Conducting an Information Systems Audit Chapter 2.

Post on 01-Jan-2016


Conducting an Information Systems Audit

Chapter 2

The Nature of Controls

- Preventive control
- Detective control
- Corrective control

Dealing with Complexity

1. Given the purposes of the IS audit, factor the system to be evaluated into subsystems.

2. Determine the reliability of each subsystem and the implications of each subsystem’s level of reliability for the overall level of reliability in the system.

Decomposition of the information systems function

[Figure: IS Function; Application subsystems; Application systems; Cycles; Management subsystems; Management systems]

Management Subsystem:

- Top management
- IS management
- Systems development management
- Programming management
- Data administration
- Quality assurance management
- Security administration
- Operations management

Application Subsystems:

- Boundary
- Input
- Communication
- Processing
- Database
- Output

Assessing Subsystem Reliability

Audit Risks

Audit risk model for the external audit function:

DAR = IR x CR x DR

DAR = desired audit risk

IR = inherent risk

CR = control risk

DR = detection risk
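
An added example (not from the original slides) that rearranges the audit risk model to DR = DAR / (IR x CR) and applies it to the application subsystems listed earlier. The function names and every numeric assessment are constructed for illustration.

```python
# Added example: planning detection risk from the audit risk model
# DAR = IR x CR x DR. All numeric assessments below are constructed.

APPLICATION_SUBSYSTEMS = ("Boundary", "Input", "Communication",
                          "Processing", "Database", "Output")


def planned_detection_risk(dar, ir, cr):
    """Solve DAR = IR x CR x DR for DR, the detection risk the auditor can accept.

    Each risk is a probability in (0, 1]. When IR x CR is already at or
    below DAR the quotient exceeds 1, so DR is capped at 1.0.
    """
    for name, value in (("DAR", dar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value!r}")
    return min(1.0, dar / (ir * cr))


def plan(dar, assessments):
    """Return {subsystem: DR} sorted from lowest DR (most audit work) up.

    `assessments` maps a subsystem name to its (IR, CR) pair.
    """
    unknown = set(assessments) - set(APPLICATION_SUBSYSTEMS)
    if unknown:
        raise ValueError(f"unknown subsystem(s): {sorted(unknown)}")
    drs = {s: planned_detection_risk(dar, ir, cr)
           for s, (ir, cr) in assessments.items()}
    return dict(sorted(drs.items(), key=lambda kv: kv[1]))


# Constructed (IR, CR) assessments for one application system.
SAMPLE = {
    "Boundary": (0.8, 0.5),
    "Input": (1.0, 1.0),
    "Processing": (0.5, 0.25),
    "Database": (0.2, 0.2),
}

if __name__ == "__main__":
    for subsystem, dr in plan(0.05, SAMPLE).items():
        print(f"{subsystem:<12} planned DR = {dr:.3f}")
```

A subsystem with high inherent and control risk leaves little room for detection risk, so it sorts to the top of the plan.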

Types of Audit Procedures

1. Procedures to obtain an understanding of controls

2. Tests of controls

3. Substantive tests of details of transactions

4. Substantive tests of details of account balances

5. Analytical review procedures

Auditors can use similar types of procedures if they are concerned with evaluating the effectiveness and efficiency of an organization’s operations:

1. Procedures to obtain an understanding of controls

2. Tests of controls

3. Substantive tests of details of transactions

4. Substantive tests of overall results

5. Analytical review procedures

Overview of Steps in an Audit

Planning The Audit

[Figure: flowchart of the steps in an audit. Boxes: Start; Stop; Obtain understanding of control structure; Assess control risk; Preliminary audit work; Reassess control risk; Tests of controls; Limited substantive testing; Extended substantive testing; Form audit opinion and issue report. Decisions (yes/no): Rely on controls?; Increase reliance on controls?; Still rely on control?]

Tests of controls

Tests of transactions

Tests of balances or overall results

Completion of the audit

Auditing Around or Through The Computer

- Auditing around the computer
- Auditing through the computer