Rais12 Sm Ch11

Accounting Information Systems

CHAPTER 11 AUDITING COMPUTER-BASED INFORMATION INFORMATION SYSTEMS SUGGESTED ANSWERS TO DISCUSSION QUESTIONS 11.1 11.1 Auditing an AIS !!"ti#$% !!"ti#$% &'ui&( t)at an audit*& )a# (*+ ,n*$dg *! "*+ut&( and t)i& a""*unting a$i"ati*n(. H*#&/ H*#&/ it +a% n*t 0 !a(i0$ !*& #&% audit*& t* 0 a "*+ut& &t. Di("u(( t) tnt t* )i") audit*&( audit*&( ()*u$d *(((( "*+ut& &ti( &ti( t* 0 !!"ti# audit*&(.

Since most organizations make extensive use of computer-based systems in processing data, it is essential that computer expertise expertise be available in the organization's organization's audit group. Such expertise should include: •

Extensive knoledge of computer hardare, softare, data communications, and accounting applications

•

! detailed understanding of appropriate control policies and procedures in computer systems

•

!n ability to read and understand system documentation

•

Experience in planning computer audits and in using modern computer assisted auditing tools and techni"ues #$!!%%s&.

ot all auditors need to possess expertise expertise in all of these areas. (oever, there there is certainly some minimum level of computer expertise that is appropriate appropriate for all auditors to have. %his ould include: •

!n understanding of computer hardare, softare, accounting applications, and controls.

•

%he ability to examine all elements of the computerized !)S !)S

•

%he ability to use the computer as a tool to accomplish these auditing ob*ectives.

11.2 11.2 S)*u$d int&na$ int&na$ audit*& audit*&(( 0 ++0&( *! (%(t+( (%(t+( d#$*+ d#$*+nt nt ta+( t)at t)at d(ign and i+$+nt an AIS3 W)% *& )% )% n*t3

+any people believe that internal auditors should be involved in systems development pro*ects in order to ensure that nely developed systems are auditable auditable and have effective controls. (oever, if the auditor's involvement is too great, then his or her independence may be impaired ith respect to subse"uent revie and evaluation evaluation of the system. !ccordingly, !ccordingly, the the auditor should not be a member of a systems development team, or be otherise directly involved in designing or implementing ne systems. %here are indirect forms of auditor auditor involvement that that are appropriate. %he auditor can . ecommend ecommend a series series of control control and audit audit guidelin guidelines es that all all ne systems systems should should meet. meet. -

Ch. 11: Auditing Computer-Based Computer-Based Information Information Systems Systems

/. )ndepende )ndependently ntly revie revie the ork ork of the systems systems developmen developmentt team, evaluate evaluate both the the "uality of of the systems development effort and its adherence to control and audit guidelines, and report the findings to management. )n both cases, the auditor is orking through management rather than ith the systems development team. 11.4 At &(nt/ n* B&i", +$*%( )a# auditing &in". T* (ta!! it( n int&na$ audit !un"ti*n/ B&i", "*u$d 5a6 t&ain (*+ *! it( "*+ut& ("ia$i(t( in auditing/ 5 06 )i& &in"d audit*&( and t&ain t)+ t* und&(tand B&i",7( in!*&+ati*n (%(t+/ 5"6 u( a "*+0inati*n *! t) !i&(t t* a&*a")(/ a&*a")(/ *& 5d6 t&% a di!!&nt a&*a"). a&*a"). W)i") a&*a") *u$d %*u (u*&t/ and )%3 %he most effective auditor is a person ho has training and experience as an auditor and training and experience as a computer specialist. (oever, fe people people have such an extensive background, and personnel training and development are both expensive and time consuming.

0erick may find it necessary to accept some tradeoffs in staffing its its audit function. Since auditors generally ork in teams, 0erick should probably begin by using a combination of the first to approaches. %hen, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.

11.8 T) a((i(tant !inan" di&"t*& !*& t) "it% *! Tu(tin/ Tu(tin/ Ca$i!*&nia/ a( !i&d a!t& "it% *!!i"ia$( di("*#&d t)at () )ad u(d )& a""(( t* "it% "*+ut&( t* "an"$ )& daug)t&7( 94:: at& 0i$$. An in#(tigati*n &#a$d &#a$d t)at () )ad +0;;$d a $a&g (u+ *! +*n% !&*+ Tu(tin Tu(tin in t)i( +ann& *#& a $*ng $*ng &i*d. S) a( a0$ t* "*n"a$ t) +0;;$+nt +0;;$+nt !*& (* $*ng 0"au( t) a+*unt +0;;$d a$a%( !$$ it)in a 2< &&*& !a"t*& u(d 0% t) "it%7( int&na$ audit*&(. W)at a,n((( a,n((( i(td in t) audit a&*a")3 a&*a")3 H* "*u$d t) audit $an 0 i+&*#d3 W)at int&na$ "*nt&*$ a,n((( a,n((( & &(nt in in t) (%(t+3 S)*u$d Tu(tin7 Tu(tin7(( int&na$ audit*&( )a# di("*#&d t)i( !&aud a&$i&3

!udit approach eaknesses . %he "uestion "uestion implies implies %ustin's %ustin's internal auditors auditors never never bothered to investigate investigate transactions transactions belo a certain dollar amount, and1or shortages of less than a certain percent. percent. %his is not good audit practice. /. 2hile 2hile auditors auditors generally generally examine examine transacti transaction on samples samples that are selected selected to include include a high percentage of items having a high dollar value, their their sampling procedures should not ignore ignore transactions ith loer dollar dollar values. %here must have been hundreds of falsified transactions, transactions, and an effective sampling plan might have uncovered a fe of them. 3. !n internal internal control control audit should should have detected detected inade"uaci inade"uacies es in %ustin' %ustin'ss computer computer access controls, as ell as a lack of transaction documentation. !udit plan improvements . !udit !udit softare softare could be used to fully fully reconcile reconcile collect collections ions ith ith billings, billings, and list list any

-/


discrepancies for further investigation. )nternal control eaknesses . !n assistant finance director should not have the authority to enter credits to customer accounts. $ertainly, there should have been documentation to support such transactions. /. %he assistant finance director should not have been granted rights to cancel ater or other utility bills Should the auditors have detected the audit earlier4 %he easy anser here is yes, they should have uncovered the fraud earlier. 2hile she as able to embezzle a large sum of money from %ustin, it as over a long period. 5ne of the keys to her success as that she did not get greedy and the amounts taken in any one year as probably immaterial to the city. %hese kinds of frauds are very hard to detect. 11.= >*u G*0$/ an int&na$ audit*& !*& a $a&g +anu!a"tu&ing nt&&i(/ &"i#d an an*n%+*u( n*t !&*+ an a((+0$%-$in *&at*& )* )a( *&,d at t) "*+an%7( W(t C*a(t !a"t*&% !*& t) a(t 1= %a&(. T) n*t indi"atd t)at t)& a& (*+ !i"titi*u( +$*%( *n t) a%&*$$ a( $$ a( (*+ +$*%( )* )a# $!t t) "*+an%. H *!!&( n* &**! *& na+(. W)at "*+ut&-a((i(td audit t")ni'u "*u$d >*u u( t* )$ )i+ (u0(tantiat *& &!ut t) #$)! Examination, adapted& +$*%7( "$ai+3

$omputer-assisted audit tools and techni"ues #$!!%%s& could have been used to identify employees ho have no deductions. Experience has shon that fictitious or terminated employees ill generally not have deductions. %his happens because the fraud perpetrator ants as much money from each fraudulent or terminated employee paycheck as possible. !nother reason for this is that they fear that a deduction payment sent to a third party might cause an investigation and uncover their fraud. 11.?. E$ain t) !*u& (t( *! t) &i(,-0a(d audit a&*a")/ and di("u(( )* t)% a$% t* t) *#&a$$ ("u&it% *! a "*+an%.

%he risk-based audit approach provides a frameork for conducting information system audits. )t consists of the folloing 6 steps: . /.

3.

6.

7etermine the threats #fraud and errors& facing the company. %his is a list of the accidental or intentional abuse and damage to hich the system is exposed. )dentify the control procedures that prevent, detect, or correct the threats. %hese are all the controls that management has put into place and that auditors should revie and test, to minimize the threats. Evaluate control procedures. $ontrols are evaluated to ays. 8irst, a systems revie determines hether control procedures are actually in place. Second, a tests of controls are conducted to determine hether existing controls ork as intended. Evaluate control eaknesses to determine their effect on the nature, timing, or extent of auditing procedures. )f the auditor determines that control risk is too high because the control system is inade"uate, the auditor may have to gather more evidence, better evidence, or more timely evidence. $ontrol eaknesses in one area may be acceptable if there are compensating controls in -

Ch. 11: Auditing Computer-Based Information Systems

other areas. %he risk-based approach provides auditors ith a clearer understanding of the overall security of a company, including the fraud and errors that can occur in the company. )t also helps them understand the related risks and exposures. )n addition, it helps them plan ho to test and evaluate internal controls, as ell as ho to plan subse"uent audit procedures. %he result is a sound basis for developing recommendations to management on ho the !)S control system should be improved. 11.@. $ompare and contrast the frameorks for auditing program development1ac"uisition and for auditing program modification.

%he to are similar in that: • • •

%hey both deal ith the revie of softare. %hey both are exposed to the same types of errors and fraud. %hey use many of the same control procedures, audit procedures #both systems revie and tests of controls&, and compensating controls, except that one set applies to program development and ac"uisition and the other set is tailored to address program modifications. %hese include management and user authorization and approval9 thorough testing9 revie of the policies, procedures, and standards9 and proper documentation. #$ompare %ables / and 3 in the chapter.&

%he to are dissimilar in that: %he auditors role in systems development is to perform an independent revie of s ystems • development and ac"uisition activities. %he auditors role in program modification is to perform an independent revie of the procedures and controls used to modify softare programs. %here are some control procedures, audit procedures #both systems revie and tests of • controls&, and compensating controls that are uni"ue to program development and ac"uisition and others that are uni"ue to program modifications. #$ompare %ables / and 3 in the chapter.& !uditors test for unauthorized program changes, often on a surprise basis, is several ays that • they do not have to test program development and ac"uisition. %hese include: ;sing a source code comparison program to compare the current version of the program o ith the source code. eprocessing data using the source code and comparing the output ith the companys o output. o
-6


SUGGESTED SO>UTIONS TO THE PROB>EMS 11.1 Y*u a& t) di&"t*& *! int&na$ auditing at a uni#&(it%. R"nt$%/ %*u +t it) I((a A&nita/ t) +anag& *! ad+ini(t&ati# data &*"((ing/ and &((d t) d(i& t* (ta0$i() a +*& !!"ti# int&!a" 0tn t) t* da&t+nt(. I((a ant( %*u& )$ it) a n "*+ut&i;d a""*unt( a%a0$ (%(t+ "u&&nt$% in d#$*+nt. H &"*++nd( t)at %*u& da&t+nt a((u+ $in &(*n(i0i$it% !*& auditing (u$i&(7 in#*i"( &i*& t* a%+nt. H a$(* ant( int&na$ auditing t* +a, (ugg(ti*n( du&ing (%(t+ d#$*+nt/ a((i(t in it( in(ta$$ati*n/ and a&*# t) "*+$td (%(t+ a!t& +a,ing a !ina$ &#i. W*u$d %*u a""t *& &"t a") *! t) !*$$*ing3 W)%3 a.

T) &"*++ndati*n t)at %*u& da&t+nt 0 &(*n(i0$ !*& t) &-audit *! (u$i&( in#*i"(.

)nternal auditing should not assume responsibility for pre-audit of disbursements. 5b*ectivity is essential to the audit function, and internal auditors should be independent of the activities they must revie. %hey should not prepare records or engage in any activity that could compromise their ob*ectivity and independence. 8urthermore, because internal auditing is a staff function, involvement in such a line function ould be inconsistent ith the proper role of an internal auditor. 0.

T) &'u(t t)at %*u +a, (ugg(ti*n( du&ing (%(t+ d#$*+nt.

)t ould be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. )nternal auditing should build an appropriate interface ith the 7ata

•

evie testing plans.

•

7etermine that there are documentation standards and that they are being folloed. •

7etermine that the pro*ect itself is under control and that there is a system for gauging design progress.

)nternal auditing must refrain, hoever, from actual participation in system design. ".

T) &'u(t t)at %*u a((i(t in t) in(ta$$ati*n *! t) (%(t+ and a&*# t) (%(t+ a!t& +a,ing a !ina$ &#i.

%he auditor must remain independent of any system they ill subse"uently audit. %herefore, the auditor must refrain from giving overall approval of the system in final revie. %he auditor may help in the installation or conversion of the s ystem by continuing to offer suggestions for controls, particularly during the implementation period. )n this situation, the auditor may revie for missing segments, results of testing, and ade"uacy of documentation of program and procedures in order to determine readiness of the system for installation or conversion. !fter installation or conversion, the auditor may participate in a post-installation -


audit, either alone or as part of a team.

#$)! Examination, adapted&

11.2 A( an int&na$ audit*& !*& t) Qui", Manu!a"tu&ing C*+an%/ %*u a& a&ti"iating in t) audit *! t) "*+an%7( AIS. Y*u )a# 0n &#iing t) int&na$ "*nt&*$( *! t) "*+ut& (%(t+ t)at &*"((( +*(t *! it( a""*unting a$i"ati*n(. Y*u )a# (tudid t) "*+an%7( tn(i# (%(t+( d*"u+ntati*n. Y*u )a# int&#id t) in!*&+ati*n (%(t+ +anag&/ *&ati*n( (u&#i(*&/ and *t)& +$*%( t* "*+$t %*u& (tanda&di;d "*+ut& int&na$ "*nt&*$ 'u(ti*nnai&. Y*u &*&t t* %*u& (u&#i(*& t)at t) "*+an% )a( d(ignd a (u""((!u$ (t *! "*+&)n(i# int&na$ "*nt&*$( int* it( "*+ut& (%(t+(. H t)an,( %*u !*& %*u& !!*&t( and a(,( !*& a (u++a&% &*&t *! %*u& !inding( !*& in"$u(i*n in a ! ina$ *#&a$$ &*&t *n a""*unting int&na$ "*nt&*$(. Ha# %*u !*&g*ttn an i+*&tant audit (t3 E$ain. >i(t !i# a+$( *! ("i!i" audit &*"du&( t)at %*u +ig)t &"*++nd 0!*& &a")ing a "*n"$u(i*n. %he important audit step that has not been performed is tests of controls #sometimes called compliance tests&. ! system revie only tells the auditor hat controls are prescribed. %ests of controls allo the auditor to determine hether the prescribed controls are being adhered to and they are operating effectively.

Examples of audit procedures that ould be considered tests of controls are: •

•

5bserve computer operations, data control procedures, and file library control procedures. )n"uiry of key systems personnel ith respect to the a y in hich prescribed control procedures are interpreted and implemented. ! "uestionnaire or checklist often facilitates such in"uiry.

•

evie a sample of source documents for proper authorization.

•

evie a sample of on-line data entries for authorization.

•

•

evie the data control log, computer operations log, file librarian's log, and error log for evidence that prescribed policies are adhered to. %est data processing by submitting a set of hypothetical transactions and comparing system outputs ith expected results.

•

%race selected transactions through the system and check their processing accuracy.

•

$heck the accuracy of a sample of batch totals.

•

evie system operating statistics.

•

;se a computer audit softare package to edit data on selected master files and databases.

-=


11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a computer payroll system. To test the computer systems and programs, you submit independently created test transactions with regular data in a normal production run. >i(t !*u& ad#antag( and t* di(ad#antag( *! t)i( t")ni'u. •

• • • •

• • • • •

a. Ad#antag( 7oes not re"uire extensive programming knoledge !pproach and results are easy to understand. %he complete system may be revieed. esults are often easily checked. !n opinion may be formed as to the system's data processing accuracy. ! regular computer program may be used. )t may save time. %he auditor gains experience. %he auditor maintains control over the test. )nvalid data can be submitted to test for re*ections.

•

•

•

•

0. Di(ad#antag( )mpractical to test all error possibilities. +ay be unable to relate input data to output reports in a complex system. )f independent files are not used, it may be difficult to reverse or back out test data.
#$)! Examination, adapted&

-


11.4 Y*u a& in#*$#d in t) audit *! a""*unt( &"i#a0$/ )i") &&(nt a (igni!i"ant *&ti*n *! t) a((t( *! a $a&g &tai$ "*&*&ati*n. Y*u& audit $an &'ui&( t) u( *! t) "*+ut&/ 0ut %*u n"*unt& t) !*$$*ing &a"ti*n( F*& a") (ituati*n/ (tat )* t) audit*& ()*u$d &*"d it) t) a""*unt( &"i#a0$ audit. a. T) "*+ut& *&ati*n( +anag& (a%( t) "*+an%7( "*+ut& i( &unning at !u$$ "aa"it% !*& t) !*&(a0$ !utu& and t) audit*& i$$ n*t 0 a0$ t* u( t) (%(t+ !*& audit t(t(. •

%he auditor should not accept this explanation and should arrange ith company executives for access to the computer system.

•

%he auditor should recommend that the procedures manual spell out computer use and access for audits.

0. T) "*+ut& (")du$ing +anag& (ugg(t( t)at %*u& "*+ut& &*g&a+ 0 (t*&d in t) "*+ut& &*g&a+ $i0&a&% (* t)at it "an 0 &un )n "*+ut& ti+ 0"*+( a#ai$a0$. •

".

The auditor should not permit the computer program to be stored because it could then be changed without the auditor's knowledge.

Y*u a& &!u(d ad+i((i*n t* t) "*+ut& &**+. •

%he auditor's charter should clearly provide for access to all areas and records of the organization.

d. T) (%(t+( +anag& t$$( %*u t)at it i$$ ta, t** +u") ti+ t* adat t) audit*&7( "*+ut& audit &*g&a+ t* t) "*+ut&7( *&ating (%(t+ and t )at "*+an% &*g&a++&( i$$ &it t) &*g&a+( ndd !*& t) audit. •

•

!uditors should insist on using their on computer audit program, since someone at the company may ish to conceal falsified data or records. !uditors should insist on using their on computer audit program to expedite the audit, simplify the application, and avoid misunderstanding. #$)! Examination, adapted&

->


11.= Y*u a& a +anag& !*& t) CPA !i&+ *! D%/ C)at+/ and H* 5DCH6. W)i$ &#iing %*u& (ta!!7( audit *&, a&( !*& t) (tat $!a& agn"%/ %*u !ind t)at t) t(t data a&*a") a( u(d t* t(t t) agn"%7( a""*unting (*!ta&. A du$i"at &*g&a+ "*%/ t) $!a& a""*unting data !i$ *0taind !&*+ t) "*+ut& *&ati*n( +anag&/ and t) t(t t&an(a"ti*n data !i$ t)at t) $!a& agn"%7( &*g&a++&( u(d )n t) &*g&a+ a( &ittn & &*"((d *n DCH7( )*+ *!!i" "*+ut&. T) dit (u++a&% &*&t $i(ting n* &&*&( a( in"$udd in t) *&,ing a&(/ it) a n*tati*n 0% t) (ni*& audit*& t)at t) t(t indi"at( g**d a$i"ati*n "*nt&*$(. Y*u n*t t)at t) 'ua$it% *! t) audit "*n"$u(i*n( *0taind !&*+ t)i( t(t i( !$ad in (#&a$ &("t(/ and %*u d"id t* a(, %*u& (u0*&dinat( t* &at t) t(t. Idnti!% t)& i(ting *& *tntia$ &*0$+( it) t) a% t)i( t(t a( &!*&+d. F*& a") &*0$+/ (ugg(t *n *& +*& &*"du&( t)at +ig)t 0 &!*&+d du&ing t) &#i(d t(t t* a#*id !$a( in t) audit "*n"$u(i*n(.
!udit senior's conclusion has no basis #no supporting evidence&.

•

-

+ust predetermine the result of test data processing, and then compare these to actual results.


11.? Y*u a& &!*&+ing an in!*&+ati*n (%(t+ audit t* #a$uat int&na$ "*nt&*$( in Aa&d#a&, W)*$(a$&(7 5AW6 "*+ut& (%(t+. F&*+ an AW +anua$/ %*u )a# *0taind t) !*$$*ing *0 d("&iti*n( !*& ,% &(*nn$ Director of information systems: R(*n(i0$ !*& d!ining t) +i((i*n *! t) in!*&+ati*n (%(t+( di#i(i*n and !*& $anning/ (ta!!ing/ and +anaging t) IS da&t+nt. Manager of systems development and programming: R*&t( t* di&"t*& *! in!*&+ati*n (%(t+(. R(*n(i0$ !*& +anaging t) (%(t+( ana$%(t( and &*g&a++&( )* d(ign/ &*g&a+/ t(t/ i+$+nt/ and +aintain t) data &*"((ing (%(t+(. A$(* &(*n(i0$ !*& (ta0$i()ing and +*nit*&ing d*"u+ntati*n (tanda&d(. Manager of operations: R*&t( t* di&"t*& *! in!*&+ati*n (%(t+(. R(*n(i0$ !*& +anag+nt *! "*+ut& "nt& *&ati*n(/ n!*&"+nt *! &*"((ing (tanda&d(/ and (%(t+( &*g&a++ing/ in"$uding i+$+ntati*n *! *&ating (%(t+ ug&ad(. Data entry supervisor: R*&t( t* +anag& *! *&ati*n(. R(*n(i0$ !*& (u&#i(i*n *! data nt&% *&ati*n( and +*nit*&ing data &a&ati*n (tanda&d(. Operations supervisor: R*&t( t* +anag& *! *&ati*n(. R(*n(i0$ !*& (u&#i(i*n *! "*+ut& *&ati*n( (ta!! and +*nit*&ing &*"((ing (tanda&d(. Data control clerk: R*&t( t* +anag& *! *&ati*n(. R(*n(i0$ !*& $*gging and di(t&i0uting "*+ut& inut and *utut/ +*nit*&ing (*u&" data "*nt&*$ &*"du&(/ and "u(t*d% *! &*g&a+( and data !i$(.

a. P&a& an *&gani;ati*na$ ")a&t !*& AW7( in!*&+ati*n (%(t+( di#i(i*n.

-?


0.

Na+ t* *(iti# and t* ngati# a("t( 5!&*+ an int&na$ "*nt&*$ (tand*int6 *! t)i( *&gani;ati*na$ (t&u"tu&.

. 2hat is good about this organization structure: •

Systems development and programming are organizationally independent of the operations functions.

•

$omputer operations organizationally independent of data entry and data control.

/. 2hat is bad about this organization structure:

c.

•

%he manager of operations is responsible for systems programming, hich is a violation of segregation of systems duties.

•

%he data control clerk is responsible for the file library, hich is a violation of segregation of systems duties.

W)at additi*na$ in!*&+ati*n *u$d %*u &'ui& 0!*& +a,ing a !ina$ udg+nt *n t) ad'ua"% *! AW7( (a&ati*n *! !un"ti*n( in t) in!*&+ati*n (%(t+( di#i(i*n3 •

)s access to e"uipment, files, and documentation restricted and documented4

•

!re activity logs for operating functions maintained and revieed4

•

)s there rotation of operations personnel and mandatory vacations4

•

)s source data authorized4

-


11.@ R*0in(*n7( P$a(ti" Pi C*&*&ati*n u(( a data &*"((ing (%(t+ !*& in#nt*&%. T) inut t* t)i( (%(t+ i( ()*n in Ta0$ 11-@. Y*u a& u(ing an inut "*nt&*$( +at&i t* )$ audit t) (*u&" data "*nt&*$(.

Table 11-7 Pa&t( In#nt*&% T&an(a"ti*n Fi$ Field Name

Field Type

)tem number

umeric

7escription

!lphanumeric

%ransaction date

7ate

%ransaction type

!lphanumeric

7ocument number

!lphanumeric

@uantity

umeric

;nit cost

+onetary

P&a& an inut "*nt&*$( +at&i u(ing t) !*&+at and inut "*nt&*$( ()*n in Figu& 11-4 )*#&/ &$a" t) !i$d na+( ()*n in Figu& 11-4 it) t)*( ()*n in Ta0$ 11-@. P$a" ")",( in t) +at&i "$$( t)at &&(nt inut "*nt&*$( %*u +ig)t "t t* !ind !*& a") !i$d.

-/


In#nt*&% t&an(a"ti*n( inut "*nt&*$ +at&i :

E$57 8)EA7 !+ES !+E: )tem 7escription %ransaction %ransaction 7ocument ;nit
Ces

$ross-footing balance

o

Disual ins ection $heck digit verification
B

B

B

B

B

B

!ll fields

;se prenumbered form o Ces

B B

B

Sign check Dalidity check

B

B

Se"uence check 8ield check

B

B

B

B

B

B

B

!lso for balance on hand

B

Aimit check easonableness test $ompleteness test Size check

B

B

B

B

B

B

B

B

B

$ompare "uantity ith item number !ll fields

B

B

B

B

B

B

B

!ll fields

5ther:

-


11. A( an int&na$ audit*& !*& t) (tat audit*&7( *!!i"/ %*u a& a((ignd t* &#i t) i+$+ntati*n *! a n "*+ut& (%(t+ in t) (tat $!a& agn"%. T) agn"% i( in(ta$$ing an *n$in "*+ut& (%(t+ t* +aintain t) (tat7( data0a( *! $!a& &"iint(. Und& t) *$d (%(t+/ a$i"ant( !*& $!a& a((i(tan" "*+$td a !*&+ gi#ing t)i& na+/ add&((/ and *t)& &(*na$ data/ $u( dtai$( a0*ut t)i& in"*+/ a((t(/ dndnt(/ and *t)& data ndd t* (ta0$i() $igi0i$it%. T) data a& ")",d 0% $!a& a+in&( t* #&i!% t)i& aut)nti"it%/ "&ti!% t) a$i"ant7( $igi0i$it% !*& a((i(tan"/ and dt&+in t) !*&+ and a+*unt *! aid. Und& t) n (%(t+/ $!a& a$i"ant( nt& data *n t) agn"%7( W0 (it *& gi# t)i& data t* "$&,(/ )* nt& it u(ing *n$in t&+ina$(. Ea") a$i"ant &"*&d )a( a nding (tatu( unti$ a $!a& a+in& "an #&i!% t) aut)nti"it% *! t) data u(d t* dt&+in $igi0i$it%. W)n t) #&i!i"ati*n i( "*+$td/ t) a+in& ")ang( t) (tatu( "*d t* a&*#d/ and t) (%(t+ "a$"u$at( t) aid a+*unt. P&i*di"a$$%/ &"iint "i&"u+(tan"( 5in"*+/ a((t(/ dndnt(/ t".6 ")ang/ and t) data0a( i( udatd. Ea+in&( nt& t)( ")ang( a( (**n a( t)i& a""u&a"% i( #&i!id/ and t) (%(t+ &"a$"u$at( t) &"iint7( n $!a& 0n!it. At t) nd *! a") +*nt)/ a%+nt( a& $"t&*ni"a$$% d*(itd in t) &"iint7( 0an, a""*unt(. W$!a& a((i(tan" a+*unt( t* (#&a$ )und&d +i$$i*n d*$$a&( annua$$%. Y*u a& "*n"&nd a0*ut t) *((i0i$iti( *! !&aud and a0u(.

a.

D("&i0 )* t* +$*% "*n"u&&nt audit t")ni'u( t* &du" t) &i(,( *! !&aud and a0u(.

!udits should be concerned about a dishonest elfare examiner or unauthorized person submitting fictitious transactions into the system. 8ictitious transactions could cause excessive elfare benefits to be paid to a valid elfare recipient, or payments made to an ineligible or fictitious recipient. %he concurrent audit techni"ues needed most deal ith submitting changes in record status from pending to approved and modifying elfare records to reflect changes in the recipient's circumstances. %he auditor should verify that the system is set up to: •

•

check the passord of every person ho uses the system permit applicant records to be entered only by persons classified as elfare clerks •

•

permit transaction update records to be entered only by persons classified as elfare examiners capture and store the identity of the person entering every applicant record and transaction update record

%he most useful concurrent audit techni"ue to minimize the risk of fraudulent update transactions ould be audit hooks. %hese program subroutines ould revie every record entered into the system, capture all data relating to any record that is suspicious and possibly fraudulent, rite these records on an audit log or file, and report these records to the audit staff on a real-time basis. Some examples of "uestionable records that audit hooks might be designed to flag ould be: •

!ny elfare application record that is entered into the system by someone other than one

-6


of the authorized elfare clerks, and especially if entered b y a elfare examiner. •

!ny elfare record status change or modification that is entered into the system by someone other than one of the authorized elfare examiners.

•

!ssuming that it takes a minimum of n days for a elfare examiner to verify the authenticity of the data provided by a elfare applicant, any record update transaction entered in less than n days of the original applicant record entry.

•

!ny elfare record modification transaction that causes a elfare recipient's benefits to increase by a significant amount #say, /?F&, or to exceed some upper limit that is close to the maximum amount a recipient can collect.

•

!ny elfare record that is modified more than to or three times ithin a short period, such as to or three months.

•

!ny record modification transaction that involves a change in the recipient's address.

•

!ny elfare record here the recipient's address is a post office box.

•

!ny elfare record that is not modified ithin a five-year period.

•

•

!ny attempt to access the system by someone not able to supply a valid elfare clerk or elfare examiner passord. !ny record entered into the system at a time of day other than during the agency's normal business hours, or one that is entered during a eekend or holiday period.

;ndoubtedly, other useful audit hooks could be identified. %he audit staff should brainstorm about methods that a fraud perpetrator could use to defraud the system, and develop audit hooks to counteract plausible fraud schemes. !s the audit staff receives the data captured b y these audit hooks, they must promptly follo up to verify the validity of the data in each "uestionable record. %he auditor should verify that the program code that calculates elfare recipient's benefits is thoroughly tested during the implementation process. She should copy the program code so it can be compared ith the code that is in use at subse"uent intervals. %o supplement this procedure, as ell as to provide additional protection against a possible fraud perpetrator, the auditor could add another audit hook that captures relevant data relating to any attempt to access and modify the elfare processing program itself.

-


b.

D("&i0 )* t* u( "*+ut& audit (*!ta& t* &#i t) *&, $!a& a+in&( d* t* #&i!% a$i"ant $igi0i$it% data. A((u+ t)at t) (tat audit*&7( *!!i" )a( a""(( t* *t)& (tat and $*"a$ g*#&n+nt agn"% data0a((.

$omputer audit softare can process the elfare recipient database against other databases that contain data about elfare recipients, identify any discrepancies in the data items used to determine eligibility for benefits and1or calculate the amount of benefits, and report these discrepancies to the audit staff. 5ther possible databases that might be used for this purpose ould include: •

•

•

State income tax records, hich contain data on the income and dependents of elfare recipients. State unemployment and1or disability compensation records, hich contain data on other sources of income for elfare recipients. State motor vehicle registration records, hich might contain data about valuable assets oned by elfare recipients.

•

•

7eath records, hich ould reflect changes in eligibility for benefits. %he reason it is important to revie these is that a very common fraud scheme involves failure to enter a death record, folloed by the diversion of subse"uent benefit checks.

)f a elfare recipient does not appear in any of the first four databases listed above, it ould raise the issue of hether the person exists at all #e.g., is the elfare recipient a fictitious person4&. %o investigate this, driver license registration records and voter registration records could also be checked. )f the recipient does not sho up there, the audit staff should probably insist that a 2elfare !gency employee #other than a elfare examiner& verify the recipient's existence. )f a recipient appears in the death records database, it represents either deliberate fraud or failure to update the elfare records properly. %he use of computer audit softare serves to purposes. 8irst, it helps reduce the risk of system abuse by elfare applicants ho provide inaccurate or incomplete data about the factors on hich benefit calculations are based. 2elfare examiners are responsible for identifying such cases, but may not alays do so effectively, so audit revies of this kind provide a second line of defense against this form of abuse. Second, it should increase the chance that the audit staff ill identify cases here a elfare examiner attempts to perpetrate fraud by entering false records into the system. $ombined ith the audit hooks described in part #a&, the use of computer audit softare should provide strong assurance that the risks of fraud and abuse have been minimized.

-=


11. M$inda R*0in(*n/ t) di&"t*& *! int&na$ auditing at Sa")+ Manu!a"tu&ing C*+an%/ 0$i#( t) "*+an% ()*u$d u&")a( (*!ta& t* a((i(t in t) !inan"ia$ and &*"du&a$ audit( )& da&t+nt "*ndu"t(. R*0in(*n i( "*n(id&ing t) !*$$*ing (*!ta& a",ag( A gn&a$i;d audit (*!ta& a",ag t* a((i(t in 0a(i" audit *&,/ (u") a( t) &t&i#a$ *! $i# data !&*+ $a&g "*+ut& !i$(. T) da&t+nt *u$d &#i t)i( in!*&+ati*n u(ing "*n#nti*na$ audit in#(tigati*n t")ni'u(. T) da&t+nt "*u$d &!*&+ "&it&ia ($"ti*n/ (a+$ing/ 0a(i" "*+utati*n( !*& 'uantitati# ana$%(i(/ &"*&d )and$ing/ g&a)i"a$ ana$%(i(/ and &int *utut 5i../ "*n!i&+ati*n(6. An ITF a",ag t)at u((/ +*nit*&(/ and "*nt&*$( du++% t(t data &*"((d 0% i(ting &*g&a+(. It a$(* ")",( t) i(tn" and ad'ua"% *! data nt&% and &*"((ing "*nt&*$(. A !$*")a&ting a",ag t)at g&a)i"a$$% &(nt( t) !$* *! in!*&+ati*n t)&*ug) a (%(t+ and in*int( "*nt&*$ (t&ngt)( and a,n(((. A a&a$$$ (i+u$ati*n and +*d$ing a",ag t)at u(( a"tua$ data t* "*ndu"t t) (a+ t(t( u(ing a $*gi" &*g&a+ d#$*d 0% t) audit*&. T) a",ag "an a$(* 0 u(d t* (, an(&( t* di!!i"u$t audit &*0$+( 5in#*$#ing +an% "*+a&i(*n(6 it)in (tati(ti"a$$% a""ta0$ "*n!idn" $i+it(. #$+! Examination, adapted&

a. Wit)*ut &ga&d t* an% ("i!i" "*+ut& audit (*!ta&/ idnti!% t) gn&a$ ad#antag( *! u(ing "*+ut& audit (*!ta& t* a((i(t it) audit(. 

b.

!udits can be more efficient, saving labor time spent on routine calculations. %he routine operations of footing extensions, transcription beteen reports, report generation, etc., are performed by the computer.



%he auditor's time spent on the audit is more analytical than clerical.



%he auditor can examine more records and extract data more readily through ad hoc reporting.



$omputer-generated reports and schedules are more ob*ective and professional, improving data communication.



!udit sampling is improved. !ny bias in sample selection is eliminated because of assured randomness. %his has a direct effect on sampling precision, reliability, and audit accuracy.



D("&i0 t) audit u&*( !a"i$itatd and t) &*"du&a$ (t( t* 0 !*$$*d 0% t) int&na$ audit*& in u(ing t) !*$$*ing Gn&a$i;d audit (*!ta& a",ag. The purpose of generalized audit software programs is to perform a variety of auditing operations on the computer files used to store the information. The steps to be followed by the internal auditor to use generalized computer audit software would include things such as planning and designing the audit application. Intg&atd t(t !a"i$it% a",ag . !n integrated test facility #)%8& can be used to test both source data controls and processing controls as follos: •

Select and prepare the test transactions to be passed through the )%8. %hese -


transactions must be representative of all of the transactions the dummy unit emulates. !ll types of valid and invalid transactions must be used and blended ith regular transactions over time to test the system properly under normal conditions. 

evie all output and processing routines including a comparison of actual results to predetermined results.

F$*")a&ting a",ag %he purpose of a control flocharting package is to interpret the program source code and generate a program flochart corresponding to it in order to facilitate the revie of internal controls. %o use a control flocharting package, the internal auditor should: 

Establish the audit ob*ective by identifying the systems and programs to be tested.



evie manuals and documentation of the system and intervie involved personnel to get an overvie of the operations to be tested.

Parallel simulation and modeling package The purpose of a parallel simulation package is to ensure that organizational objectives are being met, ensure compliance to technical standards, and detect unauthorized program changes. To use a parallel simulation package: 

un the same data used in the company's current application program using the simulated application program.



$ompare the results from the simulated application ith the results from the company's current application program to verify that ob*ectives are being met.

->


11.10

The fixed-asset master file at Thermo-Bond includes the following data items: A((t nu+0&

Dat *! &ti&+nt 5JJ2: !*& a((t( (ti$$ in (&#i"6

D("&iti*n

D&"iati*n +t)*d "*d

T% "*d

D&"iati*n &at

>*"ati*n "*d

U(!u$ $i! 5%a&(6

Dat *! a"'ui(iti*n

A""u+u$atd d&"iati*n at 0ginning *! %a&

O&igina$ "*(t

Ya&-t*-dat d&"iati*n

E$ain (#&a$ a%( audit*&( "an u( "*+ut& audit (*!ta& in &!*&+ing a !inan"ia$ audit *! T)&+*-B*nd7( !id a((t(. •

Edit the file for obvious errors or inconsistencies such as: o

etired assets that have a non-zero net value.

o

etirement date that precedes ac"uisition date.

o

!ccumulated depreciation that exceeds original cost.

o

;seful life that exceeds a reasonable limit #such as 6? years&.

o

)nvalid type code, location code, or depreciation method code.

o

•

•

umeric fields that contain non-numeric data.

ecalculate year-to-date depreciation for each asset record, compare to the amount in the record, and list all asset records for hich a discrepancy exists.
•

•

Select a sample of assets, stratified by net dollar value, and sorted and listed b y location, for possible physical examination by the auditor.

•

8oot the entire file to obtain file totals for total original cost, total accumulated depreciation, total current year depreciation, and total cost of current year ac"uisitions, for comparison to externally maintained records.

-


11.11

Y*u a& auditing t) !inan"ia$ (tat+nt( *! a "*(+ti"( di(t&i0ut*& t)at ($$( t)*u(and( *! indi#idua$ it+(. T) di(t&i0ut*& ,( it( in#nt*&% in it( di(t&i0uti*n "nt& and in t* u0$i" a&)*u((. At t) nd *! a") 0u(in(( da%/ it udat( it( in#nt*&% !i$/ )*( &"*&d( "*ntain t) !*$$*ing data It+ nu+0& It+ d("&iti*n Quantit%-*n-)and It+ $*"ati*n

C*(t & it+ Dat *! $a(t u&")a( Dat *! $a(t (a$ Quantit% (*$d du&ing %a&

Y*u i$$ u( audit (*!ta& t* a+in in#nt*&% data a( *! t) dat *! t) di(t&i0ut*&7( )%(i"a$ in#nt*&% "*unt. Y*u i$$ &!*&+ t) !*$$*ing audit &*"du&( 1. O0(&# t) di(t&i0ut*&7( )%(i"a$ in#nt*&% "*unt at %a&-nd and t(t a (a+$ !*& a""u&a"%. 2. C*+a& t) audit*&7( t(t "*unt( it) t) in#nt*&% &"*&d(. 4. C*+a& t) "*+an%7( )%(i"a$ "*unt data it) t) in#nt*&% &"*&d(. 8. T(t t) +at)+ati"a$ a""u&a"% *! t) di(t&i0ut*&7( !ina$ in#nt*&% #a$uati*n. =. T(t in#nt*&% &i"ing 0% *0taining it+ "*(t( !&*+ 0u%&(/ #nd*&(/ *& *t)& (*u&"(. ?. Ea+in in#nt*&% u&")a( and (a$ t&an(a"ti*n( *n *& na& t) %a&-nd dat t* #&i!% t)at a$$ t&an(a"ti*n( & &"*&dd in t) &*& a""*unting &i*d. @. A("&tain t) &*&it% *! in#nt*&% it+( $*"atd in u0$i" a&)*u((. . Ana$%; in#nt*&% !*& #idn" *! *((i0$ *0(*$("n". . Ana$%; in#nt*&% !*& #idn" *! *((i0$ *#&(t*",ing *& ($*-+*#ing it+(. 1:. T(t t) a""u&a"% *! indi#idua$ data it+( $i(td in t) di(t&i0ut*&7( in#nt*&% +a(t& !i$. D("&i0 )* t) u( *! t) audit (*!ta& a",ag and a "*% *! t) in#nt*&% !i$ data +ig)t 0 )$!u$ t* t) audit*& in &!*&+ing a") *! t)( auditing &*"du&(.

#$
-/?


Audit P&*"du&

H* Audit S*!ta& Can H$

. 5bserve the distributors physical count of inventories as of a given date, and test a sample of the distributors inventory counts for accuracy.

7etermine hich items are to be test counted by taking a random sample of a representative number of items from the inventory file as of the date of the physical count.

/. $ompare the auditors test counts to the inventory records.

!rrange test counts in a format identical to the inventory file, and then match the counts.

3. $ompare physical count data to the inventory records.

$ompare the total of the extended values of all inventory items counted, and the extended values of each inventory item counted, to the inventory records.

6. %est the mathematical accuracy of the distributors final inventory valuation.

$alculate the dollar value of each inventory item counted by multiplying the "uantity on hand by the cost per unit, and then verify the addition of the extended dollar values.

G. %est the pricing of the inventory by obtaining a list of costs per item from buyers, vendors, or other sources.

$ompare the unit costs on the auditors price test to those on the inventory file.

=.Examine inventory purchase and sale transactions on or near the year-end date to verify that all such transactions ere recorded in the proper accounting period.

%ake a sample of inventory file items for hich the date of last purchase and date of the last sale are on or immediately prior to the date of the physical count, hich is usually at fiscal year end.

H.!scertain the propriety of items of inventory located in public arehouses.

>.!nalyze inventory for evidence of possible obsolescence.

I.!nalyze inventory for evidence of possible overstocking or slo-moving items.

?.%est the accuracy of individual data items listed in distributors inventory master file.

-


11.12

a.

W)i") *! t) !*$$*ing ()*u$d )a# t) &i+a&% &(*n(i0i$it% t* dt"t and "*&&"t data &*"((ing &&*&(3 E$ain )% t)at !un"ti*n ()*u$d )a# &i+a&% &(*n(i0i$it% and )% t) *t)&( ()*u$d n*t. #$
b. T) "*+ut& *&at*& J !lthough the computer operator is responsible for the operation of the hardare and softare of the organization, he is not responsible for detecting and correcting data processing errors. 0eing able to both process data and correct data processing errors ould allo the operator to KfixL non-existent errors in a a y that ould benefit the operator personally9 that is, it ould allo the perpetrator to commit and conceal fraud. c.

T) "*&*&at "*nt&*$$& J %he corporate controller has overall responsibility for the operation of the accounting function, but ould not have primary responsibility to detect and correct data processing errors.

d. T) indndnt u0$i" a""*untant J %he independent auditor has no responsibility to detect and correct a clients data processing errors. %he independent auditors responsibility is to attest to fairness of the financial statements.

-//


SUGGESTED SO>UTIONS TO THE CASES 11.1

Y*u a& &!*&+ing a !inan"ia$ audit *! t) gn&a$ $dg& a""*unt( *! P&(t*n Manu!a"tu&ing. A( t&an(a"ti*n( a& &*"((d/ (u++a&% *u&na$ nt&i( a& addd t* t) gn&a$ $dg& !i$ at t) nd *! t) da%. At t) nd *! a") da%/ t) gn&a$ *u&na$ !i$ i( &*"((d again(t t) gn&a$ $dg& "*nt&*$ !i$ t* "*+ut a n "u&&nt 0a$an" !*& a") a""*unt and t* &int a t&ia$ 0a$an". T) !*$$*ing &(*u&"( a& a#ai$a0$ a( %*u "*+$t t) audit Y*u& !i&+7( gn&a$i;d "*+ut& audit (*!ta& A "*% *! t) gn&a$ *u&na$ !i$ !*& t) nti& %a& A "*% *! t) gn&a$ $dg& !i$ a( *! !i("a$ %a&-nd 5"u&&nt 0a$an" K %a&-nd 0a$an"6 A &int*ut *! P&(t*n7( %a&-nd t&ia$ 0a$an" $i(ting t) a""*unt nu+0&/ a""*unt na+/ and 0a$an" *! a") a""*unt *n t) gn&a$ $dg& "*nt&*$ !i$ C&at an audit &*g&a+ !*& P&(t*n Manu!a"tu&ing. F*& a") audit (t/ $i(t t) audit *0"ti#( and t) &*"du&( %*u *u$d u( t* a""*+$i() t) audit &*g&a+ (t. General Journal Fi$d Na+

Fi$d T%

!ccount number

umeric

!mount

+onetary

7ebit1credit code

!lphanumeric

7ate #++1771CC&

7ate

eference document type

!lphanumeric

eference document number

umeric

General Ledger Control Fi$d Na+

Fi$d T%

!ccount number

umeric

!ccount name

!lphanumeric

0eginning balance1year

+onetary

0eg-bal-debit1credit code

!lphanumeric

$urrent balance

+onetary

$ur-bal-debit1credit code

!lphanumeric

-


AUDIT PROGRAM

AUDIT OBLECTIES AND PROCEDURES

a. Edit the general *ournal file for errors and inconsistencies such as: •

)nvalid debit1credit code or document type.

•

7ate not ithin current fiscal year.

•

+issing data values.

5b*ective: Evaluate the "uality of the file data.
on-numeric data in account number, amount, or document number fields.

•

b. Edit the general ledger file for errors and exceptions such as: •

)nvalid debit1credit codes.

•

+issing data values.

5b*ective: Evaluate the "uality of the file data
on-numeric data in account number or balance fields.

•

c. Select a sample of general *ournal transactions, stratified by dollar value. Sort and list by document type.

5b*ective: %est the transaction data entry accuracy.
d. +erge the general *ournal and general ledger files by account number, and list all unmatched general *ournal entries. #or look them up in the appropriate tables& e. ecalculate each ledger accounts current balance from the beginning balance and the general *ournal amounts, and list any discrepancies beteen the recalculated balance and the file balance.

5b*ective: %est transaction data entry accuracy.
f.
5b*ective: )dentify accounts to be investigated in detail.
-/6

Rais12 Sm Ch11

Recommend Documents