Prepared by Coby Harmon University of California, Santa Barbara Westmont College Chapter 7-1 Auditing Information Technology-Based Processes Chapter 7-2 Study Study Objectives Objectives An introduction to auditing IT processes The various types of audits and auditors Information risk and IT-enhanced internal control Authoritative literature used in auditing Management assertions used in the auditing process and the related audit objectives The phases of an IT audit The use of computers in audits Tests of controls Tests of transactions and tests of balances 10 Audit completion/reporting 11 Other audit considerations 12 Ethical issues related to auditing Chapter 7-3 Introduction Introduction to to Auditing Auditing IT IT Processes Processes Accounting services that improve the quality of information are called assurance services An audit is the most common type of assurance service Chapter 7-4 SO An introduction to auditing IT processes Types Types of of Audits Audits and and Auditors Auditors Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information Three primary types of audits include Chapter 7-5  compliance audits,  operational audits, and  financial statement audits SO The various types of audits and auditors Types Types of of Audits Audits and and Auditors Auditors Audits are typically conducted by accountants Chapter 7-6  Certified public accountants (CPAs)  Internal auditor  IT auditors  Government auditors SO The various types of audits and auditors Real Real World World Top management at Ford Motor Co is proud of the fact that Ford was the only U.S auto manufacturer to make it through the darkest days of the economic recession (between 2008–2010) without government assistance This is due, in part, to Ford’s long history of focusing on financial processes and controls, and its ability to alter its processes under pressures of elevated risks or new compliance requirements A key element in this process is a rotational succession and development plan in use for staffing Ford’s internal audit team Under this model, the internal audit department is comprised of experienced professionals on rotation from the company’s finance and IT functions, who serve the internal audit department for two to three years before returning to a previous or different functional area This allows Ford’s personnel to gain broad corporate exposure and to develop strong risk, control, and compliance skills to take with them to the various areas where they will work after their internal audit stint This also helps to promote the importance of the internal audit function throughout the organization By carefully planning the succession so that no new auditors will audit their prior functions for at least 12 months, Ford’s plan ensures that its internal auditors maintain a high level of objectivity Chapter 7-7 SO The various types of audits and auditors Types Types of of Audits Audits and and Auditors Auditors IT environment plays a key role in how auditors conduct their work in the following areas: Chapter 7-8  Consideration of risk  Audit procedures used to obtain knowledge of accounting and internal control systems  Design and performance of audit tests SO The various types of audits and auditors Types Types of of Audits Audits and and Auditors Auditors Concept Check Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings? a.Financial statement audits b.Operational audits c.Regulatory audits d.Compliance audits Chapter 7-9 SO The various types of audits and auditors Types Types of of Audits Audits and and Auditors Auditors Concept Check Financial statement audits are required to be performed by a government auditors b CPAs c internal auditors d IT auditors Chapter 7-10 SO The various types of audits and auditors Other Other Audit Audit Considerations Considerations Different IT Environments Some audit techniques used to test controls specifically in the use of PCs: Chapter 7-48  Make sure that PCs and removable hard drives are locked in place to ensure physical security  Programs and data files should be password protected  Make sure computer programmers not have access to systems operations SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Different IT Environments Some audit techniques used to test controls specifically in the use of PCs: Chapter 7-49  Software programs should not permit the users to make program changes  Ascertain that computer-generated reports are regularly reviewed by management  Determine the frequency of backup procedures  Verify the use of antivirus software and the frequency of virus scans SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Different IT Environments Using PCs, companies may use IT environments that involve  networks,  database management systems,  e-commerce systems,  cloud computing, and/or  other forms of IT outsourcing Chapter 7-50 SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Changes in a Client’s IT Environment Auditors must consider whether additional audit testing is needed Specific audit tests include verification of: Chapter 7-51  Assessment of user needs  Authorization for new projects and program changes  Adequate feasibility study and cost–benefit analysis  Proper design documentation  Proper user instructions  Adequate testing before system is put into use SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Sampling Chapter 7-52  Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results  Auditors try to use sampling so that a fair representation of the population is evaluated  The choice of an appropriate sampling technique is very subjective SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Concept Check Independent auditors are generally actively involved in each of the following tasks except: a preparation of a client’s financial statements and accompanying notes b advising client management as to the applicability of a new accounting standard c proposing adjustments to a client’s financial statements d advising client management about the presentation of the financial statements Chapter 7-53 SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Concept Check Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions? a Due professional care b Competence c Independence d A complex underlying body of professional knowledge Chapter 7-54 SO 11 Other audit considerations Other Other Audit Audit Considerations Considerations Concept Check Which of the following terms is not associated with the auditor’s requirement to maintain independence? a Objectivity b Neutrality c Professional skepticism d Competence Chapter 7-55 SO 11 Other audit considerations Ethical Ethical Issues Issues Related Related to to Auditing Auditing PCAOB/AICPA Code of Professional Conduct Six principles of the code: Chapter 7-56 Auditors must practice professional skepticism Responsibilities The Public Interest Integrity Objectivity and Independence Due Care Scope and Nature of Services SO 12 Ethical issues related to auditing Real Real World World In the case of the Phar-Mor pharmaceutical company fraud, the auditors became too close to the management of Phar-Mor and shared audit information that they should not have For example, the auditors told management which stores they would select for inventory testing Phar-Mor managers were then able to move inventory between stores to conceal inventory shortages in the stores that were to be audited by the CPA firm Chapter 7-57 SO 12 Ethical issues related to auditing Ethical Ethical Issues Issues Related Related to to Auditing Auditing The Sarbanes–Oxley Act placed restrictions on auditors by prohibiting certain types of services Chapter 7-58  Auditors can no longer perform IT design and implementation services for companies which are also audit clients  requires public companies to have an audit committee as a subcommittee of the board of directors  requires top management to verify in writing that the financial statements are fairly stated and that the company has adequate internal controls over financial reporting SO 12 Ethical issues related to auditing Real Real World World A widely publicized case of management fraud involved Crazy Eddie’s electronics retail stores in New York This case is particularly outrageous because the management of the company, including Eddie Antar and his family, used nearly every trick in the book to commit financial statement fraud and the auditors in the process Some of the tactics used by Antar included the reporting of fictitious sales and overstated inventories, hiding liabilities and expenses, and falsifying financial statement disclosures The Antars used their employees and suppliers to help carry out their illegal schemes They also tampered with audit evidence Because the auditors were too trusting and did not carefully protect the audit files when they went home at the end of the day, the client (Crazy Eddie’s) had the opportunity to alter audit documents Even though this fraud occurred over two decades ago, it still provides a clear example of how management fraud can be pulled off and how auditors can be deceived Chapter 7-59 SO 12 Ethical issues related to auditing Ethical Ethical Issues Issues Related Related to to Auditing Auditing Auditors must Professional skepticism - Auditors practice should not automatically assume that professional their clients are honest, but must have a skepticism questioning mind and a persistent approach to evaluating evidence for possible misstatements Auditors should: Examine financial reporting for unauthorized or unusual entries Review estimated information and changes in financial reporting for possible biases Determine a reasonable business purpose for all significant transactions Chapter 7-60 SO 12 Ethical issues related to auditing Real Real World World Examples of management fraud were discovered at Enron, Xerox, WorldCom, and other large, well-known companies during the past 15 years In fact, many of the big corporate fraud cases that have been in the news in recent years involved the company’s chief executive or top accounting managers The financial statement misstatements resulting from these frauds have been staggering At WorldCom, for example, nearly $4 billion in operating expenses were hidden when management decided to capitalize the expenditures rather than report them on the income statement This illustrates the importance to auditors of varying the mix of audit procedures to include a reasonable combination of tests of controls and substantive tests Even in large companies with sophisticated systems of internal control, the audit needs to include tests of the accounting balances in order to increase the chances of discovering whether management may have circumvented controls in order to perpetrate fraud Chapter 7-61 SO 12 Ethical issues related to auditing Copyright Copyright Copyright © 2013 John Wiley & Sons, Inc All rights reserved Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc The purchaser may make back-up copies for his/her own use only and not for distribution or resale The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein Chapter 7-62 ... part of generally accepted auditing standards? a general standards b standards of fieldwork c standards of information systems d standards of reporting Chapter 7-14 SO Authoritative literature... financial processes and controls, and its ability to alter its processes under pressures of elevated risks or new compliance requirements A key element in this process is a rotational succession and. ..Auditing Information Technology-Based Processes Chapter 7-2 Study Study Objectives Objectives An introduction to auditing IT processes The various types of audits and auditors Information risk and