2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 1

Auditing Information Technology

Chapter 16

What is auditing through the computer? It is the process of reviewing and evaluating the internal controls in an electronic data processing system.

What is auditing with the computer? It is the utilization of the computer by an auditor to perform some audit work that otherwise would have to be done manually.

Structure of Financial Statement Audit

The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports.

The external auditor serves the firm’s stockholders, the government, and the general public.

The internal auditor serves a firm’s management.

Various types of professional certifications are applicable to auditing.

What are these?
– CPA (certified public accountant)
– CISA (certified information systems auditor)
– CIA (certified internal auditor)

Audits are almost universally divided into two components.

[Figure: Structure of a financial statement audit. Transactions pass through the accounting system to financial reports. Compliance testing: interim audit. Substantive testing: financial statement audit (confirm balances: cash with bank, receivables with customers).]

Auditing Around the Computer

An accounting system comprises input, processing, and output.

In the around-the-computer approach, the processing portion is ignored.

Auditing through the computer may be defined as the verification of controls in a computerized system.

Auditing with the computer is the process of using information technology in auditing.

Control Framework in IT Environment

[Figure: Control framework in an IT environment. Boxes: Internal Controls; General Controls; Applications Controls; Computer Application Systems and Programs; Application Systems Development; Computer Service Center.]

Auditing with the Computer

What are some of the potential benefits of using information systems technology in an audit?

1 Computer-generated working papers are generally more legible and consistent.

2 Time may be saved by eliminating manual footing, cross footing, and other routine calculations.

3 Calculations, comparisons, and other data manipulations are more accurately performed.

4 Analytical review calculations may be more efficiently performed.

5 Project information may be more easily generated and analyzed.

6 Standardized audit correspondence may be stored and easily modified.

7 Morale and productivity may be improved by reducing the time spent on clerical tasks.

8 Increased cost-effectiveness is obtained by reusing and extending existing electronic audit applications to subsequent audits.

9 Increased independence from information systems personnel is obtained.

Information Systems Auditing Technology

Technique: Test data

Description: Test data are input containing both valid and invalid data.

Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

[Figure: Test data. Hypothetical transactions (test data) are processed by the computer using the master program; the resulting error listing is compared with the auditor's expected output.]
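
The test data technique as a runnable sketch: a deck of valid and invalid payroll transactions is run through an edit program and the resulting error listing is compared with the auditor's predetermined output. This is an added example, not from the textbook; `payroll_edit`, its rules, the employee IDs and the test deck are hypothetical and constructed here, and the edit program deliberately lacks a lower-bound check on hours so the comparison has something to find.

```python
# Hypothetical stand-in for the payroll edit program under audit.
VALID_EMPLOYEES = {"E100", "E200"}


def payroll_edit(txn):
    """Return None if the transaction is accepted, else an error-listing message."""
    if txn["emp_id"] not in VALID_EMPLOYEES:
        return "unknown employee"
    if txn["hours"] > 80:  # constructed defect: negative hours are not rejected
        return "hours out of range"
    if txn["rate"] <= 0:
        return "invalid rate"
    return None


# Auditor's test deck (constructed): each hypothetical transaction is paired
# with the result the auditor worked out in advance.
TEST_DECK = [
    ({"emp_id": "E100", "hours": 40, "rate": 25.0}, None),                  # valid
    ({"emp_id": "E999", "hours": 40, "rate": 25.0}, "unknown employee"),    # fictitious employee
    ({"emp_id": "E200", "hours": 81, "rate": 25.0}, "hours out of range"),  # just over the limit
    ({"emp_id": "E200", "hours": -5, "rate": 25.0}, "hours out of range"),  # negative hours
    ({"emp_id": "E100", "hours": 40, "rate": 0.0}, "invalid rate"),         # zero rate
]


def run_test_deck(program, deck):
    """Process the deck and compare actual results with the expected output."""
    deviations = []
    for case, (txn, expected) in enumerate(deck, start=1):
        actual = program(txn)
        if actual != expected:
            deviations.append(
                {"case": case, "txn": txn, "expected": expected, "actual": actual}
            )
    return deviations


if __name__ == "__main__":
    for d in run_test_deck(payroll_edit, TEST_DECK):
        print(f"case {d['case']}: expected {d['expected']!r}, got {d['actual']!r}")
```

Only the negative-hours case deviates, which shows why the deck needs invalid data on both sides of each limit and not just one rejected value per control.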

Technique: Integrated test facility (ITF)

Description: ITF involves both the use of test data and the creation of fictitious records (vendors, employees) on the master files of a computer system.

Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

[Figure: Integrated test facility. Transactions and ITF transactions enter the computer application system, which works with data files and ITF data and produces reports without ITF data and reports containing ITF information.]

Technique: Parallel simulation

Description: Processing real data through audit programs. The simulated output and the regular output are then compared.

Example: Depreciation calculations are verified by processing the fixed-asset master file with an audit program.

[Figure: Parallel simulation. The same transactions are processed by the computer application system (function to be verified) and by the parallel simulation program; the report and the simulation report are compared.]
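
The depreciation example above, worked as a parallel simulation: an independent audit program recomputes each asset's depreciation from the master file and compares it with the amount the production system reported. This is an added example, not from the textbook; the record layout, the sample master file and the choice of the straight-line method are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Asset:
    """One fixed-asset master file record (layout assumed for this example)."""
    asset_id: str
    cost: Decimal
    salvage: Decimal
    life_years: int
    accumulated: Decimal  # depreciation taken before this period
    reported: Decimal     # this period's depreciation per the production system


def simulate_depreciation(a: Asset) -> Decimal:
    """Audit program: independent straight-line calculation (assumed method)."""
    if a.life_years <= 0:
        raise ValueError("useful life must be positive")
    base = a.cost - a.salvage
    annual = (base / a.life_years).quantize(CENT, rounding=ROUND_HALF_UP)
    remaining = max(base - a.accumulated, Decimal("0"))
    return min(annual, remaining)  # never depreciate below salvage value


def parallel_simulation(master_file, tolerance=CENT):
    """Compare simulated output with regular output; return the exceptions."""
    exceptions = []
    for a in master_file:
        try:
            expected = simulate_depreciation(a)
        except ValueError as exc:
            exceptions.append((a.asset_id, None, a.reported, str(exc)))
            continue
        if abs(a.reported - expected) > tolerance:
            exceptions.append((a.asset_id, expected, a.reported, "amounts differ"))
    return exceptions


D = Decimal
# Constructed sample master file (not real data).
MASTER_FILE = [
    Asset("FA-001", D("12000"), D("2000"), 5, D("4000"), D("2000.00")),  # agrees
    Asset("FA-002", D("9000"), D("0"), 3, D("6000"), D("3000.00")),      # final year, agrees
    Asset("FA-003", D("5000"), D("500"), 5, D("4500"), D("900.00")),     # already fully depreciated
    Asset("FA-004", D("10000"), D("1000"), 4, D("0"), D("2500.00")),     # salvage value ignored
    Asset("FA-005", D("3000"), D("0"), 0, D("0"), D("0.00")),            # invalid useful life
]

if __name__ == "__main__":
    for asset_id, expected, reported, reason in parallel_simulation(MASTER_FILE):
        print(asset_id, "simulated:", expected, "reported:", reported, "-", reason)
```

A record the audit program cannot process, such as the zero useful life here, is reported as an exception rather than skipped, since it is itself evidence about the master file.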

Technique: Audit software

Description: Computer programs that permit the computer to be used as an auditing tool.

Example: An auditor uses a computer program to extract data records from a master file.

Technique: Generalized audit software (GAS)

Description: GAS is audit software that has been specifically designed to allow auditors to perform audit-related data processing functions.

Example: An auditor uses GAS to search computer files for unusual items.

Technique: PC software

Description: Software that allows the auditor to use a PC to perform audit tasks.

Example: A PC spreadsheet package is used to maintain audit working papers and audit schedules.

[Figure: Deloitte & Touche AuditSystem/2™. Components: Smart Audit Support; Access to Information; File Interrogation; Work Papers; Trial Balance; Multilocation Support; Document Manager. Applications: MS Word; MS Excel; MS Access; Lotus cc:mail; ACL; Folio VIEWS; Other Applications.]

Technique: Embedded audit routines

Description: Special auditing routines included in regular computer programs so that transaction data can be subjected to audit analysis.

Example: Data items that are exceptions to auditor-specified edit tests included in a program are written to a special audit file.

[Figure: Embedded audit routines. Production transactions enter the production computer application system, which contains an embedded audit data collection module; the outputs are production reports and audit reports.]

Technique: Extended records

Description: Modification of programs to collect and store data of audit interest.

Example: A payroll program is modified to collect data pertaining to overtime pay.

Technique: Snapshot

Description: Modifications of programs to output data of audit interest.

Example: A payroll program is modified to output data pertaining to overtime pay.

Technique: Tracing

Description: Tracing provides a detailed audit trail of the instructions executed during the program’s operation.

Example: A payroll program is traced to determine if certain edit tests are performed in the correct order.

Technique: Review of system documentation

Description: Existing system documentation such as program flowcharts are reviewed for audit purposes.

Example: An auditor desk checks the processing logic of a payroll program.

Technique: Control flowcharting

Description: Analytic flowcharts or other graphic techniques are used to describe the controls in a system.

Example: An auditor prepares an analytic flowchart to review controls in the payroll application system.

Technique: Mapping

Description: Special software is used to monitor the execution of a program.

Example: The execution of a program with test data as input is mapped to indicate how extensively the input tested compares with individual program statements.

General Approach to an Information Systems Audit

Most approaches to an information systems audit follow some variation of a three-phase structure.

The first phase consists of an initial review and evaluation of the area to be audited and audit plan preparation.

The second phase is a detailed review and evaluation of controls.

The third phase involves compliance testing and is followed by analysis and reporting of results.

The initial review phase determines the course of action the audit will take.

It includes the following:
– decisions concerning specific areas to be investigated
– the deployment of audit labor
– the audit technology to be used
– the development of time and/or cost budget for the audit

The primary control over the conduct of an information systems audit centers on documentation and review of performance.

What is an audit program? It is a detailed list of the audit procedures to be applied on a particular audit.

Standardized audit programs for particular audit areas have been developed and are common in all types of auditing.

In the second general phase of the audit, effort is focused on fact-finding in the area(s) selected for audit.

Documentation of the application area is reviewed.

Data concerning the operation of the system are reviewed.

In the third phase of the audit, compliance tests are undertaken to provide reasonable assurance that internal controls exist and operate as prescribed.

Information Systems Application Audits

Application controls are divided into three general areas.

What are these areas?
1 Input
2 Processing
3 Output

Application Systems Development Audits

There are three general areas of audit concern in the systems development process.

They are:
1 Systems development standards
2 Project management
3 Program change control

What are systems development standards? Systems development standards are the documentation governing the design, development, and implementation of application systems.

What is project management? It consists of project planning and project supervision.

What is the objective of program change controls?

It is to prevent unauthorized and potentially fraudulent changes from being introduced into previously tested and accepted programs.

Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the application will function.