Chapter 11: Auditing Computer-Based Information Systems
• The systematic process of obtaining and evaluating evidence regarding assertions about
economic actions and events in order to determine how well they correspond with
Types of Audits
o Examines the reliability and integrity of:
Financial transactions, accounting records, and financial statements.
• Information System
o Reviews the controls of an AIS to assess compliance with:
Internal control policies and procedures and effectiveness in safeguarding
o Economical and efficient use of resources and the accomplishment of
established goals and objectives
o Determines whether entities are complying with:
Applicable laws, regulations, policies, and procedures
o Incidents of possible fraud, misappropriation of assets, waste and abuse, or
improper governmental activities.
The Audit Process
• Collecting Evidence
• Evaluating Evidence
• Communicating Audit Results
Planning the Audit
• Why, when, how, whom
• Work targeted to area with greatest risk:
Chance of risk in the absence of controls
Risk a misstatement will not be caught by the internal control system
Chance a misstatement will not be caught by auditors or their procedures
Collection of Audit Evidence
• Not everything can be examined so samples are collected
• Observation of activities to be audited
• Review of documentation
o Gain understanding of process or control
• Physical examination
o Testing balances with external third parties
o Recalculations to test values
o Examination of supporting documents
• Analytical review
o Examining relationships and trends
Evaluation of Audit Evidence
• Does evidence support favorable or unfavorable conclusion?
o How significant is the impact of the evidence?
• Reasonable Assurance
o Some risk remains that the audit conclusion is incorrect.
Communication of Audit Conclusion
• Written report summarizing audit findings and recommendations:
o To management
o The audit committee
o The board of directors
o Other appropriate parties
• Determine the threats (fraud and errors) facing the company.
o Accidental or intentional abuse and damage to which the system is exposed
• Identify the control procedures that prevent, detec