Auditing Information Technology: 2013 Pearson Education, Inc. Publishing As Prentice Hall, AIS, 11/e, by Bodnar/Hopwood

This document discusses different methods of auditing information technology systems. It distinguishes between auditing through the computer, which involves verifying controls in a computerized system, and auditing with a computer, which uses IT tools to increase audit effectiveness and efficiency. The document describes various IT audit technologies like test data, integrated test facilities, parallel simulation, and audit software. It also covers risk-based auditing and how IT is essential for most audits given most data is electronic.

Auditing Information Technology

Chapter 14

14 – 1
© 2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood
Learning Objective 1

Distinguish between auditing through the computer and auditing with a computer.

Information Systems Auditing Concepts
• Auditing involves the process in which the auditor provides assurances regarding representations or assertions.
• Information systems auditing describes two different types of IT-related activity:
  ◦ Auditing through the computer
  ◦ Auditing with the computer

Structure of a Financial Statement Audit
• The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports.
• The external auditor serves outsiders.
• The internal auditor serves a firm’s management.

Structure of a Financial Statement Audit
[Figure slide: structure of a financial statement audit]

Auditing Around the Computer
[Figure: accounting system shown as Input, Processing, Output]
• In the around-the-computer approach, the processing portion is ignored.

Auditing Around the Computer
• Totals are accumulated for accepted and rejected records.
• Auditors emphasize control over rejected transactions, their correction, and then resubmission.
• Given advances in information technology (IT), the around-the-computer approach is no longer widely used.

Auditing Through the Computer
• Auditing through the computer may be defined as the verification of controls in a computerized system.
  ◦ General controls
  ◦ Application controls

Control Framework in IT Environment
[Figure slide: control framework in an IT environment]

Auditing With the Computer
• Auditing with the computer is the process of using IT in auditing.
• The use of IT by auditors is no longer optional; it is essential.
  ◦ Most of the data that auditors must evaluate is already in electronic format.
  ◦ The use of IT is essential to increase the effectiveness and efficiency of auditing.

Auditing With the Computer
• Potential benefits of using IT in an audit:
  ◦ Computer-generated working papers
  ◦ Eliminate manual routines and calculations
  ◦ Accuracy of calculations and comparisons
  ◦ Analytical review calculations improved
  ◦ Project information generated more easily
  ◦ Standardized audit correspondence easily modified
  ◦ Morale and productivity improved
  ◦ Increased cost effectiveness
  ◦ Increased independence from IS personnel

Risk-Based Auditing
• Risk-based auditing (RBA) provides assurances relating to the effectiveness of the organization’s enterprise risk management (ERM) processes.
• Risks are managed within the organization’s risk appetite.
• RBA evaluates whether management has effective processes for identifying, classifying, scoring, and treating important risks with internal controls.

Risk-Based Auditing
• The Public Company Accounting Oversight Board (PCAOB) encourages a risk-based approach to testing the effectiveness of internal controls as they relate to financial audits.
• Top-down, sequential identification of controls:
  ◦ Company-level controls
  ◦ Accounts
  ◦ Processes
  ◦ Risks
  ◦ Controls

Learning Objective 2

Describe and evaluate alternative information systems audit technologies.

Information Systems Auditing Technology
• Information systems auditing technology has evolved along with computer systems development.
• There is no one overall auditing technology.
• There are a number of tools and techniques that may be used to accomplish audit objectives.

Test Data
• Test data are auditor-prepared input containing both valid and invalid data.
• The auditor compares test output with expected results.
• Limitations:
  ◦ Run on a specific program at a point in time
  ◦ Test data may become obsolete
  ◦ Use of test data is announced, so it cannot ensure the regular program is used
  ◦ Cannot cover all conditions

Test Data Approach
[Figure slide: test data approach]

Integrated-Test-Facility Approach
• Integrated test facility (ITF) involves the use of test data and also the creation of fictitious entities (vendors, employees, products, or accounts) on the master files of a computer system.
• Test data are processed concurrently with real transactions against live master files.
• Test data are identified by special codes.
• Fictitious data must be excluded from normal output reports.

Integrated-Test-Facility Approach
[Figure slide: integrated test facility approach]

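The test-data and ITF slides above describe the mechanism only in words; the following added example (not from the Bodnar/Hopwood deck) runs one ITF batch: a fictitious vendor tagged with a special code is seeded on the vendor master file, auditor-prepared invoices (one valid, four invalid) are processed in the same run as real invoices, the rejections are compared with the auditor's expected results, and the tagged activity is stripped from the normal accounts-payable report. All vendor ids, invoice numbers, amounts and the `ITF` tag are constructed for illustration.

```python
from dataclasses import dataclass

ITF_TAG = "ITF"  # special code marking auditor-created (fictitious) entities

@dataclass
class Vendor:
    vendor_id: str
    approved: bool
    balance: float = 0.0
    tag: str = ""  # ITF_TAG for fictitious entities, empty for real ones

def process_batch(master, invoices):
    """Apply the application's edit checks to each invoice, post the accepted
    ones to the master file and return (accepted_ids, rejections)."""
    accepted, rejections, seen = [], [], set()
    for inv in invoices:
        vendor = master.get(inv["vendor_id"])
        if vendor is None:
            rejections.append((inv["invoice_no"], "unknown vendor"))
        elif not vendor.approved:
            rejections.append((inv["invoice_no"], "vendor not approved"))
        elif inv["amount"] <= 0:
            rejections.append((inv["invoice_no"], "non-positive amount"))
        elif inv["invoice_no"] in seen:
            rejections.append((inv["invoice_no"], "duplicate invoice number"))
        else:
            seen.add(inv["invoice_no"])
            vendor.balance += inv["amount"]
            accepted.append(inv["invoice_no"])
    return accepted, rejections

def ap_report(master):
    """Normal output report: ITF-tagged entities must not appear in it."""
    return {vid: v.balance for vid, v in master.items() if v.tag != ITF_TAG}

def run_itf():
    # Live master file: two real vendors plus the auditor's fictitious ones (tagged).
    master = {
        "V100": Vendor("V100", approved=True),
        "V200": Vendor("V200", approved=True),
        "V998": Vendor("V998", approved=False, tag=ITF_TAG),
        "V999": Vendor("V999", approved=True, tag=ITF_TAG),
    }
    real = [{"invoice_no": "R1", "vendor_id": "V100", "amount": 500.0},
            {"invoice_no": "R2", "vendor_id": "V200", "amount": 75.0}]
    tests = [  # auditor-prepared (constructed): one valid record, four that each hit one control
        {"invoice_no": "T1", "vendor_id": "V999", "amount": 120.0},
        {"invoice_no": "T1", "vendor_id": "V999", "amount": 120.0},  # duplicate number
        {"invoice_no": "T2", "vendor_id": "V999", "amount": -5.0},   # negative amount
        {"invoice_no": "T3", "vendor_id": "V998", "amount": 10.0},   # unapproved vendor
        {"invoice_no": "T4", "vendor_id": "VXXX", "amount": 10.0},   # vendor not on file
    ]
    expected = [("T1", "duplicate invoice number"), ("T2", "non-positive amount"),
                ("T3", "vendor not approved"), ("T4", "unknown vendor")]
    # Test data are processed in the same run as the real transactions.
    accepted, rejections = process_batch(master, real + tests)
    itf_rejections = [r for r in rejections if r[0].startswith("T")]  # "T" prefix = test invoice
    return {
        "controls_ok": itf_rejections == expected and "T1" in accepted,
        "itf_balance": master["V999"].balance,  # only the valid test invoice posted
        "report": ap_report(master),            # fictitious vendors excluded
    }
```

If `ap_report` did not filter on the tag, the fictitious 120.0 would flow into the real AP totals, which is the contamination the "must be excluded from normal output reports" bullet warns about.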
Parallel Simulation
• Parallel simulation processes real data through test or audit programs.
• The simulated output and the regular output are compared for control purposes.
• The amount of redundant processing is usually limited to sections of major interest to the audit.
• The audit program used is typically generalized audit software.

Parallel Simulation
[Figure slide: parallel simulation]

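As an added example of the parallel simulation just described (written for this page, not taken from the deck or from any audit software product), the auditor's own routine re-performs only one section of major interest, the gross-pay calculation, on the same input file the production payroll program read, and compares the two outputs record by record. Employees, hours, rates and the production figures are constructed; one production record carries a deliberate miscalculation and one has no input record at all.

```python
OVERTIME_THRESHOLD = 40.0   # hours per week paid at straight time
OVERTIME_MULTIPLIER = 1.5   # time-and-a-half above the threshold

def simulate_gross_pay(rec):
    """Auditor's independent version of the pay rule; this is the only part of
    the payroll run that is re-performed."""
    regular = min(rec["hours"], OVERTIME_THRESHOLD)
    overtime = max(rec["hours"] - OVERTIME_THRESHOLD, 0.0)
    return round(regular * rec["rate"] + overtime * rec["rate"] * OVERTIME_MULTIPLIER, 2)

def parallel_simulation(input_file, production_output, tolerance=0.005):
    """Compare simulated gross pay with the regular output. Returns a list of
    (emp_id, reason, simulated, production) exceptions for follow-up."""
    prod = {r["emp_id"]: r for r in production_output}
    exceptions = []
    for rec in input_file:
        sim = simulate_gross_pay(rec)
        out = prod.get(rec["emp_id"])
        if out is None:
            exceptions.append((rec["emp_id"], "missing from production output", sim, None))
        elif abs(out["gross"] - sim) > tolerance:
            exceptions.append((rec["emp_id"], "amount differs", sim, out["gross"]))
    # Records the production program emitted without any corresponding input.
    extra = set(prod) - {r["emp_id"] for r in input_file}
    for emp in sorted(extra):
        exceptions.append((emp, "in output but not in input", None, prod[emp]["gross"]))
    return exceptions

# Constructed sample data standing in for the real payroll input and output files.
INPUT_FILE = [
    {"emp_id": "E1", "hours": 38.0, "rate": 20.0},
    {"emp_id": "E2", "hours": 45.0, "rate": 20.0},
    {"emp_id": "E3", "hours": 50.0, "rate": 30.0},
]
PRODUCTION_OUTPUT = [
    {"emp_id": "E1", "gross": 760.0},
    {"emp_id": "E2", "gross": 900.0},   # production paid all 45 hours at straight time
    {"emp_id": "E3", "gross": 1650.0},
    {"emp_id": "E9", "gross": 400.0},   # no input record exists for this employee
]

def run_simulation():
    return parallel_simulation(INPUT_FILE, PRODUCTION_OUTPUT)
```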
Audit Software
• Audit software includes computer programs that permit the computer to be used as an auditing tool.
• The computer is programmed to read, select, extract, and process sample data.
• Generalized Audit Software (GAS) is software specifically designed to facilitate the use of IT in auditing.
  ◦ ACL Software

Embedded Audit Routines
• Embedded audit routines are an audit technology that involves modification of computer programs for audit purposes.
• Special auditing routines are built into regular production programs so that transaction data can be subject to audit analysis.
• Embedded audit data collection uses specially programmed modules embedded as in-line code to select and record data for analysis and evaluation.

Embedded Audit Data Collection
[Figure slide: embedded audit data collection]

Embedded Audit Routines
• Audit criteria for selecting and recording transactions by the embedded modules must be supplied by the auditor.
  ◦ System control audit review file
  ◦ Audit hooks
  ◦ Sample audit review file

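The two embedded-audit-routine slides above describe in-line modules driven by auditor-supplied criteria; this added example (constructed for this page, not the deck's own code) shows a production posting routine with an audit hook that writes every transaction matching the criteria to an in-memory system control audit review file (SCARF). The criteria, user names and transactions are constructed; the hook records but never changes the production result.

```python
from datetime import datetime

# Auditor-supplied selection criteria (constructed): each returns a reason or None.
AUDIT_CRITERIA = [
    lambda t: "large amount" if t["amount"] >= 10_000 else None,
    lambda t: "entered and approved by same user"
              if t["entered_by"] == t["approved_by"] else None,
    lambda t: "posted outside business hours"
              if not 8 <= t["posted_at"].hour < 18 else None,
]

SCARF = []  # system control audit review file, kept in memory for the example

def audit_hook(txn):
    """Embedded module: evaluate the criteria and record matches for later
    audit analysis. Returns the list of reasons that fired."""
    reasons = [reason for rule in AUDIT_CRITERIA if (reason := rule(txn))]
    if reasons:
        SCARF.append({"txn_id": txn["txn_id"], "reasons": reasons})
    return reasons

def post_transactions(ledger, txns):
    """Normal production posting with the audit hook called in-line."""
    for t in txns:
        ledger[t["account"]] = ledger.get(t["account"], 0.0) + t["amount"]
        audit_hook(t)  # selection and recording only; posting is unaffected
    return ledger

def run_collection():
    SCARF.clear()
    txns = [  # constructed transactions: one routine, one large, one with two exceptions
        {"txn_id": 1, "account": "4000", "amount": 250.0, "entered_by": "ann",
         "approved_by": "bob", "posted_at": datetime(2013, 3, 4, 10, 15)},
        {"txn_id": 2, "account": "4000", "amount": 12_500.0, "entered_by": "ann",
         "approved_by": "bob", "posted_at": datetime(2013, 3, 4, 11, 0)},
        {"txn_id": 3, "account": "5100", "amount": 900.0, "entered_by": "cal",
         "approved_by": "cal", "posted_at": datetime(2013, 3, 4, 23, 40)},
    ]
    ledger = post_transactions({}, txns)
    return ledger, list(SCARF)
```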
Extended Records Technique
• Extended records involve the modification of computer programs to provide a comprehensive audit trail for selected transactions.
• Specific transactions are tagged
  ◦ Identified by special codes, selected randomly, or selected as exceptions to edit tests

Snapshot Technique
• Snapshot attempts to provide a comprehensive picture of the working of a program at a particular point in time.
  ◦ Addition of program code to cause the program to print the contents of selected memory

Tracing Technique
• Tracing provides a detailed audit trail of the instructions executed during the program’s operation.
• Useful to verify that internal controls within an application program are executed as the program processes live or test data.

Review-of-Systems Documentation
• Review of systems documentation such as narrative descriptions, flowcharts, and program listings is the oldest audit technique, but it is still widely used.
  ◦ Particularly appropriate in the initial phases of the audit
  ◦ Programs are desk checked by the auditor, who manually processes test or real data through the program logic

Control Flowcharting
• Control flowcharting: specific documentation for auditing purposes is reviewed and developed to show the nature of application controls in a system.
• Analytic flowcharts, system flowcharts, and other graphic techniques are used to describe the controls in a system.

Mapping Technique
• Mapping: special software is used to monitor the execution of a program.
• The software counts the number of times each program statement is executed and provides summary statistics concerning resource use.
  ◦ Used effectively in conjunction with the test data technique

Learning Objective 3

Characterize various types of information system audits.

General Approach to an Information Systems Audit
• Three-phase structure:
  1. Initial review and evaluation of the area to be audited and audit plan preparation
  2. Detailed review and evaluation of controls
  3. Compliance testing and analysis of results

General Approach to an Information Systems Audit
• The initial review phase determines the course of action the audit will take:
  ◦ Decisions concerning specific areas to be investigated
  ◦ Deployment of audit labor
  ◦ Audit technology to be used
  ◦ Development of a time and/or cost budget for the audit

General Approach to an Information Systems Audit
• An audit program is a detailed list of the audit procedures to be applied on a particular audit.
• Standardized audit programs for particular audit areas have been developed and are common in all types of auditing.

General Approach to an Information Systems Audit
• The second general phase of an information systems audit is detailed review and evaluation.
  ◦ Focused on fact finding
  ◦ Documentation of the application area is reviewed
  ◦ Data concerning the operation of the system are collected

General Approach to an Information Systems Audit
• The third phase of the audit is testing.
  ◦ Produces evidence of compliance with procedures.
• Compliance tests are undertaken to provide reasonable assurance that internal controls exist and operate as prescribed in systems documentation.

Information Systems Application Audits
• Application controls are divided into three general areas:
  ◦ Input
  ◦ Processing
  ◦ Output

Application Systems Development Audit
• System development audits are directed at the activities of systems analysts and programmers.
• Controls governing the systems development process directly affect the reliability of the application programs that are developed.

Application Systems Development Audit
• Three general areas of audit concern in the systems development process:
  ◦ Systems development standards
  ◦ Project management
  ◦ Program change control

Computer Service Center Audits
• Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which applications will function.
• Audits of computer service center operations require a high degree of technical training.

Auditing Service-Oriented Architecture
• SOA is composed of many individual services connected together in different ways depending on the day.
• The different services will exchange messages (that contain privileged data) with each other.
• There is no single, clearly defined, fixed application that can be tested, so additional internal control is needed.

Learning Objective 4

Describe IT governance and the COBIT standard for auditing information technology.

IT Governance
IT governance encompasses elements that interact to provide IT services within an organization. Elements include:
• Communication
• Business
• Legal
• Management
• IT users and staff
• Suppliers
• Auditors
• Other parties

Enhance and ensure the efficient application of IT resources as a critical success factor.

COBIT
• Control Objectives for Information and related Technology (COBIT) is an open standard for control over IT.
  ◦ Helps management “bridge the gap” between business risks, control needs, and technical issues
  ◦ Provides “good practices” across a domain and process framework
  ◦ Provides a generally applicable and accepted standard for IT security and control practices

COBIT
• 34 high-level COBIT objectives organized into four domains:
  ◦ Plan and Organize
  ◦ Acquire and Implement
  ◦ Deliver and Support
  ◦ Monitor and Evaluate

COBIT
COBIT is designed for use by:
• Management
• Users
• Auditors

Maturity Models
• Used to evaluate an organization’s relative level of achievement of IT governance.
• Defined levels:
  ◦ 0: Nonexistent
  ◦ 1: Initial/Ad Hoc
  ◦ 2: Repeatable but Intuitive
  ◦ 3: Defined Process
  ◦ 4: Managed and Measurable
  ◦ 5: Optimized

Management Guidelines
• Consist of detailed inputs, outputs, activities, goals, and metrics for the 34 COBIT processes.
• Inputs and outputs illustrate what processes require from other processes and what the processes typically deliver.
• Activities and associated responsibilities are also provided.

RACI Chart
• Documentation and assignment of activities are shown in a RACI chart.
• A RACI chart identifies who is Responsible, Accountable, Consulted, and/or Informed.

Performance Measurement
Goals and metrics are defined in COBIT at three levels:
• IT
• Process
• Activity

COBIT and Sarbanes-Oxley Compliance
• IT Control Objectives for Sarbanes-Oxley is a product for governance, assurance, control, and security professionals.
• Provides guidance on how to ensure compliance with the IT environment based on COBIT

Professional Certifications Relating to IT Governance
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT (CGEIT)

End of Chapter 14