Chapter 13 Auditing Information Technology

Presentation Outline

I. Concepts in Information Systems Auditing

II. Auditing Technology for Information Systems

I. Concepts in Information Systems Auditing

A. The Phases to the Information Systems Audit

B. Structure of the Financial Statement Audit

C. Auditing Around the Computer

D. Auditing With the Computer

E. Auditing Through the Computer

A. Phases of the Information Systems Audit

1. Initial review and evaluation of the area to be audited, and the audit plan preparation

2. Detailed review and evaluation of controls

3. Compliance testing

4. Analysis and reporting of results

B. Structure of the Financial Statement Audit

[Figure: Transactions → Accounting System → Financial Reports. Interim Audit: Compliance Testing. Financial Statement Audit: Substantive Testing.]

B1. Compliance Testing

Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

B2. Substantive Testing

Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.

Audit Confirmation

To ABC Co. Customer:

Please confirm that the balance of your account on Dec. 31 is _____ .

C. Auditing Around the Computer

The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.

D. Auditing With The Computer

The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually.

E. Auditing Through the Computer

The process of reviewing and evaluating the internal controls in an electronic data processing system.

II. Auditing Technology for Information Systems

A. Review of Systems Documentation

B. Test Data

C. Integrated-Test-Facility (ITF) Approach

D. Parallel Simulation

E. Audit Software

F. Embedded Audit Routines

G. Mapping

H. Extended Records and Snapshots

A. Review of Systems Documentation

The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking, the auditor processes test or real data through the program logic.

B. Test Data

The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

Illustration of Test Data Approach

[Figure: flow diagram with two columns, Computer Operations and Auditors. Auditors prepare test transactions and results. The transaction test data is run through the computer application system, producing computer output; the auditor compares the computer output with the manually processed results.]

C. Integrated Test Facility (ITF) Approach

A common form of an ITF is as follows:

1. A dummy ITF center is created for the auditors.

2. Auditors create transactions for controls they want to test.

3. Working papers are created to show expected results from manually processed information.

4. Auditor transactions are run with actual transactions.

5. Auditors compare ITF results to working papers.
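
The five steps above, as an added Python example (not part of the original presentation). The same comparison of computer output with manually processed results underlies the test data approach in section B; the ITF adds the dummy entity and the mixed run. `ITF-999`, the discount rule, and all transaction data are constructed assumptions.

```python
ITF_ENTITY = "ITF-999"  # hypothetical dummy entity created for the auditors (step 1)

def process(txn):
    """Stand-in for the client's application: one edit check and a volume discount."""
    result = {"id": txn["id"], "entity": txn["entity"], "status": "REJECTED", "cents": 0}
    if txn["qty"] > 0:                      # edit check: quantity must be positive
        gross = txn["qty"] * txn["unit_cents"]
        if txn["qty"] >= 100:               # 10% discount from 100 units upward
            gross = gross * 90 // 100
        result.update(status="POSTED", cents=gross)
    return result

def run_batch(actual, itf):
    """Step 4: ITF transactions go through the same run as actual transactions."""
    results = [process(t) for t in actual + itf]
    live_report = [r for r in results if r["entity"] != ITF_ENTITY]
    itf_report = [r for r in results if r["entity"] == ITF_ENTITY]
    return live_report, itf_report          # ITF data must stay out of live reports

def compare(itf_report, working_papers):
    """Step 5: return every ITF result that differs from the working papers."""
    diffs = []
    for r in itf_report:
        got = (r["status"], r["cents"])
        expected = working_papers.get(r["id"])
        if got != expected:
            diffs.append((r["id"], expected, got))
    return diffs

# Constructed sample data.
ACTUAL = [{"id": "A1", "entity": "CUST-17", "qty": 5, "unit_cents": 1999}]
ITF_TXNS = [  # step 2: one transaction per control being tested
    {"id": "T1", "entity": ITF_ENTITY, "qty": 99, "unit_cents": 1000},   # just below threshold
    {"id": "T2", "entity": ITF_ENTITY, "qty": 100, "unit_cents": 1000},  # at threshold
    {"id": "T3", "entity": ITF_ENTITY, "qty": -5, "unit_cents": 1000},   # invalid input
]
WORKING_PAPERS = {  # step 3: results worked out by hand before the run
    "T1": ("POSTED", 99000), "T2": ("POSTED", 90000), "T3": ("REJECTED", 0),
}

if __name__ == "__main__":
    live, itf = run_batch(ACTUAL, ITF_TXNS)
    print("live report:", live)
    print("differences:", compare(itf, WORKING_PAPERS))
```

An empty difference list means the controls behaved as the working papers predicted; any entry names the transaction, the expected result, and what the application produced.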

Illustration of ITF Approach

[Figure: flow diagram with two columns, Auditors and Computer Operations. Auditors prepare ITF transactions and results. Actual transactions and ITF transactions are processed by the computer application system against the data files, which include ITF data. The system produces reports with only actual data and reports with only ITF data; the auditor compares the ITF reports with the manually processed results.]

D. Parallel Simulation

The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.

Illustration of Parallel Simulation

[Figure: flow diagram with two columns, Computer Operations and Auditors. Actual transactions are processed by the computer application system, producing the actual client report, and by the auditor’s simulation program, producing the auditor simulation report; the auditor compares the two reports.]

E. Audit Software

Computer programs that permit computers to be used as auditing tools include:

1. Generalized audit software

Performs tasks such as selecting sample data from files, checking computations, and searching files for unusual items.

2. P.C. Software

Allows auditors to analyze data from notebook computers in the field.

F. Embedded Audit Routines

1. In-line Code – Application program performs audit data collection while it processes data for normal production purposes.

2. System Control Audit Review File (SCARF) – Edit tests for audit transaction analysis are included in the program. Exceptions are written to a file for audit review.
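
An added Python example of a SCARF-style embedded routine (not from the original presentation). The three edit tests, the approval limit, and the sample payments are hypothetical, and an in-memory buffer stands in for the review file.

```python
import io
import json

APPROVAL_LIMIT = 10_000  # hypothetical threshold chosen by the auditor

def audit_tests(txn, seen_invoices):
    """Auditor-defined edit tests; returns the reasons a transaction is an exception."""
    reasons = []
    if txn["amount"] > APPROVAL_LIMIT:
        reasons.append("amount over approval limit")
    if txn["invoice"] in seen_invoices:
        reasons.append("duplicate invoice number")
    if txn["entered_by"] == txn["approved_by"]:
        reasons.append("entered and approved by same user")
    return reasons

def process_payments(transactions, scarf):
    """Production run with the audit routine embedded in the processing loop."""
    seen, total = set(), 0
    for txn in transactions:
        reasons = audit_tests(txn, seen)
        if reasons:  # exception: append one JSON record to the audit review file
            scarf.write(json.dumps({"txn": txn, "reasons": reasons}) + "\n")
        seen.add(txn["invoice"])
        total += txn["amount"]  # normal processing is not interrupted
    return total

def read_scarf(scarf_text):
    """Auditor side: parse the review file back into exception records."""
    return [json.loads(line) for line in scarf_text.splitlines() if line]

# Constructed sample transactions.
SAMPLE = [
    {"invoice": "INV-1", "amount": 500, "entered_by": "ann", "approved_by": "bob"},
    {"invoice": "INV-2", "amount": 12_500, "entered_by": "ann", "approved_by": "bob"},
    {"invoice": "INV-1", "amount": 500, "entered_by": "cy", "approved_by": "cy"},
]

def run_sample():
    scarf = io.StringIO()  # stands in for the SCARF file on disk
    total = process_payments(SAMPLE, scarf)
    return total, read_scarf(scarf.getvalue())

if __name__ == "__main__":
    print(run_sample())
```

In a real deployment the review file should be writable only by the application and readable only by the auditors, so the people whose transactions are flagged cannot edit the evidence.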

G. Mapping

Special software counts the number of times each program statement in a program executes. Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation.
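
Mapping in miniature, as an added Python example (not from the original presentation): Python's `sys.settrace` hook stands in for the special software and counts executions per statement line. `post_order` and both workloads are hypothetical; line offsets are counted from the function's `def` line.

```python
import dis
import sys
from collections import Counter

def post_order(amount, credit_limit, rush):
    if rush:
        return "posted"            # early exit skips the credit check below
    if amount > credit_limit:
        return "rejected"
    return "posted"

def map_execution(func, calls):
    """Count how many times each line of func runs (offsets from its def line)."""
    code, counts = func.__code__, Counter()
    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # ignore every other function
        if event == "line":
            counts[frame.f_lineno - code.co_firstlineno] += 1
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in calls:
            func(*args)
    finally:
        sys.settrace(previous)     # always restore the earlier trace hook
    return counts

def bypassed_lines(func, calls):
    """Offsets of executable lines that never ran for the given workload."""
    code = func.__code__
    executable = {ln - code.co_firstlineno
                  for _, ln in dis.findlinestarts(code) if ln is not None}
    counts = map_execution(func, calls)
    return sorted(off for off in executable if off > 0 and counts[off] == 0)

# Constructed workloads: (amount, credit_limit, rush)
ALL_RUSH = [(50, 100, True), (500, 100, True)]
MIXED = ALL_RUSH + [(500, 100, False), (50, 100, False)]

if __name__ == "__main__":
    print("bypassed with all-rush workload:", bypassed_lines(post_order, ALL_RUSH))
    print("bypassed with mixed workload:", bypassed_lines(post_order, MIXED))
```

With the all-rush workload the credit-limit check never executes, which is the kind of bypass that reading the code or its documentation alone may not reveal.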

H. Extended Records and Snapshots

Extended Records

Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.

Snapshot

A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

Summary

Compliance and Substantive Testing

Auditing Around the Computer

Auditing with the Computer

Auditing Through the Computer

Testing Approaches Through the Computer