AIS ch11 Auditing Computer Based IS


Accounting Information System

Chapter 11

Auditing Computer-Based
Information System
Learning Objectives
After studying this chapter, you should be able to:
1. Describe the nature, scope, and objectives of audit work, and identify the
major steps in the audit process.
2. Identify the six objectives of an information system audit, and describe how
the risk-based audit approach can be used to accomplish these objectives.
3. Describe the different tools and techniques auditors use to test software
programs and program logic.
4. Describe computer audit software, and explain how it is used in the audit of
an AIS.
5. Describe the nature and scope of an operational audit.
Introduction
Auditing is the systematic process of obtaining and evaluating
evidence regarding assertions about economic actions and
events in order to determine how well they correspond with
established criteria. The results of the audit are then
communicated to interested users.
This chapter is written from the perspective of an internal
auditor.
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve
organizational effectiveness and efficiency, including assisting in
the design and implementation of an AIS. It helps an
organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness
of risk management, control, and governance processes.
Overview of the Audit Process

All audits follow a similar sequence of activities. Audits may be
divided into four stages: planning, collecting evidence,
evaluating evidence, and communicating audit results.
Overview of Audit Planning Process
Information Systems Audit
The purpose of an information systems audit is to review and evaluate the
internal controls that protect the system. When performing an information
systems audit, auditors should ascertain that the following six objectives are
met:
1. Security provisions protect computer equipment, programs, communications, and
data from unauthorized access, modification, or destruction.
2. Program development and acquisition are performed in accordance with
management’s general and specific authorization.
3. Program modifications have management’s authorization and approval.
4. Processing of transactions, files, reports, and other computer records is accurate
and complete.
5. Source data that are inaccurate or improperly authorized are identified and
handled according to prescribed managerial policies.
6. Computer data files are accurate, complete, and confidential.
Information Systems Components and Related Audit
Objectives
Framework for Audit of Overall Computer Security
Framework for Audit of Computer Processing Controls
Framework for Audit of Source Data Controls
Operational Audit of an AIS
• The techniques and procedures used in operational audits are
similar to audits of information systems and financial
statements. The basic difference is audit scope.
• An information systems audit is confined to internal controls
and a financial audit to systems output, whereas an operational
audit encompasses all aspects of systems management. In
addition, objectives of an operational audit include evaluating
effectiveness, efficiency, and goal achievement.
Audit Planning
The first step in an operational audit is audit planning, during which the
scope and objectives of the audit are established, a preliminary system
review is performed, and a tentative audit program is prepared.

Evidence Collection
The next step, evidence collection, includes the following
activities:
● Reviewing operating policies and documentation
● Confirming procedures with management and operating personnel
● Observing operating functions and activities
● Examining financial and operating plans and reports
● Testing the accuracy of operating information
● Testing controls
Evidence Evaluation
At the evidence evaluation stage, the auditor measures the system
against one that follows the best systems management principles. One
important consideration is that the results of management policies and
practices are more significant than the policies and practices themselves.
That is, if good results are achieved through policies and practices that are
theoretically deficient, then the auditor must carefully consider whether
recommended improvements would substantially improve results.
Auditors document their findings and conclusions and communicate them
to management.
The ideal operational auditor has audit training and experience
as well as a few years' experience in a managerial position.
Auditors with strong auditing backgrounds but weak
management experience often lack the perspective necessary to
understand the management process.
Source: Accounting Information System 2013 Edition by Romney Steinbart
