Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and
their accounting applications. However, it may not be feasible for every auditor to be a
computer expert. Discuss the extent to which auditors should possess computer expertise to
be effective auditors.
Since most organizations make extensive use of computer-based systems in processing data, it is
essential that computer expertise be available in the organization's audit group. Such expertise
should include:
Not all auditors need to possess expertise in all of these areas. However, there is certainly some
minimum level of computer expertise that is appropriate for all auditors to have. This would
include:
An understanding of computer hardware, software, accounting applications, and controls.
11.2 Should internal auditors be members of systems development teams that design and
implement an AIS? Why or why not?
Many people believe that internal auditors should be involved in systems development projects in
order to ensure that newly developed systems are auditable and have effective controls. However,
There are indirect forms of auditor involvement that are appropriate. The auditor can
1. Recommend a series of control and audit guidelines that all new systems should meet.
In both cases, the auditor is working through management rather than with the systems
development team.
11-1
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit
function, Berwick could (a) train some of its computer specialists in auditing, (b) hire
experienced auditors and train them to understand Berwick’s information system, (c) use a
combination of the first two approaches, or (d) try a different approach. Which approach
would you support, and why?
The most effective auditor is a person who has training and experience as an auditor and training
11.4 The assistant finance director for the city of Tustin, California, was fired after city officials
discovered that she had used her access to city computers to cancel her daughter’s $300 water
bill. An investigation revealed that she had embezzled a large sum of money from Tustin in
this manner over a long period. She was able to conceal the embezzlement for so long because
the amount embezzled always fell within a 2% error factor used by the city’s internal
auditors. What weaknesses existed in the audit approach? How could the audit plan be
improved? What internal control weaknesses were present in the system? Should Tustin’s
internal auditors have discovered this fraud earlier?
Audit approach weaknesses
1. The question implies Tustin's internal auditors never bothered to investigate transactions below
Audit plan improvements
1. Audit software could be used to fully reconcile collections with billings, and list any
Internal control weaknesses
1. An assistant finance director should not have the authority to enter credits to customer
11-2
©2018 Pearson Education, Inc.
Accounting Information Systems
Should the auditors have detected the audit earlier?
The easy answer here is yes; they should have uncovered the fraud earlier. While she was able to
11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an anonymous
note from an assembly-line operator who has worked at the company’s West Coast factory for
the past 15 years. The note indicated that there are some fictitious employees on the payroll
as well as some employees who have left the company. He offers no proof or names. What
computer-assisted audit technique could Lou use to help him substantiate or refute the
employee’s claim? (CIA Examination, adapted)
Computer-assisted audit tools and techniques (CAATTs) could have been used to identify employees
11.6. Explain the four steps of the risk-based audit approach, and discuss how they apply to the
overall security of a company.
The risk-based audit approach provides a framework for conducting information system audits. It
consists of the following 4 steps:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the
3. Evaluate control procedures. Controls are evaluated two ways. First, a systems review
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of
The risk-based approach provides auditors with a clearer understanding of the overall security of a
company, including the fraud and errors that can occur in the company. It also helps them
11-3
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
11.7. Compare and contrast the frameworks for auditing program development/acquisition and for
auditing program modification.
The two are similar in that:
They both deal with the review of software.
They both are exposed to the same types of errors and fraud.
They use many of the same control procedures, audit procedures (both systems review and
tests of controls), and compensating controls, except that one set applies to program
The two are dissimilar in that:
The auditor’s role in systems development is to perform an independent review of systems
There are some control procedures, audit procedures (both systems review and tests of
Auditors test for unauthorized program changes, often on a surprise basis, is several ways that
they do not have to test program development and acquisition. These include:
oUsing a source code comparison program to compare the current version of the program
oReprocessing data using the source code and comparing the output with the company’s
oParallel simulation, where the auditor writes a program instead of using the source code
11-4
©2018 Pearson Education, Inc.
Accounting Information Systems
SUGGESTED SOLUTIONS TO THE PROBLEMS
11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita,
the manager of administrative data processing, and expressed the desire to establish a more
effective interface between the two departments. Issa wants your help with a new
computerized accounts payable system currently in development. He recommends that your
department assume line responsibility for auditing suppliers’ invoices prior to payment. He
also wants internal auditing to make suggestions during system development, assist in its
installation, and approve the completed system after making a final review.
Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the pre-audit of
supplier's invoices.
Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity
is essential to the audit function, and internal auditors should be independent of the activities
b. The request that you make suggestions during system development.
It would be advantageous for internal auditing to make specific suggestions during the design
Determine that there are documentation standards and that they are being followed.
Determine that the project itself is under control and that there is a system for gauging
design progress.
c. The request that you assist in the installation of the system and approve the system after
making a final review.
The auditor must remain independent of any system they will subsequently audit. Therefore,
the auditor must refrain from giving overall approval of the system in final review. The
auditor may help in the installation or conversion of the system by continuing to offer
11-5
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the
audit of the company’s AIS. You have been reviewing the internal controls of the computer
system that processes most of its accounting applications. You have studied the company’s
extensive systems documentation. You have interviewed the information system manager,
operations supervisor, and other employees to complete your standardized computer internal
control questionnaire. You report to your supervisor that the company has designed a
successful set of comprehensive internal controls into its computer systems. He thanks you for
your efforts and asks for a summary report of your findings for inclusion in a final overall
report on accounting internal controls.
Have you forgotten an important audit step? Explain. List five examples of specific audit
procedures that you might recommend before reaching a conclusion.
The important audit step that has not been performed is tests of controls (sometimes called
Examples of audit procedures that would be considered tests of controls are:
Observe computer operations, data control procedures, and file library control procedures.
Inquiry of key systems personnel with respect to the way in which prescribed control
procedures are interpreted and implemented. A questionnaire or checklist often facilitates
such inquiry.
11-6
©2018 Pearson Education, Inc.
Accounting Information Systems
11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a
computer payroll system. To test the computer systems and programs, you submit
independently created test transactions with regular data in a normal production run.
List four advantages and two disadvantages of this technique.
a. Advantages b. Disadvantages
Does not require extensive programming
knowledge
Impractical to test all error
possibilities.
(CIA Examination, adapted)
11-7
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
11.4 You are involved in the audit of accounts receivable, which represent a significant portion of
the assets of a large retail corporation. Your audit plan requires the use of the computer, but
you encounter the following reactions:
For each situation, state how the auditor should proceed with the accounts receivable audit.
a. The computer operations manager says the company’s computer is running at full
capacity for the foreseeable future and the auditor will not be able to use the system for
audit tests.
b. The computer scheduling manager suggests that your computer program be stored in
the computer program library so that it can be run when computer time becomes
available.
c. You are refused admission to the computer room.
The auditor's charter should clearly provide for access to all areas and records of the
d. The systems manager tells you that it will take too much time to adapt the auditor’s
computer audit program to the computer’s operating system and that company
programmers will write the programs needed for the audit.
Auditors should insist on using their own computer audit program, since someone at the
(CIA Examination, adapted)
11-8
©2018 Pearson Education, Inc.
Accounting Information Systems
11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DC&H). While
reviewing your staff’s audit work papers for the state welfare agency, you find that the test
data approach was used to test the agency’s accounting software. A duplicate program copy,
the welfare accounting data file obtained from the computer operations manager, and the test
transaction data file that the welfare agency’s programmers used when the program was
written were processed on DC&H’s home office computer. The edit summary report listing no
errors was included in the working papers, with a notation by the senior auditor that the test
indicates good application controls. You note that the quality of the audit conclusions obtained
from this test is flawed in several respects, and you decide to ask your subordinates to repeat
the test.
Identify three existing or potential problems with the way this test was performed. For each
problem, suggest one or more procedures that might be performed during the revised test to
avoid flaws in the audit conclusions.
Problems Suggested Solutions
Duplicate copy of the program may not be a
Source code comparison.
Programmer's test data file
Auditor must devise their own test
Audit senior's conclusion has no basis (no
Must predetermine the result of test data
11-9
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
11.6 You are performing an information system audit to evaluate internal controls in Aardvark Wholesalers’
(AW) computer system. From an AW manual, you have obtained the following job descriptions for key
personnel:
Director of information systems: Responsible for defining the mission of the information systems
division and for planning, staffing, and managing the IS department.
Manager of systems development and programming: Reports to director of information systems.
Responsible for managing the systems analysts and programmers who design, program, test,
implement, and maintain the data processing systems. Also responsible for establishing and monitoring
documentation standards.
11-10
©2018 Pearson Education, Inc.
Manager of
Manager of
Data Entry
Supervision
Operations
Supervisor
Data Control
Clerk
a. Prepare an organizational chart for AW’s information systems division.
2. What is bad about this organization structure:
The manager of operations is responsible for systems programming, which is a
c. What additional information would you require before making a final judgment on the
adequacy of AW’s separation of functions in the information systems division?
Is access to equipment, files, and documentation restricted and documented?
11.7 Robinson’s Plastic Pipe Corporation uses a data processing system for inventory. The input to
this system is shown in Table 11-7. You are using an input controls matrix to help audit the
source data controls.
Table 11-7 Parts Inventory Transaction File
Field Name Field Type
Item number Numeric
Prepare an input controls matrix using the format and input controls shown in Figure 11-3;
11-11
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
Inventory transactions input control matrix:
RECORD
NAME:
Parts inventory
transactions
FIELD NAMES
Item
number
Description Transaction
date
Transaction
type
Document
number Quantity
Unit
cost Comments
INPUT
CONTROLS:
balance
inspection
verification
Limit check
Other:
11-12
©2018 Pearson Education, Inc.
Accounting Information Systems
11.8 As an internal auditor for the state auditor’s office, you are assigned to review the implementation of a
new computer system in the state welfare agency. The agency is installing an online computer system to
maintain the state’s database of welfare recipients. Under the old system, applicants for welfare
assistance completed a form giving their name, address, and other personal data, plus details about
their income, assets, dependents, and other data needed to establish eligibility. The data are checked by
welfare examiners to verify their authenticity, certify the applicant’s eligibility for assistance, and
determine the form and amount of aid.
Under the new system, welfare applicants enter data on the agency’s Web site or give their data to
clerks, who enter it using online terminals. Each applicant record has a “pending” status until a welfare
examiner can verify the authenticity of the data used to determine eligibility. When the verification is
completed, the examiner changes the status code to “approved,” and the system calculates the aid
amount.
Periodically, recipient circumstances (income, assets, dependents, etc.) change, and the database is
updated. Examiners enter these changes as soon as their accuracy is verified, and the system
recalculates the recipient’s new welfare benefit. At the end of each month, payments are electronically
deposited in the recipient’s bank accounts.
Welfare assistance amounts to several hundred million dollars annually. You are concerned about the
possibilities of fraud and abuse.
a. Describe how to employ concurrent audit techniques to reduce the risks of fraud and
abuse.
Audits should be concerned about a dishonest welfare examiner or unauthorized person
submitting fictitious transactions into the system. Fictitious transactions could cause
The most useful concurrent audit technique to minimize the risk of fraudulent update
transactions would be audit hooks. These program subroutines would review every record
Any welfare application record that is entered into the system by someone other than one
Any welfare record status change or modification that is entered into the system by
Assuming that it takes a minimum of n days for a welfare examiner to verify the
11-13
©2018 Pearson Education, Inc.
Ch. 11: Auditing Computer-Based Information Systems
Any welfare record modification transaction that causes a welfare recipient's benefits to
Any welfare record that is modified more than two or three times within a short period,
Any record modification transaction that involves a change in the recipient's address.
Any record entered into the system at a time of day other than during the agency's normal
Undoubtedly, other useful audit hooks could be identified. The audit staff should
11-14
©2018 Pearson Education, Inc.
