Q1. The accounting department of Jhonas hospital maintains AIS for their financi

Question

Q1. The accounting department of Jhonas hospital maintains AIS for their financial statements and reports. Imagine that you are appointed as the auditor to audit the organization’s AIS.

a. As an auditor what are your objectives in conducting the accounting information system audits? Explain.

b. What are the concurrent audit techniques that you would apply to continually monitor the system and collect audit evidence while live data are processed during regular operating hours?

Explanation / Answer

Ans 1- a)

The objectives in conducting the accounting information system audits are as follows-

1. In cases where he can satisfactorily give an opinion on audit report:
a. to obtain reasonable assurance whether the financial statements (FS) are free from material misstatements, due to fraud or error, so that the auditor can express an opinion whether the FS are prepared in accordance with the applicable accounting framework (and present a true and fair view of the state of affairs of the company)
b. to make and submit a report on the FS and communicate the findings of audit to the intended users of FS

2. In cases where he cannot satisfactorily issue an audit report as a reasonable assurance could not be obtained and a qualified opinion is insufficient for the purpose of reporting to the intended users of FS, the auditor should either:
a. disclaim an opinion, or
b. withdraw or resign from the engagement, where withdrawal is possible under the applicable laws and regulations.

Many organizations, no matter their size or scope of operation, have come to realize the importance of using information technology to stay ahead in the current global scenario. Companies have invested in information systems because they recognize the numerous benefits IT can bring to their operations. Management should realize the need to ensure IT systems are reliable, secure and invulnerable to computer attacks.

An information systems audit would therefore ensure that the organization’s data is confidentially stored, that data integrity is ensured and data is available at all times for the authorized users. An information systems audit is an audit of an organization’s IT systems, management, operations and related processes. The importance of information security is to ensure data confidentiality, integrity and availability. Confidentiality of data means protecting the information from disclosure to unauthorized parties. Information such as bank account statements, trade secrets and personal information should be kept private and confidential. Protecting this information is a major part of information security.

Data integrity refers to protection of information from being modified by unauthorized parties. Information is only valuable when it has not been tampered with. Information that has been altered inappropriately could prove costly, for example if you made a transaction of $1,000 and someone altered it to $100,000. Protecting data from tampering by unauthorized persons is paramount in information security.

Availability of information refers to ensuring authorized people have access to the information as and when needed. Denying the rightful users access to information is quite a common attack in this internet age. Users can also be denied access to data through natural disasters such as floods or accidents such as power outages or fire. The key to ensuring data availability is back-up. Backed-up data should ideally be stored at a location far away to ensure its safety, but this distance should take into account the time it would take to recover the backed-up data.

There are three types of information system audits: an audit carried out in support of a financial statements audit, an audit to evaluate compliance with applicable laws, policies and standards related to IT, and finally an IT audit can also be a performance (or value-for-money) audit. The objectives of this audit include finding out if there are any excesses, inefficiency and wastage in the use and management of IT systems. This audit is carried out to assure the stakeholders that the IT system in place is value for the money invested in it.

IT auditors can be involved from the initial design and installation of information systems to ensure that the three components of information security (confidentiality, integrity and availability) will be complied with. IT auditors’ roles, therefore, can be summarized as: participating in the development of high-risk systems to ensure appropriate IT controls are in place, auditing existing information systems, providing technical support to other auditors and providing IT risk consultancy services.

An IT auditor uses some general tools, technical guides and other resources recommended by ISACA or any other accredited body. This is why many audit organizations will encourage their employees to obtain relevant certifications such as CISA (Certified Information Systems Auditor) which is awarded by ISACA.

The general steps followed during an IT audit are establishing the objectives and scope, developing an audit plan to achieve the objectives, gathering information on the relevant IT controls and evaluating them (groundwork), carrying out testing, and finally reporting on the findings of the audit. Additionally, there may be a follow-up step to find out if any recommendations by the audit team have been implemented as well as to address any arising issues.

The basic areas of an IT audit scope can be summarized as: the organization policy and standards, the organization and management of computer facilities, the physical environment in which computers operate, contingency planning, the operation of system software, the applications system development process, review of user applications and end-user access.

Auditors in general have long been perceived as sadists, whose role was to find mistakes employees have made. Perception of IT auditors is somewhat similar, and it’s not strange to encounter slightly uncooperative employees. This is quite unfortunate, because IT auditors (like any other auditors) are not there to make life harder for everyone but to listen, observe and identify any risk areas in order to make life easier for everyone thereafter!

Thus IT managers and other employees that may be involved in the audit process are encouraged to be cooperative and to look at the audit as a chance to improve their systems’ security and reliability. Any recommendations by the audit team should be taken as advice, because the auditor’s role is purely advisory. The management is responsible for developing their security policies and implementing the recommendations from the audit report. Audits are a management tool, not a punishment.

For a company venturing into new markets, it is important to note that an audit is useful in building confidence and public reputation. Suppose a company is setting up in a new market, and the business head decides that cutting costs is priority. The business head then goes ahead and chooses the cheapest information systems to be installed, not taking into account the vulnerabilities of the new systems which he may not be aware of. The process of installation may not take into account various IT controls leading to a system that is vulnerable to tampering. If an incident occurs and is reported in the news, this company risks losing its reputation and any customers it may have gained. Dealing with negative security incidents in the news is much more costly than preventing them in the first place. Losing on your reputation means competitors gain a larger customer base and profit margin.

In summary, an information systems audit is important because it gives assurance that the IT systems are adequately protected, provide reliable information to users, and are properly managed to achieve their intended benefits. It also reduces the risk of data tampering, data loss or leakage, service disruption and poor management of IT systems.

Ans 1- b)

Concurrent auditing techniques are tools that auditors use to collect audit evidence on the reliability of a computer-based application system at the same time as the application system carries out live operational processing of transaction data. They are implemented via program instructions that are embedded within the application software or within the system software, such as the database management system, that supports the application system. For high-materiality application systems, concurrent auditing techniques may be executed continuously. The evidence they collect can be reported immediately to the auditor, which is likely to be the case if high-risk errors or irregularities are identified during application system processing. Alternatively, they may be executed periodically, e.g. during random intervals or during high-risk intervals. Alternatively, the evidence they collect can be stored and reported periodically, which is likely to be the case when the expected losses associated with the exceptions identified are low.

Auditors involved in reviewing an information system should focus their concerns on the system’s control aspects. They must look at the total systems environment not just the computerized segment. This requires their involvement from the time that a transaction is initiated until it is posted to the organisation’s general ledger.
Specifically, auditors must ensure that provisions are made for:
• An adequate audit trail so that transactions can be traced forward and backward through the system.
• Controls over the accounting for all data (i.e. transactions) entered into the system and controls to ensure the integrity of those transactions throughout the computerized segment of the system.
• Handling exceptions to and rejections from the computer system.
• Testing to determine whether the systems perform as stated.
• Control over changes to the computer system to determine whether the proper authorization has been given.
• Adequate security procedures to protect the user’s data.
• Authorisation procedures for system overrides.
• Training user personnel in the operation of the system.
• Developing detailed evaluation criteria so that it is possible to determine whether the implemented system has met predetermined specifications.
• Adequate controls between interconnected computer systems.
• Determining whether organization and Government policies and procedures are adhered to in system implementation.
• Backup and recovery procedures for the operation of the system.
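
The concurrent auditing approach described in Ans 1-b, sketched as an added example that is not part of the original answer: an audit routine embedded in the posting path inspects live transactions, sends high-risk exceptions to the auditor immediately and stores low-risk ones for a periodic report. The class and function names, the threshold, the three exception rules and the sample transactions are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field

HIGH_RISK_AMOUNT = 50_000  # assumed materiality threshold, not from the page


@dataclass
class EmbeddedAuditModule:
    """Audit routine embedded in the posting path (hypothetical design)."""
    sample_rate: float = 1.0          # 1.0 = continuous; lower = random intervals
    seed: int = 0
    immediate: list = field(default_factory=list)  # sent to the auditor at once
    stored: list = field(default_factory=list)     # held for the periodic report

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def inspect(self, txn):
        if self._rng.random() >= self.sample_rate:
            return  # this transaction falls outside the sampled interval
        if txn["amount"] >= HIGH_RISK_AMOUNT:
            self.immediate.append((txn["id"], "amount at or above threshold"))
        if txn.get("override") and not txn.get("authorised_by"):
            self.immediate.append((txn["id"], "system override without authorisation"))
        if not txn.get("source_doc"):
            self.stored.append((txn["id"], "no source document reference"))

    def periodic_report(self):
        """Hand over and clear the low-risk evidence collected so far."""
        report, self.stored = self.stored, []
        return report


def post_transactions(txns, ledger, audit):
    """Live processing: every transaction is posted; the audit hook only observes."""
    for txn in txns:
        audit.inspect(txn)
        ledger.append(txn)
    return ledger


# Constructed sample transactions for illustration.
SAMPLE = [
    {"id": "T1", "amount": 1_200, "source_doc": "INV-1"},
    {"id": "T2", "amount": 75_000, "source_doc": "INV-2"},
    {"id": "T3", "amount": 300, "override": True, "source_doc": "INV-3"},
    {"id": "T4", "amount": 450},
]
```

Because the hook observes without blocking, all four sample transactions reach the ledger while T2 and T3 are reported at once and T4 waits for the periodic report.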