Accounting Information Systems 12th Edition Solution By Romney Paul – Test Bank
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and
their accounting applications. However, it may not be feasible for every auditor to be a
computer expert. Discuss the extent to which auditors should possess computer expertise to
be effective auditors.
Since most organizations make extensive use of computer-based systems in processing data, it is
essential that computer expertise be available in the organization’s audit group. Such expertise
should include:
· Extensive knowledge of computer hardware, software, data communications, and accounting
applications
· A detailed understanding of appropriate control policies and procedures in computer systems
· An ability to read and understand system documentation
· Experience in planning computer audits and in using modern computer-assisted auditing tools
and techniques (CAATTs).
Not all auditors need to possess expertise in all of these areas. However, there is certainly some
minimum level of computer expertise that is appropriate for all auditors to have. This would
include:
· An understanding of computer hardware, software, accounting applications, and controls.
· The ability to examine all elements of the computerized AIS.
· The ability to use the computer as a tool to accomplish these auditing objectives.
11.2 Should internal auditors be members of systems development teams that design and
implement an AIS? Why or why not?
Many people believe that internal auditors should be involved in systems development projects in
order to ensure that newly developed systems are auditable and have effective controls. However,
if the auditor’s involvement is too great, then his or her independence may be impaired with respect
to subsequent review and evaluation of the system. Accordingly, the auditor should not be a
member of a systems development team, or be otherwise directly involved in designing or
implementing new systems.
There are indirect forms of auditor involvement that are appropriate. The auditor can
1. Recommend a series of control and audit guidelines that all new systems should meet.
2. Independently review the work of the systems development team, evaluate both the quality of
the systems development effort and its adherence to control and audit guidelines, and report
the findings to management.
In both cases, the auditor is working through management rather than with the systems
development team.
11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit
function, Berwick could (a) train some of its computer specialists in auditing, (b) hire
experienced auditors and train them to understand Berwick’s information system, (c) use a
combination of the first two approaches, or (d) try a different approach. Which approach
would you support, and why?
The most effective auditor is a person who has training and experience as an auditor and training
and experience as a computer specialist. However, few people have such an extensive background,
and personnel training and development are both expensive and time consuming.
Berwick may find it necessary to accept some tradeoffs in staffing its audit function. Since auditors
generally work in teams, Berwick should probably begin by using a combination of the first two
approaches. Then, as audit teams are created for specific purposes, care should be taken to ensure
that the members of each audit team have an appropriate mix of skills and experience.
11.4 The assistant finance director for the city of Tustin, California, was fired after city officials
discovered that she had used her access to city computers to cancel her daughter’s $300 water
bill. An investigation revealed that she had embezzled a large sum of money from Tustin in
this manner over a long period. She was able to conceal the embezzlement for so long because
the amount embezzled always fell within a 2% error factor used by the city’s internal
auditors. What weaknesses existed in the audit approach? How could the audit plan be
improved? What internal control weaknesses were present in the system? Should Tustin’s
internal auditors have discovered this fraud earlier?
Audit approach weaknesses
1. The question implies Tustin’s internal auditors never bothered to investigate transactions below
a certain dollar amount, and/or shortages of less than a certain percent. This is not good audit
practice.
2. While auditors generally examine transaction samples that are selected to include a high
percentage of items having a high dollar value, their sampling procedures should not ignore
transactions with lower dollar values. There must have been hundreds of falsified transactions,
and an effective sampling plan might have uncovered a few of them.
3. An internal control audit should have detected inadequacies in Tustin’s computer access
controls, as well as a lack of transaction documentation.
Audit plan improvements
1. Audit software could be used to fully reconcile collections with billings, and list any
discrepancies for further investigation.
Internal control weaknesses
1. An assistant finance director should not have the authority to enter credits to customer
accounts. Certainly, there should have been documentation to support such transactions.
2. The assistant finance director should not have been granted rights to cancel water or other
utility bills.
Should the auditors have detected the fraud earlier?
The easy answer here is yes, they should have uncovered the fraud earlier. While she was able to
embezzle a large sum of money from Tustin, it was over a long period. One of the keys to her
success was that she did not get greedy, and the amounts taken in any one year were probably
immaterial to the city. These kinds of frauds are very hard to detect.
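As an added illustration (not from the solutions manual), the following Python script contrasts the aggregate 2% tolerance test with the full billings-to-collections reconciliation suggested in the audit plan improvements; the accounts, amounts and receipt numbers are constructed.

```python
from collections import defaultdict

# Constructed billing run: 200 ordinary accounts plus one $300 water bill.
BILLINGS = [(f"A-{i:03d}", 100.0 + (i * 7) % 150) for i in range(200)]
BILLINGS.append(("A-200", 300.00))

# Constructed postings: (account, amount, type, supporting document or None).
# A-005 simply has not paid; A-200's bill was cancelled by a credit with no document.
POSTINGS = [(acct, amt, "cash", f"R-{n}")
            for n, (acct, amt) in enumerate(BILLINGS) if acct not in ("A-005", "A-200")]
POSTINGS.append(("A-200", 300.00, "credit", None))


def aggregate_shortage(billings, postings):
    """Uncollected share of total billings: the figure a 2% error factor is applied to."""
    billed = sum(amt for _, amt in billings)
    cash = sum(amt for _, amt, kind, _ in postings if kind == "cash")
    return (billed - cash) / billed


def within_tolerance(billings, postings, tolerance=0.02):
    """The aggregate check that let the cancelled bills go unnoticed."""
    return aggregate_shortage(billings, postings) <= tolerance


def reconcile(billings, postings):
    """Full reconciliation: every account whose billed amount was not collected in
    cash is listed, with undocumented credits called out for investigation."""
    cash = defaultdict(float)
    credits = defaultdict(list)
    for acct, amt, kind, doc in postings:
        if kind == "cash":
            cash[acct] += amt
        else:
            credits[acct].append((amt, doc))
    exceptions = []
    for acct, billed in billings:
        gap = round(billed - cash[acct], 2)
        if gap == 0:
            continue
        undocumented = any(doc is None for _, doc in credits[acct])
        reason = "credit without supporting document" if undocumented else "unpaid balance"
        exceptions.append((acct, gap, reason))
    return exceptions


if __name__ == "__main__":
    print(f"aggregate shortage {aggregate_shortage(BILLINGS, POSTINGS):.2%}, "
          f"passes 2% test: {within_tolerance(BILLINGS, POSTINGS)}")
    for acct, gap, reason in reconcile(BILLINGS, POSTINGS):
        print(f"{acct}: {gap:8.2f}  {reason}")
```

The $300 credit is about 0.9% of the constructed billing run, so the aggregate test passes while the per-account reconciliation lists it as an exception.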
11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an
anonymous note from an assembly-line operator who has worked at the company’s West
Coast factory for the past 15 years. The note indicated that there are some fictitious
employees on the payroll as well as some employees who have left the company. He offers no
proof or names. What computer-assisted audit technique could Lou use to help him
substantiate or refute the employee’s claim? (CIA Examination, adapted)
Computer-assisted audit tools and techniques (CAATTs) could be used to identify employees
who have no deductions. Experience has shown that fictitious or terminated employees will
generally not have deductions. This happens because the fraud perpetrator wants as much money
from each fraudulent or terminated employee paycheck as possible. Another reason for this is that
they fear that a deduction payment sent to a third party might cause an investigation and uncover
their fraud.
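An added example (not from the solutions manual) of the CAATT described above: a Python test over a payroll register that lists employees paid with no deductions, and, going one step beyond the answer, employees whose deductions stopped while their pay continued. The register, employee ids and amounts are constructed.

```python
from collections import defaultdict

# Constructed payroll register: (employee id, pay period, gross, tax withheld, benefits).
PAYROLL = [
    ("E1001", "2024-01", 3200.00, 640.00, 150.00),
    ("E1001", "2024-02", 3200.00, 640.00, 150.00),
    ("E1002", "2024-01", 2900.00, 580.00, 0.00),
    ("E1002", "2024-02", 2900.00, 580.00, 0.00),
    ("E1003", "2024-01", 3100.00, 0.00, 0.00),    # never any deductions
    ("E1003", "2024-02", 3100.00, 0.00, 0.00),
    ("E1004", "2024-01", 2750.00, 550.00, 120.00),
    ("E1004", "2024-02", 2750.00, 0.00, 0.00),    # deductions stopped, pay continued
]


def deductions_by_employee(register):
    """Map each employee to a period-sorted list of (period, gross, total deductions)."""
    rows = defaultdict(list)
    for emp, period, gross, tax, benefits in register:
        rows[emp].append((period, gross, tax + benefits))
    return {emp: sorted(r) for emp, r in rows.items()}


def flag_no_deductions(register):
    """Employees paid with zero deductions in every period, largest gross first:
    the indicator the answer gives for fictitious or terminated employees."""
    rows = deductions_by_employee(register)
    flagged = [emp for emp, r in rows.items() if all(d == 0 for _, _, d in r)]
    return sorted(flagged, key=lambda e: -sum(g for _, g, _ in rows[e]))


def flag_deductions_stopped(register):
    """Employees whose deductions were taken earlier but are zero in the latest
    period while gross pay continues: check these against HR's termination list."""
    flagged = []
    for emp, r in deductions_by_employee(register).items():
        if len(r) > 1 and r[-1][2] == 0 and any(d > 0 for _, _, d in r[:-1]):
            flagged.append(emp)
    return sorted(flagged)


if __name__ == "__main__":
    print("no deductions at all:", flag_no_deductions(PAYROLL))
    print("deductions stopped:  ", flag_deductions_stopped(PAYROLL))
```

Each flagged id is a lead for Lou to confirm against personnel files and physical existence, not proof of fraud by itself.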
11.6 Explain the four steps of the risk-based audit approach, and discuss how they apply to the
overall security of a company.
The risk-based audit approach provides a framework for conducting information system audits. It
consists of the following four steps:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or
intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the controls
that management has put into place and that auditors should review and test, to minimize the
threats.
3. Evaluate control procedures. Controls are evaluated in two ways. First, a systems review determines
whether control procedures are actually in place. Second, tests of controls are conducted to
determine whether existing controls work as intended.
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing
procedures. If the auditor determines that control risk is too high because the control system is
inadequate, the auditor may have to gather more evidence, better evidence, or more timely
evidence. Control weaknesses in one area may be acceptable if there are compensating controls in
other areas.
The risk-based approach provides auditors with a clearer understanding of the overall security of a
company, including the fraud and errors that can occur in the company. It also helps them
understand the related risks and exposures. In addition, it helps them plan how to test and evaluate
internal controls, as well as how to plan subsequent audit procedures. The result is a sound basis for
developing recommendations to management on how the AIS control system should be improved.
11.7 Compare and contrast the frameworks for auditing program development/acquisition and for
auditing program modification.
The two are similar in that:
· They both deal with the review of software.
· They both are exposed to the same types of errors and fraud.
· They use many of the same control procedures, audit procedures (both systems review and
tests of controls), and compensating controls, except that one set applies to program
development and acquisition and the other set is tailored to address program modifications.
These include management and user authorization and approval; thorough testing; review of
the policies, procedures, and standards; and proper documentation. (Compare Tables 2 and 3
in the chapter.)
The two are dissimilar in that:
· The auditor’s role in systems development is to perform an independent review of systems
development and acquisition activities. The auditor’s role in program modification is to
perform an independent review of the procedures and controls used to modify software
programs.
· There are some control procedures, audit procedures (both systems review and tests of
controls), and compensating controls that are unique to program development and acquisition
and others that are unique to program modifications. (Compare Tables 2 and 3 in the
chapter.)
· Auditors test for unauthorized program changes, often on a surprise basis, in several ways that
are not needed for program development and acquisition. These include:
o Using a source code comparison program to compare the current version of the program
with the source code.
o Reprocessing data using the source code and comparing the output with the company’s
output.
o Parallel simulation, where the auditor writes an independent program to process the data
and compares its output with the company’s output, rather than relying on the company’s
source code.
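The source code comparison test listed above, as an added example that is not part of the solutions manual: the approved program library and the production copies are constructed in-memory dictionaries here; a real audit would read them from the respective systems.

```python
import difflib
import hashlib

# Constructed sources: the approved copy from the program library and the copy
# found in production. Real audits read these from the respective systems.
APPROVED = {
    "payroll.py": "def net(gross):\n    tax = gross * 0.20\n    return gross - tax\n",
    "rates.cfg": "overtime=1.5\n",
}
PRODUCTION = {
    "payroll.py": "def net(gross):\n    tax = gross * 0.18\n    return gross - tax\n",
    "rates.cfg": "overtime=1.5\n",
    "fixup.py": "print('temporary')\n",   # present in production, never approved
}


def fingerprint(sources):
    """SHA-256 of each file's text; equal hashes mean identical content."""
    return {name: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for name, text in sources.items()}


def compare_programs(approved, production):
    """Source code comparison: which programs differ from, were added to, or are
    missing from the approved library."""
    a, p = fingerprint(approved), fingerprint(production)
    return {
        "modified": sorted(n for n in a if n in p and a[n] != p[n]),
        "added": sorted(set(p) - set(a)),
        "removed": sorted(set(a) - set(p)),
    }


def change_detail(approved, production, name):
    """The changed lines of one modified program, for the auditor's working papers."""
    diff = difflib.unified_diff(approved[name].splitlines(), production[name].splitlines(),
                                f"approved/{name}", f"production/{name}", lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    report = compare_programs(APPROVED, PRODUCTION)
    print(report)
    for name in report["modified"]:
        print("\n".join(change_detail(APPROVED, PRODUCTION, name)))
```

Every entry in "modified" or "added" should trace to an approved change request; anything that does not is an unauthorized program change to follow up.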