There are many different types of audits including internal, external, and information technology. Companies should be familiar with the types of audits that may possibly be used on an Accounting Information System (AIS). Knowing the different types of audits and where they are used will help a company be ready for an audit and make the process much smoother. There are some circumstances where auditing through a computer is not always beneficial. Auditors want to make sure they are completing their audits fully and appropriately to the best of their abilities.
Attestation, SAS 70, SAS 94, and Findings and Recommendations are four main types of Information Technology (IT) audits. If Kudler wants the auditor to provide assurance for each part of the system, an attestation audit could be used. An attestation audit can assist Kudler by issuing reports on examinations, reviews, or agreed-upon procedures. An attestation audit can provide Kudler with independent assurance on the reliability or validity of information related to the four systems under review (KPMG, 2011).
A Findings and Recommendations audit can provide Kudler with other information about each system. This kind of audit includes the following: system implementations, security reviews, database application reviews, project management, IT infrastructure, and IT internal audit services.
If Kudler chooses to use the Findings and Recommendations audit, this type will not produce an opinion, only a summary of the audit for each of the systems (Hunton, Bryant, & Bagranoff, 2004). An SAS 70 audit is to provide assurance about the effectiveness and existence of the company’s internal controls around a service provided to others.
Kudler is not a service provider. However, Kudler does transmit data to the Electronic Payment Clearing House for automatic submission of the credit card transactions to the applicable financial institutions. An SAS 70 could be beneficial because it is a way to prove that adequate controls are in place to protect the consumer through e-commerce. SAS 94 audits are performed with a financial statement audit and focus on the client’s AIS. It addresses the effect of IT on internal controls in a financial statement audit. Kudler will need a much broader assessment than an SAS 94.
There are many routes to perform an IT audit. This audit is internal and will look at both Information Technology General Controls (ITGC) and Application Controls. Specifically, the audit will focus on these categories: systems and applications, information processing facilities, management of IT and enterprise architecture, client/server, telecommunications, and intranets/extranets. The audit style will be via Findings and Recommendations as management will have to consider recommendations and the ultimate decision to make changes according to priority and budget. The audit will verify the systems and applications for efficiency and controls to ensure validity, integrity, and security of data and transactions. Kudler will need the completion of an audit on information processing facilities to assess physical conditions of the main housing units and the offsite locations to support the company’s Disaster Recovery Plan (DRP).
This type of audit will evaluate the organizational structure and procedures to ensure that an efficient, controlled environment is in place. These relate to any telecommunication controls between client and server, the entire network, and any servers communicating eternally including firewalls. Auditors will assess two types of controls: security controls and access controls. Each of these types should include all three sub-controls: preventive, detective, and corrective. The AIS has an imperative need for controls to address any risks that may exist for every process and transaction. Security access controls are in place to protect data from being stolen, lost, or damaged. Access controls protect data from being released to non-authorized users, hackers, and other intruders.
Kudler will conduct an information system audit by examining and evaluating their present hardware and software. They will also examine their IT controls, systems security, risk management, and the adequacy of their current systems. They can carry out their marketing audit by evaluating the effectiveness of their marketing program and examining its capabilities. It will evaluate their functions in respect to their goals, mission, vision, and their values of Kudler, which is done externally. Kudler will examine their faculty, and their deficiencies will be identified. Another suggestion is equipment be audited, the maintenance, and an examination to determine if it’s being operated at the designed levels, safety set-up, security, and access issues. Their audit will be done by an external auditor who will examine their accounts, vouchers to support, financial information tests, evaluation of their financial statements, and also examine the internal control and make comments for improvements.
Events that prevent reliance on auditing through the computer Using computer-based accounting systems does have its disadvantages, such as certain laws pertaining to confidentiality, the requirement to protect against the loss of data through power failures, the infection of viruses, and the abundance of opportunities for hackers to steal data. Computer fraud is also a major worry; the need to initiate internal controls for all those who have access to the business’s information, particularly confidential customer information. An event that Kudler may run into with the need of stronger controls is a security breach, which entails stolen data. Kudler management can be held liable for the loss of personal customer data (University of Phoenix Virtual Organization Portal, 2013).
Another event is a computer-based system with feeble controls over the data input procedures and processing, this requires the need for more thorough testing of financial transactions. The incorrect input of data can not only cause misrepresentation of financial statements in the form of incorrect asset valuations but because a mistake in data entry will give Kudler false analytical data such as sales and inventory. Lastly, an auditor will have to assume that auditing through the use of their computer-based method that their CPU and other hardware are operating properly (Bargnoff, N.A., Simkin, M.G, & Strand, C., 2008).
It is important for companies to stay positive throughout the audit process. There are many different audit processes such as Attestation, SAS70, and SAS94 which are all effective audit strategies that may be used when auditing the company. Companies being audited should be familiar with these audit processes as well as how the audits are conducted to ensure that the process will be as smooth and stress free as possible.