Chapter 13 Auditing Information Technology

1
Chapter 13Auditing Information Technology
2
Presentation Outline

• Concepts in Information Systems Auditing
• Auditing Technology for Information Systems

3
I. Concepts in Information Systems Auditing

• A. The Phases to the Information Systems
• Audit
• B. Structure of the Financial Statement
  Audit
• C. Auditing Around the Computer
• D. Auditing With the Computer
• E. Auditing Through the Computer

4
A. Phases of the Information Systems Audit

• 1. Initial review and evaluation of the area to
  be audited, and the audit plan preparation
• 2. Detailed review and evaluation of controls
• 3. Compliance testing
• 4. Analysis and reporting of results

5
B. Structure of the Financial Statement Audit
Transactions
Accounting System
Financial Reports
Financial Statement Audit Substantive Testing
Interim Audit Compliance Testing
6
B1. Compliance Testing

• Auditors perform tests of controls to determine
  that the control policies, practices, and
  procedures established by management are
  functioning as planned. This is known as
  compliance testing.

7
B2. Substantive Testing

• Substantive testing is the direct verification of
  financial statement figures. Examples would
  include reconciling a bank account and confirming
  accounts receivable.

Audit Confirmation To ABC Co. Customer Please
confirm that the balance of your account on Dec.
31 is _____ .
8
C. Auditing Around the Computer

• The auditor ignores computer processing.
  Instead, the auditor selects source documents
  that have been input into the system and
  summarizes them manually to see if they match the
  output of computer processing.

Processing
9
D. Auditing With The Computer

• The utilization of the computer by an auditor to
  perform some audit work that would otherwise have
  to be done manually.

10
E. Auditing Through the Computer

• The process of reviewing and evaluating the
  internal controls in an electronic data
  processing system.

Audit
11
II. Auditing Technology for Information Systems

• A. Review of Systems Documentation
• B. Test Data
• C. Integrated-Test-Facility (ITF) Approach
• D. Parallel Simulation
• E. Audit Software
• F. Embedded Audit Routines
• G. Mapping
• H. Extended Records and Snapshots

12
A. Review of Systems Documentation

• The auditor reviews documentation such as
  narrative descriptions, flowcharts, and program
  listings. In desk checking the auditor processes
  test or real data through the program logic.

13
B. Test Data

• The auditor prepares input containing both valid
  and invalid data. Prior to processing the test
  data, the input is manually processed to
  determine what the output should look like. The
  auditor then compares the computer-processed
  output with the manually processed results.

14
Illustration of Test Data Approach
Computer Operations
Auditors
Prepare Test Transactions And Results
Transaction Test Data
Computer Application System
Manually Processed Results
Computer Output
Auditor Compares
15
C. Integrated Test Facility (ITF) Approach

• A common form of an ITF is as follows
• A dummy ITF center is created for the auditors.
• Auditors create transactions for controls they
  want to test.
• Working papers are created to show expected
  results from manually processed information.
• Auditor transactions are run with actual
  transactions.
• Auditors compare ITF results to working papers.

16
Illustration of ITF Approach
Computer Operations
Auditors
Prepare ITF Transactions And Results
Actual Transactions
ITF Transactions
Computer Application System
Data Files
ITF Data
Reports With Only Actual Data
Reports With Only ITF Data
Manually Processed Results
Auditor Compares
17
D. Parallel Simulation

• The test data and ITF methods both process test
  data through real programs. With parallel
  simulation, the auditor processes real client
  data on an audit program similar to some aspect
  of the clients program. The auditor compares
  the results of this processing with the results
  of the processing done by the clients program.

18
Illustration of Parallel Simulation
Computer Operations
Auditors
Actual Transactions
Computer Application System
Auditors Simulation Program
Actual Client Report
Auditor Simulation Report
Auditor Compares
19
E. Audit Software

• Computer programs that permit computers to be
  used as auditing tools include
• 1. Generalized audit software
• Perform tasks such as selecting sample data from
  file, checking computations, and searching files
  for unusual items.
• 2. P.C. Software
• Allows auditors to analyze data from
  notebook computers in the field.

20
F. Embedded Audit Routines

• 1. In-line Code Application program performs
• audit data collection while it processes
  data for normal production purposes.
• 2. System Control Audit
• Review File (SCARF)
• Edit tests for audit
• transaction analysis are
• included in program.
• Exceptions are written
• to a file for audit review.

The Auditor
21
G. Mapping

• Special software counts the number of times each
  program statement in a program executes.
• Helps identify code that is bypassed when the
  bypass is not readily apparent in the program
  code and/or documentation.

22
H. Extended Records and Snapshots

• Extended Records
• Specific transactions are tagged, and the
  intervening processing steps that normally would
  not be saved are added to the extended record,
  permitting the audit trail to be reconstructed
  for these transactions.

• Snapshot
• A snapshot is similar to an extended record
  except that the snapshot is a printed audit trail.

23
Summary

• Compliance and Substantive Testing
• Auditing Around the Computer
• Auditing with the Computer
• Auditing Through the Computer
• Testing Approaches Through the Computer