Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and
their accounting applications. However, it may not be feasible for every auditor to be a
computer expert. Discuss the extent to which auditors should possess computer expertise to
be effective auditors.
Since most organizations make extensive use of computer-based systems in processing data, it is
essential that computer expertise be available in the organization's audit group. Such expertise
should include:
Not all auditors need to possess expertise in all of these areas. However, there is certainly some
minimum level of computer expertise that is appropriate for all auditors to have. This would
include:
11.2 Should internal auditors be members of systems development teams that design and
implement an AIS? Why or why not?
11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit
function, Berwick could (a) train some of its computer specialists in auditing, (b) hire
experienced auditors and train them to understand Berwick’s information system, (c) use a
combination of the first two approaches, or (d) try a different approach. Which approach
would you support, and why?
11.4 The assistant finance director for the city of Tustin, California, was fired after city officials
discovered that she had used her access to city computers to cancel her daughter’s $300 water
bill. An investigation revealed that she had embezzled a large sum of money from Tustin in
this manner over a long period. She was able to conceal the embezzlement for so long because
the amount embezzled always fell within a 2% error factor used by the city’s internal
auditors. What weaknesses existed in the audit approach? How could the audit plan be
improved? What internal control weaknesses were present in the system? Should Tustin’s
internal auditors have discovered this fraud earlier?
Audit approach weaknesses
practice.
Audit plan improvements
Internal control weaknesses
Should the auditors have detected the audit earlier?
11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an
anonymous note from an assembly-line operator who has worked at the company’s West
Coast factory for the past 15 years. The note indicated that there are some fictitious
employees on the payroll as well as some employees who have left the company. He offers no
proof or names. What computer-assisted audit technique could Lou use to help him
substantiate or refute the employee’s claim? (CIA Examination, adapted)
11.6. Explain the four steps of the risk-based audit approach, and discuss how they apply to the
overall security of a company.
The risk-based audit approach provides a framework for conducting information system audits. It
consists of the following 4 steps:
11.7. Compare and contrast the frameworks for auditing program development/acquisition and for
auditing program modification.
The two are similar in that:
The two are dissimilar in that:
SUGGESTED SOLUTIONS TO THE PROBLEMS
11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita,
the manager of administrative data processing, and expressed the desire to establish a more
effective interface between the two departments. Issa wants your help with a new
computerized accounts payable system currently in development. He recommends that your
department assume line responsibility for auditing suppliers’ invoices prior to payment. He
also wants internal auditing to make suggestions during system development, assist in its
installation, and approve the completed system after making a final review.
Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the pre-audit of
supplier's invoices.
b. The request that you make suggestions during system development.
c. The request that you assist in the installation of the system and approve the system after
making a final review.
11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the
audit of the company’s AIS. You have been reviewing the internal controls of the computer
system that processes most of its accounting applications. You have studied the company’s
extensive systems documentation. You have interviewed the information system manager,
operations supervisor, and other employees to complete your standardized computer internal
control questionnaire. You report to your supervisor that the company has designed a
successful set of comprehensive internal controls into its computer systems. He thanks you for
your efforts and asks for a summary report of your findings for inclusion in a final overall
report on accounting internal controls.
Have you forgotten an important audit step? Explain. List five examples of specific audit
procedures that you might recommend before reaching a conclusion.
11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a
computer payroll system. To test the computer systems and programs, you submit
independently created test transactions with regular data in a normal production run.
List four advantages and two disadvantages of this technique.
a. Advantages
b. Disadvantages
• Does not require extensive programming knowledge
• Approach and results are easy to understand.
• The complete system may be reviewed.
• Results are often easily checked.
• An opinion may be formed as to the system's data
processing accuracy.
• A regular computer program may be used.
• It may save time.
• The auditor gains experience.
• The auditor maintains control over the test.
• Invalid data can be submitted to test for rejections.
• Impractical to test all error possibilities.
• May be unable to relate input data to
output reports in a complex system.
• If independent files are not used, it may be
difficult to reverse or back out test data.
• Preparation of satisfactory test transactions
may be time consuming.
(CIA Examination, adapted)
a. Advantages
b. Disadvantages
• Extensive programming knowledge is not necessary.
• Understandable approach and results.
• Revision on the complete system
• Results are often easily evaluated.
• An opinion may be formed as to the system's data
processing accuracy.
• Make use of a regular computer program
• Time saving
• The auditor gains experience.
• The auditor maintains control over the test.
• Impossible to test all error cases.
• Not easy to identify a connection between
input data and output reports in a complex
system.
• Trouble in reserving or back out test data
due to the lack of use of independent files
• Preparation of satisfactory test transactions
may be time consuming.
11.4 You are involved in the audit of accounts receivable, which represent a significant portion of
the assets of a large retail corporation. Your audit plan requires the use of the computer, but
you encounter the following reactions:
For each situation, state how the auditor should proceed with the accounts receivable audit.
a. The computer operations manager says the company’s computer is running at full
capacity for the foreseeable future and the auditor will not be able to use the system for
audit tests.
b. The computer scheduling manager suggests that your computer program be stored in
the computer program library so that it can be run when computer time becomes
available.
c. You are refused admission to the computer room.
d. The systems manager tells you that it will take too much time to adapt the auditor’s
computer audit program to the computer’s operating system and that company
programmers will write the programs needed for the audit.
(CIA Examination, adapted)
11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DC&H). While
reviewing your staff’s audit work papers for the state welfare agency, you find that the test
data approach was used to test the agency’s accounting software. A duplicate program copy,
the welfare accounting data file obtained from the computer operations manager, and the test
transaction data file that the welfare agency’s programmers used when the program was
written were processed on DC&H’s home office computer. The edit summary report listing
no errors was included in the working papers, with a notation by the senior auditor that the
test indicates good application controls. You note that the quality of the audit conclusions
obtained from this test is flawed in several respects, and you decide to ask your subordinates
to repeat the test.
Identify three existing or potential problems with the way this test was performed. For each
problem, suggest one or more procedures that might be performed during the revised test to
avoid flaws in the audit conclusions.
Problems
Suggested Solutions
Duplicate copy of the program may not be a
true duplicate of the current version.
• Source code comparison.
• Reprocessing (use previously valid program).
• Process test transactions concurrently with live
ones, on a concealed basis.
Duplicate copy of the file may not be a true
duplicate of the current version.
• Obtain the live file and duplicate it under audit
control.
• Process test transactions concurrently with live
ones, on a concealed basis.
Programmer's test data file
a. was not independently prepared, and
b. may not have contained any erroneous
transactions to test the program’s ability
to detect errors.
• Auditor must devise their own test transactions,
either (a) manually, or (b) using a test data
generator. Erroneous transactions should
deliberately be included.
The test only checks the programs, not the
source data controls, error procedures, etc.
• Process test transactions concurrently with live
ones, on a concealed basis.
• Use mini-company test (Integrated Test
Facility).
Audit senior's conclusion has no basis (no
supporting evidence).
• Must predetermine the result of test data
processing, and then compare these to actual
results.
11.6 You are performing an information system audit to evaluate internal controls in Aardvark
Wholesalers’ (AW) computer system. From an AW manual, you have obtained the following job
descriptions for key personnel:
Director of information systems: Responsible for defining the mission of the information systems
division and for planning, staffing, and managing the IS department.
Manager of systems development and programming: Reports to director of information systems.
Responsible for managing the systems analysts and programmers who design, program, test,
implement, and maintain the data processing systems. Also responsible for establishing and monitoring
documentation standards.
Manager of operations: Reports to director of information systems. Responsible for management of
computer center operations, enforcement of processing standards, and systems programming,
including implementation of operating system upgrades.
Data entry supervisor: Reports to manager of operations. Responsible for supervision of data entry
operations and monitoring data preparation standards.
Operations supervisor: Reports to manager of operations. Responsible for supervision of computer
operations staff and monitoring processing standards.
Data control clerk: Reports to manager of operations. Responsible for logging and distributing
computer input and output, monitoring source data control procedures, and custody of programs and
data files.
b. Name two positive and two negative aspects (from an internal control standpoint) of this
organizational structure.
c. What additional information would you require before making a final judgment on the
adequacy of AW’s separation of functions in the information systems division?
a. Prepare an organizational chart for AW’s information systems division.
Director of
Information
Systems
Manager of
Systems
Development and
Programming
Manager of
Operations
Data Entry
Supervision
Operations
Supervisor
Data Control
Clerk
11.7 Robinson’s Plastic Pipe Corporation uses a data processing system for inventory. The input to
this system is shown in Table 11-7. You are using an input controls matrix to help audit the
source data controls.
Table 11-7 Parts Inventory Transaction File
Field Name
Field Type
Item number
Numeric
Description
Alphanumeric
Transaction date
Date
Transaction type
Alphanumeric
Document number
Alphanumeric
Quantity
Numeric
Unit cost
Monetary
Prepare an input controls matrix using the format and input controls shown in Figure 11-3;
however, replace the field names shown in Figure 11-3 with those shown in Table 11-7. Place
checks in the matrix cells that represent input controls you might expect to find for each field.
Inventory transactions input control matrix:
RECORD
NAME:
Parts inventory
transactions
FIELD NAMES
Item
number
Description
Transaction
date
Transaction
type
Document
number
Quantity
Unit
cost
Comments
INPUT
CONTROLS:
Financial totals
X
Compute Total
cost if possible
Hash totals
X
X
Record counts
Yes
Cross-footing
balance
No
Visual
inspection
X
X
X
X
X
X
X
All fields
Check digit
verification
X
Prenumbered
forms
X
Use prenumbered
form
Turnaround
document
No
Edit program
Yes
Sequence check
X
Field check
X
X
X
X
Sign check
X
X
Also for balance
on hand
Validity check
X
X
X
Limit check
Reasonableness
test
X
X
Compare quantity
with item number
Completeness
test
Completeness
Test
Completeness
Test
X
X
X
X
X
X
X
All fields
Size check
X
X
X
X
X
X
X
All fields
Other:
