Auditing Computer-Based Information Systems


Source: Romney/Steinbart AIS 11th ed & CISA Review, ISACA
Diagram/figure annotations by Arrianto Mukti Wibowo
Source: Accounting Information Systems, 11th ed, Romney/Steinbart

INTRODUCTION
Questions to be addressed in this session include:
- What are the scope and objectives of audit work, and what major steps take place in the audit process?
- What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives?
- How can a plan be designed to study and evaluate internal controls in an application?
- How can computer audit software be useful in the audit of an application?
- What is the nature and scope of an operational audit?

This session focuses on the concepts and techniques used in auditing an application.
Auditors are employed for a wide range of tasks and responsibilities:
- Organizations employ internal auditors to evaluate company operations.
- The GAO and state governments employ auditors to evaluate management performance and compliance with legislative intent.
- The Defense Department employs auditors to review financial records of defense contractors.
- Publicly-held corporations hire external auditors to provide an independent review of their financial statements.

This session is written primarily from the perspective of an internal auditor.
- They are directly responsible for helping management improve organizational efficiency and effectiveness.
- They assist in designing and implementing an application that contributes to the entity’s goals.
External auditors are primarily responsible to shareholders and investors.
- Only indirectly concerned with application effectiveness.
- But many internal audit concepts apply to external audits.


Nature of Auditing
Source: Accounting Information Systems, 11th ed, Romney/Steinbart

THE NATURE OF AUDITING
The American Accounting Association (AAA) defines auditing as:
- A systematic process of objectively obtaining and evaluating evidence
- Regarding assertions about economic actions and events
- To ascertain the degree of correspondence between those assertions and established criteria
- And communicating the results to interested users.

Auditing requires a step-by-step approach.
- It should be carefully planned, and techniques should be judiciously selected and executed.
Auditing involves collecting, reviewing, and documenting audit evidence.
The auditor uses criteria such as the principles of management control discussed in previous sessions to develop recommendations.

Auditors used to audit around the computer and ignore the computer and programs.
- Assumption: If output was correctly obtained from system input, then processing must be reliable.
Current approach: Audit through the computer.
- Uses the computer to check adequacy of system controls, data, and output.
SAS-94 requires that external auditors evaluate how audit strategy is affected by an organization’s use of IT.
Also states that auditors may need specialized skills to:
- Determine how the audit will be affected by IT.
- Assess and evaluate IT controls.
- Design and perform both tests of IT controls and substantive tests.


Internal Auditing Standards
According to the IIA, the purpose of an internal audit is to:
- Evaluate the adequacy and effectiveness of a company’s internal control system; and
- Determine the extent to which assigned responsibilities are carried out.

The IIA’s five audit scope standards outline the internal auditor’s responsibilities:
1. Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
2. Determine if the systems designed to comply with these policies, plans, procedures, laws, and regulations are being followed.
3. Review how assets are safeguarded, and verify their existence.
4. Examine company resources to determine how effectively and efficiently they are used.
5. Review company operations and programs to determine if they are being carried out as planned and if they are meeting their objectives.

Today’s organizations use a computerized application to process, store, and control company information.
- To achieve the five preceding objectives, an internal auditor must be qualified to examine all elements of the computerized application and use the computer as a tool to accomplish these auditing objectives.
- Computer expertise is essential to these tasks.

Types of Internal Auditing Work
Three different types of audits are commonly performed.
- Financial audit
  - Examines reliability and integrity of accounting records (financial and operating).
  - Correlates with the first of the five scope standards.
- Information systems audit
  - Reviews the controls of an application to assess:
    - Compliance with internal control policies and procedures; and
    - Effectiveness in safeguarding assets.
  - Scope roughly corresponds to the IIA’s second and third standards.
- Operational or management audit
  - Concerned with economical and efficient use of resources and accomplishment of established goals and objectives.
  - Scope corresponds to fourth and fifth standards.


An Overview of the Auditing Process
All audits follow a similar sequence of activities and may be divided into four stages:
1. Planning
2. Collecting evidence
3. Evaluating evidence
4. Communicating audit results

Audit Planning
Purpose: Determine why, how, when, and by whom the audit will be performed.
- The first step in audit planning is to establish the scope and objectives of the audit.
- An audit team with the necessary experience and expertise is formed.
- Team members become familiar with the auditee by:
  - Conferring with supervisory and operating personnel;
  - Reviewing system documentation; and
  - Reviewing findings of prior audits.

The audit should be planned so that the greatest amount of audit work focuses on areas with the highest risk factors.
There are three types of risk when conducting an audit:
- Inherent risk
  - How susceptible the area would be to threats if there were no controls.
- Control risk
  - The risk that a material misstatement will get through the internal control structure and into the financial statements.
  - Inversely related to the strength of the company’s internal controls, i.e., stronger controls means lower control risk.
  - Can be determined by:
    - Reviewing the control environment.
    - Considering control weaknesses identified in prior audits and evaluating how they have been rectified.
- Detection risk
  - The risk that auditors and their procedures will miss a material error or misstatement.

To conclude the planning stage:
- A preliminary audit program is prepared to show the nature, extent, and timing of the procedures necessary to achieve audit objectives and minimize audit risks.
- A time budget is prepared.
- Staff members are assigned to perform specific audit steps.

Collection of Audit Evidence
Much audit effort is spent ...
The following are among the most commonly used evidence collection methods:
- Observation
  - Watch the activities being audited, e.g., how employees enter the site or handle a particular form.
- Review of documentation
  - Review documents to understand how an application or an internal control system is supposed to function.
- Discussions
  - Talk with employees about their jobs and how they carry out certain procedures.
- Physical examination
  - Examine quantity and/or condition of tangible assets, such as equipment, inventory, or cash.
- Confirmation
  - Communicate with third parties to check the accuracy of information such as customer account balances.
- Re-performance
  - Repeat a calculation to verify quantitative information on records and reports.
- Vouching
  - Examine supporting documents to ensure the validity of the transaction.
- Analytical review
  - Examine relationships and trends among information items to detect those that ...
  - Example: If the inventory turnover ratio has plummeted, it’s time to investigate why the change has occurred.

Because many audit tests and procedures cannot feasibly be performed on the entire set of activities, records, assets, or documents, they are often performed on a sample basis.
A typical audit will be a mix of audit procedures.

An audit designed to evaluate application internal controls would make greater use of:
- Observation
- Review of documentation
- Discussions
- Re-performance
An audit of financial information would focus on:
- Physical examination
- Confirmation
- Vouching
- Analytical review
- Re-performance

Evaluation of Audit Evidence
The auditor evaluates the evidence gathered in light of the specific audit objective and decides if it supports a favorable or unfavorable conclusion.
If inconclusive, the auditor plans and ... sufficient evidence is obtained.
Two important factors when deciding ...
Because errors will occur anywhere, auditors focus on those that have a significant impact on management’s interpretation of the audit findings.
Materiality dictates what is and is not important in a given set of circumstances—primarily a matter of judgment.
It is generally more important to external audits, when the emphasis is on ...ness of financial statement presentations, than to internal audits, where the focus is on ...
