Chapter 13Auditing Information Technology

Presentation Outline

I. Concepts in Information Systems Auditing

II. Auditing Technology for Information Systems

I. Concepts in Information Systems Auditing

A. The Phases to the Information Systems Audit

B. Structure of the Financial Statement Audit C. Auditing Around the Computer

D. Auditing With the Computer E. Auditing Through the Computer

A. Phases of the Information Systems Audit

1. Initial review and evaluation of the area to be audited, and the audit plan preparation

2. Detailed review and evaluation of controls

3. Compliance testing4. Analysis and reporting of

results

B. Structure of the Financial Statement Audit

Transactions AccountingSystem

FinancialReports

Interim Audit

Compliance Testing

Financial Statement Audit

Substantive Testing

B1. Compliance Testing

Auditors perform tests of controls to determine that the control policies, practices, and

procedures established by management are functioning as planned. This is known as

compliance testing.

B2. Substantive Testing

Substantive testing is the direct verification of financial statement figures. Examples would

include reconciling a bank account and confirming accounts receivable.

Audit Confirmation

To ABC Co. Customer:

Please confirm that the balance of your account

on Dec. 31 is _____ .

C. Auditing Around the Computer

The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of

computer processing.

Processing

D. Auditing With The Computer

The utilization of the computer by an auditor to perform some audit work that would otherwise

have to be done manually.

E. Auditing Through the Computer

The process of reviewing and evaluating the internal controls in an electronic data

processing system.

Audit

II. Auditing Technology for Information Systems

A. Review of Systems Documentation B. Test Data

C. Integrated-Test-Facility (ITF) Approach D. Parallel Simulation

E. Audit Software F. Embedded Audit Routines

G. MappingH. Extended Records and Snapshots

A. Review of Systems Documentation

The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes

test or real data through the program logic.

B. Test Data

The auditor prepares input containing both valid and invalid data. Prior to processing the test

data, the input is manually processed to determine what the output should look like.

The auditor then compares the computer-processed output with the manually processed

results.

Illustration of Test Data Approach

Computer Operations

Prepare TestTransactionsAnd Results

Auditors

ComputerApplication

System

ComputerOutput

Auditor Compares

TransactionTest Data

Manually Processed

Results

C. Integrated Test Facility (ITF) Approach

A common form of an ITF is as follows:1. A dummy ITF center is created for the auditors.2. Auditors create transactions for controls they

want to test.3. Working papers are created to show expected

results from manually processed information.4. Auditor transactions are run with actual

transactions.5. Auditors compare ITF results to working papers.

Illustration of ITF Approach

ComputerApplication

System

ReportsWith Only Actual Data

AuditorsComputer Operations

Prepare ITFTransactionsAnd Results

ActualTransactions

ITFTransactions

Data FilesITF Data

ReportsWith Only ITF Data

Manually Processed

ResultsAuditor

Compares

D. Parallel SimulationThe test data and ITF methods both process test

data through real programs. With parallel simulation, the auditor processes real client data

on an audit program similar to some aspect of the client’s program. The auditor compares the

results of this processing with the results of the processing done by the client’s program.

Illustration of Parallel SimulationComputer Operations Auditors

ActualTransactions

ComputerApplication

System

Auditor’sSimulationProgram

Actual ClientReport

Auditor Simulation

Report

Auditor Compares

E. Audit SoftwareComputer programs that permit computers to be

used as auditing tools include:1. Generalized audit software

Perform tasks such as selecting sample data from file, checking computations, and searching files for unusual items.

2. P.C. Software Allows auditors to analyze data from

notebook computers in the field.

F. Embedded Audit Routines1. In-line Code – Application program performs audit data collection while it processes data

for normal production purposes.2. System Control Audit Review File (SCARF)– Edit tests for audit transaction analysis are included in program. Exceptions are written to a file for audit review.

The Auditor

G. Mapping

Special software counts the number of times each program statement in a program executes.

Helps identify code that is bypassed when the bypass is not readily apparent in the program code

and/or documentation.

H. Extended Records and Snapshots

Extended RecordsSpecific transactions are

tagged, and the intervening

processing steps that normally would not

be saved are added to the extended record, permitting the audit

trail to be reconstructed for

these transactions.

SnapshotA snapshot is similar to an extended record

except that the snapshot is a printed audit trail.

Summary

Compliance and Substantive TestingAuditing Around the ComputerAuditing with the Computer

Auditing Through the ComputerTesting Approaches Through the Computer