Chapter 1 - Overview of IT Audit

The document provides an overview of auditing computerized accounting information systems, detailing the audit function, types of audits, and the importance of information systems auditing. It discusses various auditing approaches, including auditing around and through the computer, as well as the use of computer-assisted audit techniques (CAATs) and risk assessment strategies. Additionally, it highlights the objectives of an information systems audit and the necessary skills for auditors in the digital age.

Uploaded by

Francis

Auditing Computerized Accounting Information Systems

• Introduction
• The Audit Function
• Auditing Computerized Accounting Information Systems
• Auditing with the Computer
• Auditing in the Information Age

The Audit Function

• The purpose of an audit is to examine and to assure.
• The nature of auditing differs according to the subject under examination.
• Audits can be internal, external, or audits of information systems.

Internal versus External Auditing

• In an internal audit, a company’s own accounting employees perform the audit.
• Accountants working for an independent CPA firm normally perform the external audit.
• The chief purpose of the external audit is the attest function.
• The fairness evaluation of financial statements in an external audit is conducted according to GAAP.
• Fraud auditors specialize in investigating fraud.

Information Systems Auditing

• Information systems auditing, or electronic data processing (EDP) auditing, involves evaluating the computer’s role in achieving audit and control objectives.
• The components of a computer-based AIS are people, procedures, hardware, data communications, software and databases.
• These components are a system of interacting elements that auditors examine to accomplish the purposes of their audits.

The Information Systems Audit Process

• If computer controls are weak or nonexistent, auditors will need to do more substantive testing, or detailed tests of transactions and account balances.
• Compliance testing is performed to ensure that the controls are in place and working as prescribed.
• This may entail using computer-assisted audit techniques (CAATs) to audit through the computer.

Careers in Information Systems Auditing

• Information systems auditors may choose to obtain professional certification as a Certified Information Systems Auditor (CISA).
• Applicants must pass an examination given by the Information Systems Audit and Control Association (ISACA).
• Specialized skills and a broad-based set of technical knowledge are needed.

Risk Assessment

• An external auditor’s main objective in reviewing information systems control procedures is to evaluate the risks to the integrity of accounting data presented in financial reports.
• A secondary objective is to make recommendations to managers about improving these controls.

Risk-Based Audit Approach

• Determine threats facing the AIS.
• Identify the control procedures that should be in place to minimize threats.
• Evaluate the control procedures within the AIS (systems review).
• Evaluate weaknesses within the AIS to ascertain their effect on auditing procedures.

Information Systems Risk Assessment

• Information Systems Risk Assessment evaluates the desirability of IT-related controls for a particular aspect of business risk.
• Auditors and managers must answer each of the following questions:
  • What assets or information does the company have that unauthorized individuals would want?
  • What is the value of these identified assets or information?
  • How can unauthorized individuals obtain valuable assets or information?
  • What are the chances of unauthorized individuals obtaining valuable assets or information?

Guidance in Reviewing and Evaluating IT Controls

• The Systems Auditability and Control (SAC) report identifies important information technologies and the specific risks related to these technologies.
• Control Objectives for Information and Related Technology (COBIT) provides auditors with guidance in assessing and controlling for business risk associated with IT environments.

Objectives of an Information Systems Audit

• As part of the process of performing an IT audit, auditors should determine that the following objectives are met:
  • Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
  • Program development and acquisition are performed in accordance with management’s authorization.
  • Program modifications have authorization and approval from management.
  • Processing of transactions, files, reports, and other computer records is accurate and complete.
  • Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
  • Computer data files are accurate, complete, and confidential.

Auditing Computerized AIS - Auditing Around the Computer

• Auditing around the computer assumes that the presence of accurate output verifies proper processing operations.
• This type of auditing pays little or no attention to the control procedures within the IT environment.
• It is generally not an effective approach to auditing a computerized environment.

Auditing Computerized AIS - Auditing Through the Computer

• When auditing through the computer, an auditor follows the audit trail through the internal computer operations phase of automated data processing.
• Through-the-computer auditing attempts to verify the processing controls involved in the AIS programs.

Approaches to Auditing through the Computer

Primary approaches to auditing through the computer using CAATs are:
1. testing programs
2. validating computer programs
3. reviewing systems software
4. continuous auditing

Testing Computer Programs - Test Data

• The test data approach uses a set of hypothetical transactions to test the edit checks in programs.
• The auditor should use as many different exception situations as possible.
• The auditor can also use software programs called test data generators to develop a set of test data.

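The test data approach above, as an added Python example that is not part of the original slides: a constructed deck of hypothetical transactions, each paired with the result the auditor expects, is run through the program under test. `client_edit_check`, its rules, the field names and the period-end date are assumptions standing in for a client's edit routine, which here deliberately lacks a date check.

```python
def client_edit_check(txn):
    """Hypothetical stand-in for the client's edit routine (an assumption).
    It checks account format and amount range but has no date check."""
    acct = txn["account"]
    if not (acct.isdigit() and len(acct) == 6):
        return "REJECT"
    if not (0 < txn["amount_cents"] <= 1_000_000):
        return "REJECT"
    return "ACCEPT"

def make_txn(account="104200", amount_cents=25_000, date="2024-06-01"):
    """Build one constructed transaction; defaults describe a valid record."""
    return {"account": account, "amount_cents": amount_cents, "date": date}

# Constructed test deck: (case name, transaction, result the auditor expects from
# the prescribed edit checks). Assumed period end is 2024-06-30, so a July date
# should be rejected. One exception situation per edit check, plus boundaries.
TEST_DECK = [
    ("valid transaction",     make_txn(),                       "ACCEPT"),
    ("amount at upper limit", make_txn(amount_cents=1_000_000), "ACCEPT"),
    ("amount over limit",     make_txn(amount_cents=1_000_001), "REJECT"),
    ("zero amount",           make_txn(amount_cents=0),         "REJECT"),
    ("negative amount",       make_txn(amount_cents=-500),      "REJECT"),
    ("non-numeric account",   make_txn(account="10A200"),       "REJECT"),
    ("short account",         make_txn(account="1042"),         "REJECT"),
    ("date after period end", make_txn(date="2024-07-15"),      "REJECT"),
]

def run_test_deck(program, deck):
    """Run every case through the program under test and return the cases whose
    actual result differs from the auditor's expected result."""
    exceptions = []
    for name, transaction, expected in deck:
        actual = program(transaction)
        if actual != expected:
            exceptions.append((name, expected, actual))
    return exceptions

if __name__ == "__main__":
    for name, expected, actual in run_test_deck(client_edit_check, TEST_DECK):
        print(f"EXCEPTION: {name}: expected {expected}, program returned {actual}")
```
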
Testing Computer Programs - Integrated Test Facility

• An Integrated Test Facility (ITF) is effective in evaluating integrated online systems and complex programming logic.
• Its purpose is to audit an AIS in an operational setting.
• The auditor’s role is to examine results of transaction processing to find out how well the AIS does the tasks required of it.
• An auditor will introduce artificial transactions into the data processing stream of the AIS.

Testing Computer Programs - Parallel Simulation

• With Parallel Simulation, the auditor uses live input data, rather than test data, in a program written or controlled by the auditor.
• The auditor’s program simulates all or some of the operations of the real program that is actually in use.
• Auditors need a complete understanding of the client system and sufficient technical knowledge.
• Parallel simulation eliminates the need to prepare a set of test data.

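Parallel simulation as described above, in an added Python example that is not part of the original slides: the auditor's own program reprocesses the live input and the results are reconciled against what the production program reported. The invoice records, the client totals and the discount rule (2% on gross amounts of 1,000.00 or more) are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed live input: (invoice id, quantity, unit price).
LIVE_INPUT = [
    ("INV-001", 10, Decimal("19.99")),
    ("INV-002", 120, Decimal("12.50")),
    ("INV-003", 3, Decimal("250.00")),
    ("INV-004", 40, Decimal("30.00")),
    ("INV-005", 5, Decimal("80.00")),
]
# Constructed totals reported by the client's production program for that input.
CLIENT_OUTPUT = {
    "INV-001": Decimal("199.90"),
    "INV-002": Decimal("1470.00"),
    "INV-003": Decimal("735.00"),   # discount applied below the threshold
    "INV-004": Decimal("1176.00"),
    # INV-005 never reached the output file
}

DISCOUNT_THRESHOLD = Decimal("1000.00")  # assumed documented business rule
DISCOUNT_RATE = Decimal("0.02")

def simulate_total(quantity, unit_price):
    """Auditor's independent implementation of the documented pricing rule."""
    gross = quantity * unit_price
    if gross >= DISCOUNT_THRESHOLD:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(live_input, client_output):
    """Reprocess live input and list (invoice, finding, simulated, reported)
    for every record the production output gets wrong or omits."""
    findings = []
    for invoice, quantity, unit_price in live_input:
        simulated = simulate_total(quantity, unit_price)
        reported = client_output.get(invoice)
        if reported is None:
            findings.append((invoice, "missing from client output", simulated, None))
        elif reported != simulated:
            findings.append((invoice, "amount differs", simulated, reported))
    return findings

if __name__ == "__main__":
    for finding in parallel_simulation(LIVE_INPUT, CLIENT_OUTPUT):
        print(finding)
```
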
Validating Computer Programs

• Auditors must validate any program presented to them.
• Procedures that assist in program validation are 1) tests of program change control, 2) program comparison, and 3) surprise audits and surprise use of programs.

Tests of Program Change Control

• Program change control is a set of internal controls developed to guard against unauthorized program changes.
• It requires documentation of every request for application program changes.
• The test begins with inspection of documentation maintained by the information processing subsystem.

Program Comparison

• To guard against unauthorized program tampering, a test of length control total can be performed.
• A comparison program can compare code line-by-line to ensure consistency between the authorized version and the version being used.
• Both tests can detect Trojan horse computer programs.

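Both program comparison tests, in an added Python example that is not part of the original slides. The two source texts are constructed; the in-use copy changes an approval limit without changing the file length, a case the length control total passes and only the line-by-line comparison reports.

```python
import difflib

# Constructed authorized copy (held by the auditor) and the copy found in use.
# The edit swaps one digit, so both files have exactly the same byte length.
AUTHORIZED = """\
def post_payment(acct, amount):
    if amount > 5000:
        require_approval(acct, amount)
    ledger_post(acct, amount)
"""
IN_USE = AUTHORIZED.replace("amount > 5000", "amount > 9000")

def length_control_total(source):
    """Length control total: size of the program text in bytes."""
    return len(source.encode("utf-8"))

def line_differences(authorized, in_use):
    """Line-by-line comparison. Returns (first line number in the authorized
    copy, authorized lines, in-use lines) for every changed region."""
    a, b = authorized.splitlines(), in_use.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((i1 + 1, a[i1:i2], b[j1:j2]))
    return changes

def compare_programs(authorized, in_use):
    """Run both tests and report them separately so a gap in one is visible."""
    return {
        "length_match": length_control_total(authorized) == length_control_total(in_use),
        "changes": line_differences(authorized, in_use),
    }

if __name__ == "__main__":
    result = compare_programs(AUTHORIZED, IN_USE)
    print("length control total matches:", result["length_match"])
    for line_no, old, new in result["changes"]:
        print(f"line {line_no}: authorized={old} in_use={new}")
```
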
Surprise Audits and Surprise Use of Programs

• The surprise audit approach involves examining application programs unexpectedly.
• With the surprise use approach, an auditor visits the computer center unannounced and requests that previously obtained authorized programs be used for the required data processing.

Review of Systems Software

• Systems software includes 1) operating system software, 2) utility programs, 3) program library software, and 4) access control software.
• Auditors should review systems software documentation.
• Systems software can generate incident reports, which are reports listing events encountered by the system that are unusual or interrupt operations.

Continuous Approach

• Audit tools can be installed within an information system to achieve continuous auditing.
• This is particularly effective when most of an application’s data is in electronic form.
• Examples: 1) embedded audit modules, 2) exception reporting, 3) transaction tagging, and 4) snapshot technique.

Auditing with the Computer

• Auditing with the computer entails using computer-assisted audit techniques (CAATs) to help in various auditing tasks.
• This approach is virtually mandatory since data are stored on computer media and manual access is impossible.
• CAATs are effective and save time.

General-Use Software

• Auditors use general-use software such as spreadsheets and database management systems as productivity tools to improve their work.
• Auditors use structured query language (SQL) to retrieve a client’s data and display these data in a variety of formats for audit purposes.

Generalized Audit Software

• Generalized audit software (GAS) packages enable auditors to review computer files without continually rewriting processing programs.
• GAS programs are specifically tailored to auditor tasks.
• Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA) are examples of GAS.

Automated Workpaper Software

• Automated workpaper software is similar to general ledger software but is much more flexible.
• Features include: 1) generated trial balances, 2) adjusting entries, 3) consolidations, and 4) analytical procedures.

Auditing in the Information Age

• Software can control audit
• Audit tools stored on CD-ROM
• Electronic spreadsheets
• Client/server systems
• PSA 401 Auditing on a Computerized Accounting System
• PAPS 1001 Stand Alone Computers
• PAPS 1002 CIS Environments – On-Line Computer Systems
• PAPS 1003 Database Systems
• PAPS 1008 Risk Assessment and Internal Control CIS Characteristics and Considerations
• PAPS 1009 Computer Assisted Audit Techniques (CAATs)
