978-1118742938 Chapter 15

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

SM 15.1

Chapter 15

INFORMATION TECHNOLOGY AUDITING

Discussion Questions

15-1. As noted in the text, an internal auditor is an individual working for the company

being audited while the external auditor works for an outside organization, typically a CPA firm.

and state laws that specifically define the relationship between the external auditor and client,

and how this relationship is to be implemented during the course of an audit.

internal auditor are:

 Inventory records that have no financial implications

 Personnel records that have no financial implications

variables

 Minor discrepancies in financial accounts (immaterial)

 Organizational procedures that are primarily a matter of policy and do not involve assets

or liabilities

Preferences vary. Many accounting graduates begin their career as external auditors and then

move into internal auditing.

15-2. The primary objective of a financial audit is to attest to the reliability of financial

statements. The audit process includes an evaluation of internal controls (now mandated). Some

of these controls are present in all processing environments, while others are unique to

Financial auditors should possess technical accounting skills, knowledge of accounting and

business processes, a certain amount of skepticism, knowledge of the audit process, internal

SM 15.2

interpersonal skills. Information systems auditors should possess an understanding of technical

information systems security, internal control expertise, knowledge of information systems audit

process.

The reality is that it is difficult for one individual to possess all skills in both realms. This reality

has led to a shortage of information systems auditors with a solid foundation in accounting.

Because of this, it may be difficult for financial auditors to know how to use the work of the

15-3. General-use software is software that has a wide range of applicability. This software

may be used by auditors, managers, accountants, system designers, and others. It includes word

Spreadsheet software is most useful when computations are required. Recalculating totals for

fixed assets or depreciation schedules can be facilitated with spreadsheet software. Database

existence of fixed assets.

15-4. Interviewing is one of the most important functions performed by auditors.

Interestingly, auditing and accounting curricula do not always work on these skills with students.

Interviewers need to understand the need to plan for an interview session. This includes

structuring the interview a priority, informing the person to be questioned of the interview,

each has advantages and disadvantages. The interviewer needs to know when to use which and

also must decide how open-ended the questions should be. A skilled interviewer is always in

SM 15.3

15-5. With an integrated test facility, it is necessary to observe the complete cycle of

activities. Thus, a set of fictitious purchase transactions would be introduced to the transaction

how effectively the system pays debt in time to take advantage of time-dependent discounts. Yet

a third test would be to see whether or not the system will pay an outside company for goods

condition.

With the passage of time, the auditor would observe the systems response to these and other such

15-6. The recommendations to use certain controls or not is ultimately dependent upon the

organizations attitude towards risk. More often than not, a collective group is likely to be

effective.

auditor.

15-7. The Better Business Bureau offers a BBB Online Trustmark that symbolizes

compliance with a variety of standards and rules of practice. These include privacy and security

Several accounting firms and other organizations offer their own assurance. These may rely on

the brand of the company offering the assurance, rather than on a generic assurance label.

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

SM 15.4

Problems

15-8.

a.

Hazard

Probability that

Expected Losses

Estimated

loss will occur

Low

High

Control Costs

Equipment failure

.08

$50,000

$150,000

$ 2,000

Software failure

.10

4,000

18,000

1,400

Vandalism

.65

1,000

15,000

8,000

Embezzlement

.05

3,000

9,000

1,000

Brownout

.40

850

2,000

250

Power surge

.40

850

2,000

300

Flood

.15

250,000

500,000

2,500

Fire

.10

150,000

300,000

4,000

decisions:

1) The hazard controls should be implemented for equipment failure, brownout, power

surge, flood, and fire. The cost of implementing these controls are outweighed by the

expected savings.

for managers’ decisions.

15-9. There are many case studies available at the ISACA web site. An example is the

consensus among management, IT and audit.

15-10. Simply by searching on the term “computer security,” students will be able to identify

15-11. By searching on the phrase “continuous auditing examples,” a student should be able

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

techniques, they could have more confidence in their systems on an ongoing basis, freeing

resources for other analyses.

Case Analyses

15-12 Basic Requirements (Systems Reliability Assurance)

1. There are many security, availability, and privacy risks faced by Basic Requirements due to

their online access. (Comprehensive lists of general risks may be found in the AICPA’s

workers. Availability of the web site is important to a retail business as downtime may mean

lost sales and lack of credibility. For Kara and Scott, availability risks include hardware and

This means ensuring that hackers cannot “steal” mailing lists and that there is no

unauthorized access to customer accounts. A small business such as Basic Requirements will

or dissemination of customer information.

2.

Risk

Control

Hacker access to web site

 Maintain anti-virus software

 Use acceptable length passwords

Student access to computers (physical)

 Do not leave student workers in

office alone or always have two

workers

 Do not use group logons for access

in office

Student access to accounts or passwords

(logical)

 Use a hierarchy of passwords and

logons to secure sections of the

system

 Change default passwords of

system administrators

Hardware and software malfunctions

 Maintain anti-virus software

 Maintain proper environmental

conditions over hardware

 Have backup and contingency plans

and test them

Failure of logon procedures

 Provide quick response to

customers experiencing difficulties

with logon or forgotten passwords

 Be sure to describe logon

procedures fully to customers,

including case sensitivity of

passwords. Possibly maintain a

system for forgotten passwords

where a private question is used to

authenticate (e.g., mother’s maiden

name)

Student workers compromising privacy

 Check student references

 Convey policies and privacy

warnings to workers

3. To be effective, an internal control must be auditable. This means that the auditor must be

able to inspect it. For example, Kara might tell the auditor that she always checks references

those controls. Some specific examples are:

 Auditors would check that the system uses current versions of anti-virus software and

that there is a subscription that allows for continuous updates

passwords with respect to length

 The IT auditor will check the user listing for the system to ensure that there are no

group passwords (e.g., STUWRKER)

work

1. Unfortunately, Dick’s approach is a typical one. Small accounting firms, in particular, lack

personnel with information systems audit expertise. The inability of a financial auditor to

audit process.

Expanding the scope of an audit to 100% of all transactions is one way to reduce risk.

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

SM 15.7

2. Tiffany should suggest calling in personnel who are experienced in information systems

backgrounds.

3. Public accounting firms are faced with a dilemma. The nature of auditing is changing rapidly

due to computerized information systems. Many firms are moving towards the concept of

financial and information systems auditors to communicate with each other, the audit will be

both inefficient and ineffective. For instance, financial auditors might be told to call in

what lies behind the report, they are likely to disregard it and expand the scope of the audit to

a conservative level with respect to risk.

4. Tiffany needs to call in information systems auditors for this particular engagement. She

understanding between financial auditors and information systems auditors is to have

each year.

1. There are many risks associated with a lack of controls to restrict logical access to programs

2. It is important to include an audit of User IDs and passwords in order to evaluate the levels of

at risk.

3. There are many different control procedures that Jason could use to ensure that only

authorized users access the system. Some of them are:

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

SM 15.8

locked/deleted

 Groups – groups are established within the application according to SOD

determinations and group rights are reviewed periodically

management

changes