Chapter XI SIA


Chapter IX.

Auditing Computer-Based Information Systems

Learning Objectives

• Describe the nature, scope, and objectives of audit work, and identify the major steps in the
audit process.

• Identify the six objectives of an information system audit, and describe how the risk-based
audit approach can be used to accomplish these objectives.

• Describe the different tools and techniques auditors use to test software programs and
program logic.

• Describe computer audit software, and explain how it is used in the audit of an AIS.

• Describe the nature and scope of an operational audit.


A. Major Steps in the Audit Process
a. Audit planning
i. Why, how, when, and who
ii. Establish scope and objectives of the audit; identify risk
b. Collection of audit evidence
c. Evaluation of evidence
d. Communication of results

B. Risk Based Framework


a. Identify fraud and errors (threats) that can occur that threaten each objective
b. Identify control procedures (prevent, detect, correct the threats)
c. Evaluate control procedures
i. Review to see if control exists and is in place
ii. Test controls to see if they work as intended
d. Determine effect of control weaknesses
i. Compensating controls
C. Information Systems Audit
a. Using the risk-based framework for an information systems audit allows the auditor
to review and evaluate internal controls that protect the system to meet each of the
following objectives:
i. Protect overall system security (includes computer equipment, programs,
and data)
ii. Program development and acquisition occur under management
authorization
iii. Program modifications occur under management authorization
iv. Accurate and complete processing of transactions, records, files, and reports
v. Prevent, detect, or correct inaccurate or unauthorized source data
vi. Accurate, complete, and confidential data files
D. Protect Overall System Security

Threats

• Theft of hardware

• Damage of hardware (accidental and intentional)

• Loss, theft, unauthorized access to

▫ Programs

▫ Data

• Unauthorized modification or use of programs and data files

• Unauthorized disclosure of confidential data

• Interruption of crucial business activities

Controls

• Limit physical access to computer equipment

• Use authentication and authorization controls

• Data storage and transmission controls

• Virus protection and firewalls

• File backup and recovery procedures

• Disaster recovery plan

• Preventive maintenance

• Insurance

E. Program Development and Acquisition Occur under Management Authorization


Threats
• Inadvertent programming errors
• Unauthorized program code

Controls
• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs
• Systems documentation
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
• Logical access controls

F. Accurate and Complete Processing of Transactions, Records, Files, and Reports


Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting

Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
G. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data
Threats
• Inaccurate source data
• Unauthorized source data

Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
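The source data and processing controls listed in sections F and G (check digit and key verification, data editing routines, batch control totals and their reconciliation) can be shown in working form. The following Python script is an added example and is not part of the original notes; the sales-order field names, the mod-10 (Luhn) check digit, the department reference list and the sample batch are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample batch of sales-order records keyed in from source documents.
# Records 4 to 6 contain deliberate defects so that each editing routine fires once.
SAMPLE_BATCH: List[dict] = [
    {"customer_no": "123455", "dept": "10", "qty": 5,  "amount": 125.00},
    {"customer_no": "200006", "dept": "20", "qty": 2,  "amount": 40.50},
    {"customer_no": "314153", "dept": "30", "qty": 10, "amount": 999.99},
    {"customer_no": "123456", "dept": "10", "qty": 1,  "amount": 10.00},  # wrong check digit
    {"customer_no": "200006", "dept": "99", "qty": 3,  "amount": 30.00},  # unknown department
    {"customer_no": "314153", "dept": "30", "qty": -3, "amount": 15.00},  # negative quantity
]

# Batch control totals prepared by the originating department over all six source
# documents before the batch was keyed (constructed to match SAMPLE_BATCH).
EXPECTED_TOTALS = {"record_count": 6, "financial_total": 1220.49, "hash_total": 1275229}

VALID_DEPTS = {"10", "20", "30"}   # validity-check reference list (assumed)


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a digit string: double every second digit from
    the right, subtract 9 from any doubled value above 9, and return the digit that
    brings the sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def verify_check_digit(number: str) -> bool:
    """Check-digit verification: the last digit must equal the Luhn digit of the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def edit_record(rec: dict) -> Optional[str]:
    """Data editing routines: return the first failed edit, or None when the record is clean."""
    if not verify_check_digit(str(rec.get("customer_no", ""))):
        return "check digit: customer_no fails mod-10 verification"
    if rec.get("dept") not in VALID_DEPTS:
        return "validity check: dept not in reference list"
    qty = rec.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= 1000:
        return "range/sign check: qty must be between 1 and 1000"
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        return "field check: amount must be a positive number"
    return None


def run_edits(batch: List[dict]) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Split a batch into accepted records and (record, reason) pairs for the error log."""
    accepted, rejected = [], []
    for rec in batch:
        reason = edit_record(rec)
        if reason:
            rejected.append((rec, reason))
        else:
            accepted.append(rec)
    return accepted, rejected


def batch_totals(records: List[dict]) -> Dict[str, float]:
    """Batch control totals: record count, financial total and a hash total of customer numbers."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["customer_no"]) for r in records),
    }


def reconcile(expected: Dict[str, float], records: List[dict]) -> Dict[str, float]:
    """Reconciliation of batch totals: non-zero differences mean the batch is out of balance
    and the rejected records must be corrected and resubmitted before it can be posted."""
    actual = batch_totals(records)
    return {k: round(actual[k] - expected[k], 2) for k in expected}


if __name__ == "__main__":
    ok, bad = run_edits(SAMPLE_BATCH)
    print("accepted:", len(ok), "rejected:", [(r["customer_no"], why) for r, why in bad])
    print("totals:", batch_totals(ok))
    print("differences vs control totals:", reconcile(EXPECTED_TOTALS, ok))
```

Running it rejects the three defective records and shows the accepted records out of balance against the control totals by exactly those three records, which is what the reconciliation is meant to surface: the batch cannot be posted until the error correction procedure has dealt with the rejects.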

H. Accurate, Complete, and Confidential Data Files


Threats
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data

Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures
I. Audit Techniques Used to Test Programs
a. Integrated Test Facility
i. Uses fictitious inputs
b. Snapshot Technique
i. Master files before and after update are stored for specially marked
transactions
c. System Control Audit Review File (SCARF)
i. Continuous monitoring and storing of transactions that meet pre-specified criteria
d. Audit Hooks
i. Notify auditors of questionable transactions
e. Continuous and Intermittent Simulation
i. Similar to SCARF for DBMS
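The concurrent audit techniques in section I (the snapshot technique, SCARF and audit hooks) all rely on audit code embedded in the application. The following Python script is an added example, not part of the original notes, showing a small embedded audit module wired into a transaction processor; the account structure, thresholds, business-hours window, field names and sample transactions are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed master file (account -> balance) and one day's transactions.
# Transaction 2 carries an auditor's tag so that the snapshot technique captures it.
MASTER: Dict[str, float] = {"A100": 1000.0, "A200": 25000.0}
TXNS: List[dict] = [
    {"id": 1, "account": "A100", "type": "credit", "amount": 500.0,   "hour": 10},
    {"id": 2, "account": "A200", "type": "debit",  "amount": 6000.0,  "hour": 11, "audit_tag": True},
    {"id": 3, "account": "A100", "type": "debit",  "amount": 2000.0,  "hour": 3},
    {"id": 4, "account": "A200", "type": "credit", "amount": 25000.0, "hour": 14},
]


@dataclass
class EmbeddedAuditModule:
    """Audit code embedded in the application; the thresholds are assumed for the example."""
    scarf_amount: float = 5000.0                 # SCARF criterion: amount at or above this
    business_hours: Tuple[int, int] = (7, 19)    # SCARF criterion: posted outside these hours
    hook_amount: float = 20000.0                 # audit hook: triggers an immediate notification
    scarf_file: List[dict] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    snapshots: List[dict] = field(default_factory=list)

    def scarf(self, txn: dict) -> None:
        """SCARF: continuously monitor and store transactions meeting pre-specified criteria."""
        start, end = self.business_hours
        if txn["amount"] >= self.scarf_amount or not start <= txn["hour"] <= end:
            self.scarf_file.append(dict(txn))

    def hook(self, txn: dict, balance_before: float) -> None:
        """Audit hook: notify auditors of questionable transactions as they are processed."""
        if txn["amount"] >= self.hook_amount:
            self.notifications.append(
                f"txn {txn['id']}: amount {txn['amount']:.2f} at or above hook limit")
        if txn["type"] == "debit" and txn["amount"] > balance_before:
            self.notifications.append(
                f"txn {txn['id']}: debit exceeds balance of {balance_before:.2f}")

    def snapshot(self, txn: dict, before: float, after: float) -> None:
        """Snapshot: keep the master record before and after the update for tagged transactions."""
        if txn.get("audit_tag"):
            self.snapshots.append({"txn_id": txn["id"], "account": txn["account"],
                                   "before": before, "after": after})


def process_transactions(master: Dict[str, float], txns: List[dict],
                         audit: EmbeddedAuditModule) -> Dict[str, float]:
    """Apply the transactions to a copy of the master file with the audit module embedded."""
    master = dict(master)
    for txn in txns:
        before = master.get(txn["account"], 0.0)
        audit.scarf(txn)              # runs on every transaction, tagged or not
        audit.hook(txn, before)       # immediate notification, before the update is applied
        after = before + txn["amount"] if txn["type"] == "credit" else before - txn["amount"]
        master[txn["account"]] = after
        audit.snapshot(txn, before, after)
    return master


def run_demo() -> Tuple[Dict[str, float], EmbeddedAuditModule]:
    """Process the constructed day and hand back the updated master and the audit evidence."""
    audit = EmbeddedAuditModule()
    final_master = process_transactions(MASTER, TXNS, audit)
    return final_master, audit


if __name__ == "__main__":
    final_master, audit = run_demo()
    print("master after update:", final_master)
    print("SCARF file:", [t["id"] for t in audit.scarf_file])
    print("notifications:", audit.notifications)
    print("snapshots:", audit.snapshots)
```

The three techniques are deliberately separated: SCARF collects evidence silently for later review, the audit hook interrupts with a notification the moment a questionable transaction is seen (here an overdraft and an unusually large credit), and the snapshot records only the before-and-after images of the transaction the auditor chose to tag.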

J. Software Tools Used to Test Program Logic


a. Automated flowcharting program
i. Interprets source code and generates flowchart
b. Automated decision table program
i. Interprets source code and generates a decision table
c. Scanning routines
i. Searches program for specified items
d. Mapping programs
i. Identifies unexecuted code
e. Program tracing
i. Prints program steps with regular output to observe sequence of program
execution events
K. Computer Audit Software
a. Computer-assisted audit software that can perform audit tasks on a copy of a
company's data. It can be used to:
i. Query data files and retrieve records based upon specified criteria
ii. Create, update, compare, download, and merge files
iii. Summarize, sort, and filter data
iv. Access data in different formats and convert to common format
v. Select records using statistical sampling techniques
vi. Perform analytical tests
vii. Perform calculations and statistical tests
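The tasks in section K can be demonstrated on a copy of an accounts payable file. The following Python script is an added example and not part of the original notes or of any particular audit software package; the file layouts, vendor data, payment records and the duplicate-payment test are assumptions constructed for the illustration.

```python
import csv
import io
import random
from collections import defaultdict
from typing import Any, Callable, Dict, List, Tuple

# Constructed copy of the company's data. The auditor works on a copy, never the live file.
PAYMENTS_CSV = """payment_id,vendor_id,invoice_no,amount,paid_on
P1,V01,INV-100,1200.00,2024-03-01
P2,V02,INV-200,450.00,2024-03-02
P3,V01,INV-101,9800.00,2024-03-03
P4,V03,INV-300,300.00,2024-03-04
P5,V02,INV-200,450.00,2024-03-09
P6,V09,INV-900,15000.00,2024-03-10
"""
VENDORS_CSV = """vendor_id,name,approved
V01,Acme Supplies,Y
V02,Borealis Ltd,Y
V03,Cobalt Co,N
"""


def load(csv_text: str) -> List[dict]:
    """Access data in one format (CSV) and convert it to a common in-memory format."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        if "amount" in r:
            r["amount"] = float(r["amount"])
    return rows


def query(rows: List[dict], **criteria: Any) -> List[dict]:
    """Retrieve records meeting every criterion; a callable criterion is applied as a predicate."""
    return [r for r in rows
            if all(v(r[k]) if callable(v) else r[k] == v for k, v in criteria.items())]


def summarize_by(rows: List[dict], key: str, value: str = "amount") -> Dict[str, float]:
    """Summarize: total the value field for each distinct key."""
    totals: Dict[str, float] = defaultdict(float)
    for r in rows:
        totals[r[key]] += r[value]
    return {k: round(v, 2) for k, v in totals.items()}


def top_n(rows: List[dict], n: int) -> List[dict]:
    """Sort by amount, largest first, and keep the top n."""
    return sorted(rows, key=lambda r: r["amount"], reverse=True)[:n]


def unapproved_vendor_payments(payments: List[dict], vendors: List[dict]) -> List[dict]:
    """Compare files: payments to vendors absent from the master or not flagged approved."""
    approved = {v["vendor_id"] for v in vendors if v["approved"] == "Y"}
    return [p for p in payments if p["vendor_id"] not in approved]


def duplicate_payments(payments: List[dict]) -> Dict[Tuple[str, str, float], List[str]]:
    """Analytical test: the same vendor, invoice and amount paid more than once."""
    seen: Dict[Tuple[str, str, float], List[str]] = defaultdict(list)
    for p in payments:
        seen[(p["vendor_id"], p["invoice_no"], p["amount"])].append(p["payment_id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


def sample(rows: List[dict], n: int, seed: int = 42) -> List[dict]:
    """Statistical sampling: a fixed seed makes the selection reproducible in the workpapers."""
    return random.Random(seed).sample(rows, n)


if __name__ == "__main__":
    payments, vendors = load(PAYMENTS_CSV), load(VENDORS_CSV)
    print("over 1000:", [p["payment_id"] for p in query(payments, amount=lambda a: a > 1000)])
    print("by vendor:", summarize_by(payments, "vendor_id"))
    print("largest two:", [p["payment_id"] for p in top_n(payments, 2)])
    print("unapproved vendors:", [p["payment_id"] for p in unapproved_vendor_payments(payments, vendors)])
    print("duplicates:", duplicate_payments(payments))
    print("sample:", [p["payment_id"] for p in sample(payments, 2)])
```

Each function maps to one of the listed capabilities: loading converts formats, query retrieves records by criteria, summarize_by and top_n summarize and sort, unapproved_vendor_payments compares two files, duplicate_payments is an analytical test, and sample selects records for detailed testing.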
L. Operational Audit
a. Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the
basic audit steps are the same, the specific activities of evidence collection are
focused toward operations such as:
i. Review operating policies and documentation
ii. Confirm procedures with management and operating personnel
iii. Observe operating functions and activities
iv. Examine financial and operating plans and reports
v. Test accuracy of operating information
vi. Test operational controls

Assignment

We have learned about information systems auditing. Now I ask you, with your group, to make a video
on how to carry out an audit procedure. Begin with the step-by-step audit procedure. Assume each of you has
a function in a division within the company. I give you one week to finish it!
