CHAPTER 22 Auditing Automated Information Systems: Special Topics

22 - 1 2003 Pearson Education Canada Inc.

CHAPTER 22Auditing Automated

Information Systems: Special Topics


As client computing facilities become more sophisticated, “paperless” accounting

systems evolve wherein little “hard copy” documentation is produced.

A / Rmaster

monday’sA / Rtransactions


What challenges does a sophisti-What challenges does a sophisti-cated EDP accounting systemcated EDP accounting system

present for an auditor?present for an auditor?


- audit trails, documentation may only exist on disk (no printed copies)




- audit trails, documentation may only exist on disk (no printed copies)- program errors may exist that cause uniform transaction errors



ERROR!!!


- audit trails, documentation may only exist on disk (no printed copies)- program errors may exist that cause uniform transaction errors- in some circumstances, controls may have to make up for a lack of adequate segregation of duties




- audit trails, documentation may only exist on disk (no printed copies)- program errors may exist that cause uniform transaction errors- in some circumstances, controls may have to make up for a lack of adequate segregation of duties- detecting unauthorized access may be difficult




- electronic method of sending documents between companies - no “paper trail” for the auditor to

follow - increased emphasis on front-end controls - security becomes key element in

controlling system

Electronic Data Interchange (EDI) Electronic Data Interchange (EDI) Presents Even More ChallengesPresents Even More Challenges


- also referred to as electronic commerce, or e-commerce

- greatly increased through “internet shopping”

- direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors

Electronic Funds Transfer (EFT) Electronic Funds Transfer (EFT) Also Presents ChallengesAlso Presents Challenges


- loss of confidential information, through corporate espionage or “hackers”

- create multiple levels of passwords; change regularly

- data intercepted during data communication - encrypt (scramble) information

during transmission

Data Communications Risks and Data Communications Risks and Control ProceduresControl Procedures


- inappropriate access to information via the Internet

- use of firewalls - physically separate homepage

equipment and software from other systems

- viruses invading systems - same as above - use current anti-virus software

Data Communications Risks and Data Communications Risks and Control ProceduresControl Procedures


1. Management commitment to disaster recovery planning.

2. Ranking of business processes: What will happen if process x fails?

3. Identifying minimum resources required to restore vital operations.

Disaster Recovery ProcessDisaster Recovery Process


4. Prepare a data centre plan and a user plan.

5. Test the plan, to discover any shortcomings in the plan before disaster strikes.

Disaster Recovery ProcessDisaster Recovery Process


Categories of Controls in an Categories of Controls in an EDP EnvironmentEDP Environment

APPLICATION CONTROLSGENERAL CONTROLS


revenue system

payroll system

expenditure system

GENERAL CONTROLSrelate to all parts of

the EDP system.



revenue system

payroll system

expenditure system

GENERAL CONTROLSrelate to all parts of

the EDP system.


APPLICATION CONTROLSrelate to one specific

use of the system

revenue system


Categories of General ControlsCategories of General Controls

1. plan of organization

Separate duties inEDP systems as discussed

in chapter 9.


2. systems development and documentation controls - each system should have documented, authorized specifications


SystemSpecifications

-Confidential-


Categories of General ControlsCategories of General Controls2. systems development and documentation controls - each system should have documented, authorized specifications - any system changes should be authorized and documented

SystemChanges

authorized


3. hardware controls



- diagnostic routines - hardware or software that checks the system’s internal operations and devices




- boundary protection - ensures that simulta- neous jobs do not interfere with one another

CENTRAL PROCESSING UNIT

boundary

weekly payroll calculation

daily accounts payable update




- periodic maintenance - hardware should be examined periodically by qualified technicians




4. controls over access to equipment, programs, and data files

ACCESS TO:

programdocumentation

data files &programs

computer hardware



4. controls over access to equipment, programs, and data files

ACCESS TO:

programdocumentation

data files &programs

computer hardware


SHOULD BELIMITED TO:

those who need accessto perform their duties


Physical Access ControlsPhysical Access Controls

security guards

manual key locks

controlsregardingvisitors

visitor


- access control software - passwords and ID codes which should be changed periodically. A password may provide access to only part of the system.

user ID?password?

Electronic Access ControlsElectronic Access Controls


- encryption boards - devices that are programmed with a unique key that makes data unread- able to anyone who may intercept a transmission

ajdienal k448an*& ddbdueb8 ao0#$ dd87cbd^^7dbd8cba sbc((suUduud(765@@ c38,sdus8 s8d890++s8 !!

Electronic Access ControlsElectronic Access Controls


1. Responsibility for control - senior management, user management

and information systems management has responsibilities

Objectives of General ControlsObjectives of General Controls


1. Responsibility for control2. Information system meets needs of entity



1. Responsibility for control2. Information system meets needs of entity3. Efficient implementation of information

systems




systems4.Efficient and effective maintenance of

information systems





information systems5.Effective and efficient development and

acquisition of information systems






acquisition of information systems6.Present and future requirements of users

can be met






acquisition of information systems6.Present and future requirements of users

can be met7.Efficient and effective use of resources

within information systems processing



8.Complete, accurate and timely processing of authorized information systems



8.Complete, accurate and timely processing of authorized information systems

9.Appropriate segregation of incompatible functions



8. Complete, accurate and timely processing of authorized information systems

9. Appropriate segregation of incompatible functions

10.All access to information and information systems is authorized






11.Hardware facilities are physically protected from unauthorized access, loss or damage







12. Recovery and resumption of information systems processing







12. Recovery and resumption of information systems processing

13.Maintenance and recovery of critical user activities



input processing output

Application controls can beApplication controls can begrouped into three categories:grouped into three categories:


Input ControlsInput Controls- input data should be authorized & approved


- input data should be authorized & approved- the system should edit the input data

Input ControlsInput Controls

ERROR!!!Try again!


Examples Examples of Input of Input ControlsControls

adequatedocuments - data has an assigned place andformat

SALES INVOICE 4527 Date: Ace Company Customer: 834 Reynolds Rd. Winnipeg, MB R2V 4E3 Sales Representative: Quantity Description Price

total invoice amount

Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:

Credit authorization:


Acct# description $amount_

50011 factory wage-reg 54,321.8950021 factory wage-ot 11,573.9150101 office wage-reg 32,811.0050111 office wage-ot 1.64 98,708.44

Examples of Input ControlsExamples of Input Controls

check digit- an extra digit is added to numbersto detect errors in transmission

checkdigits


Examples of Input ControlsExamples of Input Controlsrecord count - a control total of records processed (example: number of employeerecords processed in calculating payroll)

SI number Emp. name Hours Rate423988745 Jon Duchac 46 6.45127874639 Paul Juras 51 6.55567398674 Dale Martin 41 8.30245376868 Tom Taylor 43 8.60RECORD COUNT = 4


Examples of Input ControlsExamples of Input Controlsreasonableness and limit tests - deter-mine if amounts are too high, too low, orunreasonable (example: the maximum employee pay rate may be $15/hour)

SS number Emp. name Hours Rate423988745 Jon Duchac 46 6.45127874639 Paul Juras 51 6.55567398674 Dale Martin 41 8.30245376868 Tom Taylor 43 28.60ERROR MESSAGE: Rate exceeds specified parameters.


Examples of Input ControlsExamples of Input Controlsfield size check - results in an error messageif more or less than a certain number of characters is input (example: social insurancenumbers always have 9 characters)

SI number Emp. name Hours Rate423988745 Jon Duchac 46 6.45127874639 Paul Juras 51 6.55567398674 Dale Martin 41 8.302453768688Tom Taylor 43 8.60 ERROR MESSAGE: SIN has excesscharacters.


Examples of Input ControlsExamples of Input Controlsfield check - ensures that only numbers,alphabetic characters, or special characters are accepted into a specific field (example: SInumbers always have numeric characters)

SI number Emp. name Hours Rate423988745 Jon Duchac 46 6.45127874639 Paul Juras 51 6.55567398674 Dale Martin 41 8.30245at6868 Tom Taylor 43 8.60 ERROR MESSAGE: SIN has non-numeric characters.


Examples of Input ControlsExamples of Input Controlsvalidity check - allows only previously-definedvalid data to be entered into a data field (example: employee status must be either “hourly” or “salary”)

Emp. name Status Hours Rate Jon Duchac hourly 46 6.45 Paul Juras hourly 51 6.55 Dale Martin salary - - Tom Taylor unknown - - ERROR MESSAGE: status must be either “hourly” or “salary”


Processing ControlsProcessing Controls

assure thatdata entered intothe system are

processed, processedonly once, and

processed accurately


Examples of Processing ControlsExamples of Processing Controlscontrol, batch, or proof total - a total of anumerical field for all the records of a batchthat normally would be added (example: wages expense)

Acct# description $amount_5001 factory wage-reg 54,321.895002 factory wage-ot 11,573.915010 office wage-reg 32,811.005011 office wage-ot 1.64 wages expense 98,708.44

control


Examples of Processing ControlsExamples of Processing Controls

logic test - ensures against illogical combina-tions of information (example: a salaried em-ployee does not report hours worked)

Emp. name Status Hours Rate Jon Duchac hourly 46 6.45 Paul Juras hourly 51 6.55 Dale Martin salary - - Tom Taylor salary 43 - ERROR MESSAGE: for salaried employees, “Hours” should be “-”


Examples of Processing ControlsExamples of Processing Controls

completeness check - results in an error if information is incomplete

SI number Emp. name Hours Rate423988745 Jon Duchac 46 6.45127874639 Paul Juras 51 6.55567398674 Dale Martin 41 8.30 Tom Taylor 43 8.60 ERROR MESSAGE: Tom Taylor’s SINhas not been input.


Output ControlsOutput Controls

assure thatdata generated by

the system are valid,accurate, complete,and distributed to

authorized persons inappropriate quantities


Examples of Output ControlsExamples of Output Controls

- limits on quantity of output and/or processing time programmed constraints on time and/or output that prevent waste of resources

you’re wastingmy CPU time!!!


1. Design application controls with regard to: - segregation of incompatible functions - security - development - processing of information systems

Objectives of Application ControlsObjectives of Application Controls


1. Design application controls with regard to: - segregation of incompatible functions - security - development - processing of information systems2. Information provided by the systems is: - complete - accurate - authorized



1. Design application controls with regard to: - segregation of incompatible functions - security - development - processing of information systems2. Information provided by the systems is: - complete - accurate - authorized3. Existence of adequate management trails



There are two general approachesgeneral approaches to auditing EDP systems:



1. Auditing “around” the computer


1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware.

inputs processing output



inputs processing outputs

This approach involves no tests of thecomputer programs and no auditor useof the computer.





The logic of this approach is: “If we understand what went in and what came out, we understand the system.”


1. Auditing “around” the computer depends on a visible, traceable, hard copy audit trail made of manually- prepared and computer-prepared documents.


Can an auditor effectively “Can an auditor effectively “audit audit aroundaround” a client’s EDP system? ” a client’s EDP system?


Possibly! Many clients, however, do nothave a hard copy audit trail. Increasingly,data are recorded on computer disk and never printed.

Can an auditor effectively “Can an auditor effectively “audit audit aroundaround” a client’s EDP system? ” a client’s EDP system?


1. Auditing “around” the computer2. Auditing with use of the computer involves extensive testing of computer hardware and software.



2. Auditing with use of the computer em- phasizes the input and processing phases of EDP systems.



1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s system.

testdata

Techniques for auditingTechniques for auditingwith use of the computerwith use of the computer


Test data involves the use of auditor- prepared data, client programs, and client hardware.

auditor data

clientprogram }

clienthardware


What are the What are the shortcomingsshortcomings

of the use of test data?of the use of test data?


What are the What are the shortcomingsshortcomings of the use of of the use of test data?test data?

- possibility of accidental integration of fictitious and actual data

auditor data

client data }

garbage!



- possibility of accidental integration of fictitious and actual data- preparation of test data that examines all aspects of the application is difficult



- possibility of accidental integration of fictitious and actual data- preparation of test data that examines all aspects of the application is difficult- the auditor must make sure that the program being tested is the one actually used in routine processing


- the auditor writes a computer program that replicates part of the client’s system

auditor’sprogram

1. Test data 2. Parallel simulation

techniques for auditingtechniques for auditingwith use of the computerwith use of the computer


- the auditor writes a computer program that replicates part of the client’s system - the auditor’s program is used to process actual client data

auditor’sprogram

1. Test data 2. Parallel simulation



- the auditor writes a computer program that replicates part of the client’s system - the auditor’s program is used to process actual client data - the results from the auditor’s program and that of the client’s routine processing are compared

2. Parallel simulation



auditor’sprogram

clientdata }

clienthardware

Parallel simulation usually involves the use of actual client data, the auditor’s program, and client hardware.


With parallel simulation, the auditor mustmake sure that the program being tested isthe one actually used in routine processing.

auditor’sprogram

clientdata }

clienthardware


Generalized Audit SoftwareGeneralized Audit Software

?



a set of programs

specifically de-signed to per-form certain

data processing functions thatare useful tothe auditor.



a set of programs

specifically de-signed to per-form certain

data processing functions thatare useful tothe auditor.

canbe used

on a variety of

clients


Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be down-loaded into the auditor’s system and manipulated in a variety of ways.

client data }

auditorhardware

GAS


- verifying extensions and footings

Uses of Generalized Audit Uses of Generalized Audit Software (GAS)Software (GAS)

12/31/04 AGE,BASED ON INVOICE DATECUSTOMER BALANCE 0 -30 31-60 61-90 OVER 90AKINC 1276 170 1106BOWERS 534 534DEWASTALI 7523 7100 423DUNKLEBURG 97 97EASLEY 23000 21000 2000 EWING 8969 8969GOHO 1500 1500HARRISON 56900 56900MCCRAY 6500 6500 106299 30304 3203 6923 65869


- verifying extensions and footings- examining records for quality, completeness, consistency, and correct- ness. GAS can scan records and print those that are exceptions to auditor- specified criteria.



- verifying extensions and footings- examining records- comparing data on separate files

humanresources

payrollaccounting



- verifying extensions and footings- examining records- comparing data on separate files - summarizing or resequencing data and performing analyses



- verifying extensions and footings- examining records- comparing data on separate files - summarizing or resequencing data and performing analyses- comparing data obtained through other audit procedures with company records



- verifying extensions and footings- examining records- comparing data on separate files - summarizing or re-sequencing data and performing analyses- comparing data obtained through other audit procedures with company records- selecting audit samples



- verifying extensions and footings- examining records- comparing data on separate files - summarizing or re-sequencing data and performing analyses- comparing data obtained through other audit procedures with company records- selecting audit samples- printing confirmation requests


Documents

CHAPTER 22 Auditing Automated Information Systems: Special Topics