Part-1-Introduction-in-Auditing-Computer-Based-Information-System

Auditing in a CIS Environment

  • Is the process of understanding the Information Technology Environment, to which the company is exposed to, to identify the related IT risks in order to perform appropriate procedure to achieve that “assurance”.

  • is a multi-disciplinary study

  • consist of various fields of disciplines or subjects

  • Must understood the fundamentals of Accounting, Information Technology, and Auditing

  • In order to make informed decision for the future

  • Must look back what happened in the past

  • Collect these useful, financial information and summarize

  • Prepare a report for the users of the information

  • Accounting - records events systematically to produce reports for the users of information

    • records

    • manual books

    • electronic books

  • Raw Data list:

    • Assets

    • Liabilities

    • Equity

    • Income

    • Expense

  • Processed data list:

    • Financial position

    • Income statement/SCI

    • Changes in Equity

    • CAsh flows

    • Notes to FS

  • Examination of the company’s financial statements:

    • Financial Audit

    • Operational Audit

    • Compliance Audit

    Importance of controls of audit in a CIS environment

    • IPO MODEL

    • Input ——- Process ——- Output

    • Garbage in ——- Process ——- Garbage out

    • Input ——- Source documents ——- Raw data

    • Process ——- CIS ——- Processor

    • Output ——- Financial statements ——- Process data

    Why need for internal control?

    • Errors and fraud = Risks

  • Risks - a situation involving exposure to danger

  • Internal control - it is the organizational plan and all related measures to safeguards assets, ensure accuracy and reliability of accounting records, promote operational efficiency and encourage adherence to prescribed managerial policies.

  • Internal controls = Risks are minimized if not eliminated

    Inherent risk

    • It is associated with the unique characteristics of the business or industry of the client.

    • Firms in declining industries have greater inherent risk than firms with stable or booming industries.

    • Industries that have a heavy volume of cash transactions have a higher level of inherent risk than those that do not.

    • Placing value on inventory when the inventory value is difficult to assess due to its nature is associated with higher inherent risk than in situation where inventory values are more objective.

    Control risk

    • It is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

    • An accounting information system with adequate controls should prevent or detect an error.

    • Auditors should assess the level of control risk by performing tests of internal controls.

    • The results of the test will indicate that errors are not detected and are being incorrectly posted to the accounts.

    Detection risk

    • It is the risk that the auditors are willing to take that errors not detected or prevented by the control structure will not be detected by the auditor.

    • The auditors set an acceptable level of detection risks that influences the level of substantive tests that they performed.

    • More substantive testing would be required when planned detection risk is 10% than when it is 20%.

    The Relationship Between Tests of Controls and Substantive Tests

    • Test of controls and substantive tests are auditing techniques used for reducing audit risk to an acceptable level.

    • The stronger the internal control structure, as determined through test of controls, the lower the control risk and the less substantive testing the auditors must do.

    • This relationship is true because the likelihood of errors in the accounting records is reduced when controls are strong, hence the auditor may limit substantive testing.

    • In contrast, the weaker the internal control structure, the greater the control risk and the more substantive testing the auditor must perform to reduce total audit risks.

    Internal control objectives, principles and models

    • To safeguard the assets of the firm.

    • To ensure the accuracy and reliability of accounting records and information.

    • To ensure efficiency in the firm’s operations.

    • To measure compliance with management’s prescribed policies and procedures.

      4 Modifying Principles Inherent in the Control Objectives:

  • Management Responsibility

    • This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.

  • Methods of Data Processing

    • The internal control system should achieve the four objectives regardless of the data processing method used, whether manual or computer based.

    • However, the specific techniques used to achieve these objectives will vary with different types of technology.

  • Limitations

    • Every system of internal control has limitations on its effectiveness.

      • The possibility of error - no system is perfect

      • Circumvention - collusion of personnel

      • Management override - personal distorting or directing subordinate

      • Changing condition – existing effective controls may become ineffectual.

  • Reasonable Assurance

    • The internal control system should provide reasonable assurance that the four broad objectives of internal controls are met.

    • This reasonableness means that the cost of achieving improved control should not outweigh its benefits.

The PDC Model - Internal Control Shield

  • Corrective Controls

    • Corrective actions must be taken to reverse the effects of detected errors.

    • There is an important distinction between detective controls and corrective controls:

      • Detective controls identify undesirable events and draw attention to the problems.

      • Where as, corrective controls actually fix the problem.

    • For any detected error, there may be more than one feasible corrective actions.

    • Linking a corrective action to a detected error, as an automatic response, may results in an incorrect action that may causes a worse problem than the original error.

Internal Control COSO Model (Committee of Sponsoring Organizations

  • Principle No. 1 –COSO

    • The entity demonstrate a commitment to Integrity and Ethical Values.

  • Principle No. 2 –COSO

    • The Board of Directors demonstrate independence from management and exercise oversight of the development and performance of internal control.

Internal Control – a process effected by an entity’s BOD, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations

  • Reliability of financial reporting

  • Compliance with applicable laws and regulations

5 Components of COSO

The Control Environment

  • is the foundation for the other four control component.

  • sets tone for the organization and influences the control awareness of its management and employee.

The important elements of the control environment

  • The integrity and ethical values of management

  • The structure of the organization

  • The participation of the organization’s board of directors and the audit committee, if one exists

  • Management’s philosophy and operating style

  • The procedures for delegating responsibility and authority

  • Management’s methods for assessing performance

  • External influences, such as examinations by regulatory agencies

  • The organization’s policies and practices for managing human resources.

Risk Assessment

  • Organizations must perform a risk management to identify, analyze, and manage risks relevant to financial reporting. Risk can arise from circumstances such as:

    • Changes in the operating environment that impose new or changed competitive pressure on the firm

    • New personnel who have a different or inadequate understanding of internal control

    • New or reengineered information system that affect transaction processing.

    • Significant and rapid growth that strains existing internal control

    • The implementation of new technology into the production process or information system that impacts transaction processing

    • The introduction of new product lines or activities with which the organization has little experience

    • Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected.

    • Adoption of new accounting principle that impacts the preparation of financial statements.

Information and Communication

  • The organization’s transactions and to account The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities.

  • The quality of information that the accounting information system generates impacts management’s ability to take actions and make decisions in connection with the organization’s operations and to prepare reliable financial statements.

  • An effective accounting information system will:

    • Identify and record all valid financial transactions

    • Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting

    • Accurately measure the financial value of transactions so their effects can be recorded in financial statements

    • Accurately record transactions in the time period in which they occurred.

Monitoring

  • Management must determine that internal controls are functioning as intended.

  • Monitoring is the process by which the quality of internal control design and operation can be assessed.

  • This may be accomplished by separate procedures or by ongoing activities

  • Auditor should gather evidence of control adequacy by testing controls and then communicate control strengths and weakness to management.

  • As part of the process, internal auditors make specific recommendations for the improvement of controls.

Control Activities

  • Control activities are policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.

  • Control activities can be grouped into two distinct categories:

    • Physical Controls

      • relates to the human activities employed in accounting system.

      • These activities may be purely manual such as physical custody of assets, or physical use of computers.

  • The six categories of physical control are the following:

    • Transaction Authorization

    • Segregation of Duties

    • Supervision

    • Accounting Records

    • Access Controls

    • Independent Verifications

    • IT Controls

      • Information technology drives financial reporting processes of modern organizations.

      • Automated system initiate, authorize, record, and report the effects of financial transactions.

      • As such, they are inextricable elements of financial reporting processes that must be controlled.

      • COSO identifies two broad grouping of IT Controls, to wit:

        • Application Control – Ensure the validity, completeness, and accuracy of financial transactions.

        • General Controls- This apply to all system, including general computer controls and information technology controls.

FRAUD ERRORS IN THE CIS ENVIRONMENT

  • Computer Hacking

    • The act of compromising digital devices and networks through unauthorized access to an account or computer.

  • Intrusion

    • The act of taking and/or stealing valuable network resources and almost always jeopardize the security of networks and their data.

  • Identity Theft

    • Type of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud and deception.

  • Information Theft

    • Obtaining personal or financial information of another person to use their identity to commit fraud.

  • Computer Fraud

    • A cybercrime and the act of using computer to take or alter electronic data or to gain unlawful use of a computer or system.

  • Information Abuse

    • Willful or negligent unauthorized activity that affect the availability, confidentiality or integrity of information technology.

  • White-Collar Crimes (Collusion)

    • Full range of fraud committed by business and government professionals, such as public corruption, health care fraud, money laundering and mortgage fraud.

Importance of Knowing Fraud and Errors in the IT

  • To determine the audit procedures appropriate in the audit.

  • To attain the following audit objectives of:

    • Integrity – complete, honest and fair information

    • Reliability – information can be trusted

    • Validity – well grounded, just and relevant