Control of Accounting Information Systems
PART II
Control and Audit of Accounting Information Systems

CHAPTER 5 Fraud
CHAPTER 6 Computer Fraud and Abuse Techniques
CHAPTER 7 Internal Control and Accounting Information Systems
CHAPTER 8 Controls for Information Security
CHAPTER 9 Confidentiality and Privacy Controls
CHAPTER 10 Processing Integrity and Availability Controls
CHAPTER 11 Auditing Computer-Based Information Systems

M05_ROMN4021_14_SE_C05.indd 125 20/10/16 12:06 PM

CHAPTER 5 Fraud

LEARNING OBJECTIVES

After studying this chapter, you should be able to:
1. Explain the threats faced by modern information systems.
2. Define fraud and describe both the different types of fraud and the auditor's responsibility to detect fraud.
3. Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
4. Define computer fraud and discuss the different computer fraud classifications.
5. Explain how to prevent and detect computer fraud and abuse.

INTEGRATIVE CASE: Northwest Industries

Jason Scott is an internal auditor for Northwest Industries, a forest products company. On March 31, he reviewed his completed tax return and noticed that the federal income tax withholding on his final paycheck was $5 more than the amount indicated on his W-2 form. He used the W-2 amount to complete his tax return and made a note to ask the payroll department what happened to the other $5. The next day, Jason was swamped, and he dismissed the $5 difference as immaterial.

On April 16, a coworker grumbled that the company had taken $5 more from his check than he was given credit for on his W-2. When Jason realized he was not the only one with the $5 discrepancy, he investigated and found that all 1,500 employees had the same $5 discrepancy. He also discovered that the W-2 of Don Hawkins, the payroll programmer, had thousands of dollars more in withholdings reported to the Internal Revenue Service (IRS) than had been withheld from his paycheck.

Jason knew that when he reported the situation, management was going to ask questions, such as:
1. What constitutes a fraud, and is the withholding problem a fraud?
2. How was the fraud perpetrated? What motivated Don to commit it?
3. Why did the company not catch these mistakes? Was there a breakdown in controls?
4. How can the company detect and prevent fraud?
5. How vulnerable is the company's computer system to fraud?

Introduction

As accounting information systems (AIS) grow more complex to meet our escalating needs for information, companies face the growing risk that their systems may be compromised. Recent surveys show that 67% of companies had a security breach, over 45% were targeted by organized crime, and 60% reported financial losses. The four types of AIS threats a company faces are summarized in Table 5-1.

TABLE 5-1 Threats to Accounting Information Systems

THREATS and EXAMPLES

Natural and political disasters:
● Fire or excessive heat
● Floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain
● War and attacks by terrorists

Software errors and equipment malfunctions:
● Hardware or software failure
● Software errors or bugs
● Operating system crashes
● Power outages and fluctuations
● Undetected data transmission errors

Unintentional acts:
● Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel
● Innocent errors or omissions
● Lost, erroneous, destroyed, or misplaced data
● Logic errors
● Systems that do not meet company needs or cannot handle intended tasks

Intentional acts (computer crimes):
● Sabotage
● Misrepresentation, false use, or unauthorized disclosure of data
● Misappropriation of assets
● Financial statement fraud
● Corruption
● Computer fraud—attacks, social engineering, malware, etc.

AIS Threats

Natural and political disasters—such as fires, floods, earthquakes, hurricanes, tornadoes, blizzards, wars, and attacks by terrorists—can destroy an information system and cause many companies to fail. For example:
● Terrorist attacks on the World Trade Center in New York City and on the Federal Building in Oklahoma City destroyed or disrupted all the systems in those buildings.
● A flood in Chicago destroyed or damaged 400 data processing centers. A flood in Des Moines, Iowa, buried the city's computer systems under eight feet of water.
● Hurricanes and earthquakes have destroyed numerous computer systems and severed communication lines. Other systems were damaged by falling debris, water from ruptured sprinkler systems, and dust.

A very valid concern for everyone is what is going to happen when cyber-attacks are militarized; that is, the transition from disruptive to destructive attacks. For more on this, see Focus 5-1.

FOCUS 5-1 Electronic Warfare

Shortly after Obama was elected President, he authorized cyber-attacks on computer systems that run Iran's main nuclear enrichment plants. The intent was to delay or destroy Iran's nuclear-weapons program. The attacks were based on the Stuxnet virus, which was developed with help from a secret Israeli intelligence unit. The attack damaged 20% of the centrifuges at the Natanz uranium enrichment facility (Iran denied its existence) by spinning them too fast. This was the first known cyber-attack intended to harm a real-world physical target.

A hacker group that is a front for Iran retaliated using distributed denial of service attacks (DDoS) to bring online systems at major American banks to their knees. Most denial of service attacks use botnets, which are networks of computers that the bot-herder infected with malware. However, the Iranians remotely hijacked and used "clouds" of thousands of networked servers located in cloud computing data centers around the world. The attack inundated bank computers with encryption requests (they consume more system resources), allowing the hackers to cripple sites with fewer requests. The cloud services were infected with a sophisticated malware, which evaded detection by antivirus programs and made it very difficult to trace the malware back to its user. The scale and scope of these attacks and their effectiveness is unprecedented, as there have never been that many financial institutions under simultaneous attack.

Defense Secretary Leon E. Panetta claimed that the United States faces the possibility of a "cyber-Pearl Harbor" because it is increasingly vulnerable to hackers who could shut down power grids, derail trains, crash airplanes, spill oil and gas, contaminate water supplies, and blow up buildings containing combustible materials. They can disrupt financial and government networks, destroy critical data, and illegally transfer money. They can also cripple a nation's armed forces, as they rely on vulnerable computer networks. All of these attacks are especially scary because they can be done remotely, in a matter of seconds, and done either immediately or at any predetermined date and time. A large-scale attack could create an unimaginable degree of chaos in the United States. The most destructive attacks would combine a cyber-attack with a physical attack.

Both to be better able to use cyber weapons and to defend against them, the United States has created a new U.S. Cyber Command that will have equal footing with other commands in the nation's military structure. In addition, intelligence agencies will search computer networks worldwide looking for signs of potential attacks on the United States. Cyber weapons have been approved for preemptive attacks, even if there is no declared war, if authorized by the president—and if an imminent attack on the United States warrants it. The implications are clear: the United States realizes that cyber weapons are going to be used and needs to be better at using them than its adversaries.

Unfortunately, bolstering cyber security and safeguarding systems is significantly lagging the advancement of technology and the constant development of new cyber-attack tools. Making it ever harder, advancements such as cloud computing and the use of mobile devices emphasize access and usability rather than security. Most companies and government agencies need to increase their security budgets significantly to develop ways to combat the attacks. It is estimated that the market demand for cyber security experts is more than 100,000 people per year and the median pay is close to six figures.

Software errors, operating system crashes, hardware failures, power outages and fluctuations, and undetected data transmission errors constitute a second type of threat. A federal study estimated yearly economic losses due to software bugs at almost $60 billion. More than 60% of companies studied had significant software errors. Examples of errors include:
● Over 50 million people in the Northeast were left without power when an industrial control system in part of the grid failed. Some areas were powerless for four days, and damages from the outage ran close to $10 billion.
● At Facebook, an automated system for verifying configuration value errors backfired, causing every single client to try to fix accurate data it perceived as invalid. Since the fix involved querying a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries a second. The resultant crash took the Facebook system offline for two-and-a-half hours.
● As a result of tax system bugs, California failed to collect $635 million in business taxes.
● A bug in Burger King's software resulted in a $4,334.33 debit card charge for four hamburgers. The cashier accidentally keyed in the $4.33 charge twice, resulting in the overcharge.

A third type of threat, unintentional acts such as accidents or innocent errors and omissions, is the greatest risk to information systems and causes the greatest dollar losses. The Computing Technology Industry Association estimates that human errors cause 80% of security problems. Forrester Research estimates that employees unintentionally create legal, regulatory, or financial risks in 25% of their outbound e-mails.

Unintentional acts are caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel. Users lose or misplace data and accidentally erase or alter files, data, and programs. Computer operators and users enter the wrong input or erroneous input, use the wrong version of a program or the wrong data files, or misplace data files. Systems analysts develop systems that do not meet company needs, that leave them vulnerable to attack, or that are incapable of handling their intended tasks. Programmers make logic errors. Examples of unintentional acts include the following:
● A data entry clerk at Mizuho Securities mistakenly keyed in a sale for 610,000 shares of J-Com for 1 yen instead of the sale of 1 share for 610,000 yen. The error cost the company $250 million.
● A programmer made a one-line-of-code error that priced all goods at Zappos, an online retailer, at $49.95—even though some of the items it sells are worth thousands of dollars. The change went into effect at midnight, and by the time it was detected at 6:00 A.M., the company had lost $1.6 million on goods sold far below cost.
● A bank programmer mistakenly calculated interest for each month using 31 days. Before the mistake was discovered, over $100,000 in excess interest was paid.
● A Fannie Mae spreadsheet error misstated earnings by $1.2 billion.
● UPS lost a box of computer tapes containing sensitive information on 3.9 million Citigroup customers.
● Jefferson County, West Virginia, released a new online search tool that exposed the personal information of 1.6 million people.
● McAfee, the antivirus software vendor, mistakenly identified svchost.exe, a crucial part of the Windows operating system, as a malicious program in one of its updates. Hundreds of thousands of PCs worldwide had to be manually rebooted—a process that took 30 minutes per machine. A third of the hospitals in Rhode Island were shut down by the error. One company reported that the error cost them $2.5 million.

A fourth threat is an intentional act such as a computer crime, a fraud, or sabotage, which is deliberate destruction or harm to a system. Information systems are increasingly vulnerable to attacks. Examples of intentional acts include the following:
● In a recent three-year period, the number of networks that were compromised rose 700%. Experts believe the actual number of incidents is six times higher than reported because companies tend not to report security breaches. Symantec estimates that hackers attack computers more than 8.6 million times per day.
● One computer-security company reported that in the cases they handled that were perpetrated by Chinese hackers, 94% of the targeted companies didn't realize that their systems had been compromised until someone else told them. The median number of days between when an intrusion started and when it was detected was 416.
● The Sobig virus wreaked havoc on millions of computers, including shutting down train systems for up to six hours.
● In Australia, a disgruntled employee hacked into a sewage system 46 times over two months. Pumps failed, and a quarter of a million gallons of raw sewage poured into nearby streams, flooding a hotel and park.
● A programmer was able to download OpenTable's database due to an improperly designed cookie (data a website stores on your computer to identify the site so you do not have to log on each time you visit the site).
● A hacker stole 1.5 million credit and debit card numbers from Global Payments, resulting in an $84 million loss and a 90% drop in profits in the quarter following disclosure.
● The activist hacker group called Anonymous played Santa Claus one Christmas, indicating they were "granting wishes to people who are less fortunate than most." They were inundated with requests for iPads, iPhones, pizzas, and hundreds of other things. They hacked into banks and sent over $1 million worth of virtual credit cards to people.
● Cyber thieves have stolen more than $1 trillion worth of intellectual property from businesses worldwide. General Alexander, director of the National Security Agency, called cyber theft "the greatest transfer of wealth in history." When the top cyber cop at the FBI was asked how the United States was doing in its attempt to keep computer hackers from stealing data from corporate networks, he said, "We're not winning."

sabotage - An intentional act where the intent is to destroy a system or some of its components.

cookie - A text file created by a website and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.

The seven chapters in Part II focus on control concepts. Fraud is the topic of this chapter. Computer fraud and abuse techniques are the topic of Chapter 6. Chapter 7 explains general principles of control in business organizations and describes a comprehensive business risk and control framework. Chapter 8 introduces five basic principles that contribute to systems reliability and then focuses on security, the foundation on which the other four principles rest. Chapter 9 discusses two of the other four principles of systems reliability: confidentiality and privacy. Chapter 10 discusses the last two principles: processing integrity and availability. Chapter 11 examines the processes and procedures used in auditing computer-based systems.

This chapter discusses fraud in four main sections: an introduction to fraud, why fraud occurs, approaches to computer fraud, and how to deter and detect computer fraud.

Introduction to Fraud

fraud - Any and all means a person uses to gain an unfair advantage over another person.

Fraud is gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure.
2. A material fact, which is something that induces a person to act.
3. An intent to deceive.
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action.
5. An injury or loss suffered by the victim.

Annual economic losses resulting from fraudulent activity each year are staggering. It is rare for a week to go by without the national or local press reporting another fraud of some kind. These frauds range from a multimillion-dollar fraud that captures the attention of the nation to an employee defrauding a local company out of a small sum of money.

The Association of Certified Fraud Examiners (ACFE) conducts comprehensive fraud studies and releases its findings in a Report to the Nation on Occupational Fraud and Abuse. The ACFE estimates that:
● A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
● Owner/executive frauds took much longer to detect and were more than four times as costly as manager-perpetrated frauds and more than 11 times as costly as employee frauds.
● More than 87% of the perpetrators had never been charged or convicted of fraud.
● Small businesses, with fewer and less effective internal controls, were more vulnerable to fraud than large businesses.
● Occupational frauds are much more likely to be detected by an anonymous tip than by audits or any other means.
● More than 83% of the cases they studied were asset misappropriation frauds with a median loss of $125,000. Billing schemes and check tampering schemes were the most frequent types of asset misappropriation.
● Only 10% of the cases were financial statement fraud, but these cases had a much higher median loss of $975,000.
● The most prominent organizational weakness in the fraud cases studied was a lack of internal controls. The implementation of controls to prevent fraud resulted in lower fraud losses and quicker fraud detection.
● In 79% of the fraud cases studied, perpetrators displayed behavioral warning signs, or red flags, such as living beyond their means, financial difficulties, unusually close association with a vendor or customer, and recent divorce or family problems that created a perceived need in the perpetrator's mind.

Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources. Because employees understand a company's system and its weaknesses, they are better able to commit and conceal a fraud. The controls used to protect corporate assets make it more difficult for an outsider to steal from a company. Fraud perpetrators are often referred to as white-collar criminals.

white-collar criminals - Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.

There are a great many different types of frauds. We briefly define and give examples of some of those and then provide a more extended discussion of some of the most important ones to businesses.

Corruption is dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or incompatible with ethical standards. There are many types of corruption; examples include bribery and bid rigging. Investment fraud is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. There are many types of investment fraud; examples include Ponzi schemes and securities fraud.

corruption - Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.

investment fraud - Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.

Two types of frauds that are important to businesses are misappropriation of assets (sometimes called employee fraud) and fraudulent financial reporting (sometimes called management fraud). These two types of fraud are now discussed in greater depth.

MISAPPROPRIATION OF ASSETS

misappropriation of assets - Theft of company assets by employees.

Misappropriation of assets is the theft of company assets by employees. Examples include the following:
● Albert Milano, a manager at Reader's Digest responsible for processing bills, embezzled $1 million over a five-year period. He forged a superior's signature on invoices for services never performed, submitted them to accounts payable, forged the endorsement on the check, and deposited it in his account. Milano used the stolen funds to buy an expensive home, five cars, and a boat.
● A bank vice president approved $1 billion in bad loans in exchange for $585,000 in kickbacks. The loans cost the bank $800 million and helped trigger its collapse.
● A manager at a Florida newspaper went to work for a competitor after he was fired. The first employer soon realized its reporters were being scooped. An investigation revealed the manager still had an active account and password and regularly browsed its computer files for information on exclusive stories.
● In a recent survey of 3,500 adults, half said they would take company property when they left and were more likely to steal e-data than assets. More than 25% said they would take customer data, including contact information. Many employees did not believe taking company data is equivalent to stealing.

The most significant contributing factor in most misappropriations is the absence of internal controls and/or the failure to enforce existing internal controls. A typical misappropriation has the following important elements or characteristics. The perpetrator:
● Gains the trust or confidence of the entity being defrauded.
● Uses trickery, cunning, or false or misleading information to commit fraud.
● Conceals the fraud by falsifying records or other information.
● Rarely terminates the fraud voluntarily.
● Sees how easy it is to get extra money; need or greed impels the person to continue. Some frauds are self-perpetuating; if perpetrators stop, their actions are discovered.
● Spends the ill-gotten gains. Rarely does the perpetrator save or invest the money. Some perpetrators come to depend on the "extra" income, and others adopt a lifestyle that requires even greater amounts of money. For these reasons, there are no small frauds—only large ones that are detected early.
● Gets greedy and takes ever-larger amounts of money at intervals that are more frequent, exposing the perpetrator to greater scrutiny and increasing the chances the fraud is discovered. The sheer magnitude of some frauds leads to their detection. For example, the accountant at an auto repair shop, a lifelong friend of the shop's owner, embezzled ever-larger sums of money over a seven-year period. In the last year of the fraud, the embezzler took over $200,000. Facing bankruptcy, the owner eventually laid off the accountant and had his wife take over the bookkeeping. When the company immediately began doing better, the wife hired a fraud expert who investigated and uncovered the fraud.
● Grows careless or overconfident as time passes. If the size of the fraud does not lead to its discovery, the perpetrator eventually makes a mistake that does lead to the discovery.

FRAUDULENT FINANCIAL REPORTING

fraudulent financial reporting - Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

The National Commission on Fraudulent Financial Reporting (the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements. Management falsifies financial statements to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems. The Treadway Commission studied 450 lawsuits against auditors and found undetected fraud to be a factor in half of them.

Through the years, many highly publicized financial statement frauds have occurred. In each case, misrepresented financial statements led to huge financial losses and a number of bankruptcies. The most frequent "cook the books" schemes involve fictitiously inflating revenues, holding the books open (recognizing revenues before they are earned), closing the books early (delaying current expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.

The Treadway Commission recommended four actions to reduce fraudulent financial reporting:
1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.[1]

The ACFE found that an asset misappropriation is 17 times more likely than fraudulent financial reporting but that the amounts involved are much smaller. As a result, auditors and management are more concerned with fraudulent financial reporting even though they are more likely to encounter misappropriations. The following section discusses an auditor's responsibility for detecting material fraud.

[1] Copyright ©1987 by the National Commission on Fraudulent Financial Reporting.

SAS NO. 99 (AU-C SECTION 240): THE AUDITOR'S RESPONSIBILITY TO DETECT FRAUD

Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, became effective in December 2002. SAS No. 99 requires auditors to:
● Understand fraud. Because auditors cannot effectively audit something they do not understand, they must understand fraud and how and why it is committed.
● Discuss the risks of material fraudulent misstatements. While planning the audit, team members discuss among themselves how and where the company's financial statements are susceptible to fraud.
● Obtain information. The audit team gathers evidence by looking for fraud risk factors; testing company records; and asking management, the audit committee of the board of directors, and others whether they know of past or current fraud. Because many frauds involve revenue recognition, special care is exercised in examining revenue accounts.
● Identify, assess, and respond to risks. The evidence is used to identify, assess, and respond to fraud risks by varying the nature, timing, and extent of audit procedures and by evaluating carefully the risk of management overriding internal controls.
● Evaluate the results of their audit tests. Auditors must evaluate whether identified misstatements indicate the presence of fraud and determine its impact on the financial statements and the audit.
● Document and communicate findings. Auditors must document and communicate their findings to management and the audit committee.
● Incorporate a technology focus. SAS No. 99 recognizes the impact technology has on fraud risks and provides commentary and examples recognizing this impact. It also notes the opportunities auditors have to use technology to design fraud-auditing procedures.

Through the years there have been improvements to and reorganizations of auditing standards. The fraud standards are now referred to as AU-C Section 240.

Who Perpetrates Fraud and Why

When researchers compared the psychological and demographic characteristics of white-collar criminals, violent criminals, and the public, they found significant differences between violent and white-collar criminals. They found few differences between white-collar criminals and the public. Their conclusion: Many fraud perpetrators look just like you and me.

Some fraud perpetrators are disgruntled and unhappy with their jobs and seek revenge against employers. Others are dedicated, hard-working, and trusted employees. Most have no previous criminal record; they were honest, valued, and respected members of their community. In other words, they were good people who did bad things.

Computer fraud perpetrators are typically younger and possess more computer experience and skills. Some are motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of beating the system. Some view their actions as a game rather than as dishonest behavior. Others commit computer fraud to gain stature in the hacking community.

A large and growing number of computer fraud perpetrators are more predatory in nature and seek to turn their actions into money. These fraud perpetrators are more like the blue-collar criminals that look to prey on others by robbing them. The difference is that they use a computer instead of a gun. Many first-time fraud perpetrators that are not caught, or that are caught but not prosecuted, move from being "unintentional" fraudsters to "serial" fraudsters.

Malicious software is a big business and a huge profit engine for the criminal underground, especially for digitally savvy hackers in Eastern Europe. They break into financial accounts and steal money. They sell data to spammers, organized crime, hackers, and the intelligence community. They market malware, such as virus-producing software, to others. Some work with organized crime. A recently convicted hacker was paid $150 for every 1,000 computers he infected with his adware and earned hundreds of thousands of dollars a year.

FIGURE 5-1 Fraud Triangle
[Figure: the Fraud Triangle (Pressure, Opportunity, Rationalization) in the middle, surrounded by the Employee Pressure Triangle (Financial, Emotional, Lifestyle), the Financial Statement Pressure Triangle (Management Characteristics, Industry Conditions, Financial), the Opportunity Triangle (Commit, Conceal, Convert), and the Rationalization Triangle (Attitude, Justification, Lack of Personal Integrity).]

Cyber-criminals are a top FBI priority because they have moved from isolated and uncoordinated attacks to organized fraud schemes targeted at specific individuals and businesses. They use online payment companies to launder their ill-gotten gains. To hide their money, they take advantage of the lack of coordination between international law enforcement organizations.

THE FRAUD TRIANGLE

For most predatory fraud perpetrators, all the fraudster needs is an opportunity and the criminal mind-set that allows him/her to commit the fraud. For most first-time fraud perpetrators, three conditions are present when fraud occurs: a pressure, an opportunity, and a rationalization. This is referred to as the fraud triangle, and is the middle triangle in Figure 5-1.

pressure - A person's incentive or motivation for committing fraud.

PRESSURES

A pressure is a person's incentive or motivation for committing fraud. Three types of pressures that lead to misappropriations are shown in the Employee Pressure Triangle in Figure 5-1 and are summarized in Table 5-2.

Financial pressures often motivate misappropriation frauds by employees. Examples of such pressures include living beyond one's means, heavy financial losses, or high personal debt. Often, the perpetrator feels the pressure cannot be shared and believes fraud is the best way out of a difficult situation. For example, Raymond Keller owned a grain elevator where

TABLE 5-2 Pressures That Can Lead to Employee Fraud

FINANCIAL
● Living beyond one's means
● High personal debt/expenses
● "Inadequate" salary/income
● Poor credit ratings
● Heavy financial losses
● Bad investments
● Tax avoidance
● Unreasonable quotas/goals

EMOTIONAL
● Excessive greed, ego, pride, ambition
● Performance not recognized
● Job dissatisfaction
● Fear of losing job
● Need for power or control
● Overt, deliberate nonconformity
● Inability to abide by or respect rules
● Challenge of beating the system
● Envy or resentment against others
● Need to win financial one-upmanship competition
● Coercion by bosses/top management

LIFESTYLE
● Gambling habit
● Drug or alcohol addiction
● Sexual relationships
● Family/peer pressure

TABLE 11-5 Framework for Audit of Source Data Controls

TYPES OF ERRORS AND FRAUD
● Inaccurate or unauthorized source data

CONTROL PROCEDURES
● Effective handling of source data input by data control personnel
● User authorization of source data input
● Preparation and reconciliation of batch control totals
● Logging the receipt, movement, and disposition of source data input
● Check digit verification
● Key verification
● Use of turnaround documents
● Data editing routines
● User department review of file change listings and summaries
● Effective procedures for correcting and resubmitting erroneous data

AUDIT PROCEDURES: SYSTEM REVIEW
● Review documentation about data control function responsibilities
● Review administrative documentation for source data control standards
● Review authorization methods and examine authorization signatures
● Review documentation to identify processing steps and source data content and controls
● Document source data controls using an input control matrix
● Discuss source data controls with data control personnel, system users, and managers

AUDIT PROCEDURES: TESTS OF CONTROLS
● Observe and evaluate data control department operations and control procedures
● Verify proper maintenance and use of data control log
● Evaluate how error log items are dealt with
● Examine source data for proper authorization
● Reconcile batch totals and follow up on discrepancies
● Trace disposition
of errors flagged by data edit routines COMPENSATING CONTROLS ● Strong user and data processing controls Audit Software computer-assisted audit techniques (CAATS) - Audit software that uses auditor-supplied specifications to generate a program that performs audit functions generalized audit software (GAS) - Audit software that uses auditor-supplied specifications to generate a program that performs audit functions M11_ROMN4021_14_SE_C11.indd 336 Computer-assisted audit techniques (CAATs) refer to audit software, often called generalized audit software (GAS), that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process Two of the most popular software packages are Audit Control Language (ACL) and Interactive Data Extraction and Analysis (IDEA) CAATs are ideally suited for examining large data files to identify records needing further audit scrutiny The U.S government discovered that CAATs are a valuable tool in reducing massive federal budget deficits The software is used to identify fraudulent Medicare claims and pinpoint excessive charges by defense contractors The General Accounting Office (GAO) crosschecked figures with the Internal Revenue Service (IRS) and discovered that thousands of veterans lied about their income to qualify for pension benefits Some 116,000 veterans who received pensions based on need did not disclose $338 million in income from savings, dividends, or rents More than 13,600 underreported income; one did not report income of over $300,000 When the Veterans Administration (VA) notified beneficiaries that their income would be verified with the IRS and the Social Security Administration, pension rolls dropped by more than 13,000, at a savings of $9 million a month The VA plans to use the same system for checking income levels of those applying for medical care If their income is found to be above a certain level, patients will be required to make copayments 
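The income cross-check described above, as an added example that is not from the textbook: the auditor's specifications (which two files, which matching key, what size of discrepancy is material) drive a small routine that matches the pension file against an independent source and produces an exception report, with the duplicate-item and unmatched-record tests an auditor would also want. The beneficiary IDs, names, amounts and the CSV layout are all constructed for the illustration.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data (not from the textbook): income that need-based
# pension beneficiaries declared to the paying agency, plus their benefit.
PENSION_CSV = """beneficiary_id,name,declared_income,monthly_pension
V001,A. Adams,8000,450
V002,B. Baker,6500,610
V003,C. Clark,9000,380
V004,D. Davis,5000,700
V005,E. Evans,7200,520
V006,F. Frank,4100,750
V006,F. Frank,4100,750
"""

# Constructed sample data: income for the same year as reported to the tax
# authority, the independent source the auditor verifies against.
TAX_CSV = """beneficiary_id,reported_income
V001,8000
V002,22500
V003,9400
V005,310000
V006,4100
"""

Row = Dict[str, str]


def load_rows(csv_text: str) -> List[Row]:
    """Read a CSV extract into dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_duplicates(rows: List[Row], key: str) -> List[str]:
    """Duplicate-item test: key values that appear more than once."""
    counts = Counter(row[key] for row in rows)
    return sorted(value for value, n in counts.items() if n > 1)


def cross_check(pension_rows: List[Row], tax_rows: List[Row],
                threshold: int) -> Tuple[List[Dict], List[str]]:
    """Match each beneficiary against the tax file.

    Returns (exceptions, unverifiable): exceptions are beneficiaries whose
    reported income exceeds their declared income by at least `threshold`
    (the auditor's materiality cutoff), largest understatement first;
    unverifiable are beneficiaries with no record in the independent source,
    which the auditor must follow up separately rather than treat as clean.
    """
    reported = {row["beneficiary_id"]: int(row["reported_income"])
                for row in tax_rows}
    exceptions: List[Dict] = []
    unverifiable: List[str] = []
    seen = set()
    for row in pension_rows:
        bid = row["beneficiary_id"]
        if bid in seen:            # repeated rows are reported by find_duplicates
            continue
        seen.add(bid)
        if bid not in reported:
            unverifiable.append(bid)
            continue
        understated = reported[bid] - int(row["declared_income"])
        if understated >= threshold:
            exceptions.append({
                "beneficiary_id": bid,
                "name": row["name"],
                "declared_income": int(row["declared_income"]),
                "reported_income": reported[bid],
                "understated_by": understated,
                "monthly_pension": int(row["monthly_pension"]),
            })
    exceptions.sort(key=lambda e: e["understated_by"], reverse=True)
    return exceptions, unverifiable


def run_audit(pension_csv: str, tax_csv: str, threshold: int) -> Dict:
    """Apply the auditor's specifications and assemble the exception report."""
    pension_rows = load_rows(pension_csv)
    exceptions, unverifiable = cross_check(pension_rows, load_rows(tax_csv),
                                           threshold)
    return {
        "exceptions": exceptions,
        "unverifiable": unverifiable,
        "duplicates": find_duplicates(pension_rows, "beneficiary_id"),
        "total_understated": sum(e["understated_by"] for e in exceptions),
        "monthly_pension_at_risk": sum(e["monthly_pension"] for e in exceptions),
    }


if __name__ == "__main__":
    report = run_audit(PENSION_CSV, TAX_CSV, threshold=1000)
    print("Exception report (understatement >= $1,000):")
    for e in report["exceptions"]:
        print(f"  {e['beneficiary_id']} {e['name']:<10} declared {e['declared_income']:>8,}"
              f"  reported {e['reported_income']:>8,}  understated by {e['understated_by']:>8,}")
    print("Not verifiable against tax file:", report["unverifiable"])
    print("Duplicate beneficiary records:", report["duplicates"])
    print(f"Undisclosed income in exceptions: ${report['total_understated']:,}")
    print(f"Monthly pension at risk: ${report['monthly_pension_at_risk']:,}")
```

The exception report is where the auditor's work starts, not ends: each flagged beneficiary, each unmatched record and each duplicate still has to be investigated, exactly as the text says CAATs do not replace the auditor's judgment.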
In another example, a new tax collector in a small New England town requested a tax audit. Using CAATs, the auditor accessed tax collection records for the previous four years, sorted them by date, summed collections by month, and created a report of monthly tax collections. The analysis revealed that collections during January and July, the two busiest months, had declined by 58% and 72%, respectively. Auditors then used CAATs to compare each tax collection record with property records. They identified several discrepancies, including one committed by the former tax collector, who used another taxpayer’s payment to cover her own delinquent tax bills. The former tax collector was arrested for embezzlement.

CHAPTER 11 AUDITING COMPUTER-BASED INFORMATION SYSTEMS

TABLE 11-6 Framework for Audit of Data File Controls

TYPES OF ERRORS AND FRAUD
● Destruction of stored data due to errors, hardware or software malfunctions, and intentional acts of sabotage or vandalism
● Unauthorized modification or disclosure of stored data

CONTROL PROCEDURES
● Storage of data in a secure file library and restriction of physical access to data files
● Logical access controls and an access control matrix
● Proper use of file labels and write-protection mechanisms
● Concurrent update controls
● Data encryption for confidential data
● Virus protection software
● Off-site backup of all data files
● Checkpoint and rollback procedures to facilitate system recovery

AUDIT PROCEDURES: SYSTEM REVIEW
● Review documentation for file library operation
● Review logical access policies and procedures
● Review standards for virus protection, off-site data storage, and system recovery procedures
● Review controls for concurrent updates, data encryption, file conversion, and reconciliation of master file totals with independent control totals
● Examine disaster recovery plan
● Discuss file control procedures with managers and operators

AUDIT PROCEDURES: TESTS OF CONTROLS
● Observe and evaluate file library operations
● Review records of password assignment and modification
● Observe and evaluate file-handling procedures by operations personnel
● Observe the preparation and off-site storage of backup files
● Verify the effective use of virus protection procedures
● Verify the use of concurrent update controls and data encryption
● Verify completeness, currency, and testing of disaster recovery plans
● Reconcile master file totals with separately maintained control totals
● Observe the procedures used to control file conversion

COMPENSATING CONTROLS
● Strong user and data processing controls
● Effective computer security controls

To use CAATs, auditors decide on audit objectives, learn about the files and databases to be audited, design the audit reports, and determine how to produce them. This information is recorded on specification sheets and entered into the system. The CAATs program uses the specifications to produce an auditing program. The program uses a copy of the company’s live data (to avoid introducing any errors) to perform the auditing procedures and produce the specified audit reports. CAATs cannot replace the auditor’s judgment or free the auditor from other phases of the audit. For example, the auditor must still investigate items on exception reports, verify file totals against other sources of information, and examine and evaluate audit samples. CAATs are especially valuable for companies with complex processes, distributed operations, high transaction volumes, or a wide variety of applications and systems.

The following are some of the more important uses of CAATs:
● Querying data files to retrieve records meeting specified criteria
● Creating, updating, comparing, downloading, and merging files
● Summarizing, sorting, and filtering data
● Accessing data in different formats and converting the data into a common format
● Examining records for quality, completeness, consistency, and correctness
● Stratifying records, selecting and analyzing statistical samples
● Testing for specific risks and identifying how to control for that risk
● Performing calculations, statistical analyses, and other mathematical operations
● Performing analytical tests, such as ratio and trend analysis, looking for unexpected or unexplained data patterns that may indicate fraud
● Identifying financial leakage, policy noncompliance, and data processing errors
● Reconciling physical counts to computed amounts, testing clerical accuracy of extensions and balances, testing for duplicate items
● Formatting and printing reports and documents
● Creating electronic work papers

Operational Audits of an AIS

The techniques and procedures used in operational audits are similar to audits of information systems and financial statements. The basic difference is audit scope. An information systems audit is confined to internal controls and a financial audit to systems output, whereas an operational audit encompasses all aspects of systems management. In addition, objectives of an operational audit include evaluating effectiveness, efficiency, and goal achievement.

The first step in an operational audit is audit planning, during which the scope and objectives of the audit are established, a preliminary system review is performed, and a tentative audit program is prepared. The next step, evidence collection, includes the following activities:
● Reviewing operating policies and documentation
● Confirming procedures with management and operating personnel
● Observing operating functions and activities
● Examining financial and operating plans and reports
● Testing the accuracy of operating information
● Testing controls

At the evidence evaluation stage, the auditor measures the system against one that follows the best systems management principles. One important consideration is that the results of management policies and practices are more significant than the policies and practices themselves. That is, if good results are achieved through policies and practices that are theoretically deficient, then the auditor must carefully consider whether recommended improvements would substantially improve results. Auditors document their findings and conclusions and communicate them to management.

The ideal operational auditor has audit training and experience as well as a few years’ experience in a managerial position. Auditors with strong auditing backgrounds but weak management experience often lack the perspective necessary to understand the management process.

Summary and Case Conclusion

Jason is trying to determine how his parallel simulation program generated sales commission figures that were higher than those generated by SPP’s program. Believing that this discrepancy meant there was a systematic error, he asked to review a copy of SPP’s program. The program was lengthy, so Jason used a scanning routine to search the code for occurrences of “40000,” because that was the point at which the commission rate changes, according to the new policy. He discovered a commission rate of 0.085 for sales in excess of $40,000, whereas the policy called for only 0.075. Some quick calculations confirmed that this error caused the differences between the two programs. Jason’s audit manager met with the embarrassed development team, who acknowledged and corrected the coding error.

The audit manager called Jason to congratulate him. He informed Jason that the undetected programming error would have cost over $100,000 per year in excess sales commissions. Jason was grateful for the manager’s praise and took the opportunity to point out deficiencies in the development team’s programming practices. First, the commission rate table was embedded in the program code; good programming practice requires that it be stored in a separate
table to be used by the program when needed. Second, the incident called into question the quality of SPP’s program development and testing practices. Jason asked whether a more extensive operational audit of those practices was appropriate. The audit manager agreed it was worth examining and promised to raise the issue at his next meeting with Northwest’s director of internal auditing.

KEY TERMS

auditing 323
internal auditing 323
financial audit 323
information systems (internal control) audit 323
operational audit 324
compliance audit 324
investigative audit 324
inherent risk 324
control risk 324
detection risk 324
confirmation 325
reperformance 325
vouching 325
analytical review 326
materiality 326
reasonable assurance 326
systems review 326
tests of controls 326
compensating controls 326
source code comparison program 331
reprocessing 331
parallel simulation 331
test data generator 332
concurrent audit techniques 333
embedded audit modules 333
integrated test facility (ITF) 333
snapshot technique 333
system control audit review file (SCARF) 333
audit log 333
audit hooks 333
continuous and intermittent simulation (CIS) 333
automated flowcharting programs 334
automated decision table programs 334
scanning routines 334
mapping programs 334
program tracing 334
input controls matrix 334
computer-assisted audit techniques (CAATs) 336
generalized audit software (GAS) 336

AIS in Action

CHAPTER QUIZ

1. Which of the following is a characteristic of auditing?
a. Auditing is a systematic, step-by-step process
b. Auditing involves the collection and review of evidence
c. Auditing involves the use of established criteria to evaluate evidence
d. All of the above are characteristics of auditing

2. Which of the following is NOT a reason an internal auditor should participate in internal control reviews during the design of new systems?
a. It is more economical to design controls during the design stage than to do so later
b. It eliminates the need for testing controls during regular audits
c. It minimizes the need for expensive modifications after the system is implemented
d. It permits the design of audit trails while they are economical

3. Which type of audit involves a review of general and application controls, with a focus on determining whether there is compliance with policies and adequate safeguarding of assets?
a. information systems audit
b. financial audit
c. operational audit
d. compliance audit

4. At what step in the audit process do the concepts of reasonable assurance and materiality enter into the auditor’s decision process?
a. planning
b. evidence collection
c. evidence evaluation
d. they are important in all three steps

5. What is the four-step approach to internal control evaluation that provides a logical framework for carrying out an audit?
a. inherent risk analysis
b. systems review
c. tests of controls
d. risk-based approach to auditing

6. Which of the following procedures is NOT used to detect unauthorized program changes?
a. source code comparison
b. parallel simulation
c. reprocessing
d. reprogramming code

7. Which of the following is a concurrent audit technique that monitors all transactions and collects data on those that meet certain characteristics specified by the auditor?
a. ITF
b. snapshot techniques
c. SCARF
d. audit hooks

8. Which of the following is a computer technique that assists an auditor in understanding program logic by identifying all occurrences of specific variables?
a. mapping program
b. program tracing
c. automated flowcharting
d. scanning routine

9. Which of the following is a computer program written especially for audit use?
a. GAS
b. CATAS
c. ITF
d. CIS

10. The focus of an operational audit is on which of the following?
a. reliability and integrity of financial information
b. all aspects of information systems management
c. internal controls
d. safeguarding assets

DISCUSSION QUESTIONS

11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and their accounting applications. However, it may not be feasible for every auditor to be a computer expert. Discuss the extent to which auditors should possess computer expertise in order to be effective auditors.

11.2 Should internal auditors be members of systems development teams that design and implement an AIS? Why, or why not?

11.3 Berwick Industries is a fast-growing corporation that manufactures industrial containers. The company has a sophisticated AIS that uses advanced technology. Berwick’s executives have decided to pursue listing the company’s securities on a national stock exchange, but they have been advised that their listing application would be stronger if they were to create an internal audit department. At present, no Berwick employees have auditing experience. To staff its new internal audit function, Berwick could (a) train some of its computer specialists in auditing, (b) hire experienced auditors and train them to understand Berwick’s information system, (c) use a combination of the first two approaches, or (d) try a different approach. Which approach would you support, and why?

11.4 The assistant finance director for the city of Tustin, California, was fired after city officials discovered that she had used her access to city computers to cancel her daughter’s $300 water bill. An investigation revealed that she had embezzled a large sum of money from Tustin over a long period. She was able to conceal the embezzlement for so long because the amount embezzled always fell within a 2% error factor used by the city’s internal auditors. What weaknesses existed in the audit approach?
How could the audit plan be improved? What internal control weaknesses were present in the system? Should Tustin’s internal auditors have discovered this fraud earlier?

11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an anonymous note from an assembly-line operator who has worked at the company’s West Coast factory for the past 15 years. The note indicated that there are some fictitious employees on the payroll as well as some employees who have left the company. He offers no proof or names. What CAAT could Lou use to substantiate or refute the employee’s claims? (CIA Examination, adapted)

11.6 Explain the four steps of the risk-based audit approach, and discuss how they apply to the overall security of a company.

11.7 Compare and contrast the frameworks for auditing program development/acquisition and for auditing program modification.

PROBLEMS

11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita, the manager of administrative data processing, and expressed the desire to establish a more effective interface between the two departments. Issa wants your help with a new computerized accounts payable system currently in development. He recommends that your department assume line responsibility for auditing suppliers’ invoices prior to payment. He also wants internal auditing to make suggestions during system development, assist in its installation, and approve the completed system after making a final review.

REQUIRED Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the preaudit of suppliers’ invoices
b. The request that you make suggestions during system development
c. The request that you assist in the installation of the system and approve the system after making a final review
(CIA Examination, adapted)

11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the audit of the company’s AIS. You have been reviewing the internal controls of the computer system that processes most of its accounting applications. You have studied the company’s extensive systems documentation. You have interviewed the information system manager, operations supervisor, and other employees to complete your standardized computer internal control questionnaire. You report to your supervisor that the company has designed a successful set of comprehensive internal controls into its computer systems. He thanks you for your efforts and asks for a summary report of your findings for inclusion in a final overall report on accounting internal controls.

REQUIRED Have you forgotten an important audit step?
Explain. List five examples of specific audit procedures that you might recommend before reaching a conclusion.

11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a computer payroll system. To test the computer systems and programs, you submit independently created test transactions with regular data in a normal production run.

REQUIRED List four advantages and two disadvantages of this technique. (CIA Examination, adapted)

11.4 You are involved in the audit of accounts receivable, which represent a significant portion of the assets of a large retail corporation. Your audit plan requires the use of the computer, but you encounter the following reactions:
a. The computer operations manager says the company’s computer is running at full capacity for the foreseeable future and that the auditor will not be able to use the system for audit tests.
b. The scheduling manager suggests that your computer program be stored in the computer program library so that it can be run when computer time becomes available.
c. You are refused admission to the computer room.
d. The systems manager tells you that it will take too much time to adapt the auditor’s computer audit program to the computer’s operating system and that company programmers will write the programs needed for the audit.

REQUIRED For each situation, state how the auditor should proceed with the accounts receivable audit. (CIA Examination, adapted)

11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DC&H). While reviewing your staff’s audit work papers for the state welfare agency, you find that the test data approach was used to test the agency’s accounting software. A duplicate program copy, the welfare accounting data file obtained from the computer operations manager, and the test transaction data file that the welfare agency’s programmers used when the program was written were processed on DC&H’s home office computer. The edit summary report listing no errors was included in the working papers, with a notation by the senior auditor that the test indicates good application controls. You note that the quality of the audit conclusions obtained from this test is flawed in several respects, and you decide to ask your subordinates to repeat the test.

REQUIRED Identify three existing or potential problems with the way this test was performed. For each problem, suggest one or more procedures that might be performed during the revised test to avoid flaws in the audit conclusions.

11.6 You are performing an information system audit to evaluate internal controls in Aardvark Wholesalers’ (AW) computer system. From an AW manual, you have obtained the following job descriptions for key personnel:

Director of information systems: Responsible for defining the mission of the information systems division and for planning, staffing, and managing the IS department.

Manager of systems development and programming: Reports to director of information systems. Responsible for managing the systems analysts and programmers who design, program, test, implement, and maintain the data processing systems. Also responsible for establishing and monitoring documentation standards.

Manager of operations: Reports to director of information systems. Responsible for management of computer center operations, enforcement of processing standards, and systems programming, including implementation of operating system upgrades.

Data entry supervisor: Reports to manager of operations. Responsible for supervision of data entry operations and monitoring data preparation standards.

Operations supervisor: Reports to manager of operations. Responsible for supervision of computer operations staff and monitoring processing standards.

Data control clerk: Reports to manager of operations. Responsible for logging and distributing computer input and output, monitoring source data control procedures, and custody of programs and data files.

REQUIRED
a. Prepare an organizational chart for AW’s information systems division.
b. Name two positive and two negative aspects (from an internal control standpoint) of this organizational structure.
c. What additional information would you require before making a final judgment on the adequacy of AW’s separation of functions in the information systems division?

11.7 Robinson’s Plastic Pipe Corporation uses a data processing system for inventory. The input to this system is shown in Table 11-7. You are using an input controls matrix to help audit the source data controls.

REQUIRED Prepare an input controls matrix using the format and input controls shown in Figure 11-3; however, replace the field names shown in Figure 11-3 with those shown in Table 11-7. Place checks in the matrix cells that represent input controls you might expect to find for each field.

11.8 As an internal auditor for the state auditor’s office, you are assigned to review the implementation of a new computer system in the state welfare agency. The agency is installing an online computer system to maintain the state’s database of welfare recipients. Under the old system, applicants for welfare assistance completed a form giving their name, address, and other personal data, plus details about their income, assets, dependents, and other data needed to establish eligibility. The data are checked by welfare examiners to verify their authenticity, certify the applicant’s eligibility for assistance, and determine the form and amount of aid. Under the new system, welfare applicants enter data on the agency’s website or give their data to clerks, who enter it using online terminals. Each applicant record has a “pending” status until a welfare examiner can verify the authenticity of the data used to determine eligibility. When the verification is
completed, the examiner changes the status code to “approved,” and the system calculates the aid amount Periodically, recipient circumstances (income, assets, dependents, etc.) change, and the database is updated Examiners enter these changes as soon as their accuracy is verified, and the system recalculates the recipient’s new welfare benefit At the end of each month, payments are electronically deposited in the recipient’s bank accounts Welfare assistance amounts to several hundred million dollars annually You are concerned about the possibilities of fraud and abuse REQUIRED a Describe how to employ concurrent audit techniques to reduce the risks of fraud and abuse b Describe how to use computer audit software to review the work welfare examiners to verify applicant eligibility data Assume that the state auditor’s office has access to other state and local government agency databases TABLE 11-7 Parts Inventory Transaction File FIELD NAME Item number Description Transaction date Transaction type Document number Quantity Unit Cost M11_ROMN4021_14_SE_C11.indd 343 FIELD TYPE Numeric Alphanumeric Date Alphanumeric Alphanumeric Numeric Monetary 06/09/16 10:37 AM 344 PART II CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS 11.9 Melinda Robinson, the director of internal auditing at Sachem Manufacturing Company, believes the company should purchase software to assist in the financial and procedural audits her department conducts Robinson is considering the following software packages: • A GAS package to assist in basic audit work, such as the retrieval of live data from large computer files The department would review this information using conventional audit investigation techniques The department could perform criteria selection, sampling, basic computations for quantitative analysis, record handling, graphical analysis, and print output (i.e., confirmations) • An ITF package that uses, monitors, and controls dummy test data processed by existing programs It also 
checks the existence and adequacy of data entry and processing controls • A flowcharting package that graphically presents the flow of information through a system and pinpoints control strengths and weaknesses • A parallel simulation and modeling package that uses actual data to conduct the same tests using a logic program developed by the auditor The package can also be used to seek answers to difficult audit problems (involving many comparisons) within statistically acceptable confidence limits REQUIRED a Without regard to any specific computer audit software, identify the general advantages of using computer audit software b Describe the audit purpose facilitated and the procedural steps followed when using the following: • GAS • ITF • Flowcharting • Parallel simulation and modeling (CMA Examination, adapted) 11.10 The fixed-asset master file at Thermo-Bond includes the following data items: Asset number Description Type code Location code Date of acquisition Original cost Date of retirement (99/99/2099 for assets still in service) Depreciation method code Depreciation rate Useful life (years) Accumulated depreciation at beginning of year Year-to-date depreciation REQUIRED Explain how GAS can be used in a financial audit of Thermo-Bond’s fixed assets 11.11 You are auditing the financial statements of a cosmetics distributor that sells thousands of individual items The distributor keeps its inventory in its distribution center and in two public warehouses At the end of each business day, it updates its inventory file, whose records contain the following data: Item number Item description Quantity-on-hand Item location Cost per item Date of last purchase Date of last sale Quantity sold during year You will use audit software to examine inventory data as of the date of the distributor’s physical inventory count You will perform the following audit procedures: Observe the distributor’s physical inventory count at year-end and test a sample for accuracy Compare the 
auditor’s test counts with the inventory records Compare the company’s physical count data with the inventory records Test the mathematical accuracy of the distributor’s final inventory valuation M11_ROMN4021_14_SE_C11.indd 344 06/09/16 10:37 AM CHAPTER 11 AUDITING COMPUTER-BASED INFORMATION SYSTEMS 345 Test inventory pricing by obtaining item costs from buyers, vendors, or other sources Examine inventory purchase and sale transactions on or near the year-end date to verify that all transactions were recorded in the proper accounting period Ascertain the propriety of inventory items located in public warehouses Analyze inventory for evidence of possible obsolescence Analyze inventory for evidence of possible overstocking or slow-moving items 10 Test the accuracy of individual data items listed in the distributor’s inventory master file REQUIRED Describe how an audit software package and a copy of the inventory file can help you perform each auditing procedure (AICPA Examination, adapted) 11.12 Which of the following should have the primary responsibility to detect and correct data processing errors? Explain why that function should have primary responsibility and why the others should not a The data processing manager b The computer operator c The corporate controller d The independent auditor (CPA Examination, adapted) 11.13 Select the correct answer for each of the following multiple choice questions With respect to audit planning, which of the following statements is false? 
a It determines why, how, when, and by whom the audit will be performed b Among the final steps in audit planning is establishing the audit’s scope and objectives c Except for the smallest audits, an audit team with the necessary experience and expertise is formed d An audit program is prepared to show the nature, extent, and timing of the procedures needed to achieve audit objectives and minimize audit risks e A typical audit has a mix of audit procedures, such as observations, documentation reviews, sending confirmations, and analytical reviews With respect to evaluating audit evidence, which of the following statements is false? a The auditor evaluates the evidence gathered and decides whether it supports a favorable or unfavorable conclusion b Auditors focus on detecting and reporting errors that significantly impact management’s interpretation of the audit findings c To avoid lawsuits, the auditor seeks near absolute assurance that no material error exists in the information or process audited d In all audit stages, findings and conclusions are documented in audit working papers A four-part, risk-based audit approach provides a framework for conducting information system audits Performing a systems review is done in which of the four parts? 
a. Determine the threats (accidental or intentional abuse and damage) to which the system is exposed.
b. Identify the control procedures that management has put into place to prevent, detect, or correct the threats.
c. Evaluate whether control procedures are actually in place and if they work as intended.
d. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.
4. The first objective in an IS audit is ensuring the overall security of the system. Select all of the following controls that would be effective in minimizing the overall security threats faced by an information system.
a. Proper use of internal and external file labels
b. Information security/protection plan
c. Limiting physical access to computer equipment
d. Limiting logical access to the system using authentication and authorization controls
e. Key verification
346 PART II CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS
5. The second objective in an IS audit is ensuring proper program development and acquisition. Select all of the following controls that would be effective in minimizing the program development and acquisition threats faced by an information system.
a. Management authorization for program development and software acquisition
b. Reconciliation of batch totals
c. Thorough testing of new programs, including user acceptance tests
d. Fault-tolerant systems design
e. Casualty and business interruption insurance
6. The third objective in an IS audit is ensuring proper program modification. Select all of the following controls that would be effective in minimizing the program modification threats faced by an information system.
a. User authorization of source data input
b. Use of turnaround documents
c. List program components to be modified
d. Management authorization and approval of program modifications
e. User approval of program change specifications
7. The fourth objective in an IS audit is ensuring accurate computer processing. Select all of the following controls that would be effective in minimizing the computer processing threats faced by an information system.
a. Check digit verification
b. Complete program change documentation, including approvals
c. Competent supervision of computer operations
d. Maintenance of proper environmental conditions in a computer facility
e. Firewalls
8. The fifth objective in an IS audit is ensuring accurate source data. Select all of the following controls that would be effective in minimizing the threats to source data in an information system.
a. Effective handling of source data input by data control personnel
b. Logging the receipt, movement, and disposition of source data input
c. Management and user approval of programming specifications
d. Effective procedures for correcting and resubmitting erroneous data
e. Disaster recovery plan
9. The sixth objective in an IS audit is protecting data files. Select all of the following controls that would be effective in minimizing the threats to a company’s data files.
a. Storage of data in a secure file library and restriction of physical access to data files
b. Concurrent update controls
c. Data editing routines
d. Off-site backup of all data files
e. Thorough test of program changes, including user acceptance tests

11.14 There are several different types of tools or techniques that auditors can use in conducting information system audits. Match the tool or technique in the left-hand column with its description in the right-hand column.

Tool or technique
1. audit hooks
2. audit log
3. automated decision table program
4. automated flowcharting program
5. concurrent audit techniques
6. continuous and intermittent simulation (CIS)
7. embedded audit modules
8. input controls matrix
9. integrated test facility (ITF)
10. mapping program
11. parallel simulation
12. program tracing
13. reprocessing
14. scanning routines
15. snapshot technique
16. source code comparison program
17. system control audit review file (SCARF)
18. test data generator

Description
a. Software that compares the current version of a program with its original code; differences should have been properly authorized and correctly incorporated
b. Using source code to process data and comparing the output with the company’s output; discrepancies are investigated to see if unauthorized program changes were made
c. Using auditor-written software to process data and comparing the output with the company’s output; discrepancies are investigated to see if unauthorized program changes were made
d. Software that, based on program specifications, generates a set of data used to test program logic
e. Software that continuously monitors a system as it processes live data and collects, evaluates, and reports information about system reliability
f. Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review
g. Inserting a dummy entity in a company’s system; processing test transactions to update them will not affect actual records
h. Marking transactions with a special code, recording them and their master file records before and after processing, and storing the data to later verify that all processing steps were properly executed
i. Using embedded audit modules to continuously monitor transactions, collect data on transactions with special audit significance, and store the data to later identify and investigate questionable transactions
j. A file containing transactions that have audit significance
k. Audit routines that notify auditors of questionable transactions, often as they occur
l. Embedding an audit module in a DBMS that uses specified criteria to examine all transactions that update the database
m. Software that interprets a program’s source code and generates a flowchart of the program’s logic
n. Software that interprets a program’s source code and generates a decision table of the program’s logic
o. Software that searches a program for the occurrence of specified items
p. Software that identifies unexecuted program code
q. Sequentially printing all executed program steps, intermingled with output, so a program’s execution sequence can be observed
r. A matrix that shows control procedures applied to each input record field; used to document the review of source data controls

CASE 11-1 Preston Manufacturing
You are performing a financial audit of the general ledger accounts of Preston Manufacturing. As transactions are processed, summary journal entries are added to the general ledger file at the end of the day. At the end of each day, the general journal file is processed against the general ledger control file to compute a new current balance for each account and to print a trial balance. The following resources are available as you complete the audit:
● Your firm’s generalized computer audit software
● A copy of the general journal file for the entire year
● A copy of the general ledger file as of fiscal year-end (current balance = year-end balance)
● A printout of Preston’s year-end trial balance listing the account number, account name, and balance of each account on the general ledger control file
Create an audit program for Preston Manufacturing. For each audit step, list the audit objectives and the procedures you would use to accomplish the audit program step.

GENERAL JOURNAL
Field Name                   Field Type
Account number               Numeric
Amount                       Monetary
Debit/credit code            Alphanumeric
Date (MM/DD/YY)              Date
Reference document type      Alphanumeric
Reference document number    Numeric

GENERAL LEDGER CONTROL
Field Name                   Field Type
Account number               Numeric
Account name                 Alphanumeric
Beginning balance/year       Monetary
Beg-bal-debit/credit code    Alphanumeric
Current balance              Monetary
Cur-bal-debit/credit code    Alphanumeric

AIS in Action Solutions
QUIZ KEY
1. Which of the following is a characteristic of auditing?
a. Auditing is a systematic, step-by-step process. [Incorrect. While this is true, it is not the only correct answer.]
b. Auditing involves the collection and review of evidence. [Incorrect. While this is true, it is not the only correct answer.]
c. Auditing involves the use of established criteria to evaluate evidence. [Incorrect. While this is true, it is not the only correct answer.]
▶ d. All of the above are characteristics of auditing. [Correct. Auditing is a systematic, step-by-step process that involves the collection and review of evidence and uses established criteria to evaluate evidence.]
2. Which of the following is NOT a reason an internal auditor should participate in internal control reviews during the design of new systems?
a. It is more economical to design controls during the design stage than to do so later. [Incorrect. Internal audit should participate in internal control reviews because it is far less expensive to design controls during systems design than to try and implement controls after the system has been designed.]
▶ b. It eliminates the need for testing controls during regular audits. [Correct. Even if the auditor participates in internal control reviews, the auditor will still have to test controls to determine whether they are in place and working as intended.]
c. It minimizes the need for expensive modifications after the system is implemented. [Incorrect. Internal auditors should participate in internal control reviews because it reduces the likelihood of post-system-implementation modifications.]
d. It permits the design of audit trails while they are economical. [Incorrect. Internal auditors should participate in internal control reviews because their participation in systems design does facilitate the design of effective audit trails.]
3. Which type of audit involves a review of general and application controls, with a focus on determining if there is compliance with policies and adequate safeguarding of assets?
▶ a. information systems audit [Correct. An information systems audit reviews general and application controls, with a focus on determining whether there is compliance with policies and adequate safeguarding of assets.]
b. financial audit [Incorrect. A financial audit examines the reliability of accounting records.]
c. operational audit [Incorrect. An operational audit is concerned with the efficient use of resources and the accomplishment of entity objectives.]
d. compliance audit [Incorrect. A compliance audit is concerned with reviewing whether an entity is meeting prescribed policies, rules, and laws.]
4. At what step in the audit process do the concepts of reasonable assurance and materiality enter into the auditor’s decision process?
a. planning [Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during planning, they are also important in other steps in the audit process.]
b. evidence collection [Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during evidence collection, they are also important in other steps in the audit process.]
c. evidence evaluation [Incorrect. Although materiality and reasonable assurance enter into the auditor’s decision process during evidence evaluation, they are also important in other steps in the audit process.]
▶ d. They are important in all three steps. [Correct. Materiality and reasonable assurance are important when the auditor plans an audit and when the auditor collects and evaluates evidence.]
5. What is the four-step approach to internal control evaluation that provides a logical framework for carrying out an audit?
a. inherent risk analysis [Incorrect. Inherent risk is the susceptibility to material risk in the absence of controls.]
b. systems review [Incorrect. Systems review involves reviewing system documentation and interviewing appropriate personnel to determine whether the necessary procedures are in place.]
c. tests of controls [Incorrect. Tests of controls are conducted to determine whether control policies and procedures are satisfactorily followed.]
▶ d. risk-based approach to auditing [Correct. The risk-based audit approach is a four-step approach to carrying out an audit. The four steps are determining threats, identifying control procedures, evaluating control procedures, and evaluating weaknesses.]
6. Which of the following procedures is NOT used to detect unauthorized program changes?
a. source code comparison [Incorrect. Source code comparison is used to detect unauthorized program changes by thoroughly testing a newly developed program and keeping a copy of its source code.]
b. parallel simulation [Incorrect. To use parallel simulation to detect unauthorized program changes, an auditor writes a version of the program, reprocesses the company’s data, compares the results to the company’s results, and investigates any differences.]
c. reprocessing [Incorrect. To use reprocessing to detect unauthorized program changes, the auditor verifies the integrity of an application program, saves it, and on a surprise basis uses the program to reprocess data and compare that output with the company’s output.]
▶ d. reprogramming code [Correct. Reprogramming code is not used to test for unauthorized program changes.]
7. Which of the following is a concurrent audit technique that monitors all transactions and collects data on those that meet certain characteristics specified by the auditor?
a. ITF [Incorrect. An integrated test facility inserts a dummy company or division into a computer system to test transaction data without affecting real data.]
b. snapshot techniques [Incorrect. The snapshot technique records the content of both a transaction record and a related master file record before each processing step.]
▶ c. SCARF [Correct. System control audit review file is a concurrent audit technique that embeds audit modules into application software to monitor continuously all transaction activity.]
d. audit hooks [Incorrect. An audit hook is a concurrent audit technique that embeds audit routines into application software to flag certain kinds of transactions that might be indicative of fraud.]
8. Which of the following is a computer technique that assists an auditor in understanding program logic by identifying all occurrences of specific variables?
a. mapping program [Incorrect. Mapping programs are activated during regular processing and provide information about portions of the application program that were not executed.]
b. program tracing [Incorrect. Program tracing is a technique used to determine application program logic in order to test program controls.]
c. automated flowcharting [Incorrect. Automated flowcharting interprets source code and generates a flowchart of that program.]
▶ d. scanning routine [Correct. Scanning routine software programs search for particular variable names or specific characters.]
9. Which of the following is a computer program written especially for audit use?
▶ a. GAS [Correct. Generalized audit software is a software program written especially for audit uses, such as testing data files. Examples are ACL and IDEA.]
b. CATAS [Incorrect. CATAS has no meaning in information systems auditing. Computer-assisted audit techniques (CAATs) is the name given to all computer-assisted techniques used to audit computers.]
c. ITF [Incorrect. An integrated test facility places a small set of fictitious records in master files. Transactions are processed for these records, and the actual and expected results are compared.]
d. CIS [Incorrect. Continuous and intermittent simulation embeds an audit module in a DBMS that examines all transactions that update the database.]
10. The focus of an operational audit is on which of the following?
a. reliability and integrity of financial information [Incorrect. A financial audit examines the reliability and integrity of financial information.]
▶ b. all aspects of information systems management [Correct. An operational audit is concerned with all aspects of information systems management.]
c. internal controls [Incorrect. The focus of an operational audit is much broader than just internal controls.]
d. safeguarding assets [Incorrect. The focus of an operational audit is much broader than just the safeguarding of assets.]
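As an added example (not from the textbook or any AICPA material), the following Python sketch shows the kind of steps a generalized audit software package would run against the Case 11-1 general journal and general ledger control files: footing each journal entry, validating account numbers against the control file, a cutoff test on the date field, and recomputing each account's year-end balance for comparison with the current balance and trial balance. The record tuples follow the field lists in the case; every value, the fiscal year, and the assumption that a two-digit year means 20YY are constructed for the demo.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

FISCAL_YEAR = 2016  # assumption: the constructed data covers fiscal 2016

# General journal file: (account number, amount, D/C code, date MM/DD/YY, ref doc type, ref doc number)
JOURNAL = [
    (1000, Decimal("500.00"), "D", "01/15/16", "INV", 1001),
    (4000, Decimal("500.00"), "C", "01/15/16", "INV", 1001),
    (5000, Decimal("200.00"), "D", "03/02/16", "CHK", 2001),
    (1000, Decimal("200.00"), "C", "03/02/16", "CHK", 2001),
    (9999, Decimal("75.00"), "D", "06/30/16", "JE", 3001),   # no such GL account
    (1000, Decimal("75.00"), "C", "06/30/16", "JE", 3001),
    (5000, Decimal("40.00"), "D", "01/05/17", "CHK", 2002),  # one-sided, next year
]

# General ledger control file: (account number, name, beginning balance, beg D/C, current balance, cur D/C)
LEDGER = [
    (1000, "Cash", Decimal("1000.00"), "D", Decimal("1225.00"), "D"),
    (4000, "Sales", Decimal("0.00"), "C", Decimal("500.00"), "C"),
    (5000, "Supplies expense", Decimal("0.00"), "D", Decimal("250.00"), "D"),
]

def signed(amount, dc):
    """Debits positive, credits negative, so balances can simply be summed."""
    return amount if dc == "D" else -amount

def journal_out_of_balance(journal):
    """Foot each journal entry (by reference document): debits must equal credits."""
    totals = defaultdict(Decimal)
    for _, amt, dc, _, doc_type, doc_no in journal:
        totals[(doc_type, doc_no)] += signed(amt, dc)
    return sorted(key for key, total in totals.items() if total != 0)

def invalid_accounts(journal, ledger):
    """Validity test: journal postings to accounts absent from the GL control file."""
    valid = {row[0] for row in ledger}
    return sorted({acct for acct, *_ in journal if acct not in valid})

def out_of_period(journal, fiscal_year):
    """Cutoff test on the MM/DD/YY date field (two-digit year assumed to be 20YY)."""
    hits = []
    for _, _, _, d, doc_type, doc_no in journal:
        mm, dd, yy = (int(part) for part in d.split("/"))
        if date(2000 + yy, mm, dd).year != fiscal_year:
            hits.append((doc_type, doc_no))
    return hits

def recompute_balances(journal, ledger):
    """Year-end balance = beginning balance + postings; report accounts whose current balance differs."""
    postings = defaultdict(Decimal)
    for acct, amt, dc, *_ in journal:
        postings[acct] += signed(amt, dc)
    exceptions = {}
    for acct, _, beg, beg_dc, cur, cur_dc in ledger:
        expected = signed(beg, beg_dc) + postings[acct]
        if expected != signed(cur, cur_dc):
            exceptions[acct] = (expected, signed(cur, cur_dc))
    return exceptions
```

Each function returns an exception list the auditor would follow up on; on the constructed data the one-sided check 2002, the unknown account 9999, the post-year-end date, and the 10.00 overstatement of account 5000 are all flagged.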
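The concurrent audit techniques from problem 11.14 and quiz questions 7 and 9 (SCARF, audit hooks, and the snapshot technique), as an added example that is not from the textbook: a toy vendor-payment posting routine with an embedded audit module that applies auditor-specified criteria to every live transaction, writes matches to a SCARF file, raises an audit hook notification for the criteria the auditor wants to hear about immediately, and records a before/after snapshot of the master record for transactions tagged with the snapshot code. The master records, transactions, criteria, and user names are all constructed for the demo.

```python
import copy
from datetime import datetime

MASTER = {
    "V100": {"name": "Acme Timber", "ytd_paid": 12000.00},
    "V200": {"name": "Pine Supply", "ytd_paid": 800.00},
}

# Auditor-specified SCARF criteria: (criterion name, predicate over a transaction)
SCARF_CRITERIA = [
    ("large_amount", lambda t: t["amount"] >= 10000),
    ("after_hours", lambda t: not 8 <= datetime.fromisoformat(t["when"]).hour < 18),
    ("self_approved", lambda t: t["entered_by"] == t["approved_by"]),
]
# Criteria that also act as audit hooks: the auditor is notified as they occur
AUDIT_HOOK_CRITERIA = {"self_approved"}

class EmbeddedAuditModule:
    def __init__(self, criteria, hook_criteria):
        self.criteria = criteria
        self.hook_criteria = hook_criteria
        self.scarf_file = []     # SCARF: transactions with audit significance
        self.notifications = []  # audit hook: real-time alerts to the auditor
        self.snapshots = []      # snapshot technique: master record before/after

    def examine(self, txn):
        hits = [name for name, pred in self.criteria if pred(txn)]
        if hits:
            self.scarf_file.append({"txn": txn["id"], "criteria": hits})
        self.notifications.extend(
            f"{txn['id']}: {name}" for name in hits if name in self.hook_criteria)
        return hits

    def snapshot(self, txn, before, after):
        if txn.get("snapshot_tag"):  # only transactions marked with the special code
            self.snapshots.append((txn["id"], before, after))

def post_payment(txn, master, eam):
    """Application logic; the audit module runs inside the live processing path."""
    vendor = master[txn["vendor"]]
    before = copy.deepcopy(vendor)
    eam.examine(txn)
    vendor["ytd_paid"] += txn["amount"]
    eam.snapshot(txn, before, copy.deepcopy(vendor))
    return vendor["ytd_paid"]

TRANSACTIONS = [
    {"id": "P1", "vendor": "V100", "amount": 2500.00, "when": "2016-09-06T10:15:00",
     "entered_by": "clerk1", "approved_by": "super1"},
    {"id": "P2", "vendor": "V200", "amount": 15000.00, "when": "2016-09-06T23:40:00",
     "entered_by": "clerk7", "approved_by": "clerk7", "snapshot_tag": True},
]

def run_demo():
    """Process the constructed transactions and return the audit module's files."""
    eam = EmbeddedAuditModule(SCARF_CRITERIA, AUDIT_HOOK_CRITERIA)
    master = copy.deepcopy(MASTER)
    for txn in TRANSACTIONS:
        post_payment(txn, master, eam)
    return eam
```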