Accounting Information Systems
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and their accounting applications. However, it may not be feasible for every auditor to be a computer expert. Discuss the extent to which auditors should possess computer expertise to be effective auditors.
Since most organizations make extensive use of computer-based systems in processing data, it is essential that computer expertise be available in the organization's audit group. Such expertise should include:
• Extensive knowledge of computer hardware, software, data communications, and accounting applications
• A detailed understanding of appropriate control policies and procedures in computer systems
• An ability to read and understand system documentation
• Experience in planning computer audits and in using modern computer assisted auditing tools and techniques (CAATTs).
Not all auditors need to possess expertise in all of these areas. However, there is certainly some minimum level of computer expertise that is appropriate for all auditors to have. This would include:
• An understanding of computer hardware, software, accounting applications, and controls.
• The ability to examine all elements of the computerized AIS
• The ability to use the computer as a tool to accomplish these auditing objectives.
11.2 Should internal auditors be members of systems development teams that design and implement an AIS? Why or why not?
Many people believe that internal auditors should be involved in systems development projects in order to ensure that newly developed systems are auditable and have effective controls. However, if the auditor's involvement is too great, then his or her independence may be impaired with respect to subsequent review and evaluation of the system. Accordingly, the auditor should not be a member of a systems development team, or be otherwise directly involved in designing or implementing new systems. There are indirect forms of auditor involvement that are appropriate. The auditor can
1. Recommend a series of control and audit guidelines that all new systems should meet.
2. Independently review the work of the systems development team, evaluate both the quality of the systems development effort and its adherence to control and audit guidelines, and report the findings to management.
In both cases, the auditor is working through management rather than with the systems development team.

11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit function, Berwick could (a) train some of its computer specialists in auditing, (b) hire experienced auditors and train them to understand Berwick's information system, (c) use a combination of the first two approaches, or (d) try a different approach. Which approach would you support, and why?

The most effective auditor is a person who has training and experience as an auditor and training and experience as a computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming.
Berwick may find it necessary to accept some tradeoffs in staffing its audit function. Since auditors generally work in teams, Berwick should probably begin by using a combination of the first two approaches. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.
11.4 The assistant finance director for the city of Tustin, California, was fired after city officials discovered that she had used her access to city computers to cancel her daughter's $300 water bill. An investigation revealed that she had embezzled a large sum of money from Tustin in this manner over a long period. She was able to conceal the embezzlement for so long because the amount embezzled always fell within a 2% error factor used by the city's internal auditors. What weaknesses existed in the audit approach? How could the audit plan be improved? What internal control weaknesses were present in the system? Should Tustin's internal auditors have discovered this fraud earlier?
Audit approach weaknesses
1. The question implies Tustin's internal auditors never bothered to investigate transactions below a certain dollar amount, and/or shortages of less than a certain percent. This is not good audit practice.
2. While auditors generally examine transaction samples that are selected to include a high percentage of items having a high dollar value, their sampling procedures should not ignore transactions with lower dollar values. There must have been hundreds of falsified transactions, and an effective sampling plan might have uncovered a few of them.
3. An internal control audit should have detected inadequacies in Tustin's computer access controls, as well as a lack of transaction documentation.

Audit plan improvements
1. Audit software could be used to fully reconcile collections with billings, and list any discrepancies for further investigation.

Internal control weaknesses
1. An assistant finance director should not have the authority to enter credits to customer accounts. Certainly, there should have been documentation to support such transactions.
2. The assistant finance director should not have been granted rights to cancel water or other utility bills.

Should the auditors have detected the fraud earlier?
The easy answer here is yes, they should have uncovered the fraud earlier. While she was able to embezzle a large sum of money from Tustin, it was over a long period. One of the keys to her success was that she did not get greedy and the amounts taken in any one year were probably immaterial to the city. These kinds of frauds are very hard to detect.

11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an anonymous note from an assembly-line operator who has worked at the company's West Coast factory for the past 15 years. The note indicated that there are some fictitious employees on the payroll as well as some employees who have left the company. He offers no proof or names. What computer-assisted audit technique could Lou use to help him substantiate or refute the employee's claim? (CIA Examination, adapted)
Computer-assisted audit tools and techniques (CAATTs) could have been used to identify employees who have no deductions. Experience has shown that fictitious or terminated employees will generally not have deductions. This happens because the fraud perpetrator wants as much money from each fraudulent or terminated employee paycheck as possible. Another reason for this is that they fear that a deduction payment sent to a third party might cause an investigation and uncover their fraud.

11.6 Explain the four steps of the risk-based audit approach, and discuss how they apply to the overall security of a company.
The risk-based audit approach provides a framework for conducting information system audits. It consists of the following 4 steps:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the controls that management has put into place and that auditors should review and test, to minimize the threats.
3. Evaluate control procedures. Controls are evaluated two ways. First, a systems review determines whether control procedures are actually in place. Second, tests of controls are conducted to determine whether existing controls work as intended.
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures. If the auditor determines that control risk is too high because the control system is inadequate, the auditor may have to gather more evidence, better evidence, or more timely evidence. Control weaknesses in one area may be acceptable if there are compensating controls in other areas.

The risk-based approach provides auditors with a clearer understanding of the overall security of a company, including the fraud and errors that can occur in the company. It also helps them understand the related risks and exposures. In addition, it helps them plan how to test and evaluate internal controls, as well as how to plan subsequent audit procedures. The result is a sound basis for developing recommendations to management on how the AIS control system should be improved.

11.7 Compare and contrast the frameworks for auditing program development/acquisition and for auditing program modification.
The two are similar in that:
• They both deal with the review of software.
• They both are exposed to the same types of errors and fraud.
• They use many of the same control procedures, audit procedures (both systems review and tests of controls), and compensating controls, except that one set applies to program development and acquisition and the other set is tailored to address program modifications. These include management and user authorization and approval; thorough testing; review of the policies, procedures, and standards; and proper documentation. (Compare Tables 2 and 3 in the chapter.)

The two are dissimilar in that:
• The auditor's role in systems development is to perform an independent review of systems development and acquisition activities. The auditor's role in program modification is to perform an independent review of the procedures and controls used to modify software programs.
• There are some control procedures, audit procedures (both systems review and tests of controls), and compensating controls that are unique to program development and acquisition and others that are unique to program modifications. (Compare Tables 2 and 3 in the chapter.)
• Auditors test for unauthorized program changes, often on a surprise basis, in several ways that they do not have to test program development and acquisition. These include:
  o Using a source code comparison program to compare the current version of the program with the source code.
  o Reprocessing data using the source code and comparing the output with the company's output.
SUGGESTED SOLUTIONS TO THE PROBLEMS

11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita, the manager of administrative data processing, and expressed the desire to establish a more effective interface between the two departments. Issa wants your help with a new computerized accounts payable system currently in development. He recommends that your department assume line responsibility for auditing suppliers' invoices prior to payment. He also wants internal auditing to make suggestions during system development, assist in its installation, and approve the completed system after making a final review. Would you accept or reject each of the following? Why?

a. The recommendation that your department be responsible for the pre-audit of suppliers' invoices.

Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity is essential to the audit function, and internal auditors should be independent of the activities they must review. They should not prepare records or engage in any activity that could compromise their objectivity and independence. Furthermore, because internal auditing is a staff function, involvement in such a line function would be inconsistent with the proper role of an internal auditor.

b. The request that you make suggestions during system development.
It would be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. Internal auditing should build an appropriate interface with the Data
• Review testing plans.
• Determine that there are documentation standards and that they are being followed.
• Determine that the project itself is under control and that there is a system for gauging design progress.

Internal auditing must refrain, however, from actual participation in system design.

c. The request that you assist in the installation of the system and approve the system after making a final review.
The auditor must remain independent of any system they will subsequently audit. Therefore, the auditor must refrain from giving overall approval of the system in final review. The auditor may help in the installation or conversion of the system by continuing to offer suggestions for controls, particularly during the implementation period. In this situation, the auditor may review for missing segments, results of testing, and adequacy of documentation of program and procedures in order to determine readiness of the system for installation or conversion. After installation or conversion, the auditor may participate in a post-installation audit, either alone or as part of a team.

(CIA Examination, adapted)
11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the audit of the company's AIS. You have been reviewing the internal controls of the computer system that processes most of its accounting applications. You have studied the company's extensive systems documentation. You have interviewed the information system manager, operations supervisor, and other employees to complete your standardized computer internal control questionnaire. You report to your supervisor that the company has designed a successful set of comprehensive internal controls into its computer systems. He thanks you for your efforts and asks for a summary report of your findings for inclusion in a final overall report on accounting internal controls. Have you forgotten an important audit step? Explain. List five examples of specific audit procedures that you might recommend before reaching a conclusion.

The important audit step that has not been performed is tests of controls (sometimes called compliance tests). A system review only tells the auditor what controls are prescribed. Tests of controls allow the auditor to determine whether the prescribed controls are being adhered to and they are operating effectively.
Examples of audit procedures that would be considered tests of controls are:
• Observe computer operations, data control procedures, and file library control procedures.
• Inquiry of key systems personnel with respect to the way in which prescribed control procedures are interpreted and implemented. A questionnaire or checklist often facilitates such inquiry.
• Review a sample of source documents for proper authorization.
• Review a sample of on-line data entries for authorization.
• Review the data control log, computer operations log, file librarian's log, and error log for evidence that prescribed policies are adhered to.
• Test data processing by submitting a set of hypothetical transactions and comparing system outputs with expected results.
• Trace selected transactions through the system and check their processing accuracy.
• Check the accuracy of a sample of batch totals.
• Review system operating statistics.
• Use a computer audit software package to edit data on selected master files and databases.
11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a computer payroll system. To test the computer systems and programs, you submit independently created test transactions with regular data in a normal production run. List four advantages and two disadvantages of this technique.

a. Advantages
• Does not require extensive programming knowledge
• Approach and results are easy to understand.
• The complete system may be reviewed.
• Results are often easily checked.
• An opinion may be formed as to the system's data processing accuracy.
• A regular computer program may be used.
• It may save time.
• The auditor gains experience.
• The auditor maintains control over the test.
• Invalid data can be submitted to test for rejections.

b. Disadvantages
• Impractical to test all error possibilities.
• May be unable to relate input data to output reports in a complex system.
• If independent files are not used, it may be difficult to reverse or back out test data.

(CIA Examination, adapted)
11.4 You are involved in the audit of accounts receivable, which represent a significant portion of the assets of a large retail corporation. Your audit plan requires the use of the computer, but you encounter the following reactions. For each situation, state how the auditor should proceed with the accounts receivable audit.

a. The computer operations manager says the company's computer is running at full capacity for the foreseeable future and the auditor will not be able to use the system for audit tests.
• The auditor should not accept this explanation and should arrange with company executives for access to the computer system.
• The auditor should recommend that the procedures manual spell out computer use and access for audits.

b. The computer scheduling manager suggests that your computer program be stored in the computer program library so that it can be run when computer time becomes available.
• The auditor should not permit the computer program to be stored because it could then be changed without the auditor's knowledge.

c. You are refused admission to the computer room.
• The auditor's charter should clearly provide for access to all areas and records of the organization.

d. The systems manager tells you that it will take too much time to adapt the auditor's computer audit program to the computer's operating system and that company programmers will write the programs needed for the audit.
• Auditors should insist on using their own computer audit program, since someone at the company may wish to conceal falsified data or records.
• Auditors should insist on using their own computer audit program to expedite the audit, simplify the application, and avoid misunderstanding.

(CIA Examination, adapted)
11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DCH). While reviewing your staff's audit work papers for the state welfare agency, you find that the test data approach was used to test the agency's accounting software. A duplicate program copy, the welfare accounting data file obtained from the computer operations manager, and the test transaction data file that the welfare agency's programmers used when the program was written were processed on DCH's home office computer. The edit summary report listing no errors was included in the working papers, with a notation by the senior auditor that the test indicates good application controls. You note that the quality of the audit conclusions obtained from this test is flawed in several respects, and you decide to ask your subordinates to repeat the test. Identify three existing or potential problems with the way this test was performed. For each problem, suggest one or more procedures that might be performed during the revised test to avoid flaws in the audit conclusions.
Audit senior's conclusion has no basis (no supporting evidence).
• Must predetermine the result of test data processing, and then compare these to actual results.
11.6 You are performing an information system audit to evaluate internal controls in Aardvark Wholesalers' (AW) computer system. From an AW manual, you have obtained the following job descriptions for key personnel:

Director of information systems: Responsible for defining the mission of the information systems division and for planning, staffing, and managing the IS department.

Manager of systems development and programming: Reports to director of information systems. Responsible for managing the systems analysts and programmers who design, program, test, implement, and maintain the data processing systems. Also responsible for establishing and monitoring documentation standards.

Manager of operations: Reports to director of information systems. Responsible for management of computer center operations, enforcement of processing standards, and systems programming, including implementation of operating system upgrades.

Data entry supervisor: Reports to manager of operations. Responsible for supervision of data entry operations and monitoring data preparation standards.

Operations supervisor: Reports to manager of operations. Responsible for supervision of computer operations staff and monitoring processing standards.

Data control clerk: Reports to manager of operations. Responsible for logging and distributing computer input and output, monitoring source data control procedures, and custody of programs and data files.

a. Prepare an organizational chart for AW's information systems division.
b. Name two positive and two negative aspects (from an internal control standpoint) of this organizational structure.

1. What is good about this organization structure:
• Systems development and programming are organizationally independent of the operations functions.
• Computer operations are organizationally independent of data entry and data control.

2. What is bad about this organization structure:
• The manager of operations is responsible for systems programming, which is a violation of segregation of systems duties.
• The data control clerk is responsible for the file library, which is a violation of segregation of systems duties.

c. What additional information would you require before making a final judgment on the adequacy of AW's separation of functions in the information systems division?
• Is access to equipment, files, and documentation restricted and documented?
• Are activity logs for operating functions maintained and reviewed?
• Is there rotation of operations personnel and mandatory vacations?
• Is source data authorized?
11.7 Robinson's Plastic Pipe Corporation uses a data processing system for inventory. The input to this system is shown in Table 11-7. You are using an input controls matrix to help audit the source data controls.
Table 11-7 Parts Inventory Transaction File

Field Name          Field Type
Item number         Numeric
Description         Alphanumeric
Transaction date    Date
Transaction type    Alphanumeric
Document number     Alphanumeric
Quantity            Numeric
Unit cost           Monetary
Prepare an input controls matrix using the format and input controls shown in Figure 11-3; however, replace the field names shown in Figure 11-3 with those shown in Table 11-7. Place checks in the matrix cells that represent input controls you might expect to find for each field.
Inventory transactions input control matrix:

[Matrix residue; the check marks in the cells cannot be recovered from the source. Column headings: the field names from Table 11-7 (Item number, Description, Transaction date, Transaction type, Document number, Quantity, Unit cost). Row labels that survive: cross-footing balance, visual inspection, check digit verification, use prenumbered form, sign check, validity check, sequence check, field check, limit check, reasonableness test, completeness test, size check, other. Comments that survive: "All fields", "Also for balance on hand", "Compare quantity with item number".]
11.8 As an internal auditor for the state auditor's office, you are assigned to review the implementation of a new computer system in the state welfare agency. The agency is installing an online computer system to maintain the state's database of welfare recipients. Under the old system, applicants for welfare assistance completed a form giving their name, address, and other personal data, plus details about their income, assets, dependents, and other data needed to establish eligibility. The data are checked by welfare examiners to verify their authenticity, certify the applicant's eligibility for assistance, and determine the form and amount of aid. Under the new system, welfare applicants enter data on the agency's Web site or give their data to clerks, who enter it using online terminals. Each applicant record has a pending status until a welfare examiner can verify the authenticity of the data used to determine eligibility. When the verification is completed, the examiner changes the status code to approved, and the system calculates the aid amount. Periodically, recipient circumstances (income, assets, dependents, etc.) change, and the database is updated. Examiners enter these changes as soon as their accuracy is verified, and the system recalculates the recipient's new welfare benefit. At the end of each month, payments are electronically deposited in the recipient's bank accounts. Welfare assistance amounts to several hundred million dollars annually. You are concerned about the possibilities of fraud and abuse.
a. Describe how to employ concurrent audit techniques to reduce the risks of fraud and abuse.

Auditors should be concerned about a dishonest welfare examiner or unauthorized person submitting fictitious transactions into the system. Fictitious transactions could cause excessive welfare benefits to be paid to a valid welfare recipient, or payments made to an ineligible or fictitious recipient. The concurrent audit techniques needed most deal with submitting changes in record status from pending to approved and modifying welfare records to reflect changes in the recipient's circumstances. The auditor should verify that the system is set up to:
• check the password of every person who uses the system
• permit applicant records to be entered only by persons classified as welfare clerks
• permit transaction update records to be entered only by persons classified as welfare examiners
• capture and store the identity of the person entering every applicant record and transaction update record
The most useful concurrent audit technique to minimize the risk of fraudulent update transactions would be audit hooks. These program subroutines would review every record entered into the system, capture all data relating to any record that is suspicious and possibly fraudulent, write these records on an audit log or file, and report these records to the audit staff on a real-time basis. Some examples of questionable records that audit hooks might be designed to flag would be:
• Any welfare application record that is entered into the system by someone other than one of the authorized welfare clerks, and especially if entered by a welfare examiner.
• Any welfare record status change or modification that is entered into the system by someone other than one of the authorized welfare examiners.
• Assuming that it takes a minimum of n days for a welfare examiner to verify the authenticity of the data provided by a welfare applicant, any record update transaction entered in less than n days of the original applicant record entry.
• Any welfare record modification transaction that causes a welfare recipient's benefits to increase by a significant amount (say, 20%), or to exceed some upper limit that is close to the maximum amount a recipient can collect.
• Any welfare record that is modified more than two or three times within a short period, such as two or three months.
• Any record modification transaction that involves a change in the recipient's address.
• Any welfare record where the recipient's address is a post office box.
• Any welfare record that is not modified within a five-year period.
• Any attempt to access the system by someone not able to supply a valid welfare clerk or welfare examiner password.
• Any record entered into the system at a time of day other than during the agency's normal business hours, or one that is entered during a weekend or holiday period.
Undoubtedly, other useful audit hooks could be identified. The audit staff should brainstorm about methods that a fraud perpetrator could use to defraud the system, and develop audit hooks to counteract plausible fraud schemes. As the audit staff receives the data captured by these audit hooks, they must promptly follow up to verify the validity of the data in each questionable record.

The auditor should verify that the program code that calculates welfare recipient's benefits is thoroughly tested during the implementation process. She should copy the program code so it can be compared with the code that is in use at subsequent intervals. To supplement this procedure, as well as to provide additional protection against a possible fraud perpetrator, the auditor could add another audit hook that captures relevant data relating to any attempt to access and modify the welfare processing program itself.
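The audit hooks described in part (a) can be sketched as a review routine that runs on every transaction before it is applied. This is an added example, not part of the original solution; the record layout, role names, and all thresholds except the 20% figure are assumptions, and the sample transactions are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds; only the 20% figure is suggested by the text above.
MIN_VERIFY_DAYS = 5                       # the text's "n days"
INCREASE_THRESHOLD = 0.20                 # "a significant amount (say, 20%)"
MAX_BENEFIT, NEAR_MAX = 1500.00, 0.95     # hypothetical ceiling and margin
MAX_MODS, MOD_WINDOW = 3, timedelta(days=90)
BUSINESS_HOURS = range(8, 18)             # Mon-Fri; holiday calendar omitted
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)
ALLOWED_ROLE = {"application": "clerk", "approve": "examiner", "modify": "examiner"}


@dataclass
class Record:
    created: datetime
    benefit: float = 0.0
    address: str = ""
    mod_times: list = field(default_factory=list)


class AuditHook:
    """Reviews each transaction as it is entered and logs suspicious ones."""

    def __init__(self):
        self.records = {}     # recipient_id -> Record, stand-in for the database
        self.audit_log = []   # entries the audit staff would receive in real time

    def process(self, txn):
        flags = self._review(txn)
        if flags:
            self.audit_log.append({"txn": txn, "flags": flags})
        self._apply(txn)
        return flags

    def _review(self, txn):
        flags, when, kind = [], txn["when"], txn["kind"]
        rec = self.records.get(txn["recipient_id"])
        if txn["role"] != ALLOWED_ROLE[kind]:
            flags.append("entered_by_unauthorized_role")
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flags.append("outside_business_hours")
        if PO_BOX.search(txn.get("address", "")):
            flags.append("po_box_address")
        if rec is None or kind == "application":
            return flags
        if when - rec.created < timedelta(days=MIN_VERIFY_DAYS):
            flags.append("update_before_min_verification_period")
        if kind == "modify":
            if "address" in txn and txn["address"] != rec.address:
                flags.append("address_change")
            recent = [t for t in rec.mod_times if when - t <= MOD_WINDOW]
            if len(recent) + 1 > MAX_MODS:
                flags.append("frequent_modification")
        new = txn.get("benefit")
        if new is not None:
            if rec.benefit > 0 and (new - rec.benefit) / rec.benefit >= INCREASE_THRESHOLD:
                flags.append("large_benefit_increase")
            if new >= NEAR_MAX * MAX_BENEFIT:
                flags.append("benefit_near_maximum")
        return flags

    def _apply(self, txn):
        rid, kind = txn["recipient_id"], txn["kind"]
        if kind == "application":
            self.records[rid] = Record(txn["when"], address=txn.get("address", ""))
            return
        rec = self.records.get(rid)
        if rec is None:
            return
        if kind == "modify":
            rec.mod_times.append(txn["when"])
        rec.benefit = txn.get("benefit", rec.benefit)
        rec.address = txn.get("address", rec.address)


def run_sample():
    """Constructed transactions: one clean recipient (R1) and one suspicious (R2)."""
    hook, d = AuditHook(), datetime(2024, 3, 4, 10, 0)  # a Monday
    txns = [
        {"recipient_id": "R1", "kind": "application", "role": "clerk",
         "user": "c01", "when": d, "address": "12 Elm St"},
        {"recipient_id": "R1", "kind": "approve", "role": "examiner",
         "user": "e07", "when": d + timedelta(days=10), "benefit": 800.0},
        {"recipient_id": "R2", "kind": "application", "role": "examiner",
         "user": "e09", "when": d, "address": "PO Box 410"},
        {"recipient_id": "R2", "kind": "approve", "role": "examiner",
         "user": "e09", "when": d + timedelta(days=1, hours=13), "benefit": 1480.0},
        {"recipient_id": "R1", "kind": "modify", "role": "examiner",
         "user": "e07", "when": d + timedelta(days=30), "benefit": 1040.0,
         "address": "PO Box 410"},
    ]
    return hook, [hook.process(t) for t in txns]
```

The hook records and reports; it does not block the transaction, which matches the role the text gives it alongside the access controls listed earlier.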
b. Describe how to use computer audit software to review the work welfare examiners do to verify applicant eligibility data. Assume that the state auditor's office has access to other state and local government agency databases.
Computer audit software can process the welfare recipient database against other databases that contain data about welfare recipients, identify any discrepancies in the data items used to determine eligibility for benefits and/or calculate the amount of benefits, and report these discrepancies to the audit staff. Other possible databases that might be used for this purpose would include:
• State income tax records, which contain data on the income and dependents of welfare recipients.
• State unemployment and/or disability compensation records, which contain data on other sources of income for welfare recipients.
• State motor vehicle registration records, which might contain data about valuable assets owned by welfare recipients.
• Death records, which would reflect changes in eligibility for benefits. The reason it is important to review these is that a very common fraud scheme involves failure to enter a death record, followed by the diversion of subsequent benefit checks.
If a welfare recipient does not appear in any of the first four databases listed above, it would raise the issue of whether the person exists at all (e.g., is the welfare recipient a fictitious person?). To investigate this, driver license registration records and voter registration records could also be checked. If the recipient does not show up there, the audit staff should probably insist that a Welfare Agency employee (other than a welfare examiner) verify the recipient's existence. If a recipient appears in the death records database, it represents either deliberate fraud or failure to update the welfare records properly.

The use of computer audit software serves two purposes. First, it helps reduce the risk of system abuse by welfare applicants who provide inaccurate or incomplete data about the factors on which benefit calculations are based. Welfare examiners are responsible for identifying such cases, but may not always do so effectively, so audit reviews of this kind provide a second line of defense against this form of abuse. Second, it should increase the chance that the audit staff will identify cases where a welfare examiner attempts to perpetrate fraud by entering false records into the system. Combined with the audit hooks described in part (a), the use of computer audit software should provide strong assurance that the risks of fraud and abuse have been minimized.
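The database matching described in part (b) can be sketched as a single pass over the welfare file that looks each recipient up in the other agencies' records. This is an added example, not part of the original solution; the field names, the 10% income tolerance, and the sample records are assumptions constructed for illustration.

```python
from datetime import date

INCOME_TOLERANCE = 0.10  # assumed: differences under 10% are not reported


def cross_match(welfare, tax, compensation, vehicles, deaths):
    """Return {recipient_id: [finding, ...]} for records that need follow-up."""
    findings = {}
    for rid, w in welfare.items():
        issues = []
        t = tax.get(rid)
        if t is not None:
            # Income and dependents drive eligibility and the benefit amount.
            if t["income"] > w["income"] * (1 + INCOME_TOLERANCE):
                issues.append("income_understated")
            if w["dependents"] > t["dependents"]:
                issues.append("dependents_overstated")
        if compensation.get(rid, 0.0) > w["other_income"]:
            issues.append("undeclared_compensation")
        if sum(vehicles.get(rid, [])) > w["assets"]:
            issues.append("undeclared_vehicle_assets")
        died = deaths.get(rid)
        if died is not None and w["last_payment"] > died:
            issues.append("paid_after_death")
        # Absent from every outside database: possibly a fictitious recipient.
        if not any(rid in db for db in (tax, compensation, vehicles, deaths)):
            issues.append("no_external_match")
        if issues:
            findings[rid] = issues
    return findings


def run_sample():
    """Constructed records for four recipients."""
    paid = date(2024, 5, 31)
    welfare = {
        "W1": {"income": 9000, "dependents": 2, "other_income": 0, "assets": 3000, "last_payment": paid},
        "W2": {"income": 6000, "dependents": 4, "other_income": 0, "assets": 1000, "last_payment": paid},
        "W3": {"income": 0, "dependents": 0, "other_income": 0, "assets": 0, "last_payment": paid},
        "W4": {"income": 0, "dependents": 1, "other_income": 0, "assets": 0, "last_payment": paid},
    }
    tax = {
        "W1": {"income": 9400, "dependents": 2},
        "W2": {"income": 14500, "dependents": 1},
        "W3": {"income": 0, "dependents": 0},
    }
    compensation = {"W2": 3200.0}                       # unemployment/disability paid
    vehicles = {"W1": [2500], "W2": [18000, 4000]}      # registered vehicle values
    deaths = {"W3": date(2023, 11, 2)}
    return cross_match(welfare, tax, compensation, vehicles, deaths)
```

Each finding is a lead for the audit staff to verify, not proof of fraud; a recipient with no outside match would next be checked against driver license and voter registration records as the text describes.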
11.9 Melinda Robinson, the director of internal auditing at Sachem Manufacturing Company, believes the company should purchase software to assist in the financial and procedural audits her department conducts. Robinson is considering the following software packages:
• A generalized audit software package to assist in basic audit work, such as the retrieval of live data from large computer files. The department would review this information using conventional audit investigation techniques. The department could perform criteria selection, sampling, basic computations for quantitative analysis, record handling, graphical analysis, and print output (i.e., confirmations).
• An ITF package that uses, monitors, and controls dummy test data processed by existing programs. It also checks the existence and adequacy of data entry and processing controls.
• A flowcharting package that graphically presents the flow of information through a system and pinpoints control strengths and weaknesses.
• A parallel simulation and modeling package that uses actual data to conduct the same tests using a logic program developed by the auditor. The package can also be used to seek answers to difficult audit problems (involving many comparisons) within statistically acceptable confidence limits.

(CMA Examination, adapted)
a. Wit)*ut &ga&d t* an% ("i!i" "*+ut& audit (*!ta&/ idnti!% t) gn&a$ ad#antag( *! u(ing "*+ut& audit (*!ta& t* a((i(t it) audit(.
b.
!udits can be more efficient, saving labor time spent on routine calculations. %he routine operations of footing extensions, transcription beteen reports, report generation, etc., are performed by the computer.
%he auditor's time spent on the audit is more analytical than clerical.
%he auditor can examine more records and extract data more readily through ad hoc reporting.
$omputer-generated reports and schedules are more ob*ective and professional, improving data communication.
!udit sampling is improved. !ny bias in sample selection is eliminated because of assured randomness. %his has a direct effect on sampling precision, reliability, and audit accuracy.
D("&i0 t) audit u&*( !a"i$itatd and t) &*"du&a$ (t( t* 0 !*$$*d 0% t) int&na$ audit*& in u(ing t) !*$$*ing Gn&a$i;d audit (*!ta& a",ag. The purpose of generalized audit software programs is to perform a variety of auditing operations on the computer files used to store the information. The steps to be followed by the internal auditor to use generalized computer audit software would include things such as planning and designing the audit application. Intg&atd t(t !a"i$it% a",ag . !n integrated test facility #)%8& can be used to test both source data controls and processing controls as follos: •
• Select and prepare the test transactions to be passed through the ITF. These transactions must be representative of all of the transactions the dummy unit emulates. All types of valid and invalid transactions must be used and blended with regular transactions over time to test the system properly under normal conditions.
• Review all output and processing routines including a comparison of actual results to predetermined results.

Flowcharting package. The purpose of a control flowcharting package is to interpret the program source code and generate a program flowchart corresponding to it in order to facilitate the review of internal controls. To use a control flowcharting package, the internal auditor should:
• Establish the audit objective by identifying the systems and programs to be tested.
• Review manuals and documentation of the system and interview involved personnel to get an overview of the operations to be tested.

Parallel simulation and modeling package. The purpose of a parallel simulation package is to ensure that organizational objectives are being met, ensure compliance to technical standards, and detect unauthorized program changes. To use a parallel simulation package:
• Run the same data used in the company's current application program using the simulated application program.
• Compare the results from the simulated application with the results from the company's current application program to verify that objectives are being met.
11.10 The fixed-asset master file at Thermo-Bond includes the following data items:

Asset number
Date of retirement (99/99/2099 for assets still in service)
Description
Depreciation method code
Type code
Depreciation rate
Location code
Useful life (years)
Date of acquisition
Accumulated depreciation at beginning of year
Original cost
Year-to-date depreciation

Explain several ways auditors can use computer audit software in performing a financial audit of Thermo-Bond's fixed assets.
• Edit the file for obvious errors or inconsistencies such as:
  o Retired assets that have a non-zero net value.
  o Retirement date that precedes acquisition date.
  o Accumulated depreciation that exceeds original cost.
  o Useful life that exceeds a reasonable limit (such as 40 years).
  o Invalid type code, location code, or depreciation method code.
  o Numeric fields that contain non-numeric data.
• Recalculate year-to-date depreciation for each asset record, compare to the amount in the record, and list all asset records for which a discrepancy exists.
• Select a sample of assets, stratified by net dollar value, and sorted and listed by location, for possible physical examination by the auditor.
• Foot the entire file to obtain file totals for total original cost, total accumulated depreciation, total current year depreciation, and total cost of current year acquisitions, for comparison to externally maintained records.
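
The file edits listed above, written out as an added example (it is not part of the original solution and is not any audit package's own code). The field names, code tables, ISO date format, blank retirement date for assets in service, and the sample records are all assumptions; accumulated depreciation to date is taken as the beginning-of-year balance plus the year-to-date charge.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed code tables; the page does not list the valid values.
CODES = {"type_code": {"BLDG", "MACH", "VEH"}, "location_code": {"P1", "P2"},
         "method_code": {"SL", "DDB"}}
MAX_LIFE_YEARS = 40  # reasonable limit for useful life (assumed value)
NUMERIC = ("original_cost", "accum_depr_boy", "ytd_depr", "useful_life")

def edit_asset(rec):
    """Return the edit exceptions for one record whose fields are all strings."""
    errors, num = [], {}
    for field in NUMERIC:
        try:
            num[field] = Decimal(rec[field])
        except InvalidOperation:
            errors.append(f"non-numeric {field}")
    for field, valid in CODES.items():
        if rec[field] not in valid:
            errors.append(f"invalid {field}")
    # Assumptions: dates are ISO strings and a blank retirement date means in service.
    retired = rec["retired"] != ""
    if retired and date.fromisoformat(rec["retired"]) < date.fromisoformat(rec["acquired"]):
        errors.append("retirement precedes acquisition")
    if "useful_life" in num and num["useful_life"] > MAX_LIFE_YEARS:
        errors.append("useful life exceeds limit")
    if all(f in num for f in NUMERIC[:3]):
        accumulated = num["accum_depr_boy"] + num["ytd_depr"]  # balance to date
        if accumulated > num["original_cost"]:
            errors.append("accumulated depreciation exceeds cost")
        if retired and num["original_cost"] != accumulated:
            errors.append("retired asset with non-zero net value")
    return errors

def edit_file(records):
    """Exception report: asset number -> errors, only for records failing an edit."""
    return {r["asset_no"]: e for r in records if (e := edit_asset(r))}

def _rec(*values):
    keys = ("asset_no", "type_code", "location_code", "method_code", "acquired", "retired") + NUMERIC
    return dict(zip(keys, values))

SAMPLE = [  # constructed records, not data from the page
    _rec("1001", "MACH", "P1", "SL", "2015-03-01", "", "50000", "20000", "5000", "10"),
    _rec("1002", "VEH", "P2", "SL", "2018-06-15", "2017-01-10", "30000", "12000", "3000", "5"),
    _rec("1003", "BLDG", "P9", "SL", "2001-01-01", "", "900000", "950000", "0", "60"),
    _rec("1004", "MACH", "P1", "DDB", "2012-02-02", "", "12O00", "4000", "800", "8"),
]
print(edit_file(SAMPLE))
```

A record with a non-numeric amount is reported once for that field and skipped by the value comparisons, so one keying error does not cascade into misleading exceptions.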
11.11 You are auditing the financial statements of a cosmetics distributor that sells thousands of individual items. The distributor keeps its inventory in its distribution center and in two public warehouses. At the end of each business day, it updates its inventory file, whose records contain the following data:

Item number
Item description
Quantity-on-hand
Item location
Cost per item
Date of last purchase
Date of last sale
Quantity sold during year

You will use audit software to examine inventory data as of the date of the distributor's physical inventory count. You will perform the following audit procedures:
1. Observe the distributor's physical inventory count at year-end and test a sample for accuracy.
2. Compare the auditor's test counts with the inventory records.
3. Compare the company's physical count data with the inventory records.
4. Test the mathematical accuracy of the distributor's final inventory valuation.
5. Test inventory pricing by obtaining item costs from buyers, vendors, or other sources.
6. Examine inventory purchase and sale transactions on or near the year-end date to verify that all transactions were recorded in the proper accounting period.
7. Ascertain the propriety of inventory items located in public warehouses.
8. Analyze inventory for evidence of possible obsolescence.
9. Analyze inventory for evidence of possible overstocking or slow-moving items.
10. Test the accuracy of individual data items listed in the distributor's inventory master file.

Describe how the use of the audit software package and a copy of the inventory file data might be helpful to the auditor in performing each of these auditing procedures.
Audit Procedure / How Audit Software Can Help

1. Observe the distributor's physical count of inventories as of a given date, and test a sample of the distributor's inventory counts for accuracy.
   How audit software can help: Determine which items are to be test counted by taking a random sample of a representative number of items from the inventory file as of the date of the physical count.
2. Compare the auditor's test counts to the inventory records.
   How audit software can help: Arrange test counts in a format identical to the inventory file, and then match the counts.
3. Compare physical count data to the inventory records.
   How audit software can help: Compare the total of the extended values of all inventory items counted, and the extended values of each inventory item counted, to the inventory records.
4. Test the mathematical accuracy of the distributor's final inventory valuation.
   How audit software can help: Calculate the dollar value of each inventory item counted by multiplying the quantity on hand by the cost per unit, and then verify the addition of the extended dollar values.
5. Test the pricing of the inventory by obtaining a list of costs per item from buyers, vendors, or other sources.
   How audit software can help: Compare the unit costs on the auditor's price test to those on the inventory file.
6. Examine inventory purchase and sale transactions on or near the year-end date to verify that all such transactions were recorded in the proper accounting period.
   How audit software can help: Take a sample of inventory file items for which the date of last purchase and date of the last sale are on or immediately prior to the date of the physical count, which is usually at fiscal year end.
7. Ascertain the propriety of items of inventory located in public warehouses.
8. Analyze inventory for evidence of possible obsolescence.
9. Analyze inventory for evidence of possible overstocking or slow-moving items.
10. Test the accuracy of individual data items listed in the distributor's inventory master file.
11.12 Which of the following should have the primary responsibility to detect and correct data processing errors? Explain why that function should have primary responsibility and why the others should not.

a.

b. The computer operator: Although the computer operator is responsible for the operation of the hardware and software of the organization, he is not responsible for detecting and correcting data processing errors. Being able to both process data and correct data processing errors would allow the operator to "fix" non-existent errors in a way that would benefit the operator personally; that is, it would allow the perpetrator to commit and conceal fraud.

c. The corporate controller: The corporate controller has overall responsibility for the operation of the accounting function, but would not have primary responsibility to detect and correct data processing errors.

d. The independent public accountant: The independent auditor has no responsibility to detect and correct a client's data processing errors. The independent auditor's responsibility is to attest to fairness of the financial statements.
SUGGESTED SOLUTIONS TO THE CASES

11.1 You are performing a financial audit of the general ledger accounts of Preston Manufacturing. As transactions are processed, summary journal entries are added to the general ledger file at the end of the day. At the end of each day, the general journal file is processed against the general ledger control file to compute a new current balance for each account and to print a trial balance. The following resources are available as you complete the audit:
• Your firm's generalized computer audit software
• A copy of the general journal file for the entire year
• A copy of the general ledger file as of fiscal year-end (current balance = year-end balance)
• A printout of Preston's year-end trial balance listing the account number, account name, and balance of each account on the general ledger control file

Create an audit program for Preston Manufacturing. For each audit step, list the audit objectives and the procedures you would use to accomplish the audit program step.

General Journal
Field Name                     Field Type
Account number                 Numeric
Amount                         Monetary
Debit/credit code              Alphanumeric
Date (MM/DD/YY)                Date
Reference document type        Alphanumeric
Reference document number      Numeric

General Ledger Control
Field Name                     Field Type
Account number                 Numeric
Account name                   Alphanumeric
Beginning balance/year         Monetary
Beg-bal-debit/credit code      Alphanumeric
Current balance                Monetary
Cur-bal-debit/credit code      Alphanumeric
AUDIT PROGRAM
AUDIT OBJECTIVES AND PROCEDURES

a. Edit the general journal file for errors and inconsistencies such as:
• Invalid debit/credit code or document type.
• Date not within current fiscal year.
• Missing data values.
• Non-numeric data in account number, amount, or document number fields.
Objective: Evaluate the quality of the file data.

b. Edit the general ledger file for errors and exceptions such as:
• Invalid debit/credit codes.
• Missing data values.
• Non-numeric data in account number or balance fields.
Objective: Evaluate the quality of the file data.

c. Select a sample of general journal transactions, stratified by dollar value. Sort and list by document type.
Objective: Test the transaction data entry accuracy.

d. Merge the general journal and general ledger files by account number, and list all unmatched general journal entries. (or look them up in the appropriate tables)

e. Recalculate each ledger account's current balance from the beginning balance and the general journal amounts, and list any discrepancies between the recalculated balance and the file balance.
Objective: Test transaction data entry accuracy.

f.
Objective: Identify accounts to be investigated in detail.
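
Steps d and e of the audit program, sketched as an added example (not part of the original solution and not a particular audit package's code). The dictionary keys, the 'D'/'C' debit/credit codes, and the sample files are assumptions; balances are signed with debits positive so that the recalculation is a simple sum.

```python
from collections import defaultdict
from decimal import Decimal

def signed(amount, dc_code):
    """Debits positive, credits negative (codes 'D' and 'C' are assumed)."""
    value = Decimal(amount)
    return value if dc_code == "D" else -value

def reconcile(journal, ledger):
    """Return (unmatched journal entries, {account: (recalculated, on file)})."""
    accounts = {row["account"] for row in ledger}
    # Step d: journal entries whose account number has no ledger record.
    unmatched = [e for e in journal if e["account"] not in accounts]
    activity = defaultdict(Decimal)  # net journal activity per ledger account
    for e in journal:
        if e["account"] in accounts:
            activity[e["account"]] += signed(e["amount"], e["dc"])
    # Step e: beginning balance + journal activity versus the balance on file.
    discrepancies = {}
    for row in ledger:
        recalculated = signed(row["beg_bal"], row["beg_dc"]) + activity[row["account"]]
        on_file = signed(row["cur_bal"], row["cur_dc"])
        if recalculated != on_file:
            discrepancies[row["account"]] = (recalculated, on_file)
    return unmatched, discrepancies

# Constructed sample files, not Preston's data.
LEDGER = [
    dict(account="1000", name="Cash", beg_bal="5000.00", beg_dc="D", cur_bal="6500.00", cur_dc="D"),
    dict(account="2000", name="Accounts payable", beg_bal="3000.00", beg_dc="C", cur_bal="3500.00", cur_dc="C"),
    dict(account="4000", name="Sales", beg_bal="0.00", beg_dc="C", cur_bal="2500.00", cur_dc="C"),
]
JOURNAL = [
    dict(account="1000", amount="2000.00", dc="D", doc_no="101"),
    dict(account="1000", amount="500.00", dc="C", doc_no="102"),
    dict(account="2000", amount="1000.00", dc="C", doc_no="103"),
    dict(account="2000", amount="300.00", dc="D", doc_no="104"),
    dict(account="4000", amount="2500.00", dc="C", doc_no="105"),
    dict(account="9999", amount="100.00", dc="D", doc_no="106"),  # no such ledger account
]
UNMATCHED, DISCREPANCIES = reconcile(JOURNAL, LEDGER)
print(UNMATCHED, DISCREPANCIES)
```

Amounts are held as Decimal rather than float so that a recalculated balance never differs from the file balance because of binary rounding.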