ACG 6936 - PowerPoint PPT Presentation

Slides: 28
Provided by: PEM43

Transcript and Presenter's Notes

Title: ACG 6936


1
ACG 6936

IT Auditing Using GAS CAATs
2
The Audit Function
  • The audit is to examine and to assure.
  • The nature of auditing differs according to the
    subject under examination.
  • Audits can be internal,
    external, and audits of
    information systems.

3
Internal versus External Auditing
  • In an internal audit, a company's own accounting
    employees perform the audit.
  • Accountants working for an
    independent CPA firm normally
    perform the external audit.
  • The chief function of the external audit is the
    attest function.
  • The fairness evaluation of the
    financial statements in an external audit
    is conducted according to GAAP.

4
Information Systems Auditing
  • Information systems auditing or electronic data
    processing (EDP) auditing involves evaluating the
    computer's role in achieving audit and control
    objectives.
  • The AIS components of a computer-based AIS are
    people, procedures, hardware, data
    communications, software and databases.
  • These components are a system of interacting
    elements.

5
The Information Audit Process
  • If computer controls are weak or nonexistent,
    auditors will need to do more substantive
    testing.
  • Substantive tests are detailed tests of
    transactions and account balances.
  • Compliance testing is performed to ensure that
    the controls are in place and working as
    prescribed.
  • This may entail using computer-assisted audit
    techniques (CAATs).

6
Careers in Information Systems Auditing
  • Information systems auditors may obtain a
    Certified Information Systems Auditor (CISA)
    professional certification.
  • May be employed as either internal or external
    auditors.
  • Specialized skills and broad-based set of
    technical knowledge needed.

7
Information Systems Audit Process
[Flowchart. Boxes: "Preliminary review of information systems controls",
"Review general and application controls", "Perform compliance tests of
computer controls", "Perform substantive test of account balances".
Decisions: "Is system large and complex?", "Rely on IT controls?".
Branch labels: "NO - Audit around the computer", "YES - Audit through the
computer".]

8
Evaluating the Effectiveness of IT Controls: Risk Assessment
  • External auditors' main objective in reviewing
    information systems control procedures is to
    evaluate the risks to the integrity of accounting
    data.
  • Information Systems Risk Assessment is a method
    for evaluating the desirability of IT-related
    controls for a particular aspect
    of business risk.

9
Guidance in Designing and Evaluating IT Controls
  • Systems Auditability and Control (SAC) report
    identifies important information technologies and
    the specific risks related to these technologies.
  • Control Objectives for Information and Related
    Technology (COBIT) provides auditors with
    guidance in assessing and controlling for
    business risk associated with IT environments.

10
Auditing Around the Computer
  • Auditing Around the Computer assumes that the
    presence of accurate output verifies proper
    processing operations.
  • This type of auditing pays little or no attention
    to the control procedures within the IT
    environment.
  • Generally not an effective approach to auditing
    a computerized environment.

11
Auditing Through the Computer
  • When Auditing Through the Computer, an auditor
    follows the audit trail through the internal
    computer operations phase of automated data
    processing.
  • Attempts to verify the processing controls
    involved in the AIS programs.
  • Primary approaches are 1) testing programs,
    2) validating computer programs, 3)
    reviewing systems software, and 4) continuous
    auditing.

12
1) Testing Computer Programs - Test Data
  • The Test Data Approach uses a set of hypothetical
    transactions to test the edit checks in programs.
  • Auditor should use as many different exception
    situations as possible.
  • Auditor can also use software programs called
    test data generators to develop a set of test
    data.

13
Testing Computer Programs - Integrated Test Facility
  • An Integrated Test Facility (ITF) is effective in
    evaluating integrated online systems and complex
    programming logic.
  • ITF examines both the manual steps and the
    computerized steps that a company uses to process
    business transactions.
  • Its purpose is to audit an AIS in an operational
    setting.
  • Establish a fictitious entity
  • Enter transactions for that entity
  • Observe how these transactions are processed.
  • The auditor's role is to examine results of
    transaction processing to find out how well the
    AIS does the tasks required of it.

14
Testing Computer Programs - Parallel Simulation
  • With Parallel Simulation, the auditor uses live
    input data, rather than test data, in a program
    written or controlled by the auditor.
  • The auditor's program usually simulates only
    certain critical functions of a client program.
  • Auditor needs complete understanding of client
    system and sufficient technical knowledge.
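
A sketch of parallel simulation, added here as an illustration and not part of the original presentation: the auditor's own routine recomputes one critical function (a net invoice total) from live input and reconciles it against what the client program reported. The record layout, invoice numbers and the discount rule are assumptions made for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: live input records as captured by the auditor.
LIVE_INPUT = [
    {"invoice": "INV-1001", "qty": 10, "unit_price": "19.99", "discount_pct": "0"},
    {"invoice": "INV-1002", "qty": 3, "unit_price": "250.00", "discount_pct": "5"},
    {"invoice": "INV-1003", "qty": 7, "unit_price": "12.50", "discount_pct": "10"},
    {"invoice": "INV-1004", "qty": 1, "unit_price": "999.95", "discount_pct": "0"},
]
# Constructed sample data: totals produced by the client program for the same period.
CLIENT_OUTPUT = {
    "INV-1001": "199.90",
    "INV-1002": "712.50",
    "INV-1003": "87.50",   # discount was not applied by the client program
    "INV-9999": "50.00",   # output with no corresponding input record
}
CENT = Decimal("0.01")

def simulate_total(rec):
    """Auditor-controlled version of the single function under test."""
    gross = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
    net = gross * (Decimal(100) - Decimal(rec["discount_pct"])) / Decimal(100)
    return net.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(live_input, client_output, tolerance=Decimal("0.00")):
    """Return (invoice, reason, simulated, reported) for every discrepancy."""
    exceptions, seen = [], set()
    for rec in live_input:
        inv = rec["invoice"]
        seen.add(inv)
        expected = simulate_total(rec)
        reported = client_output.get(inv)
        if reported is None:
            exceptions.append((inv, "missing_in_client_output", expected, None))
        elif abs(Decimal(reported) - expected) > tolerance:
            exceptions.append((inv, "amount_mismatch", expected, Decimal(reported)))
    # Output the client produced that no live input record explains.
    for inv in sorted(set(client_output) - seen):
        exceptions.append((inv, "no_matching_input", None, Decimal(client_output[inv])))
    return exceptions

if __name__ == "__main__":
    for item in parallel_simulation(LIVE_INPUT, CLIENT_OUTPUT):
        print(item)
```

Reconciling in both directions matters: a one-way comparison would miss output that has no input record behind it.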

15
2) Validating Computer Programs
  • An auditor must validate any program with which
    he or she is presented.
  • Procedures that assist in program validation are
    1) tests of program change control, 2)
    program comparison, and 3) surprise audits and
    surprise use of programs.

16
Tests of Program Change Control
  • Program Change Control is a set of internal
    controls developed to ensure against unauthorized
    program changes.
  • Requires documentation of every request for
    application program changes.
  • Test begins with inspection of documentation
    maintained by information processing subsystem.

17
Program Comparison
  • To guard against unauthorized program tampering,
    a test of length control total can be performed.
  • A comparison program can compare code
    line-by-line to ensure consistency between
    authorized version and version being
    used.
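
The two checks on this slide, as an added example that is not part of the original presentation: a length control total and a line-by-line comparison of the authorized source against the copy in use. The sample program and its `clerk_limit` parameter are constructed; the SHA-256 digest is an extra check beyond what the slide lists, included because the sample change keeps the length identical.

```python
import difflib
import hashlib

# Constructed sample: the authorized source held by the auditor.
AUTHORIZED = """\
def approve(amount, clerk_limit=5000):
    if amount > clerk_limit:
        return "needs_manager"
    return "approved"
"""
# Constructed sample: the copy found in production, changed without altering its length.
IN_USE = AUTHORIZED.replace("clerk_limit=5000", "clerk_limit=9000")

def compare_programs(authorized: str, in_use: str) -> dict:
    """Compare the authorized program text with the version being used."""
    a_bytes, u_bytes = authorized.encode(), in_use.encode()
    a_lines, u_lines = authorized.splitlines(), in_use.splitlines()
    changed = []
    matcher = difflib.SequenceMatcher(None, a_lines, u_lines, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op != "equal":
            changed.append({
                "op": op,                 # replace, delete or insert
                "line": i1 + 1,           # 1-based position in the authorized version
                "authorized": a_lines[i1:i2],
                "in_use": u_lines[j1:j2],
            })
    return {
        # Length control total: total size of each version in bytes.
        "length_total_match": len(a_bytes) == len(u_bytes),
        # Digest comparison (addition to the slide's two checks).
        "digest_match": hashlib.sha256(a_bytes).digest() == hashlib.sha256(u_bytes).digest(),
        "changed": changed,
        "consistent": not changed,
    }

if __name__ == "__main__":
    report = compare_programs(AUTHORIZED, IN_USE)
    print(report["length_total_match"], report["digest_match"])
    for diff in report["changed"]:
        print(diff)
```

On this sample the length control total matches even though the program differs, which is why the line-by-line comparison is the check that settles consistency.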

18
Surprise Audits and Surprise Use of Programs
  • The Surprise Audit Approach involves examining
    application programs unexpectedly.
  • With the Surprise Use Approach, an auditor visits
    the computer center unannounced and requests
    that previously obtained authorized
    programs be used for the required data
    processing.

19
3) Review of Systems Software
  • Systems software includes 1) operating system
    software, 2) utility programs, 3) program library
    software, and 4) access control software.
  • Auditors should review systems software
    documentation.
  • Software tools can be used to review systems
    software.
  • Systems software can generate incident reports.

20
4) Continuous Approach
  • Audit tools can be installed within an
    information system to achieve Continuous
    Auditing.
  • Particularly effective when most of an
    application's data is in electronic form.
  • Examples: 1) embedded audit modules,
    2) exception reporting, 3)
    transaction tagging.

21
Auditing with the Computer
  • Auditing with the Computer entails using
    computer-assisted audit techniques (CAATs) to
    help in various auditing tasks.
  • This approach is virtually mandatory since data
    are stored on computer media and manual access is
    impossible.
  • CAATs are effective and save time.

22
General-Use Software
  • Auditors use General-Use Software such as
    spreadsheets and database management systems as
    productivity tools to improve their work.
  • Auditors use Structured Query Language (SQL) to
    retrieve a client's data and display these
    data in a variety of formats
    for audit purposes.

23
Generalized Audit Software
  • Generalized Audit Software (GAS) packages enable
    auditors to review computer files without
    continually rewriting processing programs.
  • GAS programs are specifically tailored
    to auditor tasks.
  • Audit Command Language (ACL) and
    Interactive Data Extraction and
    Analysis (IDEA) are examples of GAS.

24
Advantages of a GAS Package
  • Allows the auditor to access computer-readable
    records for a wide variety of applications and
    organizations.
  • Enables the auditor to examine much more data
    than could be examined through manual means.
  • Rapidly and accurately performs a variety of
    routine audit functions.
  • Reduces dependence on non-auditing personnel for
    performing routine functions, thus enabling
    better control over the audit.
  • Requires only minimal computer knowledge on the
    part of the auditor.

25
Limitation of Using GAS Packages
  • The main limitation of using GAS packages is that
    they do not directly examine the application
    programs and programmed checks.
  • Thus, they cannot replace the techniques of
    auditing through the computer.

26
Automated Workpaper Software
  • Automated Workpaper Software handles accounts for
    many organizations in a flexible manner.
  • Features include 1) generated trial
    balances, 2) adjusting entries, 3)
    consolidations, and 4) analytical procedures.

27
Auditing in the Information Age
  • Software can control audit
  • Audit tools stored on CD-ROM
  • Electronic spreadsheets
  • Client/server systems