Chapter 12-1

Chapter 12:Information Technology

Auditing

Introduction

The Audit Function

The Information Technology Auditor’s Toolkit

Auditing Computerized Accounting Information Systems

Information Technology Auditing Today

Chapter 12-2

Introduction

Audits of AISs Ensure controls are functioning properly Confirm additional controls not necessary

Nature of Auditing Internal and external auditing IT Audit and financial audit Tools of an IT auditor

Chapter 12-3

The Audit Function

Internal versus External Auditing

Information Technology Auditing

Evaluating the Effectiveness of Information Systems Controls

Chapter 12-4

Internal Auditing

Responsibility of Performance Company’s own employees External of the department being audited

Evaluation of: Employee compliance with policies and procedures Effectiveness of operations Compliance with external laws and regulations Reliability of financial reports Internal controls

Chapter 12-5

External Auditing

Responsibility of Performance Those outside the organization Accountants working for independent CPA

Audit Purpose Performance of the attest function Evaluate the accuracy and fairness of the financial

statements relative to GAAP

Chapter 12-6

Information Technology Auditing

Function Evaluate computer’s role in achieving audit and

control objectives

Assurance Provided Data and information are reliable, confidential,

secure, and available Safeguarding assets, data integrity, and

operational effectiveness

Chapter 12-7

The Componentsof an IT Audit

Chapter 12-8

The IT Audit Process

Computer-Assisted Audit Techniques (CAAT) Use of computer processes to perform audit

functions Performing substantive tests

Approaches Auditing through the computer Auditing with the computer

Chapter 12-9

The IT Audit Process

Chapter 12-10

Careers in IT Auditing

Background Accounting skills Information systems or computer science skills

Certified Information System Auditor (CISA) Successfully complete examination Experience requirements Comply with Code of Professional Ethics Continuing professional education Comply with standards

Chapter 12-11

CISA Exam Components

Chapter 12-12

Careers in IT Auditing

Certified Information Security Manager (CISM) Business orientation Understand risk management and security

CISM Knowledge Information security governance Information security program management Risk management Information security management Response management

Chapter 12-13

Evaluating the Effectiveness of

Information Systems Controls

Impact on Substantive Testing Strong controls, less substantive testing Weak controls, more substantive testing

Risk Assessment Evaluate the risks associated with control

weaknesses Make recommendations to improve controls

Chapter 12-14

Risk Assessment

Risk-Based Audit Approach Determine the threats Identify the control procedures needed Evaluate the current control procedures Evaluate the weaknesses within the AIS

Benefits Understanding of errors and irregularities Sound basis for recommendations

Chapter 12-15

Information Systems Risk Assessment

Method of evaluating desirability of IT controls

Types of Risks Errors and accidents Loss of company secrets Unauthorized manipulation of company files Interrupted computer access

Penetration Testing

Chapter 12-16

An IT auditor:

A.Must be an external auditor

B.Must be an internal auditor

C.Can be either an internal or external auditor

D.Must be a Certified Public Accountant

Study Break #1

Chapter 12-17

An IT auditor:

A.Must be an external auditor

B.Must be an internal auditor

C.Can be either an internal or external auditor

D.Must be a Certified Public Accountant

Study Break #1 - Answer

Chapter 12-18

In determining the scope of an IT audit, the auditor should pay most attention to:

A.Threats and risks

B.The cost of the audit

C.What the IT manager asks to be evaluated

D.Listings of standard control procedures

Study Break #2

Chapter 12-19

In determining the scope of an IT audit, the auditor should pay most attention to:

A.Threats and risks

B.The cost of the audit

C.What the IT manager asks to be evaluated

D.Listings of standard control procedures

Study Break #2 - Answer

Chapter 12-20

The IT Auditor’s Toolkit

Utilization of CAATs Auditing with the computer Manual access to data stored on computers is

impossible

Tools Auditing Software People Skills

Chapter 12-21

General-Use Software

Productivity tools that improve the auditor’s work

Types Word processing programs Spreadsheet software Database management systems (DBMS) Structured Query Language (SQL)

Chapter 12-22

Generalized Audit Software

Overview Allow for reviewing of files without rewriting

processing programs Basic data manipulation Tailored to auditor tasks

Common Programs Audit Command Language (ACL) Interactive Data Extraction and Analysis (IDEA)

Chapter 12-23

Generalized Audit Software - Inventory

Chapter 12-24

Automated Workpapers

Overview Automate and standardize audit tests Can prepare financial statements and other financial

measures

Features Generate trial balances Make adjusting entries Perform consolidations Conduct analytical procedures Document audit procedures and conclusions

Chapter 12-25

People Skills

Examples Working as a team Interact with clients and other auditors Interviewing clients

Importance of Interviews Gain understanding of organization Evaluate internal controls

Chapter 12-26

Auditing Computerized AISs

Auditing Around the Computer Assumes accurate output verifies proper

processing Not effective in a computerized environment

Auditing Through the Computer Follows audit trail through the computer Verifies proper functioning of processing controls

in AIS programs

Chapter 12-27

Auditing Computerized AISs

Testing Computer Programs

Validating Computer Programs

Review of Systems Software

Validating Users and Access Privileges

Continuous Auditing

Chapter 12-28

Testing Computer Programs

Test Data Create set of transactions Covering range of exception situations Compare results and investigate further

Integrated Test Facility Establish a fictitious entity Enter transactions for that entity Observe how they are processed

Chapter 12-29

Testing Computer Programs

Parallel Simulation Utilized live input data Simulates all or some of the operations Compare results Very time-consuming and cost-prohibitive

Chapter 12-30

Edit Tests and Test Data

Chapter 12-31

Validating Computer Programs

Tests of Program Change Controls Protect against unauthorized program changes Documentation of requests for program changes Utilize special forms for authorization

Program Comparison Test of Length Comparison Program

Chapter 12-32

Reviewing a Responsibility System

Chapter 12-33

Review of Systems Software

Systems Software Controls Operating system software Utility programs Program library software Access control software

Inspect Outputs Logs Incident reports

Chapter 12-34

Password Parameters

Chapter 12-35

Validating Users and Access Privileges

Purpose Ensure all system users are valid Appropriate access privileges

Utilize Software Tools Examine login times Exception conditions Irregularities

Chapter 12-36

Continuous Auditing

Embedded Audit Modules (Audit Hooks) Capture data for audit purposes

Exception Reporting Transactions falling outside given parameters are

rejected

Transaction Tagging Certain transactions tagged and progress recorded

Chapter 12-37

Continuous Auditing

Snapshot Technique Examines how transactions are processed

Continuous and Intermittent Simulation (CIS) Embeds audit module in a database management

system (DBMS) Similar to parallel simulation

Chapter 12-38

Continuous Auditing – Spreadsheet Errors

Chapter 12-39

Which of the following is NOT an audit technique for auditing computerized AIS?

A.Parallel simulation

B.Use of specialized control software

C.Continuous auditing

D.All of the above are techniques used to audit computerized AIS

Study Break #3

Chapter 12-40

Which of the following is NOT an audit technique for auditing computerized AIS?

A.Parallel simulation

B.Use of specialized control software

C.Continuous auditing

D.All of the above are techniques used to audit computerized AIS

Study Break #3 - Answer

Chapter 12-41

Continuous auditing:

A.Has been talked about for years but will never catch on

B.Will likely become popular if organizations adopt XBRL in their financial reporting

C.Does not include techniques such as embedded audit modules

D.Will never allow IT auditors to provide some types of assurance on a real-time basis

Study Break #4

Chapter 12-42

Continuous auditing:

A.Has been talked about for years but will never catch on

B.Will likely become popular if organizations adopt XBRL in their financial reporting

C.Does not include techniques such as embedded audit modules

D.Will never allow IT auditors to provide some types of assurance on a real-time basis

Study Break #4 - Answer

Chapter 12-43

IT Auditing Today

Auditing for Fraud: Statement on Auditing Standards No. 99

The Sarbanes-Oxley Act of 2002

Auditing Standard No. 5 (AS5)

Third Party and Information Systems Reliability Assurances

Chapter 12-44

IT Governance

Overview Process of using IT resources effectively Efficient, responsible, strategic use of IT

Objectives Using IT strategically to fulfill mission of

organization Ensure effective management of IT

Chapter 12-45

Auditing for Fraud: Statement on Auditing

Standard No. 99

Overview Supersedes SAS No. 82 Provides more guidance to prevent and deter fraud

Fraud Triangle Motive for committing fraud Opportunity that allows fraud to occur Rationalization by individual

Chapter 12-46

Fraud Triangle

Chapter 12-47

The Sarbanes-Oxley Act of 2002

Overview Limits services that auditors can provide clients while

they are conducting audits

Groups of Compliance Requirements Audit committee/corporate governance requirements Certification, disclosure, and internal control Financial statement reporting rules Executive reporting and conduct

Chapter 12-48

The Sarbanes-Oxley Act of 2002

Section 302 CEOs and CFOs are required to certify the

financial statements Internal controls and disclosures are adequate

Section 404 CEOs and CFOs assess and attest to the

effectiveness of internal controls

Chapter 12-49

Key Provisions of SOX

Chapter 12-50

Key Provisions of SOX

Chapter 12-51

Auditing Standard No. 5 (AS5)

Purpose PCAOB guidance Focus on most critical controls

Rebalancing of Auditor’s Work Internal auditors help to advise board of directors External auditors reduce redundant testing

Chapter 12-52

Third Party and Information Systems Reliability

Assurances

Growth of Electronic Commerce Area of growing risk Security and privacy concerns Difficult to audit

AICPA Trust Services CPA WebTrust SysTrust

Chapter 12-53

Third Party and Information Systems Reliability

Assurances

Principles of Trust Services Security Availability Processing integrity Online privacy Confidentiality

Chapter 12-54

Copyright

Copyright 2012 John Wiley & Sons, Inc. All rights reserved.

Reproduction or translation of this work beyond that permitted in

Section 117 of the 1976 United States Copyright Act without the

express written permission of the copyright owner is unlawful.

Request for further information should be addressed to the

Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Chapter 12-55

Chapter 12