270 likes | 752 Vues
ACG 6936. ITAuditing Using GAS & CAATs. The Audit Function. The audit is to examine and to assure. The nature of auditing differs according to the subject under examination. Audits can be internal, external, and audits of information systems.
E N D
ACG 6936 ITAuditing Using GAS & CAATs
The Audit Function • The audit is to examine and to assure. • The nature of auditing differs according to the subject under examination. • Audits can be internal, external, and audits of information systems.
Internal versus External Auditing • In an internal audit a company’s own accounting employees perform the audit. • Accountants working for an independent CPA firm normally perform the external audit. • The chief function of the external audit is the attest function. • The fairness evaluation of the financial statements in an external audit is conducted according to GAAP.
Information Systems Auditing • Information systems auditing or electronic data processing (EDP) auditing involves evaluating the computer’s role in achieving audit and control objectives. • The AIS components of a computer-based AIS are people, procedures, hardware, data communications, software and databases. • These components are a system of interacting elements.
The Information Audit Process • If computer controls are weak or nonexistent, auditors will need to do more substantive testing. • Substantive tests are detailed tests of transactions and account balances. • Compliance testing is performed to ensure that the controls are in place and working as prescribed. • This may entail using computer-assisted audit techniques (CAATs).
Careers in Information Systems Auditing • Information systems auditors may obtain a Certified Information Systems Auditor (CISA) professional certification. • May be employed as either internal or external auditors. • Specialized skills and broad-based set of technical knowledge needed.
Information Systems Audit Process NO Audit around the computer Is system large and complex? Review general and application controls YES Audit through the computer Perform compliance tests of computer controls Preliminary review of information systems controls YES Audit through the computer Rely on IT controls? Perform substantive test of account balances NO Audit around the computer
Evaluating the Effectiveness of IT ControlsRisk Assessment • External auditor’s main objective in reviewing information systems control procedures is to evaluate the risks to the integrity of accounting data. • Information Systems Risk Assessment is a method for evaluating the desirability of IT-related controls for a particular aspect of business risk.
Guidance in Designing and Evaluating IT Controls • Systems Auditability and Control (SAC) report identifies important information technologies and the specific risks related to these technologies. • Control Objectives for Information and Related Technology (COBIT) provides auditors with guidance in assessing and controlling for business risk associated with IT environments.
Auditing Around the Computer • Auditing Around the Computer assumes that the presence of accurate output verifies proper processing operations. • This type of auditing pays little or no attention to the control procedures within the IT environment. • Generally not an effective approach to auditing a computerized environment.
Auditing Through the Computer • When Auditing Through the Computer, an auditor follows the audit trail through the internal computer operations phase of automated data processing. • Attempts to verify the processing controls involved in the AIS programs. • Primary approaches are 1) testing programs, 2) validating computer programs, 3) reviewing systems software, and 4) continuous auditing.
1) Testing Computer Programs -Test Data • The Test Data Approach uses a set of hypothetical transactions to test the edit checks in programs. • Auditor should use as many different exception situations as possible. • Auditor can also use software programs called test data generators to develop a set of test data.
Testing Computer Programs -Integrated Test Facility • An Integrated Test Facility (ITF) is effective in evaluating integrated online systems and complex programming logic. • ITF examines both the manual steps and the computerized steps that a company uses to process business transactions • Its purpose is to audit an AIS in an operational setting. • Establish a fictitious entity • Enter transactions for that entity • Observe how these transactions are processed. • The auditor’s role is to examine results of transaction processing to find out how well the AIS does the tasks required of it.
Testing Computer Programs - Parallel Simulation • With Parallel Simulation, the auditor uses live input data, rather than test data, in a program written or controlled by the auditor. • The auditor’s program usually simulates only certain critical functions of a client program. • Auditor needs complete understanding of client system and sufficient technical knowledge.
2) Validating Computer Programs • An auditor must validate any program with which he or she is presented. • Procedures that assist in program validation are 1) tests of program change control, 2) program comparison, and 3) surprise audits and surprise use of programs.
Tests of Program Change Control • Program Change Control is a set of internal controls developed to ensure against unauthorized program changes. • Requires documentation of every request for application program changes. • Test begins with inspection of documentation maintained by information processing subsystem.
Program Comparison • To guard against unauthorized program tampering, a test of length control total can be performed. • A comparison program can compare code line-by-line to ensure consistency between authorized version and version being used.
Surprise Audits and Surprise Use of Programs • The Surprise Audit Approach involves examining application programs unexpectedly. • With the Surprise Use Approach, an auditor visits the computer center unannounced and requests that previously obtained authorized programs be used for the required data processing.
3) Review of Systems Software • Systems software includes 1) operating system software, 2) utility programs, 3) program library software, and 4) access control software. • Auditors should review systems software documentation. • Software tools can be used to review systems software. • Systems software can generate incident reports.
4) Continuous Approach • Audit tools can be installed within an information system to achieve Continuous Auditing. • Particularly effective when most of an application’s data is in electronic form. • Examples: 1) embedded audit modules, 2) exception reporting, 3) transaction tagging.
Auditing with the Computer • Auditing with the Computer entails using computer-assisted audit techniques (CAATs) to help in various auditing tasks. • This approach is virtually mandatory since data are stored on computer media and manual access is impossible. • CAATs is effective and saves time.
General-Use Software • Auditors use General-Use Software such as spreadsheets and database management systems as productivity tools to improve their work. • Auditors use Structured Query Language (SQL) to retrieve a client’s data and display these data in a variety of formats for audit purposes.
Generalized Audit Software • Generalized Audit Software (GAS) packages enable auditors to review computer files without continually rewriting processing programs. • GAS programs are specifically tailored to auditor tasks. • Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA) are examples of GAS.
Advantages of a GAS Package • Allows the auditor to access computer-readable records for a wide variety of applications and organizations. • Enables the auditor to examine much more data than could be examined through manual means. • Rapidly and accurately performs a variety of routine audit functions. • Reduces dependence on non-auditing personnel for performing routine functions, thus enabling better control over the audit. • Requires only minimal computer knowledge on the part of the auditor.
Limitation of Using GAS Packages • The main limitation of using GAS packages is that they do not directly examine the application programs and programmed checks. • Thus, they cannot replace the techniques of auditing through the computer.
Automated Workpaper Software • Automated Workpaper Software handles accounts for many organizations in a flexible manner. • Features include: 1) generated trial balances, 2) adjusting entries, 3) consolidations,and 4) analytical procedures.
Auditing in the Information Age • Software can control audit • Audit tools stored on CD-ROM • Electronic spreadsheets • Client/server systems