Rais12 Sm Ch11

8/9/2019 Rais12 Sm Ch11

1/24

Accounting Information Systems

CHAPTER 11

AUDITING COMPUTER-BASED INFORMATION SYSTEMS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

11.1 Auditing an AIS !! "ti# $% & 'ui& ( t)at an audit*& )a# (*+ ,n* $ dg *! "*+ ut &( andt) i& a""*unting a $i"ati*n(. H* # &/ it +a% n*t 0 ! a(i0$ !*& # &% audit*& t* 0 a"*+ ut & &t. Di("u(( t) t nt t* )i") audit*&( ()*u$d *(( (( "*+ ut & &ti( t*0 !! "ti# audit*&(.

Since most organizations make extensive use of computer-based systems in processing data, it isessential that computer expertise be available in the organization's audit group. Such expertiseshould include:

• Extensive kno ledge of computer hard are, soft are, data communications, and accounting

applications

• ! detailed understanding of appropriate control policies and procedures in computer systems

• !n ability to read and understand system documentation

• Experience in planning computer audits and in using modern computer assisted auditing toolsand techni"ues #$!!%%s&.

ot all auditors need to possess expertise in all of these areas. (o ever, there is certainly someminimum level of computer expertise that is appropriate for all auditors to have. %his ouldinclude:

• !n understanding of computer hard are, soft are, accounting applications, and controls.

• %he ability to examine all elements of the computerized !)S

• %he ability to use the computer as a tool to accomplish these auditing ob*ectives.

11.2 S)*u$d int &na$ audit*&( 0 + +0 &( *! (%(t +( d # $* + nt t a+( t)at d (ign andi+ $ + nt an AIS3 W)% *& )% n*t3

+any people believe that internal auditors should be involved in systems development pro*ects in

order to ensure that ne ly developed systems are auditable and have effective controls. (o ever,if the auditor's involvement is too great, then his or her independence may be impaired ith respectto subse"uent revie and evaluation of the system. !ccordingly, the auditor should not be amember of a systems development team, or be other ise directly involved in designing orimplementing ne systems.

%here are indirect forms of auditor involvement that are appropriate. %he auditor can

. ecommend a series of control and audit guidelines that all ne systems should meet.

-

8/9/2019 Rais12 Sm Ch11

2/24

Ch. 11: Auditing Computer-Based Information Systems

/. )ndependently revie the ork of the systems development team, evaluate both the "uality of the systems development effort and its adherence to control and audit guidelines, and reportthe findings to management.

)n both cases, the auditor is orking through management rather than ith the systemsdevelopment team.

11.4 At & ( nt/ n* B & i", + $*% ( )a# auditing &i n" . T* (ta!! it( n int &na$ audit!un"ti*n/ B & i", "*u$d 5a6 t&ain (*+ *! it( "*+ ut & ( "ia$i(t( in auditing/ 506 )i&

&i n" d audit*&( and t&ain t) + t* und &(tand B & i",7( in!*&+ati*n (%(t +/ 5"6 u( a"*+0inati*n *! t) !i&(t t * a &*a") (/ *& 5d6 t&% a di!! & nt a &*a"). W)i") a &*a")

*u$d %*u (u *&t/ and )%3%he most effective auditor is a person ho has training and experience as an auditor and trainingand experience as a computer specialist. (o ever, fe people have such an extensive background,and personnel training and development are both expensive and time consuming.

0er ick may find it necessary to accept some tradeoffs in staffing its audit function. Since auditorsgenerally ork in teams, 0er ick should probably begin by using a combination of the first t oapproaches. %hen, as audit teams are created for specific purposes, care should be taken to ensurethat the members of each audit team have an appropriate mix of skills and experience.

11.8 T) a((i(tant !inan" di& "t*& !*& t) "it% *! Tu(tin/ Ca$i!*&nia/ a( !i& d a!t & "it% *!!i"ia$(di("*# & d t)at () )ad u( d ) & a"" (( t* "it% "*+ ut &( t* "an" $ ) & daug)t &7( 94:: at &0i$$. An in# (tigati*n & # a$ d t)at () )ad +0 ;;$ d a $a&g (u+ *! +*n % !&*+ Tu(tin int)i( +ann & *# & a $*ng &i*d. S) a( a0$ t* "*n" a$ t) +0 ;;$ + nt !*& (* $*ng 0 "au(t) a+*unt +0 ;;$ d a$ a%( ! $$ it)in a 2< &&*& !a"t*& u( d 0% t) "it%7( int &na$

audit*&(. W)at a,n (( ( i(t d in t) audit a &*a")3 H* "*u$d t) audit $an 0i+ &*# d3 W)at int &na$ "*nt&*$ a,n (( ( & & ( nt in t) (%(t +3 S)*u$d Tu(tin7(int &na$ audit*&( )a# di("*# & d t)i( !&aud a&$i &3

!udit approach eaknesses

. %he "uestion implies %ustin's internal auditors never bothered to investigate transactions beloa certain dollar amount, and1or shortages of less than a certain percent. %his is not good audit

practice.

/. 2hile auditors generally examine transaction samples that are selected to include a high percentage of items having a high dollar value, their sampling procedures should not ignore

transactions ith lo er dollar values. %here must have been hundreds of falsified transactions,and an effective sampling plan might have uncovered a fe of them.

3. !n internal control audit should have detected inade"uacies in %ustin's computer accesscontrols, as ell as a lack of transaction documentation.

!udit plan improvements

. !udit soft are could be used to fully reconcile collections ith billings, and list any

-/

8/9/2019 Rais12 Sm Ch11

3/24


discrepancies for further investigation.

)nternal control eaknesses

. !n assistant finance director should not have the authority to enter credits to customeraccounts. $ertainly, there should have been documentation to support such transactions.

/. %he assistant finance director should not have been granted rights to cancel ater or otherutility bills

Should the auditors have detected the audit earlier4

%he easy ans er here is yes, they should have uncovered the fraud earlier. 2hile she as able toembezzle a large sum of money from %ustin, it as over a long period. 5ne of the keys to hersuccess as that she did not get greedy and the amounts taken in any one year as probablyimmaterial to the city. %hese kinds of frauds are very hard to detect.

11.= >*u G*0$ / an int &na$ audit*& !*& a $a&g +anu!a"tu&ing nt & &i( / & " i# d an an*n%+*u(n*t !&*+ an a(( +0$%-$in * &at*& )* )a( *&, d at t) "*+ an%7( W (t C*a(t !a"t*&% !*&t) a(t 1= % a&(. T) n*t indi"at d t)at t) & a& (*+ !i"titi*u( + $*% ( *n t) a%&*$$a( $$ a( (*+ + $*% ( )* )a# $ !t t) "*+ an%. H *!! &( n* &**! *& na+ (. W)at"*+ ut &-a((i(t d audit t ")ni'u "*u$d >*u u( t* ) $ )i+ (u0(tantiat *& & !ut t)

+ $*% 7( "$ai+3 #$)! Examination, adapted&

$omputer-assisted audit tools and techni"ues #$!!%%s& could have been used to identify employeesho have no deductions. Experience has sho n that fictitious or terminated employees ill

generally not have deductions. %his happens because the fraud perpetrator ants as much moneyfrom each fraudulent or terminated employee paycheck as possible. !nother reason for this is that

they fear that a deduction payment sent to a third party might cause an investigation and uncovertheir fraud.

11.?. E $ain t) !*u& (t ( *! t) &i(,-0a( d audit a &*a")/ and di("u(( )* t) % a $% t* t)*# &a$$ ( "u&it% *! a "*+ an%.

%he risk-based audit approach provides a frame ork for conducting information system audits. )tconsists of the follo ing 6 steps:

. 7etermine the threats #fraud and errors& facing the company. %his is a list of the accidental orintentional abuse and damage to hich the system is exposed.

/. )dentify the control procedures that prevent, detect, or correct the threats. %hese are all the controls

that management has put into place and that auditors should revie and test, to minimize thethreats.3. Evaluate control procedures. $ontrols are evaluated t o ays. 8irst, a systems revie determines

hether control procedures are actually in place. Second, a tests of controls are conducted todetermine hether existing controls ork as intended.

6. Evaluate control eaknesses to determine their effect on the nature, timing, or extent of auditing procedures. )f the auditor determines that control risk is too high because the control system isinade"uate, the auditor may have to gather more evidence, better evidence, or more timelyevidence. $ontrol eaknesses in one area may be acceptable if there are compensating controls in

-

8/9/2019 Rais12 Sm Ch11

4/24


other areas.

%he risk-based approach provides auditors ith a clearer understanding of the overall security of acompany, including the fraud and errors that can occur in the company. )t also helps them

understand the related risks and exposures. )n addition, it helps them plan ho to test and evaluateinternal controls, as ell as ho to plan subse"uent audit procedures. %he result is a sound basis for developing recommendations to management on ho the !)S control system should be improved.

11.@. $ompare and contrast the frame orks for auditing program development1ac"uisition and forauditing program modification.

%he t o are similar in that:

• %hey both deal ith the revie of soft are.• %hey both are exposed to the same types of errors and fraud.• %hey use many of the same control procedures, audit procedures #both systems revie and

tests of controls&, and compensating controls, except that one set applies to programdevelopment and ac"uisition and the other set is tailored to address program modifications.%hese include management and user authorization and approval9 thorough testing9 revie ofthe policies, procedures, and standards9 and proper documentation. #$ompare %ables / and 3in the chapter.&

%he t o are dissimilar in that:• %he auditor s role in systems development is to perform an independent revie of systems

development and ac"uisition activities. %he auditor s role in program modification is to perform an independent revie of the procedures and controls used to modify soft are programs.

• %here are some control procedures, audit procedures #both systems revie and tests ofcontrols&, and compensating controls that are uni"ue to program development and ac"uisitionand others that are uni"ue to program modifications. #$ompare %ables / and 3 in thechapter.&

• !uditors test for unauthorized program changes, often on a surprise basis, is several ays thatthey do not have to test program development and ac"uisition. %hese include:o ;sing a source code comparison program to compare the current version of the program

ith the source code.o eprocessing data using the source code and comparing the output ith the company s

output.o

8/9/2019 Rais12 Sm Ch11

5/24


SUGGESTED SO>UTIONS TO THE PROB>EMS

11.1 Y*u a& t) di& "t*& *! int &na$ auditing at a uni# &(it%. R " nt$%/ %*u + t it) I((a A&nita/t) +anag & *! ad+ini(t&ati# data &*" ((ing/ and & (( d t) d (i& t* (ta0$i() a +*&

!! "ti# int &!a" 0 t n t) t * d a&t+ nt(. I((a ant( %*u& ) $ it) a n"*+ ut &i; d a""*unt( a%a0$ (%(t + "u&& nt$% in d # $* + nt. H & "*++ nd( t)at %*u&d a&t+ nt a((u+ $in & ( *n(i0i$it% !*& auditing (u $i &(7 in#*i" ( &i*& t* a%+ nt. Ha$(* ant( int &na$ auditing t* +a, (ugg (ti*n( du&ing (%(t + d # $* + nt/ a((i(t in it(in(ta$$ati*n/ and a &*# t) "*+ $ t d (%(t + a!t & +a,ing a !ina$ & #i .

W*u$d %*u a"" t *& & "t a") *! t) !*$$* ing3 W)%3

a. T) & "*++ ndati*n t)at %*u& d a&t+ nt 0 & ( *n(i0$ !*& t) & -audit *!(u $i & ( in#*i" (.

)nternal auditing should not assume responsibility for pre-audit of disbursements. 5b*ectivityis essential to the audit function, and internal auditors should be independent of the activitiesthey must revie . %hey should not prepare records or engage in any activity that couldcompromise their ob*ectivity and independence. 8urthermore, because internal auditing is astaff function, involvement in such a line function ould be inconsistent ith the proper roleof an internal auditor.

0. T) & 'u (t t)at %*u +a, (ugg (ti*n( du&ing (%(t + d # $* + nt.

)t ould be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. )nternal auditing should build an appropriate interface ith the 7ata

8/9/2019 Rais12 Sm Ch11

6/24


audit, either alone or as part of a team. #$)! Examination, adapted&

11.2 A( an int &na$ audit*& !*& t) Qui", Manu!a"tu&ing C*+ an%/ %*u a& a&ti"i ating in t)

audit *! t) "*+ an%7( AIS. Y*u )a# 0 n & #i ing t) int &na$ "*nt&*$( *! t) "*+ ut &(%(t + t)at &*" (( ( +*(t *! it( a""*unting a $i"ati*n(. Y*u )a# (tudi d t) "*+ an%7(

t n(i# (%(t +( d*"u+ ntati*n. Y*u )a# int i d t) in!*&+ati*n (%(t + +anag &/* &ati*n( (u i(*&/ and *t) & + $*% ( t* "*+ $ t %*u& (tanda&di; d "*+ ut & int &na$"*nt&*$ 'u (ti*nnai& . Y*u & *&t t* %*u& (u i(*& t)at t) "*+ an% )a( d (ign d a(u"" ((!u$ ( t *! "*+ & ) n(i# int &na$ "*nt&*$( int* it( "*+ ut & (%(t +(. H t)an,( %*u !*&%*u& !!*&t( and a(,( !*& a (u++a&% & *&t *! %*u& !inding( !*& in"$u(i*n in a !ina$ *# &a$$& *&t *n a""*unting int &na$ "*nt&*$(.

Ha# %*u !*&g*tt n an i+ *&tant audit (t 3 E $ain. >i(t !i# a+ $ ( *! ( "i!i" audit&*" du& ( t)at %*u +ig)t & "*++ nd 0 !*& & a")ing a "*n"$u(i*n.

%he important audit step that has not been performed is tests of controls #sometimes calledcompliance tests&. ! system revie only tells the auditor hat controls are prescribed. %ests ofcontrols allo the auditor to determine hether the prescribed controls are being adhered to andthey are operating effectively.

Examples of audit procedures that ould be considered tests of controls are:• 5bserve computer operations, data control procedures, and file library control procedures.

• )n"uiry of key systems personnel ith respect to the ay in hich prescribed control procedures are interpreted and implemented. ! "uestionnaire or checklist often facilitatessuch in"uiry.

• evie a sample of source documents for proper authorization.

• evie a sample of on-line data entries for authorization.

• evie the data control log, computer operations log, file librarian's log, and error log forevidence that prescribed policies are adhered to.

• %est data processing by submitting a set of hypothetical transactions and comparing systemoutputs ith expected results.

• %race selected transactions through the system and check their processing accuracy.

• $heck the accuracy of a sample of batch totals.

• evie system operating statistics.

• ;se a computer audit soft are package to edit data on selected master files and databases.

-=

8/9/2019 Rais12 Sm Ch11

7/24


11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of acomputer payroll system. To test the computer systems and programs, you submitindependently created test transactions with regular data in a normal production run.

>i(t !*u& ad#antag ( and t * di(ad#antag ( *! t)i( t ")ni'u .a. Ad#antag ( 0. Di(ad#antag (

• 7oes not re"uire extensive programmingkno ledge

• !pproach and results are easy to understand.• %he complete system may be revie ed.• esults are often easily checked.• !n opinion may be formed as to the system's

data processing accuracy.• ! regular computer program may be used.• )t may save time.• %he auditor gains experience.• %he auditor maintains control over the test.• )nvalid data can be submitted to test for

re*ections.

• )mpractical to test all error possibilities.

• +ay be unable to relate input data tooutput reports in a complex system.

• )f independent files are not used, itmay be difficult to reverse or back out testdata.

•

8/9/2019 Rais12 Sm Ch11

8/24


11.4 Y*u a& in#*$# d in t) audit *! a""*unt( & " i#a0$ / )i") & & ( nt a (igni!i"ant *&ti*n *!t) a(( t( *! a $a&g & tai$ "*& *&ati*n. Y*u& audit $an & 'ui& ( t) u( *! t) "*+ ut &/ 0ut%*u n"*unt & t) !*$$* ing & a"ti*n(

F*& a") (ituati*n/ (tat )* t) audit*& ()*u$d &*" d it) t) a""*unt( & " i#a0$ audit.

a. T) "*+ ut & * &ati*n( +anag & (a%( t) "*+ an%7( "*+ ut & i( &unning at !u$$"a a"it% !*& t) !*& ( a0$ !utu& and t) audit*& i$$ n*t 0 a0$ t* u( t) (%(t + !*&audit t (t(.

• %he auditor should not accept this explanation and should arrange ith companyexecutives for access to the computer system.

• %he auditor should recommend that the procedures manual spell out computer use andaccess for audits.

0. T) "*+ ut & (") du$ing +anag & (ugg (t( t)at %*u& "*+ ut & &*g&a+ 0 (t*& d int) "*+ ut & &*g&a+ $i0&a&% (* t)at it "an 0 &un ) n "*+ ut & ti+ 0 "*+ (a#ai$a0$ .

• The auditor should not permit the computer program to be stored because it could then bechanged without the auditor's knowledge.

". Y*u a& & !u( d ad+i((i*n t* t) "*+ ut & &**+.

• %he auditor's charter should clearly provide for access to all areas and records of theorganization.

d. T) (%(t +( +anag & t $$( %*u t)at it i$$ ta, t** +u") ti+ t* ada t t) audit*&7("*+ ut & audit &*g&a+ t* t) "*+ ut &7( * &ating (%(t + and t)at "*+ an%

&*g&a++ &( i$$ &it t) &*g&a+( n d d !*& t) audit.

• !uditors should insist on using their o n computer audit program, since someone at thecompany may ish to conceal falsified data or records.

• !uditors should insist on using their o n computer audit program to expedite the audit,simplify the application, and avoid misunderstanding.

#$)! Examination, adapted&

->

8/9/2019 Rais12 Sm Ch11

9/24


11.= Y*u a& a +anag & !*& t) CPA !i&+ *! D %/ C) at +/ and H* 5DC H6. W)i$& #i ing %*u& (ta!!7( audit *&, a &( !*& t) (tat $!a& ag n"%/ %*u !ind t)at t) t (tdata a &*a") a( u( d t* t (t t) ag n"%7( a""*unting (*!t a& . A du $i"at &*g&a+ "* %/t) $!a& a""*unting data !i$ *0tain d !&*+ t) "*+ ut & * &ati*n( +anag &/ and t) t (t

t&an(a"ti*n data !i$ t)at t) $!a& ag n"%7( &*g&a++ &( u( d ) n t) &*g&a+ a(&itt n & &*" (( d *n DC H7( )*+ *!!i" "*+ ut &. T) dit (u++a&% & *&t $i(ting n*&&*&( a( in"$ud d in t) *&,ing a &(/ it) a n*tati*n 0% t) ( ni*& audit*& t)at t) t (t

indi"at ( g**d a $i"ati*n "*nt&*$(. Y*u n*t t)at t) 'ua$it% *! t) audit "*n"$u(i*n( *0tain d!&*+ t)i( t (t i( !$a d in ( # &a$ & ( "t(/ and %*u d "id t* a(, %*u& (u0*&dinat ( t* & att) t (t.

Id nti!% t)& i(ting *& *t ntia$ &*0$ +( it) t) a% t)i( t (t a( &!*&+ d. F*& a")&*0$ +/ (ugg (t *n *& +*& &*" du& ( t)at +ig)t 0 &!*&+ d du&ing t) & #i( d t (t t*

a#*id !$a ( in t) audit "*n"$u(i*n(.

8/9/2019 Rais12 Sm Ch11

10/24


11.? Y*u a& &!*&+ing an in!*&+ati*n (%(t + audit t* #a$uat int &na$ "*nt&*$( in Aa&d#a&,W)*$ (a$ &(7 5AW6 "*+ ut & (%(t +. F&*+ an AW +anua$/ %*u )a# *0tain d t) !*$$* ing *0d ("&i ti*n( !*& , % &(*nn $

Director of information systems: R ( *n(i0$ !*& d !ining t) +i((i*n *! t) in!*&+ati*n (%(t +(

di#i(i*n and !*& $anning/ (ta!!ing/ and +anaging t) IS d a&t+ nt. Manager of systems development and programming: R *&t( t* di& "t*& *! in!*&+ati*n (%(t +(.R ( *n(i0$ !*& +anaging t) (%(t +( ana$%(t( and &*g&a++ &( )* d (ign/ &*g&a+/ t (t/i+ $ + nt/ and +aintain t) data &*" ((ing (%(t +(. A$(* & ( *n(i0$ !*& (ta0$i()ing and +*nit*&ingd*"u+ ntati*n (tanda&d(.

Manager of operations: R *&t( t* di& "t*& *! in!*&+ati*n (%(t +(. R ( *n(i0$ !*& +anag + nt *!"*+ ut & " nt & * &ati*n(/ n!*&" + nt *! &*" ((ing (tanda&d(/ and (%(t +( &*g&a++ing/in"$uding i+ $ + ntati*n *! * &ating (%(t + u g&ad (.

Data entry supervisor: R *&t( t* +anag & *! * &ati*n(. R ( *n(i0$ !*& (u i(i*n *! data nt&%* &ati*n( and +*nit*&ing data & a&ati*n (tanda&d(.

Operations supervisor: R *&t( t* +anag & *! * &ati*n(. R ( *n(i0$ !*& (u i(i*n *! "*+ ut &

* &ati*n( (ta!! and +*nit*&ing &*" ((ing (tanda&d(. Data control clerk: R *&t( t* +anag & *! * &ati*n(. R ( *n(i0$ !*& $*gging and di(t&i0uting"*+ ut & in ut and *ut ut/ +*nit*&ing (*u&" data "*nt&*$ &*" du& (/ and "u(t*d% *! &*g&a+( anddata !i$ (.

a. P& a& an *&gani;ati*na$ ")a&t !*& AW7( in!*&+ati*n (%(t +( di#i(i*n.

- ?

8/9/2019 Rais12 Sm Ch11

11/24


0. Na+ t * *(iti# and t * n gati# a( "t( 5!&*+ an int &na$ "*nt&*$ (tand *int6 *! t)i(*&gani;ati*na$ (t&u"tu& .

. 2hat is good about this organization structure:

• Systems development and programming are organizationally independent of theoperations functions.

• $omputer operations organizationally independent of data entry and data control.

/. 2hat is bad about this organization structure:

• %he manager of operations is responsible for systems programming, hich is aviolation of segregation of systems duties.

• %he data control clerk is responsible for the file library, hich is a violation ofsegregation of systems duties.

c. W)at additi*na$ in!*&+ati*n *u$d %*u & 'ui& 0 !*& +a,ing a !ina$ udg+ nt *n t)ad 'ua"% *! AW7( ( a&ati*n *! !un"ti*n( in t) in!*&+ati*n (%(t +( di#i(i*n3

• )s access to e"uipment, files, and documentation restricted and documented4

• !re activity logs for operating functions maintained and revie ed4

• )s there rotation of operations personnel and mandatory vacations4

• )s source data authorized4

-

8/9/2019 Rais12 Sm Ch11

12/24


11.@ R*0in(*n7( P$a(ti" Pi C*& *&ati*n u( ( a data &*" ((ing (%(t + !*& in# nt*&%. T) in ut t*t)i( (%(t + i( ()* n in Ta0$ 11-@. Y*u a& u(ing an in ut "*nt&*$( +at&i t* ) $ audit t)(*u&" data "*nt&*$(.

Table 11-7 Pa&t( In# nt*&% T&an(a"ti*n Fi$Field Name Field Type)tem number umeric7escription !lphanumeric%ransaction date 7ate%ransaction type !lphanumeric7ocument number !lphanumeric@uantity umeric;nit cost +onetary

P& a& an in ut "*nt&*$( +at&i u(ing t) !*&+at and in ut "*nt&*$( ()* n in Figu& 11-4)* # &/ & $a" t) !i $d na+ ( ()* n in Figu& 11-4 it) t)*( ()* n in Ta0$ 11-@. P$a"") ",( in t) +at&i " $$( t)at & & ( nt in ut "*nt&*$( %*u +ig)t "t t* !ind !*& a") !i $d.

- /

8/9/2019 Rais12 Sm Ch11

13/24


In# nt*&% t&an(a"ti*n( in ut "*nt&*$ +at&i :

E$5 7 !+E:

8/9/2019 Rais12 Sm Ch11

14/24


11. A( an int &na$ audit*& !*& t) (tat audit*&7( *!!i" / %*u a& a((ign d t* & #i t) i+ $ + ntati*n *! an "*+ ut & (%(t + in t) (tat $!a& ag n"%. T) ag n"% i( in(ta$$ing an *n$in "*+ ut & (%(t + t*+aintain t) (tat 7( data0a( *! $!a& & "i i nt(. Und & t) *$d (%(t +/ a $i"ant( !*& $!a&a((i(tan" "*+ $ t d a !*&+ gi#ing t) i& na+ / add& ((/ and *t) & &(*na$ data/ $u( d tai$( a0*utt) i& in"*+ / a(( t(/ d nd nt(/ and *t) & data n d d t* (ta0$i() $igi0i$it%. T) data a& ") ", d 0%

$!a& a+in &( t* # &i!% t) i& aut) nti"it%/ " &ti!% t) a $i"ant7( $igi0i$it% !*& a((i(tan" / andd t &+in t) !*&+ and a+*unt *! aid.

Und & t) n (%(t +/ $!a& a $i"ant( nt & data *n t) ag n"%7( W 0 (it *& gi# t) i& data t*"$ &,(/ )* nt & it u(ing *n$in t &+ina$(. Ea") a $i"ant & "*&d )a( a nding (tatu( unti$ a

$!a& a+in & "an # &i!% t) aut) nti"it% *! t) data u( d t* d t &+in $igi0i$it%. W) n t)# &i!i"ati*n i( "*+ $ t d/ t) a+in & ")ang ( t) (tatu( "*d t* a &*# d/ and t) (%(t +"a$"u$at ( t) aid a+*unt.

P &i*di"a$$%/ & "i i nt "i&"u+(tan" ( 5in"*+ / a(( t(/ d nd nt(/ t".6 ")ang / and t) data0a( i(u dat d. E a+in &( nt & t) ( ")ang ( a( (**n a( t) i& a""u&a"% i( # &i!i d/ and t) (%(t +& "a$"u$at ( t) & "i i nt7( n $!a& 0 n !it. At t) nd *! a") +*nt)/ a%+ nt( a& $ "t&*ni"a$$%d *(it d in t) & "i i nt7( 0an, a""*unt(.

W $!a& a((i(tan" a+*unt( t* ( # &a$ )und& d +i$$i*n d*$$a&( annua$$%. Y*u a& "*n" &n d a0*ut t)*((i0i$iti ( *! !&aud and a0u( .

a. D ("&i0 )* t* + $*% "*n"u&& nt audit t ")ni'u ( t* & du" t) &i(,( *! !&aud anda0u( .

!udits should be concerned about a dishonest elfare examiner or unauthorized personsubmitting fictitious transactions into the system. 8ictitious transactions could causeexcessive elfare benefits to be paid to a valid elfare recipient, or payments made to anineligible or fictitious recipient.

%he concurrent audit techni"ues needed most deal ith submitting changes in record statusfrom pending to approved and modifying elfare records to reflect changes in therecipient's circumstances. %he auditor should verify that the system is set up to:

check the pass ord of every person ho uses the system

permit applicant records to be entered only by persons classified as elfare clerks

• permit transaction update records to be entered only by persons classified as elfareexaminers

• capture and store the identity of the person entering every applicant record and

transaction update record%he most useful concurrent audit techni"ue to minimize the risk of fraudulent updatetransactions ould be audit hooks. %hese program subroutines ould revie every recordentered into the system, capture all data relating to any record that is suspicious and possiblyfraudulent, rite these records on an audit log or file, and report these records to the auditstaff on a real-time basis. Some examples of "uestionable records that audit hooks might bedesigned to flag ould be:• !ny elfare application record that is entered into the system by someone other than one

- 6

8/9/2019 Rais12 Sm Ch11

15/24


of the authorized elfare clerks, and especially if entered by a elfare examiner.• !ny elfare record status change or modification that is entered into the system by

someone other than one of the authorized elfare examiners.

• !ssuming that it takes a minimum of n days for a elfare examiner to verify theauthenticity of the data provided by a elfare applicant, any record update transactionentered in less than n days of the original applicant record entry.

• !ny elfare record modification transaction that causes a elfare recipient's benefits toincrease by a significant amount #say, /?F&, or to exceed some upper limit that is close tothe maximum amount a recipient can collect.

• !ny elfare record that is modified more than t o or three times ithin a short period,such as t o or three months.

• !ny record modification transaction that involves a change in the recipient's address.

• !ny elfare record here the recipient's address is a post office box.

• !ny elfare record that is not modified ithin a five-year period.

• !ny attempt to access the system by someone not able to supply a valid elfare clerk orelfare examiner pass ord.

• !ny record entered into the system at a time of day other than during the agency's normal business hours, or one that is entered during a eekend or holiday period.

;ndoubtedly, other useful audit hooks could be identified. %he audit staff shouldbrainstorm about methods that a fraud perpetrator could use to defraud the system, and

develop audit hooks to counteract plausible fraud schemes.

!s the audit staff receives the data captured by these audit hooks, they must promptly folloup to verify the validity of the data in each "uestionable record.

%he auditor should verify that the program code that calculates elfare recipient's benefits isthoroughly tested during the implementation process. She should copy the program code soit can be compared ith the code that is in use at subse"uent intervals. %o supplement this

procedure, as ell as to provide additional protection against a possible fraud perpetrator, theauditor could add another audit hook that captures relevant data relating to any attempt toaccess and modify the elfare processing program itself.

-

8/9/2019 Rais12 Sm Ch11

16/24


b. D ("&i0 )* t* u( "*+ ut & audit (*!t a& t* & #i t) *&, $!a& a+in &( d* t*# &i!% a $i"ant $igi0i$it% data. A((u+ t)at t) (tat audit*&7( *!!i" )a( a"" (( t* *t) & (tatand $*"a$ g*# &n+ nt ag n"% data0a( (.

$omputer audit soft are can process the elfare recipient database against other databases thatcontain data about elfare recipients, identify any discrepancies in the data items used to determineeligibility for benefits and1or calculate the amount of benefits, and report these discrepancies to theaudit staff. 5ther possible databases that might be used for this purpose ould include:

• State income tax records, hich contain data on the income and dependents of elfarerecipients.

• State unemployment and1or disability compensation records, hich contain data on othersources of income for elfare recipients.

• State motor vehicle registration records, hich might contain data about valuable assets o ned by elfare recipients.

•

8/9/2019 Rais12 Sm Ch11

17/24


11. M $inda R*0in(*n/ t) di& "t*& *! int &na$ auditing at Sa") + Manu!a"tu&ing C*+ an%/0 $i # ( t) "*+ an% ()*u$d u&")a( (*!t a& t* a((i(t in t) !inan"ia$ and &*" du&a$audit( ) & d a&t+ nt "*ndu"t(. R*0in(*n i( "*n(id &ing t) !*$$* ing (*!t a& a",ag (

A g n &a$i; d audit (*!t a& a",ag t* a((i(t in 0a(i" audit *&,/ (u") a( t) & t&i #a$ *!

$i# data !&*+ $a&g "*+ ut & !i$ (. T) d a&t+ nt *u$d & #i t)i( in!*&+ati*n u(ing"*n# nti*na$ audit in# (tigati*n t ")ni'u (. T) d a&t+ nt "*u$d &!*&+ "&it &ia( $ "ti*n/ (a+ $ing/ 0a(i" "*+ utati*n( !*& 'uantitati# ana$%(i(/ & "*&d )and$ing/g&a )i"a$ ana$%(i(/ and &int *ut ut 5i. ./ "*n!i&+ati*n(6.An ITF a",ag t)at u( (/ +*nit*&(/ and "*nt&*$( du++% t (t data &*" (( d 0% i(ting

&*g&a+(. It a$(* ") ",( t) i(t n" and ad 'ua"% *! data nt&% and &*" ((ing"*nt&*$(.

A !$* ")a&ting a",ag t)at g&a )i"a$$% & ( nt( t) !$* *! in!*&+ati*n t)&*ug) a(%(t + and in *int( "*nt&*$ (t& ngt)( and a,n (( (.A a&a$$ $ (i+u$ati*n and +*d $ing a",ag t)at u( ( a"tua$ data t* "*ndu"t t) (a+t (t( u(ing a $*gi" &*g&a+ d # $* d 0% t) audit*&. T) a",ag "an a$(* 0 u( d t* ( , an( &( t* di!!i"u$t audit &*0$ +( 5in#*$#ing +an% "*+ a&i(*n(6 it)in (tati(ti"a$$%a"" ta0$ "*n!id n" $i+it(.

#$+! Examination, adapted&

a. Wit)*ut & ga&d t* an% ( "i!i" "*+ ut & audit (*!t a& / id nti!% t) g n &a$ ad#antag (*! u(ing "*+ ut & audit (*!t a& t* a((i(t it) audit(.

!udits can be more efficient, saving labor time spent on routine calculations. %he routineoperations of footing extensions, transcription bet een reports, report generation, etc., are

performed by the computer.

%he auditor's time spent on the audit is more analytical than clerical.

%he auditor can examine more records and extract data more readily through ad hocreporting.

$omputer-generated reports and schedules are more ob*ective and professional, improvingdata communication.

!udit sampling is improved. !ny bias in sample selection is eliminated because of assuredrandomness. %his has a direct effect on sampling precision, reliability, and audit accuracy.

8/9/2019 Rais12 Sm Ch11

18/24


transactions must be representative of all of the transactions the dummy unitemulates. !ll types of valid and invalid transactions must be used and blended ithregular transactions over time to test the system properly under normal conditions.

evie all output and processing routines including a comparison of actual results to predetermined results.

F$* ")a&ting a",ag %he purpose of a control flo charting package is to interpret the program source code and generate a program flo chart corresponding to it in order tofacilitate the revie of internal controls. %o use a control flo charting package, the internalauditor should:

Establish the audit ob*ective by identifying the systems and programs to be tested.

evie manuals and documentation of the system and intervie involved personnelto get an overvie of the operations to be tested.

Parallel simulation and modeling package The purpose of a parallel simulation package isto ensure that organizational objectives are being met, ensure compliance to technicalstandards, and detect unauthorized program changes. To use a parallel simulation package:

un the same data used in the company's current application program using thesimulated application program.

$ompare the results from the simulated application ith the results from thecompany's current application program to verify that ob*ectives are being met.

- >

8/9/2019 Rais12 Sm Ch11

19/24


11.10 The fixed-asset master file at Thermo-Bond includes the following data items:

A(( t nu+0 & Dat *! & ti& + nt 5 J J2: !*& a(( t( (ti$$ in ( i" 6D ("&i ti*n D & "iati*n + t)*d "*d

T% "*d D & "iati*n &at>*"ati*n "*d U( !u$ $i! 5% a&(6Dat *! a"'ui(iti*n A""u+u$at d d & "iati*n at 0 ginning *! % a&O&igina$ "*(t Y a&-t*-dat d & "iati*n

E $ain ( # &a$ a%( audit*&( "an u( "*+ ut & audit (*!t a& in &!*&+ing a !inan"ia$audit *! T) &+*-B*nd7( !i d a(( t(.

• Edit the file for obvious errors or inconsistencies such as:

o etired assets that have a non-zero net value.

o etirement date that precedes ac"uisition date.

o !ccumulated depreciation that exceeds original cost.

o ;seful life that exceeds a reasonable limit #such as 6? years&.

o )nvalid type code, location code, or depreciation method code.

o umeric fields that contain non-numeric data.

• ecalculate year-to-date depreciation for each asset record, compare to the amount in therecord, and list all asset records for hich a discrepancy exists.

•

8/9/2019 Rais12 Sm Ch11

20/24


11.11 Y*u a& auditing t) !inan"ia$ (tat + nt( *! a "*(+ ti"( di(t&i0ut*& t)at ( $$( t)*u(and( *!indi#idua$ it +(. T) di(t&i0ut*& , ( it( in# nt*&% in it( di(t&i0uti*n " nt & and in t *

u0$i" a& )*u( (. At t) nd *! a") 0u(in (( da%/ it u dat ( it( in# nt*&% !i$ / )*(& "*&d( "*ntain t) !*$$* ing data

It + nu+0 & C*(t & it +It + d ("&i ti*n Dat *! $a(t u&")a(Quantit%-*n-)and Dat *! $a(t (a$It + $*"ati*n Quantit% (*$d du&ing % a&

Y*u i$$ u( audit (*!t a& t* a+in in# nt*&% data a( *! t) dat *! t) di(t&i0ut*&7()%(i"a$ in# nt*&% "*unt. Y*u i$$ &!*&+ t) !*$$* ing audit &*" du& (

1. O0( t) di(t&i0ut*&7( )%(i"a$ in# nt*&% "*unt at % a&- nd and t (t a (a+ $ !*&a""u&a"%.

2. C*+ a& t) audit*&7( t (t "*unt( it) t) in# nt*&% & "*&d(.4. C*+ a& t) "*+ an%7( )%(i"a$ "*unt data it) t) in# nt*&% & "*&d(.

8. T (t t) +at) +ati"a$ a""u&a"% *! t) di(t&i0ut*&7( !ina$ in# nt*&% #a$uati*n.=. T (t in# nt*&% &i"ing 0% *0taining it + "*(t( !&*+ 0u% &(/ # nd*&(/ *& *t) & (*u&" (.?. E a+in in# nt*&% u&")a( and (a$ t&an(a"ti*n( *n *& n a& t) % a&- nd dat t* # &i!%

t)at a$$ t&an(a"ti*n( & & "*&d d in t) &* & a""*unting &i*d.@. A(" &tain t) &* &i t% *! in# nt*&% it +( $*"at d in u0$i" a& )*u( (.

. Ana$%; in# nt*&% !*& #id n" *! *((i0$ *0(*$ (" n" .

. Ana$%; in# nt*&% !*& #id n" *! *((i0$ *# &(t*",ing *& ($* -+*#ing it +(.1:. T (t t) a""u&a"% *! indi#idua$ data it +( $i(t d in t) di(t&i0ut*&7( in# nt*&% +a(t &

!i$ .

D ("&i0 )* t) u( *! t) audit (*!t a& a",ag and a "* % *! t) in# nt*&% !i$ data+ig)t 0 ) $ !u$ t* t) audit*& in &!*&+ing a") *! t) ( auditing &*" du& (.

#$

-/?

8/9/2019 Rais12 Sm Ch11

21/24


Audit P&*" du& H* Audit S*!t a& Can H $

. 5bserve the distributor s physical count

of inventories as of a given date, andtest a sample of the distributor sinventory counts for accuracy.

7etermine hich items are to be test counted by

taking a random sample of a representativenumber of items from the inventory file as of thedate of the physical count.

/. $ompare the auditor s test counts to theinventory records.

!rrange test counts in a format identical to theinventory file, and then match the counts.

3. $ompare physical count data to theinventory records.

$ompare the total of the extended values of allinventory items counted, and the extended valuesof each inventory item counted, to the inventoryrecords.

6. %est the mathematical accuracy of thedistributors final inventory valuation.

$alculate the dollar value of each inventory itemcounted by multiplying the "uantity on hand bythe cost per unit, and then verify the addition ofthe extended dollar values.

G. %est the pricing of the inventory byobtaining a list of costs per item from

buyers, vendors, or other sources.

$ompare the unit costs on the auditor s price testto those on the inventory file.

=.Examine inventory purchase and saletransactions on or near the year-end dateto verify that all such transactions ererecorded in the proper accounting period.

%ake a sample of inventory file items for hichthe date of last purchase and date of the last saleare on or immediately prior to the date of the

physical count, hich is usually at fiscal yearend.

H.!scertain the propriety of items ofinventory located in public arehouses.

.!nalyze inventory for evidence of possible obsolescence.

8/9/2019 Rais12 Sm Ch11

22/24


11.12 W)i") *! t) !*$$* ing ()*u$d )a# t) &i+a&% & ( *n(i0i$it% t* d t "t and "*&& "t data&*" ((ing &&*&(3 E $ain )% t)at !un"ti*n ()*u$d )a# &i+a&% & ( *n(i0i$it% and )%

t) *t) &( ()*u$d n*t. #$

a. T) data &*" ((ing +anag & J %he data processing manager should have primaryresponsibility to detect and correct data processing errors. %he data processing manager has

primary responsibility for the four stages of the data processing cycle, hich are data input, data processing, data storage, and information output. Setting up a system that ill detect and correctdata processing errors falls s"uarely into the data processing cycle.

b. T) "*+ ut & * &at*& J !lthough the computer operator is responsible for the operation of thehard are and soft are of the organization, he is not responsible for detecting and correcting data

processing errors. 0eing able to both process data and correct data processing errors ould allothe operator to KfixL non-existent errors in a ay that ould benefit the operator personally9 thatis, it ould allo the perpetrator to commit and conceal fraud.

c. T) "*& *&at "*nt&*$$ & J %he corporate controller has overall responsibility for the operationof the accounting function, but ould not have primary responsibility to detect and correct data

processing errors.

d. T) ind nd nt u0$i" a""*untant J %he independent auditor has no responsibility to detectand correct a client s data processing errors. %he independent auditor s responsibility is to attestto fairness of the financial statements.

-//

8/9/2019 Rais12 Sm Ch11

23/24


SUGGESTED SO>UTIONS TO THE CASES

11.1 Y*u a& &!*&+ing a !inan"ia$ audit *! t) g n &a$ $ dg & a""*unt( *! P& (t*nManu!a"tu&ing. A( t&an(a"ti*n( a& &*" (( d/ (u++a&% *u&na$ nt&i ( a& add d t* t)

g n &a$ $ dg & !i$ at t) nd *! t) da%. At t) nd *! a") da%/ t) g n &a$ *u&na$ !i$ i(&*" (( d again(t t) g n &a$ $ dg & "*nt&*$ !i$ t* "*+ ut a n "u&& nt 0a$an" !*& a")

a""*unt and t* &int a t&ia$ 0a$an" .

T) !*$$* ing & (*u&" ( a& a#ai$a0$ a( %*u "*+ $ t t) audit

Y*u& !i&+7( g n &a$i; d "*+ ut & audit (*!t a& A "* % *! t) g n &a$ *u&na$ !i$ !*& t) nti& % a& A "* % *! t) g n &a$ $ dg & !i$ a( *! !i("a$ % a&- nd

5"u&& nt 0a$an" K % a&- nd 0a$an" 6 A &int*ut *! P& (t*n7( % a&- nd t&ia$ 0a$an" $i(ting t) a""*unt nu+0 &/ a""*unt na+ /

and 0a$an" *! a") a""*unt *n t) g n &a$ $ dg & "*nt&*$ !i$

C& at an audit &*g&a+ !*& P& (t*n Manu!a"tu&ing. F*& a") audit (t / $i(t t) audit*0 "ti# ( and t) &*" du& ( %*u *u$d u( t* a""*+ $i() t) audit &*g&a+ (t .

General JournalFi $d Na+ Fi $d T%

!ccount number umeric!mount +onetary7ebit1credit code !lphanumeric7ate #++1771CC& 7ate

eference document type !lphanumericeference document number umeric

General Ledger

ControlFi $d Na+ Fi $d T%

!ccount number umeric!ccount name !lphanumeric0eginning balance1year +onetary0eg-bal-debit1credit code !lphanumeric$urrent balance +onetary$ur-bal-debit1credit code !lphanumeric

-

8/9/2019 Rais12 Sm Ch11

24/24


AUDIT PROGRAM AUDIT OBLECTI ES AND PROCEDURES

a. Edit the general *ournal file for errors and

inconsistencies such as:• )nvalid debit1credit code or document type.• 7ate not ithin current fiscal year.• +issing data values.• on-numeric data in account number,

amount, or document number fields.

5b*ective: Evaluate the "uality of the file data.

Rais12 Sm Ch11

Documents