Both internal and external auditors conduct audits. External auditing is often called independent auditing because certified public accounting (CPA) firms that are independent of the client organization’s management perform them. External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies.
External Auditing
Historically, the external accountant’s responsibility as a systems auditor was limited to the attest function described previously. In recent years this role has been expanded by the broader concept of assurance. The Big Four public accounting firms have now renamed their traditional audit functions assurance services.
ASSURANCE. Assurance services are professional services, including the attest function, that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. For example, a client may contract assurance services to obtain an opinion as to the quality or marketability of a product. Alternatively, a client may need information about the efficiency of a production process or the effectiveness of their network security system. A gray area of overlap exists between assurance and consulting services, which auditors must avoid. They were once allowed to provide consulting services to audit clients. This is now prohibited under SOX legislation. These issues are discussed in later chapters.
IT AUDITING. IT auditing is usually performed as part of a broader financial audit. The organizational unit responsible for conducting IT audits may fall under the assurance services group or be independent. Typically such units carry a name such as IT Risk Management, Information Systems Risk Management, or Global Risk Management. The IT auditor attests to the effectiveness of a client’s IT controls to establish their degree of compliance with prescribed standards. Because many of the modern organization’s internal controls are computerized, the IT audit may be a large portion of the overall audit. We examine IT controls, risks, and auditing issues in Chapters 15, 16, and 17.
Internal Auditing
Internal auditing is an appraisal function housed within the organization. Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial statement audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits. As you can see, the tasks that external and internal auditors perform are similar. The feature that most clearly distinguishes the two groups is their respective constituencies. External auditors represent third-party outsiders, whereas internal auditors represent the interests of management.
Summary
The first section of this chapter introduced basic systems concepts and presented a framework for distinguishing between accounting information systems and management information systems. This distinction is related to the types of transactions these systems process. AIS applications process financial transactions, and MIS applications process nonfinancial transactions. The section then presented a general model for accounting information systems. The model is composed of four major tasks that exist in all AIS applications: data collection, data processing, database management, and information generation.
The second section examined the relationship between organizational structure and the information system. It focused on functional segmentation as the predominant method of structuring a business and examined the functions of a typical manufacturing firm. The section presented two general methods of organizing the IT function: the centralized approach and the distributed approach.
The third section reviewed the evolution of AIS models. Each new model evolved because of the shortcomings and limitations of its predecessor. As new approaches evolved, however, the predecessor or legacy systems often remained in service. Thus, at any point in time, various generations of systems coexist across different organizations and even within a single enterprise. Five AIS models were examined.