
IT3 Auditing in a CIS Environment

Reminders:
1) We will not be using laptops or netbooks every meeting, so I will announce when we need them. A minimum of
one device per group is required; a group may have more than one.
2) Some of our case analyses are based on the “Information Technology Auditing” PDF, so please bring it to every meeting.

PRELIM

Chapter 1 Auditing and Internal Control

Reporter 1: CHAPTER 1 - Auditing and Internal Control


Overview of Auditing 2
External (Financial) Audits 2
Attest Service versus Advisory Services 2
Internal Audits 3
External versus Internal Auditors 4
Fraud Audits 4
The Role of the Audit Committee 5

Assignment:
- What is the difference between information system and information technology?
- What is flipped classroom?
- Define objectivity as it relates to the internal audit function.
- Difference between publicly traded companies and private companies.
- Bring index card with 2x2 photo. Attributes: Name, Permanent address, Email Address, Cellphone No., Birthdate,
School Year, Course & Year, School, Subject & Section, Favorite quote or tagline.

Guide questions:
1) What is the impact of IT on the field of auditing? What are its implications?
Impacts: inspired the reengineering of traditional business processes
Implications: more efficient operations, improved communications; new risks, new internal control
2) What is the purpose of an IT audit?

3) Explain the various types of audits. Who among them can perform an IT audit?
Types:
external (financial) audit – aka attest service; performed by CPAs working at public accounting firms who are
independent of the audited organization
internal audit
fraud audit
((who??))

4) What are the 4 authoritative rules to be followed strictly by the external auditor in conducting financial audits? If
there is conflict, which rule will prevail?
SEC – will prevail
FASB – financial accounting standards board
AICPA
SOX – Sarbanes-Oxley Act of 2002
5) What are the two services that can be rendered by the external auditors? Distinguish these services. To which of
these services does the IT audit belong?
Attest Service – expresses a conclusion about the reliability of assertions of a responsible party; requires: written
assertions, written report, formal measurement criteria, service levels limited to examination, review and
application of agreed-upon procedures
Advisory Service – offered to improve operational efficiency and effectiveness; unbounded domain; includes:
actuarial advice, business advice, fraud investigation, IS design and implementation, internal control
assessments
6) Define and contrast attestation services and advisory services.
Refer to number 5
7) Distinguish the legislation prior to the passage of SOX from the SOX legislation regarding audit services and
non-audit services.
Before: accounting firms could provide advisory services to audit clients
After: Great restriction on nonaudit services to audit clients
8) What are the nine services that cannot be performed by an external auditor who is performing audit services for the
same client?
Bookkeeping
systems design and implementation
appraisal
actuarial
internal audit outsourcing
management of HR
broker/dealer/investment adviser/investment banking services
legal services
other services impermissible by board regulation
9) Can an internal auditor perform a financial audit? Explain.
internal auditors can cooperate and assist external auditors in performing aspects of financial audits; they can
perform certain procedures under the supervision of external auditors
10) Can an external auditor rely on the work of the internal auditor? Explain.
Rely: if competent, organizationally independent, and reports to the board of directors’ audit committee
Not rely: if incompetent or reports directly to the controller, which compromises the internal auditor’s independence
11) Explain the difference between external auditor and internal auditor.
Their respective constituencies
External auditor: represent outsiders
Internal auditor: represent interests of the organization
12) Discuss the concept of independence within the context of a financial audit. How is independence different for
internal auditors?
External auditors: independent of organization being audited, outsiders
Internal auditors: are employees of the organization; organizationally independent depending on whom they
report to
Independent if to board of directors audit committee
Not independent if to controller
13) Are all companies required to form an audit committee? Explain.
All publicly traded companies are mandated by SOX to form an audit committee to serve as an independent check
and balance for the internal audit function in liaison with external auditors; external auditors report to the audit
committee, which hires and fires auditors and resolves disputes
14) What are the requirements of the audit committee?
Usually three people who should be outsiders (not associated with families of executives, not former officers)
At least one member that must be a financial expert
15) What are the roles of the audit committee?
Check and balance, liaison of external auditors, hire/fire auditors, resolve disputes
16) What are the 4 factors that have some bearing on audit committee failures that may result in corporate frauds?
Audit committee failures
Lack of independence of audit committee members
Inactive audit committees
Total absence of an audit committee
Lack of experienced members
17) Why is an Independent Audit Committee important to a company?
They look for ways to identify risk
Employees who observe suspicious behavior or do fraudulent activities
Independent guardian of entity’s assets
18) An organization’s internal audit department is usually considered to be an effective control mechanism for
evaluating the organization’s internal structure. The ABC Company’s internal auditing function reports directly to the
controller. Comment on the effectiveness of this organizational structure.
Independence of the audit committee is compromised especially when there are disputes over audit practices

Reporter 2: CHAPTER 1 - Auditing and Internal Control


Financial Audit Components 5
Auditing Standards 5
A Systematic Process 6
Management Assertions and Audit Objectives 6
Obtaining Evidence 7
Ascertaining Materiality 7
Communicating Results 8

Assignment:
Definition of management assertion.
Statements by the management that assert that financial statements are fairly presented

Guide questions:
1) What is the product of the attestation function?
Formal written report that expresses an opinion about the reliability of the assertions contained in the financial
statements
The report expresses an opinion on whether the FS conform with GAAP
2) What are the 5 Financial Audit Components?
Auditing standards
Systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining materiality
Communicating results
((I’m not sure??))
3) What are the four qualifications of the auditor in rendering their services?
Competence, professionalism, integrity, independence
4) How are auditors guided in their professional responsibility?
Guided by the 10 GAAS (generally accepted auditing standards), e.g. auditors must have adequate technical
training/proficiency; auditors must have independence of mental attitude
5) What is the difference between auditing standards and auditing procedures?
6) What are the 3 classes of auditing standards? Explain each.
7) Distinguish between GAAS and SAS.
8) Explain what a systematic process is.
9) Where can an auditor find the management assertions? How can the auditor determine whether the management
assertions are true?
10) Definition of management assertions.
11) What are the 6 management assertions? Explain the audit objectives for each.
12) What are the two categories of audit objectives?
13) What is the purpose of obtaining evidence in an audit? In what area of the IT environment is the evidence
gathered?
14) What are the two methods used in collecting evidence? Distinguish the two methods.
15) Explain the concept of materiality.
16) How do IT auditors communicate their audit findings?

Reporter 3: CHAPTER 1 - Auditing and Internal Control


Audit Risk 8
Audit Risk Components 8
Inherent Risk 8
Detection Risk 9
Audit Risk Model 9
The Relationship Between Tests of Controls and Substantive Tests 10
The IT Audit 10
The Structure of an IT Audit 10

Assignment:
Difference between business risk and audit risk.

Guide questions:
1) What is audit risk?
2) Difference between business risks and audit risk.
3) What are the 2 causes of material misstatements of financial statements? Differentiate the 2. Which do you think
concerns the auditors the most?
4) What are the 3 Audit Risk Components?
5) Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
6) Why is it necessary for the auditor to perform tests of controls and substantive tests?
7) How do the tests of controls affect substantive tests?
8) Explain the relationship between internal controls and substantive testing.
9) Explain the relationship between Tests of Controls and Substantive Tests.
10) What are the conceptual phases of an audit? How do they differ between financial auditing and IT auditing?
11) What is the focus of an IT Audit?
12) What is the auditor’s objective in Audit Planning?
13) In audit planning, how does an auditor gain a thorough understanding of the client’s business? Or, what method is
used for the auditor to gain a thorough understanding of the client’s business?
14) What are the 3 factors the auditor considers in the audit risk analysis?
15) What are the techniques used to gather evidence for audit planning?
16) What is the objective of tests of controls?
17) What are the techniques used to gather evidence for tests of controls?
18) What is the focus of tests of controls? What kind of risk is being assessed in the tests of controls? Explain.
19) What is the focus of Substantive Testing?
20) What are the techniques used to gather evidence for substantive testing?

Reporter 4: CHAPTER 1 - Auditing and Internal Control


Internal Control 11
Brief History of Internal Control Legislation 12
Internal Control Objectives, Principles, and Models 14
Modifying Principles 14
The PDC Model 16
COSO Internal Control Framework 17
Audit Implications of SOX 24

Chapter 2 Auditing IT Governance Controls

CHAPTER 2 - Auditing IT Governance Controls 35


Information Technology Governance 36
IT Governance Controls 36
Structure of the Information Technology Function 36
Centralized Data Processing 36
Segregation of Incompatible IT Functions 39
The Distributed Model 41
Controlling the DDP Environment 45
The Computer Center 47
Physical Location 47
Construction 47
Access 47
Air Conditioning 48
Fire Suppression 48
Fault Tolerance 48
Audit Objectives 49
Audit Procedures 49
Disaster Recovery Planning 50
Identify Critical Applications 51
Creating a Disaster Recovery Team 52
Providing Second-Site Backup 52
Outsourcing the IT Function 57
Risks Inherent to IT Outsourcing 58
Audit Implications of IT Outsourcing 59
Summary 60

Chapter 3 Security Part I: Auditing Operating Systems and Networks

CHAPTER 3 - Security Part I: Auditing Operating Systems and Networks 67


Auditing Operating Systems 68
Operating System Objectives 68
Operating System Security 69
Threats to Operating System Integrity 69
Operating System Controls and Audit Tests 70
Auditing Networks 75
Intranet Risks 76
Internet Risks 77
Controlling Networks 80
Controlling Risks from Subversive Threats 82
Controlling Risks from Equipment Failure 92
Auditing Electronic Data Interchange (EDI) 93
EDI Standards 94
Benefits of EDI 95
Financial EDI 97
EDI Controls 99
Access Control 99
Auditing PC-Based Accounting Systems 101
PC Systems Risks and Controls 102
Summary 105
Appendix 106

Chapter 5 Systems Development and Program Change Activities

CHAPTER 5 - Systems Development and Program Change Activities 171


Participants in Systems Development 172
Why Are Accountants and Auditors Involved with SDLC? 172
How Are Accountants Involved with the SDLC? 172
Information Systems Acquisition 173
In-House Development 173
Commercial Systems 173
The Systems Development Life Cycle 175
Systems Planning—Phase I 177
Systems Analysis—Phase II 179
Conceptual Systems Design—Phase III 183
System Evaluation and Selection—Phase IV 187
Detailed Design—Phase V 195
Application Programming and Testing—Phase VI 195
System Implementation—Phase VII 198
Systems Maintenance—Phase VIII 204
Controlling and Auditing the SDLC 204
Controlling New Systems Development 205
Controlling Systems Maintenance 206
Summary 213

MIDTERM

Chapter 4 Security Part II: Auditing Database Systems

CHAPTER 4 - Security Part II: Auditing Database Systems 129


Data Management Approaches 130
The Flat-File Approach 130
The Database Approach 132
Key Elements of the Database Environment 133
Database Management System 133
Users 136
The Database Administrator 138
The Physical Database 139
DBMS Models 141
Databases in a Distributed Environment 149
Centralized Databases 150
Distributed Databases 151
Concurrency Control 154
Controlling and Auditing Data Management Systems 155
Access Controls 155
Summary 164

Chapter 8 Data Structures and CAATTs for Data Extraction

CHAPTER 8 - Data Structures and CAATTs for Data Extraction 327


Data Structures 328
Flat-File Structures 329
Hierarchical and Network Database Structures 336
Relational Database Structure, Concepts, and Terminology 338
Relational Database Concepts 339
Anomalies, Structural Dependencies, and Data Normalization 344
Designing Relational Databases 350
Identify Entities 350
Construct a Data Model Showing Entity Associations 352
Add Primary Keys and Attributes to the Model 354
Normalize Data Model and Add Foreign Keys 355
Construct the Physical Database 356
Prepare the User Views 358
Global View Integration 359
Embedded Audit Module 359
Disadvantages of EAMs 360
Generalized Audit Software 361
Using GAS to Access Simple Structures 361
Using GAS to Access Complex Structures 361
Audit Issues Pertaining to the Creation of Flat Files 363
ACL Software 363
Data Definition 364
Customizing a View 366
Filtering Data 367
Stratifying Data 369
Statistical Analysis 369
Summary 370
Appendix 371

Chapter 11 Enterprise Resource Planning Systems

CHAPTER 11 - Enterprise Resource Planning Systems 545


What Is an ERP? 546
ERP Core Applications 547
Online Analytical Processing 548
ERP System Configurations 549
Server Configurations 549
OLTP Versus OLAP Servers 549
Database Configuration 553
Bolt-On Software 553
Data Warehousing 554
Modeling Data for the Data Warehouse 555
Extracting Data from Operational Databases 555
Cleansing Extracted Data 557
Transforming Data into the Warehouse Model 557
Loading the Data into the Data Warehouse Database 558
Decisions Supported by the Data Warehouse 559
Supporting Supply Chain Decisions from the Data Warehouse 560
Risks Associated with ERP Implementation 561
Big Bang Versus Phased-in Implementation 561
Opposition to Changes in the Business’s Culture 562
Choosing the Wrong ERP 562
Choosing the Wrong Consultant 564
High Cost and Cost Overruns 565
Disruptions to Operations 566
Implications for Internal Control and Auditing 566
Transaction Authorization 567
Segregation of Duties 567
Supervision 567
Accounting Records 567
Independent Verification 568
Access Controls 568
Internal Control Issues Related to ERP Roles 570
Contingency Planning 572
Summary 572
Appendix 573

Chapter 6 Transaction Processing and Financial Reporting Systems Overview

CHAPTER 6 - Transaction Processing and Financial Reporting Systems Overview 223


An Overview of Transaction Processing 224
Transaction Cycles 224
Accounting Records 226
Manual Systems 226
The Audit Trail 231
Computer-Based Systems 234
Documentation Techniques 236
Data Flow Diagrams and Entity Relationship Diagrams 236
System Flowcharts 239
Program Flowcharts 249
Record Layout Diagrams 250
Computer-Based Accounting Systems 251
Differences Between Batch and Real-Time Systems 252
Alternative Data Processing Approaches 253
Batch Processing Using Real-Time Data Collection 256
Real-Time Processing 258
Controlling the TPS 258
Data Coding Schemes 258
A System without Codes 258
A System with Codes 260
Numeric and Alphabetic Coding Schemes 261
The General Ledger System 264
The Journal Voucher 264
The GLS Database 264
The Financial Reporting System 266
Sophisticated Users with Homogeneous Information Needs 267
Financial Reporting Procedures 267
XBRL—Reengineering Financial Reporting 269
XML 270
XBRL 271
The Current State of XBRL Reporting 275
Controlling the FRS 275
COSO Internal Control Issues 275
Internal Control Implications of XBRL 278
Summary 278

PREFINAL
Chapter 7 Computer-Assisted Audit Tools and Techniques

CHAPTER 7 - Computer-Assisted Audit Tools and Techniques 289


Application Controls 290
Input Controls 290
Processing Controls 303
Output Controls 306
Testing Computer Application Controls 310
Black-Box Approach 310
White-Box Approach 311
Computer-aided Audit Tools and Techniques for Testing Controls 314
Test Data Method 314
The Integrated Test Facility 317
Parallel Simulation 319
Summary 320

Chapter 9 Auditing the Revenue Cycle

CHAPTER 9 - Auditing the Revenue Cycle 393


Revenue Cycle Activities and Technologies 393
Batch Processing Using Sequential Files—Manual Procedures 394
Batch Processing Using Sequential Files—Automated Procedures 397
Batch Cash Receipts System with Direct Access Files 401
Real-Time Sales Order Entry and Cash Receipts 401
Point-of-Sale (POS) Systems 405
Daily Procedures 405
End-of-day Procedures 407
Revenue Cycle Audit Objectives, Controls, and Tests of Controls 407
Input Controls 409
Output Controls 417
Substantive Tests of Revenue Cycle Accounts 419
Revenue Cycle Risks and Audit Concerns 419
Understanding Data 420
Testing the Accuracy and Completeness Assertions 423
Testing the Existence Assertion 429
Testing the Valuation/Allocation Assertion 434
Summary 435
Appendix 436

Chapter 10 Auditing the Expenditure Cycle

CHAPTER 10 - Auditing the Expenditure Cycle 469


Expenditure Cycle Activities and Technologies 469
Purchases and Cash Disbursement Procedures Using Batch Processing Technology 470
Reengineering the Purchases/Cash Disbursement System 475
Overview of Payroll Procedures 479
Expenditure Cycle Audit Objectives, Controls, and Tests of Controls 482
Input Controls 483
Process Controls 487
Output Controls 492
Substantive Tests of Expenditure Cycle Accounts 493
Expenditure Cycle Risks and Audit Concerns 494
Understanding Data 494
Testing the Accuracy and Completeness Assertions 497
Review Disbursement Vouchers for Unusual Trends and Exceptions 498
Testing the Completeness, Existence, and Rights and Obligations Assertions 503
Summary 506
Appendix 507

Chapter 12 Business Ethics, Fraud, and Fraud Detection

CHAPTER 12 - Business Ethics, Fraud, and Fraud Detection 585


Ethical Issues in Business 586
Business Ethics 586
Computer Ethics 587
Sarbanes-Oxley Act and Ethical Issues 590
Fraud and Accountants 592
Definitions of Fraud 592
The Fraud Triangle 593
Financial Losses from Fraud 595
The Perpetrators of Frauds 595
Fraud Schemes 598
Auditor’s Responsibility for Detecting Fraud 608
Fraudulent Financial Reporting 609
Misappropriation of Assets 609
Auditor’s Response to Risk Assessment 610
Response to Detected Misstatements Due to Fraud 610
Documentation Requirements 610
Fraud Detection Techniques 611
Payments to Fictitious Vendors 611
Payroll Fraud 612
Lapping Accounts Receivable 613
Summary 614
Glossary 629
Index 637
