Chapter 2
Conducting an Information Systems Audit
Sreekanth N
1
Contents
• Introduction
• The big question
• Learning objectives
• Nature of controls
• Dealing with complexity
• Audit risks
• Types of audit procedures
• Overview of steps in an audit
• Auditing around or through the computer
2
Introduction
• Auditors can perform a detailed audit in small organizations.
• Not all organizations are the same size.
• Auditing in big organizations is difficult.
• Detailed checking of data processing inside information systems becomes complex.
• Auditors therefore resort to sampling.
3
The big question
• How can an auditor perform an IS audit so as to obtain reasonable
assurance that an organization safeguards its data-processing assets,
maintains data integrity, and achieves system effectiveness and
efficiency?
4
Learning Objectives
• Learn the general approach followed for information systems audit.
• Learn the nature of controls.
• Learn techniques for simplifying the complexity encountered while
making evaluation judgements on computer-based information
systems.
• Learn the basic risks auditors face and the types of audit procedures
used to control and assess these risks.
• Finally we examine a major decision auditors must make while doing
an IS audit.
5
Attestation vs Audit
• Attestation: An attestation is a type of engagement in which an attester
(auditor, practitioner, accountant) provides a report as to whether an
assertion (made by an asserter, typically management) has been prepared in
conformity with the appropriate criteria.
• Attestations include financial statement audits, reporting on forecasts, projections,
pro-forma information, effectiveness of internal control etc.
• Attestation Standards apply only to situations not addressed by other professional
standards.
• Audit: An audit is a type of attest function in which an auditor provides an
independent opinion (positive assurance) about whether management
(asserter) has prepared financial statements in conformity with an
applicable financial reporting framework (criteria).
6
Nature of controls
• A control is a system that prevents, detects, or corrects unlawful
events.
• System – a set of interrelated components working together to achieve
some overall purpose.
• Unlawful event – arises if unauthorized, inaccurate, incomplete,
redundant, ineffective, or inefficient input enters the system.
• Preventive control
• Detective control
• Corrective control
7
Dealing with Complexity
• Conducting an IS audit is an exercise in dealing with complexity.
• Because complexity is the root cause of problems faced by many
professionals, two guidelines have been developed for IS audit:
1. Given the purpose of the IS audit, factor the system to be evaluated
into subsystems.
2. Determine the reliability of each subsystem and the implications of
each subsystem's level of reliability for the overall reliability of the
system.
8
Dealing with Complexity –> Subsystem Factoring
• Subsystems perform basic functions and are logical components of the system.
• Factoring – decomposing a system into subsystems (an iterative process).
• Systems theory gives two guidelines for identifying and delineating
subsystems:
• subsystems should be relatively independent
• subsystems should be internally cohesive
• Auditors have recognized that some systems cannot be audited on the basis of
these guidelines alone.
• Over time, two methodologies were developed to factor systems.
9
Dealing with Complexity –> Subsystem Factoring
Factoring hierarchy (diagram): IS Function → Management systems → Management subsystems; IS Function → Cycles → Application systems → Application subsystems.
10
Dealing with Complexity –> Subsystem Factoring –> Management subsystems
• Based on the managerial functions that must be performed to ensure
that development, implementation, operation and maintenance of IS
proceed in a planned and controlled manner.
• Managerial systems function to provide a stable infrastructure in
which information systems can be built, operated and maintained on
a day-to-day basis.
• Some of the management subsystems are: top management, IS
management, systems development management, programming
management, data administration, quality assurance, security
administration, operations management.
11
Dealing with Complexity –> Subsystem Factoring –> Application Subsystems
• Based on the cycles approach.
• Information systems are grouped into cycles.
• Examples of cycles: sales and collection, payroll and personnel, acquisition
and payments, inventory, etc.
• Each cycle is then factored into application systems.
• Each application system is factored into application subsystems.
• Application subsystems can include: boundary, input,
communication, processing, database, output.
12
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability
• Beginning with the lowest-level subsystems, all the different types of
lawful and unlawful events that can occur in the system are
identified.
• The primary concern is unlawful events.
• To identify them, we focus on the major functions each subsystem performs.
• Using a walk-through technique, we focus on:
• the transactions that can occur as input to the subsystem, since all events
arise from a transaction;
• how the subsystem processes each transaction, understanding each
processing step.
13
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability
• It is costly to trace each transaction.
• Auditors therefore focus on classes.
• Group similar transactions into classes and analyze them.
• Once events are identified, auditors evaluate whether controls are in place.
• They collect evidence on the controls and see if expected losses are
reduced to acceptable levels.
• Errors made at one level can propagate to higher levels.
14
Audit Risks
• Systems auditors are concerned with four objectives:
• Asset safeguarding
• Data integrity
• System effectiveness
• System efficiency
• Auditors are concerned with whether errors or irregularities cause
material losses or material misstatements in the financial information.
• Because of the test (sampling) nature of auditing, auditors might fail to detect real or
potential material losses and account misstatements.
15
Audit Risks
• The risk of an auditor failing to detect actual or potential material losses or account
misstatements at the conclusion of the audit is called the audit risk.
• Auditors choose an audit approach and design audit procedures in an attempt to reduce
this risk to a level deemed acceptable.
• To determine the desired audit risk, the following audit risk model is adopted:
DAR = IR x CR x DR
• DAR is the desired audit risk.
• IR is the inherent risk: the likelihood that a material loss or account misstatement exists in
some segment of the audit before the reliability of internal controls is considered.
• CR is the control risk: the likelihood that internal controls in some segment of the audit will
not prevent, detect, or correct material losses or account misstatements that arise.
• DR is the detection risk: the likelihood that the audit procedures used in some segment of the audit will fail
to detect material losses or account misstatements.
16
Audit Risks
• To apply the model, auditors first choose their level of desired audit risk.
• Auditors consider such factors as the level of reliance external parties are likely to
place on the financial statements and the likelihood of the organization encountering
financial difficulties subsequent to the audit. They also assess the short- and long-run
consequences for their organizations if they fail to detect real or potential
material losses from ineffective or inefficient operations.
• Next, auditors consider the level of inherent risk. Initially auditors consider
general factors such as:
• the nature of the organization,
• the industry in which it operates,
• the characteristics of management, and accounting and auditing concerns.
17
Audit Risks
Inherent Risk in Financial Systems
• Systems that provide financial control over the major
assets of an organization:
• cash receipts and disbursements,
• payroll,
• accounts receivable and payable
often have higher inherent risk, because they are frequently the target of fraud.
18
Audit Risks
• To assess the level of control risk associated with a segment of the audit, auditors
consider the reliability of both management and application controls.
• Auditors usually identify and evaluate controls in management subsystems first.
• Management (subsystem) controls are fundamental controls because they cover
all application systems.
• Thus, the absence of a management control is a serious concern for auditors.
• Next auditors calculate the level of detection risk they must attain to achieve
their desired audit risk. They then design evidence collection procedures in an
attempt to achieve this level of detection risk.
19
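The audit risk model on the preceding slides, worked through in code. This is an added illustration, not part of the slide deck: it solves DAR = IR x CR x DR for the detection risk the substantive procedures must achieve, and shows how relying on controls (CR below the maximum) changes that requirement. The risk levels and the "extended vs limited testing" threshold are constructed assumptions.

```python
"""Audit risk model from the slides: DAR = IR x CR x DR.

Added illustration, not from the slide deck. Given the desired audit risk
(DAR) and the assessed inherent risk (IR) and control risk (CR) for one
audit segment, solve the model for the detection risk (DR) that the
substantive procedures must achieve. A lower required DR means the
substantive tests must be more extensive. All risk levels and the
"extended vs limited" threshold used below are constructed assumptions.
"""


def _check_probability(name, value):
    """Risk levels in the model are likelihoods, so each must lie in (0, 1]."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def required_detection_risk(dar, ir, cr):
    """Solve DAR = IR x CR x DR for DR.

    If IR x CR is already below DAR, the model asks for DR > 1, i.e. the
    desired audit risk is met without substantive testing; cap DR at 1.0.
    """
    for name, value in (("DAR", dar), ("IR", ir), ("CR", cr)):
        _check_probability(name, value)
    return min(dar / (ir * cr), 1.0)


# Assumed planning threshold: a required DR this low means the auditor
# cannot tolerate much detection risk and must test extensively.
EXTENDED_TESTING_BELOW = 0.10


def plan_segment(dar, name, ir, cr):
    """Summarise what the model implies for one segment of the audit.

    The slides note that controls are tested only when control risk is
    assessed below the maximum (1.0); at the maximum the auditor does not
    rely on controls and goes straight to substantive work.
    """
    dr = required_detection_risk(dar, ir, cr)
    if dr >= 1.0:
        extent = "none needed to meet DAR"
    elif dr < EXTENDED_TESTING_BELOW:
        extent = "extended"
    else:
        extent = "limited"
    return {
        "segment": name,
        "rely_on_controls": cr < 1.0,
        "required_detection_risk": round(dr, 4),
        "substantive_testing": extent,
    }


if __name__ == "__main__":
    DAR = 0.05  # constructed: the auditor accepts a 5% desired audit risk
    # Same segment, first without relying on controls (CR at maximum),
    # then with controls assessed as moderately reliable.
    for cr in (1.0, 0.5):
        print(plan_segment(DAR, "payroll", ir=0.8, cr=cr))
    # Strong controls on a low-risk segment: the model asks for no
    # substantive testing at all to meet the desired audit risk.
    print(plan_segment(DAR, "fixed-asset register", ir=0.1, cr=0.2))
```

Halving the assessed control risk for the payroll segment doubles the detection risk the auditor may accept, which is the quantitative form of "relying on controls to reduce more costly testing" described on the later slides.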
Audit Risks
• The whole point in considering the audit risk model is that audit efforts should be
focused where they will have the highest payoffs.
• In most cases auditors cannot collect evidence to the extent they would like.
• Accordingly, they must be judicious in terms of where they apply their audit
procedures and how they interpret the evidence they collect.
20
Types of Audit Procedures
When external auditors gather evidence to determine whether material losses have
occurred or financial information has been materially misstated, they use five types
of procedures:
• Procedures to obtain an understanding of controls: Inquiries, inspections, and
observations can be used to gain an understanding of what controls supposedly
exist, how well they have been designed, and whether they have been placed in
operation.
• Tests of controls: Inquiries, inspections, observations, and performance of control
procedures can be used to evaluate whether controls are operating effectively.
• Substantive tests of details of transactions: These tests are designed to detect
dollar errors or irregularities in transactions that would affect the financial
statements.
21
Types of Audit Procedures
• Substantive tests of details of account balances: These tests focus on the ending
general ledger balances in the balance sheet and income statement.
• Analytical review procedures: These tests focus on relationships among data
items with the objective of identifying areas that require further audit work.
• Auditors usually carry out the less costly audit procedures first in the hope the
evidence obtained from these procedures indicates it is unlikely a material loss or
material misstatement has occurred or will occur. If this outcome arises, auditors
can alter the nature, timing, and extent of the more costly tests used.
22
Overview of Steps in an Audit
Start
Stop
Obtain
Understanding
Of control structure
Assess control
risk
Preliminary
Audit work
Reassess
Control risk
Tests of
controls
Limited
Substantive
testing
Extended
Substantive
testing
Form audit
Opinion and
Issue report
Rely on
Controls ?
Increase
Reliance on
Controls ?
Still
Rely on
Control ?
no
Yes
no
yes
no
yes
Major Steps
to be
undertaken
in an audit
23
Overview of Steps in an Audit – Planning audit
• Planning is the first phase of an audit.
• For an external auditor: investigating new and continuing clients to
determine whether the audit engagement should be accepted,
assigning appropriate staff to the audit, obtaining an engagement
letter, obtaining background information on the client, understanding
the client's legal obligations, and undertaking analytical review
procedures to understand the client's business better and identify
areas of risk in the audit.
• For an internal auditor: understanding the objectives to be
accomplished in the audit, obtaining background information,
assigning appropriate staff, and identifying areas of risk.
24
Overview of Steps in an Audit – Planning audit
• Judgment on the level of control risk associated with each segment of the
audit is hard.
• To decide on the level of control risk, auditors must first understand the
internal controls used within an organization. Internal controls comprise
five interrelated components:
• Control Environment - Elements that establish the control context in which specific
accounting systems and control procedures must operate.
• Risk Assessment - Elements that identify and analyze the risks faced by an
organization and the ways these risks can be managed.
• Control Activities - Elements that operate to ensure transactions are authorized,
duties are segregated, adequate documents and records are maintained, assets and
records are safeguarded, and independent checks on performance and valuation of
recorded amounts occur.
25
Overview of Steps in an Audit – Planning audit
• Information and Communication - Elements in which information is identified,
captured, and exchanged in a timely and appropriate form to allow personnel
to discharge their responsibilities properly.
• Monitoring- Elements that ensure internal controls operate reliably over time.
26
Overview of Steps in an Audit – Planning audit
• After auditors obtain an understanding of the internal controls, they
then must determine the control risk in relation to each assertion:
• If auditors assess control risk at less than the maximum level, they must then
identify the material controls that relate to the assertion and test the controls
to evaluate whether they are operating effectively.
• If auditors assess control risk at the maximum level, they do not test controls;
they might conclude that internal controls are unlikely to be effective and
therefore cannot be relied upon or that a more effective and efficient audit
can be conducted using a substantive approach.
27
Overview of Steps in an Audit – Tests of Controls
• Auditors test controls when they assess the control risk for an assertion at less
than the maximum level.
• They rely on controls as a basis for reducing more costly testing.
• Tests of controls evaluate whether specific, material controls are reliable.
• This phase usually begins by again focusing first on management controls.
• If testing shows that, contrary to expectations, management controls are not
operating reliably, there might be little point to testing application controls.
• If auditors identify serious management-control weaknesses, they might have to
issue an adverse opinion or undertake substantive tests of transactions and
balances or overall results.
• Auditors conduct the evaluation iteratively for each management subsystem and
each application subsystem that is important.
28
Overview of Steps in an Audit – Tests of Controls
• If auditors conclude that management controls are in place and
working satisfactorily, they then would evaluate the reliability of
application controls.
• For each transaction considered, auditors evaluate whether the
control is operating effectively.
29
Overview of Steps in an Audit – Tests of Controls
• After auditors have completed tests of controls, they again assess
control risk.
• Based on the test results, auditors might conclude that internal controls
are stronger or weaker than initially anticipated.
• They might also conclude that it is worthwhile to perform more tests
of controls with a view to further reducing substantive testing.
• Accordingly, auditors conclude control risk has decreased and seek
further evidence to support this assessment.
30
Overview of Steps in an Audit – Tests of Transactions
• Auditors use tests of transactions to evaluate whether erroneous or
irregular processing of a transaction has led to a material misstatement of
financial information.
• Typical attest tests of transactions include
• tracing journal entries to their source documents,
• examining price files for propriety, and
• testing computational accuracy.
• Example: Auditors usually use generalized audit software to check whether the
interest paid on bank accounts has been calculated correctly.
• From an operational perspective, auditors use tests of transactions to
evaluate whether transactions or events have been handled effectively and
efficiently.
31
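The interest recalculation mentioned on the slide above, written out as a test of transactions. This is an added example, not part of the slide deck or of any generalized audit software product: it recomputes interest on a constructed extract of account records, flags records outside tolerance, and summarises the exceptions so the misstatement can be estimated (the purpose of the expanded tests described on the following slides). The file layout, the simple-interest formula and the one-cent tolerance are assumptions made for the example.

```python
"""Test of transactions: recompute interest paid on bank accounts.

Added example, not from the slide deck. The slides note that auditors use
generalized audit software to check whether interest paid on bank accounts
was calculated correctly. This does that for a constructed extract of
account records: recompute the interest, flag each record whose paid
amount differs from the recomputed amount by more than a tolerance, and
summarise the exceptions so the misstatement can be estimated. The file
layout, the simple-interest formula (balance x rate x days / 365) and the
one-cent tolerance are assumptions made for this example.
"""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample extract; a real engagement would use the client's export.
SAMPLE_EXTRACT = """account,balance,annual_rate,days,interest_paid
A-1001,10000.00,0.030,30,24.66
A-1002,2500.00,0.025,30,5.14
A-1003,50000.00,0.030,31,130.00
A-1004,800.00,0.020,30,0.00
A-1005,12000.00,0.035,30,34.52
"""

CENT = Decimal("0.01")
TOLERANCE = Decimal("0.01")  # assumed: one cent of rounding difference is acceptable


def expected_interest(balance, annual_rate, days):
    """Recompute simple interest for the period, rounded to the cent."""
    raw = balance * annual_rate * days / Decimal(365)
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def parse_extract(text):
    """Read the CSV extract into typed rows; Decimal keeps money exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "balance": Decimal(row["balance"]),
            "annual_rate": Decimal(row["annual_rate"]),
            "days": int(row["days"]),
            "interest_paid": Decimal(row["interest_paid"]),
        })
    return rows


def flag_exceptions(rows, tolerance=TOLERANCE):
    """Return one exception per record whose paid interest is outside tolerance."""
    exceptions = []
    for r in rows:
        expected = expected_interest(r["balance"], r["annual_rate"], r["days"])
        difference = r["interest_paid"] - expected  # positive = overpaid
        if abs(difference) > tolerance:
            exceptions.append({
                "account": r["account"],
                "paid": r["interest_paid"],
                "expected": expected,
                "difference": difference,
            })
    return exceptions


def summarise(rows, exceptions):
    """Figures the auditor needs to judge the materiality of what was found."""
    net = sum((e["difference"] for e in exceptions), Decimal("0"))
    gross = sum((abs(e["difference"]) for e in exceptions), Decimal("0"))
    return {
        "tested": len(rows),
        "exceptions": len(exceptions),
        "exception_rate": len(exceptions) / len(rows) if rows else 0.0,
        "net_misstatement": net,      # what the ledger is off by overall
        "gross_misstatement": gross,  # total size of the errors found
    }


def run(text=SAMPLE_EXTRACT):
    rows = parse_extract(text)
    exceptions = flag_exceptions(rows)
    return exceptions, summarise(rows, exceptions)


if __name__ == "__main__":
    found, summary = run()
    for e in found:
        print(f"{e['account']}: paid {e['paid']}, expected {e['expected']}, "
              f"difference {e['difference']}")
    print(summary)
```

On the constructed extract two of five records fail the recomputation (one overpayment, one missed payment), and the net and gross figures are what the auditor would project from the sample to estimate the misstatement in the population.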
Overview of Steps in an Audit – Tests of Transactions
• In an attest audit, auditors conduct tests of transactions at interim
dates in order to reduce the amount of substantive tests of balances
to be done at financial year end and thus to reduce the overall costs
of the audit.
• In an operational audit for effectiveness and efficiency purposes,
auditors also use tests of transactions at interim dates in order to
reduce the amount of substantive testing of overall results to be done
near the reporting date.
32
Overview of Steps in an Audit – Tests of Transactions
• If the results of tests of transactions indicate that material losses have
occurred or might occur or that financial information is or might be
materially misstated, substantive tests of balances or overall results
will be expanded.
• Auditors can use expanded tests of balances or overall results to
obtain a better estimate of the losses or misstatements that have
occurred or might occur.
33
Overview of Steps in an Audit – Tests of Balances or Overall Results
• Auditors conduct tests of balances or overall results to obtain
sufficient evidence for making a final judgment on the extent of losses
or account misstatements that occur when the information systems function fails to
• safeguard assets,
• maintain data integrity, or
• achieve system effectiveness and efficiency.
34
Overview of Steps in an Audit – Completion of the Audit
• In the final phase of the audit, external auditors undertake several
additional tests to bring the collection of evidence to a close.
• They must then formulate an opinion about whether material losses or
account misstatements have occurred and issue a report.
• The professional standards in many countries require one of four types of
opinion be issued:
• Disclaimer of opinion: On the basis of the audit work conducted, the auditor is
unable to reach an opinion.
• Adverse opinion: The auditor concludes that material losses have occurred or that
the financial statements are materially misstated.
• Qualified opinion: The auditor concludes that losses have occurred or that the
financial statements are misstated but that the amounts are not material.
• Unqualified opinion: The auditor believes that no material losses or account
misstatements have occurred.
35
Auditing Around or Through the Computer
• When auditors come to the controls testing phase of an information
systems audit, one of the major decisions they must make is whether to
test controls by auditing around or through the computer.
• The phrases "auditing around the computer" and "auditing through the
computer" are carryovers from the past.
• They arose from a debate over how much technical knowledge was required to audit
computer systems, in which two approaches were formulated:
• Auditors could evaluate computer systems simply by checking their input and output.
• The internal workings of computer systems were examined and evaluated.
• Both have their own merits and demerits, and both are used in auditing
today.
36
Around the Computer
• Auditing around the computer involves arriving at an audit opinion
through examining and evaluating management controls and then
input and output only for application systems.
• Based on the quality of an application system's input and output,
auditors infer the quality of the application system's processing.
• The application system's processing is not examined directly. Instead,
auditors view the computer as a black box.
• This is a cost-effective approach when the software used is a single software package.
37
Around the Computer
• Auditors seek to ensure that:
• the organization has not modified the package in any way;
• adequate controls exist over the source code, object code, and
documentation to prevent unauthorized modification of the package;
• high-quality controls exist over input to and output from the package.
38
Through the Computer
• The advantage of auditing through the computer is that auditors have
increased power to test an application system effectively.
• It also increases their confidence in the reliability of the evidence collection
and evaluation.
• By directly examining the processing logic embedded within an
application system, auditors are better able to assess the system's
ability to cope with change and the likelihood of losses or account
misstatements arising in the future.
• The approach has two disadvantages:
• it can sometimes be costly;
• it requires extensive technical expertise to understand how the system works.
39
Through the Computer
• Auditors use the computer to test:
• the processing logic and controls existing within the system;
• the records produced by the system.
40
Thank You
41
Thermal Engineering-R & A / C - unit - V
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 

Conducting an Information Systems Audit

Chapter 2
Conducting an Information Systems Audit
Sreekanth N
1
Contents
• Introduction
• The big question
• Learning objectives
• Nature of controls
• Dealing with complexity
• Audit risks
• Types of audit procedures
• Overview of steps in an audit
• Auditing around or through the computer
2
Introduction
• Auditors can perform a detailed audit in small organizations.
• Not all organizations are the same size.
• Auditing in big organizations is difficult.
• Detailed checking of data processing inside information systems becomes complex.
• Auditors resort to sampling.
3
The big question
• How can an auditor perform an IS audit so as to obtain reasonable assurance that an organization safeguards its data-processing assets, maintains data integrity, and achieves system effectiveness and efficiency?
4
Learning Objectives
• Learn the general approach followed for an information systems audit.
• Learn the nature of controls.
• Learn techniques for simplifying the complexity encountered while making evaluation judgements on computer-based information systems.
• Learn the basic risks auditors face and the types of audit procedures used to control and assess these risks.
• Finally, examine a major decision auditors must make while doing an IS audit.
5
Attestation vs Audit
• Attestation: an attestation is a type of engagement in which an attester (auditor, practitioner, accountant) provides a report as to whether an assertion (made by an asserter, such as management) has been prepared in conformity with the appropriate criteria.
• Attestations include financial statement audits, reporting on forecasts, projections, pro-forma information, effectiveness of internal control, etc.
• Attestation standards apply only to situations not addressed by other professional standards.
• Audit: an audit is a type of attest function in which an auditor provides an independent opinion (positive assurance) about whether management (asserter) has prepared financial statements in conformity with an applicable financial reporting framework (criteria).
6
Nature of controls
• A control is a system that prevents, detects, or corrects unlawful events.
• System: a set of interrelated components working together to achieve some overall purpose.
• Unlawful event: arises if unauthorized, inaccurate, incomplete, redundant, ineffective, or inefficient input enters the system.
• Preventive control
• Detective control
• Corrective control
7
Dealing with Complexity
• Conducting an IS audit is an exercise in dealing with complexity.
• Because complexity is the root cause of problems faced by many professionals, two guidelines have been developed for IS audit:
1. Given the purpose of the IS audit, factor the system to be evaluated into subsystems.
2. Determine the reliability of each subsystem and the implications of each subsystem's level of reliability for the overall reliability of the system.
8
Dealing with Complexity –> Subsystem Factoring
• A subsystem performs a basic function and is a logical component of the system.
• Factoring: decomposing a system into subsystems (an iterative process).
• Systems theory gives two guidelines for identifying and delineating subsystems:
• they should be relatively independent
• they should be internally cohesive
• Auditors have recognized that some systems cannot be audited on the basis of these guidelines alone.
• Over time, two methodologies were developed to factor systems.
9
Dealing with Complexity –> Subsystem Factoring
[Diagram: factoring the IS function. Management side: IS function → management systems → management subsystems. Application side: IS function → cycles → application systems → application subsystems.]
10
Dealing with Complexity –> Subsystem Factoring –> Management subsystems
• Based on the managerial functions that must be performed to ensure that the development, implementation, operation and maintenance of information systems proceed in a planned and controlled manner.
• Management systems function to provide a stable infrastructure in which information systems can be built, operated and maintained on a day-to-day basis.
• Some of the management subsystems are: top management, IS management, systems development management, programming management, data administration, quality assurance, security administration, operations management.
11
Dealing with Complexity –> Subsystem Factoring –> Application Subsystems
• Based on the cycles approach.
• Information systems are grouped into cycles.
• Examples of cycles: sales and collection, payroll and personnel, acquisition and payments, inventory, etc.
• Each cycle is then factored into application systems.
• Each application system is factored into application subsystems.
• Application subsystems can include boundary, input, communication, processing, database and output.
12
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability
• Beginning with the lowest-level subsystems, all the different types of lawful and unlawful events that can occur in the system are identified.
• The primary concern is unlawful events.
• To identify them, we focus on the major functions each subsystem performs.
• As a basis we use the walk-through technique, focusing on:
• the transactions that can occur as input to the subsystem, as all events arise from a transaction;
• how the subsystem processes each transaction, understanding each processing step.
13
Dealing with Complexity –> Subsystem Factoring –> Assessing Subsystem Reliability
• It is costly to trace each transaction.
• Auditors focus on classes: similar transactions are grouped into classes and analyzed together.
• When events are identified, auditors evaluate whether controls are in place.
• They collect evidence on the controls and check whether losses are reduced to acceptable levels.
• Errors made at one level can propagate to higher levels.
14
Audit Risks
• Systems auditors are concerned with four objectives:
• Asset safeguarding
• Data integrity
• System effectiveness
• System efficiency
• Auditors are concerned with whether errors or irregularities cause material losses or material misstatements in the financial information.
• Because auditing is based on testing (sampling), auditors might fail to detect real or potential material losses and account misstatements.
15
Audit Risks
• The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit is called the audit risk.
• Auditors choose an audit approach and design audit procedures in an attempt to reduce this risk to a level deemed acceptable.
• To determine the desired audit risk, the following audit risk model is adopted: DAR = IR x CR x DR
• DAR is the desired audit risk.
• IR is the inherent risk: the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered.
• CR is the control risk: the likelihood that internal controls in some segment of the audit will not prevent, detect, or correct material losses or account misstatements that arise.
• DR is the detection risk: the likelihood that the audit procedures used in some segment of the audit will fail to detect material losses or account misstatements.
16
Audit Risks
• To apply the model, auditors first choose their level of desired audit risk.
• Auditors consider such factors as the level of reliance external parties are likely to place on the financial statements and the likelihood of the organization encountering financial difficulties subsequent to the audit; they also assess the short- and long-run consequences for their organizations if they fail to detect real or potential material losses from ineffective or inefficient operations.
• Next, auditors consider the level of inherent risk. Initially auditors consider general factors such as:
• the nature of the organization,
• the industry in which it operates,
• the characteristics of management, and
• accounting and auditing concerns.
17
Audit Risks: Inherent Risk in Financial Systems
• Systems that usually provide financial control over the major assets of an organization:
• cash receipts and disbursements,
• payroll,
• accounts receivable and payable
• often have higher inherent risk, because they are frequently the target of fraud.
18
Audit Risks
• To assess the level of control risk associated with a segment of the audit, auditors consider the reliability of both management and application controls.
• Auditors usually identify and evaluate controls in management subsystems first.
• Management (subsystem) controls are fundamental controls because they cover all application systems.
• Thus, the absence of a management control is a serious concern for auditors.
• Next, auditors calculate the level of detection risk they must attain to achieve their desired audit risk. They then design evidence collection procedures in an attempt to achieve this level of detection risk.
19
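Added example (not from the slides): applying the audit risk model DAR = IR x CR x DR from slides 16 to 19 to compute the detection risk each audit segment's substantive procedures must achieve, and ranking segments by it. The segment names and risk values are constructed assumptions, not figures from any real engagement.

```python
"""Worked application of the audit risk model DAR = IR x CR x DR.

Added example (not from the slides). Risk values are constructed
illustrations, not figures from any real engagement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditSegment:
    """One segment of the audit with the auditor's risk assessments."""
    name: str
    inherent_risk: float   # IR: likelihood of material loss before controls are considered
    control_risk: float    # CR: likelihood controls fail to prevent/detect/correct it


def _check_probability(label: str, value: float) -> None:
    """Risks in the model are likelihoods; reject values outside (0, 1]."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{label} must be in (0, 1], got {value}")


def required_detection_risk(segment: AuditSegment, desired_audit_risk: float) -> float:
    """Solve DAR = IR x CR x DR for DR, the detection risk the auditor's
    evidence collection must achieve in this segment (slide 19).

    A lower DR means more (and more costly) substantive evidence is needed.
    """
    _check_probability("desired audit risk", desired_audit_risk)
    _check_probability("inherent risk", segment.inherent_risk)
    _check_probability("control risk", segment.control_risk)
    dr = desired_audit_risk / (segment.inherent_risk * segment.control_risk)
    # If IR x CR is already below DAR, even no detection effort (DR = 1) meets
    # the target; cap at 1.0 rather than report an impossible probability.
    return min(dr, 1.0)


def plan_segments(segments, desired_audit_risk):
    """Return {segment name: required DR} ordered lowest DR first: those are
    the segments where audit effort has the highest payoff (slide 20)."""
    plan = {s.name: round(required_detection_risk(s, desired_audit_risk), 4)
            for s in segments}
    return dict(sorted(plan.items(), key=lambda kv: kv[1]))


# Constructed sample: payroll and cash receipts carry high inherent risk
# (slide 18); the fixed-asset register has low IR and strong controls.
SAMPLE_SEGMENTS = [
    AuditSegment("payroll", inherent_risk=0.9, control_risk=0.5),
    AuditSegment("cash receipts", inherent_risk=0.8, control_risk=0.25),
    AuditSegment("fixed assets", inherent_risk=0.2, control_risk=0.1),
]

if __name__ == "__main__":
    for name, dr in plan_segments(SAMPLE_SEGMENTS, desired_audit_risk=0.05).items():
        print(f"{name:14s} required DR = {dr:.4f}")
```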
Audit Risks
• The whole point in considering the audit risk model is that audit effort should be focused where it will have the highest payoff.
• In most cases auditors cannot collect evidence to the extent they would like.
• Accordingly, they must be judicious about where they apply their audit procedures and how they interpret the evidence they collect.
20
Types of Audit Procedures
When external auditors gather evidence to determine whether material losses have occurred or financial information has been materially misstated, they use five types of procedures:
• Procedures to obtain an understanding of controls: inquiries, inspections, and observations can be used to gain an understanding of what controls supposedly exist, how well they have been designed, and whether they have been placed in operation.
• Tests of controls: inquiries, inspections, observations, and performance of control procedures can be used to evaluate whether controls are operating effectively.
• Substantive tests of details of transactions: these tests are designed to detect dollar errors or irregularities in transactions that would affect the financial statements.
21
Types of Audit Procedures
• Substantive tests of details of account balances: these tests focus on the ending general ledger balances in the balance sheet and income statement.
• Analytical review procedures: these tests focus on relationships among data items with the objective of identifying areas that require further audit work.
• Auditors usually carry out the less costly audit procedures first, in the hope that the evidence obtained from them indicates it is unlikely a material loss or material misstatement has occurred or will occur. If so, auditors can alter the nature, timing, and extent of the more costly tests used.
22
Overview of Steps in an Audit
[Flowchart: Major steps to be undertaken in an audit. Start; Preliminary audit work; Obtain understanding of control structure; Assess control risk; Rely on controls? (no: Extended substantive testing; yes: Tests of controls); Reassess control risk; Still rely on controls? (no: Extended substantive testing; yes: Increase reliance on controls? (yes: further Tests of controls; no: Limited substantive testing)); Form audit opinion and issue report; Stop.]
23
Overview of Steps in an Audit – Planning the audit
• Planning is the first phase of an audit.
• For an external auditor: investigating new and continuing clients to determine whether the audit engagement should be accepted, assigning appropriate staff to the audit, obtaining an engagement letter, obtaining background information on the client, understanding the client's legal obligations, and undertaking analytical review procedures to understand the client's business better and identify areas of risk in the audit.
• For an internal auditor: understanding the objectives to be accomplished in the audit, obtaining background information, assigning appropriate staff, and identifying areas of risk.
24
Overview of Steps in an Audit – Planning the audit
• Judging the level of control risk associated with each segment of the audit is hard.
• To decide on the level of control risk, auditors must first understand the internal controls used within an organization. Internal controls comprise five interrelated components:
• Control environment: elements that establish the control context in which specific accounting systems and control procedures must operate.
• Risk assessment: elements that identify and analyze the risks faced by an organization and the ways these risks can be managed.
• Control activities: elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks on performance and valuation of recorded amounts occur.
25
Overview of Steps in an Audit – Planning the audit
• Internal control components (continued):
• Information and communication: elements by which information is identified, captured, and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities properly.
• Monitoring: elements that ensure internal controls operate reliably over time.
26
Overview of Steps in an Audit – Planning the audit
• After auditors obtain an understanding of the internal controls, they must determine the control risk in relation to each assertion:
• If auditors assess control risk at less than the maximum level, they must then identify the material controls that relate to the assertion and test the controls to evaluate whether they are operating effectively.
• If auditors assess control risk at the maximum level, they do not test controls; they might conclude that internal controls are unlikely to be effective and therefore cannot be relied upon, or that a more effective and efficient audit can be conducted using a substantive approach.
27
Overview of Steps in an Audit – Tests of Controls
• Auditors test controls when they assess the control risk for an assertion at less than the maximum level.
• They rely on controls as a basis for reducing more costly testing.
• Tests of controls evaluate whether specific, material controls are reliable.
• This phase usually begins by again focusing first on management controls.
• If testing shows that, contrary to expectations, management controls are not operating reliably, there might be little point in testing application controls.
• If auditors identify serious management-control weaknesses, they might have to issue an adverse opinion or undertake substantive tests of transactions and balances or overall results.
• Auditors conduct the evaluation iteratively for each management subsystem and each important application subsystem.
28
Overview of Steps in an Audit – Tests of Controls
• If auditors conclude that management controls are in place and working satisfactorily, they then evaluate the reliability of application controls.
• For each transaction considered, auditors evaluate whether the control is operating effectively.
29
Overview of Steps in an Audit – Tests of Controls
• After auditors have completed tests of controls, they again assess control risk.
• Given the test results, auditors might conclude that internal controls are stronger or weaker than initially anticipated.
• They might also conclude that it is worthwhile to perform more tests of controls with a view to reducing subsequent testing further.
• In that case, auditors conclude control risk has decreased and seek further evidence to support this assessment.
30
Overview of Steps in an Audit – Tests of Transactions
• Auditors use tests of transactions to evaluate whether erroneous or irregular processing of a transaction has led to a material misstatement of financial information.
• Typical attest tests of transactions include:
• tracing journal entries to their source documents,
• examining price files for propriety, and
• testing computational accuracy.
• Example: auditors usually use generalized audit software to check whether the interest paid on bank accounts has been calculated correctly.
• From an operational perspective, auditors use tests of transactions to evaluate whether transactions or events have been handled effectively and efficiently.
31
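Added example (not from the slides, and not any particular audit package): the interest recomputation on slide 31 done as a test of computational accuracy, comparing the interest a bank system posted with an independent recomputation. The record layout, the interest method (simple interest on the average daily balance over a 365-day year, rounded half-up to the cent) and the one-cent tolerance are constructed assumptions.

```python
"""Test of transactions: recompute interest paid on bank accounts and compare
it with what the system posted (the generalized-audit-software check on slide 31).

Added example, not from the slides. The record layout, rates and tolerances
are constructed assumptions for illustration.
"""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of posted interest, as an auditor might receive from the
# bank's system: account, average daily balance, annual rate, days in period,
# and the interest the system actually credited. Two records are deliberately
# wrong: 1003 has a transposed amount and 1004 was never credited.
POSTED_INTEREST_CSV = """account,avg_balance,annual_rate,days,interest_posted
1001,12000.00,0.0250,31,25.48
1002,850.50,0.0250,31,1.81
1003,250000.00,0.0310,31,685.22
1004,4300.00,0.0250,31,0.00
1005,99.99,0.0250,31,0.21
"""

CENT = Decimal("0.01")
DAYS_IN_YEAR = Decimal(365)


def expected_interest(avg_balance: Decimal, annual_rate: Decimal, days: int) -> Decimal:
    """Independent recomputation: simple interest on the average daily balance,
    rounded half-up to the cent (assumed to be the bank's stated method)."""
    raw = avg_balance * annual_rate * Decimal(days) / DAYS_IN_YEAR
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def recompute_interest(csv_text: str, tolerance: Decimal = CENT):
    """Return (exceptions, net_difference).

    exceptions: records whose posted interest differs from the recomputation
    by more than `tolerance` (rounding noise of one cent is ignored).
    net_difference: sum of posted minus expected over all records, which the
    auditor compares with the materiality threshold for the balance.
    """
    exceptions = []
    net_difference = Decimal("0.00")
    for row in csv.DictReader(io.StringIO(csv_text)):
        posted = Decimal(row["interest_posted"])
        expected = expected_interest(Decimal(row["avg_balance"]),
                                     Decimal(row["annual_rate"]),
                                     int(row["days"]))
        diff = posted - expected
        net_difference += diff
        if abs(diff) > tolerance:
            exceptions.append({"account": row["account"],
                               "posted": posted,
                               "expected": expected,
                               "difference": diff})
    return exceptions, net_difference


if __name__ == "__main__":
    found, net = recompute_interest(POSTED_INTEREST_CSV)
    for e in found:
        print(f"account {e['account']}: posted {e['posted']} "
              f"expected {e['expected']} diff {e['difference']}")
    print(f"net difference across sample: {net}")
```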
Overview of Steps in an Audit – Tests of Transactions
• In an attest audit, auditors conduct tests of transactions at interim dates in order to reduce the amount of substantive testing of balances to be done at financial year end, and thus to reduce the overall cost of the audit.
• In an operational audit for effectiveness and efficiency purposes, auditors also use tests of transactions at interim dates in order to reduce the amount of substantive testing of overall results to be done near the reporting date.
32
Overview of Steps in an Audit – Tests of Transactions
• If the results of tests of transactions indicate that material losses have occurred or might occur, or that financial information is or might be materially misstated, substantive tests of balances or overall results will be expanded.
• Auditors can use expanded tests of balances or overall results to obtain a better estimate of the losses or misstatements that have occurred or might occur.
33
Overview of Steps in an Audit – Tests of Balances or Overall Results
• Auditors conduct tests of balances or overall results to obtain sufficient evidence for making a final judgment on the extent of losses or account misstatements that occur when the information systems function fails to:
• safeguard assets,
• maintain data integrity,
• achieve system effectiveness and efficiency.
34
Overview of Steps in an Audit – Completion of the Audit
• In the final phase of the audit, external auditors undertake several additional tests to bring the collection of evidence to a close.
• They must then formulate an opinion about whether material losses or account misstatements have occurred and issue a report.
• The professional standards in many countries require that one of four types of opinion be issued:
• Disclaimer of opinion: on the basis of the audit work conducted, the auditor is unable to reach an opinion.
• Adverse opinion: the auditor concludes that material losses have occurred or that the financial statements are materially misstated.
• Qualified opinion: the auditor concludes that losses have occurred or that the financial statements are misstated, but that the amounts are not material.
• Unqualified opinion: the auditor believes that no material losses or account misstatements have occurred.
35
Auditing Around or Through the Computer
• When auditors come to the controls testing phase of an information systems audit, one of the major decisions they must make is whether to test controls by auditing around or through the computer.
• The phrases "auditing around the computer" and "auditing through the computer" are carryovers from the past.
• They arose from a debate on how much technical knowledge was required to audit computer systems. Two methods were formulated:
• Auditors could evaluate computer systems simply by checking their input and output.
• The internal workings of computer systems were examined and evaluated.
• Both have their own merits and demerits, and both are used in auditing today.
36
Around the Computer
• Auditing around the computer involves arriving at an audit opinion by examining and evaluating management controls, and then only the input and output of application systems.
• Based on the quality of an application system's input and output, auditors infer the quality of the application system's processing.
• The application system's processing is not examined directly. Instead, auditors view the computer as a black box.
• This is a cost-effective approach when the software used is a single package.
37
Around the Computer
• Auditors seek to ensure that:
• the organization has not modified the package in any way,
• adequate controls exist over the source code, object code, and documentation to prevent unauthorized modification of the package, and
• high-quality controls exist over input to and output from the package.
38
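Added example (not from the slides): one way to gather evidence for the first two assurances on slide 38, comparing the installed package's files against a vendor baseline of SHA-256 digests so that modified, missing or unexpected files are surfaced as exceptions. The manifest format (one `<sha256>  <relative path>` line per file, as `sha256sum` writes it) and the sample install tree are constructed assumptions.

```python
"""Evidence that a package is unmodified (slide 38): compare the installed
files with a vendor-supplied baseline of SHA-256 digests and report every
modified, missing or unexpected file for follow-up.

Added example, not from the slides. The manifest format and the sample
install tree are constructed assumptions.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large object code is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {relative_path: digest}; blank lines and # comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel_path = line.partition("  ")
        manifest[rel_path.lstrip("*")] = digest.lower()   # "*" marks binary mode in sha256sum output
    return manifest


def verify_package(install_dir: Path, manifest: dict) -> dict:
    """Return {"modified": [...], "missing": [...], "unexpected": [...]}.

    Three empty lists are the evidence that the package matches the baseline;
    any entry is an exception the auditor must follow up with the organization.
    """
    findings = {"modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(install_dir).as_posix(): p
               for p in install_dir.rglob("*") if p.is_file()}
    for rel_path, expected in manifest.items():
        actual_path = present.pop(rel_path, None)
        if actual_path is None:
            findings["missing"].append(rel_path)
        elif sha256_of(actual_path) != expected:
            findings["modified"].append(rel_path)
    findings["unexpected"].extend(sorted(present))   # on disk but not in the vendor baseline
    return findings


def build_sample_install(root: Path) -> dict:
    """Create a constructed install tree, return its vendor manifest, then tamper with
    one file and add one so the check has something to find."""
    files = {"bin/ledger.exe": b"\x7fELF-constructed-object-code",
             "lib/interest.dll": b"constructed library bytes",
             "doc/manual.txt": b"Vendor manual v1"}
    manifest_lines = []
    for rel_path, content in files.items():
        target = root / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        manifest_lines.append(f"{sha256_of(target)}  {rel_path}")
    manifest_lines.append(f"{'0' * 64}  lib/removed.dll")              # baseline file that is gone
    (root / "lib/interest.dll").write_bytes(b"patched library bytes")  # local modification
    (root / "bin/hotfix.exe").write_bytes(b"not in the baseline")      # unvetted addition
    return parse_manifest("\n".join(manifest_lines))


def run_sample_check() -> dict:
    """Build the constructed install in a scratch directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp)
        return verify_package(install, build_sample_install(install))


if __name__ == "__main__":
    print(run_sample_check())
```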
Through the Computer
• The advantage of auditing through the computer is that auditors have increased power to test an application system effectively.
• It increases their confidence in the reliability of evidence collection and evaluation.
• By directly examining the processing logic embedded within an application system, auditors are better able to assess the system's ability to cope with change and the likelihood of losses or account misstatements arising in the future.
• The approach has two disadvantages:
• it can sometimes be costly, and
• extensive technical expertise is needed to understand how the system works.
39
Through the Computer
• Auditors use the computer to test:
• the processing logic and controls existing within the system, and
• the records produced by the system.
40