Auditing computer-based information systems (T6) Flashcards

1
Q

Auditing

A

The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events (transactions) in order to determine how well they correspond with established criteria (accounting standards).

2
Q

External auditing


A

• Using external independent auditors – more credible

3
Q

Internal auditing

A
  • An internal, objective assurance and consulting activity designed to add value and improve organisational effectiveness and efficiency, including assisting in the design and implementation of an AIS. – can be issues of credibility
  • Internal auditing helps recognize weaknesses and address them before an external audit
4
Q

External audits (detail)

A

External auditors responsible to corporate shareholders ( not managers )

(External auditors hired by board of directors)
– question short-term objectives of managers – agency problem

  • Concerned with gathering evidence needed to express opinion concerning financial statements 

  • Indirectly concerned with effectiveness of AIS 

  • Required to assess how audit strategy affected by use of AIS and IT 

  • Required to assess how audit will be affected by AIS and IT 

  • Assess and evaluate IT controls 

  • Design and perform tests of IT controls 

5
Q

Auditing Compliance in Australia 


A
  • Australian Auditing and Assurance Standards Board, a statutory body 

  • 35 Australian Auditing Standards 

  • Consistent with International Auditing Standards 

6
Q

Types of Internal Audits

A

FIOCI

Financial
• Examines the reliability and integrity of financial transactions, accounting records and financial statements.

Information System
• Reviews the controls of an AIS to assess compliance with internal control policies and procedures and effectiveness in safeguarding assets.

Operational
• Economical and efficient use of resources and the accomplishment of established goals and objectives.

Compliance
• Determines whether entities are complying with applicable laws, regulations, policies and procedures.

Investigative
• Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.

7
Q

Major steps in the Audit Process

A
  • Audit Planning
  • Collecting Evidence 

  • Evaluating Evidence 

  • Communicating Audit Results 

8
Q

Planning the Audit

A

Why, when, how, whom? – answers these questions
Why – choice or required by standards
When – frequency – compliance, doing right by stakeholders
How – how often – annually, semi-annually or more often
Whom – evidence of independence – no conflict of interest

Lastly, an audit program is prepared to show the nature, extent, and timing of the procedures needed to achieve audit objectives and minimize audit risks. A time budget is prepared, and staff members are assigned to perform specific audit steps.

9
Q

Planning the audit

Audit scope and objectives

A

(e.g. “true and fair” financial statements; solid IS controls) – scope: you typically can't audit everything, as it is expensive and impractical (take samples of transactions and draw a conclusion)

Work is targeted to the area with greatest risk – choose to look at the activities with greatest risk

10
Q

Types of risk in auditing

A

• Inherent risk
- Chance of risk in the absence of controls
- E.g. cloud a/c exposed to hackers, traditional accounting is not

• Control risk
- Risk a misstatement will not be caught by the internal control system.
- Weak password etiquette control => passwords may be ‘cracked’

• Detection risk
- Chance a misstatement will not be caught by auditors or their procedures.
- Industries often have idiosyncrasies

11
Q

Collection of Audit Evidence

A

Observation:
• Of activities to be audited (e.g., watching how data control personnel handle data processing work as it is received)

Review of documentation:
• To understand how a particular process or internal control system is supposed to function

Discussions:
• With employees about their jobs and about how they carry out certain procedures

Questionnaires:
• That gather data

Physical examination:
• Of the quantity and/or condition of tangible assets, such as equipment and inventory

Confirmations:
• Testing balances with external 3rd parties (similar to vouching)

Re-performance:
• Recalculations to test values (e.g. recalculate deprec. exp.)

Vouching:
• Examination of supporting documents (e.g. vendor reports on invoiced amounts).

Analytical review:
• Examining relationships and trends (e.g. ratio of A/C receivable/Sales)

12
Q

Evaluation of Audit Evidence

A

Does evidence support favourable or unfavourable conclusion?
Materiality of errors (unintentional) / irregularities (deliberate)
• How significant is the impact of the evidence? 


“information is material if its omission or misstatement could influence the economic decision of users taken on the basis of financial statements. … Materiality provides a threshold or cut-off point.” (IASB Framework)


13
Q

Evaluation of Audit evidence

- Reasonable Assurance (RA)

A
  • Auditor seeks RA that no material error exists in information or processes audited
  • Some risk remains that the audit conclusion is incorrect.
14
Q

Communication of Audit Conclusion

A
Written report summarising audit findings and recommendations: 
•	To management 

•	The audit committee 

•	The board of directors 

•	Other appropriate parties
15
Q

Risk-Based Audit Approach

A

The risk-based approach provides auditors with a clearer understanding of the fraud and errors that can occur and the related risks and exposures. It also helps them plan how to test and evaluate internal controls, as well as how to plan subsequent audit procedures.

16
Q

Risk-Based Audit Approach (stages)

A
  1. Determine threats (fraud and errors) facing the company.
    - Accidental or intentional abuse and damage to which the system is exposed.
  2. Identify control procedures that prevent, detect or correct the threats.
    - These are all controls that management has put into place and that auditors should review and test to minimise the threats.
  3. Evaluate control procedures.
    a. A systems review: are control procedures in place?
    b. Tests of controls: are existing controls working?
  4. Evaluate control weaknesses
    - to determine their effect on the nature, timing or extent of auditing procedures.
    - Control weaknesses in one area may be acceptable if there are compensating controls in other areas
17
Q

Information Systems Audit (Purpose)

A

Using the risk-based framework for an information systems audit allows the auditor to review and evaluate internal controls that protect the system to meet each of the following objectives.

18
Q

Information Systems Audit (Objectives)

A
  1. Overall information security

  2. Program development and acquisition
  3. Program modification
  4. Computer processing

  5. Source files

  6. Data files.
19
Q

There are three ways auditors test for unauthorized program changes:

A

There are three ways auditors test for unauthorized program changes:
  1. Auditors use a source code comparison program to compare the current version of the program with the source code. The two versions should be identical; any differences should be investigated.
  2. In the reprocessing technique, auditors reprocess data using the source code and compare the output with the company’s output. Discrepancies in the output are investigated.
  3. In parallel simulation, the auditor writes a program instead of using the source code, compares the outputs, and investigates any differences. Parallel simulation can be used to test a program during the implementation process.
20
Q

Audit Techniques Used to Test Programs (CONCURRENT AUDIT TECHNIQUES)

A

Concurrent audit techniques use embedded audit modules

Integrated Test Facility (ITF)
• Uses fictitious inputs
• Inserting a dummy entity in a company’s system; processing test transactions to update them will not affect actual records.

Snapshot Technique
• Master files before and after update are stored for specially marked transactions
• Marking transactions with a special code, recording them and their master file records before and after processing, and storing the data to later verify that all processing steps were properly executed.

System Control Audit Review File (SCARF)
• Continuous monitoring and storing of transactions that meet pre-specifications
• Using embedded audit modules to continuously monitor transactions, collect data on transactions with special audit significance, and store the data to later identify and investigate questionable transactions.

Audit Hooks
• Notify auditors of questionable transactions
• Audit routines that notify auditors of questionable transactions, often as they occur.

Continuous and Intermittent Simulation (CIS)
• Similar to SCARF for DBMS
• Embedding an audit module in a DBMS that uses specified criteria to examine all transactions that update the database.
21
Q

Concurrent audit techniques

A

Software that continuously monitors a system as it processes live data and collects, evaluates, and reports information about system reliability.

22
Q

Embedded audit modules

A

Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review.

23
Q

Software Tools Used to Test Program Logic

A

Automated flowcharting program

• Interprets source code and generates flowchart

Automated decision table program

• Interprets source code and generates a decision table

Scanning routines

• Searches program for specified items

Mapping programs

• Identifies unexecuted code

Program tracing
• Prints program steps with regular output to observe sequence of program execution events

24
Q

Explain what computer audit software is and what it can be used for.

A
  • Query data files and retrieve records based upon specified criteria 

  • Create, update, compare, download, and merge files 

  • Summarize, sort, and filter data 

  • Access data in different formats and convert to common format 

  • Select records using statistical sampling techniques 

  • Perform analytical tests 

  • Perform calculations and statistical tests 

25
Q

Explain the purpose of an operational audit and the specific evidence collection activities that are focused toward operations.

A

Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:

  • Review operating policies and documentation 

  • Confirm procedures with management and operating personnel 

  • Observe operating functions and activities 

  • Examine financial and operating plans and reports 

  • Test accuracy of operating information 

  • Test operational controls 

26
Q

Evaluation stage

A

At the evidence evaluation stage, the auditor measures the system against one that follows the best systems management principles. One important consideration is that the results of management policies and practices are more significant than the policies and practices themselves.