Auditing Information Technology

Mwamba Ally Jingu: FCPA; PhD

1
Information Technology (IT) has revolutionized and dramatically
changed the manner in which the business is conducted today.
Computerization has a significant effect on organization control,
flow of document information processing and so on.
However, auditing IT has not changed the fundamental nature of
auditing. The objective of an audit is still
“to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement,
whether due to fraud or error,
OR to express an opinion on whether the financial statements
have been prepared, in all material respects, in accordance with
an
2 applicable financial reporting framework
 Auditing Information Technology
There are several names for an audit in an Information
Technology (IT) system. They include:

An audit in an Electronic Data processing (EDP)

environment;
An audit in a Computerized Information System (CIS)
Environment; and
Computer Audit
3
 Audit Approaches in an IT Environment
There are two audit approaches in an IT environment:
1 Audit around the computer (black box approach)
2. Audit through the computer (white box approach)

In the black box approach or auditing around the computer the

auditor concentrates on the input controls and output controls and
ignores the specific of how the computer processes the data of
transactions
If input matches the output the auditor assumes that the
processing of data or transactions must have been correct
4
 The comparison of inputs and outputs may be done manually with the
assistance of the computer.
In simple words evidence is drawn and conclusions are reached without
considering how inputs are being processed to provide outputs.
5
Black Box Approach continued
Most often the black box approach is used either because:
• processing done by the computer is too simple e.g. casting, sorting etc
• auditor is already aware of the software’s reliability. This is the case
with most of off-the-shelf software used by client without any in-house
alteration and thus need not to be checked.
• auditor has no mean to gain understanding of the computer system
and thus resorts with this approach. This situation can arise out of
circumstances including:
o lack of appropriate system documentation
o auditor lacks expertise or skills to understand or use the computer
system for auditing purposes.
o auditor is not given access to computer system at the level
6 required
 Audit around the computer is used in situations when auditor is of the
opinion that computer system is reliable and often comparison of
inputs to outputs is enough.

In other the auditor will not assess whether required controls are in
place and if they are working operating effectively while inputs are
processed.

However,, relying too much on this approach is not recommended for

important aspects of the audit especially where assessed risk is high
as this may result in ineffective audit and ultimately inappropriate audit
opinion being expressed by the auditor.
As mentioned earlier that auditor will bypass computer system and will
not check for existence and/or operating effectiveness of controls in
7 processing data.
 Auditing through the computer
In this approach the processes and controls surrounding the
application are also subject to audit
-In order to help the auditor to gain access to these processes
computer audit software may be used.
The technique is referred to as computer assisted audit technique
(CAATS).
-It is obvious that to follow this approach the auditor needs to have
sufficient knowledge of computer plans, direct supervise and review the
work performed.
-The areas covered in the audit will concentrate on the following
controls: Input control; processing control; storage control; output
8
control; and data transition controls
Auditing through the computer continued
When auditing through the computer auditors follow the
audit trail through the internal computer operations in
order to verify that the processing controls are functioning
properly

Additionally, it attempts to validate the accounting data

being processed. The auditor assumes that the CPU and
additional hardware are functioning properly.

As the computer processing is paperless and not visible

by human eyes the auditors use Computer Assisted
Auditing Techniques (CAATs) in auditing through the
computer
9
 Computer Assisted Auditing Techniques
CAATs use a computer to assist the auditor in testing
during the audit procedures. There are 2 categories
of CAATs:
1. Test Data and 2.
2. Audit Software

10
 Advantages of CAATs to the Auditor
• Test programmed controls: in a computer based accounting system,
there are large volume of transactions which the auditor will have to
audit.
The auditor will have to check if the programmed controls are functioning
correctly. The only effective way of testing programmed controls is through
CAAT.
• Test on large volume of data: CAAT enable auditors to test large amount
of data quickly and accurately and therefore increase the confidence they
have in their opinion.
• Test on source location of data: CAAT enables auditors to test the
accounting systems and its records (e.g. disk files) at its source location
rather than testing the printouts of what they believe to be a copy of
those records.
11
 Advantages of CAATs to the Auditor Continued

• Cost effective: once set up CAAT are likely to be cost effective

way of obtaining audit evidence year after year provided that the
client does not change the accounting system regularly.

• Comparison: allows results from using CAAT to be compared to

traditional testing. Where the two results agree this increase the
overall audit confidence.

12
 Disadvantages of using CAATS
• CAATs can be expensive and time consuming to set up, the software
must either be purchased or designed (in which case specialist IT staff
will be needed);
• Client permission and cooperation may be difficult to obtain;
• Potential incompatibility with the client's computer system;
• The audit team may not have sufficient IT skills and knowledge to create
the complex data extracts and programming required;
• The audit team may not have the knowledge or training needed to
understand the results of the CAATs; and
• Data may be corrupted or lost during the application of CAATs.
13
 Test Data
One of the Two Types of CAATs is Test Data
Test data involves the auditor submitting “dummy” data into
the client’s computer system to ensure that the system
correctly processes it and that it prevents or detects and
corrects misstatements.
The objective of this is to test the operations of application
controls within the system

14
 Test Data Continued
To be successful test data should include data with errors built into it
and data without errors. Examples include:
• Codes that do not exist, e.g., customers, suppliers and employees
• Transactions above predetermined limits, e.g., salaries above
contracted amounts, credits above limits agreed with customers
• Invoices with arithmetical errors and
• Submitting data with incorrect control totals
Data may be processed during a normal operational cycle (live test
data) or during a special run at a point in time outside the normal
operational cycle (dead test).
Both have their advantages and disadvantages

15
 Live data could interfere with the normal operations of the system
or corrupt master file or standing data.
The auditor prepares input containing both valid and invalid data.
Prior to processing the test data, the input is manually processed
to determine what the output should look like.
The auditor then compares the computer-processed output with
the manually processed results
Note that, Test data involves the auditor submitting 'dummy' data
into the client's system to ensure that the system correctly
processes it and that it prevents or detects and corrects
misstatements.
16
Test Data Summary

1. Contents of the Test Data

-Test data involves auditor preparation of a set of fictitious
(dummy) data:
-The set of fictitious data is divided into two categories. One
category consists of valid (correct) data and the other category
invalid (incorrect) data.
-.For example, a customer sales order record contains the
following data: Quantity 10, sales price 20 shillings, for a valid
data, the total value of the sale should be calculated to 200
-But if the calculated value is 2000 then the application controls
should detect the error because the data is invalid
17
Test Data Summary
2. How the Test Data is used by the auditor

-Prior to processing the test data, the input is manually processed

to determine what the output should look like.
-The auditor then enters the test data through the client’s
application programs.
-If the input data is entered into the system, the auditor will expect
an input rejection. Conversely, the valid data should be processed
without problems
- Results of input procedures are compared with expected
behavior of application in order to determine whether input
controls are in place
18
19
20
 03 When an auditor tests a computerized accounting system,
which of the following is true of the test data approach?
A Test data must consist of all possible valid and invalid
conditions..
B The program tested is different from the program used
throughout the year by the client
C Several transactions of each type must be tested..
D Test data are processed by the client’s computer
programs under the auditor’s control
D. Test data are processed by the client’s computer
programs under the auditor’s control.
It is not possible to test all valid and invalid
conditions, only one transaction of each type need be
tested, and the simulated client data must be processed
through the client's system as it is used by the client
throughout the year.
21
 04 When an auditor tests the internal controls of a
computerized accounting system, which of the following is
true of the test data approach?
A Test data are coded to a dummy subsidiary so they can
be extracted from the system under actual operating
conditions.
B Test data programs need not be tailor-made by the
auditor for each client’s computer applications.
C Test data programs usually consist of all possible valid
and invalid conditions regarding compliance with internal
controls..
D Test data are processed with the client’s computer and
the results are compared with the auditor’s
predetermined results
d) Test data are processed with the client’s computer and
the results are compared with the auditor’s predetermined
results.

Test data are auditor-created simulations of client data. Test

data is run through the client's computer applications and
22
not a separate program and cannot include all possible valid
and invalid conditions.
 05 When testing a computerized accounting system, which of
the following is not true of the test data approach?
A The test data need consist of only those valid and invalid
conditions in which the auditor is interested.
B Only one transaction of each type need be tested..
C Test data are processed by the client’s computer
programs under the auditor’s control
D The test data must consist of all possible valid and
invalid conditions

D The test data must consist of all possible valid and invalid
conditions.

Test data is auditor-created data designed to simulate client

data. The data is then run through the client's computer
systems, as they normally operate throughout the year, but
under the auditor's control. The test data should include
transactions with the valid and invalid conditions for each
item the auditor is interested in testing. However, it is not
23 possible to include all potential valid and invalid conditions
 Audit Software
Audit software: comprises computer programs used for
audit purposes to process data audit significance from
the client accounting system.

It is used by the auditor to examine the entity:

• computer files and may be used during both test of
control and substantive testing of transactions and

• balances as the program can scrutinize large volume

of data and extract information,
24
 Types of audit programs are:

• Generalized packaged programs: however they need to be

tailored to each specific case by defining the format of the files
to be interrogated by specifying the parameters required and
the form of that output.
•
• Purpose written programs: these are specially written
programs where it is not possible to adapt a package program
because of the type of machine, processing or file organization
used.

• Utility programs used by the client: used by the entity to

perform data processing functions such as sorting and printing
25 of files e.g. excel.
The uses of audit software are:
• Calculation checks: e.g. program gives the total amount of individual
entries in purchases day book in a particular period. Auditor then agree this
total amount to the amount posted in purchases ledger control a/c.
• Detecting system violation rule: e.g. program checks that no customer
has balance above specified credit limit.
• Detecting unreasonable items: programs checks that no customer has
discount of 50% or debtors balance is more than the amount of sales made
to that customer.

• New calculation and analysis: e.g. statistical analysis of inventory

movements to identify slow moving items.
• Selecting items for audit testing: e.g. obtaining a stratified sample of
sales ledger balances
• Completeness checks: e.g. checking continuity of sales invoices to ensure
26
that they are all accounted for.
 difficulties in using audit software
• Set up cost is high: set up cost is high as initially client procedures need
to be investigated and understood thoroughly prior to the audit software
can be used to access and interrogate those files.

• Changes are costly: if there are changes to client system, this will require
costly alterations to the audit software.

• Not suitable for small installations: there may be no suitable audit

software for use on mini or micro computer installations.
Client accounting system documentation may be incomplete so that it is
difficult to identify all procedures.

The cost of writing specific audit software to test those systems may be
difficult to justify against the possible benefit on the audit or possibility of
recovering the cost of the software.
27
briefly explain the difficulties of using audit software.
• Set up cost is high: set up cost is high as initially client procedures need
to be investigated and understood prior to the audit software
• Changes are costly: if there are changes to client system,
• Not suitable for small installations: there may be no suitable audit
software for use on mini or micro computer installations.
• Over elaboration: tendency to produce over elaborate enquiry programs
which are expensive to develop, time consuming in processing and
reviewing. Hence audit cost goes up and its difficult to justify its use.
• Quantities of output: it may arise that output is too large either due to
poor design of the software
• Live database: the audit program need to be run on the live database (i.e.
actual files) of the client because the auditor is testing the actual system of
28 the client.
EXAM QUESTION
Orange Juice Company (Orange Co.) is a manufacturer of Orange juice in Tanga,
The company operates from a large production facility, where it undertakes
continuous production 24 hours a day, seven days a week. At this production facility
there are two warehouses, where the company’s finished goods and raw materials are
stored. Orange Co.’s finished goods consist of Orange juice packed in boxes, and the
raw materials consists orange fruits, sugar, and flavours. Orange Co.’s year end is 31
December.
Orange Co. is finalising the arrangements for the year-end inventory count, which is
to be undertaken on 31 December 2020. The finished Orange juice is stored within
20 lanes of the first warehouse. The second warehouse is for the raw materials. The
following arrangements have been made for the inventory count: The warehouse
manager will supervise the count as he is most familiar with the inventory.
There will be ten teams of counters and each team will comprise two members of
staff. None of the warehouse staff, other than the manager, will be involved in the
count. The level of work-in-progress in the manufacturing plant is to be assessed by
the warehouse manager. It is likely that this will be an immaterial balance.
29
You are the audit manager of Gift & Najma audit firm, and your audit
partner wishes to utilise Computer-Assisted Audit Techniques (CAATs)
for the first time for controls and substantive testing in auditing Orange
Co.’s inventory.
Required
While you understand that, computer assisted audit techniques
(CAATs) are the methods of using a computer to assist the auditor in
the performance of the computer audit:
(i) Briefly explain any five (5) potential advantages of using CAATs
in an audit (5 Marks)
(ii) Briefly explain any five (5) potential challenges of using
CAATs in an audit (5 Marks)
(iii) Briefly explain the two approaches to EDP audit: The black box
30 approach and the white box approach (6 Marks)
SOLUTION FOUR

(i) Advantages of using CAATS

– CAATs enable the audit team to test a large volume of inventory data accurately
and quickly.
– If CAATs are utilised on the audit of Gift & Najma audit firm , then as long as they
do not change their inventory systems, they can be cost effective after set-up.
– CAATs can test program controls within the inventory system as well as general IT
controls, such as passwords.
– Allows the team to test the actual inventory system and records rather than printouts
from the system which could be incorrect.
– CAATs reduce the level of human error in testing and hence provide a better
quality of audit evidence.
– CAATs results can be compared with traditional audit testing; if these two sources
agree, then overall audit confidence will increase.
– The use of CAATs can free up audit team members to focus on judgemental and
31
high risk areas, rather than number crunching.
(ii) Challenges/Disadvantages of using CAATS

– The cost of using CAATs in this first year will be high as there will be significant set-up costs,
it will also be a time-consuming process which increases costs.

– As this is the first time that CAATs will be used on Gift & Najma audit firm’s audit, then the
team may require training on the specific CAATs to be utilised.

– Gift & Najma audit firm inventory system is likely to change in the foreseeable future, then
costly revisions may be required to the designed CAATs.

– The inventory system may not be compatible with the audit firm’s CAATs, in which case
bespoke CAATs may be required, which will increase the audit costs.

– If testing is performed over the live inventory system, then there is a risk that the data could
be corrupted or lost.

– If testing is performed using copy files rather than live data, then there is the risk that these
files are not genuine copies of the actual files.

– In order to perform CAATs, there must be adequate systems documentation. otherwise it will
32 difficult to devise CAATs due to a lack of understanding of the inventory system.
be
(b) The two approaches to IT Audit
1: A black box approach i.e., Auditing around the computer, or
2: A white box approach i.e., Auditing through the computer

1: The Black Box (around the computer) Approach

-In the black box approach the computer, the auditor concentrates
on the inputs and outputs and ignores how data or transactions
are processed by the computer.

-If input matches the outputs, the auditor assumes that the
processing of data and transactions must have been correct and
therefore the application controls are effective
33
Most Often this Approach is Used (Suitable) either because:
• Processing done by the computer is too simple e.g., sorting,
simple calculations etc
• The auditor believes that the software used by the client is
reliable. This is the case with most of off-the-shelf software
used by client without any in-house change.
• Auditor has no means of gaining understanding of the
computer system and therefore, resorts to this approach. This
situation may result from a number of reasons including: lack
of appropriate system documentation; auditor lacks expertise
or skills use the computer system for auditing purposes;
auditor is not given access to computer system at the level
34
required
2: The White Box (through the computer) Approach
In this approach the processes and controls surrounding the
application are also subject to audit
• In order to help the auditor to gain access to these processes
computer audit software may be used. The technique is
referred to as computer assisted audit technique (CAATS).
• It is obvious that to follow this approach the auditor needs to
have sufficient knowledge of computer plans, direct supervise
and review the work performed.
• The audit will focus on all application controls including storage
control; and data transition control
• The auditor would also need to satisfy himself / herself that
there are adequate general controls, such as, the prevention of
unauthorized access to the computer and the computer
35
database