps in an Audit – Completion of the Audit • In the final phase of the audit, external auditors undertake several additional tests to bring the collection of evidence to a close. • They must then formulate an opinion about whether material losses or account misstatements have occurred and issue a report. • The professional standards in many countries require one of four types of opinion be issued: • Disclaimer of opinion: On the basis of the audit work conducted, the auditor is unable to reach an opinion. • Adverse opinion: The auditor concludes that material losses have occurred or that the financial statements are materially misstated. • Qualified opinion: The auditor concludes that losses have occurred or that the financial statements are misstated but that the amounts are not material. • Unqualified opinion: The auditor believes that no material losses or account misstatements have occurred. 35
Auditing Around or Through the Computer • When auditors come to the controls testing phase of an information systems audit, one of the major decisions they must make is whether to test controls by auditing around or through the computer. • The phrases "auditing around the computer" and "auditing through the computer" are carryovers from the past. • Debate on how much technical knowledge was required to audit computer systems. Two methods were formulated: • Auditors could evaluate computer systems simply by checking their input and output. • Internal workings of computer systems were examined and evaluated. • Both has its own merits and demerits and both are considered now for auditing. 36
Around the Computer • Auditing around the computer involves arriving at an audit opinion through examining and evaluating management controls and then input and output only for application systems. • Based on the quality of an application system's input and output, auditors infer the quality of the application system's processing. • The application system's processing is not examined directly. Instead, auditors view the computer as a black box. • Cost effective way if the SW used is one package. 37
Around the Computer • Auditors seek to ensure • the organization has not modified the package in any way, • adequate controls exist over the source code, object code, and documentation to prevent unauthorized modification of the package • high-quality controls exist over input to and output from the package. 38
Through the Computer • The Advantage of auditing through the computer is that auditors have increased power to test an application system effectively. • Increase their confidence in the reliability of the evidence collection and evaluation. • By directly examining the processing logic embedded within an application system auditors are better able to assess the system's ability to cope with change and the likelihood of losses or account misstatements arising in the future. • The approach has two disadvantages. • it can sometimes be costly • extensive technical expertise to understand how the system works 39
Through the Computer • They use the computer to test • the processing logic and controls existing within the system • the records produced by the system. 40
Thank You 41

More Related Content

PPTX
Overview-of-an-IT-Audit-Lesson-1.pptx
byJoshJaro
 
PPT
Introduction to it auditing
byDamilola Mosaku
 
PDF
Information Technology Control and Audit.pdf
byMaicolcastellanos2
 
PPTX
Information Systems Audit - Ron Weber chapter 1
bySreekanth Narendran
 
PPTX
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
bySreekanth Narendran
 
PPTX
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
bySreekanth Narendran
 
PPTX
Information System audit
byPratapchandra
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
Overview-of-an-IT-Audit-Lesson-1.pptx
byJoshJaro
 
Introduction to it auditing
byDamilola Mosaku
 
Information Technology Control and Audit.pdf
byMaicolcastellanos2
 
Information Systems Audit - Ron Weber chapter 1
bySreekanth Narendran
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
bySreekanth Narendran
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
bySreekanth Narendran
 
Information System audit
byPratapchandra
 
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 

What's hot

PDF
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
PPT
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
PDF
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
PDF
Control and audit of information System (hendri eka saputra)
byHendri Eka Saputra
 
PPT
Security audit
byRosaria Dee
 
PDF
Auditing application controls
byCenapSerdarolu
 
PPTX
03.2 application control
byMulyadi Yusuf
 
PDF
Steps in it audit
bykinjalmkothari92
 
PPT
Auditing In Computer Environment Presentation
byEMAC Consulting Group
 
PPTX
Auditing SOX ITGC Compliance
byseanpizzy
 
PPTX
Governance, risk and compliance framework
byCeyeap
 
PPT
Auditing sampling presentation
byDominic Korkoryi
 
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
PPTX
Chapter 1 auditing and internal control
byjayussuryawan
 
PPTX
Information system audit
byJayant Dalvi
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PDF
Cyber Security Governance
byPriyanka Aash
 
PPTX
Information System Architecture and Audit Control Lecture 1
byYasir Khan
 
PPTX
IT General Controls
byCicero Ray Rufino
 
PPTX
IT Audit For Non-IT Auditors
byEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
Control and audit of information System (hendri eka saputra)
byHendri Eka Saputra
 
Security audit
byRosaria Dee
 
Auditing application controls
byCenapSerdarolu
 
03.2 application control
byMulyadi Yusuf
 
Steps in it audit
bykinjalmkothari92
 
Auditing In Computer Environment Presentation
byEMAC Consulting Group
 
Auditing SOX ITGC Compliance
byseanpizzy
 
Governance, risk and compliance framework
byCeyeap
 
Auditing sampling presentation
byDominic Korkoryi
 
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
Chapter 1 auditing and internal control
byjayussuryawan
 
Information system audit
byJayant Dalvi
 
IT System & Security Audit
byMufaddal Nullwala
 
Cyber Security Governance
byPriyanka Aash
 
Information System Architecture and Audit Control Lecture 1
byYasir Khan
 
IT General Controls
byCicero Ray Rufino
 
IT Audit For Non-IT Auditors
byEd Tobias
 

Similar to Conducting an Information Systems Audit

PPT
1auditconcepts
byShubham Raj
 
PPTX
module_1.pptx
byssuser432862
 
PDF
Chapter 7
byEasyStudy3
 
PDF
Chapter 7
byEasyStudy3
 
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bymuhbetpbh
 
DOCX
Chapter 9Audit Risk AssessmentPrepared by Dr Phil Saj1.docx
bymccormicknadine86
 
PPTX
Week 4 Audit planning and Client evaluation and audit risk assessment.pptx
bytoammel
 
PDF
Internal control
bySALIH AHMED ISLAM
 
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bynoevjka97
 
PPTX
Final (international standard on auditing 315)
byUsama Abid
 
PPT
03 Auditing CH 3.ppt materials for audit
bynewaybeyene5
 
PDF
Auditing An International Approach 8th Edition Smieliauskas Solutions Manual
byepleyschumsu
 
DOC
Ch05 studyguide
byamsultan11
 
PPTX
AUDIT-PLANNING.pptx
byKennethNinalga
 
PPTX
audit-planning,steps in the planning,importance and materiality
byDr Yogita Wagh
 
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bydtzyhwofd798
 
PDF
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
byradoclamyawt
 
PDF
Auditing: A Risk Based-Approach 11th Edition Johnstone-Zehms - eBook PDF
bykansiagansiu
 
PPT
audit planning and risk assessment new slides.ppt
byAdeelAhmad724104
 
PPT
Financial accounting Presentation of ISA .ppt
byShakhawatRony1
 
1auditconcepts
byShubham Raj
 
module_1.pptx
byssuser432862
 
Chapter 7
byEasyStudy3
 
Chapter 7
byEasyStudy3
 
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bymuhbetpbh
 
Chapter 9Audit Risk AssessmentPrepared by Dr Phil Saj1.docx
bymccormicknadine86
 
Week 4 Audit planning and Client evaluation and audit risk assessment.pptx
bytoammel
 
Internal control
bySALIH AHMED ISLAM
 
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bynoevjka97
 
Final (international standard on auditing 315)
byUsama Abid
 
03 Auditing CH 3.ppt materials for audit
bynewaybeyene5
 
Auditing An International Approach 8th Edition Smieliauskas Solutions Manual
byepleyschumsu
 
Ch05 studyguide
byamsultan11
 
AUDIT-PLANNING.pptx
byKennethNinalga
 
audit-planning,steps in the planning,importance and materiality
byDr Yogita Wagh
 
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
bydtzyhwofd798
 
Solution Manual For AUDITING ASSURANCE SERVICES by William F. Messier Steven ...
byradoclamyawt
 
Auditing: A Risk Based-Approach 11th Edition Johnstone-Zehms - eBook PDF
bykansiagansiu
 
audit planning and risk assessment new slides.ppt
byAdeelAhmad724104
 
Financial accounting Presentation of ISA .ppt
byShakhawatRony1
 

More from Sreekanth Narendran

PPTX
Quantum cryptography
bySreekanth Narendran
 
PPTX
Nmap
bySreekanth Narendran
 
PPTX
Transactional vs transformational leadership
bySreekanth Narendran
 
PPTX
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
bySreekanth Narendran
 
PPTX
Web services for banks
bySreekanth Narendran
 
PPTX
Virus vs worms vs trojans
bySreekanth Narendran
 
PPT
Business process reengineering
bySreekanth Narendran
 
PPTX
Hash cat
bySreekanth Narendran
 
PPTX
Phishing
bySreekanth Narendran
 
PPTX
International banking
bySreekanth Narendran
 
PPTX
Master Data Management
bySreekanth Narendran
 
PPTX
Maltego Information Gathering
bySreekanth Narendran
 
PPTX
Leadership traits
bySreekanth Narendran
 
PPTX
Network Miner Network forensics
bySreekanth Narendran
 
PPTX
Autopsy Digital forensics tool
bySreekanth Narendran
 
PPTX
Organizational development
bySreekanth Narendran
 
PPTX
Indigo Case study
bySreekanth Narendran
 
Quantum cryptography
bySreekanth Narendran
 
Nmap
bySreekanth Narendran
 
Transactional vs transformational leadership
bySreekanth Narendran
 
ECGC, Exim Bank, RBI, FEDAI, FEMA and SWIFT.
bySreekanth Narendran
 
Web services for banks
bySreekanth Narendran
 
Virus vs worms vs trojans
bySreekanth Narendran
 
Business process reengineering
bySreekanth Narendran
 
Hash cat
bySreekanth Narendran
 
Phishing
bySreekanth Narendran
 
International banking
bySreekanth Narendran
 
Master Data Management
bySreekanth Narendran
 
Maltego Information Gathering
bySreekanth Narendran
 
Leadership traits
bySreekanth Narendran
 
Network Miner Network forensics
bySreekanth Narendran
 
Autopsy Digital forensics tool
bySreekanth Narendran
 
Organizational development
bySreekanth Narendran
 
Indigo Case study
bySreekanth Narendran
 

Recently uploaded

PDF
Role of Training and Development in Enhancing Safety Performance in Opencast ...
byRathin Biswas
 
PDF
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
PDF
Unit-I Process Management 1.9 Scheduling Criteria, Scheduling Algorithms
bySanjay Gunjal
 
PPTX
The Hidden Cost of Bad Spare Parts Planning (And How AI CMMS Fixes It)
byMaintWiz Technologies Private Limited
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PDF
(en/zhTW) Heterogeneous System Architecture: Design & Performance
byDanny Jiang
 
PDF
Enhancing optical fiber communication systems using repetition coding for imp...
byMouweffeqBouregaa
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PPTX
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
PPTX
unit v awp IN ANTENNA AND WAVE PROP IN JNTUH
byTCEKPEDDAPALLI
 
PDF
Microeconomics Theory and Market Structure.pdf
byMahmoodKhalid11
 
PDF
Highway Curves in Transportation Engineering.pdf
byMahmoodKhalid11
 
PPTX
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PDF
MoD_2.pptx solid rockets of the rocket.pdf
byrajaashish82988
 
PDF
DAA Lab Manual ssit -kavya r.pdf or Digital Design and Analysis of Algorithm ...
bykavya R
 
PDF
Microcontroller Notes Final 2016 April june.pdf
bypmuiruri768
 
PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
Weak Incentives (WINK): The Agent Definition Layer
byAndrei Savu
 
PDF
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
PPTX
Why Most SAP PM Implementations Fail — And How High-Reliability Plants Fix It
byMaintWiz Technologies Private Limited
 
Role of Training and Development in Enhancing Safety Performance in Opencast ...
byRathin Biswas
 
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
Unit-I Process Management 1.9 Scheduling Criteria, Scheduling Algorithms
bySanjay Gunjal
 
The Hidden Cost of Bad Spare Parts Planning (And How AI CMMS Fixes It)
byMaintWiz Technologies Private Limited
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
(en/zhTW) Heterogeneous System Architecture: Design & Performance
byDanny Jiang
 
Enhancing optical fiber communication systems using repetition coding for imp...
byMouweffeqBouregaa
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
unit v awp IN ANTENNA AND WAVE PROP IN JNTUH
byTCEKPEDDAPALLI
 
Microeconomics Theory and Market Structure.pdf
byMahmoodKhalid11
 
Highway Curves in Transportation Engineering.pdf
byMahmoodKhalid11
 
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
MoD_2.pptx solid rockets of the rocket.pdf
byrajaashish82988
 
DAA Lab Manual ssit -kavya r.pdf or Digital Design and Analysis of Algorithm ...
bykavya R
 
Microcontroller Notes Final 2016 April june.pdf
bypmuiruri768
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
Weak Incentives (WINK): The Agent Definition Layer
byAndrei Savu
 
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
Why Most SAP PM Implementations Fail — And How High-Reliability Plants Fix It
byMaintWiz Technologies Private Limited
 

Conducting an Information Systems Audit

  • 1.
    Chapter 2 Conducting anInformation Systems Audit Sreekanth N 1
  • 2.
    Contents • Introduction • Thebig Question • Learning objectives • Nature of controls • Dealing with complexity • Audit Risks • Types of Audit Procedures • Overview of Steps in an Audit • Auditing Around or Through the computer. 2
  • 3.
    Introduction • Auditors canperform a detailed audit in small organizations. • All organizations are of not the same size. • Auditing in big organizations are difficult. • Detailed check on data process inside IS systems become complex. • Auditors resort to sampling. 3
  • 4.
    The big question? •How can an auditor perform IS audit so that they obtain reasonable assurance that an organization safeguards its data-processing assets, maintains data integrity, and achieve system effectiveness and efficiency ? 4
  • 5.
    Learning Objectives • Learnthe general approach followed for information systems audit. • Learn the nature of controls. • Learn techniques for simplifying complexity encountered while making evaluation judgements or computer-based information systems. • Learn the basic risks auditors face and the type of audit procedures used to control and asses these risks. • Finally we examine a major decision auditors must make while doing an IS audit. 5
  • 6.
    Attestation vs Audit •Attestation: An attestation is a type of engagement in which an attester (auditor,practitioner,accountant) provides a report as to whether an assertion (made by an asserter management) has been prepared in conformity with the appropriate criteria. • Attestations include financial statement audits, reporting on forecasts, projections, pro-forma information, effectiveness of internal control etc. • Attestation Standards apply only to situations not addressed by other professional standards. • Audit: An audit is a type of attest function in which an auditor provides an independent opinion (positive assurance) about whether management (asserter) has prepared financial statements in conformity with an applicable financial reporting framework (criteria). 6
  • 7.
    Nature of controls •A control is a system that prevents, detects, or correct unlawful events. • System – Set of interrelated components working together to achieve some overall purpose • Unlawful event- Arises if unauthorized, in accurate, incomplete, redundant, ineffective, or inefficient input enters the system. • Preventive control • Detective control • Corrective control 7
  • 8.
    Dealing with Complexity •Conducting an IS audit is an exercise in dealing with complexity. • Because complexity is the root cause of problems face by many professionals two guidelines have been developed in IS audit. 1. Given the purpose of IS audit, factor the system to be evaluated into subsystems. 2. Determine the reliability of each subsystem and implications of each subsystems level of reliability for the overall reliability of the system. 8
  • 9.
    Dealing with Complexity–> Subsystem Factoring • Subsystem performs basic function and are logical components • Factoring – Decomposing a system into subsystems (iterative process) • Systems theory gives two guidelines to identify and delineate subsystems • should be relatively independent • should be internally cohesive • Auditors have recognized some systems cannot be audited based on these. • Over time two methodologies were developed to factor systems. 9
  • 10.
    Dealing with Complexity–> Subsystem Factoring IS Function Application subsystems Application systems Cycles Management subsystems Management systems 10
  • 11.
    Dealing with Complexity–> Subsystem Factoring –> Management subsystems • Based on managerial functions that must be performed to ensure that development, implementation, operation and maintenance of IS proceed in planned and controlled manner. • Managerial systems function to provide a stable infrastructure in which information systems can be built, operated and maintained on a day to day basis. • Some of the management subsystems are : Top management, IS management, Systems development management, Programming management, Data administration, Quality assurance, Security administration, Operations management 11
  • 12.
    Dealing with Complexity–> Subsystem Factoring –> Application Subsystems • Based of cycles approach. • IS systems are grouped into cycles. • Examples of cycles : Sales and collection, payroll and personnel, acquisition and payments, inventory etc. • Each cycle is then factored into application subsystems. • Application systems into application subsystems. • Application Subsystems can includes Boundary, Input, Communication, Processing, Database, Output 12
  • 13.
    Dealing with Complexity–> Subsystem Factoring –> Assessing Subsystem Reliability • Beginning with the lowest-level subsystems, all the different types of lawful and unlawful events that can occur to the system are identified. • Primary concern are unlawful events. • To identify we focus on the major functions each subsystem performs. • As a basis we focus on (walk-through technique) • the transactions that can occur as an input to the subsystem as all events arise from a transaction. • How the subsystem processes this transaction and understand each processing step. 13
  • 14.
    Dealing with Complexity–> Subsystem Factoring –> Assessing Subsystem Reliability • Costly to trace each transaction. • Auditors focus on classes. • Group similar transactions into classes and analyze it. • When events are identified auditors evaluate if controls are in place. • They collect evidence on the controls and see if the losses are reduced to acceptable levels. • Errors made at one level can propagate to higher levels 14
  • 15.
    Audit Risks • Systemsauditors are concerned with four objectives: • Asset safeguarding • Data integrity • System effectiveness • System efficiency • Auditors are concerned with whether errors or irregularities cause material losses or material misstatements in the financial information • Because of test nature of auditing, auditors might fail to detect real or potential material losses and account misstatements. 15
  • 16.
    Audit Risks • Therisk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit is called the audit risk. • Auditors choose an audit approach and design audit procedures in an attempt to reduce this risk to a level deemed acceptable. • For determining desired audit risk following audit risk model is adopted : DAR = IR x CR x DR • DAR is the desired audit risk • IR is the inherent risk, likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered. • CR is the control risk, likelihood that internal controls in some segment of the audit will not prevent, detect, or correct material losses or account misstatements that arise. • DR is the detection risk, the audit procedures used in some segment Of the audit will fail to detect material losses or account misstatements. 16
  • 17.
    Audit Risks • Toapply the model, auditors first choose their level of desired audit risk. • Auditors consider such factors as the level of reliance external parties are likely to place on the financial statements, the likelihood of the organization encountering financial difficulties subsequent to the audit, they assess the short- and long-run consequences for their organizations if they fail to detect real or potential material losses from ineffective or inefficient operations. • Next auditors consider the level of inherent risk. Initially auditors consider general factors such as • the nature of the organization, • the industry in which it operates, • the characteristics of management, and accounting and auditing concerns. 17
  • 18.
    Audit Risks Inherent Riskin Financial System • Those that usually provide financial control over the major assets of an organization : • cash receipts and disbursements, • payroll, • accounts receivable and payable—often have higher inherent risk. • Because they are frequently the target of fraud. 18
  • 19.
    Audit Risks • Toassess the level of control risk associated with a segment of the audit, auditors consider the reliability of both management and application controls. • Auditors usually identify and evaluate controls in management subsystems first. • Management (subsystem) controls are fundamental controls because they cover all application systems. • Thus, the absence of a management control is a serious concern for auditors. • Next auditors calculate the level of detection risk they must attain to achieve their desired audit risk. They then design evidence collection procedures in an attempt to achieve this level of detection risk. 19
  • 20.
    Audit Risks • Thewhole point in considering the audit risk model is that audit efforts should be focused where they will have the highest payoffs. • In most cases auditors cannot collect evidence to the extent they would like. • Accordingly, they must be judicious in terms of where they apply their audit procedures and how they interpret the evidence they collect. 20
  • 21.
    Types of AuditProcedures When external auditors gather evidence to determine whether material losses have occurred or financial information has been materially misstated, they use five types Of procedures: • Procedures to obtain an understanding of controls: Inquiries, inspections, and observations can be used to gain an understanding Of what controls supposedly exist, how well they have been designed, and whether they have been placed in operation. • Tests of controls: Inquiries, inspections, observations, and performance of control procedures can be used to evaluate whether controls are operating effectively. • Substantive tests of details of transactions: These tests are designed to detect dollar errors or irregularities in transactions that would affect the financial statements. 21
  • 22.
    Types of AuditProcedures • Substantive tests of details of account balances: These tests focus on the ending general ledger balances in the balance sheet and income statement. • Analytical review procedures: These tests focus on relationships among data items with the objective of identifying areas that require further audit work. • Auditors usually carry out the less costly audit procedures first in the hope the evidence obtained from these procedures indicates it is unlikely a material loss or material misstatement has occurred or will occur. If this outcome arises, auditors can alter the nature, timing, and extent of the more costly tests used. 22
  • 23.
    Overview of Stepsin an Audit Start Stop Obtain Understanding Of control structure Assess control risk Preliminary Audit work Reassess Control risk Tests of controls Limited Substantive testing Extended Substantive testing Form audit Opinion and Issue report Rely on Controls ? Increase Reliance on Controls ? Still Rely on Control ? no Yes no yes no yes Major Steps to be undertaken in an audit 23
  • 24.
    Overview of Stepsin an Audit – Planning audit • Planning is the first phase of an audit. • For External auditor - investigating new and continuing clients to determine whether the audit engagement should be accepted, assigning appropriate staff to the audit, obtaining an engagement letter, obtaining background information on the client, understanding the client's legal obligations, and undertaking analytical review procedures to understand the client's business better and identify areas of risk in the audit • For an internal auditor -understanding the objectives to be accomplished in the audit, obtaining background information, assigning appropriate staff, and identifying areas of risk. 24
  • 25.
    Overview of Stepsin an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Control Environment - Elements that establish the control Context in which specific accounting systems and control procedures must operate. • Risk Assessment - Elements that identify and analyze the risks faced by an Organization and the ways these risks can be managed. • Control Activities - Elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks on performance and valuation of recorded amounts occur. 25
  • 26.
    Overview of Stepsin an Audit – Planning audit • Judgment on the level of control risk associated with each segment of the audit is hard. • To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise of five interrelated components: • Information and Communication-Elements in which information is identified, captured, and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities properly. • Monitoring- Elements that ensure internal controls operate reliably over time. 26
  • 27.
    Overview of Stepsin an Audit – Planning audit • After auditors obtain an understanding of the internal controls, they then must determine the control risk in relation to each assertion: • If auditors assess control risk at less than the maximum level, they must then identify the material controls that relate to the assertion and test the controls to evaluate whether they are operating effectively. • If auditors assess control risk at the maximum level, they do not test controls; they might conclude that internal controls are unlikely to be effective and therefore cannot be relied upon or that a more effective and efficient audit can be conducted using a substantive approach. 27
  • 28.
    Overview of Stepsin an Audit – Tests of Controls • Auditors test controls when they assess the control risk for an assertion at less than the maximum level. • They rely on controls as a basis for reducing more costly testing. • Tests of controls evaluate whether specific, material controls are reliable. • This phase usually begins by again focusing first on management controls. • If testing shows that, contrary to expectations, management controls are not operating reliably, there might be little point to testing application controls. • If auditors identify serious management-control weaknesses, they might have to issue an adverse opinion or undertake substantive tests of transactions and balances or overall results. • Auditors conduct the evaluation iteratively for each management subsystem and each application subsystem that is important. 28
  • 29.
    Overview of Stepsin an Audit – Tests of Controls • If auditors conclude that management controls are in place and working satisfactorily, they then would evaluate the reliability of application controls. • For each transaction considered, auditors evaluate whether the control is operating effectively. 29
  • 30.
    Overview of Stepsin an Audit – Tests of Controls • After auditors have completed tests of controls, they again assess control risk. • After the test results, auditors might conclude that internal controls are stronger or weaker than initially anticipated. • They might also conclude that it is worthwhile to perform more tests of controls with a view to further reducing the further testing. • Accordingly, auditors conclude control risk has decreased and seek further evidence to support this assessment. 30
  • 31.
    Overview of Stepsin an Audit – Tests of Transactions • Auditors use tests of transactions to evaluate whether erroneous or irregular processing of a transaction has led to a material misstatement of financial information. • Typical attest tests of transactions include • tracing journal entries to their source documents, • examining price files for propriety, and • testing computational accuracy. • Ex : Auditors usually use generalized audit software to check whether the interest paid on bank accounts has been calculated correctly. • From an operational perspective, auditors use tests of transactions to evaluate whether transactions or events have been handled effectively and efficiently. 31
  • 32.
    Overview of Stepsin an Audit – Tests of Transactions • In an attest audit, auditors conduct tests of transactions at interim dates in order to reduce the amount of substantive tests of balances to be done at financial year end and thus to reduce the overall costs of the audit. • In an operational audit for effectiveness and efficiency purposes, auditors also use tests of transactions at interim dates in order to reduce the amount of substantive testing of overall results to be done near the reporting date. 32
  • 33.
    Overview of Stepsin an Audit – Tests of Transactions • If the results of tests of transactions indicate that material losses have occurred or might occur or that financial information is or might be materially misstated, substantive tests of balances or overall results will be expanded. • Auditors can use expanded tests of balances or overall results to obtain a better estimate of the losses or misstatements that have occurred or might occur. 33
  • 34.
    Overview of Stepsin an Audit – Tests of Balances or Overall Result • Auditors conduct tests of balances or overall results to obtain sufficient evidence for making a final judgment on the extent of losses or account misstatements that occur when • the information systems function fails to safeguard assets, • maintain data integrity, • achieve system effectiveness and efficiency. 34
  • 35.
    Overview of Stepsin an Audit – Completion of the Audit • In the final phase of the audit, external auditors undertake several additional tests to bring the collection of evidence to a close. • They must then formulate an opinion about whether material losses or account misstatements have occurred and issue a report. • The professional standards in many countries require one of four types of opinion be issued: • Disclaimer of opinion: On the basis of the audit work conducted, the auditor is unable to reach an opinion. • Adverse opinion: The auditor concludes that material losses have occurred or that the financial statements are materially misstated. • Qualified opinion: The auditor concludes that losses have occurred or that the financial statements are misstated but that the amounts are not material. • Unqualified opinion: The auditor believes that no material losses or account misstatements have occurred. 35
  • 36.
    Auditing Around orThrough the Computer • When auditors come to the controls testing phase of an information systems audit, one of the major decisions they must make is whether to test controls by auditing around or through the computer. • The phrases "auditing around the computer" and "auditing through the computer" are carryovers from the past. • Debate on how much technical knowledge was required to audit computer systems. Two methods were formulated: • Auditors could evaluate computer systems simply by checking their input and output. • Internal workings of computer systems were examined and evaluated. • Both has its own merits and demerits and both are considered now for auditing. 36
  • 37.
    Around the Computer •Auditing around the computer involves arriving at an audit opinion through examining and evaluating management controls and then input and output only for application systems. • Based on the quality of an application system's input and output, auditors infer the quality of the application system's processing. • The application system's processing is not examined directly. Instead, auditors view the computer as a black box. • Cost effective way if the SW used is one package. 37
  • 38.
    Around the Computer •Auditors seek to ensure • the organization has not modified the package in any way, • adequate controls exist over the source code, object code, and documentation to prevent unauthorized modification of the package • high-quality controls exist over input to and output from the package. 38
  • 39.
    Through the Computer •The Advantage of auditing through the computer is that auditors have increased power to test an application system effectively. • Increase their confidence in the reliability of the evidence collection and evaluation. • By directly examining the processing logic embedded within an application system auditors are better able to assess the system's ability to cope with change and the likelihood of losses or account misstatements arising in the future. • The approach has two disadvantages. • it can sometimes be costly • extensive technical expertise to understand how the system works 39
  • 40.
    Through the Computer •They use the computer to test • the processing logic and controls existing within the system • the records produced by the system. 40
  • 41.