Chapter 13 Auditing Information Technology

  • Slides: 23

Presentation Outline
  I. Concepts in Information Systems Auditing
  II. Auditing Technology for Information Systems

I. Concepts in Information Systems Auditing
  A. The Phases of the Information Systems Audit
  B. Structure of the Financial Statement Audit
  C. Auditing Around the Computer
  D. Auditing With the Computer
  E. Auditing Through the Computer

A. Phases of the Information Systems Audit
  1. Initial review and evaluation of the area to be audited, and the audit plan preparation
  2. Detailed review and evaluation of controls
  3. Compliance testing
  4. Analysis and reporting of results

B. Structure of the Financial Statement Audit
[Diagram labels: Transactions; Accounting System; Financial Reports; Interim Audit; Compliance Testing; Financial Statement Audit; Substantive Testing]

B.1. Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

B.2. Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.

Audit Confirmation
To ABC Co. Customer: Please confirm that the balance of your account on Dec. 31 is _____.

C. Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.

D. Auditing With the Computer
The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually.

E. Auditing Through the Computer
The process of reviewing and evaluating the internal controls in an electronic data processing system.

II. Auditing Technology for Information Systems
  A. Review of Systems Documentation
  B. Test Data
  C. Integrated-Test-Facility (ITF) Approach
  D. Parallel Simulation
  E. Audit Software
  F. Embedded Audit Routines
  G. Mapping
  H. Extended Records and Snapshots

A. Review of Systems Documentation
The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking, the auditor processes test or real data through the program logic.

B. Test Data
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

Illustration of Test Data Approach
[Figure labels: Computer Operations; Auditors; Prepare Test Transactions and Results; Transaction Test Data; Computer Application System; Computer Output; Manually Processed Results; Auditor Compares]

C. Integrated Test Facility (ITF) Approach
A common form of an ITF is as follows:
  1. A dummy ITF center is created for the auditors.
  2. Auditors create transactions for controls they want to test.
  3. Working papers are created to show expected results from manually processed information.
  4. Auditor transactions are run with actual transactions.
  5. Auditors compare ITF results to working papers.

Illustration of ITF Approach
[Figure labels: Computer Operations; Auditors; Actual Transactions; Prepare ITF Transactions and Results; ITF Transactions; Computer Application System; Data Files; ITF Data; Reports With Only Actual Data; Reports With Only ITF Data; Manually Processed Results; Auditor Compares]

D. Parallel Simulation
The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.

Illustration of Parallel Simulation
[Figure labels: Computer Operations; Auditors; Actual Transactions; Computer Application System; Actual Client Report; Auditor’s Simulation Program; Auditor Simulation Report; Auditor Compares]
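A sketch of parallel simulation as described above, added here as an example and not taken from the original slides: the auditor recomputes monthly interest from the client's records and compares it with the client's report. The interest formula, account names, figures and tolerance parameter are all assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample of actual client data (loan balances and annual rates).
CLIENT_RECORDS = [
    {"account": "A-100", "balance": "12000.00", "annual_rate": "0.0600"},
    {"account": "A-101", "balance": "850.50", "annual_rate": "0.0725"},
    {"account": "A-102", "balance": "43210.10", "annual_rate": "0.0550"},
    {"account": "A-103", "balance": "5000.00", "annual_rate": "0.0600"},
    {"account": "A-104", "balance": "100.00", "annual_rate": "0.1200"},
]
# Constructed client report: monthly interest as printed by the client's program.
CLIENT_REPORT = {"A-100": "60.00", "A-101": "5.14", "A-102": "198.04",
                 "A-103": "30.00", "A-999": "12.50"}


def simulate_interest(record):
    """Auditor's independent recomputation of one month's interest."""
    amount = Decimal(record["balance"]) * Decimal(record["annual_rate"]) / 12
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records, client_report, tolerance=Decimal("0.00")):
    """Compare the simulation with the client report; return the exceptions."""
    exceptions, seen = [], set()
    for rec in records:
        acct = rec["account"]
        seen.add(acct)
        expected = simulate_interest(rec)
        if acct not in client_report:
            exceptions.append((acct, "missing from client report", expected, None))
            continue
        reported = Decimal(client_report[acct])
        if abs(reported - expected) > tolerance:
            exceptions.append((acct, "amount differs", expected, reported))
    # Report lines with no underlying record are exceptions too.
    for acct in sorted(set(client_report) - seen):
        reported = Decimal(client_report[acct])
        exceptions.append((acct, "no source record", None, reported))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(CLIENT_RECORDS, CLIENT_REPORT):
        print(row)
```

Raising the tolerance to one cent suppresses the rounding difference on A-102 while still reporting the misstated, missing and unsupported accounts.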

E. Audit Software
Computer programs that permit computers to be used as auditing tools include:
  1. Generalized audit software: performs tasks such as selecting sample data from files, checking computations, and searching files for unusual items.
  2. PC software: allows auditors to analyze data from notebook computers in the field.

F. Embedded Audit Routines
  1. In-line Code: the application program performs audit data collection while it processes data for normal production purposes.
  2. System Control Audit Review File (SCARF): edit tests for audit transaction analysis are included in the program. Exceptions are written to a file for audit review.
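A small illustration of the SCARF idea above, added as an example and not taken from the original slides: the production posting routine runs the auditor's edit tests in-line and writes each exception to a review file without interrupting processing. The vendor list, amount limit, the four edit tests and the transactions are assumptions constructed for the example.

```python
import io
import json
from datetime import date

APPROVED_VENDORS = {"V001", "V002"}  # hypothetical vendor master file
AMOUNT_LIMIT = 10_000                # hypothetical auditor-set threshold

# Constructed sample of production transactions (not from the page).
SAMPLE_TXNS = [
    {"vendor": "V001", "invoice": "INV-1", "amount": 2500, "date": "2024-03-04"},
    {"vendor": "V002", "invoice": "INV-7", "amount": 18000, "date": "2024-03-05"},
    {"vendor": "V009", "invoice": "INV-3", "amount": 400, "date": "2024-03-02"},
    {"vendor": "V001", "invoice": "INV-1", "amount": 2500, "date": "2024-03-06"},
]


def audit_edit_tests(txn, seen_invoices):
    """Auditor's edit tests; returns the names of the tests this txn fails."""
    failed = []
    if txn["amount"] > AMOUNT_LIMIT:
        failed.append("amount over limit")
    if txn["vendor"] not in APPROVED_VENDORS:
        failed.append("vendor not in master file")
    if date.fromisoformat(txn["date"]).weekday() >= 5:
        failed.append("posted on weekend")
    if (txn["vendor"], txn["invoice"]) in seen_invoices:
        failed.append("duplicate invoice")
    return failed


def process_payments(transactions, scarf):
    """Normal production posting with the audit routine embedded in-line."""
    total, seen = 0, set()
    for txn in transactions:
        failed = audit_edit_tests(txn, seen)
        if failed:  # exception record goes to the audit review file
            scarf.write(json.dumps({"txn": txn, "tests_failed": failed}) + "\n")
        seen.add((txn["vendor"], txn["invoice"]))
        total += txn["amount"]  # production processing is not interrupted
    return total


def run_sample():
    scarf = io.StringIO()  # stands in for the SCARF file on disk
    total = process_payments(SAMPLE_TXNS, scarf)
    return total, [json.loads(line) for line in scarf.getvalue().splitlines()]
```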

G. Mapping
  • Special software counts the number of times each program statement in a program executes.
  • Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation.

H. Extended Records and Snapshots
Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.
Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

Summary
  • Compliance and Substantive Testing
  • Auditing Around the Computer
  • Auditing with the Computer
  • Auditing Through the Computer
  • Testing Approaches Through the Computer