Auditing in CIS Environment

This document provides an overview of auditing in an information technology environment. It discusses the basic components of an IT environment including hardware, software, databases, and IT processes. It also covers internal controls in an IT system and considerations for planning an IT audit. The document outlines factors that impact audit approaches for high-speed processing, low clerical error rates, and concentrated duties in an IT system. It also describes general and application level IT controls and responsibilities within an IT system.

Uploaded by Mart Roca Lupig

AY 2023-2024

AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT

LECTURE NOTES

INTRODUCTION TO IT ENVIRONMENT
An IT environment exists when a computer of any type or size is involved in the processing by the
entity of financial information of significance to the audit, whether the computer is operated by the
entity or by a third party.

The IT environment consists of the IT applications and supporting IT infrastructure, as well as the IT
processes and the personnel involved in those processes.

IT application – a program or a set of programs used in the initiation, processing, recording, and
reporting of transactions or information. IT applications include data warehouses and report writers.

IT infrastructure – comprises the network, operating systems, and databases and their related
hardware and software.

IT processes – the entity's processes to manage access to the IT environment, to manage program
changes or changes to the IT environment, and to manage IT operations.

Basic Components
A. Hardware – physical devices or equipment used to accomplish the data processing function.
Hardware devices include:
1. Input – devices that convert information into a machine-readable form. Examples of input devices:
1.1. Online entry – keyboard, mouse, microphone, webcam, and touch-sensitive screens.
1.2. Turnaround documents – documents sent to customers and returned as inputs.
1.3. Electronic commerce and electronic data interchange – one entity's computer communicating
directly with another's computer.
2. Central Processing Unit (CPU) – the principal hardware component; it executes program
instructions that manipulate data. It contains:
2.1. Control unit – interprets the coded program instructions that manipulate the data.
2.2. Primary memory storage
2.2.1 Random Access Memory (RAM) – stores application programs and data at execution
time and may be modified by the user.
2.2.2 Read-Only Memory (ROM) – memory that cannot be changed in normal operation; it
contains the system's basic input/output system (BIOS) and similar firmware.
2.3. Arithmetic and Logic Unit (ALU) – performs arithmetic and logic functions.
3. Output – devices that translate processed data into forms understandable by users:
3.1 Monitors, printers, plotters, and microfilm.
B. Software – sets of instructions (programs) that direct, control and coordinate the operation of
the hardware components.
1. Systems software
1.1 Operating system – a group of computer programs that monitor and control all the input,
output, processing and storage devices and operations of a computer (e.g. DOS, Windows, Linux,
macOS, etc.).
1.2 Utility programs – handle common file, data manipulation and "housekeeping" tasks, such as
commonly required processes like sorting and merging.
1.3 Communication software – controls and supports transmission between computers and between
computers and terminals, and provides access to remote databases.
2. Application software – programs designed for specific uses or desired processing tasks, such as
payroll preparation, word processing, and accounting software.
3. Database Management System (DBMS) – a software package for creating, accessing and
maintaining a database.
INTERNAL CONTROL IN A CIS ENVIRONMENT

Auditing in a CIS environment has not changed the fundamental nature of auditing, but it has caused
substantial changes in the methods of evidence collection and evaluation.

The impact of computerization on the audit approach requires consideration of the following factors:

1. High speed – In a CIS environment information can be generated very quickly. Even complex
reports in a specific format can be generated for audit purposes without much loss of time.
2. Low clerical error – Because computerized operations follow a systematic, sequential programmed
course of action, the incidence of clerical error is considerably reduced. (The corollary, covered
below under consistency of performance, is that an error in the program is repeated on every
transaction processed.)
3. Concentration of duties – In a manual environment, separate individuals carry out the steps of a
process, and the auditor relies on that segregation in the verification process. In a CIS environment
the traditional approach often does not apply: a single computer program performs more than one set
of activities at a time, thereby concentrating the duties of several personnel in one place.

IT Characteristics and Considerations


1. Organizational structure
a. Concentration of functions and knowledge
Because of the ability of the computer to process data, several functions are combined and the number
of persons involved in the processing of financial information is significantly reduced.
b. Concentration of programs and data
Transaction and master file data are often concentrated, usually in machine-readable form, making
them more vulnerable to unauthorized alteration.

2. Nature of processing
a. Lack of visible transaction trails (input, output and audit trail)
In an IT environment, data may be entered directly into the computer system without supporting
documents. Also, records and files may not be printed and cannot be read without using the computer.
b. Ease of access to data and computer programs
Data and computer programs may be accessed by unauthorized persons, either at the computer or
through the use of computer equipment at remote locations, leaving no visible evidence.

3. Design and procedural aspects
a. Consistency of performance
IT performs functions exactly as programmed. An incorrect program may result in consistently
erroneous processing that could have an adverse effect on the entity.
b. System-generated transactions
Some transactions may be initiated by the IT system itself without the need for an input document.
c. Programmed control procedures
The nature of computer processing allows internal control procedures to be designed into computer
programs.
d. Single-transaction update of multiple files or database records
A single transaction may update several master files or database tables at once.

Skills and Competence Needed

The auditor should consider whether specialized skills are needed. If so, the auditor should seek the
assistance of a computer professional, who may be a member of staff or an outside professional.
The auditor can never delegate responsibility for forming important audit conclusions or for
expressing an opinion on the financial statements.

PLANNING THE AUDIT WHERE CIS IS PRESENT – OBTAIN INFORMATION ABOUT:

1. Computer hardware and software.
2. Extent to which the computer is used in significant accounting applications, and the nature of the
processing and data retention processes.
3. Complexity of the entity's computer operations.
4. Organizational structure of computer processing activities.
5. Availability of data that may exist only for a short period of time, or only in computer-readable
form.
6. Use of computer-assisted audit techniques.

CLASSIFICATION OF CONTROLS

1. As to objectives
1.1 Preventive
1.2 Detective
1.3 Corrective

2. As to scope
2.1 General controls – relate to the entire information system and apply to all programs run on it.
2.2 Application controls – relate to a particular computer task or application.

General Controls

General IT controls cover the entity's IT processes that support the continued proper operation of the
IT environment, including the continued effective functioning of information processing controls and
the integrity of information in the entity's information system.

a) Organizational controls – designed to define the strategic direction and establish an
organizational framework over IT activities, including:
• strategic information and technology plan
• policies and procedures
• segregation of incompatible functions
  - between the IT department and the user departments
  - within the IT department
• monitoring of IT activities performed by third-party consultants
Responsibility within an Information System

1. Information systems management – headed by a Chief Information Officer, who supervises the
operation of the department.
2. Systems analysts – responsible for designing the information systems. They focus on setting the
goals of the information systems and the means of achieving them, after considering the goals of the
organization and the computer processing needs of the entity.
3. Application programming – codes the system specifications determined by the systems analysts
using programming languages (Pascal, FoxPro, etc.).
4. Database administration – plans and administers the database by designing it and controlling its
use.
5. Data entry – prepares and verifies input data for processing.
6. Computer operations – runs and monitors the central computer in accordance with standard
instructions. Operators sometimes need access to the computer console to correct errors indicated
during processing; this is a risk exposure, so the operating system should be designed to maintain a
log of every operator intervention. Computer operations should also be separated from application
programming to mitigate the possibility of unauthorized changes to computer programs.
7. Program and file library – protects computer programs, master files, transaction tapes and other
records from loss, damage, and unauthorized use or alteration.
8. Data control – reviews and tests all input procedures, monitors computer processing, reviews
exception reports, handles reprocessing of exceptions detected by the computer and distributes all
computer output; also reviews the computer log of operator interventions and the library log of
program usage.
9. Telecommunications – responsible for maintaining and enhancing computer networks and network
connections.
10. Systems programming – responsible for troubleshooting the operating system or systems in use,
upgrading them, and working with application programs in case of incompatibility with the operating
system.
11. Quality assurance – ensures that the development of new systems and the replacement of old ones
are controlled, and that new systems meet user, application and documentation standards.

b) System development, maintenance and documentation

1. User departments must participate in system design.
2. Written system specifications must be required and approved by management and the user
department.
3. Both user and IT personnel must test new systems.
4. Management, user and IT personnel must approve a new system before implementation.
5. All master and transaction files must be controlled to avoid unauthorized changes.
6. All program changes should be approved.
7. Adequate documentation should be maintained to facilitate the use of programs.

c) Access controls – provide reasonable assurance that access to equipment, files and programs is
limited to authorized personnel.
1. Physical access controls
a) Limited physical access – automated key cards and manual key locks.
b) Visitor entry log.

2. Electronic access controls
a) Requiring user identification (especially on online systems) and regular changes of passwords.
b) Defining each user's data access privileges.
c) Call-back – users dial in for access to the IT system; the system disconnects and re-establishes
the communication link by calling back a pre-registered number once the user's identity is established.

3. Hardware controls
a) Diagnostic routines – hardware or software supplied by the manufacturer to check the internal
operation of the devices within the computer system.
b) Boundary protection – ensures the integrity of the memory allocated to a job that is running
concurrently with other jobs in a multiprogramming environment.
c) Periodic maintenance.

4. Data transmission controls – procedures established to prevent unauthorized access to, or changes
to, information being transmitted via telecommunication facilities:
a) Parity check – data are processed and transmitted by computers as arrays of bits. A redundant bit
is added so that the receiver can verify the integrity of the information processed or transmitted. A
parity bit detects an odd number of flipped bits caused by line noise; it does not detect an even number
of errors, and it offers no protection against deliberate alteration, since whoever changes the data can
recompute the parity bit.
b) Data encryption – data are encoded so that unauthorized individuals cannot read the information.
c) Message acknowledgement technique – the receiving device sends a message verifying the
transmission back to the sending device.
d) Private lines – using phone lines owned or leased by the organization, which are therefore more
secure than public lines.

5. Other access control activities
a) Programming the operating system to generate a computer log of failed access attempts and to
generate warnings on repeated access failures.
b) Programmers should not have access to input data or to application programs that are currently
in use.
c) Computer operators should be restricted to the application programs currently being used.
d) Computer operators should have access only to the operations manual (instructions for processing
programs) and not to detailed program documentation.
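Worked example of the parity check in 4(a) above, added here as an illustration and not part of the lecture notes. It frames each byte with one even-parity bit (a simplifying assumption about the line protocol), then shows a single-bit error being caught and a two-bit change passing unnoticed, so that the transmitted amount changes without the check firing. The payload is a constructed sample.

```python
# Added example: even parity over a transmitted byte string (not from the lecture notes).
# Framing assumption: each data byte is sent with one parity bit.

def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, else 0,
    so that data bits plus parity bit always contain an even number of 1s."""
    return bin(byte).count("1") & 1

def encode(data):
    """Sender side: attach a parity bit to every byte -> list of (byte, parity)."""
    return [(b, parity_bit(b)) for b in data]

def decode(frames):
    """Receiver side: recover the payload bytes (parity bits discarded)."""
    return bytes(b for b, _ in frames)

def check(frames):
    """Receiver side: indexes of frames whose data no longer matches the parity bit."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]

def flip_bits(frames, index, bit_positions):
    """Simulate line noise or tampering by flipping bits of one frame's data byte
    while the parity bit travels unchanged."""
    frames = list(frames)
    b, p = frames[index]
    for pos in bit_positions:
        b ^= 1 << pos
    frames[index] = (b, p)
    return frames

MESSAGE = b"PAY 1000.00 TO 4471"  # constructed sample payload

def demo():
    frames = encode(MESSAGE)
    clean = check(frames)                           # no errors on a clean line
    one_flip = check(flip_bits(frames, 4, [0]))     # single-bit error: caught
    two_flips = flip_bits(frames, 4, [0, 3])        # '1' (0x31) becomes '8' (0x38)
    undetected = check(two_flips)                   # even number of flips: parity still matches
    return clean, one_flip, undetected, decode(two_flips)

if __name__ == "__main__":
    print(demo())
```

demo() returns ([], [4], [], b'PAY 8000.00 TO 4471'): the single flip in frame 4 is reported, but flipping two bits of the same byte turns "1000.00" into "8000.00" with the parity bit still valid. That is why parity is a control against transmission noise only; an attacker who can alter the frame simply recomputes the bit.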
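Worked example of control 5(a) above (a log of failed access attempts with a warning on repeated failures), added here and not part of the lecture notes. The log line format, field names, threshold and window are assumptions; the log lines themselves are constructed.

```python
# Added example: detect repeated failed access attempts in an access log
# (not from the lecture notes; log format and thresholds are assumptions).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log. jdoe fails four times in 30 seconds; root fails
# four times spread over 33 minutes ("low and slow").
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGIN FAIL user=jdoe src=10.1.5.23
2024-03-04T08:00:09 LOGIN FAIL user=jdoe src=10.1.5.23
2024-03-04T08:00:15 LOGIN FAIL user=jdoe src=10.1.5.23
2024-03-04T08:00:20 LOGIN OK user=asmith src=10.1.7.4
2024-03-04T08:00:31 LOGIN FAIL user=jdoe src=10.1.5.23
2024-03-04T08:00:40 LOGIN FAIL user=root src=192.0.2.9
2024-03-04T08:11:00 LOGIN FAIL user=root src=192.0.2.9
2024-03-04T08:22:00 LOGIN FAIL user=root src=192.0.2.9
2024-03-04T08:33:00 LOGIN FAIL user=root src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}

def detect_repeated_failures(log_text, threshold=4, window_minutes=5):
    """Warn when one (user, source) pair accumulates `threshold` failures within a
    sliding window of `window_minutes`. Returns a list of
    (user, src, failure_count, timestamp_of_triggering_failure)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still in window
    warnings = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue              # unparseable line; a real control would alert on these too
        key = (event["user"], event["src"])
        failures = recent[key]
        if event["result"] == "OK":
            failures.clear()      # a successful login ends the burst
            continue
        failures.append(event["ts"])
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()    # discard failures that have aged out of the window
        if len(failures) >= threshold:
            warnings.append((event["user"], event["src"], len(failures), event["ts"]))
            failures.clear()      # one warning per burst, then start counting again
    return warnings

if __name__ == "__main__":
    for w in detect_repeated_failures(SAMPLE_LOG):
        print("WARNING: repeated access failures", w)
```

With the default five-minute window only jdoe is reported; root's attempts are eleven minutes apart and never reach four inside any window. Widening window_minutes to 60 reports root as well, which is the practical point: a single short window catches bursts, so a real control also keeps a longer-horizon count per account.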

d) Data and procedural controls

1) Data control group – receives all data for processing, ensures complete recording, follows up
errors, determines that data are corrected and resubmitted by user departments, and verifies output
distribution.
2) Processing controls.
a) Written manual of systems and procedures for all computer operations.
b) Back-up and recovery.
I. Grandfather-father-son principle of file retention – a back-up system employed in batch
processing that enables reproduction of destroyed or lost master files from multiple (three)
generations of master files together with the transaction files that produced them.
II. Snapshots – a daily picture (copy) of the data files is taken and retained until the weekly file is
prepared; weekly files are retained until the monthly file is prepared, which in turn is retained until
the annual file is created.
c) Contingency processing – detailed processing plans to be invoked in case of disaster, which may
include:
I. Reciprocal agreement / mutual aid pact.
II. Internal site.
III. Hot site – back-up centers already installed with equipment.
IV. Cold site – back-up centers ready for equipment to be brought in.
d) File protection rings – a ring that must be fitted to a magnetic tape reel before the tape can be
written to. This prevents an operator error from overwriting a tape containing critical information.
e) Internal and external labels – provide identification of files to avoid their accidental destruction.
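Worked example of the grandfather-father-son retention in 2(b)(I) above, added here and not part of the lecture notes. It simulates a batch-updated master file kept for three generations with its transaction files, and shows a destroyed "son" (and "father") being regenerated from the older generation. Account numbers and amounts are constructed.

```python
# Added example: grandfather-father-son retention for a batch-updated master file
# (not from the lecture notes; account numbers and amounts are constructed).
from collections import deque

def apply_batch(master, transactions):
    """Batch update: post each (account, amount) to a copy of the master file
    and return the new generation. The input master is left untouched."""
    new_master = dict(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master

class GfsRetention:
    """Retains the three most recent master-file generations plus the transaction
    file that produced each one, so any generation can be regenerated from the
    one before it."""
    GENERATIONS = 3

    def __init__(self, initial_master):
        self.masters = deque([dict(initial_master)], maxlen=self.GENERATIONS)
        self.transaction_files = deque([[]], maxlen=self.GENERATIONS)

    def run_cycle(self, transactions):
        """Process one batch: the current son becomes the father, and so on;
        the generation beyond the third falls off and its tape can be reused."""
        son = apply_batch(self.masters[-1], transactions)
        self.masters.append(son)
        self.transaction_files.append(list(transactions))
        return son

    @property
    def son(self):
        return self.masters[-1]

    @property
    def father(self):
        return self.masters[-2]

    @property
    def grandfather(self):
        return self.masters[-3]

    def regenerate(self, level=1):
        """Rebuild a lost generation: level 1 = son from father + its transaction
        file; level 2 = father from grandfather + its transaction file."""
        if not 1 <= level < len(self.masters):
            raise ValueError("no older generation retained to regenerate from")
        return apply_batch(self.masters[-level - 1], self.transaction_files[-level])

def demo():
    gfs = GfsRetention({"1001": 500, "1002": 250})
    gfs.run_cycle([("1001", -100), ("1003", 75)])      # cycle 1
    gfs.run_cycle([("1002", 40), ("1003", -25)])       # cycle 2
    gfs.run_cycle([("1001", 10)])                       # cycle 3: three generations retained
    current = dict(gfs.son)                             # pretend this file is then destroyed
    rebuilt_son = gfs.regenerate(1)
    rebuilt_father = gfs.regenerate(2)
    return current, rebuilt_son, rebuilt_father == gfs.father, rebuilt_son == current

if __name__ == "__main__":
    print(demo())
```

Keeping each generation's transaction file alongside the master is what makes the regeneration possible; without it the older master alone cannot reproduce the lost one. Before a regenerated file goes back into production, its record count and control totals should be agreed to the last known totals for that generation.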

e) Monitoring controls – designed to ensure that IT controls are working effectively. These may
include:
• Monitoring of key IT performance indicators
• Internal/external IT audits.

IT Application Controls

Control policies and procedures that relate to specific uses of the system, in order to provide
reasonable assurance that all transactions are authorized, recorded, and processed completely,
accurately and on a timely basis.

In an IT environment, application controls are controls relating to the processing of information in
IT applications that directly address risks to the integrity of information (i.e. the completeness,
accuracy and validity of transactions and other information).

These may include:

a. Controls over input – designed to provide reasonable assurance that:
• Transactions are properly authorized before being processed by the computer.
• Transactions are accurately converted into machine-readable form and recorded in the computer
data files.
• Transactions are not lost, added, duplicated, or improperly changed.
• Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
• Common examples of controls over input are key verification, field check, validity check,
self-checking digit, limit check, and control totals (financial, hash and record count).
a) Limit test – a test of the reasonableness of a field of data using predetermined upper and lower
limits.
b) Validity test – a comparison of data against a master file or table for accuracy.
c) Self-checking digit – a redundant digit derived from the other digits of a number, permitting an
accuracy check on keying errors such as a mistyped or transposed digit.
d) Completeness check – processing will not continue unless all required data are supplied (also
called a missing-data check).
e) Control total – the total of one field of information for all items in a batch.
• Item (record) count – a count of the number of items or transactions being input in a given batch.
• Financial total – the total of the amounts for all items in a batch.
• Hash total – a total of one field of information for all items in a batch that has no intrinsic
meaning (e.g. the sum of account numbers).
f) Menu-driven input – a set of menus or questions and answers that guides the user through
completion of all the required data.
g) Field check – ensures that the proper type of character is supplied in a given field (i.e. alphabetic
only, numeric only or alphanumeric).
h) Field size check – ensures that the data supplied fit within the number of digits or string of
characters required for the field.
i) Logic tests – reject data that are illogical or inconsistent.

b. Controls over processing – designed to provide reasonable assurance that:
• Transactions are processed accurately.
• Transactions are not lost, added, excluded, duplicated or improperly changed.
• Processing errors are identified and corrected on a timely basis.
c. Controls over output – designed to provide reasonable assurance that:
• Results of processing are complete and accurate.
• Output is distributed to authorized personnel only.
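Worked example of the input controls listed under (a) above, added here and not part of the lecture notes. It applies the field check, field size check, limit test, validity test, completeness check and self-checking digit to a constructed batch of payroll time records, and agrees the batch to the three control totals (record count, financial total, hash total). The employee-number check digit is assumed to use the Luhn algorithm; the master file, batch and header totals are constructed.

```python
# Added example: programmed input controls and batch control totals applied to a
# constructed batch of payroll time records (not from the lecture notes). The
# employee-number check digit is assumed to use the Luhn algorithm.
import re

EMPLOYEE_MASTER = {"1234567897", "9876543217"}   # constructed master file; IDs are Luhn-valid
ID_LENGTH = 10
HOURS_LIMITS = (0.0, 80.0)                          # predetermined lower/upper limits per period
DEPT_RE = re.compile(r"^[A-Z]\d{2}$")               # department code format: one letter, two digits

def luhn_ok(number):
    """Self-checking digit: the trailing digit makes the Luhn sum a multiple of 10,
    which catches any single mistyped digit and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_record(rec):
    """Return the names of the input controls this record fails (empty list = accepted)."""
    if any(not rec.get(field) for field in ("emp_id", "hours", "dept")):
        return ["completeness check"]              # missing data: no point testing further
    emp_id, hours, dept = rec["emp_id"], rec["hours"], rec["dept"]
    failures = []
    if not emp_id.isdigit():
        failures.append("field check (emp_id numeric)")
    elif len(emp_id) != ID_LENGTH:
        failures.append("field size check")
    elif not luhn_ok(emp_id):
        failures.append("self-checking digit")
    if emp_id not in EMPLOYEE_MASTER:
        failures.append("validity test (employee master)")
    try:
        h = float(hours)
    except ValueError:
        failures.append("field check (hours numeric)")
    else:
        if not HOURS_LIMITS[0] <= h <= HOURS_LIMITS[1]:
            failures.append("limit test")
    if not DEPT_RE.match(dept):
        failures.append("field check (dept format)")
    return failures

def control_totals(batch):
    """Record count, financial total (hours) and hash total (sum of employee numbers,
    a figure with no business meaning) for a batch."""
    return {
        "record_count": len(batch),
        "financial_total": sum(float(r["hours"]) for r in batch),
        "hash_total": sum(int(r["emp_id"]) for r in batch),
    }

def check_batch(batch, header):
    """Agree the batch to the header totals prepared by the user department, then
    apply the record-level edits. Returns (mismatched totals, rejected records)."""
    totals = control_totals(batch)
    mismatches = [name for name, value in header.items() if totals[name] != value]
    rejected = {}
    for i, rec in enumerate(batch):
        failures = check_record(rec)
        if failures:
            rejected[i] = failures
    return mismatches, rejected

# Constructed batch as keyed in, with the header totals the user department computed
# from the source documents.
BATCH = [
    {"emp_id": "1234567897", "hours": "40",   "dept": "A10"},   # clean
    {"emp_id": "9876543217", "hours": "38.5", "dept": "A10"},   # clean
    {"emp_id": "1234567896", "hours": "40",   "dept": "B20"},   # last digit mistyped
    {"emp_id": "98765432170", "hours": "40",  "dept": "B20"},   # one digit too many
    {"emp_id": "1234567897", "hours": "125",  "dept": "A10"},   # hours over the limit
]
BATCH_HEADER = {"record_count": 5, "financial_total": 283.5, "hash_total": 112345679077}

if __name__ == "__main__":
    print(check_batch(BATCH, BATCH_HEADER))
    print(check_batch(BATCH[:-1], BATCH_HEADER))   # a dropped record breaks all three totals
```

The two layers catch different things: the header totals agree for the batch as keyed (so nothing was lost or added in transit), while the record-level edits reject the mistyped check digit, the over-long number and the unreasonable hours. Dropping one record from the batch makes all three totals disagree, which is the completeness check the hash total exists for.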
AUDITING IN AN IT ENVIRONMENT

1. The overall objective and scope of an audit, including the auditor's responsibilities, do not change
in an IT environment. They do not differ whether an entity operates in a mainly manual environment, a
completely automated environment, or an environment involving some combination of manual and
automated elements (i.e. manual and automated controls and other resources used in the entity's
system of internal control).

2. An IT environment may affect:
a. The auditor's consideration of internal control, which will include an assessment of computerized as
well as manual controls.
b. The auditor's assessment of control risk.
c. The procedures to be performed in considering internal control and performing substantive tests.

RISK ASSESSMENT PROCEDURES

1. The auditor should obtain an understanding of the significance and complexity of the IT
environment in order to design further audit procedures. The following explain why the auditor should
understand the IT environment relevant to the information system:
✓ The auditor's understanding of the information system includes the IT environment relevant to
the flows of transactions and processing of information in the entity's information system, because
the entity's use of IT applications or other aspects of the IT environment may give rise to risks
arising from the use of IT.
✓ An understanding of the entity's business model and how it integrates the use of IT may also
provide useful context on the nature and extent of IT expected in the information system.
✓ The auditor's understanding of the IT environment may focus on identifying, and understanding
the nature and number of, the specific IT applications and other aspects of the IT environment that
are relevant to the flows of transactions and processing of information in the information system.
Changes in the flow of transactions or information within the information system may result from
program changes to IT applications, or from direct changes to data in databases involved in
processing or storing those transactions or information.
✓ The auditor may identify the IT applications and supporting IT infrastructure concurrently with
the auditor's understanding of how information relating to significant classes of transactions, account
balances and disclosures flows into, through and out of the entity's information system.

2. When obtaining an understanding of the significance and complexity of the IT environment, the
auditor may use automated tools and techniques. Examples of procedures that may be performed
include:
✓ Perform risk assessment procedures on large volumes of data (from the general ledger,
sub-ledgers or other operational data), including analysis, recalculations, reperformance or
reconciliations.
✓ Perform analytical procedures (commonly called data analytics).
✓ Observe or inspect assets, for example through the use of remote observation tools (e.g. a drone).
✓ Understand flows of transactions and processing as part of the auditor's procedures to understand
the information system. An outcome of these procedures may be that the auditor obtains information
about the entity's organizational structure or those with whom the entity conducts business (e.g.
vendors, customers, related parties).
✓ Obtain direct access to, or a digital download from, the databases in the entity's information
system that store accounting records of transactions. With this, the auditor may confirm the
understanding obtained about how transactions flow through the information system by tracing journal
entries, or other digital records related to a particular transaction or an entire population of
transactions, from initiation in the accounting records through to recording in the general ledger.
✓ When automated procedures are used to maintain the general ledger and prepare financial
statements, such entries may exist only in electronic form and may therefore be more easily identified
through the use of automated techniques.

3. Understanding the risks arising from the use of IT and the general IT controls implemented by the
entity to address those risks may affect:
✓ The auditor's decision about whether to test the operating effectiveness of controls to address
risks of material misstatement at the assertion level;
✓ The auditor's assessment of control risk at the assertion level;
✓ The auditor's strategy for testing information produced by the entity that is produced by, or
involves information from, the entity's IT applications;
✓ The auditor's assessment of inherent risk at the assertion level; or
✓ The design of further audit procedures.

For the IT applications relevant to the information system, understanding the nature and complexity
of the specific IT processes and general IT controls that the entity has in place may assist the auditor
in determining which IT applications the entity is relying upon to accurately process and maintain the
integrity of information in the entity's information system. Such IT applications may be subject to
risks arising from the use of IT.

4. The auditor shall also consider risks arising from the use of IT. Such risks may arise from:
✓ Susceptibility of information processing controls to ineffective design or operation, or risks to
the integrity of information (i.e. the completeness, accuracy and validity of transactions and other
information) in the entity's information system, due to ineffective design or operation of controls in
the entity's IT processes.
✓ Susceptibility to ineffective implementation of the entity's information policies, which are the
policies that define the information flows, records and reporting processes in the entity's information
system. Information processing controls are procedures that support effective implementation of the
entity's information policies. They may be automated (i.e. embedded in IT applications) or manual
(e.g. input or output controls) and may rely on other controls, including other information processing
controls or general IT controls.

Identifying risks arising from the use of IT and general IT controls

In identifying the risks arising from the use of IT, the auditor may consider the nature of the
identified IT application or other aspects of the IT environment and the reasons for it being subject to
risks arising from the use of IT. Major considerations include:
✓ The auditor may identify applicable risks arising from the use of IT that relate primarily to
unauthorized access or unauthorized program changes, as well as risks related to inappropriate data
changes (e.g. the risk of inappropriate changes to data through direct database access or the ability
to directly manipulate information).
✓ The extent and nature of the applicable risks arising from the use of IT vary depending on the
nature and characteristics of the identified IT applications and other aspects of the IT environment.
Applicable IT risks may also result when the entity uses external or internal service providers for
identified aspects of its IT environment (e.g. outsourcing the hosting of its IT environment to a third
party, or using a shared service center for central management of IT processes in a group).
✓ Applicable risks arising from the use of IT may also be identified in relation to cybersecurity.
✓ It is more likely that there will be more risks arising from the use of IT when the volume or
complexity of automated application controls is higher and management is placing greater reliance on
those controls for effective processing of transactions or the effective maintenance of the integrity of
underlying information.

Specific examples of risks arising from the use of IT

Examples of risks arising from the use of IT include risks related to inappropriate reliance on IT
applications that are inaccurately processing data, processing inaccurate data, or both, such as:
✓ Unauthorized access to data that may result in destruction of data or improper changes to data,
including the recording of unauthorized or non-existent transactions, or inaccurate recording of
transactions. Particular risks may arise where multiple users access a common database.
✓ The possibility of IT personnel gaining access privileges beyond those necessary to perform their
assigned duties, thereby breaking down segregation of duties.
✓ Unauthorized changes to data in master files.
✓ Unauthorized changes to IT applications or other aspects of the IT environment.
✓ Failure to make necessary changes to IT applications or other aspects of the IT environment.
✓ Inappropriate manual intervention.
✓ Potential loss of data or inability to access data as required.

5. The auditor should have sufficient knowledge of IT to plan, direct, supervise and review the work
performed. The auditor should also determine whether assistance from an expert is needed. When an
entity has greater complexity in its IT environment, identifying the IT applications and other aspects
of the IT environment, determining the related risks arising from the use of IT, and identifying general
IT controls is likely to require the involvement of team members with specialized skills in IT. Such
involvement is likely to be essential, and may need to be extensive, for complex IT environments.

TEST OF CONTROLS

The effectiveness of application controls is greatly affected by the effectiveness of general controls.
Accordingly, it may be more efficient to review the design of the general controls before reviewing
the application controls.
Application controls which the auditor may wish to test include manual controls exercised by the
user, controls over system output, and programmed control procedures.

AUDIT APPROACHES – Test of Controls

The auditor's tests of controls vary depending on whether the audit evidence generated by the computer
is:
1. External to the computer, and therefore directly observable.
• Procedures involved are usually inquiry, observation and inspection of documents.
• The auditing-around-the-computer technique is applied.
2. Internal to the computer, and therefore not directly observable.
• Requires the auditor to use the computer to obtain a reasonable degree of assurance that controls
are operating as planned.

To test these controls, the auditor may use the following approaches:

1. Black box approach (auditing around the computer)
• Involves procedures generally performed in testing a manual control structure.
• Focuses solely on the input documents and the IT output.
• The auditor ignores the client's data processing procedures.
2. White box approach
a. Auditing with the computer
• The auditor uses the computer as an audit tool.
b. Auditing through the computer
• The auditor enters the client's system and directly examines the computer and its system and
application software using CAATs.

COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATs) FOR TESTS OF CONTROLS

1. The following factors are considered in deciding whether to use CAATs:
a. Degree of technical competence in IT
b. Availability of CAATs and appropriate computer facilities
c. Impracticability of manual tests
d. Effectiveness and efficiency
e. Timing of tests

2. Tests of controls using CAATs may be divided into the following categories of techniques:
a. Program analysis
b. Program testing
c. Continuous testing
d. Review of operating systems
Program Analysis
These techniques allow the auditor to gain an understanding of the client's programs:
a. Code review – actual analysis of the logic of the program's processing routines.
b. Comparison programs – programs that allow the auditor to compare computerized files, for
example the production version of a program against an authorized copy, to detect unauthorized
changes.
c. Flowcharting software – used to produce a flowchart of a program's logic; may be used in both
mainframe and microcomputer environments.
d. Program tracing and mapping – program tracing is a technique in which each instruction executed
is listed along with the control information affecting that instruction. Program mapping identifies
sections of code that can be "entered" and thus are executable. These techniques allow the auditor to
recognize logic sequences or dormant sections of code that may be a potential source of abuse.
e. Snapshot – this technique in essence "takes a picture" of the status of program execution,
intermediate results or transaction data at specified processing points in the program. It helps the
auditor analyze the processing logic of specific programs.

Program Testing
Program testing involves the use of auditor-controlled actual or simulated data. The approach provides
direct evidence about the operation of programs and programmed controls.
a. Test data
• A set of dummy transactions is developed by the auditor and processed by the client's computer
programs to determine whether the controls the auditor intends to test are operating effectively.
• Test data shifts control over the processing to the auditor by using the client's software to process
both valid and invalid transactions.
• If the embedded controls are functioning effectively, the client's software should detect all the
exceptions planted in the auditor's test data.
• When this technique is used, the auditor should run the test data on a surprise basis.

b. Integrated test facility (ITF), integrated test data, or mini-company approach
• This method introduces dummy transactions into a system in the midst of live transactions and is
usually built into the system during the original design.
• It integrates fictitious and actual data without the client's operating personnel being aware of it,
allowing the auditor to compare the client's output with the results expected by the auditor.
• One way to accomplish this is to incorporate a simulated subsidiary (a dummy entity) into the
accounting system with the sole purpose of running test data through it.

c. Base Case System Evaluation (BCSE)

• A special type of test data.
• Can provide an auditor with much more assurance than test data alone.
• Develops test data that purports to test every possible condition that an auditor
expects a client's software will confront.
• Time-consuming and expensive to develop and therefore cost-effective only in large
computer systems for which the auditor can rely on internal auditors to develop the
base case.

NOTE: When using these techniques, each control need only be tested once. However,
several problems may be encountered during testing. These problems include, but are
not limited to, the following:
1. Making certain the test data is not included in the client's accounting records.
2. Determining that the program tested is actually used by the client to process data.
3. Adequately developing test data for every possible control.
4. Developing adequate data to test key controls may be extremely time-consuming.

d. Parallel simulation
• Shifts control over the computer software to the auditor.
• This technique processes actual client data through an auditor's generalized audit
software program and frequently, although not necessarily, the auditor's computer.
• After processing the data, the auditor compares the output obtained with the output
obtained from the client.
• If the client's software is operating effectively, the client's software should generate
the same exceptions as the auditor's software.
• Should be performed on a surprise basis if possible.

The limitations of this method are:

1. The time it takes to build an exact duplicate of the client's system.
2. Incompatibility between the auditor's and the client's software.
3. Tracing differences between two sets of outputs to differences in the
programs may be difficult.
4. The time involved in processing large quantities of data.

e. Controlled reprocessing
• This is only a variation of parallel simulation. Instead of using a generalized audit
software program to process actual client data, the auditor uses a copy of the
client's application program.

The limitations of this method are:

1. Determining that the copy of the program is identical to that currently being
used by the client.
2. Keeping current with changes in the program.
3. The time involved in reprocessing large quantities of data.
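
The test data and parallel simulation techniques described above, as an added example that is not part of these lecture notes: a constructed stand-in for the client's edit program (with one edit deliberately missing), an auditor test deck with planted exceptions, and an auditor-written version of the same edits used to reprocess live data and compare exception output. All transaction records, customer codes and credit limits are constructed for the example.

```python
from collections import namedtuple

# Constructed transaction record and client customer master (assumed credit limits).
Txn = namedtuple("Txn", "txn_id customer qty unit_price")
CLIENT_MASTER = {"C100": 5_000.00, "C200": 1_000.00}

def client_edit_program(txn, master=CLIENT_MASTER):
    """Stands in for the client's application program (constructed). Returns the
    exception codes raised; the quantity edit is deliberately missing for the demo."""
    errors = []
    if txn.customer not in master:
        errors.append("UNKNOWN_CUSTOMER")
    elif txn.qty * txn.unit_price > master[txn.customer]:
        errors.append("OVER_CREDIT_LIMIT")
    return errors

def auditor_edit_program(txn, master=CLIENT_MASTER):
    """Auditor's independently written version of the same edits (parallel simulation)."""
    errors = []
    if txn.customer not in master:
        errors.append("UNKNOWN_CUSTOMER")
    elif txn.qty * txn.unit_price > master[txn.customer]:
        errors.append("OVER_CREDIT_LIMIT")
    if txn.qty <= 0:
        errors.append("NONPOSITIVE_QTY")
    return errors

# Auditor's test deck: dummy transactions paired with the exceptions the auditor expects.
TEST_DECK = [
    (Txn("T1", "C100", 2, 100.0), []),                      # valid transaction
    (Txn("T2", "C999", 1, 50.0), ["UNKNOWN_CUSTOMER"]),      # planted exception
    (Txn("T3", "C200", 20, 100.0), ["OVER_CREDIT_LIMIT"]),   # planted exception
    (Txn("T4", "C100", -1, 100.0), ["NONPOSITIVE_QTY"]),     # planted exception
]

# Constructed "live" client transactions for the parallel simulation.
LIVE_TXNS = [Txn("L1", "C100", 3, 200.0), Txn("L2", "C200", 0, 999.0),
             Txn("L3", "C200", 5, 300.0)]

def run_test_data(program, deck):
    """Test data: run the deck through `program` and return the ids of any
    planted exceptions it failed to detect (or reported differently)."""
    return [t.txn_id for t, expected in deck if set(program(t)) != set(expected)]

def parallel_simulation(live_txns, client_program, auditor_program):
    """Parallel simulation: reprocess live data through both programs and return
    the ids whose exception output differs, for the auditor to investigate."""
    return [t.txn_id for t in live_txns
            if set(client_program(t)) != set(auditor_program(t))]
```

The missing quantity edit shows up both ways: the test deck reports T4 as an undetected planted exception, and the parallel simulation reports L2 (a zero-quantity live transaction) as a difference between the two programs.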

Continuous/Concurrent Testing
3. Advanced computer systems, particularly those utilizing EDI (electronic data interchange), sometimes do
not retain permanent audit trails, thus requiring capture of audit data as transactions are processed.
Such systems may require audit procedures that are able to identify and capture data as each transaction
occurs.
a. Embedded audit modules
• Embedded audit modules are programmed routines incorporated into an
application program that are designed to perform an audit function such as
calculations, or logging activity.
• They are used to select client data for subsequent testing and analysis.
b. System control audit review files (SCARF)
• A log, usually created by an embedded audit module, used to collect information for
subsequent review and analysis.
• The auditor determines the appropriate criteria and the SCARF selects the type of
transactions to be logged.
c. Audit hooks
• An audit hook is an exit point in an application program that allows an auditor to
subsequently add an audit module (or particular instructions) by activating the hook
to transfer control to an audit module.
• Auditors sometimes use audit hooks to accomplish transaction tagging.
d. Transaction tagging
• Tagging is a technique in which an identifier providing a transaction with a special
designation is added to the transaction record.
• A transaction is tagged and then traced through critical control points in the
information system.
• The tag is often used to allow logging of transactions or snapshot of activities.
e. Extended records
• This technique attaches additional data that would not otherwise be saved to
regular historic records and thereby helps to provide a more complete audit trail.
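
The embedded audit module, SCARF, audit hook and transaction tagging techniques above, as an added example that is not part of these lecture notes: a constructed posting routine with two control points that call an audit module, which writes transactions meeting auditor-set criteria to a SCARF log and takes a snapshot of auditor-tagged transactions at each control point. The criteria thresholds, user ids and transactions are constructed.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str
    user: str
    amount: float
    hour: int              # hour of day (0-23) the transaction was entered
    tagged: bool = False   # auditor's tag: snapshot this transaction at every control point

# Auditor-determined SCARF selection criteria (constructed thresholds).
SCARF_CRITERIA = {"max_amount": 10_000.0, "business_hours": range(8, 18)}

def embedded_audit_module(txn, point, state, logs):
    """Audit routine called by the application at each control point. Tagged
    transactions get a snapshot of the processing state; any transaction meeting
    the SCARF criteria is written to the SCARF log once it has been posted."""
    if txn.tagged:
        logs["snapshots"].append((txn.txn_id, point, dict(state)))
    reasons = []
    if txn.amount > SCARF_CRITERIA["max_amount"]:
        reasons.append("LARGE_AMOUNT")
    if txn.hour not in SCARF_CRITERIA["business_hours"]:
        reasons.append("OUTSIDE_HOURS")
    if reasons and point == "posted":
        logs["scarf"].append((txn.txn_id, txn.user, reasons))

def post_transaction(txn, ledger, logs):
    """Constructed application routine with two control points (audit hooks)."""
    state = {"balance_before": ledger.get("cash", 0.0)}
    embedded_audit_module(txn, "validated", state, logs)   # hook 1
    ledger["cash"] = ledger.get("cash", 0.0) + txn.amount
    state["balance_after"] = ledger["cash"]
    embedded_audit_module(txn, "posted", state, logs)      # hook 2

def process_batch(txns):
    """Post a batch; return the ledger plus the SCARF and snapshot logs for review."""
    ledger, logs = {}, {"scarf": [], "snapshots": []}
    for t in txns:
        post_transaction(t, ledger, logs)
    return ledger, logs

# Constructed sample transactions.
SAMPLE = [
    Txn("A1", "clerk1", 500.0, 10),
    Txn("A2", "clerk2", 25_000.0, 11),            # exceeds the amount criterion
    Txn("A3", "admin", 300.0, 23, tagged=True),   # tagged by auditor; entered at 23:00
]
```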

Review of Operating Systems and Other System Software

4. System software may perform controls for computer systems. Related audit techniques range from
user-written programs to the use of purchased operating-system monitoring software.
a. Job accounting data/operating system logs
• These logs, created by either the operating system itself or additional software
packages that track particular functions, include reports of the resources used by the
computer system.
• The auditor may be able to use them to review the work processed to determine
whether unauthorized applications were processed and to determine that authorized
applications were processed properly.
b. Library management software
- This software logs changes in programs, program modules, job control language, and
other processing activities.
c. Access control and security software
- This software supplements the physical and other control measures relating to the
computer and is particularly helpful in online environments or in systems with data
communications because of the difficulty of physically securing computers.
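
The job accounting log review in item 4a above, as an added example that is not part of these lecture notes: a few constructed operating-system job log lines are parsed and checked against an authorized-program list to flag unauthorized applications, authorized applications run by unauthorized users, and authorized runs that did not complete normally. The log line format, program names and user ids are all constructed.

```python
import re

# Constructed job accounting log (assumed format):
#   JOB=<name> USER=<id> PGM=<program> CPU=<secs> RC=<return code>
JOB_LOG = """\
JOB=PAYROLL01 USER=OPS1 PGM=PAYCALC CPU=12.5 RC=0
JOB=GLPOST03 USER=OPS2 PGM=GLPOST CPU=3.2 RC=0
JOB=ADHOC9 USER=DEV7 PGM=PAYCALC CPU=11.9 RC=0
JOB=TEST77 USER=DEV7 PGM=MYFIX CPU=0.4 RC=0
JOB=GLPOST04 USER=OPS2 PGM=GLPOST CPU=0.1 RC=12
"""

# Authorized production programs and the users permitted to run them (constructed).
AUTHORIZED = {"PAYCALC": {"OPS1"}, "GLPOST": {"OPS2"}}

LINE_RE = re.compile(r"JOB=(\S+) USER=(\S+) PGM=(\S+) CPU=([\d.]+) RC=(\d+)")

def parse_job_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            job, user, pgm, cpu, rc = m.groups()
            jobs.append({"job": job, "user": user, "pgm": pgm,
                         "cpu": float(cpu), "rc": int(rc)})
    return jobs

def review_job_log(jobs, authorized):
    """Return (job, finding) pairs for the auditor to follow up: programs not on
    the authorized list, authorized programs run by an unauthorized user, and
    authorized runs that ended abnormally (non-zero return code)."""
    findings = []
    for j in jobs:
        if j["pgm"] not in authorized:
            findings.append((j["job"], "UNAUTHORIZED_PROGRAM"))
        elif j["user"] not in authorized[j["pgm"]]:
            findings.append((j["job"], "UNAUTHORIZED_USER"))
        elif j["rc"] != 0:
            findings.append((j["job"], "ABNORMAL_COMPLETION"))
    return findings
```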
Computerized Audit Tools

5. The following computer-assisted audit techniques are available for administering, planning,
performing, and reporting on an audit.
a. Generalized audit software (GAS)/Package programs
- The auditor may use various types of software on PCs, including customized
programs, utility software, and generalized audit software, for performing tests of controls and
substantive tests.
- They can be designed to perform audit tasks such as:
1. Reading computer files
2. Selecting samples
3. Performing calculations
4. Creating data files
5. Printing reports in an auditor-specified format

b. Electronic spreadsheet
- Often included in GAS; may be used for applications such as analytical procedures and
performing mathematical procedures.
- Contains a variety of predefined mathematical operations and functions that can be applied to
data entered into the cells of a spreadsheet.

c. Automated workpaper software

- Microcomputer based and used to generate trial balances, lead schedules, and other
workpapers useful for the audit.
- The schedules and reports can be created once the auditor has manually entered or
electronically imported the client's account balance information into the
system.
d. Database management system
- May be used to perform analytical procedures, mathematical calculations, generation of
confirmation requests, and to prepare customized automated workpapers.
- Manage the creation, maintenance, and processing of information.
- The data are organized in the form of predefined records, and the database software is used
to select, update, sort, display, or print the records.
e. Text retrieval software/ Text database software
- Enables access to various databases, including database of standard-setting bodies.
- The software program allows the user to browse through text files much as a user would
browse through books.
f. Public databases
- May be used to obtain accounting information related to particular companies and
industries as well as other publicly available information.
g. Word processing software
- Used in a variety of communication-related ways, including the consideration of internal
control, developing audit programs, and reporting.
