Auditing IT (F)

The document discusses different approaches to auditing information technology systems, including auditing around the computer (black box approach) and auditing through the computer (white box approach). It also describes computer-assisted audit techniques (CAATs) and the two types of CAATs - test data and audit software. Test data involves the auditor submitting dummy data containing both valid and invalid information to the client's system to test whether application controls can correctly process the data and detect errors.

Auditing Information Technology

Mwamba Ally Jingu: FCPA; PhD

There are different names for IT audit. They include:
― EDP audits (electronic data processing audits)
― Computer audits
― ADP audits (automated data processing audits)
― Information system audits (IS audits)
― Audits in a Computerized Information System (CIS) environment
IT audit has not changed the fundamental nature of auditing. The objective of an audit is still “to express an opinion on whether the financial statements have been prepared, in all material respects, in accordance with an applicable financial reporting framework” (e.g. International Financial Reporting Standard (IFRS)).
Audit Approaches in an IT Environment
There are two audit approaches in an IT environment:
1. Audit around the computer (black box approach)
2. Audit through the computer (white box approach)
In the black box approach, or auditing around the computer, the auditor concentrates on the input controls and output controls and ignores the specifics of how the computer processes the data of transactions.
If the input matches the output, the auditor assumes that the processing of data or transactions must have been correct.
The comparison of inputs and outputs may be done manually with the assistance of the computer.
In simple words, evidence is drawn and conclusions are reached without considering how inputs are being processed to provide outputs.
Black Box Approach continued
Most often the black box approach is used either because:
― processing done by the computer is too simple, e.g. casting, sorting etc.
― the auditor is already aware of the software’s reliability. This is the case with most off-the-shelf software used by the client without any in-house alteration, which therefore need not be checked.
― the auditor has no means of gaining an understanding of the computer system and thus resorts to this approach. This situation can arise out of circumstances including:
o lack of appropriate system documentation
o the auditor lacks the expertise or skills to understand or use the computer system for auditing purposes
o the auditor is not given access to the computer system at the level required
Audit around the computer is used in situations where the auditor is of the opinion that the computer system is reliable, and often a comparison of inputs to outputs is enough.
The auditor will not assess whether processing controls are in place and whether they are working effectively while inputs are processed.
However, relying too much on this approach is not recommended for important aspects of the audit, especially where assessed risk is high, as this may result in an ineffective audit and ultimately an inappropriate audit opinion being expressed by the auditor.
As mentioned earlier, the auditor will bypass the computer system and will not check for the existence and/or operating effectiveness of controls in processing data.
Auditing through the computer
- In this approach the processes and controls surrounding the application are also subject to audit.
- In order to help the auditor gain access to these processes, computer audit software may be used. The technique is referred to as computer assisted audit techniques (CAATs).
- It is obvious that to follow this approach the auditor needs to have sufficient knowledge of computers to plan, direct, supervise and review the work performed.
- The areas covered in the audit will concentrate on the following controls: input control; processing control; storage control; output control; and data transition controls.
Auditing through the computer continued
When auditing through the computer, auditors follow the audit trail through the computer operations in order to verify that the processing controls are functioning properly and that controls in the system are adequate to ensure complete and correct processing of all data.
Additionally, it attempts to validate the accounting data being processed. The auditor assumes that the CPU and additional hardware are functioning properly.
As the computer processing is paperless and not visible to human eyes, the auditors use CAATs in auditing through the computer.
Computer Assisted Auditing Techniques
CAATs use a computer to assist the auditor in testing during the audit procedures. There are 2 categories of CAATs:
1. Test Data
2. Audit Software
Advantages of CAATs to the Auditor
― Test programmed controls: in a computer-based accounting system, there is a large volume of transactions which the auditor will have to audit. The auditor will have to check whether the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAATs.
― Test on large volume of data: CAATs enable auditors to test large amounts of data quickly and accurately and therefore increase the confidence they have in their opinion.
― Test on source location of data: CAATs enable auditors to test the accounting system and its records (e.g. disk files) at their source location rather than testing the printouts of what they believe to be a copy of those records.
Advantages of CAATs to the Auditor Continued
― Cost effective: once set up, CAATs are likely to be a cost-effective way of obtaining audit evidence year after year, provided that the client does not change the accounting system regularly.
― Comparison: allows results from using CAATs to be compared to traditional testing. Where the two results agree, this increases the overall audit confidence.
Disadvantages of using CAATS
― CAATs can be expensive and time consuming to set up; the software must either be purchased or designed (in which case specialist IT staff will be needed);
― Client’s permission and cooperation may be difficult to obtain;
― Potential incompatibility with the client's computer system;
― The audit team may not have sufficient IT skills and knowledge to create the complex data extracts and programming required;
― The audit team may not have the knowledge needed to understand the results of the CAATs; and
― Data may be corrupted or lost during the application of CAATs.
Test Data
One of the two types of CAATs is test data.
Test data involves the auditor:
― submitting “dummy” data into the client’s computer system to ensure that the system correctly processes it and that it prevents or detects and corrects misstatements.
― The objective of this is to test the operations of application controls within the system.
To be successful, test data should include data with errors built into it and data without errors. Examples include:
― Codes that do not exist, e.g. customers, suppliers and employees
― Transactions above predetermined limits, e.g. salaries above contracted amounts, credits above limits agreed with customers
― Invoices with arithmetical errors
― Data submitted with incorrect control totals
Data may be processed during a normal operational cycle (live test data) or during a special run at a point in time outside the normal operational cycle (dead test data).
Both have their advantages and disadvantages.
Live data could interfere with the normal operations of the system or corrupt master file or standing data.
The auditor prepares input containing both valid and invalid data.
Prior to processing the test data, the input is manually processed to determine what the output should look like.
The auditor then compares the computer-processed output with the manually processed results.
Note that test data involves the auditor submitting 'dummy' data into the client's system to ensure that the system correctly processes it and that it prevents or detects and corrects misstatements.
Test Data Summary
1. Contents of the Test Data
- Test data involves the auditor preparing a set of fictitious (dummy) data.
- The set of fictitious data is divided into two categories. One category consists of valid (correct) data and the other of invalid (incorrect) data.
- For example, a customer sales order record contains the following data: quantity 10, sales price 20 shillings. For valid data, the total value of the sale should be calculated as 200.
- But if the calculated value is 2000, then the application controls should detect the error because the data is invalid.
Test Data Summary
2. How the Test Data is used by the auditor
- Prior to processing the test data, the input is manually processed to determine what the output should look like.
- The auditor then enters the test data through the client’s application programs.
- If the invalid data is entered into the system, the auditor will expect an input rejection. Conversely, the valid data should be processed without problems.
- The results of the input procedures are compared with the expected behavior of the application in order to determine whether input controls are in place.
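The test data procedure above, as an added Python example that is not part of the original slides: the auditor's dummy records carry results worked out manually in advance and are run through a stand-in for the client's order-entry program. `client_order_entry`, `client_batch_check`, the customer codes and the credit limits are hypothetical and constructed; the stand-in deliberately lacks a credit limit check so that the comparison has an exception to report.

```python
from decimal import Decimal

# Constructed standing data: customer code -> agreed credit limit (shillings).
CREDIT_LIMITS = {"C001": Decimal("5000"), "C002": Decimal("1000")}


def make_order(test_id, customer, qty, price, total):
    """Build one dummy sales order record."""
    return {"id": test_id, "customer": customer, "qty": qty,
            "price": Decimal(price), "total": Decimal(total)}


def client_order_entry(order):
    """Hypothetical stand-in for the client's order-entry program."""
    # The credit limit check is deliberately missing, so the run has a
    # control failure to report.
    if order["customer"] not in CREDIT_LIMITS:
        return False, "unknown customer code"
    if order["qty"] * order["price"] != order["total"]:
        return False, "quantity x price does not equal total"
    return True, "posted"


def client_batch_check(orders, control_total):
    """Hypothetical batch control: declared total must equal the sum."""
    return sum(o["total"] for o in orders) == Decimal(control_total)


# Auditor's test deck (constructed). The second element is the result worked
# out manually before the run: True means the record should be accepted.
TEST_DECK = [
    (make_order("T1", "C001", 10, "20", "200"), True),     # valid record
    (make_order("T2", "C999", 10, "20", "200"), False),    # code does not exist
    (make_order("T3", "C001", 10, "20", "2000"), False),   # arithmetic error
    (make_order("T4", "C002", 100, "20", "2000"), False),  # above credit limit
]


def run_test_data(deck, program):
    """Process each record; list those where actual differs from expected."""
    exceptions = []
    for order, expected in deck:
        accepted, message = program(order)
        if accepted != expected:
            exceptions.append({"id": order["id"], "expected": expected,
                               "actual": accepted, "message": message})
    return exceptions


def run_control_total_test(deck, batch_check):
    """Submit the valid records with a wrong, then a right, control total."""
    valid = [order for order, expected in deck if expected]
    true_total = sum(o["total"] for o in valid)
    wrong_rejected = not batch_check(valid, true_total + 1)
    right_accepted = batch_check(valid, true_total)
    return wrong_rejected and right_accepted


if __name__ == "__main__":
    for exc in run_test_data(TEST_DECK, client_order_entry):
        print("CONTROL EXCEPTION", exc)
    print("control total check effective:",
          run_control_total_test(TEST_DECK, client_batch_check))
```

An empty exception list means every record behaved as predetermined; here record T4 is posted although it exceeds the customer's limit, which is the control weakness the auditor would report.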
03 When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
A. Test data must consist of all possible valid and invalid conditions.
B. The program tested is different from the program used throughout the year by the client.
C. Several transactions of each type must be tested.
D. Test data are processed by the client’s computer programs under the auditor’s control.
Answer: D. Test data are processed by the client’s computer programs under the auditor’s control.
It is not possible to test all valid and invalid conditions, only one transaction of each type need be tested, and the simulated client data must be processed through the client's system as it is used by the client throughout the year.
04 When an auditor tests the internal controls of a computerized accounting system, which of the following is true of the test data approach?
A. Test data are coded to a dummy subsidiary so they can be extracted from the system under actual operating conditions.
B. Test data programs need not be tailor-made by the auditor for each client’s computer applications.
C. Test data programs usually consist of all possible valid and invalid conditions regarding compliance with internal controls.
D. Test data are processed with the client’s computer and the results are compared with the auditor’s predetermined results.
Answer: D. Test data are processed with the client’s computer and the results are compared with the auditor’s predetermined results.
Test data are auditor-created simulations of client data. Test data is run through the client's computer applications and not a separate program and cannot include all possible valid and invalid conditions.
05 When testing a computerized accounting system, which of the following is not true of the test data approach?
A. The test data need consist of only those valid and invalid conditions in which the auditor is interested.
B. Only one transaction of each type need be tested.
C. Test data are processed by the client’s computer programs under the auditor’s control.
D. The test data must consist of all possible valid and invalid conditions.
Answer: D. The test data must consist of all possible valid and invalid conditions.
Test data is auditor-created data designed to simulate client data. The data is then run through the client's computer systems, as they normally operate throughout the year, but under the auditor's control. The test data should include transactions with the valid and invalid conditions for each item the auditor is interested in testing. However, it is not possible to include all potential valid and invalid conditions.
Audit Software
Audit software comprises computer programs used for audit purposes to process data of audit significance from the client's accounting system.
It is used by the auditor to examine the entity's computer files and may be used during both tests of control and substantive testing of transactions and balances, as the program can scrutinize large volumes of data and extract information.
Types of audit programs are:
― Generalized packaged programs: however, they need to be tailored to each specific case by defining the format of the files to be interrogated and by specifying the parameters required and the form of the output.
― Purpose written programs: these are specially written programs for cases where it is not possible to adapt a package program because of the type of machine, processing or file organization used.
― Utility programs used by the client: used by the entity to perform data processing functions such as sorting and printing of files, e.g. Excel.
The uses of audit software are:
― Calculation checks: e.g. the program gives the total amount of individual entries in the purchases day book in a particular period. The auditor then agrees this total amount to the amount posted in the purchases ledger control a/c.
― Detecting violation of system rules: e.g. the program checks that no customer has a balance above the specified credit limit.
― Detecting unreasonable items: e.g. the program checks that no customer has a discount of 50% or a debtors balance that is more than the amount of sales made to that customer.
The uses of audit software continued
― New calculation and analysis: e.g. statistical analysis of inventory movements to identify slow moving items.
― Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances.
― Completeness checks: e.g. checking continuity of sales invoices to ensure that they are all accounted for.
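Several of the uses listed above, as an added Python example rather than any real audit package: it interrogates two constructed file extracts for credit limit violations, unreasonable items, gaps and duplicates in invoice numbering, and a difference between the re-added invoice listing and the control account. The file layouts, column names and all figures are assumptions, and the calculation check runs on a sales invoice listing where the slide uses the purchases day book.

```python
import csv
import io
from decimal import Decimal

# Constructed extracts standing in for the client's files (not real data).
CUSTOMER_FILE = """code,credit_limit,balance,sales_to_date,discount_pct
C001,5000,1200,9000,5
C002,1000,1500,4000,10
C003,2000,800,600,2
C004,3000,0,2500,50
"""
INVOICE_FILE = """invoice_no,customer,amount
1001,C001,400
1002,C002,1500
1004,C003,800
1005,C001,800
1005,C001,800
"""
CONTROL_ACCOUNT_TOTAL = Decimal("3500")  # constructed control a/c posting
NUMERIC = {"credit_limit", "balance", "sales_to_date", "discount_pct", "amount"}


def load(text):
    """Apply the file format: parse CSV, convert money columns to Decimal."""
    return [{k: Decimal(v) if k in NUMERIC else v for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def credit_limit_violations(customers):
    """System rule: no customer balance above the specified credit limit."""
    return [c["code"] for c in customers if c["balance"] > c["credit_limit"]]


def unreasonable_items(customers, threshold=Decimal("50")):
    """Flag discounts of 50% or more and balances above sales made."""
    flagged = {}
    for c in customers:
        reasons = []
        if c["discount_pct"] >= threshold:
            reasons.append("discount")
        if c["balance"] > c["sales_to_date"]:
            reasons.append("balance exceeds sales")
        if reasons:
            flagged[c["code"]] = reasons
    return flagged


def sequence_check(invoices):
    """Completeness: return (missing, duplicated) invoice numbers."""
    numbers = [int(i["invoice_no"]) for i in invoices]
    missing = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))
    duplicated = sorted({n for n in numbers if numbers.count(n) > 1})
    return missing, duplicated


def calculation_check(invoices, control_total):
    """Re-add the listing; return its difference from the control account."""
    return sum(i["amount"] for i in invoices) - control_total


if __name__ == "__main__":
    cust, inv = load(CUSTOMER_FILE), load(INVOICE_FILE)
    print(credit_limit_violations(cust), unreasonable_items(cust))
    print(sequence_check(inv), calculation_check(inv, CONTROL_ACCOUNT_TOTAL))
```

In the constructed data the 800 difference from the control account equals the duplicated invoice 1005, which shows how the completeness check and the calculation check corroborate each other.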

Difficulties in using audit software
― Set up cost is high: the set up cost is high as initially the client's procedures need to be investigated and understood thoroughly before the audit software can be used to access and interrogate those files.
― Changes are costly: if there are changes to the client's system, this will require costly alterations to the audit software.
― Not suitable for small installations: there may be no suitable audit software for use on mini or micro computer installations.
― Client accounting system documentation may be incomplete, so that it is difficult to identify all procedures.
― The cost of writing specific audit software to test those systems may be difficult to justify against the possible benefit to the audit or the possibility of recovering the cost of the software.
The Difficulties Of Using Audit Software
― Set up cost is high: the set up cost is high as initially the client's procedures need to be investigated and understood before the audit software can be used to access and interrogate those files.
― Changes are costly: if there are changes to the client's system, this will require costly alterations to the audit software.
― Not suitable for small installations: there may be no suitable audit software for use on mini or micro computer installations.
― Over elaboration: there is a tendency to produce over elaborate enquiry programs which are expensive to develop and time consuming in processing and reviewing. Hence the audit cost goes up and it is difficult to justify its use.
The Difficulties Of Using Audit Software Continued
― Quantities of output: it may arise that output is too large either due to poor design of the software
― Live database: the audit program needs to be run on the live database (i.e. actual files) of the client because the auditor is testing the actual system of the client.
EXAM QUESTION ONE

You are the audit manager of Gift & Najma audit firm, and
your audit partner wishes to utilise Computer-Assisted
Audit Techniques (CAATs) for the first time for controls and
substantive testing in auditing Orange Co.’s inventory.
Required
(i) Briefly explain any five (5) potential advantages of
using CAATs in an audit (5 Marks)
(ii) Briefly explain any five (5) potential challenges of
using CAATs in an audit (5 Marks)
(iii) Briefly explain the two approaches to EDP audit:
The “black box” and the “white box” approach (6 Marks)
SOLUTION FOUR
(i) Advantages of using CAATS
– CAATs enable the audit team to test a large volume of inventory data accurately and quickly.
– If CAATs are utilised on the audit of Gift & Najma audit firm, then as long as they do not change their inventory systems, they can be cost effective after set-up.
– CAATs can test program controls within the inventory system as well as general IT controls, such as passwords.
– CAATs allow the team to test the actual inventory system and records rather than printouts from the system, which could be incorrect.
Advantages of using CAATS continued
– CAATs reduce the level of human error in testing and hence provide a better quality of audit evidence.
– CAATs results can be compared with traditional audit testing; if these two sources agree, then overall audit confidence will increase.
– The use of CAATs can free up audit team members to focus on judgemental and high risk areas, rather than number crunching.
(ii) Challenges/Disadvantages of using CAATS
– The cost of using CAATs in this first year will be high as there will be significant set-up costs; it will also be a time-consuming process, which increases costs.
– As this is the first time that CAATs will be used on Gift & Najma audit firm’s audit, the team may require training on the specific CAATs to be utilised.
– If Gift & Najma audit firm's inventory system is likely to change in the foreseeable future, then costly revisions may be required to the designed CAATs.
– The inventory system may not be compatible with the audit firm’s CAATs, in which case bespoke CAATs may be required, which will increase the audit costs.
Challenges/Disadvantages
– If testing is performed over the live inventory system, then there is a risk that the data could be corrupted or lost.
– If testing is performed using copy files rather than live data, then there is the risk that these files are not genuine copies of the actual files.
– In order to perform CAATs, there must be adequate systems documentation; otherwise it will be difficult to devise CAATs due to a lack of understanding of the inventory system.
(b) The two approaches to IT Audit
1: A black box approach (Auditing around the computer)
2: A white box approach (Auditing through the computer)
1: The Black Box (around the computer) Approach
- In the black box approach, the auditor concentrates on the inputs and outputs and ignores how data or transactions are processed by the computer.
- If the input matches the outputs, the auditor assumes that the processing of data and transactions must have been correct and therefore that the application controls are effective.
Most often this approach is used (suitable) either because:
― Processing done by the computer is too simple, e.g. sorting, simple calculations etc.
― The auditor believes that the software used by the client is reliable. This is the case with most off-the-shelf software used by the client without any in-house change.
― The auditor has no means of gaining an understanding of the computer system and therefore resorts to this approach. This situation may result from a number of reasons including:
o lack of appropriate system documentation;
o the auditor lacks the expertise or skills to use the computer system for auditing purposes;
o the auditor is not given access to the computer system at the level required.
2: The White Box (through the computer) Approach
― In this approach the processes and controls surrounding the application are also subject to audit.
― In order to help the auditor gain access to these processes, computer audit software may be used. The technique is referred to as computer assisted audit techniques (CAATs).
― It is obvious that to follow this approach the auditor needs to have sufficient knowledge of computers to plan, direct, supervise and review the work performed.
― The audit will focus on all application controls including storage control; and data transition control
The White Box Approach continued
― The auditor would also need to satisfy himself / herself that there are adequate general controls, such as the prevention of unauthorized access to the computer and the computer database.

Questions & Answers

Thank you for Following

