978-1118742938 Chapter 15

Authors: Mark G. Simkin

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman
Chapter 15
INFORMATION TECHNOLOGY AUDITING
Discussion Questions
15-1. As noted in the text, an internal auditor is an individual working for the company
being audited while the external auditor works for an outside organization, typically a CPA firm.
and state laws that specifically define the relationship between the external auditor and client,
and how this relationship is to be implemented during the course of an audit.
internal auditor are:
Inventory records that have no financial implications
Personnel records that have no financial implications
variables
Minor discrepancies in financial accounts (immaterial)
Organizational procedures that are primarily a matter of policy and do not involve assets
or liabilities
Preferences vary. Many accounting graduates begin their career as external auditors and then
move into internal auditing.
15-2. The primary objective of a financial audit is to attest to the reliability of financial
statements. The audit process includes an evaluation of internal controls (now mandated). Some
of these controls are present in all processing environments, while others are unique to
Financial auditors should possess technical accounting skills, knowledge of accounting and
business processes, a certain amount of skepticism, knowledge of the audit process, internal
interpersonal skills. Information systems auditors should possess an understanding of technical
information systems security, internal control expertise, knowledge of information systems audit
process.
The reality is that it is difficult for one individual to possess all skills in both realms. This reality
has led to a shortage of information systems auditors with a solid foundation in accounting.
Because of this, it may be difficult for financial auditors to know how to use the work of the
15-3. General-use software is software that has a wide range of applicability. This software
may be used by auditors, managers, accountants, system designers, and others. It includes word
Spreadsheet software is most useful when computations are required. Recalculating totals for
fixed assets or depreciation schedules can be facilitated with spreadsheet software. Database
existence of fixed assets.
15-4. Interviewing is one of the most important functions performed by auditors.
Interestingly, auditing and accounting curricula do not always work on these skills with students.
Interviewers need to understand the need to plan for an interview session. This includes
structuring the interview a priori, informing the person to be questioned of the interview,
each has advantages and disadvantages. The interviewer needs to know when to use which and
also must decide how open-ended the questions should be. A skilled interviewer is always in
15-5. With an integrated test facility, it is necessary to observe the complete cycle of
activities. Thus, a set of fictitious purchase transactions would be introduced to the transaction
how effectively the system pays debt in time to take advantage of time-dependent discounts. Yet
a third test would be to see whether or not the system will pay an outside company for goods
condition.
With the passage of time, the auditor would observe the system's response to these and other such
15-6. The recommendation to use certain controls or not is ultimately dependent upon the
organization's attitude towards risk. More often than not, a collective group is likely to be
effective.
auditor.
15-7. The Better Business Bureau offers a BBB Online Trustmark that symbolizes
compliance with a variety of standards and rules of practice. These include privacy and security
Several accounting firms and other organizations offer their own assurance. These may rely on
the brand of the company offering the assurance, rather than on a generic assurance label.
Problems
15-8.
a.
Hazard              Probability that    Expected Losses          Estimated
                    loss will occur     Low         High         Control Costs
Equipment failure   .08                 $50,000     $150,000     $ 2,000
Software failure    .10                 4,000       18,000       1,400
Vandalism           .65                 1,000       15,000       8,000
Embezzlement        .05                 3,000       9,000        1,000
Brownout            .40                 850         2,000        250
Power surge         .40                 850         2,000        300
Flood               .15                 250,000     500,000      2,500
Fire                .10                 150,000     300,000      4,000
decisions:
1) The hazard controls should be implemented for equipment failure, brownout, power
surge, flood, and fire. The costs of implementing these controls are outweighed by the
expected savings.
for managers’ decisions.
15-9. There are many case studies available at the ISACA web site. An example is the
consensus among management, IT and audit.
15-10. Simply by searching on the term “computer security,” students will be able to identify
15-11. By searching on the phrase “continuous auditing examples,” a student should be able
techniques, they could have more confidence in their systems on an ongoing basis, freeing
resources for other analyses.
Case Analyses
15-12 Basic Requirements (Systems Reliability Assurance)
1. There are many security, availability, and privacy risks faced by Basic Requirements due to
their online access. (Comprehensive lists of general risks may be found in the AICPA’s
workers. Availability of the web site is important to a retail business as downtime may mean
lost sales and lack of credibility. For Kara and Scott, availability risks include hardware and
This means ensuring that hackers cannot “steal” mailing lists and that there is no
unauthorized access to customer accounts. A small business such as Basic Requirements will
or dissemination of customer information.
2.
Risk: Hacker access to web site
Controls:
- Maintain anti-virus software
- Use acceptable length passwords

Risk: Student access to computers (physical)
Controls:
- Do not leave student workers in office alone or always have two workers
- Do not use group logons for access in office

Risk: Student access to accounts or passwords (logical)
Controls:
- Use a hierarchy of passwords and logons to secure sections of the system
- Change default passwords of system administrators

Risk: Hardware and software malfunctions
Controls:
- Maintain anti-virus software
- Maintain proper environmental conditions over hardware
- Have backup and contingency plans and test them

Risk: Failure of logon procedures
Controls:
- Provide quick response to customers experiencing difficulties with logon or forgotten passwords
- Be sure to describe logon procedures fully to customers, including case sensitivity of passwords. Possibly maintain a system for forgotten passwords where a private question is used to authenticate (e.g., mother’s maiden name)

Risk: Student workers compromising privacy
Controls:
- Check student references
- Convey policies and privacy warnings to workers
3. To be effective, an internal control must be auditable. This means that the auditor must be
able to inspect it. For example, Kara might tell the auditor that she always checks references
those controls. Some specific examples are:
Auditors would check that the system uses current versions of anti-virus software and
that there is a subscription that allows for continuous updates
passwords with respect to length
The IT auditor will check the user listing for the system to ensure that there are no
group passwords (e.g., STUWRKER)
work
1. Unfortunately, Dick's approach is a typical one. Small accounting firms, in particular, lack
personnel with information systems audit expertise. The inability of a financial auditor to
audit process.
Expanding the scope of an audit to 100% of all transactions is one way to reduce risk.
2. Tiffany should suggest calling in personnel who are experienced in information systems
backgrounds.
3. Public accounting firms are faced with a dilemma. The nature of auditing is changing rapidly
due to computerized information systems. Many firms are moving towards the concept of
financial and information systems auditors to communicate with each other, the audit will be
both inefficient and ineffective. For instance, financial auditors might be told to call in
what lies behind the report, they are likely to disregard it and expand the scope of the audit to
a conservative level with respect to risk.
4. Tiffany needs to call in information systems auditors for this particular engagement. She
understanding between financial auditors and information systems auditors is to have
each year.
1. There are many risks associated with a lack of controls to restrict logical access to programs
2. It is important to include an audit of User IDs and passwords in order to evaluate the levels of
at risk.
3. There are many different control procedures that Jason could use to ensure that only
authorized users access the system. Some of them are:
locked/deleted
Groups - groups are established within the application according to SOD
determinations and group rights are reviewed periodically
management
changes
