Introduction to AIS

• The Assignment must be submitted on Blackboard (WORD format only) via allocated folder.
• Assignments submitted through email will not be accepted.
• Students are advised to make their work clear and well presented, marks may be reduced for poor presentation. This includes filling your information on the cover page.
• Students must mention question number clearly in their answer.
• Late submission will NOT be accepted.
• Avoid plagiarism, the work should be in your own words, copying from students or other resources without proper referencing will result in ZERO marks. No exceptions.
• All answers must be typed using Times New Roman (size 12, double-spaced) font. No pictures containing text will be accepted and will be considered plagiarism.

Submissions without this cover page will NOT be accepted.

Assignment Question(s):(Marks 15)

IMPORTANT NOTE: Answer in your own words, DO NOT COPY from slides, fellow student, or internet source without proper citation.

312
Part II
Control and Audit of Accounting Information Systems
compliance audit – Examination
of organizational compliance
with applicable laws, regulations, policies, and procedures.
investigative audit – An Examination of incidents of possible
fraud, misappropriation of
assets, waste and abuse, or improper governmental activities.
4. A compliance audit determines whether entities are complying with applicable laws,
regulations, policies, and procedures. These audits often result in recommendations to
improve processes and controls used to ensure compliance with regulations.
5. An investigative audit examines incidents of possible fraud, misappropriation of assets,
waste and abuse, or improper governmental activities.
In contrast, external auditors are responsible to corporate shareholders and are mostly
concerned with gathering the evidence needed to express an opinion on the financial statements. They are only indirectly concerned with the effectiveness of a corporate AIS. However,
external auditors are required to evaluate how audit strategy is affected by an organization’s
use of information technology (IT). External auditors may need specialized skills to (1) determine how the audit will be affected by IT, (2) assess and evaluate IT controls, and (3) design
and perform both tests of IT controls and substantive tests.
Despite the distinction between internal and external auditing, many of the internal audit
concepts and techniques discussed in this chapter also apply to external audits.
The first section of this chapter provides an overview of auditing and the steps in the auditing process. The second section describes a methodology and set of techniques for evaluating internal controls in an AIS and conducting an information system audit. The third section
discusses the computer software and other techniques for evaluating the reliability and integrity of information in an AIS. Finally, operational audits of an AIS are reviewed.
The Nature of Auditing
Overview of the Audit Process
All audits follow a similar sequence of activities. Audits may be divided into four stages: planning, collecting evidence, evaluating evidence, and communicating audit results. Figure 11-1
is an overview of the auditing process and lists many of the procedures performed within each
of these stages.
Audit Planning Audit planning determines why, how, when, and by whom the audit will
be performed. The first step is to establish the audit’s scope and objectives. For example, an
audit of a publicly held corporation determines whether its financial statements are presented
fairly. In contrast, an internal audit may examine a specific department or a computer application. It may focus on internal controls, financial information, operating performance, or some
combination of the three.
An audit team with the necessary experience and expertise is formed. They become familiar with the auditee by conferring with supervisory and operating personnel, reviewing system
documentation, and reviewing prior audit findings.
An audit is planned so the greatest amount of audit work focuses on the areas with the
highest risk factors. There are three types of audit risk:
inherent risk – Susceptibility to
significant control problems in
the absence of internal control.
control risk – Risk that a material misstatement will get
through the internal control
structure and into the financial
statements.
detection risk – Risk that auditors and their audit procedures
will fail to detect a material
error or misstatement.
1. Inherent risk is the susceptibility to material risk in the absence of controls. For example, a system that employs online processing, networks, databases, telecommunications,
and other forms of advanced technology has more inherent risk than a batch processing
system.
2. Control risk is the risk that a material misstatement will get through the internal control
structure and into the financial statements. A company with weak internal controls has a
higher control risk than one with strong controls. Control risk can be determined by reviewing the control environment, testing internal controls, and considering control weaknesses identified in prior audits and evaluating how they have been rectified.
3. Detection risk is the risk that auditors and their audit procedures will fail to detect a
­material error or misstatement.
To conclude the planning stage, an audit program is prepared to show the nature, extent,
and timing of the procedures needed to achieve audit objectives and minimize audit risks.
A time budget is prepared, and staff members are assigned to perform specific audit steps.
CHAPTER 11
Auditing Computer-Based Information Systems
Audit Planning
Establish scope and objectives
Organize audit team
Develop knowledge of business operations
Review prior audit results
Identify risk factors
Prepare audit program
313
Figure 11-1
Overview of the Auditing
Process
Collection of Audit Evidence
Observation of operating activities
Review of documentation
Discussions with employees
Questionnaires
Physical examination of assets
Confirmation through third parties
Reperformance of procedures
Vouching of source documents
Analytical review
Audit sampling
Evaluation of Audit Evidence
Assess quality of internal controls
Assess reliability of information
Assess operating performance
Consider need for additional evidence
Consider risk factors
Consider materiality factors
Document audit findings
Communication of Audit Results
Formulate audit conclusions
Develop recommendations for management
Prepare audit report
Present audit results to management
Collection of Audit Evidence Most audit effort is spent collecting evidence. Because
many audit tests cannot be performed on all items under review, they are often performed on a
sample basis. The following are the most common ways to collect audit evidence:
●
●
●
●
●
●
●
●
Observation of the activities being audited (e.g., watching how data control personnel
handle data processing work as it is received)
Review of documentation to understand how a particular process or internal control system is supposed to function
Discussions with employees about their jobs and about how they carry out certain
procedures
Questionnaires that gather data
Physical examination of the quantity and/or condition of tangible assets, such as equipment and inventory
Confirmation of the accuracy of information, such as customer account balances,
through communication with independent third parties
Reperformance of calculations to verify quantitative information (e.g., recalculating the
annual depreciation expense)
Vouching for the validity of a transaction by examining supporting documents, such as
the purchase order, receiving report, and vendor invoice supporting an accounts payable
transaction
confirmation – Written communication with independent third
parties to confirm the accuracy
of information, such as customer account balances.
reperformance – Performing
­calculations again to verify
quantitative information.
vouching – Comparing accounting journal and ledger entries
with documentary evidence to
verify that a transaction is valid,
accurate, properly authorized,
and correctly recorded.
314
Part II
Control and Audit of Accounting Information Systems
analytical review – Examination
of the relationships between
different sets of data; abnormal
or unusual relationships and
trends are investigated.
●
Analytical review of relationships and trends among information to detect items that
should be further investigated. For example, an auditor for a chain store discovered that
one store’s ratio of accounts receivable to sales was too high. An investigation revealed
that the manager was diverting collected funds to her personal use.
A typical audit has a mix of audit procedures. For example, an internal control audit
makes greater use of observation, documentation review, employee interviews, and reperformance of control procedures. A financial audit focuses on physical examination, confirmation,
vouching, analytical review, and reperformance of account balance calculations.
materiality – Amount of an error,
fraud, or omission that would
affect the decision of a prudent
user of financial information.
reasonable assurance – Obtaining complete assurance that
information is correct is prohibitively expensive, so auditors
accept a reasonable degree of
risk that the audit conclusion is
incorrect.
Evaluation of Audit Evidence The auditor evaluates the evidence gathered and decides
whether it supports a favorable or unfavorable conclusion. If inconclusive, the auditor performs sufficient additional procedures to reach a definitive conclusion.
Because errors exist in most systems, auditors focus on detecting and reporting those that
significantly impact management’s interpretation of the audit findings. Determining materiality,
what is and is not important in an audit, is a matter of professional judgment. Materiality is more
important to external audits, where the emphasis is fairness of financial statement, than to internal
audits, where the focus is on adherence to management policies.
The auditor seeks reasonable assurance that no material error exists in the information or process audited. Because it is prohibitively expensive to seek complete assurance,
the auditor has some risk that the audit conclusion is incorrect. When inherent or control
risk is high, the auditor must obtain greater assurance to offset the greater uncertainty and
risks.
In all audit stages, findings and conclusions are documented in audit working papers.
Documentation is especially important at the evaluation stage, when conclusions must be
reached and supported.
Communication of Audit Results The auditor submits a written report summarizing
audit findings and recommendations to management, the audit committee, the board of directors, and other appropriate parties. Afterwards, auditors often do a follow-up study to ascertain whether recommendations were implemented.
The Risk-Based Audit Approach
The following internal control evaluation approach, called the risk-based audit approach, provides a framework for conducting information system audits:
systems review – An internal
control evaluation step that
determines if necessary control
procedures are actually in place.
tests of control – Tests to determine whether existing controls
work as intended.
compensating controls – Control
procedures that compensate for
the deficiency in other controls.
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all
the controls that management has put into place and that auditors should review and test,
to minimize the threats.
3. Evaluate control procedures. Controls are evaluated in two ways:
a. A systems review determines whether control procedures are actually in place.
b. Tests of controls are conducted to determine whether existing controls work as
intended.
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent
of auditing procedures. If the auditor determines that control risk is too high because
the control system is inadequate, the auditor may have to gather more evidence, better
evidence, or more timely evidence. Control weaknesses in one area may be acceptable if
there are compensating controls in other areas.
The risk-based approach provides auditors with a clearer understanding of the fraud and
errors that can occur and the related risks and exposures. It also helps them plan how to test
and evaluate internal controls, as well as how to plan subsequent audit procedures. The result
is a sound basis for developing recommendations to management on how the AIS control system should be improved.
College of Administration and Finance Sciences
Assignment (2)
Deadline:23/11/ 2024 @ 23:59
Course Name: Introduction to AIS
Student’s Name:
Course Code: ACCT402
Student’s ID Number:
Semester: 1st
CRN:
Academic Year: 1446 H
For Instructor’s Use only
Instructor’s Name:
Students’ Grade:
/15
Level of Marks: High/Middle/Low
Instructions – PLEASE READ THEM CAREFULLY
• The Assignment must be submitted on Blackboard (WORD format only) via allocated
folder.
• Assignments submitted through email will not be accepted.
• Students are advised to make their work clear and well presented, marks may be
reduced for poor presentation. This includes filling your information on the cover
page.
• Students must mention question number clearly in their answer.
• Late submission will NOT be accepted.
• Avoid plagiarism, the work should be in your own words, copying from students or
other resources without proper referencing will result in ZERO marks. No exceptions.
• All answers must be typed using Times New Roman (size 12, double-spaced) font.
No pictures containing text will be accepted and will be considered plagiarism.
• Submissions without this cover page will NOT be accepted.
College of Administration and Finance Sciences
Assignment Question(s):
(Marks 15)
IMPORTANT NOTE: Answer in your own words, DO NOT COPY from slides,
fellow student, or internet source without proper citation.
Assignment Question(s):
Q1
Describe the four types of control objectives that companies need to set. (5Mark)
Q2
Explain the factors that influence information systems reliability. (5Mark)
Q3
Describe the scope and objectives of audit work and identify the major steps in the audit
process. (5Mark)
Good Luck