Conducting an Information Systems Audit Chapter 2

The Nature of Controls
- Preventive control
- Detective control
- Corrective control
Dealing with Complexity
1. Given the purposes of the IS audit, factor the system to be evaluated into subsystems.
2. Determine the reliability of each subsystem and the implications of each subsystem’s level of reliability for the overall level of reliability in the system.
Decomposition of the information systems function
[Figure: hierarchy diagram. Node labels: IS Function; Management systems; Management subsystems; Application systems; Cycles; Application subsystems]
Management Subsystem :
- Top management
- IS management
- Systems development management
- Programming management
- Data administration
- Quality assurance management
- Security administration
- Operations management
Application Subsystems :
- Boundary
- Input
- Communication
- Processing
- Database
- Output
Assessing Subsystem Reliability
Audit Risks
Audit risk model for the external audit function:
DAR = IR x CR x DR
- DAR = desired audit risk
- IR = inherent risk
- CR = control risk
- DR = detection risk
Types of Audit Procedures
1. Procedures to obtain an understanding of controls
2. Tests of controls
3. Substantive tests of details of transactions
4. Substantive tests of details of account balances
5. Analytical review procedures
Auditors can use similar types of procedures if they are concerned with evaluating the effectiveness and efficiency of an organization’s operations:
1. Procedures to obtain an understanding of controls
2. Tests of controls
3. Substantive tests of details of transactions
4. Substantive tests of overall results
5. Analytical review procedures
Overview of Steps in an Audit
Planning The Audit
[Figure: flowchart of the audit process with yes/no decision branches. Node labels: Start; Preliminary audit work; Obtain understanding of control structure; Assess control risk; Rely on controls?; Tests of controls; Reassess control risk; Still rely on controls?; Increase reliance on controls?; Limited substantive testing; Extended substantive testing; Form audit opinion and issue report; Stop]
Tests of controls
Tests of transactions
Tests of balances or overall results
Completion of the audit
Auditing Around or Through The Computer
Auditing around the computer
Auditing through the computer