
Core Concepts of

ACCOUNTING INFORMATION SYSTEMS


Moscove, Simkin & Bagranoff

Developed by:
S. Bhattacharya, Ph.D.
Florida Atlantic University

John Wiley & Sons, Inc.


Chapter 14
Auditing Computerized Accounting
Information Systems

• Introduction
• The Audit Function
• Auditing Through the Computer
• The IT Auditor’s Toolkit
• Information Technology Auditing Today
The Audit Function

• To audit is to examine and to assure.
• The nature of auditing differs according
to the subject under examination.
• Audits can be internal audits, external
audits, or information systems audits.
Internal versus External
Auditing
• In an internal audit, a company’s own accounting
employees perform the audit.
• Accountants working for an independent
CPA firm normally perform the external
audit.
• The chief purpose of the external audit is the
attest function.
• In an external audit, the financial statements
are evaluated for fair presentation in
accordance with GAAP.
• Fraud auditors specialize in investigating fraud.
Information Technology
Auditing

• Information technology auditing, or electronic
data processing (EDP) auditing, involves
evaluating the computer’s role in achieving
audit and control objectives.
• The components of a computer-based AIS
are people, procedures, hardware, data
communications, software, and databases.
• These components form a system of interacting
elements that auditors examine to accomplish
the purposes of their audits.
The Information Technology
Audit Process

• If computer controls are weak or nonexistent,
auditors will need to do more substantive
testing, that is, detailed tests of transactions and
account balances.
• Compliance testing (tests of controls) is performed
to ensure that the controls are in place and
working as prescribed.
– This may entail using computer-assisted
audit techniques (CAATs) to audit through
the computer.
The Six Components of a
Computer-Based AIS Examined
in an IT Audit

[Figure: the information technology audit function at the center, surrounded by the six components it examines: people, procedures, hardware, data communications, software, and databases.]
Careers in Information
Systems Auditing

• Information systems auditors may choose to
obtain professional certification as a Certified
Information Systems Auditor (CISA).
• Applicants must pass an examination given by
the Information Systems Audit and Control
Association (ISACA).
• Specialized skills and a broad base of
technical knowledge are needed.
Risk Assessment

• An external auditor’s main objective in
reviewing information systems control
procedures is to evaluate the risks to the
integrity of accounting data presented in
financial reports.
• A secondary objective is to make
recommendations to managers
about improving these
controls.
Risk-Based Audit Approach

• Determine threats facing the AIS.
• Identify the control procedures that should be
in place to minimize threats.
• Evaluate the control procedures within the AIS
(systems review).
• Evaluate weaknesses within the
AIS to ascertain their effect
on auditing procedures.
Information Systems Risk
Assessment

• Information systems risk assessment evaluates the
desirability of IT-related controls for a particular aspect
of business risk.
• Auditors and managers must answer each of the
following questions:
– What assets or information does the company have that
unauthorized individuals would want?
– What is the value of these identified assets or information?
– How can unauthorized individuals obtain valuable assets or
information?
– What are the chances of unauthorized individuals obtaining
valuable assets or information?
Guidance in Reviewing and
Evaluating IT Controls

• The Systems Auditability and Control (SAC) report,
published by the Institute of Internal Auditors
Research Foundation, identifies important
information technologies and the specific risks
related to these technologies.
• Control Objectives for Information and
Related Technology (COBIT), published by ISACA,
provides auditors with guidance in assessing and
controlling for business risk associated with IT
environments.
Objectives of an Information
Systems Audit
• As part of the process of performing an IT audit, auditors
should determine that the following objectives are met:
– Security provisions protect computer equipment, programs,
communications, and data from unauthorized access, modification, or
destruction.
– Program development and acquisition are performed in accordance
with management’s authorization.
– Program modifications have authorization and approval from
management.
– Processing of transactions, files, reports, and other computer records is
accurate and complete.
– Source data that are inaccurate or improperly authorized are
identified and handled according to prescribed managerial policies.
– Computer data files are accurate, complete, and confidential.
Auditing Computerized AIS
-Auditing Around the Computer

• Auditing around the computer assumes that
the presence of accurate output verifies proper
processing operations.
• This type of auditing pays little or no attention
to the control procedures within the IT
environment.
• It is generally not an effective approach
to auditing a computerized environment,
because correct output for the items sampled
says nothing about how the program handles
the transactions that were not sampled.
Auditing Computerized AIS-
Auditing Through the Computer

• When auditing through the computer, an
auditor follows the audit trail through the
internal computer operations phase of
automated data processing.
• Through-the-computer auditing attempts
to verify the processing controls involved
in the AIS programs.
Approaches to Auditing
through the Computer

Primary approaches to auditing
through the computer using CAATs are:
1. testing programs
2. validating computer programs
3. reviewing systems software
4. continuous auditing
Testing Computer Programs -
Test Data

• The test data approach uses a set of
hypothetical transactions to test the edit
checks in programs.
• The auditor should include as many different
exception situations as possible, each designed
to trigger a specific edit check, and should know
in advance whether the program ought to accept
or reject each transaction.
• The auditor can also use software programs called
test data generators to develop a set of test
data.
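The test data approach as a runnable illustration. This is an added example, not code from the textbook or from any client: the sales-order edit routine, the customer master file, and the test deck are all constructed here, and the edit routine has one deliberate gap (no check that the order date is not in the future) so that the deck has something to find. Each test transaction is built to trigger exactly one edit check, and the auditor records in advance whether the program should accept or reject it; a finding is any case where the program's decision differs from that expectation.

```python
"""Test data approach: run a deck of hypothetical transactions, each built to
trigger one edit check, through the edit routine under audit and record every
case where the program's accept/reject decision differs from the auditor's
expectation.  The edit routine and master file below are constructed stand-ins
for a client's sales-order program, not real client code."""
from datetime import date

# Constructed customer master file (hypothetical).
CUSTOMER_MASTER = {
    "C1001": {"credit_limit": 5000.00, "active": True},
    "C1002": {"credit_limit": 1000.00, "active": False},
}
MAX_LINE_QTY = 999
REQUIRED = ("order_no", "cust_id", "qty", "unit_price", "order_date")


def client_edit_routine(txn):
    """Stand-in for the client's input edit program.  Returns the list of
    rejection messages; an empty list means the transaction was accepted."""
    errors = [f"missing field {f}" for f in REQUIRED if f not in txn]
    if errors:                       # completeness check failed; stop here
        return errors
    cust = CUSTOMER_MASTER.get(txn["cust_id"])   # validity check vs. master
    if cust is None:
        errors.append("unknown customer")
    elif not cust["active"]:
        errors.append("inactive customer")
    if not isinstance(txn["qty"], int):          # field (data type) check
        errors.append("qty not integer")
    else:
        if txn["qty"] <= 0:                      # sign check
            errors.append("qty not positive")
        if txn["qty"] > MAX_LINE_QTY:            # limit check
            errors.append("qty exceeds line limit")
        if cust and txn["qty"] * txn["unit_price"] > cust["credit_limit"]:
            errors.append("exceeds credit limit")   # reasonableness check
    # Deliberate gap in the constructed program: order_date is never compared
    # with the processing date, so a future-dated order slips through.
    return errors


def build_test_data():
    """Hypothetical test deck: one clean control case plus one case per
    exception situation.  Each entry is (name, transaction, expect_accept)."""
    base = {"order_no": "SO-1", "cust_id": "C1001", "qty": 10,
            "unit_price": 25.0, "order_date": date(2005, 6, 15)}
    cases = [("valid control case", base, True)]

    def variant(name, **changes):
        txn = dict(base)
        txn.update(changes)
        cases.append((name, txn, False))   # every variant should be rejected

    variant("unknown customer", cust_id="C9999")
    variant("inactive customer", cust_id="C1002")
    variant("negative quantity", qty=-5)
    variant("zero quantity", qty=0)
    variant("non-numeric quantity", qty="ten")
    variant("quantity over line limit", qty=1000)
    variant("over credit limit", qty=300)          # 300 * 25.00 > 5000.00
    variant("future order date", order_date=date(2006, 1, 1))
    missing = {k: v for k, v in base.items() if k != "unit_price"}
    cases.append(("missing unit price", missing, False))
    return cases


def run_test_deck(edit_routine, cases):
    """Return the names of the cases where the program's decision differed
    from the expected one; each is an audit finding to follow up."""
    findings = []
    for name, txn, expect_accept in cases:
        accepted = edit_routine(txn) == []
        if accepted != expect_accept:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for finding in run_test_deck(client_edit_routine, build_test_data()):
        print("edit check missing or ineffective:", finding)
```

Run against the constructed routine, the deck reports a single finding, the future-dated order, which is exactly the edit check the program lacks. The clean control case matters as much as the exception cases: it shows that the rejections are caused by the exception condition and not by the deck itself.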
Testing Computer Programs
-Integrated Test Facility
• An Integrated Test Facility (ITF) is effective in
evaluating integrated online systems and complex
programming logic.
• Its purpose is to audit an AIS in an operational
setting.
• The auditor’s role is to examine the results of
transaction processing to find out how well the
AIS does the tasks required of it.
• An auditor will introduce artificial transactions
into the data processing stream of the AIS,
usually against a fictitious entity (such as a dummy
department or customer) created for the purpose,
and must later remove or reverse them so that they
do not contaminate the live records.
Testing Computer Programs
-Parallel Simulation

• With parallel simulation, the auditor uses live
input data, rather than test data, in a program
written or controlled by the auditor.
• The auditor’s program simulates all or some of
the operations of the real program that is
actually in use, and its results are compared
with the real program’s output.
• Auditors need a complete understanding of the
client’s system and sufficient technical knowledge.
• Parallel simulation eliminates the need to
prepare a set of test data.
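Parallel simulation as a runnable illustration. This is an added example, not code from the textbook or from any client: the timecards (the live input), the client program's output, and the overtime rule (straight time to 40 hours, time and a half above) are all constructed and hypothetical. The auditor's program recomputes gross pay from the same input and reports every record where the two results disagree, and it also checks the other direction, so a payee in the client's output who has no input record is reported too.

```python
"""Parallel simulation: reprocess the client's live input with a program the
auditor wrote, then compare the auditor's results with the client program's
output.  The payroll input, the client output and the 1.5x overtime rule are
all constructed for illustration (hypothetical client, hypothetical policy)."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed live input: this period's approved timecards.
LIVE_INPUT = [
    {"emp": "E100", "hours": Decimal("40"), "rate": Decimal("20.00")},
    {"emp": "E101", "hours": Decimal("45"), "rate": Decimal("18.50")},
    {"emp": "E102", "hours": Decimal("38"), "rate": Decimal("30.00")},
    {"emp": "E103", "hours": Decimal("50"), "rate": Decimal("22.00")},
]

# Constructed output of the client's payroll program for the same run.
# E103 was paid 50 hours at straight time, and E999 has no timecard at all;
# both are the kind of discrepancy the simulation is meant to surface.
CLIENT_OUTPUT = {
    "E100": Decimal("800.00"),
    "E101": Decimal("878.75"),
    "E102": Decimal("1140.00"),
    "E103": Decimal("1100.00"),
    "E999": Decimal("500.00"),
}

OVERTIME_THRESHOLD = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")
CENT = Decimal("0.01")


def auditor_gross_pay(hours, rate):
    """Auditor's independent computation of gross pay under the client's
    stated policy: straight time to 40 hours, time and a half above that."""
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(live_input, client_output, tolerance=CENT):
    """Compare simulated results with the client's output record by record.
    Returns (employee, expected, actual, reason) tuples for every exception;
    both directions are checked, so a payee with no input is also reported."""
    exceptions = []
    for rec in live_input:
        expected = auditor_gross_pay(rec["hours"], rec["rate"])
        actual = client_output.get(rec["emp"])
        if actual is None:
            exceptions.append((rec["emp"], expected, None, "missing from client output"))
        elif abs(actual - expected) > tolerance:
            exceptions.append((rec["emp"], expected, actual, "amount differs"))
    input_ids = {rec["emp"] for rec in live_input}
    for emp in sorted(set(client_output) - input_ids):
        exceptions.append((emp, None, client_output[emp], "paid with no input record"))
    return exceptions


if __name__ == "__main__":
    for emp, expected, actual, reason in parallel_simulation(LIVE_INPUT, CLIENT_OUTPUT):
        print(f"{emp}: expected {expected}, client output {actual} ({reason})")
```

Decimal arithmetic with explicit rounding is used so that the only differences reported are real ones, not float rounding noise; a tolerance of one cent absorbs legitimate rounding differences between the two programs while still catching the straight-time error on E103 and the payee with no timecard.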
Validating Computer
Programs

• Auditors must validate any program
presented to them.
• Procedures that assist in program
validation are 1) tests of program change
control, 2) program comparison, and 3)
surprise audits and surprise use of
programs.
Tests of Program
Change Control
• Program change control is a set of
internal controls developed to guard
against unauthorized program changes.
• It requires documentation of every request
for an application program change.
• The test begins with an inspection of the
change documentation maintained by the
information processing subsystem.
Program Comparison

• To guard against unauthorized program
tampering, a test of length control totals can be
performed: the size of the program in use (in
bytes, lines, or records) is compared with that
of the authorized version.
• A comparison program can compare code line-
by-line to ensure consistency between the
authorized version and the version
being used.
• Both tests can detect Trojan horse
computer programs, but a length check alone can
be defeated by a change that preserves the
program’s size, so the line-by-line comparison (or a
cryptographic hash of the authorized version) is the
stronger test.
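Program comparison as a runnable illustration. This is an added example, not code from the textbook or from any real system: the three program texts (an authorized payment-approval routine, a production copy with a Trojan horse bypass inserted, and a production copy where only a limit was changed) are constructed here. It runs the length control total, a SHA-256 hash, and a line-by-line comparison side by side, so the reader can see which test catches which kind of tampering.

```python
"""Program comparison: check the program in production against the authorized
copy with (1) a length control total, (2) a cryptographic hash and (3) a
line-by-line comparison.  All three program texts are constructed for
illustration; they are not from any real system."""
import difflib
import hashlib

# Authorized version, as held in the controlled program library (constructed).
AUTHORIZED = """\
def approve_payment(amount, approver_level):
    limit = 1000
    if amount > limit and approver_level < 2:
        return False
    return True
"""

# Production copy with a Trojan horse inserted: a bypass for approver level 99.
IN_USE_TROJAN = """\
def approve_payment(amount, approver_level):
    limit = 1000
    if approver_level == 99:
        return True
    if amount > limit and approver_level < 2:
        return False
    return True
"""

# Production copy where only the limit was changed; the file length is unchanged.
IN_USE_SAME_LENGTH = AUTHORIZED.replace("limit = 1000", "limit = 9999")


def length_control_total(src):
    """Length control total: size in bytes and number of lines."""
    return (len(src.encode("utf-8")), src.count("\n"))


def program_hash(src):
    """SHA-256 of the program text; any one-byte change alters the digest."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def line_differences(authorized, in_use):
    """Lines present in only one version, with difflib's -/+ prefixes."""
    diff = difflib.unified_diff(authorized.splitlines(), in_use.splitlines(),
                                fromfile="authorized", tofile="in_use",
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def compare_programs(authorized, in_use):
    """Run all three tests and report which ones flag the production copy."""
    return {
        "length_match": length_control_total(authorized) == length_control_total(in_use),
        "hash_match": program_hash(authorized) == program_hash(in_use),
        "diff": line_differences(authorized, in_use),
    }


if __name__ == "__main__":
    for label, in_use in (("trojan", IN_USE_TROJAN), ("same length", IN_USE_SAME_LENGTH)):
        result = compare_programs(AUTHORIZED, in_use)
        print(label, "length ok:", result["length_match"], "hash ok:", result["hash_match"])
        for line in result["diff"]:
            print("   ", line)
```

The inserted bypass changes the length and so fails all three tests, but the edited limit passes the length control total and is caught only by the hash and the line comparison. The comparison has to be made against a copy of the authorized version that the auditor controls (from the program library or from a prior audit), not against whatever the installation calls "authorized" today.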
Surprise Audits and Surprise
Use of Programs

• The surprise audit approach involves
examining application programs unexpectedly.
• With the surprise use approach, an auditor
visits the computer center unannounced
and requests that previously obtained
authorized programs be used for the
required data processing.
Review of Systems Software

• Systems software includes 1) operating system
software, 2) utility programs, 3) program
library software, and 4) access control
software.
• Auditors should review systems software
documentation.
• Systems software can generate incident reports,
which are reports listing events encountered by
the system that are unusual or interrupt
operations.
Continuous Approach

• Audit tools can be installed within an
information system to achieve continuous
auditing.
• This is particularly effective when most of an
application’s data is in electronic form.
• Examples: 1) embedded audit modules (audit code
built into the application that collects evidence as
transactions are processed), 2) exception reporting
(flagging transactions that meet predefined criteria),
3) transaction tagging (marking selected transactions
so that they can be traced through processing), and
4) the snapshot technique (recording a transaction
and the records it affects before and after processing).
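The four continuous-auditing techniques together, as an added example that is not from the textbook or from any real system. An embedded audit module is hooked into a constructed posting routine: it tags selected transactions, takes snapshots of the affected balances before and after those transactions post, and writes an exception report for any transaction that meets the criteria. The ledger, the journal entries, and the exception criteria (a $10,000 threshold, postings outside business hours, and an entry approved by the person who entered it) are all hypothetical.

```python
"""Continuous auditing: an embedded audit module (EAM) hooked into the posting
routine.  It tags selected transactions, takes snapshots of the affected
accounts before and after posting, and writes an exception report for
transactions meeting predefined criteria.  The ledger, transactions and the
criteria themselves are constructed for illustration."""
from datetime import datetime

EXCEPTION_AMOUNT_CENTS = 1_000_000        # hypothetical criterion: $10,000.00 and up
BUSINESS_HOURS = range(8, 18)             # hypothetical: 08:00-17:59, Monday to Friday


class EmbeddedAuditModule:
    """Audit code that runs inside the application as each transaction posts."""

    def __init__(self):
        self.exceptions = []   # exception report: (txn id, [reasons])
        self.snapshots = []    # snapshot technique: ("before"/"after", txn id, balances)

    def before_post(self, txn, balances):
        if txn.get("audit_tag"):                       # transaction tagging
            self.snapshots.append(("before", txn["id"], dict(balances)))

    def after_post(self, txn, balances):
        if txn.get("audit_tag"):
            self.snapshots.append(("after", txn["id"], dict(balances)))
        reasons = []
        if abs(txn["amount_cents"]) >= EXCEPTION_AMOUNT_CENTS:
            reasons.append("amount at or above exception threshold")
        when = txn["posted_at"]
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            reasons.append("posted outside business hours")
        if txn["entered_by"] == txn["approved_by"]:
            reasons.append("entered and approved by same user")
        if reasons:                                    # exception reporting
            self.exceptions.append((txn["id"], reasons))


def post_transactions(txns, opening_balances, eam):
    """Constructed posting routine: balances are signed amounts in cents,
    debits positive; the EAM hooks run around every posting."""
    balances = dict(opening_balances)
    for txn in txns:
        eam.before_post(txn, balances)
        balances[txn["debit"]] = balances.get(txn["debit"], 0) + txn["amount_cents"]
        balances[txn["credit"]] = balances.get(txn["credit"], 0) - txn["amount_cents"]
        eam.after_post(txn, balances)
    return balances


# Constructed journal entries.  13 June 2005 is a Monday; 18 June is a Saturday.
TRANSACTIONS = [
    {"id": "J1", "debit": "Expense", "credit": "Cash", "amount_cents": 45_000,
     "posted_at": datetime(2005, 6, 13, 10, 5), "entered_by": "ajones", "approved_by": "bsmith"},
    {"id": "J2", "debit": "Expense", "credit": "Cash", "amount_cents": 1_250_000,
     "posted_at": datetime(2005, 6, 13, 11, 30), "entered_by": "ajones", "approved_by": "bsmith",
     "audit_tag": True},
    {"id": "J3", "debit": "Expense", "credit": "Cash", "amount_cents": 90_000,
     "posted_at": datetime(2005, 6, 18, 23, 40), "entered_by": "cwu", "approved_by": "cwu"},
]
OPENING_BALANCES = {"Cash": 5_000_000, "Expense": 0}


def run_period():
    """Post the constructed transactions and return the closing balances
    together with the EAM that holds the evidence collected."""
    eam = EmbeddedAuditModule()
    closing = post_transactions(TRANSACTIONS, OPENING_BALANCES, eam)
    return closing, eam


if __name__ == "__main__":
    closing, eam = run_period()
    for txn_id, reasons in eam.exceptions:
        print("exception", txn_id, "; ".join(reasons))
    for stage, txn_id, balances in eam.snapshots:
        print("snapshot", stage, txn_id, balances)
    print("closing balances", closing)
```

Because the module runs inside the application, its evidence is only as trustworthy as the application's own change control: the auditor needs assurance (program comparison, change-control tests) that the module was not altered or bypassed, and the exception and snapshot logs should be written somewhere the application's operators cannot edit.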
Auditing with the Computer

• Auditing with the computer entails using computer-
assisted audit techniques (CAATs) to help in various
auditing tasks.
• This approach is virtually mandatory, since data are
stored on computer media and manual access
is impractical.
• CAATs are effective and save time.
General-Use Software

• Auditors use general-use software such as
spreadsheets and database management
systems as productivity tools to improve their
work.
• Auditors use structured query
language (SQL) to retrieve a
client’s data and display these
data in a variety of formats
for audit purposes.
Generalized Audit Software

• Generalized audit software (GAS) packages
enable auditors to review computer files
without continually rewriting processing
programs.
• GAS programs are specifically
tailored to auditor tasks.
• Audit Command Language (ACL)
and Interactive Data Extraction
and Analysis (IDEA) are examples
of GAS.
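An added example covering both the SQL retrieval described under general-use software and the kind of file tests GAS packages such as ACL and IDEA provide (duplicates, gaps in a numeric sequence, control totals). It is not code from the textbook, from ACL or from IDEA: the accounts-payable payment extract is constructed, and it is loaded into an in-memory SQLite database that stands in for the read-only copy of client data an auditor would normally query.

```python
"""Audit queries of the kind GAS packages and SQL are used for: duplicate
payments, gaps in a check-number sequence, and control totals to tie the
extract back to the general ledger.  The accounts-payable extract is
constructed for illustration and is loaded into an in-memory SQLite database,
which stands in for the read-only copy of client data an auditor would query."""
import sqlite3

# Constructed AP payment extract: (check_no, vendor_id, invoice_no, amount_cents, pay_date).
PAYMENTS = [
    (1001, "V10", "INV-551",  125_000, "2005-03-02"),
    (1002, "V22", "INV-8801",  48_000, "2005-03-03"),
    (1003, "V10", "INV-551",  125_000, "2005-03-09"),   # same invoice paid twice
    (1005, "V31", "INV-14", 2_200_000, "2005-03-10"),   # check 1004 unaccounted for
    (1006, "V22", "INV-8802",  48_000, "2005-03-11"),
    (1009, "V10", "INV-560",   71_000, "2005-03-15"),   # checks 1007-1008 unaccounted for
]


def load_extract(conn, rows):
    """Load the extract into a working table; the auditor works on a copy."""
    conn.execute("""CREATE TABLE payments (
        check_no INTEGER PRIMARY KEY, vendor_id TEXT, invoice_no TEXT,
        amount_cents INTEGER, pay_date TEXT)""")
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?)", rows)


def duplicate_payments(conn):
    """Duplicates test: same vendor, invoice and amount paid more than once."""
    return conn.execute("""
        SELECT vendor_id, invoice_no, amount_cents, COUNT(*)
        FROM payments
        GROUP BY vendor_id, invoice_no, amount_cents
        HAVING COUNT(*) > 1
        ORDER BY vendor_id, invoice_no""").fetchall()


def sequence_gaps(conn):
    """Gaps test: ranges of check numbers missing between consecutive checks."""
    rows = conn.execute("""
        SELECT a.check_no, MIN(b.check_no)
        FROM payments a JOIN payments b ON b.check_no > a.check_no
        GROUP BY a.check_no
        HAVING MIN(b.check_no) - a.check_no > 1
        ORDER BY a.check_no""").fetchall()
    return [(this + 1, following - 1) for this, following in rows]


def control_totals(conn):
    """Count and total by vendor, to agree to the AP subledger and control account."""
    return conn.execute("""
        SELECT vendor_id, COUNT(*), SUM(amount_cents)
        FROM payments GROUP BY vendor_id ORDER BY vendor_id""").fetchall()


def run_audit_queries(rows=PAYMENTS):
    """Load the extract and run the three tests; returns their results by name."""
    conn = sqlite3.connect(":memory:")
    try:
        load_extract(conn, rows)
        return {"duplicates": duplicate_payments(conn),
                "gaps": sequence_gaps(conn),
                "totals": control_totals(conn)}
    finally:
        conn.close()


if __name__ == "__main__":
    for test, result in run_audit_queries().items():
        print(test, result)
```

Every gap or duplicate the queries report is a lead, not a conclusion: a missing check number may be a voided check, and the follow-up is to trace each item to the supporting documents. Running the control totals first, and agreeing them to the ledger, establishes that the extract is complete before any of the other results are relied on.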
Automated Workpaper
Software

• Automated workpaper software is
similar to general ledger software but is
much more flexible.
• Features include: 1) generated trial
balances, 2) adjusting entries, 3)
consolidations, and 4) analytical
procedures.
Auditing in the Information
Age

• Software can control audit
• Audit tools stored on CD-ROM
• Electronic spreadsheets
• Third party assurance services
• Systems reliability assurance
Auditing Electronic
Spreadsheets

• Building auditing models in spreadsheets
• Auditing spreadsheet data and formulas
• Display formulas
• Use data validation rules
• Excel’s audit toolbar
• Specialized spreadsheet audit software
Third-Party Assurance

• TRUSTe
• BBBOnline
• WebTrust
• Betterweb
Information Systems
Reliability Assurance

• SAS 78
• SysTrust
Information Technology
Auditing Today

• Information Technology Governance
• Auditing for Fraud – Statement on
Auditing Standards No. 99
• The Sarbanes-Oxley Act of 2002
• Third-Party and Information Systems
Reliability Assurances
Summary of the Key Provisions of
the Sarbanes-Oxley Act of 2002

• Section 201: Services outside the scope of
practice of auditors; prohibited activities
• Section 302: Corporate responsibility for
financial reports
• Section 404: Management assessment of
internal controls
Copyright

Copyright 2005 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser may
make backup copies for his/her own use only and not for distribution
or resale. The Publisher assumes no responsibility for errors,
omissions, or damages, caused by the use of these programs or from
the use of the information contained herein.