CHAPTER 34
CONDUCTING AN INFORMATION SYSTEM AUDIT
Overview of Steps in Information System Audit
Four phases in Information System Audit:
1. Audit Planning
2. Tests of Controls
3. Substantive test
4. Issuance of Audit Report
Process of an IT Audit
[Flowchart] Start, followed by these phases in order:
Audit Planning
◦ Review Organization’s Policies, Procedures and structure
◦ Review General Controls and Application Controls
◦ Plan Tests of Controls and Substantive Testing Procedure
Tests of Control
◦ Perform Test of Controls
◦ Evaluate Test Results
◦ Determine Degree of Reliance on Controls
Substantive Testing Phase
◦ Perform Substantive Tests
◦ Evaluate Results and Prepare Audit Report
Issuance of Audit Report
Audit Planning
Audit planning includes understanding the
client’s:
1. Industry Environment
2. Business and management
3. Accounting and reporting systems
4. Internal control
Maximum control risk is defined as the greatest
probability that a material misstatement that
could occur in an assertion will not be prevented
or detected on a timely basis by the entity’s
internal control structure.
Auditors can understand the control
environment and risk assessment
components by examining management
controls.
Auditors can understand specific control
activities by reviewing both management
controls and application controls.
Auditors can understand the monitoring
component primarily by examining management
controls.
Management controls differ substantially from
organization to organization.
Test of Controls
The auditor focuses his attention on both the design
and operation aspects of the internal control
structure to determine whether the necessary
controls were functioning as intended.
If credit risk is below the maximum level, auditors
may decide to perform tests of controls.
If credit risk is at the maximum level, auditors are not
required to perform any test of controls.
Procedures involved in tests of controls:
1. Inquiries
2. Inspection
3. Observation
4. Reperformance of policies & procedures
Tests of controls precede substantive testing.
Results of the test of controls must be fully
documented.
Auditors use test of transactions to evaluate the
effective and efficient handling of events.
Substantive Test
Auditors conduct tests of balances or overall
results to obtain sufficient evidence for making
a final judgment on the extent of losses or
account misstatements that occur when
information system functions fail.
Specific Objectives for Substantive Test
1. Existence or occurrence and validity
2. Completeness and Accuracy
3. Rights and Obligations
4. Proper valuation or allocation
5. Proper statement presentation and disclosure
The nature, timing, and extent of the procedures
performed in the substantive tests depend upon
the auditor’s assessed level of control risk and
the resulting detection risks he or she accepts for
each assertion.
The final audit phase will also include
accumulation of some additional evidence for
the financial statements, summarization of the
results that will enable the auditor to prepare his
audit report.
Computer support is often required to
undertake substantive tests of balances or
overall results effectively and efficiently.
The nature and conduct of audit work can vary
depending on the type of the organization.
Completion of the Audit and Preparation of Report
Expressing an audit opinion is the auditor’s
overriding goal.
The type of audit report will depend on the evidence
accumulated and the audit findings.
The audit report concisely describes the auditor’s
responsibility, the nature of the examination, the
audit findings and his opinion on the financial
statements.
Types of Audit opinions:
1. Disclaimer of Opinion
2. Adverse Opinion
3. Qualified Opinion
4. Unqualified Opinion
Dealing with Complexities
To deal with complexity, auditors:
1. Factor the system to be evaluated into subsystems
2. Evaluate the controls over subsystems
3. Progressively aggregate judgment on subsystems
Audit Risk
Audit risk refers to the possibility that the
auditors fail to appropriately modify their
opinion on financial statements that are
materially misstated.
The risk of occurrence of a material misstatement
may be separated into two components,
inherent risk and control risk. The risk that
auditors will not detect the misstatement is called
detection risk.
Audit risk model:
DAR = IR × CR × DR
where DAR is the desired audit risk, IR the inherent risk,
CR the control risk and DR the detection risk.
Application of DAR Model
Steps generally followed by Auditor:
1. Choose the level of the desired audit risk
2. Determine the level of inherent risk
3. Assess level of control risk
4. Calculate the level of detection risk
Audit Procedures
To determine whether material losses have
occurred or financial information has been
materially misstated, the following may be used:
1. Procedures to obtain an understanding of controls
2. Tests of controls
3. Substantive tests of details of transactions
4. Substantive tests of details of account balances
5. Analytical review procedures
Auditors can use similar types of
procedures if they are concerned with
evaluating the effectiveness and efficiency
of an organization’s operations.
The procedures are the following:
1. Procedures to obtain an understanding of controls
2. Tests of controls
3. Substantive tests of details of transactions
4. Substantive tests of overall results
5. Analytical review procedures
Audit Techniques
Tool/Technique: Control Flowcharting (Analytic Audit Flowchart)
Explanation: Consists of developing flowcharts of the overall system, manual and computer processing
Advantages:
• Aids in review of internal control
• Familiarizes auditor with the system
• Develops communication between auditor and auditee
• Normally used by auditors; no special training
• Can use flowcharting software
Disadvantages: Costly to develop and maintain
Type of System or Environment Used in: Any type of system
Tool/Technique: Test Data (Test Deck)
Explanation:
• Involves the use of specifically prepared sets of input data that test application controls by running a variety of transactions to be compared with previously determined results
• The ideal test includes every possible combination of transactions and master file situations
Advantages:
• Can use test data generator software
• Test data can be prepared by persons with little technical background
Disadvantages:
• Difficult to anticipate all combinations of transactions
• Must determine that routinely used edition of application program is used
Type of System or Environment Used in: Batch processing
Tool/Technique: Integrated Test Facility (ITF or “Minicompany” Approach)
Explanation: Involves the use of a fictitious entity against which data transactions are processed and results are compared with previously determined results. It is used in the framework of regular production, frequently without computer operator knowledge
Advantages:
• Enables testing of the system as it routinely operates
• Low processing costs
• No special processing
Disadvantages:
• Effects of transactions on operations (books) must be nullified
• Quantity of five data inputs may be limited when submitted with regular runs
• Possibility of contamination of database
Type of System or Environment Used in: Online, real-time
Tool/Technique: Parallel Simulation
Explanation: Involves the use of specially prepared application-type programs to process transactions also run in routine processing, which simulates routine processing in an effort to verify results. A relative of parallel simulation is controlled reprocessing that uses a copy of the auditee’s program to reprocess actual data
Advantages:
• Testing can be done on a surprise basis
• Cost of preparing test data is eliminated
• Can process many of auditee’s transactions, eliminating need for small samples
• More thorough than sampling
Disadvantages:
• Usually simulation is for only selected portions of a total application
• Cost of developing program may be prohibitive
• Auditor may need special skills
• Does not have broad application
Type of System or Environment Used in:
• Database management systems
• Most effective when applied to calculations, decisions and large quantity of transactions
Tool/Technique: Generalized Audit Software Package (GASP)
Explanation: Involves the use of computer software packages (programs) that may allow not only parallel simulation but also a variety of other processing functions
Advantages:
• Can process several files and file types
• Enables use with limited training
• Packages interface with many types of hardware and software
• Decreases auditor dependence on data processing personnel and time
Disadvantages:
• Limited application in online, real-time systems
• Limited logical and mathematical capabilities
Type of System or Environment Used in: Batch processing
Tool/Technique: Transaction selection
Explanation: Involves reprocessing transaction files with specialized computer programs which extract or select particular transactions. Transaction files are retained and given to the auditor
Advantages:
• Programs completely independent of application programs
• Enables efficient selection of transactions for further review
• Enables selection of targeted types of transactions
Disadvantages: May be costly to develop and execute
Type of System or Environment Used in: All systems
Tool/Technique: Embedded Data Collection
Explanation: A transaction selection approach incorporated within the regular production programs to routinely select/extract transactions meeting specified criteria for further testing
Advantages:
• All system activity is subject to review
• Can be used with online systems
• Not limited to input transactions
Disadvantages:
• Additional processing costs of extra audit module program steps that must be executed
• Difficult to implement unless it can be developed along with the system
Type of System or Environment Used in: Online systems
Tool/Technique: Extended Records
Explanation: Involves extending the record of an application to include the data fields necessary to complete an audit trail
Advantages:
• Reduces audit costs associated with tracing audit trails
• Creates an audit trail which was previously nonexistent in hard copy of system input
Disadvantages:
• May not be economical because of added storage costs
• High costs of implementation
Type of System or Environment Used in:
• Database management systems
• Online systems
• Systems which normally lack hard copy of system input or other audit trail
Tool/Technique: Tracing
Explanation: Involves the generation of a complete audit trail to trace transactions through data processing. It normally provides a trail of program statements executed through processing.
Advantages:
• Aids in verifying application of internal controls
• Allows tagging of certain live data through the system
• Can be used with both test and live data
Disadvantages:
• Auditor must have significant knowledge of the program to follow logic
• Can increase program processing time
Type of System or Environment Used in: Advanced
Tool/Technique: Snapshot
Explanation: Involves capturing the data used in processing at a specific point in the stream of processing
Advantages:
• No permanent effect on data
• Can insert code quickly with minimum development time
• Can help to generate hard copy transaction trail for a specified item
• Can be used to selectively print out data that meet certain criteria
• Can aid in debugging
• Can aid in determining intermediate values of data in processing stream
Disadvantages:
• Code must be embedded in the application program
• Code adds to the processing time
• Requires skilled data processing personnel
Type of System or Environment Used in: Effective in high-volume systems where complete transaction trail would generate too much information
Tool/Technique: Mapping
Explanation: Involves monitoring the execution of an application program to determine certain statistical information about the run
Advantages:
• Can aid in evaluating how well test data tested a run
• Can indicate lines of code which are extraneous or not often used
Disadvantages: High cost
Type of System or Environment Used in: Advanced
Tool/Technique: System Control Audit Review File (SCARF) (Specific Implementation of Embedded Data Collection)
Explanation: Involves the incorporation of reasonableness tests into the normal processing of application programs, the results being reported to the auditor rather than to the user for the auditor’s review and investigation
Advantages:
• All system activity is subject to review
• Can be used with online systems
• Not limited to input transactions
Disadvantages:
• Additional processing cost of extra audit module program steps that must be executed
• Difficult to implement unless it can be developed along with the system
Type of System or Environment Used in: Advanced
Tool/Technique: Sample Audit Review File (SARF)
Explanation: Similar to SCARF but random selection of transactions rather than special edit or reasonableness tests
Advantages:
• All system activity is subject to review
• Can be used with online systems
• Not limited to input transactions
Disadvantages:
• Additional processing cost of extra audit module program steps that must be executed
• Difficult to implement unless it can be developed along with the system
Type of System or Environment Used in: Advanced
Auditing Around the Computer
Used when it is the most cost-effective
way to undertake the audit, such as when:
◦ Application system is simple and batch-oriented;
◦ Application system uses generalized package
software; and
◦ High reliance is placed on user rather than
computer controls to safeguard assets,
maintain data integrity and attain effectiveness
and efficiency objectives
Major Limitations
The type of computer system in which it
is applicable is very restricted, and should
not be used when systems are complex.
It does not provide information about the
system’s ability to cope with the change.
Auditing Through the Computer
Might be fairly simple or require
extensive technical competence
Auditors use the computers to test:
◦ Processing logic and controls existing within
the system
◦ Records produced by the system
Computer-assisted audit techniques
Used when auditing a client with a
sophisticated system
Auditors use:
◦ Test data
◦ Concurrent audit techniques
◦ Parallel simulation
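Parallel simulation, listed above and described in the techniques table, shown as an added example that is not part of the original material: the auditor's own program reprocesses the client's transactions and compares each result with the figure the client system reported. The invoice fields, the 5% volume-discount rule and the sample records are constructed assumptions for illustration.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed sample: transactions already processed by the auditee's system,
# each with the invoice total that system reported.
CLIENT_OUTPUT = [
    {"invoice": "INV-001", "qty": 10,  "unit_price": "25.00", "reported_total": "250.00"},
    {"invoice": "INV-002", "qty": 120, "unit_price": "9.99",  "reported_total": "1138.86"},
    {"invoice": "INV-003", "qty": 100, "unit_price": "40.00", "reported_total": "4000.00"},
    {"invoice": "INV-004", "qty": 3,   "unit_price": "19.95", "reported_total": "59.85"},
    {"invoice": "INV-005", "qty": 250, "unit_price": "2.10",  "reported_total": "498.75"},
    {"invoice": "INV-006", "qty": 5,   "unit_price": "12,50", "reported_total": "62.50"},
]

# Hypothetical documented business rule the auditor re-implements independently:
# a 5% discount applies when quantity is 100 or more.
DISCOUNT_THRESHOLD = 100
DISCOUNT_RATE = Decimal("0.05")
CENT = Decimal("0.01")

def simulate_total(qty, unit_price):
    """Auditor's independent computation of one invoice total."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty >= DISCOUNT_THRESHOLD:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(records, tolerance=Decimal("0.00")):
    """Reprocess every record and return those that disagree or cannot be read."""
    exceptions = []
    for rec in records:
        try:
            expected = simulate_total(rec["qty"], rec["unit_price"])
            reported = Decimal(rec["reported_total"])
        except (InvalidOperation, KeyError, TypeError, ValueError) as err:
            # A record the simulation cannot parse is itself an audit exception.
            exceptions.append({"invoice": rec.get("invoice"),
                               "reason": "unprocessable",
                               "detail": type(err).__name__})
            continue
        difference = reported - expected
        if abs(difference) > tolerance:
            exceptions.append({"invoice": rec["invoice"], "reason": "mismatch",
                               "reported": reported, "expected": expected,
                               "difference": difference})
    return exceptions

def net_misstatement(exceptions):
    """Sum of reported-minus-expected over all mismatched records."""
    return sum((e["difference"] for e in exceptions if e["reason"] == "mismatch"),
               Decimal("0"))

if __name__ == "__main__":
    found = parallel_simulation(CLIENT_OUTPUT)
    for item in found:
        print(item)
    print("Net misstatement:", net_misstatement(found))
```

Every record is reprocessed rather than a sample, which is the advantage the table attributes to this technique; the boundary case at exactly 100 units is the kind of logic error it surfaces.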
Cases where auditing through the
computer must be used:
The inherent risk associated with the application
system is high.
The application system processes large volumes
of input and produces large volumes of output
that make extensive, direct examination of the
validity of input and output difficult to
undertake.
Significant parts of internal control
system are embodied in the computer
system.
The processing logic embedded within
the application system is complex.
Substantial gaps in the visible audit trail
are common.
Advantages of Auditing Through the
Computer
Auditors have increased power to test an
application system effectively.
Auditors are better able to assess the
system’s ability to cope with change and
the likelihood of losses or account
misstatements in the future.
Disadvantages of Auditing Through the
Computer
Sometimes costly especially in terms of
labor hours spent in understanding
internal workings of the system
Extensive technical expertise will be
needed in some cases.
The Effect of a Personal Computer
Environment on Audit Procedures (PAPS
1001)
Auditor may often assume that control
risk is high because it may not be
practicable to implement sufficient
controls to reduce the risks of undetected
errors to a minimum level.
It may entail more physical examination
and confirmation of assets, more tests of
details, larger sample sizes and greater use
of computer-assisted audit techniques if
appropriate.
Or, the auditor may decide to use personal
computer systems that process a large
number of transactions when it would be
cost-effective to perform audit work on
the data at a preliminary date.
Control procedures to consider when
relying on stand-alone personal computers:
Segregation of duties and balancing controls:
◦ Segregation of functions
◦ Rotation of duties among employees
◦ Reconciliation of system balances to general ledger
control accounts
◦ Periodic review of processing schedule and reports
Access to the personal computer and its files:
◦ Placement within the sight of the individual who
controls access to it
◦ Use of security cables on computer and terminals
◦ Use of passwords on microcomputer’s programs
and data files
◦ Restriction on use of utility programs
Use of third-party software:
◦ Review of application software prior to purchasing
including functions, capacity and controls
◦ Adequate testing of the software and
modifications prior to use
◦ Ongoing assessment of the adequacy of the
software to meet user requirements
Effect of On-line Computer Systems on
Audit Procedures (PAPS 1002)
Authorization, completeness and
accuracy of on-line transactions
Integrity of records and processing due to
many users and programmers
Changes in the performance including use
of CAATs due to:
◦ Need for auditors with technical skills in on-line
computer systems
◦ Effect of on-line computer system on the timing
of audit procedures
◦ Lack of visible transaction trails
Procedures carried out during the audit planning
stage:
◦ Participation on the audit team of individuals with
technical proficiency in on-line computer systems and
related controls
◦ Preliminary determination during the risk assessment
process of the impact of the system on the audit
procedures.
Audit procedures performed concurrently
with on-line processing:
◦ Compliance testing of the controls over the
on-line applications
Procedures performed after processing
has taken place:
◦ Compliance testing of controls over
transactions logged by the on-line system for
authorization, completeness and accuracy
◦ Substantive tests of transactions and processing
results rather than tests of controls where former
may be more cost-effective or where system is
not well-designed or controlled
◦ Re-processing transactions as either a
compliance or substantive procedure
Benefits of on-line computer systems
Makes it more effective to perform a pre-
implementation review of new on-line
accounting applications than to review them
after installation
Provides auditor with opportunity to request
more functions
Also provides sufficient time to develop and
test audit procedures in advance
The Effect of Database on Audit
Procedures (PAPS 1003)
DBMS and significant accounting
applications using database
Standards and procedures for development
and maintenance of application programs
using database
Database administration function
Job descriptions, standards and procedures
for those individuals responsible for
technical support, design, administration and
operation of database
Procedures used to ensure the integrity,
security and completeness of financial
information contained in database
Availability of audit facilities within
DBMS
Where the auditor performs compliance or substantive tests related
to the database system, the DBMS may be used to:
◦ Generate test data
◦ Provide audit trail
◦ Check integrity of database
◦ Provide access to database or copy of relevant parts
◦ Obtain necessary information for the audit
Where auditor determines that controls in the
database system cannot be relied upon, he
should consider whether performing
additional substantive tests on all
significant accounting applications would
achieve his audit objective
Effect of E-commerce/electronic Records
on Audit Evidence and Procedures (PAPS
1013)
Auditor should consider whether the
entity’s security of information policies
and security controls are adequate to
prevent unauthorized changes to the
system or records
Auditor may test automated controls
Auditor may also consider the need to
perform additional procedures depending
on his/her assessment of the controls