...Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org. How to Use a New Computer Audit Fraud Prevention and Detection Tool By Richard B. Lanza, CPA, PMP While occupational fraud takes various forms, the result is always the same: the numbers generated by fraud cannot hold up to the unfailing logic of the accounting equation. If executives add false sales and accounts receivable to increase the organization’s revenue, profits and cash will be out of kilter. The advancement of technology has allowed for this “accounting equation” to be systematized into computer logic and applied to company data.1 Results of this logic could take the form of a simple matching of the human resource file to the accounts payable vendor master file. On the other side of the coin, it could be an advanced neural network application focused on detecting money laundering schemes. Whether it is simple or advanced, data analysis provides many benefits in the prevention and detection of fraud. On one hand, the fraud examiner gains insight on 100 percent of an organization’s transaction data vs. more limited manual methods of selection. Further, this approach can generally be completed in less time than manual procedures, given the automation of the work. Examiners also gain improved business intelligence as the generated reports often lead to conclusions beyond whether just fraud occurred. Such new insights can lead to suggested process improvements...
Words: 2941 - Pages: 12
...and risks for an audit proposal. After analyzing the necessary components the team recommends that an SAS 94 audit is appropriate for Kudler. To conduct the audit the auditor will use computer assisted audit tools and techniques (CAATTs) or in Kudler’s case computer assisted audit techniques (CAATs). The following brief is an explanation of how CAATs are used to validate data and the system integrity, and explain audit productivity software. CAATs CAATs are techniques that increase the auditor’s productivity and effectiveness during the audit function. CAATTs use tools, such as software, to increase the auditor’s productivity and extract data, and analyze the data in addition to the techniques. The techniques are used to validate application integrity and verify data integrity of Kudler’s information systems. “These techniques include generating test decks of data, writing and embedding automated audit modules, and performing digital analysis and linear regression on a client’s data” (Hunton, 2004, p. 179). CAAT assists the auditor in collecting sufficient, reliable, relevant, and useful evidence that supports the planned audit objects. The Standards Board of the Information Systems Audit and Control Association (ISACA) governs the use of CAATs with Guideline 70. Guideline 70 provides guidance in the areas of planning, execution, documentation, and reporting when using CAATs. The auditor uses a decision-making process when and how to use CAATs in the audit. The process is a...
Words: 919 - Pages: 4
...would assist with the audit and with management decisions by having information more readily available to all users. There were recommendations to the audit plan and the documentation and audit processing. KFF is going to implement proposed computer assisted auditing techniques (CAAT). CAAT will also serve as a validation agent for the reliability of the data. Recommendations The recommendations to KFF include industry specific software to improve the tracking of the inventory to help reduce spoilage and better rotation of products. It also reviewed and tied the accounts payable and receivable systems as well as payroll to the inventory system. The recommended system tied inventory into the accounts payable and receivable systems already being used. IT audits were reviewed and evaluated to assist with the design of the software and system. After reviewing the accounting information systems for Kudler Fine Foods (KFF) recommendations have been made to update and replace certain aspects of the information technology (IT) system to make the company more productive. From the review and research, it was recommended that the most appropriate audit was the findings and recommendation audit. Audits are required of most businesses and are time consuming for all involved. It can be nearly impossible for companies to conduct these audits efficiently without incorporating software to make this process more efficient. Computer Assisted Audit Tools One way to streamline...
Words: 822 - Pages: 4
...organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit. Keywords: internal controls; general control; ITGC; risk assessment. INTRODUCTION The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short, accountants—external auditors, internal auditors, and management accountants at all levels—are actively involved in helping their respective organizations comply with SOX-related internal control requirements. Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal...
Words: 6299 - Pages: 26
...the following conditions will not normally cause the auditor to question whether material misstatements exist? (1) Bookkeeping errors are listed on an IT-generated error listing. c. As general IT controls weaken, the auditor is most likely to (3) expand testing of automated application controls used to reduce control risk to cover greater portions of the fiscal year under audit. d. Which of the following is an example of an application control? (3) The sales system automatically computes the total sale amount and posts the total to the sales journal master file. 12-18 (Objectives 12-2, 12-4) The following questions concern auditing complex IT systems. Choose the best response. a. Which of the following client IT systems generally can be audited without examining or directly testing the computer programs of the system? (1) A system that performs relatively uncomplicated processes and produces detailed output. b. Which of the following is true of generalized audit software programs? (3) They each have their own characteristics that the auditor must carefully consider before using in a given audit situation. c. Assume that an auditor estimates that 10,000 checks were issued during the accounting period. If an automated application control that does a limit check for each check request is to be subjected to the auditor’s test data approach, the sample should include (2) a number of test items determined by the auditor to be sufficient under the circumstances. d....
Words: 1273 - Pages: 6
...following conditions will not normally cause the auditor to question whether material misstatements exist? 1. Bookkeeping errors are listed on an IT-generated error listing. c. As general IT controls weaken, the auditor is most likely to 3. expand testing of automated application controls used to reduce control risk to cover greater portions of the fiscal year under audit. d. Which of the following is an example of an application control? 3. The sales system automatically computes the total sale amount and posts the total to the sales journal master file. 12-18 (Objectives 12-2, 12-4) The following questions concern auditing complex IT systems. Choose the best response. a. Which of the following client IT systems generally can be audited without examining or directly testing the computer programs of the system? 1. A system that performs relatively uncomplicated processes and produces detailed output. b. Which of the following is true of generalized audit software programs? 3. They each have their own characteristics that the auditor must carefully consider before using in a given audit situation. c. Assume that an auditor estimates that 10,000 checks were issued during the accounting period. If an automated application control that does a limit check for each check request is to be subjected to the auditor’s test data approach, the sample should include 2. A number of test items determined by the...
Words: 1286 - Pages: 6
...Mississauga Airport Mississauga Airport (MA) is one of Ontario’s smaller airports that has been established since 1965. MA has undergone a management change recently: a new Vice President has been appointed. MA has switched to another audit firm since the new VP is a good friend of the former engagement partner resulting in a conflict of interest. MA has now appointed E&Y as its new audit firm. The engagement partner has, in turn, appointed you to gather information about MA’s general and application controls as well as some of the CAATs that we can use in this new audit. You spoke to some of MA’s employees and did some additional research regarding MA’s operations. The observations based on the research have been outlined in the exhibits. Your next step is to analyze those observations and come up with the general and application controls that need to be tested as well as the CAATs that can be used to audit MA’s financial statements. MA’s year-end is December. Exhibit 1 1. To protect the safety of the airport and the airlines, Mississauga Airport uses security-screening processes, during which, the airport collects a passenger’s personal information during the following occasions: * When the prohibited items are found to be a threat to aviation security; * When the amount of the money carried by a passenger exceeds $10,000; * When passengers are not cooperative or use violence. 2. Earlier this year, a traveller was suspected to take...
Words: 4452 - Pages: 18
...current computer system and evaluated the possibility of threats to it and recommended integrated software solutions. The T3 line at Kudler is clearly more data transmission than is necessary for the company, so it was recommended they switch to a T1 dedicated line to reduce costs. Due to the importance of inventory control, we showed management how to take their current inventory data tables and construct pivot tables to improve decision making on inventory. Internal controls were reviewed on payroll, accounts payable, accounts receivable, and inventory processes to ensure the accuracy and validity of data. The review determined that if Kudler does not implement the recommended internal controls system suggested, the business could be under serious threats. Information Technology (IT) auditing is another important improvement that Kudler should make since our analysis showed that there are risks and vulnerabilities in the AIS process. Our final recommendation will be in the way that the audit process is improved by using computer assisted auditing techniques. This will complete the firm’s analysis and recommendations for Kudler Fine Foods. Our firm last week analyzed and recommended different types of Information Technology (IT) audits that Kudler Fine Foods can use to assess the risks and vulnerabilities in Accounting Information Systems (AIS) processes. In addition to audit types, owner Kathy Kudler needs to consider the various types of computer assisted...
Words: 1144 - Pages: 5
... | Review Checkpoints | Exercises, Problems and Simulations |
| 1. List and describe the general and application controls in a computerized information system. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 | 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 66 |
| 2. Explain the difference between auditing around the computer and auditing through the computer. | 14, 15, 16 | 51, 65 |
| 3. List several techniques auditors can use to perform tests of controls in a computerized information system. | 17, 18, 19, 20, 21 | 64 |
| 4. Describe the characteristics and control issues associated with end-user and other computing environments. | 22, 23, 24, 25 | 63 |
| 5. Define and describe computer fraud and the controls that an entity can use to prevent it. | 26, 27, 28, 29, 30 | 56 |
SOLUTIONS FOR REVIEW CHECKPOINTS
H.1 Given its extensive use, auditors must consider clients’ computerized information systems technology. All auditors should have sufficient familiarity with computers, computerized information systems, and computer controls to be able to complete the audit of simple systems and to work with information system auditors. More importantly, auditors must assess the control risk (and the risk of material misstatement) regardless of the technology used for preparing the financial statements. In a computerized processing environment, auditors must study and test information technology...
Words: 10310 - Pages: 42
...completeness at Kudler’s intranet and developed a pivot table; therefore, making the decision-making process easy. External and internal risks were analyzed and internal control points were developed by incorporating both risks and controls into a flowchart. Team D also showed why findings and recommendations are more useful to the company in comparison to SAS70 and SAS94 audits. The team identified events that will lessen the dependence on auditing through computer and showed a brief description how the audit should be conducted. System Integrity and Validation Kudler Fine Foods has looked for recommendations regarding the company, to include computer information system, automated process of an accounting information system, data table analysis, internal control and risk evaluation, and auditing procedures. The most recent visit was necessary because of apprehension of the company’s system integrity and validation. The accounting firm will inform Kudler on the selected auditing techniques the accounting firm will use to validate data and system integrity. The firm will provide detailed information on functions of the audit productivity software and...
Words: 1182 - Pages: 5
...to be easily sent from a patient’s doctor to the facility that needs them. Fixem Orthopedic must ensure that only authorized individuals, mainly the receptionists and physical therapists, can have access to these sensitive records. These files contain information that malicious people can take advantage of such as Social Security numbers and credit card and billing information. The lack of a proper security policy can result in severe penalties for Fixem Orthopedic under the HIPAA Security Rule (“HIPAA Security Rule”). Measures must also be taken to protect the network from malware, including worms and viruses. These are very serious security threats that can slow or bring down the network as well as pose a threat to data stored on the computers. Finally, the employees can pose a risk to the network’s security if they have not been properly trained to handle social engineering tactics. Improvement The security of this business’s network is vital to its continued operation. As such, all devices within the network must be properly secured. The ISP has provided each Fixem Orthopedic office with a router that has firewall capabilities, which connects each office to the Internet. A firewall is also placed on the DMZ that contains the web/email and file servers. These firewalls implement access control lists, or ACLs, to filter packets based on a number of...
Words: 1725 - Pages: 7
...Question HHH Negligence Element • There must be a duty of care owed to the party suing the auditor. • There must be a breach of duty of care (failure to follow GAAS, negligent audit). • There must be proof that the party suffered a loss or damage • There must be a connection between the party’s loss or damage and the breach of the duty. Question A HHH Company’s Case • HHH hired the auditors; therefore the auditors owe a duty of care to the shareholders. • The shareholders would have to show that the auditors were negligent in their audit, that is, the auditor issued an unqualified report even though there is a misstatement in the financial statements. • HHH lost its investment in the commodities • HHH shareholders would have to show that they suffered the loss due to the auditor’s negligence. Question A • Each store is managed by an owner of the business, which suggests that an external audit is not required. • The company is not public, so there is no statutory requirement for an audit. • If the company borrows from an outside source, then an external audit may be a requirement by the lender. • The existing shareholders are already creditors of the company, and they may wish to have an audit. Question B • Collusion requires 2 or more people to work together to circumvent the controls. In this case, the 2 purchasing clerks could have colluded by having 1 clerk record a false vendor number on the invoice and then the other clerk prepare the payment to M. Smith. • This...
Words: 683 - Pages: 3
...IT AUDIT REPORT FOR Contents 1. Introduction 1.1 Purpose 1.2 Scope 2. Background Information 3. Assets Identification 4. Threat Assessment 5. LAWS, REGULATIONS AND POLICY 5.1 Hospital Policy 5.2 Vulnerabilities 6. PERSONNEL 6.2 Management 6.3 Operations 6.4 Development 6.5 Vulnerabilities 7. Systems and Applications 7.1 Vulnerabilities 8. Information Processing Facilities (Data Centers) 8.1 Vulnerabilities 9. Systems Development 9.1 Vulnerabilities 10. Management of IT and Enterprise Architecture 11. Client, Server, Telecommunications, Intranets and Extranets 11.1 Building Vulnerabilities 11.1 Security Perimeter 11.1 Server Area 12. Summary 12.1 Action Plan 1. Introduction • At present the Hospital has 250 beds including 40 adult ICU and 8 Pediatric ICU beds. • The Hospital is well equipped with latest technology like 1.5 Tesla MRI, 6 Slice Spiral CT Scan, Digital X-ray, Mammography, Intense Pulse Light (Cosmetic) and Diabetic Foot Care Equipment. In the year 2007-08, the hospital provided services to 46000 patients. So far the hospital has repaired approximately 2400 cleft lip and cleft palate...
Words: 2618 - Pages: 11
...Running head: Huffman Trucking Company Service Request, SR-HT-001 University of Phoenix Security/risks with Benefits Elections Systems The purpose of this information is to address the possible security requirements and the possible risks associated with the Benefits Elections Systems being requested by the Huffman Trucking Company. Huffman's mission is to "be a profitable, growing, adaptive company in an intensively competitive logistical services business environment." Huffman plans to fulfill its mission through technology, security and risk assessment/reduction. Huffman Trucking is a national company founded in 1936 by K. Huffman, a native of Cleveland, OH. Huffman employs 1,400 employees in four hubs located in Cleveland, OH, Los Angeles, CA, St. Louis, MO and Bayonne, NJ. With so many employees divided in four locations, Keneth Colbert, Director of HR makes a valid request for the development and installation of a benefits election system to support the tracking and reporting of employee (union and non-union) benefits. However, because...
Words: 1381 - Pages: 6
...Accreditation Audit: AFT2 task 2 Confidential—For internal use only to support performance improvement activities. This information is provided within the confidentiality protections of state statute. It is not to be distributed outside the quality assurance, performance improvement, peer review process. Analysis of Key Components RCA: Child Abduction Please note that the root cause analysis and action plan must show evidence of an analysis within the key components as outlined on the root cause analysis matrix for the specific type of event. An area on the matrix that may not have an identified process breakdown should still be summarized to determine that the component was evaluated. Brief description of event Briefly summarize the circumstances surrounding the occurrence including the patient outcome (e.g., death, loss of function). A 3-year-old female pediatric patient...
Words: 3407 - Pages: 14