
CHAPTER 22 Auditing Automated Information Systems: Special Topics

Presentation Transcript


  1. CHAPTER 22 Auditing Automated Information Systems: Special Topics

  2. As client computing facilities become more sophisticated, “paperless” accounting systems evolve wherein little “hard copy” documentation is produced. [Diagram labels: A/R master; Monday’s A/R transactions]

  7. What challenges does a sophisticated EDP accounting system present for an auditor?
      - audit trails, documentation may only exist on disk (no printed copies)
      - program errors may exist that cause uniform transaction errors
      - in some circumstances, controls may have to make up for a lack of adequate segregation of duties
      - detecting unauthorized access may be difficult

  8. Electronic Data Interchange (EDI) Presents Even More Challenges
      - electronic method of sending documents between companies
      - no “paper trail” for the auditor to follow
      - increased emphasis on front-end controls
      - security becomes key element in controlling system

  9. Electronic Funds Transfer (EFT) Also Presents Challenges
      - also referred to as electronic commerce, or e-commerce
      - greatly increased through “internet shopping”
      - direct payment systems, e.g. payroll, remove the paper trail once relied upon by auditors

  10. Data Communications Risks and Control Procedures
      - Risk: loss of confidential information, through corporate espionage or “hackers”
        Control: create multiple levels of passwords; change regularly
      - Risk: data intercepted during data communication
        Control: encrypt (scramble) information during transmission

  11. Data Communications Risks and Control Procedures
      - Risk: inappropriate access to information via the Internet
        Controls: use of firewalls; physically separate homepage equipment and software from other systems
      - Risk: viruses invading systems
        Controls: same as above; use current anti-virus software

  12. Disaster Recovery Process
      1. Management commitment to disaster recovery planning.
      2. Ranking of business processes: What will happen if process x fails?
      3. Identifying minimum resources required to restore vital operations.

  13. Disaster Recovery Process
      4. Prepare a data centre plan and a user plan.
      5. Test the plan, to discover any shortcomings in the plan before disaster strikes.

  16. Categories of Controls in an EDP Environment
      - GENERAL CONTROLS relate to all parts of the EDP system.
      - APPLICATION CONTROLS relate to one specific use of the system.
      [Diagram labels: revenue system, expenditure system, payroll system]

  17. Categories of General Controls
      1. plan of organization
         - Separate duties in EDP systems as discussed in chapter 9.

  19. Categories of General Controls
      2. systems development and documentation controls
         - each system should have documented, authorized specifications
         - any system changes should be authorized and documented

  21. Categories of General Controls
      3. hardware controls
         - diagnostic routines: hardware or software that checks the system’s internal operations and devices

  22. Categories of General Controls
      3. hardware controls
         - boundary protection: ensures that simultaneous jobs do not interfere with one another
         [Diagram labels: central processing unit; daily; weekly; payroll calculation; accounts payable update; boundary]

  23. Categories of General Controls
      3. hardware controls
         - periodic maintenance: hardware should be examined periodically by qualified technicians

  25. Categories of General Controls
      4. controls over access to equipment, programs, and data files
         - ACCESS TO: data files & programs, program documentation, computer hardware
         - SHOULD BE LIMITED TO: those who need access to perform their duties

  26. Physical Access Controls
      - manual key locks
      - security guards
      - controls regarding visitors

  27. Electronic Access Controls
      - access control software
      - passwords and ID codes which should be changed periodically. A password may provide access to only part of the system.
      [Illustration: login prompt asking for user ID and password]

  28. Electronic Access Controls
      - encryption boards: devices that are programmed with a unique key that makes data unreadable to anyone who may intercept a transmission
      [Illustration: sample of scrambled text]

  29. Objectives of General Controls
      1. Responsibility for control - senior management, user management and information systems management have responsibilities

  35. Objectives of General Controls
      1. Responsibility for control
      2. Information system meets needs of entity
      3. Efficient implementation of information systems
      4. Efficient and effective maintenance of information systems
      5. Effective and efficient development and acquisition of information systems
      6. Present and future requirements of users can be met
      7. Efficient and effective use of resources within information systems processing

  41. Objectives of General Controls
      8. Complete, accurate and timely processing of authorized information systems
      9. Appropriate segregation of incompatible functions
      10. All access to information and information systems is authorized
      11. Hardware facilities are physically protected from unauthorized access, loss or damage
      12. Recovery and resumption of information systems processing
      13. Maintenance and recovery of critical user activities

  42. Application controls can be grouped into three categories: input, processing, output

  44. Input Controls
      - input data should be authorized & approved
      - the system should edit the input data
      [Illustration: “ERROR!!! Try again!” message]

  45. Examples of Input Controls
      adequate documents - data has an assigned place and format
      [Illustration: sales invoice no. 4527 from Ace Company, 834 Reynolds Rd., Winnipeg, MB R2V 4E3, with fields for date, customer, sales representative, quantity, description, price, total invoice amount, est. shipment date, terms of sale (including discounts and freight costs), carrier, and credit authorization]

  46. Examples of Input Controls
      check digit - an extra digit is added to numbers to detect errors in transmission

      Acct#   description        $amount
      50011   factory wage-reg   54,321.89
      50021   factory wage-ot    11,573.91
      50101   office wage-reg    32,811.00
      50111   office wage-ot          1.64
                                 98,708.44

      [Diagram label: check digits]

  47. Examples of Input Controls
      record count - a control total of records processed (example: number of employee records processed in calculating payroll)

      SI number   Emp. name     Hours   Rate
      423988745   Jon Duchac    46      6.45
      127874639   Paul Juras    51      6.55
      567398674   Dale Martin   41      8.30
      245376868   Tom Taylor    43      8.60

      RECORD COUNT = 4

  48. Examples of Input Controls
      reasonableness and limit tests - determine if amounts are too high, too low, or unreasonable (example: the maximum employee pay rate may be $15/hour)

      SS number   Emp. name     Hours   Rate
      423988745   Jon Duchac    46      6.45
      127874639   Paul Juras    51      6.55
      567398674   Dale Martin   41      8.30
      245376868   Tom Taylor    43      28.60

      ERROR MESSAGE: Rate exceeds specified parameters.

  49. Examples of Input Controls
      field size check - results in an error message if more or less than a certain number of characters is input (example: social insurance numbers always have 9 characters)

      SI number    Emp. name     Hours   Rate
      423988745    Jon Duchac    46      6.45
      127874639    Paul Juras    51      6.55
      567398674    Dale Martin   41      8.30
      2453768688   Tom Taylor    43      8.60

      ERROR MESSAGE: SIN has excess characters.

  50. Examples of Input Controls
      field check - ensures that only numbers, alphabetic characters, or special characters are accepted into a specific field (example: SI numbers always have numeric characters)

      SI number   Emp. name     Hours   Rate
      423988745   Jon Duchac    46      6.45
      127874639   Paul Juras    51      6.55
      567398674   Dale Martin   41      8.30
      245at6868   Tom Taylor    43      8.60

      ERROR MESSAGE: SIN has non-numeric characters.
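
The input edit checks from slides 46 to 50, combined into one routine and run over the slides' payroll rows. This is an added example, not part of the original presentation. The function names, the Luhn scheme used for the check digit (the slides name no scheme) and the two numbers passed to `luhn_valid` are assumptions.

```python
MAX_RATE = 15.00  # limit test: the slides' example maximum pay rate ($15/hour)
SIN_LENGTH = 9    # field size check: the slides' example (SINs have 9 characters)

def is_numeric(value: str) -> bool:
    """Field check: ASCII digits only (str.isdigit alone also accepts e.g. '²')."""
    return value.isascii() and value.isdigit()

def luhn_valid(number: str) -> bool:
    """Check digit test. Luhn is an assumed scheme; the slides name none."""
    if not is_numeric(number):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_record(sin: str, rate: float) -> list:
    """Return the edit-check error messages for one payroll input record."""
    errors = []
    if not is_numeric(sin):
        errors.append("SIN has non-numeric characters.")
    if len(sin) > SIN_LENGTH:
        errors.append("SIN has excess characters.")
    elif len(sin) < SIN_LENGTH:
        errors.append("SIN has too few characters.")
    if not 0 < rate <= MAX_RATE:
        errors.append("Rate is outside specified parameters.")
    return errors

def process_batch(records: list, control_count: int) -> dict:
    """Edit each record, then compare the record count with the control total."""
    rejected = {n: errs for n, (sin, rate) in enumerate(records, start=1)
                if (errs := edit_record(sin, rate))}
    return {"record_count": len(records),
            "count_matches": len(records) == control_count,
            "rejected": rejected}

# (SIN, rate) pairs. The first four are the rows shown on the slides; the last
# three are the slides' erroneous variants, appended here as a constructed batch.
BATCH = [("423988745", 6.45), ("127874639", 6.55), ("567398674", 8.30),
         ("245376868", 8.60), ("245376868", 28.60), ("2453768688", 8.60),
         ("245at6868", 8.60)]

if __name__ == "__main__":
    print(process_batch(BATCH, control_count=4))
    print(luhn_valid("79927398713"), luhn_valid("79927398710"))  # constructed numbers
```

With a control total of 4, the seven-record batch fails the record count and records 5 to 7 are rejected by the limit, field size and field checks respectively.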
