Chapter 13: Auditing and governance of AIS Flashcards
What are the two broad areas of responsibility associated with the risk management system?
- Board, audit committee and management responsibilities:
  - Defining objectives, scope and priorities.
  - Formulating overall risk classifications.
  - Understanding business life cycles, business processes and critical success factors.
  - Identifying and classifying risks.
- Audit assurance related responsibilities:
  - Assessing the probability of risk and potential consequences.
  - Comparing and analysing risk tolerance and mitigation strategies.
  - Evaluating existing and new controls, costs and effectiveness of monitoring procedures.
  - Assessing exposure, reporting position and recommending insurance (if necessary).
What are the three main responsibilities of an audit committee?
An audit committee is a committee of board directors, and the charter defines its objectives.
The three primary functions of the audit committee include:
- to focus on issues relevant to the integrity of an organisation’s financial reporting
- to be responsible for overseeing external and internal audit, risk management, internal control and compliance
- to liaise with the board, internal and external auditors, and management.
Good corporate governance requires effective management oversight.
What does this oversight include?
- Internal and external reporting (financial and non-financial).
- Oversight of risk management activities.
- Internal and external audit.
- Internal control framework, including policies and procedures as they apply to financial reporting and to compliance with applicable laws and regulations.
- Oversight of activities to control and report on fraud.
Can best practices be used during auditing? If so, how?
Auditors often need other sources of guidance and may turn to best practice as a source.
We can define best practice as what a skilled, experienced auditor, familiar with the issue, would do.
It is the distilled wisdom of the auditor community and emerges from the discovery of what works best through trialling a variety of techniques and choosing the best one.
It responds to environmental change more quickly than regulatory processes can.
Sources of best practice include ISO standards and materials and procedures developed by the vendors and firms that offer audit and assurance services.
Briefly explain the three types of risk associated with a risk-based approach to an AIS audit.
Inherent risk is an audit area’s susceptibility to an error in a way that could be material, individually or in combination with other errors, assuming that there were no related internal controls.
Control risk is the risk that an error that could occur in an audit area, and that could be material, individually or in combination with other errors, will not be prevented, or detected and corrected on a timely basis, by the internal control system.
Detection risk is the risk that the IS auditor’s substantive procedures will not detect an error that could be material, individually or in combination with other errors.
What are the five phases of an AIS audit?
- Planning the audit
- Fieldwork
- Analysis
- Completion, review and reporting
- Monitoring and review
How does running test data through the system impose limitations on auditors?
Running test data through the system imposes several limitations on auditors.
First, relying on client staff to run the tests lessens the auditor’s degree of independence.
We can test on either a ‘live’ system (i.e. in normal operating mode) or a ‘dead’ system (i.e. after regular working hours).
We can also test on a copy of the production system, purposely supplied by the client to the auditors.
There is also a chance that, if any fraudulent modifications have been made to the production system, it is restored to its original state before a ‘dead’ system test is performed or a copy is taken for the auditors.
If we test on the ‘live’ system, which is the more desirable situation, we should reverse all test transactions to remove them from the system on test completion.
If done on a ‘dead’ system, then the files would be rolled back to their previous status and the changes discarded.
What are the five general infrastructure controls of a system that need to be evaluated during an audit?
- Logical access controls
- Database controls
- Physical environmental controls
- Storage controls
- Change controls
Why is the auditing of systems under development favourable?
A strong case can be made for auditors to be involved in the design and development of new systems.
The auditor needs to identify all possible risks arising from the use of the new system and to include appropriate controls to mitigate them.
Management must incorporate controls in the design phase to minimise their cost, compared with adding them through subsequent modification.
Also, substantial costs can result from the exposure to risks posed by missing controls.
The auditor will be involved either in testing the new system or in reviewing test plans to ensure they cover all possible risk factors.
Furthermore, the auditor needs to check test results to confirm that all controls are in place and working as intended.
In addition, auditors may be appointed by senior management to audit the entire project development, providing them with an independent opinion of project progress, in contrast to the possibly ‘rose-tinted’ view of the project team leadership.
Explain what special purpose audits can do and how these audits can be carried out.
Special purpose audits may be commissioned by management to:
- Investigate proven or suspected fraud by employees or others with access to the client’s system.
- Investigate intrusion (hacking) into a system.
- Obtain an independent opinion of the system’s vulnerability.
In such cases, there is no uniform approach; the auditor’s policy will be dictated firstly by the terms of the engagement and secondly by the particular circumstances of the client.
Required skillsets include a strong knowledge of general IT and, specifically, of IT security, in particular as it relates to the type of system(s) used by the client.
Additional skills may extend to those of a fraud squad detective or knowledge of criminal hacking techniques.
Explain the importance of an audit to corporate governance.
Corporate governance is the responsibility of the board of directors. Corporate governance is the framework of processes, systems and relationships between the stakeholders in an organisation. To be able to effectively execute their duties as directors, the board must have information about an organisation’s business processes, controls, risks and management practices. Audits can provide independent information and advice about the effectiveness and efficiency of an organisation’s operations.
Discuss the two broad areas of risk management.
Corporate governance drives the management risk agenda. The risk management system involves two broad areas of responsibility:
- Responsibility of the Board, Audit Committee and Management:
  - Define objectives, scope and priorities
  - Formulate overall risk classifications
  - Understand business life cycles, business processes, and critical success factors
  - Identify and classify risks
- Audit assurance related:
  - Assess the probability of risk and potential consequences
  - Compare and analyse risk tolerance and mitigation strategies
  - Evaluate existing and new controls, costs and effectiveness of monitoring procedures
  - Assess exposure, report position and recommend insurance (if necessary)
Managing risk is an essential responsibility of the board and management.
Understanding the organisation’s risk profile and having adequate controls to manage risk are ongoing tasks that need frequent re-evaluation.
What is the relationship between the internal and the external auditors?
External auditors can use the work of an internal auditor subject to guidelines outlined in the Auditing Standard ASA 610 Using the Work of Internal Auditors.
The guidelines relate to:
- the level of objectivity associated with the internal audit function
- the level of technical competence
- whether the internal audit function properly plans, reviews, supervises and documents their activities
Outline the influences on an auditor.
There are a number of influences on an auditor:
- Auditing standards, which come under the control of the Auditing and Assurance Standards Board (AUASB).
- Benchmarks and best practice.
These influences need to be carefully analysed so that the auditor understands their responsibilities.
Explain why it is necessary for the auditor to conduct post-audit monitoring.
The management letter which normally accompanies the formal report details required improvements to controls. Monitoring is required to ensure that management has, in fact, made the required changes to the system and to ensure that the changes are working as designed.