 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 1 Chapter 13 Auditing Information Technology

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 2 Learning Objective 1 Distinguish between “auditing through the computer” and “auditing with the computer.”

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 3 Information Systems Auditing Concepts

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 4 Structure of a Financial Statement Audit The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports. The internal auditor serves a firm’s management. The external auditor serves outsiders.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 5 Structure of a Financial Statement Audit Transactions Compliance testing Interim audit AccountingsystemFinancialreports Substantive testing Financial statement audit CashBank ReceivablesCustomers Confirm balances Confirm balances

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 6 Auditing Around the Computer Accounting system InputOutput In the around-the-computer approach, the processing portion is ignored. Processing

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 7 Auditing Around the Computer Totals are accumulated for accepted and rejected records. The around-the-computer approach is no longer widely used. Auditors emphasize control over rejected transactions, their correction, and then resubmission.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 8 Auditing Through the Computer Auditing through the computer may be defined as the verification of controls in a computerized system.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 9 Control Framework in IT Environment Internalcontrols Applicationscontrols Generalcontrols Computerapplication systems and programs Applicationsystemsdevelopment Computerservicecenter

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 10 Auditing With the Computer Auditing with the computer is the process of using information technology in auditing. The use of information technology is no longer optional.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 11 Auditing With the Computer What are some of the potential benefits of using information systems technology in an audit? 2. Time may be saved by eliminating manual footing, cross footing, and other routine calculations. 1. Computer-generated working papers are generally more legible and consistent.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 12 Auditing With the Computer 3. Calculations, comparisons, and other data manipulations are more accurately performed. 5. Project information may be more easily generated and analyzed. 4. Analytical review calculations may be more efficiently performed.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 13 Auditing With the Computer 6. Standardized audit correspondence may be stored and easily modified. 7. Morale and productivity may be improved by reducing the time spent on clerical tasks.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 14 Auditing With the Computer 8. Increased cost-effectiveness is obtained by reusing and extending existing electronic audit applications to subsequent audits. 9. Increased independence from information systems personnel is obtained.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 15 Learning Objective 2 Describe and evaluate alternative information systems audit technologies.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 16 Information Systems Auditing Technology Information system audit technology has evolved along with computer system development. Rather, there is a variety of tools and techniques that may be used to accomplish an audit’s objective. There is no one overall auditing technology.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 17 Test Data Technique Test data are input containing both valid and invalid data. Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 18 Test Data Approach Test data hypotheticaltransactions Computer processing using master program Error listing Auditor’sexpectedoutput Compare

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 19 Integrated-Test-Facility Technique ITF involves both the use of test data and the creation of fictitious records (vendors, employees) on the master files of a computer system. Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 20 Integrated-Test-Facility Approach TransactionsITFtransactions Computerapplicationsystem Reportscontaining ITF information Reportswithout ITF data Data files ITF data

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 21 Parallel Simulation Technique Processing real data through audit programs. The simulated output and the regular output are then compared. Depreciation calculations are verified by processing the fixed-asset master file with an audit program.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 22 Parallel Simulation TransactionsCompare Parallelsimulationprogram Report Simulationreport Computerapplicationsystem Function to be verified

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 23 Audit Software Technique Computer programs that permit the computer to be used as an auditing tool. An auditor uses a computer program to extract data records from a master file.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 24 Generalized Audit Software (GAS) Technique GAS is audit software that has been specifically designed to allow auditors to perform audit-related data processing functions. An auditor uses GAS to search computer files for unusual items.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 25 PC Software Technique Software that allows the auditor to use a PC to perform audit tasks. A PC spreadsheet package is used to maintain audit working papers and audit schedules.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 26 Embedded Audit Routines Technique Special auditing routines included in regular computer programs so that transaction data can be subjected to audit analysis. Data items that are exceptions to auditor- specified edit tests included in a program are written to a special audit file.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 27 Embedded Audit Data Collection Productiontransactions ProductioncomputerapplicationsystemEmbedded audit data collectionmodule Productionreports Auditreports

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 28 Extended Records Technique Modification of programs to collect and store data of audit interest. A payroll program is modified to collect data pertaining to overtime pay.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 29 Snapshot Technique Modifications of programs to output data of audit interest. A payroll program is modified to output data pertaining to overtime pay.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 30 Tracing Technique Tracing provides a detailed audit trail of the instructions executed during the program’s operation. A payroll program is traced to determine if certain edit tests are performed in the correct order.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 31 Review of System Documentation Technique Existing system documentation as program flowcharts are reviewed for audit purposes. An auditor desk checks the processing logic of a payroll program.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 32 Control Flowcharting Technique Analytic flowcharts or other graphic techniques are used to describe the controls in a system. An auditor prepares an analytic flowchart to review controls in the payroll application system.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 33 Mapping Technique Special software is used to monitor the execution of a program. The execution of a program with test data as input is mapped to indicate how extensively the input tested compares with individual program statements.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 34 Learning Objective 3 Characterize various types of information systems audits.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 35 General Approach to an Information Systems Audit Initial review and evaluation of the area to be audited and audit plan preparation. Detailed review and evaluation of controls. Compliance testing which is followed by analysis and reporting of results.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 36 General Approach to an Information Systems Audit The initial review phase determines the course of action the audit will take. Decisions concerning specific areas to be investigated Deployment of audit labor Audit technology to be used Development of a time and/or cost budget for the audit

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 37 General Approach to an Information Systems Audit What is an audit program? Standardized audit programs for particular audit areas have been developed and are common in all types of auditing. It is a detailed list of the audit procedures to be applied on a particular audit.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 38 General Approach to an Information Systems Audit In the second general phase of the audit, is detailed review and evaluation. Data concerning the operation of the system are reviewed. Documentation of the application area is reviewed.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 39 General Approach to an Information Systems Audit The third phase of the audit is testing. This phase produces evidence of compliance with procedures.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 40 Information Systems Application Audits Application controls are divided into three general areas. InputOutput Processing

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 41 Application Systems Development Audits Systems development audits are directed at the activities of systems analysts and programmers. Controls governing the systems development process directly affect the reliability of the application programs that are developed.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 42 Application Systems Development Audits There are three general areas of audit concern in the systems development process. Systems development standards Project management Program change control

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 43 Systems Development Standards Systems development standards are the documentation governing the design, development, and implementation of application systems.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 44 Project Management It consists of project planning and project supervision. What is project management?

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 45 Program Change Controls It is to prevent unauthorized and potentially fraudulent changes from being introduced into previously tested and accepted programs. What is the objective of program change controls?

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 46 Computer Service Center Audits Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the application will function. What are some examples? Audits might be undertaken in several areas.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 47 Computer Service Center Audits Environmental controls Data release, reports, and computer programs Physical security of the center Management controls

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 48 Computer Service Center Audits Audits of computer service center operations require a high degree of technical training and familiarity with systems operations.

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 49 End of Chapter 13