Chapter 11 Auditing Computer-Based Information Systems

  • Author / Uploaded
  • L i

Summary

Auditing
The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.

Major Steps in the Auditing Process
  • Audit planning
  • Collecting audit evidence
  • Evaluating evidence
  • Communicating results

Risk-Based Audit Approach
  • Determine the threats (fraud and errors) facing the company
  • Identify the control procedures (prevent, detect, correct the threats)
  • Evaluate the control procedures
  • Determine the effect of control weaknesses

Information Systems Audit
Using a risk-based framework for an information systems audit allows the auditor to review and evaluate the internal controls that protect the system in order to meet each of the following objectives:
  • Protect overall system security (including computer equipment, programs, and data)
  • Program development and acquisition occur under management authorization
  • Program modifications occur under management authorization
  • Accurate and complete processing of transactions, records, files, and reports
  • Prevent, detect, or correct inaccurate or unauthorized source data
  • Accurate, complete, and confidential data files

Audit Techniques Used to Test Programs
  • Integrated Test Facility (ITF): uses fictitious inputs
  • Snapshot technique: master files before and after an update are stored for specially marked transactions
  • System Control Audit Review File (SCARF): continuous monitoring and storing of transactions that meet pre-specifications
  • Audit hooks: notify auditors of questionable transactions
  • Continuous and Intermittent Simulation (CIS): similar to SCARF, for a DBMS

Discussion Question

11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and their accounting applications. However, it may not be feasible for every auditor to be a computer expert.
Discuss the extent to which auditors should possess computer expertise in order to be effective auditors.

Answer: Since most organizations make extensive use of computer-based systems in processing data, it is essential that computer expertise be available in the organization's audit group. Such expertise should include:
  • Extensive knowledge of computer hardware, software, data communications, and accounting applications
  • A detailed understanding of appropriate control policies and procedures in computer systems
  • An ability to read and understand system documentation
  • Experience in planning computer audits and in using modern computer-assisted auditing tools and techniques (CAATTs).

Not all auditors need to possess expertise in all of these areas. However, there is certainly some minimum level of computer expertise that is appropriate for all auditors to have. This would include:
  • An understanding of computer hardware, software, accounting applications, and controls.
  • The ability to examine all elements of the computerized AIS
  • The ability to use the computer as a tool to accomplish these auditing objectives.

11.2 How is a financial audit different from an information systems audit?

Answer: While a financial audit's purpose is to evaluate whether the financial statements present fairly, in all material respects, an entity's financial position, results of operations, and cash flows in conformity with standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness.

11.3 Berwick Industries is a fast-growing corporation that manufactures industrial containers. The company has a sophisticated AIS that uses advanced technology. Berwick’s executives have decided to pursue listing the company’s securities on a national stock exchange, but they have been advised that their listing application would be stronger if they were to create an internal audit department. At present, no Berwick employees have auditing experience. To staff its new internal audit function, Berwick could (a) train some of its computer specialists in auditing, (b) hire experienced auditors and train them to understand Berwick’s information system, (c) use a combination of the first two approaches, or (d) try a different approach.
Which approach would you support, and why?

Answer: The most effective auditor is a person who has training and experience as an auditor and training and experience as a computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. Berwick may find it necessary to accept some tradeoffs in staffing its audit function. Since auditors generally work in teams, Berwick should probably begin by using a combination of the first two approaches. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.

11.4 The mayor of Groningen in the Netherlands has been accused of using government funding for private lessons in Spanish. He took this course because he wanted to find a new job in Spain. This has become the focal point of a lot of debate: is this embezzlement or not? In this case, a local government clerk noticed the declaration and notified the press. However, if it weren’t a declaration but a direct transfer, would it have been discovered by the auditors given that an error factor of 2% is used? How can the audit plan be improved in such a situation?

Answer:

11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an anonymous note from an assembly-line operator who has worked at the company’s West Coast factory for the past 15 years. The note indicated that there are some fictitious employees on the payroll as well as some employees who have left the company. He offers no proof or names. What CAAT could Lou use to substantiate or refute the employee’s claims? (CIA Examination, adapted)

Answer: Computer-assisted audit tools and techniques (CAATTs) could have been used to identify employees who have no deductions. Experience has shown that fictitious or terminated employees will generally not have deductions. This happens because the fraud perpetrator wants as much money from each fraudulent or terminated employee paycheck as possible. Another reason for this is that they fear that a deduction payment sent to a third party might cause an investigation and uncover their fraud.

11.6 When performing an information systems audit, auditors must review and evaluate the program development process. What errors or fraud could occur during the program development process? Briefly describe the tests that can be used to detect unauthorized program modifications.

Answer:

11.7 What is test data processing? Explain how it is done, and list the sources that an auditor can use to generate test data.

Answer: Test data processing is a technique used to examine the integrity of the computer processing controls. Test data processing involves the creation of a series of hypothetical valid and invalid transactions and the introduction of those transactions into the system. The invalid data may include records with missing data, fields containing unreasonably large amounts, invalid account numbers, etc. If the program controls are working, then all invalid transactions should be rejected. Valid transactions should all be properly processed. The various ways test data can be generated are:
  • A listing of actual transactions.
  • The initial transactions used by the programmer to test the system.
  • A test data generator program that generates data using program specifications.
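
Test data processing as described in 11.7, shown as an added example that is not from the original chapter: a test deck of valid and invalid transactions is run through a program and every disagreement with the auditor's expected outcome is reported. The edit routine `process_transaction`, the account list, the 50,000 limit and all transactions are constructed for illustration.

```python
# Added illustration; the program under audit here is hypothetical.
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1001", "1002", "2001"}  # constructed chart of accounts
AMOUNT_LIMIT = Decimal("50000")            # assumed reasonableness limit


def process_transaction(record, enforce_limit=False):
    """Stand-in for the edit routine being audited: returns (accepted, reason).

    With enforce_limit=False the reasonableness check is skipped, which is
    the control weakness the test deck is meant to expose.
    """
    for field in ("account", "amount", "date"):
        if not record.get(field):
            return False, f"missing {field}"
    if record["account"] not in VALID_ACCOUNTS:
        return False, "invalid account"
    try:
        amount = Decimal(record["amount"])
    except InvalidOperation:
        return False, "non-numeric amount"
    if amount <= 0:
        return False, "non-positive amount"
    if enforce_limit and amount > AMOUNT_LIMIT:
        return False, "amount over limit"
    return True, "posted"


def make_txn(account, amount, date="2024-03-01"):
    return {"account": account, "amount": amount, "date": date}


# Constructed test deck: (case id, transaction, outcome the auditor expects).
TEST_DECK = [
    ("V1", make_txn("1001", "250.00"), True),
    ("V2", make_txn("2001", "49999.99"), True),
    ("I1", make_txn("1001", ""), False),              # missing data
    ("I2", make_txn("9999", "100.00"), False),        # invalid account number
    ("I3", make_txn("1002", "7500000.00"), False),    # unreasonably large amount
    ("I4", make_txn("1002", "12x.00"), False),        # non-numeric amount
    ("I5", make_txn("1002", "100.00", date=""), False),  # missing date
]


def run_test_deck(deck, program):
    """Return the cases where the program's accept/reject decision differs
    from the auditor's expectation; each is a control exception."""
    exceptions = []
    for case_id, record, expected in deck:
        accepted, reason = program(record)
        if accepted != expected:
            exceptions.append((case_id, expected, accepted, reason))
    return exceptions
```

Running the deck against the routine with the limit check disabled reports case I3 as wrongly posted; with `enforce_limit=True` the deck produces no exceptions.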
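
The CAATT test from the answer to 11.5, as an added example that is not from the original chapter: it scans a payroll register for employees with no deductions in any pay period. It goes beyond the answer by also cross-checking an HR master file for payments after a termination date and for paid IDs with no HR record; the file layout, column names and all records are constructed.

```python
# Added illustration with constructed data; column names are assumptions.
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed payroll register extract: one row per employee per pay period.
PAYROLL_CSV = """emp_id,pay_date,gross,tax,benefits,other_deductions
E100,2024-01-31,4200.00,630.00,180.00,0.00
E100,2024-02-29,4200.00,630.00,180.00,0.00
E217,2024-01-31,3900.00,0.00,0.00,0.00
E217,2024-02-29,3900.00,0.00,0.00,0.00
E305,2024-01-31,5100.00,765.00,0.00,25.00
E305,2024-02-29,5100.00,765.00,0.00,25.00
E412,2024-02-29,3000.00,0.00,0.00,0.00
"""

# Constructed HR master: emp_id -> termination date (None means active).
HR_MASTER = {"E100": None, "E217": None, "E305": date(2024, 2, 10)}

DEDUCTION_COLUMNS = ("tax", "benefits", "other_deductions")


def audit_payroll(payroll_csv, hr_master):
    """Return {emp_id: [flags]} for employees that warrant follow-up."""
    total_deductions = defaultdict(Decimal)
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(payroll_csv)):
        emp = row["emp_id"]
        paid_on = date.fromisoformat(row["pay_date"])
        total_deductions[emp] += sum(Decimal(row[c]) for c in DEDUCTION_COLUMNS)
        if emp not in hr_master:
            findings[emp].add("not in HR master")
        elif hr_master[emp] is not None and paid_on > hr_master[emp]:
            findings[emp].add("paid after termination")
    # The test named in the answer: no deductions across all pay periods.
    for emp, total in total_deductions.items():
        if total == 0:
            findings[emp].add("no deductions")
    return {emp: sorted(flags) for emp, flags in sorted(findings.items())}
```

Each flagged ID is a lead for follow-up against personnel files, not proof of fraud.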