Kudler Fine Foods - Information System Audit
Information technology (IT) has become increasingly sophisticated and complex, escalating the ongoing change within Kudler Fine Foods. As IT is adopted within the organization, automation controls many processes within Kudler's environment. As Kudler has become more virtualized, a need has arisen for increased trust and assurance in its relationships with consumers, partners and suppliers. The swell of e-commerce business has created new ways of conducting an audit. Statement on Auditing Standard 94 (SAS 94) requires that the auditor understand the technological aspects of the organization in order to grasp the internal controls and assess control risks for a proper audit analysis. The following covers the types of audits, audit process recommendations, the conduct of audits, and events that could prevent reliance on auditing through the computer.
Audits
Types of Audits
Kudler Fine Foods has integrated new IT into major system processes. Because of this new IT, Kudler Fine Foods is now required to include IT in the financial statement audit per SAS 94. The company should also have the new IT processes audited in an independent external audit for assurance of data availability, data security and data integrity. The four main types of IT audits are: Attestation, Finding and Recommendation, SAS 70, and SAS 94.
As noted, SAS 94 is a requirement for organizations processing electronic data. The financial auditor considers IT as an overall part of internal control by understanding the design of the relevant controls and evaluating the effectiveness of those controls (Greene, 2009). The SAS 94 audit will be conducted at the time of the financial audit and accounts for the majority of IT audits performed (Hunton, 2004).
Kudler Fine Foods has two options for independent IT auditing of its internal processes: Attestation and Finding and Recommendation. In an attestation audit, Kudler would make an assertion about a process, namely that the process is an effective internal control. The auditor then examines the specific process and provides a written report on the findings. The report is comprehensive about what the auditor did and any findings, or lack of findings, to provide feedback (Hunton, 2004). The attestation audit is not to be confused with a Finding and Recommendation audit, which does not have a stated set of guidelines. A Finding and Recommendation audit would be a consultant advising about security infrastructure and the implementation of IT services. The audit is done by an IT professional with specific hardware and software knowledge. Attestation audits are specific and result in an opinion rendered by the auditor. Finding and Recommendation audits are general and usually involve recommendations for implementing security measures or new software systems.
Finally, Kudler Fine Foods should require a SAS 70 audit from any outsourced service organizations currently used. SAS 70 is for service organizations to assure clients of the existence and effectiveness of internal controls. Management at Kudler Fine Foods can use the SAS 70 audit to see how the service organization is affecting the internal controls (Hunton, 2004). SAS 70 is an important tool for Kudler Fine Foods when outsourcing any system or information, such as payroll.
Audit Recommendations
The outsourcing of payroll has significantly automated many of the processes, which would require a SAS 94 and SAS 70 audit approach. The auditor determines how the payroll system is used and how transactions are processed in order to gain a better understanding of the internal controls. The audit would consist of an application software review, which requires testing the reliability of computer-generated information. The payroll “validation of inputs, processing, and output, access control and authorization, error handling, and system log procedures” (Hunton, 2004, p. 220) are tested as...
References
Apex. (2009). Accounts Payable Audit. Retrieved on April 19, 2009 from http://www.apexanalytix.com/Goods_and_Services/Audit/Accounts_Payable_Audit.aspx
Chiappetta, Larson, Wild
Application Security in Internal Control. Retrieved April 19, 2009, from
Hunton, J. E. (2004). Core concepts of Information Technology auditing. In (Ed.), Information Technology auditing (pp. 341-372). Retrieved from University of Phoenix eBook Collection Database.
Hunton, J. E. (2004). Core concepts of Information Technology auditing. In (Ed.), Conducting the IT audit (pp. 207-227). Retrieved from University of Phoenix eBook Collection Database.
ISACA. (2008). Reporting Document G20. Retrieved on April 19, 2009 from http://www.isaca.org/Content/ContentGroups/Standards2/Standards,_Guidelines,_Procedures_for_IS_Auditing/IS_Auditing_Guideline_G20_Reporting1.htm