JAMES A. HALL - Accounting Information System Chapter 17
COPYRIGHT 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license
development
- Risks and controls for program changes and the source program library
- Auditing techniques (CAATTs) used to verify application controls
- Auditing techniques used to perform substantive tests in an IT environment
1. Systems Strategy
- Assessment
- Develop Strategic Plan
2. Project Initiation
- Feasibility Study
- Analysis
- Conceptual Design
- Cost/Benefit Analysis
3. In-house Development
- Construct
- Deliver
4. Commercial Packages
- Configure
- Test
- Roll-out
Systems Development
Auditing objectives: ensure that...
- SDLC activities are applied consistently and in accordance with management's policies
- the system as originally implemented was free from material errors and fraud
- the system was judged to be necessary and justified at various checkpoints throughout the SDLC
- system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
Systems Development IC
- New systems must be authorized.
- Feasibility studies were conducted.
- User needs were analyzed and addressed.
- Cost-benefit analysis was done.
- Proper documentation was completed.
- All program modules must be thoroughly
System Maintenance IC
- Last, longest and most costly phase of SDLC
- Up to 80-90% of entire cost of a system
All maintenance actions should require:
- Technical specifications
- Testing
- Documentation updates
- Formal authorizations for any changes
Program Change
Auditing objectives: detect unauthorized program maintenance and determine that...
- maintenance procedures protect applications from unauthorized changes
- applications are free from material errors
- program libraries are protected from unauthorized access
purposes
- deleting obsolete programs from the library
- documenting program changes to provide an audit trail of the changes
and the audit function
- Assigns program version numbers automatically
- Controlled access to maintenance commands
Program Change
Auditing procedures: verify that programs
program changes
- identification and correction of application errors
- control of access to systems libraries
Application Controls
Narrowly focused exposures within a
cash receipts
general ledger
Application Controls
Risks within specific applications
INPUT
PROCESSING
OUTPUT
accurate, and complete input data
Two common causes of input errors:
- transcription errors: wrong character or
control digit
especially useful for transcription and transposition errors
limits
- Range checks identify values outside upper and lower bounds
- Reasonableness checks compare one field to another to see if the relationship is appropriate
- Validity checks compare values to known or standard values
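
The input controls named above (control digit, range, reasonableness and validity checks), combined in one edit routine as an added example that is not part of the original slides. The modulus-11 weighting is an assumed scheme, since the slides do not name one, and every field name, limit and record is constructed.

```python
# Added example: programmed input edits applied to one payroll record.
# Field names, limits and reference data are constructed for illustration.

VALID_DEPTS = {"FIN", "OPS", "HR"}                      # validity check: known codes
HOURS_RANGE = (0, 80)                                   # range check: lower/upper bound
MAX_RATE_BY_GRADE = {"clerk": 25.00, "manager": 90.00}  # reasonableness: rate vs. grade


def mod11_check_digit(base):
    """Weighted modulus-11 control digit (assumed scheme; weights 2,3,4... from the right).
    Returns None when the result would be 10; such numbers are simply not issued."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else check


def has_valid_check_digit(code):
    """True when the last digit of code matches the digit computed from the rest."""
    if len(code) < 2 or not code.isdigit():
        return False
    return mod11_check_digit(code[:-1]) == int(code[-1])


def validate_record(rec):
    """Return the names of the input controls the record fails, in test order."""
    errors = []
    if not has_valid_check_digit(rec["employee_no"]):
        errors.append("check digit")
    if not HOURS_RANGE[0] <= rec["hours"] <= HOURS_RANGE[1]:
        errors.append("range")
    if rec["dept"] not in VALID_DEPTS:
        errors.append("validity")
    if rec["rate"] > MAX_RATE_BY_GRADE.get(rec["grade"], 0):
        errors.append("reasonableness")
    return errors


# Constructed records: base number 12345 carries control digit 5, giving 123455.
# BAD transposes two digits of the employee number and breaks the other three edits.
GOOD = {"employee_no": "123455", "hours": 40, "dept": "FIN", "grade": "clerk", "rate": 18.50}
BAD = {"employee_no": "132455", "hours": 400, "dept": "XYZ", "grade": "clerk", "rate": 85.00}

if __name__ == "__main__":
    print(validate_record(GOOD))
    print(validate_record(BAD))
```
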
processes that transform input data into information for output
Three categories:
Batch controls
Run-to-run controls
Audit trail controls
output with the input originally entered into the system
Based on different types of batch totals:
- total number of records
- total dollar value
- hash totals - sum of non-financial numbers
to monitor the batch as it moves from one programmed procedure (run) to another
Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
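
Batch totals and run-to-run checking, as an added example that is not part of the original slides: the three totals are recomputed after every run and compared with the batch control record. The batch, the run names and the faulty update step are constructed; the fault posts one item to a wrong account, which leaves the record count and dollar total intact and is caught only by the hash total.

```python
# Added example: batch control totals recomputed after each processing run.
from decimal import Decimal

# Constructed batch and the control record prepared when the batch was assembled.
BATCH = [
    {"account_no": "40017", "amount": Decimal("125.00")},
    {"account_no": "40233", "amount": Decimal("980.50")},
    {"account_no": "41102", "amount": Decimal("43.25")},
    {"account_no": "40558", "amount": Decimal("310.00")},
]
HEADER = {"record_count": 4, "dollar_total": Decimal("1458.75"), "hash_total": 161910}


def control_totals(records):
    """Record count, dollar total, and hash total (sum of account numbers)."""
    return {
        "record_count": len(records),
        "dollar_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account_no"]) for r in records),
    }


def reconcile(expected, records):
    """Return {total_name: (expected, actual)} for every total that disagrees."""
    actual = control_totals(records)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def run_pipeline(batch, header, runs):
    """Run-to-run control: stop at the first run whose output no longer reconciles."""
    for name, run in runs:
        batch = run(batch)
        diffs = reconcile(header, batch)
        if diffs:
            return name, diffs
    return None, {}


def sort_run(batch):
    return sorted(batch, key=lambda r: r["account_no"])


def faulty_update(batch):
    # Constructed fault: one item is posted to account 41120 instead of 41102.
    return [dict(r, account_no="41120") if r["account_no"] == "41102" else r for r in batch]


if __name__ == "__main__":
    print(run_pipeline(BATCH, HEADER, [("sort", sort_run), ("update", faulty_update)]))
```
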
that system output is not lost, misdirected, or corrupted, and that privacy is not violated. In the following flowchart, there are exposures at every stage.
Output Flowchart
during the printing process that may be inappropriately accessed
Printing creates two risks:
- production of unauthorized copies of
disposed of, e.g., shredding
Report distribution - for sensitive reports, the following are available:
- use of secure mailboxes
- require the user to sign for reports in
output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
approaches:
- black box - around the computer
- white box - through the computer
problems - good for new systems or systems which have undergone recent maintenance
- base case system evaluation (BCSE) - using a comprehensive set of test transactions
- tracing - performs an electronic walkthrough of the application's internal logic
automated, on-going technique that enables the auditor to test an application's logic and controls during its normal operation
Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
Substantive Testing
Techniques to substantiate account balances. For example:
- search for unrecorded liabilities
- confirm accounts receivable to ensure they are not overstated
Requires first extracting data from the system. Two technologies commonly used to select, access, and organize data are:
- embedded audit module
- generalized audit software
material transactions
- The chosen, material transactions are used for sampling in substantive tests
- Requires additional computing resources by the client
- Hard to maintain in systems with high maintenance
them:
- screen data
- statistical sampling methods
- foot & balance
- format reports
- compare files and fields
- recalculate data fields