Notes: Chapter 9 (Romney & Steinbart)

Auditing Computer-based Information Systems

(Many of the terms introduced and explained in the chapters are also defined in the text’s glossaryon pp. 773-
795. Note also that key terms for each chapter are listed at the end of the chapter withpage references back to
each term to facilitate your review.)
INTRODUCTION
•Questions to be addressed in this chapter include:
What are the scope and objectives of audit work, and what major steps take placein the audit process?
What are the objectives of an information systems audit, and what is the four-step approach for meeting those
objectives?
 
How can a plan be designed to study and evaluate internal controls in an AIS?
 
How can computer audit software be useful in the audit of an AIS?
 
What is the nature and scope of an operational audit?
•Auditors are employed for a wide range of tasks and responsibilities. This chapter Is written primarily from the
perspective of an internal auditor, since they have a direct responsibility for designing and implementing an
effective AIS.
NATURE OF AUDITING
•The American Accounting Association (AAA) defines auditing as a systematic process of objectively
obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain
the degree of correspondence between those assertions and established criteria and communicate the results to
interested users
•Auditing requires a step-by-step approach which includes planning the audit, collecting and reviewing
information, and developing recommendations. Auditors used to audit around the computer but now audit
through it.
•According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is t oevaluate the
adequacy and effectiveness of a company’s internal control system and determine the extent to which assigned
responsibilities are carried out. The IIA’s five audit scope standards outline the internal auditor’s
responsibilities
 
Review the reliability and integrity of operating and financial information and how it is identified, measured,
classified, and reported.
 
Determine if the systems designed to comply with these policies, plans, procedures, laws, and regulations are
being followed.
 
Review how assets are safeguarded, and verify their existence
 
Examine company resources to determine how effectively and efficiently they are used.
 
Review company operations and programs to determine if they are being carried out as planned and if they are
meeting their objectives.
•Because most organizations use computerized AISs, computer expertise is essential tothese tasks.
•The three different types of audits commonly performed are:
 financial audits
 to examine the reliability and integrity of accounting records;
 compliance audits
 to assess compliance with and effectiveness of AIS controls; and
 operational or management  audits
 to determine whether resources are being used economically and efficiently.
•All audits follow a similar sequence of activities and can be divided into four stages
Planning
—The purpose of planning is to determine why, how, when, and by whom the audit will be performed. The
audit should be planned so that the greatest amount of audit work focuses on areas with the highest risk
factors. The three types of risks to consider when conducting an audit are
inherent risk
 (how susceptible the area would be with no controls);
 control risk
 (the risk that a material misstatement will get through the control structure); and
 detection risk
 (the risk that auditors and their procedures will miss a material error or misstatement).
 
Collecting Evidence
—Audit collection methods include observation, review of documentation, discussions, physical examination,
confirmation, re-performance, vouching, and analytical review. Audit tests are often performed on a sample
basis. A typical audit will include a mix of procedures. An audit of AIS interna lcontrols would make greater
use of observation, review of documentation, discussions, and re-performance. An audit of financial
information would focuson physical examination, confirmation, vouching, analytical review, and re-
performance.–

 Evaluating Evidence
--The auditor evaluates the evidence gathered in light of thespecific audit objective and decides if it supports
a favorable or unfavorableconclusion. If inconclusive, the auditor plans and executes additional proceduresuntil
sufficient evidence is obtained. Two important factors when deciding howmuch audit work is necessary and in
evaluating audit evidence are
 materiality
 (the potential impact of the item on decision-making); and
 reasonable assurance
 (the balance between costs and benefits of procedures). Conclusions should becarefully documented in working
papers.–
Communicating Audit Results
--The auditor prepares a written (and sometime soral) report summarizing audit findings and recommendations,
with references to supporting evidence in the working papers. The report is presented to management, the audit
committee, the board of directors, and other appropriate parties. After results are communicated, auditors often
perform a follow-upstudy to see if recommendations have been implemented.
•A risk-based audit approach is a four-step approach to internal control evaluation thatprovides a logical
framework for carrying out an audit. Steps are (1) determine thethreats (errors and irregularities) facing the AIS;
(2) identify control proceduresimplemented to minimize each threat by preventing or detecting such errors
andirregularities; (3) evaluate the control procedures; and (4) evaluate weaknesses (errorsand irregularities not
covered by control procedures) to determine their effect on thenature, timing, or extent of auditing procedures
and client suggestions. Thisunderstanding provides a basis for developing recommendations to management on
howthe AIS control system should be improved.
INFORMATION SYSTEMS AUDITS
•The purpose of an information systems audit is to review and evaluate the internalcontrols that protect the
system. When performing an information system audit, auditorsshould ascertain that the following objectives
are met:–
OBJECTIVE 1: Security provisions protect computer equipment, programs,communications, and data from
unauthorized access, modification, ordestruction.–
OBJECTIVE 2: Program development and acquisition are performed inaccordance with management’s general
and specific authorization
OBJECTIVE 3: Program modifications have management’s authorization andapproval.–
OBJECTIVE 4: Processing of transactions, files, reports, and other computerrecords is accurate and complete.–
OBJECTIVE 5: Source data that are inaccurate or improperly authorized areidentified and handled according to
prescribed managerial policies.–
OBJECTIVE 6: Computer data files are accurate, complete, and confidential.
OBJECTIVE 1: OVERALL SECURITY
•Types of errors and fraud include damage to system assets; unauthorized access, disclosure, or modification of
data and programs; theft; and business interruption
•Control procedures include developing an IS protection plan; restricting physical and logical access; encrypting
data; using virus protection; using data transmission controls; and preventing or recovering from system
failures or disasters.
•Audit procedures include inspecting sites; interviewing personnel; reviewing policies and procedures; and
examining access logs, insurance policies, and disaster recovery plans.
•Tests of control include observation; verifying controls are in place and work as intended; investigating error
handling; and examining tests performed previously.
•Compensating controls may include sound personnel policies, segregation of duties, and effective user
controls.
OBJECTIVE 2: PROGRAM DEVELOPMENT AND ACQUISITION

•Types of errors and fraud include inadvertent programming errors or deliberate insertion of unauthorized
instructions.
•Control procedures include appropriate authorizations; thorough testing; and proper documentation.
•Audit procedures include an independent review of system activity, including development procedures,
policies, standards, and documentation, as well as tests of systems development controls. Strong
processing controls can sometimes compensate for inadequate development controls.
OBJECTIVE 3: PROGRAM MODIFICATION
•Types of errors and fraud include the same events that occur during program development, i.e., inadvertent
programming errors and unauthorized code.
•Control procedures include documentation and testing of updates; separation of development version from
production version of program; replacement of production version after approval; implementation by personnel
independent of users or programmers; and logical access controls.
•Audit procedures for systems review include gleaning understanding of change process from management;
examining policies, procedures, and standards for program changes; reviewing final documentation; and
reviewing procedures to restrict logical access.
•Audit procedures for tests of controls include verification that program changes went through required steps;
observation of implementation process; review of access control table; use of source code comparison to test for
unauthorized changes; and reprocessing; and parallel simulation.
OBJECTIVE 4: COMPUTER PROCESSING 
•Types of errors and fraud include failure to detect erroneous inputs; improperly correcting input errors;
processing erroneous input; or improperly distributing or disclosing output.
•Control procedures include computer data editing routines; use of internal and external file labels;
reconciliation of batch totals; error correction procedures; operating documentation; competent supervision;
handling of data input and output by data control personnel; file change listings; and maintenance of proper
environmental conditions in computer facility.
•Audit procedures for systems review include review of administrative, systems, and operating documentation,
as well as error listings; observations of computer operations and data control; and discussion of processing and
output controls with IS supervisors.
•Audit procedures for tests of controls include evaluating adequacy of processing control standards and
data editing controls; verifying adherence by observation; verifying that output is properly distributed;
reconciling batch totals; tracing errors; verifying processing accuracy for samples; searching for erroneous
or unauthorized code; using concurrent audit techniques to monitor online processing; and recreating selected
reports.
•Specialized techniques for testing processing controls include:
 Processing test data
—Involves testing a hypothetical series of valid and invalid transactions. This process is time consuming and
requires care not to contaminate the company’s actual data with test data. 

Using concurrent audit techniques

Uses
embedded audit modules
, i.e., segments of code that perform audit functions, report results to the auditor, and store
collected evidence. These include:
 An integrated test facility (ITF) technique
—places a small set of test records in the master files, e.g., a fictitious division.
 A snapshot technique
—selected transactions are marked with a special code that triggers the snapshot process, and audit modules
record the transactions and their master file records before and after processing.
 A system control audit review file (SCARF)
--uses embedded audit modules to continuously monitor transaction activity and collect data on transactions
with special audit significance.
 
 Audit hooks
—provide routines that flag suspicious transactions and provide real-time notification.
Continuous and intermittent simulation (CIS)
--embeds an audit module in a database management system. The module examines all transactions that update
the DBMS using criteria similar to those of SCARF. When a transaction has audit significance, the module
processes the data independently (similar to parallel simulation); records the results; and compares results with
those obtained by the DBMS. If there are discrepancies, details are written to an audit log for subsequent
investigation. Serious discrepancies may prevent the DBMS from executing the update.
 Analyzing program logic
—Used as a last resort if an auditor suspects a program has code that is unauthorized or has serious errors. The
auditor references program flowcharts, documentation, and source code. May use software packages that do
automated flowcharts, automated decision tables, scanning routines, mapping, or program tracing.
OBJECTIVE 5: SOURCE DATA
Types of errors and fraud include inaccurate or unauthorized source data.
•Control procedures include effective handling of source data by data control personnel; user authorizations;
batch totals; activity logging; check digit verification; key verification; turnaround documents; data editing
routines; file change listings; and effective procedures for correction and resubmission.
•Audit procedures for systems review include reviewing documentation of data control responsibilities,
standards, and processing steps; reviewing authorization methods and the input control matrix; and discussing
procedures with data control personnel, users, and management.
•Audit procedures for tests of controls include observing data control procedures; verifying maintenance of data
control log; evaluating error handling; sampling for source data authorizations; reconciling batch totals; and
tracing errors flagged by data edit routines.
•Compensations include strong user and processing controls.
OBJECTIVE 6: DATA FILES
•Types of errors and fraud include destruction, unauthorized modification, or unauthorized disclosure of stored
data.
•Control procedures include physical and logical access controls; use of file labels and write protection;
concurrent update controls; encryption; virus protection; and backup on and off site.
•Audit procedures for systems review include review of operating documentation; physical and logical access
controls, systems documentation and disaster recovery plan, as well as discussions with systems managers
and operators.
•Audit procedures for tests of controls include observation of library operations, file-handling procedures, back-
up activities, and file conversion; review of password assignment records; verification of virus protection,
concurrent update controls, encryption, completeness, currency, and testing of disaster recovery
plan; reconciliation of master file totals with independent control totals.
•Compensations include strong user or processing controls and effective computer security controls.

COMPUTER SOFTWARE
•Computer audit software (CAS)
 or
 generalized audit software (GAS)are computer programs that have been written especially for auditors. Two of
the most popular are Audit Control Language (ACL) and IDEA. CAS generates programs that perform the audit
function and is ideally suited for examination of large data files to identify records needing further audit
scrutiny.
•CAS functions include: reformatting, file manipulation, calculation, data selection, data analysis, file
processing, statistics, and report generation.
•To use CAS, the auditor decides on audit objectives; learns about the files and databases to be audited;
designs the audit reports; and determines how to produce them. The program creates specification records used
to produce auditing programs. The auditing programs process the source files and produce specified audit
reports. When the auditor receives the CAS reports, most of the audit work still needs to be done. Advantages of
CAS are numerous, but it does not replace the auditor’s judgment or free the auditor from other phases of the
audit
OPERATIONAL AUDITS OF AN ACCOUNTING INFO SYSTEM
 
•Techniques and procedures in operational audits are similar to audits of information systems and financial
statement audits. However, the scope of the operational audit is much broader and encompasses all aspects of
information systems management. The objectives are also different in that operational audit objectives include
evaluating factors such as effectiveness, efficiency, and goal achievement. The steps include audit planning,
evidence collection, evidence evaluation, and documentation and communication of conclusions.
•The ideal operational auditor is a person with audit training and some managerial experience