Prepared by Paula Funkhouser, University of Nevada, Reno
Core Concepts of Accounting Information Systems, 13th Edition
Mark G. Simkin ● Jacob M. Rose ● Carolyn S. Norman
Copyright © 2015 John Wiley & Sons, Inc. All rights reserved.

Chapter 15: Information Technology Auditing
• Introduction
• The Audit Function
• The Information Technology Auditor’s Toolkit
• Auditing Computerized Accounting Information Systems
• Information Technology Auditing Today

Introduction
• Audits of AISs
  – Ensure controls are functioning properly
  – Confirm additional controls not necessary
• Nature of Auditing
  – Internal and external auditing
  – IT audit and financial audit
  – Tools of an IT auditor

The Audit Function
• Internal versus External Auditing
• Information Technology Auditing
• Evaluating the Effectiveness of Information Systems Controls

Internal Auditing
• Responsibility of Performance
  – Company’s own employees
  – External to the department being audited
• Evaluation of:
  – Employee compliance with policies and procedures
  – Effectiveness of operations
  – Compliance with external laws and regulations
  – Reliability of financial reports
  – Internal controls

External Auditing
• Responsibility of Performance
  – Those outside the organization
  – Accountants working for independent CPA
• Audit Purpose
  – Performance of the attest function
  – Evaluate the accuracy and fairness of the financial statements relative to GAAP

Information Technology Auditing
• Function
  – Evaluate computer’s role in achieving audit and control objectives
• Assurance Provided
  – Data and information are reliable, confidential, secure, and available
  – Safeguarding assets, data integrity, and operational effectiveness

The Components of an IT Audit

The IT Audit Process
• Computer-Assisted Audit Techniques (CAAT)
  – Use of computer processes to perform audit functions
  – Performing substantive tests
• Approaches
  – Auditing through the computer
  – Auditing with the computer

Validating Users and Access Privileges
• Purpose
  – Ensure all system users are valid
  – Appropriate access privileges
• Utilize Software Tools
  – Examine login times
  – Exception conditions
  – Irregularities

Continuous Auditing
• Embedded Audit Modules (Audit Hooks)
  – Capture data for audit purposes
• Exception Reporting
  – Transactions falling outside given parameters are rejected
• Transaction Tagging
  – Certain transactions tagged and progress recorded
• Snapshot Technique
  – Examines how transactions are processed
• Continuous and Intermittent Simulation (CIS)
  – Embeds audit module in a database management system (DBMS)
  – Similar to parallel simulation

Continuous Auditing – Spreadsheet Errors

Study Break #3
Which of the following is NOT an audit technique for auditing computerized AIS?
A. Parallel simulation
B. Use of specialized control software
C. Continuous auditing
D. All of the above are techniques used to audit computerized AIS

Study Break #4
Continuous auditing:
A. Has been talked about for years but will never catch on
B. Will likely become popular if organizations adopt XBRL in their financial reporting
C. Does not include techniques such as embedded audit modules
D. Will never allow IT auditors to provide some types of assurance on a real-time basis

IT Governance
• Overview
  – Process of using IT resources effectively
  – Efficient, responsible, strategic use of IT
• Objectives
  – Using IT strategically to fulfill mission of organization
  – Ensure effective management of IT

IT Auditing Today
• The Sarbanes-Oxley Act of 2002
• Auditing Standard No. 5 (AS5)
• Third Party and Information Systems Reliability Assurances

The Sarbanes-Oxley Act of 2002
• Overview
  – Limits services that auditors can provide clients while they are conducting audits
• Groups of Compliance Requirements
  – Audit committee/corporate governance requirements
  – Certification, disclosure, and internal control
  – Financial statement reporting rules
  – Executive reporting and conduct
• Section 302
  – CEOs and CFOs are required to certify the financial statements
  – Internal controls and disclosures are adequate
• Section 404
  – CEOs and CFOs assess and attest to the effectiveness of internal controls

Key Provisions of SOX

Auditing Standard No. 5 (AS5)
• Purpose
  – Public Company Accounting Oversight Board (PCAOB) guidance
  – Focus on most critical controls
• Rebalancing of Auditor’s Work
  – Internal auditors help to advise board of directors
  – External auditors reduce redundant testing

Third Party and Information Systems Reliability Assurances
• Growth of Electronic Commerce
  – Area of growing risk
  – Security and privacy concerns
  – Difficult to audit
• AICPA Trust Services
  – CPA WebTrust
  – SysTrust
• Principles of Trust Services
  – Security
  – Availability
  – Processing integrity
  – Online privacy
  – Confidentiality

... Risk management Information security management Response management ...
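
The embedded audit module, exception reporting and transaction tagging items listed under Continuous Auditing work together in a posting routine as follows. This is an added example, not taken from the textbook or slides; the posting routine, the limits, the account numbers, the tagging rule and the sample batch are all constructed assumptions.

```python
# Constructed parameters for this example; not taken from the slides.
MAX_AMOUNT = 10_000.00
VALID_ACCOUNTS = {"1000", "2000", "4000"}

class AuditModule:
    """Embedded audit hook: captures audit data while the application runs."""
    def __init__(self, tag_rule):
        self.tag_rule = tag_rule   # decides which transactions the auditor follows
        self.exceptions = []       # exception report: (transaction id, reasons)
        self.trail = {}            # tagged transaction id -> stages it passed

    def check(self, txn):
        """Exception reporting: list why a transaction falls outside the parameters."""
        reasons = []
        if not 0 < txn["amount"] <= MAX_AMOUNT:
            reasons.append("amount outside permitted range")
        if txn["account"] not in VALID_ACCOUNTS:
            reasons.append("unknown account")
        if reasons:
            self.exceptions.append((txn["id"], reasons))
        return reasons

    def record(self, txn, stage):
        """Transaction tagging: record the progress of tagged transactions only."""
        if self.tag_rule(txn):
            self.trail.setdefault(txn["id"], []).append(stage)

def post_batch(batch, audit):
    """Hypothetical posting routine with the audit hooks called at each step."""
    ledger = {}
    for txn in batch:
        audit.record(txn, "received")
        if audit.check(txn):       # out-of-parameter transactions are rejected
            audit.record(txn, "rejected")
            continue
        ledger[txn["account"]] = ledger.get(txn["account"], 0) + txn["amount"]
        audit.record(txn, "posted")
    return ledger

# Constructed sample batch.
SAMPLE = [
    {"id": "T1", "account": "1000", "amount": 250.00, "user": "alice"},
    {"id": "T2", "account": "2000", "amount": 50_000.00, "user": "bob"},
    {"id": "T3", "account": "9999", "amount": 75.00, "user": "bob"},
    {"id": "T4", "account": "1000", "amount": 9_500.00, "user": "bob"},
]

def run_example():
    # Assumed tagging rule: follow large transactions entered by user "bob".
    audit = AuditModule(lambda t: t["user"] == "bob" and t["amount"] >= 5_000)
    return post_batch(SAMPLE, audit), audit.exceptions, audit.trail
```
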