Principles of Computer Auditing and Implications for Practice

1
Principles of Computer Auditing and Implications
for Practice

• PBCS Week 8

2
Information Systems Auditing Concepts

• What is auditing though the computer?
• It is the process of reviewing and evaluating the
  internal controls in an electronic data
  processing system.
• What is auditing with the computer?
• It is the utilization of the computer by an
  auditor to perform some audit work that otherwise
  would have to be done manually.

3
Structure of Financial Statement Audit

• The primary objective and responsibility of the
  external auditor is to attest to the fairness of
  a firms financial reports.
• The external auditor serves the firms
  stockholders, the government, and the general
  public.
• The internal auditor serves a firms management.

4
Structure of Financial Statement Audit
Accounting System
Transactions
Financial Reports

• Cash Bank
• Receivables Customers
• (Confirm balances)

Compliance Testing Interim Audit
Substantive Testing Financial Statement Audit
5
Auditing Around the Computer

• An accounting system is comprised of input,
  processing, and output.
• In the around-the-computer approach, the
  processing portion is ignored.
• Source documents supplying the input to the
  system are selected and summarized manually so
  that they can be compared to the output.

6
Auditing Around the Computer

• As batches are processed through the system,
  totals are accumulated for accepted and rejected
  records.
• Auditors emphasize control over rejected
  transactions, their correction, and then
  resubmission.
• The around-the-computer approach is no longer
  widely used.

7
Auditing Through the Computer

• Auditing through the computer may be defined as
  the verification of controls in a
  computerized system.
• General controls are relevant to the information
  systems themselves, as well as to the systems
  development aspects of IT.
• Application controls are related to specific
  computer application systems.

8
Control Framework in IT Environment
Applications Controls
Computer Application Systems and Programs
Internal Controls
Application Systems Development
Computer Service Center
General Controls
9
Auditing with the Computer

• Auditing with the computer is the process of
  using information technology in auditing.
• Most of the data that auditors must evaluate are
  already in an electronic format.
• The use of information technology is essential to
  increase the effectiveness and efficiency of
  auditing.

10
Auditing with the Computer

• What are some of the potential benefits of using
  information systems technology in an audit?
• Computer-generated working papers are generally
  more legible and consistent.
• Time may be saved by eliminating manual footing,
  cross footing, and other routine calculations.

11
Auditing with the Computer

• Calculations, comparisons, and other data
  manipulations are more accurately performed.
• Analytical review calculations may be more
  efficiently performed.
• Project information may be more easily generated
  and analyzed.

12
Auditing with the Computer

• Standardized audit correspondence may be
  stored and easily modified.
• Morale and productivity may be improved by
  reducing the time spent on clerical tasks.
• Increased cost-effectiveness is obtained by
  reusing and extending existing electronic audit
  applications to subsequent audits.
• Increased independence from information systems
  personnel is obtained.

13
Information Systems Auditing Technology

• Information system audit technology has evolved
  along with computer system development.
• There is no one overall auditing technology.
• Rather, there is a variety of tools and
  techniques that may be used to accomplish an
  audits objective.

14
Information Systems Auditing Technology

• Technique Test data
• Description Test data are input containing
  both valid and invalid data.
• Example Payroll transactions for fictitious
  employees are processed concurrently
  with valid payroll transactions.

15
Information Systems Auditing Technology
Test Data Hypothetical Transactions
Computer Processing Using Master Program
Error Listing
Auditors Expected Output
Compare
16
Information Systems Auditing Technology

• Technique Integrated test facility (ITF)
• Description ITF involves both the use of test
  data and the creation of fictitious records
  (vendors, employees) on the master files of a
  computer system.
• Example Payroll transactions for fictitious
  employees are processed concurrently
  with valid payroll transactions.

17
Information Systems Auditing Technology
ITF Transactions
Transactions
Computer Application System
Data Files
ITF Data
Reports Without ITF Data
Reports Containing ITF Information
18
Information Systems Auditing Technology

• Technique Parallel simulation
• Description Processing real data through audit
  programs. The simulated output and the
  regular output are then compared.
• Example Depreciation calculations are
  verified by processing the fixed- asset
  master file with an audit program.

19
Information Systems Auditing Technology
Computer Application System Function to Be
Verified
Transactions
Parallel Simulation Program
Report
Simulation Report
Compare
20
Information Systems Auditing Technology

• Technique Audit software
• Description Computer programs that permit
  the computer to be used as an auditing
  tool.
• Example An auditor uses a computer program
  to extract data records from a master file.

21
Information Systems Auditing Technology

• Technique Generalized audit software (GAS)
• Description GAS is audit software that has
  been specifically designed to allow
  auditors to perform audit- related data
  processing functions.
• Example An auditor uses GAS to search
  computer files for unusual items.

22
Information Systems Auditing Technology

• Technique PC software
• Description Software that allows the auditor to
  use a PC to perform audit tasks.
• Example A PC spreadsheet package is used to
  maintain audit working papers and audit
  schedules.

23
Information Systems Auditing Technology
Smart Audit Support
Access to Information
Work Papers
Document Manager
File Interrogation
Trial Balance
Multiplication Support
MS Word
MS Excel
MS Access
Lotus ccmail
ACL
Folio VIEWS
Other Applications
24
Information Systems Auditing Technology

• Technique Embedded audit routines
• Description Special auditing routines included
  in regular computer programs so that
  transaction data can be subjected to audit
  analysis.
• Example Data items that are exceptions to
  auditor-specified edit tests included in
  a program are written to a special audit file.

25
Information Systems Auditing Technology
Production Transactions
Production Computer Application System Embedded
Audit Data Collection Module
Production Reports
Audit Reports
26
Information Systems Auditing Technology

• Technique Extended records
• Description Modification of programs to
  collect and store data of audit interest.
• Example A payroll program is modified to
  collect data pertaining to overtime pay.

27
Information Systems Auditing Technology

• Technique Snapshot
• Description Modifications of programs to
  output data of audit interest.
• Example A payroll program is modified to
  output data pertaining to overtime pay.

28
Information Systems Auditing Technology

• Technique Tracing
• Description Tracing provides a detailed audit
  trail of the instructions executed during
  the programs operation.
• Example A payroll program is traced to
  determine if certain edit tests are
  performed in the correct order.

29
Information Systems Auditing Technology

• Technique Review of system documentation
• Description Existing system documentation
  such as program flowcharts are reviewed
  for audit purposes.
• Example An auditor desk checks the
  processing logic of a payroll program.

30
Information Systems Auditing Technology

• Technique Control flowcharting
• Description Analytic flowcharts or other
  graphic techniques are used to describe
  the controls in a system.
• Example An auditor prepares an analytic
  flowchart to review controls in the
  payroll application system.

31
Information Systems Auditing Technology

• Technique Mapping
• Description Special software is used to
  monitor the execution of a program.
• Example The execution of a program with test
  data as input is mapped to indicate how
  extensively the input tested compares with
  individual program statements.

32
General Approach to an Information Systems Audit

• Most approaches to an information systems audit
  follow some variation of a three-phase structure.
• The first phase consists of an initial review and
  evaluation of the area to be audited and audit
  plan preparation.
• The second phase is a detailed review and
  evaluation of controls.

33
General Approach to an Information Systems Audit

• The third phase involves compliance testing and
  is followed by analysis and reporting of results.
• The initial review phase determines the course of
  action the audit will take.
• It includes the following
• decisions concerning specific areas to be
  investigated

34
General Approach to an Information Systems Audit

• the deployment of audit labor
• the audit technology to be used
• the development of time and/or cost budget for
  the audit
• The primary control over the conduct of an
  information systems audit centers on
  documentation and review of performance.

35
General Approach to an Information Systems Audit

• What is an audit program?
• It is a detailed list of the audit procedures to
  be applied on a particular audit.
• Standardized audit programs for particular audit
  areas have been developed and are common in all
  types of auditing.

36
General Approach to an Information Systems Audit

• In the second general phase of the audit, effort
  is focused on fact-finding in the area(s)
  selected for audit.
• Documentation of the application area is
  reviewed.
• Data concerning the operation of the system are
  reviewed.

37
General Approach to an Information Systems Audit

• In the third phase of the audit, compliance tests
  are undertaken to provide reasonable assurance
  that internal controls exist and operate as
  prescribed.

38
Information Systems Application Audits

• Application controls are divided into three
  general areas.
• What are these areas?
• Input
• Processing
• Output

39
Information Systems Application Audits

• An information systems application audit
  generally involves reviewing the controls in
  each of these areas.
• The specific technology used will depend on the
  ingenuity and resources of the auditor.

40
Application Systems Development Audits

• Systems development audits are directed at the
  activities of the systems analyst and
  programmers.
• Controls governing the systems development
  process directly affect the reliability of the
  application programs that are developed.

41
Application Systems Development Audits

• There are three general areas of audit concern
  in the systems development process.
• They are
• Systems development standards
• Project management
• Program change control
• What are systems development standards?

42
Application Systems Development Audits

• Systems development standards are the
  documentation governing the design, development,
  and implementation of application systems.
• What is project management?
• It consists of project planning and project
  supervision.

43
Application Systems Development Audits

• What is the objective of program change controls?
• It is to prevent unauthorized and potentially
  fraudulent changes from being introduced into
  previously tested and accepted programs.

44
Computer Service Center Audits

• Normally, an audit of the computer service center
  is undertaken before any application audits to
  ensure the general integrity of the environment
  in which the application will function.
• Audits might be undertaken in several areas.
• What are some examples?

45
Computer Service Center Audits

• environmental controls
• physical security of the center
• data release, reports, and computer programs
• management controls
• Audits of computer service center operations
  require a high degree of technical training and
  familiarity with computer operations.