AIS Chapter 12
INFORMATION TECHNOLOGY AUDITING
After reading this chapter, you will:
1. Know how external auditing differs from internal auditing.
2. Understand the information technology audit process and types of careers in
information technology auditing.
3. Understand the software and people skills needed by information technology
auditors.
4. Know how to determine the effectiveness of internal controls over specific
information systems.
5. Be familiar with various techniques auditors use to evaluate computerized
information systems.
6. Understand that IT governance is not just about security.
7. Appreciate how auditors can use IT to prevent and discover fraudulent activities.
8. Know how the Sarbanes-Oxley Act of 2002 and AS5 influence the role of IT auditors.
9. Be familiar with various types of third party assurance services related to IT.
I. THE AUDIT FUNCTION
• To audit is to examine and assure.
• The nature of auditing differs according to the subject under
examination.
• Internal vs. External Auditing
• In an internal audit, a company’s own accounting employees perform the audit,
• whereas in an external audit, accountants working for an independent CPA firm
conduct the audit.
INTERNAL AUDIT
• Generally, internal auditing positions are staff positions reporting to
top management and/or the Audit Committee of the Board of
Directors.
• An internal audit involves evaluation of
• (1) employee compliance with organizational policies and procedures,
• (2) effectiveness of operations,
• (3) compliance with external laws and regulations,
• (4) reliability of financial reports, and
• (5) internal controls.
EXTERNAL AUDIT
• The chief purpose of an external audit is the attest function—that is,
giving an opinion on the accuracy and fairness of financial statements.
• Today, there are specialized auditors called fraud auditors or forensic
accountants.
• These auditors specialize in investigating fraud, and they often work
closely with internal auditors and attorneys.
INFORMATION TECHNOLOGY AUDITING
THE INFORMATION TECHNOLOGY AUDIT PROCESS
CAREERS IN INFORMATION TECHNOLOGY AUDITING
• Certified Information Systems Auditor (CISA)
• Applicants achieve this certification by passing an examination given by the
Information Systems Audit and Control Association (ISACA), meeting work
experience requirements, complying with ISACA’s Code of Professional Ethics,
completing continuing professional education, and adhering to ISACA’s
Information Systems Auditing Standards.
• Certified Information Security Manager (CISM)
• The CISM certification evaluates knowledge in information security governance,
information security program management, risk management, information security
management, and response management.
EVALUATING THE EFFECTIVENESS OF INFORMATION SYSTEMS CONTROLS
• Risk Assessment
• An external auditor’s main objective in reviewing information systems control
procedures is to evaluate the risks (associated with any control weaknesses)
to the integrity of accounting data presented in financial reports. Control
strengths and weaknesses will affect the scope of the audit.
• A second objective of the external auditor’s review is to make
recommendations to managers about improving these controls. Improving
controls is also an objective of internal auditors.
FOUR STEPS IN PERFORMING A RISK-BASED AUDIT
1. Determine the threats (i.e., errors and irregularities) facing the AIS.
2. Identify the control procedures that should be in place to minimize each of these threats
and thereby prevent or detect the errors and irregularities.
3. Evaluate the control procedures within the AIS. The process of reviewing system
documentation and interviewing appropriate personnel to determine whether the
necessary control procedures are in place is called a systems review. In addition, auditors
investigate whether these control procedures are satisfactorily followed. The tests include
activities such as observing system operations; inspecting documents, records, and reports;
checking samples of system inputs and outputs; and tracing transactions through the
system.
4. Evaluate weaknesses (i.e., errors and irregularities not covered by control procedures)
within the AIS to determine their effect on the nature, timing, or extent of auditing
procedures. This step focuses on control risk and on whether a company’s control
system as a whole adequately addresses the risks. If a control deficiency is identified, the
auditor should determine whether there are compensating controls or procedures that
make up for the deficiency. Control weaknesses in one area of an AIS may be acceptable if
control strengths in other areas of the AIS compensate for them.
II. THE INFORMATION TECHNOLOGY AUDITOR’S KIT
• Auditing Software
• General-Use Software
• Spreadsheet software allows both accountants and auditors to make complex
calculations automatically.
• Generalized Audit Software (GAS)
• GAS packages read client data files and run standard audit tests on them
(totals, sampling, duplicate and gap detection, ageing). Two popular GAS
packages used by auditors are Audit Command Language (ACL) and Interactive Data
Extraction and Analysis (IDEA).
• Automated workpapers
• Automated workpapers allow internal and external auditors to automate and
standardize specific audit tests and audit documentation.
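The kind of tests a GAS package such as ACL or IDEA runs can be shown in a few lines of Python. The block below is an added example, not code from the textbook or from either product, and the disbursements ledger it reads is constructed for illustration; it runs a duplicate-payment test, a gap test on a pre-numbered cheque series, and a "just under the approval limit" test of the sort used to spot split or shaped payments.

```python
"""Three generalized-audit-software style tests over a constructed
cash-disbursements ledger (added example; not ACL or IDEA code)."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger rows: (cheque_no, vendor_id, invoice_no, amount)
LEDGER = [
    (1001, "V-17", "INV-551", Decimal("4800.00")),
    (1002, "V-03", "INV-102", Decimal("125.40")),
    (1003, "V-17", "INV-551", Decimal("4800.00")),   # same vendor/invoice/amount again
    (1004, "V-09", "INV-777", Decimal("4999.00")),   # just under the approval limit
    (1006, "V-03", "INV-103", Decimal("310.00")),    # cheque 1005 is missing
    (1007, "V-09", "INV-778", Decimal("4990.00")),   # just under the approval limit
    (1008, "V-21", "INV-012", Decimal("12500.00")),
    (1010, "V-21", "INV-013", Decimal("60.00")),     # cheque 1009 is missing
]

APPROVAL_LIMIT = Decimal("5000.00")   # hypothetical second-signature threshold


def duplicate_payments(ledger):
    """Group on the key a duplicate payment normally repeats (vendor, invoice
    number, amount) and return the cheque numbers of every group with more
    than one payment."""
    groups = defaultdict(list)
    for cheque_no, vendor, invoice, amount in ledger:
        groups[(vendor, invoice, amount)].append(cheque_no)
    return [sorted(cheques) for cheques in groups.values() if len(cheques) > 1]


def sequence_gaps(ledger):
    """Gap detection on a pre-numbered document series: every number between
    the lowest and highest cheque that never appears in the ledger."""
    numbers = sorted(row[0] for row in ledger)
    expected = set(range(numbers[0], numbers[-1] + 1))
    return sorted(expected - set(numbers))


def just_under_limit(ledger, limit=APPROVAL_LIMIT, band=Decimal("0.02")):
    """Cheque numbers whose amount falls within `band` (2%) below the approval
    limit: a pattern associated with splitting or shaping payments to avoid
    a second approver."""
    floor = limit * (1 - band)
    return [row[0] for row in ledger if floor <= row[3] < limit]


if __name__ == "__main__":
    print("duplicate payments :", duplicate_payments(LEDGER))
    print("sequence gaps      :", sequence_gaps(LEDGER))
    print("just under limit   :", just_under_limit(LEDGER))
```

Each test returns the cheque numbers an auditor would pull for vouching; in practice the same three functions would be pointed at the full extract rather than at the eight constructed rows here.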
• People Skills
• Arguably the most important skills that auditors require are people skills.
After all, auditors must work as a team and be able to interact with clients.
III. AUDITING COMPUTERIZED ACCOUNTING INFORMATION SYSTEMS
• When computers were first used for accounting data processing
functions, the typical auditor knew very little about automated data
processing. The basic auditing approach, therefore, was to follow the
audit trail up to the point at which accounting data entered the computer
and to pick these data up again when they reappeared in processed form
as computer output. This is called auditing around the computer.
• When auditing a computerized AIS, an auditor should follow the audit
trail through the internal computer operations phase of automated data
processing. This approach, auditing through the computer, attempts to
verify that the processing controls involved in the AIS programs are
functioning properly.
FIVE TECHNIQUES TO AUDIT A COMPUTERIZED AIS
• (1) use of test data, integrated test facility, and parallel simulation to
test programs,
• (2) use of audit techniques to validate computer programs,
• (3) use of logs and specialized control software to review systems
software,
• (4) use of documentation and CAATs to validate user accounts and
access privileges, and
• (5) use of embedded audit modules to achieve continuous auditing.
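Technique (4), validating user accounts and access privileges with a CAAT, comes down to joining the application's user table against HR and approval records. The block below is an added example, not from the textbook; the account extract, HR roster, approved-administrator list and role names are all constructed and hypothetical. It flags accounts of terminated employees that are still active, accounts with no HR owner, dormant accounts, privileged accounts that were never approved, and segregation-of-duties conflicts.

```python
"""CAAT-style user access review over constructed data (added example)."""
from datetime import date

REVIEW_DATE = date(2024, 6, 30)   # hypothetical review date
DORMANT_DAYS = 90                 # hypothetical policy threshold

# Constructed extract from the application's user table.
ACCOUNTS = [
    {"user": "amiller",   "roles": {"AP_CLERK"},                "last_login": date(2024, 6, 28)},
    {"user": "jsmith",    "roles": {"AP_CLERK", "AP_APPROVER"}, "last_login": date(2024, 6, 29)},
    {"user": "rlee",      "roles": {"GL_POST"},                 "last_login": date(2024, 2, 1)},
    {"user": "tchan",     "roles": {"SYSADMIN"},                "last_login": date(2024, 6, 30)},
    {"user": "svc_batch", "roles": {"SYSADMIN"},                "last_login": date(2024, 6, 30)},
    {"user": "dkhan",     "roles": {"AP_CLERK"},                "last_login": date(2024, 6, 27)},
]

# Constructed HR roster: user -> termination date (None means still employed).
HR_ROSTER = {"amiller": None, "jsmith": None, "rlee": None, "tchan": None,
             "dkhan": date(2024, 5, 15)}

APPROVED_ADMINS = {"tchan"}                 # constructed privileged-access approvals
PRIVILEGED_ROLES = {"SYSADMIN"}
SOD_CONFLICTS = [{"AP_CLERK", "AP_APPROVER"}]   # enter and approve the same payable


def terminated_still_active(accounts, roster, as_of=REVIEW_DATE):
    """Accounts whose HR record shows a termination date on or before as_of."""
    return sorted(a["user"] for a in accounts
                  if roster.get(a["user"]) is not None and roster[a["user"]] <= as_of)


def not_in_roster(accounts, roster):
    """Accounts with no HR owner: service, generic or ghost accounts to be
    traced to a documented owner and approval."""
    return sorted(a["user"] for a in accounts if a["user"] not in roster)


def dormant(accounts, as_of=REVIEW_DATE, days=DORMANT_DAYS):
    """Accounts not used for more than `days` days."""
    return sorted(a["user"] for a in accounts if (as_of - a["last_login"]).days > days)


def unapproved_privileged(accounts, approved, privileged=PRIVILEGED_ROLES):
    """Accounts holding a privileged role without an approval on file."""
    return sorted(a["user"] for a in accounts
                  if a["roles"] & privileged and a["user"] not in approved)


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Accounts holding every role of some conflicting combination."""
    return sorted(a["user"] for a in accounts
                  if any(c <= a["roles"] for c in conflicts))


def review(accounts, roster, approved):
    """Run all tests and return the findings keyed by test name."""
    return {
        "terminated_still_active": terminated_still_active(accounts, roster),
        "not_in_roster": not_in_roster(accounts, roster),
        "dormant": dormant(accounts),
        "unapproved_privileged": unapproved_privileged(accounts, approved),
        "sod_violations": sod_violations(accounts),
    }


if __name__ == "__main__":
    for test, users in review(ACCOUNTS, HR_ROSTER, APPROVED_ADMINS).items():
        print(f"{test:24s} {users}")
```

The joins are deliberately done on the full population rather than a sample, which is the point of a CAAT: every account is tested, and only the exceptions need follow-up with the system owner.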
TESTING COMPUTER PROGRAMS
• Three techniques that auditors may employ to test computer
programs are
• (1) test data,
• It is the auditor’s responsibility to develop a set of transactions that tests, as
completely as possible, the range of exception situations that might occur.
• (2) integrated test facilities (ITF), and
• The purpose of an ITF is to audit an AIS in an operational setting. This involves (1)
establishing a fictitious entity such as a department, branch, customer, or employee; (2)
entering transactions for that entity; and (3) observing how these transactions are
processed. The fictitious entity’s transactions must be removed or reversed before they
reach the real financial records.
• (3) parallel simulation.
• With parallel simulation, the auditor creates a second system that duplicates a portion
of the client’s system. The auditor’s system runs alongside the client’s system, and the
auditor processes live data, rather than test data. The auditor then compares the
processing and outputs of their own system with those of the client’s system; any
difference is an exception to be investigated.
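Parallel simulation, as an added example that is not from the textbook: the auditor independently re-implements the one piece of logic under test (here a hypothetical weekly gross-pay rule with overtime at 1.5 times above 40 hours), runs the client's live timesheet extract through it, and compares the result with the client's payroll output. The timesheets and the client output are constructed; the client figure for one employee is deliberately wrong so that the comparison has something to find.

```python
"""Parallel simulation of a payroll gross-pay calculation (added example)."""
from decimal import Decimal, ROUND_HALF_UP

OT_THRESHOLD = 40                 # hypothetical: hours per week at straight time
OT_MULTIPLIER = Decimal("1.5")    # hypothetical overtime premium

# Constructed live input: the client's timesheet extract for one week.
TIMESHEETS = [
    {"emp": "E100", "hours": Decimal("40"), "rate": Decimal("20.00")},
    {"emp": "E101", "hours": Decimal("45"), "rate": Decimal("18.00")},
    {"emp": "E102", "hours": Decimal("32"), "rate": Decimal("25.50")},
    {"emp": "E103", "hours": Decimal("50"), "rate": Decimal("30.00")},
]

# Constructed client output for the same week. E103 is wrong on purpose:
# the client's program paid all 50 hours at straight time.
CLIENT_OUTPUT = {
    "E100": Decimal("800.00"),
    "E101": Decimal("855.00"),
    "E102": Decimal("816.00"),
    "E103": Decimal("1500.00"),
}


def gross_pay(hours, rate):
    """Auditor's independent implementation of the documented pay rule."""
    regular = min(hours, OT_THRESHOLD)
    overtime = max(hours - OT_THRESHOLD, 0)
    total = regular * rate + overtime * rate * OT_MULTIPLIER
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def simulate(timesheets):
    """Run the live input through the auditor's program."""
    return {t["emp"]: gross_pay(t["hours"], t["rate"]) for t in timesheets}


def compare(auditor, client, tolerance=Decimal("0.00")):
    """Return (employee, auditor_value, client_value) for every record that
    differs by more than `tolerance` or exists on only one side."""
    exceptions = []
    for emp in sorted(set(auditor) | set(client)):
        a, c = auditor.get(emp), client.get(emp)
        if a is None or c is None or abs(a - c) > tolerance:
            exceptions.append((emp, a, c))
    return exceptions


if __name__ == "__main__":
    for emp, ours, theirs in compare(simulate(TIMESHEETS), CLIENT_OUTPUT):
        print(f"exception {emp}: auditor {ours} vs client {theirs}")
```

The value of the technique lies in the independence of the second implementation: it is written from the documented pay rule, not from the client's source code, so a defect (or a deliberate change) in the client's program shows up as a difference on real transactions rather than on auditor-invented ones.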
VALIDATING COMPUTER PROGRAMS
• Tests of Program Change Controls
• A test of program change controls begins with an inspection of the
documentation maintained by the information processing subsystem. Many
organizations document their change control process with flowcharts.
• The program change authorization forms should name the individual
responsible for the work and carry the signature of the supervisor
responsible for approving the final program.
• Program Comparison
• To guard against unauthorized program tampering, such as the insertion of
malicious code, it is possible to perform certain control total tests of program
authenticity. One is a test of length. To perform this test, an auditor obtains the
latest version of an accounting computer program to be verified and compares
the number of bytes of computer memory it requires with an entry in a security
table of length counts of all valid accounting programs.
• A length test is a weak control on its own: a change that replaces code with
code of the same size, or that pads the program, leaves the length unchanged.
A cryptographic hash (for example SHA-256) of each authorized program, kept in
the same security table, detects any change to the program’s contents.
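The length test and its hash-based replacement side by side, as an added example that is not from the textbook. The "programs" are short byte strings constructed for illustration rather than real executables; the tampered copy changes the posting account and keeps the byte count identical, so the length test passes while the SHA-256 test fails.

```python
"""Program authenticity: security table of lengths versus SHA-256 digests
(added example; the program images below are constructed byte strings)."""
import hashlib
import hmac


def fingerprint(image: bytes) -> dict:
    """Both control totals for one program image."""
    return {"length": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def build_security_table(programs: dict) -> dict:
    """programs maps program name -> authorized image bytes. The table must be
    built from a known-good copy and stored where the programs' owners cannot
    write to it; otherwise an attacker simply updates the table too."""
    return {name: fingerprint(img) for name, img in programs.items()}


def length_check(table: dict, name: str, image: bytes) -> bool:
    """The textbook's test of length."""
    return table[name]["length"] == len(image)


def hash_check(table: dict, name: str, image: bytes) -> bool:
    """Content check: compares the digest of the program actually deployed
    with the recorded one (constant-time compare, as for any digest)."""
    current = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(table[name]["sha256"], current)


# Constructed authorized program image for a hypothetical payroll routine.
AUTHORIZED = {"PAYROLL": b"compute gross = hours * rate; post to GL 5100;"}
TABLE = build_security_table(AUTHORIZED)

# Constructed tampered copy: the posting account is changed but the byte
# count is the same, which is exactly the case a length test cannot see.
TAMPERED = b"compute gross = hours * rate; post to GL 9999;"


def verify(table: dict, name: str, image: bytes) -> dict:
    """Run both tests and report them separately so the gap is visible."""
    return {"length_ok": length_check(table, name, image),
            "hash_ok": hash_check(table, name, image)}


if __name__ == "__main__":
    print("authorized :", verify(TABLE, "PAYROLL", AUTHORIZED["PAYROLL"]))
    print("tampered   :", verify(TABLE, "PAYROLL", TAMPERED))
```

In a real review the images come from the production library, not from the development team, and the table itself is the item to protect: a digest table the same people can rewrite is no stronger than the length table it replaces.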
IV. INFORMATION TECHNOLOGY AUDITING TODAY
• Information Technology Governance
• Information technology (IT) governance is the process of using IT resources
effectively to meet organizational objectives. It includes using IT efficiently,
responsibly, and strategically.
• There are two sets of IT governance objectives. The first set focuses on
using IT strategically to fulfill the organizational mission and to compete
effectively. The second set involves making sure that the organization’s IT
resources are managed effectively and that management controls IT-related risks.
• Auditing for Fraud—Statement on Auditing Standards No. 99
• The financial statement audits mandated by the Securities and Exchange
Commission require auditors to attest to the fairness of a company’s financial
statements. They do not require auditors to detect every fraudulent activity.
SAS No. 99 does, however, require the auditor to assess the risk of material
misstatement due to fraud and to respond to that assessment in the audit plan.
Third-Party and Information Systems Reliability Assurances
• The risks introduced by a business’s Internet presence have created a
market for third-party assurance services. Independent third parties
may provide business users and individual consumers with some level
of comfort over their Internet transactions.
• Other assurance services offer different kinds of protection.
Consumers and business partners are not only concerned about
privacy and security of data transmissions. They also worry about the
business policies of an Internet company, its ability to deliver goods
and services in a timely fashion, its billing procedures, and its integrity
in using a customer’s e-mail address.