Summary
Auditing
Proses memperoleh dan mengevaluasi bukti tentang pernyataan tentang tindakan dan
peristiwa ekonomi untuk menentukan seberapa baik mereka sesuai dengan kriteria
yang ditetapkan.
Major Steps in the Auditing Process
Perencanaan audit
Pengumpulan bukti audit
Evaluasi bukti
Komunikasi hasil
Risk-Based Audit Approach
Tentukan ancaman (penipuan dan kesalahan) yang dihadapi perusahaan
Identifikasi prosedur kontrol (cegah, deteksi, koreksi ancaman)
Mengevaluasi prosedur kontrol
Tentukan efek kelemahan kontrol
Information Systems Audit
Menggunakan kerangka kerja berbasis risiko untuk audit sistem informasi
memungkinkan auditor untuk meninjau dan mengevaluasi kontrol internal yang
melindungi sistem untuk memenuhi masing-masing tujuan berikut:
Lindungi keamanan sistem secara keseluruhan (termasuk peralatan komputer,
program, dan data)
Pengembangan dan akuisisi program terjadi di bawah otorisasi manajemen
Modifikasi program terjadi di bawah otorisasi manajemen
Pemrosesan transaksi, catatan, file, dan laporan yang akurat dan lengkap
Cegah, deteksi, atau koreksi data sumber yang tidak akurat atau tidak sah
File data yang akurat, lengkap, dan rahasia
Audit Techniques Used to Test Programs
Fasilitas Uji Terpadu (ITF)
Menggunakan input fiktif
Teknik Snapshot
File master sebelum dan sesudah pembaruan disimpan untuk transaksi yang
ditandai khusus
File Tinjauan Audit Kontrol Sistem (SCARF)
Pemantauan dan penyimpanan transaksi berkelanjutan yang memenuhi pra-
spesifikasi
Kait Audit
Beri tahu auditor tentang transaksi yang dipertanyakan
Simulasi Berkelanjutan dan Berselang (CIS)
Mirip dengan SCARF untuk DBMS
Discussion Question
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of
computers and their accounting applications. However, it may not be feasible for
every auditor to be a computer expert. Discuss the extent to which auditors should
possess computer expertise in order to be effective auditors.
Answer :
Since most organizations make extensive use of computer-based systems in
processing data, it is essential that computer expertise be available in the
organization's audit group. Such expertise should include:
Extensive knowledge of computer hardware, software, data communications, and
accounting applications
A detailed understanding of appropriate control policies and procedures in
computer systems
An ability to read and understand system documentation
Experience in planning computer audits and in using modern computer assisted
auditing tools and techniques (CAATTs).
Not all auditors need to possess expertise in all of these areas. However, there is
certainly some minimum level of computer expertise that is appropriate for all
auditors to have. This would include:
An understanding of computer hardware, software, accounting applications, and
controls.
The ability to examine all elements of the computerized AIS
The ability to use the computer as a tool to accomplish these auditing objectives.
11.4 The mayor of Groningen in the Netherlands has been accused of using
government funding for private lessons in Spanish. He took this course because he
wanted to find a new job in Spain. This has become the focal point of a lot of debate:
is this embezzlement or not? In this case, a local government clerk noticed the
declaration and notified the press. However, if it weren’t a declaration but a direct
transfer, would it have been discovered by the auditors given that an error factor of
2% is used? How can the audit plan be improved in such a situation?
Answer :
11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an
anonymous note from an assembly-line operator who has worked at the company’s
West Coast factory for the past 15 years. The note indicated that there are some
fictitious employees on the payroll as well as some employees who have left the
company. He offers no proof or names. What CAAT could Lou use to substantiate or
refute the employee’s claims? (CIA Examination, adapted)
Answer :
Computer-assisted audit tools and techniques (CAATTs) could have been used to
identify employees who have no deductions. Experience has shown that fictitious or
terminated employees will generally not have deductions. This happens because the
fraud perpetrator wants as much money from each fraudulent or terminated employee
paycheck as possible. Another reason for this is that they fear that a deduction
payment sent to a third party might cause an investigation and uncover their fraud.
11.6 When performing an information systems audit, auditors must review and
evaluate the program development process. What errors or fraud could occur during
the program development process? Briefly describe the tests that can be used to detect
unauthorized program modifications.
Answer :
11.7 What is test data processing? Explain how it is done, and list the sources that an
auditor can use to generate test data.
Answer :
Test data processing is a technique used to examine the integrity of the computer
processing controls. Test data processing involves the creation of a series of
hypothetical valid and invalid transactions and the introduction of those transactions
into the system. The invalid data may include records with missing data, fields
containing unreasonably large amounts, invalid account numbers, etc. If the program
controls are working, then all invalid transactions should be rejected. Valid
transactions should all be properly processed. The various ways test data can be
generated are: A listing of actual transactions. The initial transactions used by the
programmer to test the system. A test data generator program that generates data
using program specifications.