1. Auditing Information Technology
Chapter 2
Auditing Information Technology
What is auditing through the computer?
It is the process of reviewing and evaluating the internal controls in an electronic data processing system.
What is auditing with the computer?
It is the utilization of the computer by an auditor to perform some audit work that otherwise would have to be done manually.

2. Structure of Financial Statement Audit
The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports.
The external auditor serves the firm’s stockholders, the government, and the general public.
The internal auditor serves a firm’s management.

3. Structure of Financial Statement Audit
Various types of professional certifications are applicable to auditing.
What are these?
CPA (certified public accountant)
CISA (certified information systems auditor)
CIA (certified internal auditor)
Audits are almost universally divided into two components.

4. Structure of Financial Statement Audit
Transactions
Accounting
System
Financial
Reports
Cash Bank
Receivables Customers
(Confirm balances)
Compliance Testing
Interim Audit
Substantive Testing
Financial Statement Audit

5. Auditing Around the Computer
An accounting system is comprised of input, processing, and output.
In the around-the-computer approach, the processing portion is ignored.
Auditing through the computer may be defined as the verification of controls in a computerized system.
Auditing with the computer is the process of using information technology in auditing.

6. Control Framework in IT Environment
Applications
Controls
Computer
Application
Systems and
Programs
Internal
Controls
Application
Systems
Development
General
Controls
Computer
Service
Center

7. Auditing with the Computer
What are some of the potential benefits of using information systems technology in an audit?
Computer-generated working papers are generally more legible and consistent.
Time may be saved by eliminating manual footing, cross footing, and other routine calculations.

8. Auditing with the Computer
Calculations, comparisons, and other data manipulations are more accurately performed.
Analytical review calculations may be more efficiently performed.
Project information may be more easily generated and analyzed.

9. Auditing with the Computer
Standardized audit correspondence may be stored and easily modified.
Morale and productivity may be improved by reducing the time spent on clerical tasks.
Increased cost-effectiveness is obtained by reusing and extending existing electronic audit applications to subsequent audits.
Increased independence from information systems personnel is obtained.

10. Information Systems Auditing Technology
Technique: Test data
Description: Test data are input containing both valid and invalid data.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

11. Information Systems Auditing Technology
Test Data
Hypothetical
Transactions
Computer Processing
Using Master Program
Error Listing
Auditor’s
Expected
Output
Compare

12. Information Systems Auditing Technology
Technique: Integrated test facility (ITF)
Description: ITF involves both the use of test data and the creation of fictitious records (vendors, employees) on the master files of a computer system.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.

13. Information Systems Auditing Technology
Transactions
ITF
Transactions
Computer
Application
System
Data Files
ITF Data
Reports
Without
ITF Data
Reports
Containing
ITF Information

14. Information Systems Auditing Technology
Technique: Parallel simulation
Description: Processing real data through audit programs. The simulated output and the regular output are then compared.
Example: Depreciation calculations are verified by processing the fixed- asset master file with an audit program.

15. Information Systems Auditing Technology
Computer
Application
System
Function to
Be Verified
Transactions
Parallel
Simulation
Program
Report
Compare
Simulation
Report

16. Information Systems Auditing Technology
Technique: Audit software
Description: Computer programs that permit the computer to be used as an auditing tool.
Example: An auditor uses a computer program to extract data records from a master file.

17. Information Systems Auditing Technology
Technique: Generalized audit software (GAS)
Description: GAS is audit software that has been specifically designed to allow auditors to perform audit-related data processing functions.
Example: An auditor uses GAS to search computer files for unusual items.

18. Information Systems Auditing Technology
Technique: PC software
Description: Software that allows the auditor to use a PC to perform audit tasks.
Example: A PC spreadsheet package is used to maintain audit working papers and audit schedules.

19. Information Systems Auditing Technology
Deloitte & Touche AuditSystem/2™
Smart Audit
Support
Work
Papers
Access to
Information
Document
Manager
Trial
Balance
File
Interrogation
Multilocation
Support MS
Word MS
Excel MS
Access
Lotus
cc:mail
ACL
Folio
VIEWS
Other
Applications

20. Information Systems Auditing Technology
Technique: Embedded audit routines
Description: Special auditing routines included in regular computer programs so that transaction data can be subjected to audit analysis.
Example: Data items that are exceptions to auditor-specified edit tests included in a program are written to a special audit file.

21. Information Systems Auditing Technology
Production
Transactions
Production
Computer
Application
System
Embedded
Audit Data
Collection
Module
Production
Reports
Audit
Reports

22. Information Systems Auditing Technology
Technique: Extended records
Description: Modification of programs to collect and store data of audit interest.
Example: A payroll program is modified to collect data pertaining to overtime pay.

23. Information Systems Auditing Technology
Technique: Snapshot
Description: Modifications of programs to output data of audit interest.
Example: A payroll program is modified to output data pertaining to overtime pay.

24. Information Systems Auditing Technology
Technique: Tracing
Description: Tracing provides a detailed audit trail of the instructions executed during the program’s operation.
Example: A payroll program is traced to determine if certain edit tests are performed in the correct order.

25. Information Systems Auditing Technology
Technique: Review of system documentation
Description: Existing system documentation such as program flowcharts are reviewed for audit purposes.
Example: An auditor desk checks the processing logic of a payroll program.

26. Information Systems Auditing Technology
Technique: Control flowcharting
Description: Analytic flowcharts or other graphic techniques are used to describe the controls in a system.
Example: An auditor prepares an analytic flowchart to review controls in the payroll application system.

27. Information Systems Auditing Technology
Technique: Mapping
Description: Special software is used to monitor the execution of a program.
Example: The execution of a program with test data as input is mapped to indicate how extensively the input tested compares with individual program statements.

28. General Approach to an Information Systems Audit
Most approaches to an information systems audit follow some variation of a three-phase structure.
The first phase consists of an initial review and evaluation of the area to be audited and audit plan preparation.
The second phase is a detailed review and evaluation of controls.

29. General Approach to an Information Systems Audit
The third phase involves compliance testing and is followed by analysis and reporting of results.
The initial review phase determines the course of action the audit will take.
It includes the following:
decisions concerning specific areas to be investigated

30. General Approach to an Information Systems Audit
the deployment of audit labor
the audit technology to be used
the development of time and/or cost budget for the audit
The primary control over the conduct of an information systems audit centers on documentation and review of performance.

31. General Approach to an Information Systems Audit
What is an audit program?
It is a detailed list of the audit procedures to be applied on a particular audit.
Standardized audit programs for particular audit areas have been developed and are common in all types of auditing.

32. General Approach to an Information Systems Audit
In the second general phase of the audit, effort is focused on fact-finding in the area(s) selected for audit.
Documentation of the application area is reviewed.
Data concerning the operation of the system are reviewed.

33. General Approach to an Information Systems Audit
In the third phase of the audit, compliance tests are undertaken to provide reasonable assurance that internal controls exist and operate as prescribed.

34. Information Systems Application Audits
Application controls are divided into three general areas.
What are these areas?
Input
Processing
Output

35. Application Systems Development Audits
There are three general areas of audit concern in the systems development process.
They are:
Systems development standards
Project management
Program change control
What are systems development standards?

36. Application Systems Development Audits
Systems development standards are the documentation governing the design, development, and implementation of application systems.
What is project management?
It consists of project planning and project supervision.

37. Application Systems Development Audits
What is the objective of program change controls?
It is to prevent unauthorized and potentially fraudulent changes from being introduced into previously tested and accepted programs.
Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the application will function.