Transcription of INFORMATION SYSTEM AUDITING AND ASSURANCE
1 17 James A. HallChapterAccounting INFORMATION Systems, 4th. & AssuranceStudy Notes Prepared by H. M. Savage South-Western Publishing Co., 2004 Page 17-1 CHAPTER 17 INFORMATION SYSTEM AUDITING AND ASSURANCEAs more and more accounting and business systems were automated, it became more andmore evident that the field of AUDITING had to change. As the systems being audited increasedtheir use of technology, new techniques for evaluating them were required. This chapterfocuses on computer or INFORMATION systems (IS) AUDITING . It begins with a discussion ofhow the AUDITING profession has expanded in response to the spread of objectives of this chapter are:!
2 To understand the general purpose of an audit and to have a firm grasp of the basicconceptual elements of the audit process;!to know the difference between internal and external AUDITING and to be able toexplain the relationship between these two types of AUDITING ;!to understand how AUDITING objectives and tests of control are determined by thecontrol structure of the firm that is being audited;!to be familiar with the audit objective and tests of control for each of the nine generalcontrol areas;!to understand the AUDITING techniques that are used to verify the effective functioningof application controls; and!
3 To understand the AUDITING techniques used to perform substantive tests in a CBIS environment. 17 James A. HallChapterAccounting INFORMATION Systems, 4th. & AssuranceNotesStudy Notes Prepared by H. M. Savage South-Western Publishing Co., 2004 Page services versus ASSURANCE ServicesBecause AIS is a prerequisite to the AUDITING course on manycampuses, it is understandable that you not be too sure of thenature and purpose of an audit. This introduction is, ofnecessity, brief. It will not take the place of your auditingcourse. But it is a start.
4 Read carefully to distinguish betweentraditional AUDITING (the attest function) and the emerging fieldof ASSURANCE services . Fig. 17-1, on page 861, is a schematicof the is a Financial Audit? AUDITING is a form of independent attestation (orverification) performed by an expert who expressesan opinion about the fairness of a company sfinancial statements. Independence is of greatimportance since it is fundamental to stakeholderconfidence in the audit of an audit involves studying the clientorganization, evaluating the internal controls of thesystem to see how it works, and evaluating theinformation in the StandardsYou are familiar with GAAP, Generally AcceptedAccounting Principles.
5 These must be followed bycompanies required by SEC regulation to providefinancial statements. In order for users to be confidentthat the audit did examine the books thoroughly, theexternal auditor must follow GAAS, GenerallyAccepted AUDITING Standards. This section introducesGAAS, in particular, the Statements on AuditingStandards issued by the AICPA as needed, since1972. Early in the text you were introduced to SAS78. Read carefully the discussion related to Table17-1, on page AUDITING versus Internal AuditingMany of the same tasks are often carried out byexternal auditors and by individuals who areemployees of the client.
6 These employees who areinvolved in audit-related activities are called internalauditors. Although employed by the client firm,many duties can be conducted with a reasonable levelof objectivity if the internal auditors report to theaudit committee of the board of trustees, and not tothe controller, who is responsible for the accountingsystem. Rather than representing the interests of 17 James A. HallChapterAccounting INFORMATION Systems, 4th. & AssuranceNotesStudy Notes Prepared by H. M. Savage South-Western Publishing Co., 2004 Page 17-3external stakeholders, they serve the best interests ofthe client organization text presents the standard definition of auditingand discusses the key elements.
7 This is brief is an INFORMATION Technology (IT) Audit?IT AUDITING refers to the part of an audit that involvesthe computerized elements of an accountinginformation SYSTEM . It is here that the elements ofauditing are present. Note in particular, the discussionof audit objectives. See Table 17-2, on page Structure of an IT AuditFig. 17-2, on page 867, is a schematic of an IT auditshowing three phases: audit planning, tests ofcontrols (tests of the SYSTEM ), and substantive testing(tests of the data in the SYSTEM ). Each of these phasesis comprised of several steps.
8 The discussion is Audit Risk and Designing Testsof ControlsSeveral concerns face an auditor that material errors do existin the accounting SYSTEM and that the audit will not detectthem. The text discusses audit risk the probability that anauditor will render a clean audit opinion when material errorsexist. Risk ComponentsThere are three basic components of audit risk:!inherent risk,!control risk, and!detection are two basic types of audit tests: tests ofcontrols, which determine whether the internalcontrols are operating correctly ( , these are tests ofthe accounting SYSTEM ), and substantive tests, whichdetermine whether the data fairly reflects theorganization s financial affairs ( , these are tests ofthe accounting INFORMATION in the SYSTEM ).
9 17 James A. HallChapterAccounting INFORMATION Systems, 4th. & AssuranceNotesStudy Notes Prepared by H. M. Savage South-Western Publishing Co., 2004 Page between Tests of Controls andSubstantive TestsThe results of the tests of controls have great impacton the extent of substantive testing required. If theinternal controls SYSTEM is judged to be strong, lesssubstantive testing is needed. Or, if the controls aredeemed to be weak, more testing must be done tojudge the of General ControlsThis section of the text follows the framework developed inChapter 15 with regard to general controls.
10 The next sectionfocuses on application controls. But first, you must understandthe concept of an audit Audit ObjectivesThe objective(s) of any audit test relates to theexposures that may threaten the organization sactivities and the internal controls that are in place. The approach that will be taken will relate risk,control, the audit objective, and the appropriate auditprocedure. Significant professional judgment isrequired in 17-3, on pages 870-01, summarizes exposuresand controls in a CBIS environment. Use this as yourguide for reading the related narrative.
