
Conducting an Information Systems Audit

OVERVIEW
When computers first became part of the information processing systems, many
auditors felt that they would have little impact on the audit process. Hence, the auditors would
continue to audit around the computer by reviewing and examining source documents or input
and checking the final output based on those documents. However, as computer systems
became more “fully integrated” and the volume of transactions increased, it became
increasingly difficult to audit around the computer because much of the audit trail was lost
within the computer. Consequently, auditors learned more about computer systems and their
emphasis switched to audit through the computer. An information systems audit is generally
divided into four phases, namely: audit planning, tests of controls, substantive testing and
issuance of audit report.

In this module, we will study the steps involved and the complexities in
conducting an information systems audit. We will also go through the various audit techniques
using computers and become familiar with the effect of e-commerce on the audit of financial
statements.

LEARNING OUTCOMES
At the end of this module, you should be able to:

• Understand the effects of computers on the audit process.
• Know how audit planning is done in a CIS environment.
• Understand the basic audit procedures applied in evaluating the internal control and
substantive testing in a CIS environment.
• Be familiar with the various audit techniques using computers.
• Be familiar with PAPS 1013, Electronic Commerce – Effect on the Audit of Financial
Statements.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --
Introduction
When computers first became part of the information processing systems, many
auditors felt that they would have little impact on the audit process. Hence, the auditors would
continue to audit around the computer by reviewing and examining source documents or input
and checking the final output based on those documents. However, as computer systems
became more “fully integrated” and the volume of transactions increased, it became
increasingly difficult to audit around the computer because much of the audit trail was lost
within the computer. Consequently, auditors learned more about computer systems and their
emphasis switched to audit through the computer.

AUDIT APPROACH IN A CIS ENVIRONMENT

The auditor will use the Computer Assisted Audit Techniques (CAATs).

Auditing Through the Computer – the auditor focuses upon all EDP functions, particularly
the controls over input, processing and output.
This means that the auditor investigates the data processing system by feeding the computer
hypothetical transactions covering all types of situation in which he is instructed, and
ascertaining that the answers produced are correct and that wrong data are rejected.
If the system is satisfactorily controlled, the auditor relies upon the system and infers that the
financial accounting information processed by the system is correct. This indicates that the
audit process has changed to adapt to the increasingly computerized environment.
✓ When auditing in a CIS environment, an auditor focuses upon the adequacy of controls
over transactions, not upon the transactions themselves, as in manual systems.

Effects of Computers on the Audit Process


The overall objective and scope of an audit does not change in a CIS environment.
However, the use of a computer changes the processing, storage and communication of
financial information and may affect the accounting and internal control systems employed
by the entity.
Accordingly, a CIS environment may affect:
1. The procedures followed by the auditor in obtaining a sufficient understanding of
the accounting and internal control systems.
2. The consideration of inherent risk and control risk through which the auditor arrives
at the risk assessment.
3. The auditor’s design and performance of tests of control and substantive
procedures appropriate to meet the audit objective.

The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and review
the work performed.

The auditor should consider whether specialized CIS skills are needed in an audit.

If specialized skills are needed, the auditor would seek the assistance of a professional
possessing such skills, who may be either the auditor’s staff or an outside professional.

If the use of such a professional is planned, the auditor should obtain sufficient
appropriate audit evidence that such work is adequate for the purposes of the audit, in
accordance with PSA 620, “Using the Work of an Expert.”

Planning
In accordance with PSA 315 (Clarified), “Understanding the Entity and Its Environment
and Assessing the Risks of Material Misstatement,” the auditor should obtain an understanding
of the accounting and internal control systems sufficient to plan the audit and develop an
effective audit approach.

In planning the portions of the audit which may be affected by the client’s CIS environment,
the auditor should obtain an understanding of the significance and complexity of the CIS
activities and the availability of data for use in the audit.
• Significance relates to the materiality of the financial statement assertions affected by the
computer processing.
• An application may be considered to be complex when, for example:
- The volume of transactions is such that users would find it difficult to identify and correct
errors in processing.
- The computer automatically generates material transactions or entries directly to
another application.

The organization structure of the client’s CIS activities and the extent of concentration or
distribution of computer processing throughout the entity, “segregation of duties”

The availability of data. Source documents, certain computer files and other evidential
matter that may be required by the auditor may exist for only a short period or only in
machine-readable form.

The auditor should also obtain an understanding of CIS environment and whether it may
influence the assessment of inherent and control risks. The nature of the risks and the
internal control characteristics in CIS environments include the following:
❖ Lack of transaction trails
❖ Uniform processing of transactions
❖ Lack of segregation of functions
❖ Potential for errors and irregularities
- Decreased human involvement in handling transactions processed by CIS can reduce
errors and irregularities.
- Errors and irregularities during design of application programs or systems software can
remain undetected for long periods of time.
➢ Initiation or execution of transactions
➢ Dependence of other controls over computer processing
➢ Potential for increased management supervision
➢ Potential for the use of computer-assisted audit techniques

Assessment of Risk

▪ The inherent risks and control risks in a CIS environment may have both a pervasive
effect and an account-specific effect
▪ The risks may increase the potential for errors or fraudulent activities in specific
application, in specific data bases or master files.
CIS technologies employed by clients to build increasingly complex computer systems
▪ internet/extranet
▪ intranet technologies
▪ distributed data bases
▪ Feed information directly into the accounting systems.
▪ Increase overall complexity
▪ May increase risk and require further consideration

Audit Clients Using Computer Information Systems (CIS)

▪ The auditor’s specific audit objectives do not change whether accounting data is
processed manually or by computer.
▪ Methods of applying audit procedures to gather evidence may be influenced by the
methods of computer processing.

AUDIT PROCEDURES applicable to evaluating the internal controls in CIS systems are:

A. Review of the system

✓ The auditor must be capable of understanding the entire system to evaluate the client’s
internal control.
✓ Determine whether the system provides reasonable assurance that errors and
irregularities have been and will be prevented or detected on a timely basis by employees in
the course of their normal activities.

B. Tests of compliance
After reviewing the CIS controls, the auditor attempts to gather evidence to provide reasonable
assurance that the prescribed controls are functioning properly.
Depending upon:
❑ The EDP equipment
❑ The nature of the system
❑ The adequacy of the audit trail
❑ The audit objectives

The auditor chooses either to:

1) Audit around the computer - means the auditor does not use the computer to
perform tests, select samples, etc. If there is an adequate audit trail, the auditor
can do the following:
a. Examine for evidence of controls, i.e. error logs, batch control records, etc.
b. Trace transactions using printouts to follow input documents through to the final
report.
c. Process sample transactions manually, process a batch of transactions and
compare with the printouts.

2) Audit through (with the use of) the computer. Computers are useful in
performing the audit. The auditor can use a computer program (provided by the client
or prepared by the auditor) to examine data files and perform many of the clerical
tasks previously performed by a junior auditor.

Because of the speed of the computer these tests can sometimes be performed for an
entire file rather than for only a sample of transactions. Many auditors have generalized
computer audit packages which will run on most computers and perform many audit
tasks.

C. Substantive Testing of Computer-based Records

Substantive testing, like compliance testing, can be performed either with or without
the use of a computer.
1. Substantive testing without using the computer
Printouts are used to test the correctness of accounts and as a basis from
which samples will be selected for further testing or confirmation.
2. Substantive testing with the use of (through) a computer
The auditor uses a program written to gain access to the computer-based records.

AUDIT TECHNIQUES USING COMPUTERS

a. Audit Software – the auditor may use various types of software.
1. Generalized audit software – is used most frequently because it allows the
auditor to access various client computer files.
Ex: testing client calculations, making additional calculations, examining
records which meet criteria specified by the auditor (property acquisitions in
excess of P10,000) etc.
2. System utility software
3. Customized (written specially for one client) audit programs

b. Test Data – A set of dummy transactions is developed by the auditor and processed
by the client’s computer programs to determine whether the controls which the
auditor intends to rely on are functioning as expected.
Several possible problems associated with test data:
(1) Make certain the test data is not included in the client’s accounting records.
(2) Determine that the program tested is actually used by the client to process
data.
(3) Devote the necessary time to develop adequate data to test key controls.

c. Concurrent Audit Techniques – these techniques collect evidence as transactions are
processed, immediately reporting information requested by the auditor or storing it for
later access.
Three concurrent techniques:
1. Integrated Test Facility (ITF) – This method introduces dummy transactions
into a system in the midst of live transactions and is usually built into the system during
the original design.
2. Snapshots – auditors embed software routines at different points within an
application to capture and report images called snapshots of a selected transaction
as it is processed at preselected points in a program.
3. System Control Audit Review File (SCARF) – this uses audit software
embedded in the client’s system, called an embedded audit module, to gather
information at predetermined points in a system.

d. Parallel Simulation – (Also known as controlled processing/reprocessing) This
method processes actual client data through an auditor’s software program (and
frequently, although not necessarily, the auditor’s computer). After processing the
data, the auditor compares the output obtained with output obtained from the client.
e. Code Comparison – an auditor examines two versions of a program to determine
whether they are identical. One version of the program, called the blueprint is known
to be the appropriate program. The other version of the program is the one in current
use by the client.
f. Audit Workstation – the auditor extracts the necessary data from the client’s files and
performs the desired tests directly on the microcomputer (dependence on audit
software programs run on a mainframe by using an audit workstation.
Steps:
(1) Determine data needed
(2) Write extract routine
(3) Run extract program
(4) Download extracted file
(5) Perform analysis
(6) Prepare report
(7) Workpapers
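
The parallel simulation technique in item (d) above, as an added example that is not part of the original module: the auditor's own program reprocesses every record of a client extract and reports each one whose client-computed total differs or that cannot be reprocessed. The extract, the field names and the pricing rule (5% discount from 100 units, 12% VAT) are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's output file (sample data, not real).
CLIENT_EXTRACT = """\
invoice_no,qty,unit_price,client_total
INV-001,10,250.00,2800.00
INV-002,100,80.00,8512.00
INV-003,150,40.00,6720.00
INV-004,3,19.99,67.17
INV-005,x,10.00,11.20
"""

# Assumed pricing rule, standing in for the client's documented policy.
VAT_RATE = Decimal("0.12")
DISCOUNT_RATE = Decimal("0.05")   # applies when qty >= DISCOUNT_MIN_QTY
DISCOUNT_MIN_QTY = 100
CENT = Decimal("0.01")


def auditor_total(qty, unit_price):
    """Auditor's independent implementation of the pricing rule."""
    gross = qty * unit_price
    if qty >= DISCOUNT_MIN_QTY:
        gross -= gross * DISCOUNT_RATE
    return (gross * (1 + VAT_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(extract, tolerance=Decimal("0.00")):
    """Reprocess every record; return (records_tested, exceptions)."""
    tested, exceptions = 0, []
    for row in csv.DictReader(io.StringIO(extract)):
        tested += 1
        try:
            expected = auditor_total(int(row["qty"]), Decimal(row["unit_price"]))
            reported = Decimal(row["client_total"])
        except (ValueError, ArithmeticError) as exc:
            # A record the auditor cannot reprocess is itself an exception.
            exceptions.append((row["invoice_no"], "unreadable record", repr(exc)))
            continue
        if abs(expected - reported) > tolerance:
            exceptions.append((row["invoice_no"], "total mismatch",
                               f"client={reported} auditor={expected}"))
    return tested, exceptions


if __name__ == "__main__":
    tested, exceptions = parallel_simulation(CLIENT_EXTRACT)
    print(f"{tested} records reprocessed, {len(exceptions)} exceptions")
    for invoice_no, kind, detail in exceptions:
        print(f"  {invoice_no}: {kind} ({detail})")
```

Because the whole file is reprocessed rather than a sample, the single invoice where the client program skipped the discount surfaces alongside the record with a non-numeric quantity.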

Microcomputer-based Systems

A number of auditors use commercially available software, often referred to as a data
manager, to download client data to the auditor’s microcomputer. After the client data
have been downloaded, the auditor uses commercially available software to perform
specific audit procedures.

Specialized Audit Programs and Additional Techniques

Tagging and Tracing Transactions – this process involves tagging or specifically
marking or highlighting certain transactions by the auditor at the time of their input.

Electronic Commerce – Effect on the Audit of Financial Statements (PAPS 1013)

The purpose of PAPS 1013 is to provide guidance to assist auditors of financial
statements where an entity engages in commercial activity that takes place by means
of connected computers over a public network such as the internet (e-commerce).

Distinction:
e-commerce refers solely to transactional activities (such as the buying and
selling of goods and services)
e-business refers to all business activities, both transactional and non-transactional
(customer relations and communications)

Skills and knowledge

The level of skills and knowledge required to understand the effect of e-commerce on
the audit will vary with the complexity of the entity’s e-commerce activities.

Knowledge of the Business

PSA 315 (Clarified) requires that the auditor obtain a knowledge of the business sufficient to
enable the auditor to identify and understand the events, transactions and practices that may
have significant effect on the financial statements or on the audit report.
❑ The entity’s business activities and industry
❑ The entity’s e-commerce strategy
❑ The extent of the entity’s e-commerce activities
❑ The entity’s outsourcing arrangements.

PSA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”

Requires that when planning and performing audit procedures and in evaluating and
reporting the results thereof, the auditor recognize that noncompliance by the entity
with laws and regulations may materially affect the financial statements.

Internal Control Considerations

The auditor considers the control environment and control procedures the entity has
applied to its e-commerce activities to the extent they are relevant to the financial
statement assertions.
▪ Security
▪ Transaction Integrity
▪ Process Alignment

Effect of Electronic Records on Audit Evidence

There may not be any paper records for e-commerce transactions, and electronic
records may be more easily destroyed or altered than paper records without leaving
evidence of such destruction or alteration.
The auditor considers whether the entity’s security of information policies, and security
controls as implemented, are adequate to prevent unauthorized changes to the
accounting system or records, or to systems that provide data to the accounting
system.

The Effect of Electronic Records on Audit Evidence

Depending on the auditor’s assessment of these controls, the auditor may also
consider the need to perform additional procedures such as confirming transaction
details or account balances with third parties. Refer to PSA 505, “External
Confirmations.”

SUMMARY

This module provided you with the audit approach and the audit techniques in a CIS
environment.

The objectives of auditing do not undergo a change in a CIS environment. The auditor must
provide a competent, independent opinion as to whether the financial statements record and
report a true and fair view of the state of affairs of an entity. However, computer systems have
affected how auditors need to collect and evaluate evidence.

The process of auditing is not a straightforward flow of work from start to finish, to be
completed by satisfying oneself against a standard checklist or a list of questions. It involves
exposure, experience and the application of knowledge and expertise to differing circumstances.
No two information systems are the same. From the viewpoint of analysis of a computerized
information system, auditors need not only adequate knowledge of information
requirements; they must also be exposed to system analysis and design so as to
facilitate post-implementation audit.

Reference: Cabrera, M. E. (2019). Auditing Theory


ASSESSMENT TASK: Based on the discussion/description provided in this module, as well
as your own judgment, indicate whether each figure below shows a Black-box or White-box
approach. Support your answer.

Figure 1

Figure 2

- End-
