2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 1
Auditing Information Technology
Chapter 16
What is auditing through the computer? It is the process of reviewing and evaluating the
internal controls in an electronic data processing system.
What is auditing with the computer? It is the utilization of the computer by an auditor to
perform some audit work that otherwise would have to be done manually.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 2
Structure of Financial Statement Audit
The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports.
The external auditor serves the firm’s stockholders, the government, and the general public.
The internal auditor serves a firm’s management.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 3
Structure of Financial Statement Audit
Various types of professional certifications are applicable to auditing.
What are these? CPA (certified public accountant) CISA (certified information systems auditor) CIA (certified internal auditor) Audits are almost universally divided into two
components.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 4
Structure of Financial Statement Audit
AccountingSystem
AccountingSystem
TransactionsTransactionsFinancialReportsFinancialReports
Compliance TestingInterim Audit
Substantive TestingFinancial Statement Audit
• Cash BankReceivables Customers• (Confirm balances)
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 5
Auditing Around the Computer
An accounting system is comprised of input, processing, and output.
In the around-the-computer approach, the processing portion is ignored.
Auditing through the computer may be defined as the verification of controls in a computerized system.
Auditing with the computer is the process of using information technology in auditing.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 6
Control Framework in IT Environment
ComputerApplicationSystems and
Programs
ComputerApplicationSystems and
Programs
ApplicationsControls
ApplicationsControls
InternalControlsInternalControls
GeneralControlsGeneralControls
ApplicationSystems
Development
ApplicationSystems
Development
ComputerServiceCenter
ComputerServiceCenter
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 7
Auditing with the Computer
What are some of the potential benefits of using information systems technology in an audit?
1 Computer-generated working papers are generally more legible and consistent.
2 Time may be saved by eliminating manual footing, cross footing, and other routine calculations.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 8
Auditing with the Computer
3 Calculations, comparisons, and other data manipulations are more accurately performed.
4 Analytical review calculations may be more efficiently performed.
5 Project information may be more easily generated and analyzed.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 9
Auditing with the Computer
6 Standardized audit correspondence may be stored and easily modified.
7 Morale and productivity may be improved by reducing the time spent on clerical tasks.
8 Increased cost-effectiveness is obtained by reusing and extending existing electronic audit applications to subsequent audits.
9 Increased independence from information systems personnel is obtained.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 10
Information Systems Auditing Technology
Technique: Test data Description: Test data are input containing
both valid and invalid data. Example: Payroll transactions for fictitious
employees are processed concurrently with valid
payroll transactions.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 11
Information Systems Auditing Technology
Test DataHypotheticalTransactions
Test DataHypotheticalTransactions
Computer ProcessingUsing Master Program
Computer ProcessingUsing Master Program
Error ListingError ListingAuditor’sExpectedOutput
Auditor’sExpectedOutput
Compare
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 12
Information Systems Auditing Technology
Technique: Integrated test facility (ITF) Description: ITF involves both the use of test
data and the creation of fictitious records (vendors, employees) onthe master files of a computer system.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 13
Information Systems Auditing Technology
TransactionsTransactionsITF
TransactionsITF
Transactions
ComputerApplication
System
ComputerApplication
System
ReportsWithoutITF Data
ReportsWithoutITF Data
ReportsContaining
ITF Information
ReportsContaining
ITF Information
Data Files
ITF Data
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 14
Information Systems Auditing Technology
Technique: Parallel simulation Description: Processing real data through
audit programs. The simulated output and the regular output are then compared.
Example: Depreciation calculations are verified by processing the fixed-
asset master file with an audit program.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 15
Information Systems Auditing Technology
TransactionsTransactions
ParallelSimulationProgram
ParallelSimulationProgram
ReportReportSimulation
ReportSimulation
Report
ComputerApplication
System
Function toBe Verified
Compare
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 16
Information Systems Auditing Technology
Technique: Audit software Description: Computer programs that permit
the computer to be used as an auditing tool.
Example: An auditor uses a computer program to extract data records
from a master file.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 17
Information Systems Auditing Technology
Technique: Generalized audit software (GAS) Description: GAS is audit software that has
been specifically designed to allow auditors to perform audit-related data processing functions.
Example: An auditor uses GAS to search computer files for unusual items.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 18
Information Systems Auditing Technology
Technique: PC software Description: Software that allows the auditor
to use a PC to perform audit tasks. Example: A PC spreadsheet package is used
to maintain audit working papers and audit schedules.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 19
Information Systems Auditing Technology
Deloitte & Touche AuditSystem/2™
Smart AuditSupport
Smart AuditSupport Access to
InformationAccess to
Information
FileInterrogation
FileInterrogation
WorkPapersWorkPapers
TrialBalance
TrialBalance Multilocation
SupportMultilocation
Support
DocumentManagerDocumentManager
MSWord
MSExcel
MSAccess
Lotuscc:mail ACL
FolioVIEWS
OtherApplications
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 20
Information Systems Auditing Technology
Technique: Embedded audit routines Description: Special auditing routines included
in regular computer programs so that transaction data can be subjected to audit analysis.
Example: Data items that are exceptions to auditor-specified edit tests included in a program are written to a special audit file.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 21
Information Systems Auditing Technology
ProductionTransactions
ProductionTransactions
ProductionReports
ProductionReports
AuditReports
AuditReports
ProductionComputerApplicationSystem
EmbeddedAudit DataCollectionModule
ProductionComputerApplicationSystem
EmbeddedAudit DataCollectionModule
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 22
Information Systems Auditing Technology
Technique: Extended records Description: Modification of programs to
collect and store data of audit interest.
Example: A payroll program is modified to collect data pertaining to
overtime pay.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 23
Information Systems Auditing Technology
Technique: Snapshot Description: Modifications of programs to
output data of audit interest.
Example: A payroll program is modified to output data pertaining to
overtime pay.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 24
Information Systems Auditing Technology
Technique: Tracing Description: Tracing provides a detailed audit
trail of the instructions executed during the program’s operation.
Example: A payroll program is traced to determine if certain edit tests are performed in the correct order.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 25
Information Systems Auditing Technology
Technique: Review of system documentation Description: Existing system documentation
such as program flowcharts are reviewed for audit purposes.
Example: An auditor desk checks the processing logic of a payroll program.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 26
Information Systems Auditing Technology
Technique: Control flowcharting Description: Analytic flowcharts or other
graphic techniques are used to describe the controls in a system.
Example: An auditor prepares an analytic flowchart to review controls in the payroll application system.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 27
Information Systems Auditing Technology
Technique: Mapping Description: Special software is used to
monitor the execution of a program. Example: The execution of a program with
test data as input is mapped toindicate how extensively
the input tested compares with individual program statements.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 28
General Approach to an Information Systems Audit
Most approaches to an information systems audit follow some variation of a three-phase structure.
The first phase consists of an initial review and evaluation of the area to be audited and audit plan preparation.
The second phase is a detailed review and evaluation of controls.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 29
General Approach to an Information Systems Audit
The third phase involves compliance testing and is followed by analysis and reporting of results.
The initial review phase determines the course of action the audit will take.
It includes the following:– decisions concerning specific areas to be
investigated
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 30
General Approach to an Information Systems Audit
– the deployment of audit labor– the audit technology to be used– the development of time and/or cost budget
for the audit The primary control over the conduct of an
information systems audit centers on documentation and review of performance.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 31
General Approach to an Information Systems Audit
What is an audit program? It is a detailed list of the audit procedures
to be applied on a particular audit. Standardized audit programs for particular
audit areas have been developed and are common in all types of auditing.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 32
General Approach to an Information Systems Audit
In the second general phase of the audit, effort is focused on fact-finding in the area(s) selected for audit.
Documentation of the application area is reviewed.
Data concerning the operation of the system are reviewed.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 33
General Approach to an Information Systems Audit
In the third phase of the audit, compliance tests are undertaken to provide reasonable assurance that internal controls exist and operate as prescribed.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 34
Information Systems Application Audits
Application controls are divided into three general areas.
What are these areas?1 Input2 Processing3 Output
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 35
Application Systems Development Audits
There are three general areas of audit concern in the systems development process.
They are:1 Systems development standards2 Project management3 Program change control What are systems development standards?
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 36
Application Systems Development Audits
Systems development standards are the documentation governing the design, development, and implementation of application systems.
What is project management? It consists of project planning and project
supervision.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 37
Application Systems Development Audits
What is the objective of program change controls?
It is to prevent unauthorized and potentially fraudulent changes from being introduced into previously tested and accepted programs.
Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the application will function.