
Chapter 11 Auditing Computer-Based Information Systems

Summary
Auditing
The process of obtaining and evaluating evidence regarding assertions about economic
actions and events in order to determine how well they correspond with established
criteria.
Major Steps in the Auditing Process
• Audit planning
• Collection of audit evidence
• Evaluation of evidence
• Communication of results
Risk-Based Audit Approach
• Determine the threats (fraud and errors) facing the company
• Identify the control procedures (prevent, detect, correct threats)
• Evaluate the control procedures
• Determine the effect of control weaknesses
Information Systems Audit
• Using a risk-based framework for an information systems audit allows the auditor
to review and evaluate the internal controls that protect the system, in order to
meet each of the following objectives:
  ◦ Protect overall system security (including computer equipment, programs, and
  data)
  ◦ Program development and acquisition occur under management authorization
  ◦ Program modifications occur under management authorization
  ◦ Accurate and complete processing of transactions, records, files, and reports
  ◦ Prevent, detect, or correct inaccurate or unauthorized source data
  ◦ Accurate, complete, and confidential data files
Audit Techniques Used to Test Programs
• Integrated Test Facility (ITF)
  ◦ Uses fictitious inputs
• Snapshot Technique
  ◦ Master files before and after an update are stored for specially marked
  transactions
• System Control Audit Review File (SCARF)
  ◦ Continuous monitoring and storing of transactions that meet pre-specifications
• Audit Hooks
  ◦ Notify auditors of questionable transactions
• Continuous and Intermittent Simulation (CIS)
  ◦ Similar to SCARF, for DBMS

Discussion Question
11.1 Auditing an AIS effectively requires that an auditor have some knowledge of
computers and their accounting applications. However, it may not be feasible for
every auditor to be a computer expert. Discuss the extent to which auditors should
possess computer expertise in order to be effective auditors.
Answer:
Since most organizations make extensive use of computer-based systems in
processing data, it is essential that computer expertise be available in the
organization's audit group. Such expertise should include:
• Extensive knowledge of computer hardware, software, data communications, and
accounting applications
• A detailed understanding of appropriate control policies and procedures in
computer systems
• An ability to read and understand system documentation
• Experience in planning computer audits and in using modern computer-assisted
auditing tools and techniques (CAATTs)
Not all auditors need to possess expertise in all of these areas. However, there is
certainly some minimum level of computer expertise that is appropriate for all
auditors to have. This would include:
• An understanding of computer hardware, software, accounting applications, and
controls
• The ability to examine all elements of the computerized AIS
• The ability to use the computer as a tool to accomplish these auditing objectives

11.2 How is a financial audit different from an information systems audit?
Answer:
While a financial audit's purpose is to evaluate whether the financial statements
present fairly, in all material respects, an entity's financial position, results of
operations, and cash flows in conformity to standard accounting practices, the
purpose of an IT audit is to evaluate the system's internal control design and
effectiveness.

11.3 Berwick Industries is a fast-growing corporation that manufactures industrial
containers. The company has a sophisticated AIS that uses advanced technology.
Berwick’s executives have decided to pursue listing the company’s securities on a
national stock exchange, but they have been advised that their listing application
would be stronger if they were to create an internal audit department.
At present, no Berwick employees have auditing experience. To staff its new
internal audit function, Berwick could (a) train some of its computer specialists in
auditing, (b) hire experienced auditors and train them to understand Berwick’s
information system, (c) use a combination of the first two approaches, or (d) try a
different approach. Which approach would you support, and why?
Answer:
The most effective auditor is a person who has training and experience as an auditor
and training and experience as a computer specialist. However, few people have such
an extensive background, and personnel training and development are both expensive
and time consuming.
Berwick may find it necessary to accept some tradeoffs in staffing its audit function.
Since auditors generally work in teams, Berwick should probably begin by using a
combination of the first two approaches. Then, as audit teams are created for specific
purposes, care should be taken to ensure that the members of each audit team have an
appropriate mix of skills and experience.

11.4 The mayor of Groningen in the Netherlands has been accused of using
government funding for private lessons in Spanish. He took this course because he
wanted to find a new job in Spain. This has become the focal point of a lot of debate:
is this embezzlement or not? In this case, a local government clerk noticed the
declaration and notified the press. However, if it weren’t a declaration but a direct
transfer, would it have been discovered by the auditors given that an error factor of
2% is used? How can the audit plan be improved in such a situation?
Answer:

11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an
anonymous note from an assembly-line operator who has worked at the company’s
West Coast factory for the past 15 years. The note indicated that there are some
fictitious employees on the payroll as well as some employees who have left the
company. He offers no proof or names. What CAAT could Lou use to substantiate or
refute the employee’s claims? (CIA Examination, adapted)
Answer:
Computer-assisted audit tools and techniques (CAATTs) could have been used to
identify employees who have no deductions. Experience has shown that fictitious or
terminated employees will generally not have deductions. This happens because the
fraud perpetrator wants as much money from each fraudulent or terminated employee
paycheck as possible. Another reason for this is that they fear that a deduction
payment sent to a third party might cause an investigation and uncover their fraud.
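
The no-deductions test described in this answer, written as a small CAAT script. This is an added example, not part of the original notes; it goes one step beyond the answer by also matching payroll against an HR master file to cover the note's two claims (fictitious employees and employees who have left). The file layouts, field names, and sample records are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the page): HR master file and one payroll run.
HR_MASTER = """emp_id,name,termination_date
1001,A. Rivera,
1002,B. Chen,2023-11-30
1003,C. Okafor,
"""
PAYROLL_RUN = """emp_id,pay_date,gross,tax_withheld,benefits,other_deductions
1001,2024-01-31,4200.00,610.00,180.00,25.00
1002,2024-01-31,3900.00,0.00,0.00,0.00
1003,2024-01-31,4100.00,590.00,175.00,0.00
1047,2024-01-31,4000.00,0.00,0.00,0.00
"""

def load(text):
    """Parse an extract (CSV text) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def payroll_exceptions(hr_rows, pay_rows):
    """Return {emp_id: [reasons]} for paychecks an auditor should follow up."""
    hr = {r["emp_id"]: r for r in hr_rows}
    findings = {}
    for p in pay_rows:
        reasons = []
        deductions = sum(float(p[k]) for k in
                         ("tax_withheld", "benefits", "other_deductions"))
        if deductions == 0:
            reasons.append("no deductions")           # the test named in the answer
        master = hr.get(p["emp_id"])
        if master is None:
            reasons.append("not in HR master")        # added check: possible fictitious employee
        elif master["termination_date"] and (
                date.fromisoformat(p["pay_date"])
                > date.fromisoformat(master["termination_date"])):
            reasons.append("paid after termination")  # added check: employee who has left
        if reasons:
            findings[p["emp_id"]] = reasons
    return findings

if __name__ == "__main__":
    for emp, why in payroll_exceptions(load(HR_MASTER), load(PAYROLL_RUN)).items():
        print(emp, "->", ", ".join(why))
```

The output is an exception list for follow-up, not proof of fraud: a flagged paycheck still has to be traced to personnel records and the person confirmed to exist.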

11.6 When performing an information systems audit, auditors must review and
evaluate the program development process. What errors or fraud could occur during
the program development process? Briefly describe the tests that can be used to detect
unauthorized program modifications.
Answer:

11.7 What is test data processing? Explain how it is done, and list the sources that an
auditor can use to generate test data.
Answer:
Test data processing is a technique used to examine the integrity of the computer
processing controls. Test data processing involves the creation of a series of
hypothetical valid and invalid transactions and the introduction of those transactions
into the system. The invalid data may include records with missing data, fields
containing unreasonably large amounts, invalid account numbers, etc. If the program
controls are working, then all invalid transactions should be rejected. Valid
transactions should all be properly processed. The various ways test data can be
generated are:
• A listing of actual transactions
• The initial transactions used by the programmer to test the system
• A test data generator program that generates data using program specifications
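
Test data processing as described in this answer, shown as a small harness. This is an added example, not part of the original notes: `post_payment` is a hypothetical program under audit, and the account list, limit, and test transactions are constructed. Each test transaction carries the auditor's expected outcome, and the harness reports every case where the program's edit checks behave differently.

```python
# Hypothetical program under audit: the edit checks applied before a payment is posted.
VALID_ACCOUNTS = {"2010", "2020", "5100"}   # constructed chart of accounts
AMOUNT_LIMIT = 50_000.00                     # constructed reasonableness limit

def post_payment(txn, enforce_limit=True):
    """Return (accepted, reason). enforce_limit=False models a missing control."""
    for field in ("account", "amount", "vendor"):
        if txn.get(field) in (None, ""):
            return False, f"missing {field}"
    if txn["account"] not in VALID_ACCOUNTS:
        return False, "invalid account"
    if txn["amount"] <= 0:
        return False, "non-positive amount"
    if enforce_limit and txn["amount"] > AMOUNT_LIMIT:
        return False, "amount exceeds limit"
    return True, "posted"

# Auditor's test deck: (case name, hypothetical transaction, should it be accepted?)
TEST_DECK = [
    ("valid payment",       {"account": "2010", "amount": 1250.00, "vendor": "V-17"}, True),
    ("valid at limit",      {"account": "5100", "amount": 50_000.00, "vendor": "V-02"}, True),
    ("missing vendor",      {"account": "2010", "amount": 300.00, "vendor": ""}, False),
    ("invalid account",     {"account": "9999", "amount": 300.00, "vendor": "V-17"}, False),
    ("unreasonable amount", {"account": "2020", "amount": 9_999_999.00, "vendor": "V-17"}, False),
]

def run_test_deck(program, deck=TEST_DECK):
    """Feed every test transaction to the program and return the cases where the
    actual result differs from the auditor's expectation (control failures)."""
    exceptions = []
    for name, txn, should_accept in deck:
        accepted, reason = program(dict(txn))   # copy so the deck is never mutated
        if accepted != should_accept:
            exceptions.append((name, "accepted" if accepted else "rejected", reason))
    return exceptions

if __name__ == "__main__":
    print("controls in place:", run_test_deck(post_payment))
    weak = lambda t: post_payment(t, enforce_limit=False)
    print("limit check missing:", run_test_deck(weak))
```

With all edit checks active the exception list is empty; with the limit check disabled, the unreasonably large payment is posted and appears as the single control failure.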
