Accounting Information Systems
11-1
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and
their accounting applications. However, it may not be feasible for every auditor to be a
computer expert. Discuss the extent to which auditors should possess computer expertise to
be effective auditors.
Since most organizations make extensive use of computer-based systems in processing data, it is
essential that computer expertise be available in the organization’s audit group. Such expertise
should include:
• Extensive knowledge of computer hardware, software, data communications, and accounting
applications
Not all auditors need to possess expertise in all of these areas. However, there is certainly some
minimum level of computer expertise that is appropriate for all auditors to have. This would
include:
• An understanding of computer hardware, software, accounting applications, and controls.
11.2 Should internal auditors be members of systems development teams that design and
implement an AIS? Why or why not?
Many people believe that internal auditors should be involved in systems development projects in
order to ensure that newly developed systems are auditable and have effective controls. However,
There are indirect forms of auditor involvement that are appropriate. The auditor can
1. Recommend a series of control and audit guidelines that all new systems should meet.
Ch. 11: Auditing Computer-Based Information Systems
11-2
11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit
function, Berwick could (a) train some of its computer specialists in auditing, (b) hire
experienced auditors and train them to understand Berwick’s information system, (c) use a
combination of the first two approaches, or (d) try a different approach. Which approach
would you support, and why?
The most effective auditor is a person who has training and experience as an auditor and training
11.4 The assistant finance director for the city of Tustin, California, was fired after city officials
discovered that she had used her access to city computers to cancel her daughter’s $300 water
bill. An investigation revealed that she had embezzled a large sum of money from Tustin in
this manner over a long period. She was able to conceal the embezzlement for so long because
the amount embezzled always fell within a 2% error factor used by the city’s internal
auditors. What weaknesses existed in the audit approach? How could the audit plan be
improved? What internal control weaknesses were present in the system? Should Tustin’s
internal auditors have discovered this fraud earlier?
Audit approach weaknesses
1. The question implies Tustin’s internal auditors never bothered to investigate transactions below
2. While auditors generally examine transaction samples that are selected to include a high
3. An internal control audit should have detected inadequacies in Tustin’s computer access
controls, as well as a lack of transaction documentation.
Audit plan improvements
Accounting Information Systems
11-3
discrepancies for further investigation.
Internal control weaknesses
1. An assistant finance director should not have the authority to enter credits to customer
accounts. Certainly, there should have been documentation to support such transactions.
Should the auditors have detected the audit earlier?
The easy answer here is yes, they should have uncovered the fraud earlier. While she was able to
11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an
anonymous note from an assembly-line operator who has worked at the company’s West
Coast factory for the past 15 years. The note indicated that there are some fictitious
employees on the payroll as well as some employees who have left the company. He offers no
proof or names. What computer-assisted audit technique could Lou use to help him
substantiate or refute the employee’s claim? (CIA
Examination, adapted)
Computer-assisted audit tools and techniques (CAATTs) could have been used to identify employees
who have no deductions. Experience has shown that fictitious or terminated employees will
11.6. Explain the four steps of the risk-based audit approach, and discuss how they apply to the
overall security of a company.
The risk-based audit approach provides a framework for conducting information system audits. It
consists of the following 4 steps:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or
intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the controls
3. Evaluate control procedures. Controls are evaluated two ways. First, a systems review determines
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing
Ch. 11: Auditing Computer-Based Information Systems
11-4
evidence. Control weaknesses in one area may be acceptable if there are compensating controls in
other areas.
11.7. Compare and contrast the frameworks for auditing program development/acquisition and for
auditing program modification.
The two are similar in that:
• They both deal with the review of software.
• They both are exposed to the same types of errors and fraud.
The two are dissimilar in that:
• The auditor’s role in systems development is to perform an independent review of systems
development and acquisition activities. The auditor’s role in program modification is to
perform an independent review of the procedures and controls used to modify software
programs.
Accounting Information Systems
SUGGESTED SOLUTIONS TO THE PROBLEMS
11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita,
the manager of administrative data processing, and expressed the desire to establish a more
effective interface between the two departments. Issa wants your help with a new
computerized accounts payable system currently in development. He recommends that your
department assume line responsibility for auditing suppliers’ invoices prior to payment. He
also wants internal auditing to make suggestions during system development, assist in its
installation, and approve the completed system after making a final review.
Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the pre-audit of
supplier’s invoices.
Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity
b. The request that you make suggestions during system development.
It would be advantageous for internal auditing to make specific suggestions during the design
phase concerning controls and audit trails to be built into a system. Internal auditing should
build an appropriate interface with the Data Processing Department to help achieve this goal.
Neither objectivity nor independence is compromised if the auditor makes recommendations
for controls in the system under review. For example, internal auditing may:
• Provide a list of control requirements.
c. The request that you assist in the installation of the system and approve the system after
making a final review.
The auditor must remain independent of any system they will subsequently audit. Therefore,
the auditor must refrain from giving overall approval of the system in final review. The
Ch. 11: Auditing Computer-Based Information Systems
11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the
audit of the company’s AIS. You have been reviewing the internal controls of the computer
system that processes most of its accounting applications. You have studied the company’s
extensive systems documentation. You have interviewed the information system manager,
operations supervisor, and other employees to complete your standardized computer internal
control questionnaire. You report to your supervisor that the company has designed a
successful set of comprehensive internal controls into its computer systems. He thanks you for
your efforts and asks for a summary report of your findings for inclusion in a final overall
report on accounting internal controls.
Have you forgotten an important audit step? Explain. List five examples of specific audit
procedures that you might recommend before reaching a conclusion.
The important audit step that has not been performed is tests of controls (sometimes called
Examples of audit procedures that would be considered tests of controls are:
• Observe computer operations, data control procedures, and file library control procedures.
• Inquiry of key systems personnel with respect to the way in which prescribed control
procedures are interpreted and implemented. A questionnaire or checklist often facilitates
such inquiry.
Accounting Information Systems
11-7
11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a
computer payroll system. To test the computer systems and programs, you submit
independently created test transactions with regular data in a normal production run.
List four advantages and two disadvantages of this technique.
a. Advantages
b. Disadvantages
• Does not require extensive programming knowledge
• Approach and results are easy to understand.
• The complete system may be reviewed.
• Results are often easily checked.
• Impractical to test all error possibilities.
• May be unable to relate input data to
output reports in a complex system.
• If independent files are not used, it may be
Ch. 11: Auditing Computer-Based Information Systems
11.4 You are involved in the audit of accounts receivable, which represent a significant portion of
the assets of a large retail corporation. Your audit plan requires the use of the computer, but
you encounter the following reactions:
For each situation, state how the auditor should proceed with the accounts receivable audit.
a. The computer operations manager says the company’s computer is running at full
capacity for the foreseeable future and the auditor will not be able to use the system for
audit tests.
• The auditor should not accept this explanation and should arrange with company
executives for access to the computer system.
b. The computer scheduling manager suggests that your computer program be stored in
the computer program library so that it can be run when computer time becomes
available.
• The auditor should not permit the computer program to be stored because it could then be
changed without the auditor’s knowledge.
c. You are refused admission to the computer room.
d. The systems manager tells you that it will take too much time to adapt the auditor’s
computer audit program to the computer’s operating system and that company
programmers will write the programs needed for the audit.
• Auditors should insist on using their own computer audit program, since someone at the
company may wish to conceal falsified data or records.
Accounting Information Systems
11-9
11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DC&H). While
reviewing your staff’s audit work papers for the state welfare agency, you find that the test
data approach was used to test the agency’s accounting software. A duplicate program copy,
the welfare accounting data file obtained from the computer operations manager, and the test
transaction data file that the welfare agency’s programmers used when the program was
written were processed on DC&H’s home office computer. The edit summary report listing
no errors was included in the working papers, with a notation by the senior auditor that the
test indicates good application controls. You note that the quality of the audit conclusions
obtained from this test is flawed in several respects, and you decide to ask your subordinates
to repeat the test.
Problems
Suggested Solutions
Duplicate copy of the program may not be a
true duplicate of the current version.
• Source code comparison.
• Reprocessing (use previously valid program).
• Process test transactions concurrently with live
ones, on a concealed basis.
Duplicate copy of the file may not be a true
duplicate of the current version.
• Obtain the live file and duplicate it under audit
control.
• Process test transactions concurrently with live
Ch. 11: Auditing Computer-Based Information Systems
11-10
11.6 You are performing an information system audit to evaluate internal controls in Aardvark
Wholesalers’ (AW) computer system. From an AW manual, you have obtained the following job
descriptions for key personnel:
Director of information systems: Responsible for defining the mission of the information systems
division and for planning, staffing, and managing the IS department.
a. Prepare an organizational chart for AW’s information systems division.
Director of
Information
Systems
Accounting Information Systems
11-11
b. Name two positive and two negative aspects (from an internal control standpoint) of this
organizational structure.
1. What is good about this organization structure:
• Computer operations organizationally independent of data entry and data control.
2. What is bad about this organization structure:
• The manager of operations is responsible for systems programming, which is a
violation of segregation of systems duties.
c. What additional information would you require before making a final judgment on the
adequacy of AW’s separation of functions in the information systems division?
• Is access to equipment, files, and documentation restricted and documented?
Accounting Information Systems
11-13
11.7 Robinson’s Plastic Pipe Corporation uses a data processing system for inventory. The input to
this system is shown in Table 11-7. You are using an input controls matrix to help audit the
source data controls.
Table 11-7 Parts Inventory Transaction File
Field Name
Field Type
Item number
Numeric
Description
Alphanumeric
Transaction date
Date
Transaction type
Alphanumeric
Document number
Alphanumeric
Quantity
Numeric
Unit cost
Monetary