It is a four-step approach to internal control evaluation that provides a logical framework for carrying out an audit.
Risk-based approach
Four (4) steps in Risk-based audit approach
Determine the threats (errors and irregularities) facing the accounting information system
Identify control procedures implemented to minimize each threat by preventing or detecting such errors and irregularities
Evaluate the control procedures
Evaluate control weaknesses to determine their effect on the nature, timing, and extent of audit procedures, and on the recommendations made to the client.
Its purpose is to review and evaluate the internal controls that protect the system.
Information System Audit
When performing an information system audit, auditors should ascertain that the following objectives are met:
Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction
Program development and acquisition are performed in accordance with management's general and specific authorization
Program modifications have management’s authorization and approval
Six objectives and information system components
OPPSD
Overall Security
Program Development and Acquisition
Program Modification
Computer Processing
Source Data
Data Files
Types of security errors and fraud faced by companies (Overall Security)
Accidental or intentional damage to system assets
Unauthorized access, disclosure, or modification of data and programs
Theft
Interruption of crucial business activities
If security controls are seriously deficient, the organization faces substantial risks; these other controls partially offset those risks, but they do not remove the need to fix the deficiency.
Compensating controls
Type of errors and fraud (Program Development and Acquisition)
Inadvertent errors due to careless programming or misunderstanding specifications, or
Deliberate insertion of unauthorized instructions into the programs
Control Procedures (Program Development and Acquisition)
Management and user authorization and approval
Thorough testing
Proper documentation
One way to test logical access controls is to try to break into a system (True or False)
True
Compensating controls are not likely to be enough, so auditors should strongly recommend that security weaknesses be corrected (T/F)
True
The auditor’s role in systems development should be limited to an ______________ review of system development activities.
Independent
The auditor should be involved in system development to make sure that the system is working properly (T/F)
False (the auditor should not be involved in development, in order to maintain independence and objectivity)
During the systems review, the auditor gains an understanding of the development procedures by discussing them with:
Management
Users
IS personnel
Strong processing controls can sometimes compensate for inadequate development controls (T/F)
True
Type of Errors and Fraud (Program Modification)
Inadvertent programming errors
Unauthorized programming code
During the change process, the developmental version of the program must be kept separate from the ____________________
production version (so that untested or unauthorized changes cannot reach live processing)
The auditor can use this to test for unauthorized program changes: it compares the current version of the program with a verified copy of the original program and reports any differences
Source code comparison program
Two additional techniques to detect unauthorized program changes
Reprocessing
Parallel simulation
On a surprise basis, the auditor uses a verified copy of the source code to reprocess a period's data and compares that output with the output the company's program produced
Reprocessing
The auditor writes their own program to reprocess the data (instead of using a verified copy of the company's source code) and compares its output with the output the company's program produced
Parallel Simulation
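The three program-modification checks above (source code comparison, reprocessing, and parallel simulation) as one added example; this is illustration code written for this page, not a program from any textbook or audit tool. The payroll program, its "verified" and "current" source texts, and the company output records are all constructed, and the unauthorized change in the current copy is planted so the checks have something to find.

```python
"""Added example: source code comparison, reprocessing and parallel simulation
applied to a constructed payroll program. Nothing here is from a real system."""
import difflib
import hashlib

# Constructed text of the approved program (the auditor's verified copy).
VERIFIED_SOURCE = """\
def net_pay(gross, tax_rate):
    return round(gross * (1 - tax_rate), 2)
"""

# Constructed text of the copy now running in production: a planted,
# unauthorized change skims one currency unit from large pay amounts.
CURRENT_SOURCE = """\
def net_pay(gross, tax_rate):
    if gross > 9000:
        gross = gross - 1
    return round(gross * (1 - tax_rate), 2)
"""

def source_digest(text: str) -> str:
    """SHA-256 of a program text; any change in the text changes the digest."""
    return hashlib.sha256(text.encode()).hexdigest()

def source_diff(verified: str, current: str) -> list:
    """Source code comparison: lines added to / removed from the verified copy."""
    diff = difflib.unified_diff(verified.splitlines(), current.splitlines(),
                                "verified", "current", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]

# Constructed company output: (employee, gross, tax_rate, net_pay_reported).
# E002 was produced by the tampered program: 9499 * 0.75 instead of 9500 * 0.75.
COMPANY_OUTPUT = [
    ("E001", 4000.00, 0.20, 3200.00),
    ("E002", 9500.00, 0.25, 7124.25),
    ("E003", 6100.00, 0.30, 4270.00),
]

def find_exceptions(records, program, tolerance=0.005):
    """Rerun each record's input through `program` and list disagreements
    as (employee, reported, expected)."""
    exceptions = []
    for emp, gross, rate, reported in records:
        expected = program(gross, rate)
        if abs(expected - reported) > tolerance:
            exceptions.append((emp, reported, expected))
    return exceptions

def reprocess(records, verified_source=VERIFIED_SOURCE):
    """Reprocessing: load the auditor's verified copy of the program (here a
    constructed text) and rerun the period's data through it."""
    ns = {}
    exec(verified_source, ns)
    return find_exceptions(records, ns["net_pay"])

def auditor_net_pay(gross: float, tax_rate: float) -> float:
    """The auditor's own implementation of the approved payroll rule."""
    return round(gross * (1 - tax_rate), 2)

def parallel_simulation(records):
    """Parallel simulation: the same comparison, but against the auditor's own program."""
    return find_exceptions(records, auditor_net_pay)

if __name__ == "__main__":
    print("digest changed:", source_digest(VERIFIED_SOURCE) != source_digest(CURRENT_SOURCE))
    print("\n".join(source_diff(VERIFIED_SOURCE, CURRENT_SOURCE)))
    print("reprocessing exceptions:", reprocess(COMPANY_OUTPUT))
    print("parallel simulation exceptions:", parallel_simulation(COMPANY_OUTPUT))
```

The digest check only says that something changed; the diff says what, and the two reprocessing variants say whether the change affected output. Reprocessing depends on the auditor holding a copy of the program that was verified at the time it was approved; parallel simulation does not, which is why it is the fallback when no trustworthy copy exists.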
Types of Errors and Fraud (Computer Processing)
Fail to detect erroneous input
Improperly correct input errors
Process erroneous input
Improperly distribute or disclose output
Specialized techniques that allow the auditor to use the computer to test processing controls:
Processing test data
Using concurrent audit techniques
Analyzing program logic
It involves testing a program by processing a hypothetical series of valid and invalid transactions
Processing Test Data
It automatically prepares test data based on program specifications
Test Data Generator Program
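Processing test data and the test data generator, as an added example (illustration code written for this page, not from any textbook or audit tool). The input specification, the sales-order validation routine standing in for the client's program, and the transactions are all constructed; the routine deliberately omits one of the edit checks the specification calls for, so the test run has a weakness to report.

```python
"""Added example: generate test transactions from a field specification and
process them through a constructed input-validation routine, reporting every
case where the program's behaviour disagrees with the specification."""
from datetime import date

# Constructed field specification: for each input field, its type and the
# edit checks (completeness, field, range/limit, validity) the program must apply.
SPEC = {
    "customer_id": {"type": "str", "length": 6},
    "qty":         {"type": "int", "min": 1, "max": 500},
    "unit_price":  {"type": "float", "min": 0.01, "max": 10000},
    "order_date":  {"type": "date"},
}

# One known-good transaction that every generated case is derived from.
VALID_BASE = {"customer_id": "C00042", "qty": 10, "unit_price": 19.99,
              "order_date": date(2024, 3, 1)}

def generate_test_data(spec, base):
    """Test data generator: yield (label, transaction, should_be_rejected).
    Produces the valid base case, then for each field the boundary values the
    program must accept and the invalid values it must reject."""
    yield ("valid", dict(base), False)
    for name, rule in spec.items():
        good, bad = [], []
        if "min" in rule:
            good.append(rule["min"])
            bad.append(rule["min"] - (1 if rule["type"] == "int" else 0.01))
        if "max" in rule:
            good.append(rule["max"])
            bad.append(rule["max"] + 1)
        if rule["type"] == "int":
            bad.append("ten")            # field check: non-numeric
        if rule["type"] == "date":
            bad.append("2024-02-30")     # validity check: not a real date
        if "length" in rule:
            bad.append("")               # completeness check: empty
        bad.append(None)                 # completeness check: field missing
        for v in good:
            yield (f"{name}=boundary {v!r}", {**base, name: v}, False)
        for v in bad:
            yield (f"{name}=invalid {v!r}", {**base, name: v}, True)

def validate_order(tx):
    """Constructed stand-in for the client's input validation. It has a planted
    weakness: the upper limit on qty required by SPEC is never checked."""
    errors = []
    cid = tx.get("customer_id")
    if not isinstance(cid, str) or len(cid) != 6:
        errors.append("customer_id")
    qty = tx.get("qty")
    if not isinstance(qty, int) or qty < 1:          # no 'qty > 500' test
        errors.append("qty")
    price = tx.get("unit_price")
    if not isinstance(price, (int, float)) or not (0.01 <= price <= 10000):
        errors.append("unit_price")
    if not isinstance(tx.get("order_date"), date):
        errors.append("order_date")
    return errors

def run_test_data(spec, base, program):
    """Process every generated case and return the control failures: invalid
    input that was accepted (a missing control) or valid input that was rejected."""
    failures = []
    for label, tx, should_reject in generate_test_data(spec, base):
        rejected = bool(program(tx))
        if rejected != should_reject:
            failures.append((label, "accepted invalid" if should_reject else "rejected valid"))
    return failures

if __name__ == "__main__":
    cases = list(generate_test_data(SPEC, VALID_BASE))
    print(f"{len(cases)} test transactions generated")
    for failure in run_test_data(SPEC, VALID_BASE, validate_order):
        print("control failure:", failure)
```

The generator only knows the specification, not the program, which is the point: the cases come from what the controls are supposed to do, and the run shows where the program falls short. In practice the test data is processed against a copy of the system or tagged so it can be reversed out, never left in live master files.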
Auditors use these techniques to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. They are needed because millions of dollars of transactions can be processed in an online system without leaving a satisfactory audit trail.
Concurrent Audit Techniques
These are segments of program code that:
Perform audit functions
Report test results to the auditor, and
Store collected evidence for audit review
Embedded audit modules
Five concurrent audit techniques
Integrated Test Facility (ITF) Technique
A snapshot technique
A System Control Audit Review File (SCARF)
Audit hooks
Continuous and intermittent simulation (CIS)
This technique places a small set of fictitious records (for example, a dummy customer or department) in the master files, processes test transactions against them during normal operations, and compares the results with expected results. The fictitious records must be excluded from the company's real output, such as financial reports.
ITF technique
This technique examines the way selected transactions are processed. Audit modules in the program record those transactions and their master file records both before and after processing.
Snapshot
This technique uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.
System Control Audit Review File (SCARF)
These are audit routines embedded in application programs that flag suspicious transactions (for example, a transaction that is unusually large or posted by an unusual user) and notify the auditor as they occur.
Audit hooks
This technique embeds an audit module in the database management system rather than in the application program; like SCARF, it examines transactions as they are processed and records those of audit significance.
Continuous and Intermittent Simulation (CIS)
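The embedded audit module, snapshot, SCARF, audit hook and ITF techniques above, as one added example (illustration code written for this page, not from any textbook or audit tool). The account-posting loop, thresholds, account numbers, users and transactions are all constructed; CIS is not shown because it lives inside the DBMS rather than the application.

```python
"""Added example: an embedded audit module inside a constructed account-posting
loop. It performs audit functions, reports flags, and stores evidence (the
SCARF, snapshots and ITF results) for later review. All data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float          # positive = credit to the account, negative = debit
    user: str
    posted_at: datetime

@dataclass
class AuditModule:
    """The embedded audit module: a segment of program code that performs audit
    functions, reports results to the auditor, and stores collected evidence."""
    scarf_limit: float      # SCARF: record transactions at or above this amount
    itf_accounts: set       # ITF: fictitious accounts seeded by the auditor
    snapshot_ids: set       # snapshot: transactions tagged for before/after capture
    scarf: list = field(default_factory=list)        # System Control Audit Review File
    snapshots: list = field(default_factory=list)    # (txn, balance before, balance after)
    flags: list = field(default_factory=list)        # audit hook alerts
    itf_results: list = field(default_factory=list)  # outcomes on fictitious accounts

    def hooks(self, t):
        """Audit hooks: routines that flag suspicious transactions (constructed rules)."""
        reasons = []
        if not 8 <= t.posted_at.hour < 18:
            reasons.append("posted outside business hours")
        if t.user.startswith("SYS"):
            reasons.append("posted by a system account")
        return reasons

    def observe(self, t, before, after):
        """Called by the application for every transaction it processes."""
        if abs(t.amount) >= self.scarf_limit:
            self.scarf.append((t.txn_id, t.account, t.amount, t.user))
        if t.txn_id in self.snapshot_ids:
            self.snapshots.append((t.txn_id, before, after))
        for reason in self.hooks(t):
            self.flags.append((t.txn_id, reason))
        if t.account in self.itf_accounts:
            self.itf_results.append((t.txn_id, after))

def post_transactions(txns, balances, audit):
    """The application's posting loop with the audit module embedded in it.
    Returns the production balances with the fictitious ITF accounts removed,
    so test entities never reach real reports."""
    for t in txns:
        before = balances.get(t.account, 0.0)
        after = round(before + t.amount, 2)
        balances[t.account] = after
        audit.observe(t, before, after)
    return {acct: bal for acct, bal in balances.items() if acct not in audit.itf_accounts}

# Constructed transaction stream. T4 is the auditor's ITF test transaction.
TXNS = [
    Transaction("T1", "ACC-100",   250.00, "clerk1",   datetime(2024, 5, 6, 10, 15)),
    Transaction("T2", "ACC-100", -9800.00, "clerk2",   datetime(2024, 5, 6, 14, 2)),
    Transaction("T3", "ACC-200",   120.00, "SYSBATCH", datetime(2024, 5, 6, 23, 40)),
    Transaction("T4", "ITF-999",   500.00, "auditor",  datetime(2024, 5, 6, 11, 0)),
    Transaction("T5", "ACC-300", 15000.00, "clerk1",   datetime(2024, 5, 7, 9, 30)),
]

def run_demo():
    """Process the constructed stream; returns (audit module, production balances)."""
    audit = AuditModule(scarf_limit=5000.0, itf_accounts={"ITF-999"}, snapshot_ids={"T2"})
    balances = {"ACC-100": 1000.0, "ACC-200": 50.0}
    production = post_transactions(TXNS, balances, audit)
    return audit, production

if __name__ == "__main__":
    audit, production = run_demo()
    print("SCARF:", audit.scarf)
    print("snapshots:", audit.snapshots)
    print("audit hook flags:", audit.flags)
    print("ITF results:", audit.itf_results)
    print("production balances:", production)
```

Each technique here is a few lines, but their placement is what matters: the module runs inside the application's own loop, so it sees every transaction while live data is processed and keeps its own evidence rather than relying on an audit trail the application may not produce.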
It interprets program source code and generates a corresponding flowchart
Automated Flowcharting Programs
It generates a decision table that represents the program's logic
Automated Decision Table Program
It searches programs for specified variable names or character combinations
Scanning Routines
It identifies unexecuted program code
Mapping Programs
It sequentially prints all program steps executed during a program run.
Program Tracing
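A mapping program and a scanning routine, as one added example (illustration code written for this page, not from any textbook or audit tool). The discount program under audit is constructed and contains one branch that no documented test case reaches; the mapping is done with the standard library's line tracer, and "line numbers" in the results are offsets from the program's def line so they do not depend on where the file is saved.

```python
"""Added example: a miniature mapping program (reports program lines that never
execute under the test data) and a scanning routine (searches the source for a
given name or character combination). The program under audit is constructed."""
import dis
import inspect
import re
import sys

def apply_discount(customer_type, amount):
    """Constructed program under audit. One branch is not in the documented
    specification and is never reached by the documented test data."""
    if customer_type == "retail":
        rate = 0.0
    elif customer_type == "wholesale":
        rate = 0.10
    elif customer_type == "VIP9":        # undocumented branch
        rate = 0.99
    else:
        rate = 0.05
    return round(amount * (1 - rate), 2)

def map_executed_lines(func, cases):
    """Mapping program: run func over the test cases under a line tracer and
    return (executed, unexecuted) as sets of line offsets from the def line.
    Only lines that compile to bytecode count as executable, so comment,
    docstring and bare 'else:' lines are not reported as unexecuted."""
    code = func.__code__
    first = code.co_firstlineno
    executable = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln > first}
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "line":
                executed.add(frame.f_lineno)
            return tracer          # keep receiving line events for this frame
        return None                # do not trace any other code

    sys.settrace(tracer)
    try:
        for args in cases:
            func(*args)
    finally:
        sys.settrace(None)
    hit = executed & executable
    return ({ln - first for ln in hit}, {ln - first for ln in executable - hit})

def scan_program(func, pattern):
    """Scanning routine: return the offsets (from the def line) of source lines
    matching a variable name or other character combination."""
    src, _ = inspect.getsourcelines(func)
    rx = re.compile(pattern)
    return [i for i, line in enumerate(src) if rx.search(line)]

# Constructed test data: the three customer types the specification documents.
TEST_CASES = [("retail", 100.0), ("wholesale", 200.0), ("online", 50.0)]

if __name__ == "__main__":
    src, _ = inspect.getsourcelines(apply_discount)
    executed, unexecuted = map_executed_lines(apply_discount, TEST_CASES)
    for ln in sorted(unexecuted):
        print(f"never executed (def+{ln}): {src[ln].rstrip()}")
    print("lines mentioning VIP9:", scan_program(apply_discount, r"VIP9"))
```

Code the test data never reaches is exactly where unauthorized instructions hide, so an unexecuted line is a lead, not a verdict: the auditor then reads it (here the scanning routine finds the constant that triggers it) and checks whether the specification authorizes the branch.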
Types of Errors and Fraud (Source Data)
Inaccurate source data
Unauthorized source data
It shows, for each field of an input record, which control procedures (for example, field, limit, range, completeness and validity checks) are applied to that field, so that fields with no controls stand out
Input control matrix
It is a comprehensive, systematic, and effective means of evaluating internal controls in an AIS.
Auditing-by-objectives