Part 4A and B

Last updated 1:18 AM on 5/2/24

41 Terms

1

It is a four-step approach to internal control evaluation that provides a logical framework for carrying out an audit.

Risk-based approach

2

Four (4) steps in the risk-based audit approach

  1. Determine the threats (errors and irregularities) facing the accounting information system

  2. Identify control procedures implemented to minimize each threat by preventing or detecting such errors and irregularities

  3. Evaluate the control procedures

  4. Evaluate weaknesses to determine their effect on the nature, timing, or extent of auditing procedures and client suggestions.

3

Its purpose is to review and evaluate the internal controls that protect the system.

Information System Audit

4

When performing an information system audit, auditors should ascertain that the following objectives are met:

  • Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction

  • Program development and acquisition are performed in accordance with the management’s general and specific authorization

  • Program modifications have management’s authorization and approval

5

Six objectives and information system components

OPPSD

  • Overall Security

  • Program Development and Acquisition

  • Program Modification

  • Computer Processing

  • Source Data

  • Data Files

6

Types of security errors and fraud faced by companies (Overall Security)

  • Accidental or intentional damage to system assets

  • Unauthorized access, disclosure, or modification of data and programs

  • Theft

  • Interruption of crucial business activities

7

If security controls are seriously deficient, the organization faces substantial risks, so these controls mitigate the risks.

Compensating controls

8

Type of errors and fraud (Program Development and Acquisition)

  • Inadvertent errors due to careless programming or misunderstanding specifications, or

  • Deliberate insertion of unauthorized instructions into the programs

9

Control Procedures (Program Development and Acquisition)

  • Management and user authorization and approval

  • Thorough testing

  • Proper documentation

10

One way to test logical access controls is to try to break into a system (True or False)

True

11

Compensating controls are not likely to be enough, so auditors should strongly recommend that security weaknesses be corrected (T/F)

True

12

The auditor’s role in systems development should be limited to an ______________ review of system development activities.

Independent

13

The auditor should be involved in system development to make sure that the system is working properly (T/F)

False (Should not be involved to maintain objectivity)

14

During the system review, the auditor gains an understanding of development procedures by discussing them with:

  • Management

  • Users

  • IS personnel

15

Strong processing controls can sometimes compensate for inadequate development controls (T/F)

True

16

Type of Errors and Fraud (Program Modification)

  • Inadvertent programming errors

  • Unauthorized programming code

17

During the change process, the developmental version of the program must be kept separate from the ____________________

product version

18

The auditor can use this to test for unauthorized program changes and to compare the current version of the program with the original program

source code

19

Two additional techniques to detect unauthorized program changes

  1. Reprocessing

  2. Parallel simulation

20

On a surprise basis, the auditor uses a verified copy of the source code to reprocess data and compare that output with the company’s data

Reprocessing

21

The auditor writes his own program instead of using verified source code

Parallel Simulation

22

Types of Errors and Fraud (Computer Processing)

  • Fail to detect erroneous input

  • Improperly correct input errors

  • Process erroneous input

  • Improperly distribute or disclose output

23

Specialized techniques that allow the auditor to use the computer to test processing controls:

  • Processing test data

  • Using concurrent audit techniques

  • Analyzing program logic

24

It involves testing a program by processing a hypothetical series of valid and invalid transactions

Processing Test Data

25

It automatically prepares test data based on program specifications

Test Data Generator Program

26

Auditors can use this technique to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. Millions of dollars of transactions can be processed in an online system without leaving a satisfactory audit trail

Concurrent Audit Techniques

27

These are segments of program code that:

  • Perform audit functions

  • Report test results to the auditor, and

  • Store collected evidence for audit review

Embedded audit modules

28

Five concurrent audit techniques

  1. Integrated Test Facility (ITF) Technique

  2. A snapshot technique

  3. A System Control Audit Review File (SCARF)

  4. Audit hooks

  5. Continuous and intermittent simulation (CIS)

29

This technique places a small set of fictitious records in the master files

ITF technique

30

This technique examines the way transactions are processed. Audit modules in the program record these transactions and their master file records before and after processing.

Snapshot

31

This technique uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.

System Control Audit Review File (SCARF)

32

This technique uses audit routines that flag suspicious transactions.

Audit hooks

33

This technique embeds an audit module, like those used in SCARF, in a database management system.

Continuous and Intermittent Simulation (CIS)

34

It interprets program source code and generates a corresponding flowchart.

Automated Flowcharting Programs

35

It generates a decision table that represents the program logic.

Automated Decision Table Program

36

It searches programs for specified variable names or character combinations.

Scanning Routines

37

It identifies unexecuted program code

Mapping Programs

38

It sequentially prints all program steps executed during a program run.

Program Tracing

39

Types of Errors and Fraud (Source Data Computer Processing)

  • Inaccurate source data

  • Unauthorized source data

40

It shows the control procedures applied to each field of an input record

Matrix

41

It is a comprehensive, systematic, and effective means of evaluating internal controls in an AIS.

Auditing-by-objectives