La lecture en ligne est gratuite
Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres
Télécharger Lire

Audit and Information Technology

De
14 pages
Auditing in an advanced IT environment Introduction People often say that the advancement of information technology in today will be remembered as the greatest revolution of human history. That is, yes, bigger than the Industrial Revolution. Today’s business environment reflects accelerating technological advancement. Innovations in data processing help boost transaction volumes exponentially and technological advances in telecommunications have changed the way transactions are being initiated and conveyed. More and more firms now heavily rely on sophisticated computerized information systems. Today, effective use of technological advancement not only helps a firm run its business more efficiently than ever before but it also has become a requirement for a firm to stay competitive in the market place. Such an advance in information technology has also made a significant impact in auditing profession and changed the way audit is conducted fundamentally. Information technology had enabled auditors to use automated software packages in many areas by which an audit can be conducted more efficiently as well as effectively with less cost and time. However, IT poses danger and threat to auditors at the same time. With the increased dependence on computerized information system comes a great need for appropriate control systems to be in place to ensure that systems are operating properly and without error. An error created by a faulty system can ...
Voir plus Voir moins

Vous aimerez aussi

Auditing in an advanced IT environment
 Introduction  People often say that the advancement of information technology in today will be remembered as the greatest revolution of human history. That is, yes, bigger than the Industrial Revolution. Today’s business environment reflects accelerating technological advancement. Innovations in data processing help boost transaction volumes exponentially and technological advances in telecommunications have changed the way transactions are being initiated and conveyed. More and more firms now heavily rely on sophisticated computerized information systems. Today, effective use of technological advancement not only helps a firm run its business more efficiently than ever before but it also has become a requirement for a firm to stay competitive in the market place. Such an advance in information technology has also made a significant impact in auditing profession and changed the way audit is conducted fundamentally.  Information technology had enabled auditors to use automated software packages in many areas by which an audit can be conducted more efficiently as well as effectively with less cost and time. However, IT poses danger and threat to auditors at the same time. With the increased dependence on computerized information system comes a great need for appropriate control systems to be in place to ensure that systems are operating properly and without error. An error created by a faulty system can be damaging to the financial well-being of a company. Electronic data interchange (EDI) made it more
 
1
difficult for auditors detect errors that are not feasible. New types of fraud could be hard to detect by the same token. With this new environment auditing profession needs to understand the client’s information systems, control system in particular, thoroughly to effectively audit in this unfamiliar territory. In this article we will first review key issues and concerns in security and frauds in IT from two academic research papers and then present our view with analysis.  Review of academic research on IT and Audit   Issues and Concerns       Security             The degree of automation in the typical business environment has led to an increase in the complexity in internal control systems. Technological advances in distributed processing, worldwide networking, and remote access to corporate systems increase an organization's vulnerability to control breaches and present new challenges for the auditor. One of the most critical issues for an auditor in such a highly computerized environment is security that includes the security policies and procedures for ensuring that access to equipment, software and data is restricted to authorized users. Both software and physical resources require controls to prevent intentional or unintentional modifications or destruction of any resources. Examples of software security include the use of passwords to access information and encryption techniques in
 
2
data transmission. Physical security measures include storing backup files offsite and keeping equipment behind locked doors. If controls are not in place properly, fictitious or erroneous transactions may find their way into the financial accounting system. This can ultimately result in material errors in the financial statements.   The computer audit committee recently identified  four main areas with the major audit concerns for each area he or she should be aware of when planning financial statement audits. First, Electronic commerce and Internet. An increasing number of financial transactions are conducted online. The auditor has to consider control issues associated with electronic commerce. The major audit concerns are that only authorized transactions are transmitted and received and that they are not been duplicated, lost or modified during processing. Second, Continuous Auditing. The auditor may consider employing continuous auditing by embedding audit module with the auditor’s selection criteria into a transaction application when most information exists only in electronic form, such as in a paperless airline reservation system. To prevent unauthorized modification to the embedded audit module, the auditor also might investigate controls such as the use of passwords to restrict access to source codes and procedures to ensure the entity's compliance with adequate application software maintenance procedures. Third, EDI. EDI presents numerous auditor and control implications. The auditor needs to understand how the entity conducts business using EDI and to adjust audit procedures accordingly. EDI creates dependence on the trading partner’s computer system, so its errors and security breaches might affect the client’s system. Controls, such as firewalls, encryption and authentication, associated with communications technologies
 
3
also apply to EDI. The auditor might wish to review trading partner agreements since traditional revenue and expense recognition concepts might be modified because of new business practices. For example, the agreement might state that a purchaser pays for goods when they are placed into production instead of on receipt. The supplier then becomes dependent on the purchaser's system to determine when to recognize revenue. Last, Image processing. This technology involves the conversion of paper documents into electronic form through scanning and the subsequent storage and retrieval of the electronic image. A key issue in image processing is document authenticity: Is the electronic image actually what it purports to be-or has it been subtly altered so it no longer is correct? The auditor should test controls that provide assurance that only valid and authorized documents are scanned into the system. For example, the auditor could review an image of a purchase order when someone had used a desktop publishing program to alter the quantities, prices and other relevant data, creating an image that could be substantially different from the now-discarded original paper document. A quality control function is needed to ensure that the scanned image is captured without errors before the paper document is destroyed. The auditor should test controls, such as the use of passwords that prevent unauthorized changes to the stored electronic image.  Fraud         Detecting new frauds has become increasingly difficult as a result of recent paperless transactions. According to the Association of Certified Fraud Examiners, financial losses due to fraud in the United States amounted to $400 billion in 1998
 
4
(Coderre, p27). As more business operations use computerized information, more fraud is committed by using computers. Frauds can take various forms. Take a payroll area for example. Fraudulent employees may set up a fictitious employee, leave a severed employee, or submit excessive overtime by manipulating a company’s database. Likewise, if control is not properly in place, purchasing scam, such as generating a fraudulent invoice, can be easily delivered by circumventing authorization controls and is much more difficult to detect, particularly for collusive scam. Another unique characteristic of IT era fraud is its domino effect. Since most of information is connected through centralized database systems, a single insignificant fraud could affect many other areas, which, in turn, cause bigger problems for an organization. Today, clients insist on lower costs, while the public demands that auditors accept greater responsibility to detect fraud and other irregularities. The AICPA mandates that auditors "design the audit to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements" (SAS 53).       Technological advances in distributed processing, worldwide networking, and remote access to corporate systems, for example, increase an organization's vulnerability to control breaches and present new challenges for the internal and external auditor. The same technology that creates this type of challenges, however, provides auditors with more sophisticated weapons to use in their fight against it. Computer assisted audit techniques (CAATs) generally assist the auditor in testing application controls (Messier, p251.) In fact, fraud detection is an ideal application for CAAT. CAATs enable investigators to obtain a quick overview of business operations, develop an understanding
 
5
of the relationships among various data elements, and easily drill down into the details of specific areas of interest. A systematic approach to fraud investigation that involves the identification of unusual activity with the aid of CAATs is a efficient way to detect fraud. Moreover, CAAT equipped with data extraction and analysis capabilities enable auditors to perform effective, comprehensive, and low-cost substantive testing on audit engagements. Financial Crime Investigator (FCI), which is distributed by the Anthem Corporation is a computer program which helps users to recognize fraud indicators in contracts or in purchases. This program allows the user to write queries for any database management (Crowder, p20). By incorporating computer assisted fraud detection techniques into their routine audits, auditors can increase the probability that they will uncover fraud if it exists.  Our view with supplemental information   Security and IT  We totally agree with security issues in 11 key technologies practitioners should be aware of when planning financial statement audits, which are identified by the computer auditing subcommittee of the AICPA ASB. More and more business entities implement more sophisticated and computerized information systems to get competitive advantage in the market, so the information system security issue has been more critical in terms of the financial statement auditing. That is, security issues are not only the issue for the IT, consulting, and assurance service personnel but also the issues for financial
 
6
statement auditors because fictitious or erroneous transactions due to improper controls on the IS security can ultimately result in material errors in the financial statements.  The computer auditing subcommittee’s article clearly shows us what practitioners should be aware of when planning financial statement audits for a highly automated business entity in terms of technical concerns on IS security, that is, the article mainly discusses about the importance of access control on the information security, such as user authentication and firewalls, and encryption techniques in data transmission. However, we believe that accessing control risks on information system security should start with reviewing the client company’s information security policy. The information security policy means developing procedures and plans that safeguard the organization’s network resources against loss and damage. To facilitate auditor’s understanding of the company’s security policy, the following might be auditor’s key concerns. ! What resources is company trying to protect? ! Which people does the organization need to protect the resources from? ! How likely are the threats? ! How important is the resource? ! What measures can the organization implement to protect the assets in a cost- effective and timely manner? ! Periodically examine of the network security policy to see if the organization objectives and network circumstances have changed. The auditor should ensure whether the proper information security policy is in place. According to Information security survey by Ernst & Young (1998), only 56% of
 
7
respondents (4300 information technology (IT) professionals in 35 countries) said they have security policies in place, and 64% of those who had security policies compliance with their policies. The auditor should also ensure whether all appropriate personnel are aware of and comply with the policy. 50% of network attacks come from inside the company. This result indicates that the auditor should focus more on the internal users rather than focusing on outside users. In addition, auditors need to verify whether the management checks the system maintenance routinely to ensure its safety because today’s IT environment and technologies are constantly changing. Auditor’s major concern might include routine analysis of threats, such as potential security risks and consequences of security breach, and active penetration testing by applying its own hacking techniques against the target system.   Fraud and CAAT     In general we agree with the information given in the fraud part of summary section mainly because they are rather informative articles than argumentative ones. Therefore, we would like to supplement further information which we grasped through various readings rather than arguing for or against those articles. With the creation of new types of fraud as a result of development of information technology, today’s auditors require much more skills than just financial expertise. Since computer fraud is hard to detect, an auditor need new skills and method in order to uncover the red flags that signal
 
8
fraud. We believe a desirable auditor should possess a substantial knowledge of computers, systems, and networking in order to effectively perform his or her duty.  There are many computer tools and techniques that can help auditors respond to this new audit environment. As fore-mentioned above by other scholars and practitioners, CAATs can help auditors identify fraud. For example,  Data analysis software can assist by highlighting transactions that contain the characteristics often associated with fraudulent activity. These programs feature many commands that review records for fraud symptoms, such as the existence of duplicate transactions, missing transactions, and other anomalies. CAATs can also help to reveal fraud symptoms that may be elusive because the evidence is spread across separate databases. For example, reviewing data from the accounts payable file may identify a trend in the expenditures to a particular vendor that seems unusual, but not necessarily indicative of fraud. As automation system has advanced rapidly, the use of CAATs has been increased and more CAATs have been developed over the years. ACL from ACL Software, IDEA from AICPA, Monarch from Datawatch Corp., and Microsoft Excel from Microsoft are among many popular commercial audit software programs. More recently, audit profession started using a new technique called Expert Systems (ES). An expert system is a computer program that captures human thought process. Unlike typical CAATs, these programs can actually make a logical decision in a similar way that humans do. Neural Networks are even more advanced software program. These ‘artificial intellengence’ programs can learn the characteristics of potentially fraudulent schemes by comparing new data to stored data and detecting hidden patterns.
 
9
    Although helpful tremendously, however, CAAT is not a solution for everything. Without a proactive approach and well-equipped knowledge by auditors, the effectiveness of CAAT can be significantly limited. In addition, obtaining the security manuals and reviewing them in detail early in the audit process to verify the solidity of internal control, coupled with well-designed audit plan is not new or innovative, but still the most important technique that auditors should not overlook. Well-organized teamwork and effective communication among team members will certainly facilitate to add a value to audit performance. Besides, audit firms should put continuous efforts to train employees to help them keep up with ever fast-changing IT environment. Because new audit frauds are more invisible than before, auditors are required to take a more forensic side of audit. Good combination of customized CAATs and auditors’ thorough preparation is not just an ideal variable, but also an absolute necessity.  Conclusio  n   Many organizations today extensively use complex computer-based systems to process transactions and financial information. Emergence of E-Commerce and advancement of telecommunication system have made audit more complicated. To make things worse, it appears to me that information technology and its environment are changing in a much faster pace than accounting or auditing profession. Public are hungrier than ever for accurate information. Various security problems and new type of computer frauds are created on a daily basis. In order to cope with these new concerns,
 
10
audit firms and auditors need to educate themselves vigorously on information systems
and how to adjust to the new changes. Continuous development of customized audit
software to fit in various types of environment seems a way to go. Audit profession
should also contemplate in developing an innovative way to reduce the cost of audit in
the future. Moreover, although GAAS and their interpretation may remain the same,
methods for implementing auditing concepts should definitely be changed as systems
become more complex. It is uncertain how far and which direction the IT will go
tomorrow. CAATs may be O.K. now, but they may not be enough tomorrow. It is time
to change.
 
11
Un pour Un
Permettre à tous d'accéder à la lecture
Pour chaque accès à la bibliothèque, YouScribe donne un accès à une personne dans le besoin