
Auditing & Information Technology

MAKANJU, T. A.
08029248172
08055821595
AUDITING

10-2
Auditing
• an examination of the controls within an entity's
financial information for the purpose of
determining whether an organization's financial
statements and financial condition are presented
fairly in accordance with generally accepted
accounting principles (GAAP)

10-3
Auditing
2 broad categories of audits:
1. Internal Auditing
2. External Auditing

10-4
Internal Auditing
• Who does it? Internal employees
(outsource)

• For whom? Management

• What? employee adherence to company
policies and procedures – efficiency and
effectiveness

10-5
Internal Auditing - Types
• Information systems: review AIS controls to
assess compliance with internal control
policies/procedures & effectiveness in
safeguarding assets
• Operational/management: reviews company
resources and operations – for efficiency,
effectiveness, as planned
• Compliance: ensure compliance with laws,
rules, and regulations
10-6
External Auditing (FS Audit)
• Who does it? Independent, external auditors
• For whom? SEC, investors
• What?
– Examination of a client’s FS for the purpose of
deciding whether or not the FS are fairly presented
according to GAAP.
– Attest function: give an opinion on the fairness of
the FS wrt GAAP applying GAAS. Reliability
and integrity of accounting records
10-7
5 Step Audit Process
(for all audit types)
(1) Audit Planning: Establish audit objectives, identify
risks, Audit program
(2) Collect audit evidence: interviews, examinations,
recalculations, sampling IDEA, ACL
(3) Evaluate evidence: materiality
(4) Arrive at an opinion –
FS: standard unqualified, unqualified with
explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results
FS: audit report
10-8
Auditing Standards
• Statement on Auditing Standards (SAS) 94 “The Effect
of Information Technology on the Auditor's
Consideration of Internal Control in a Financial
Statement Audit”
– Auditors must have sufficient understanding (and
documentation) of each of the 5 components of the IC when
planning the audit
– Addresses the effects of IT on IC
– May need to design tests of controls in addition to
substantive tests (of balances)
10-9
A. Phases of the Information
Systems Audit
1. Initial review and
evaluation of the area to
be audited, and the audit
plan preparation
2. Detailed review and
evaluation of controls
3. Compliance testing
4. Analysis and reporting of
results
B. Structure of the Financial
Statement Audit
[Figure: Transactions → Accounting System → Financial Reports.
Interim Audit: Compliance Testing. Financial Statement Audit:
Substantive Testing.]
B1. Compliance Testing
Auditors perform tests of controls to determine
that the control policies, practices, and
procedures established by management are
functioning as planned. This is known as
compliance testing.
B2. Substantive Testing
Substantive testing is the direct verification of
financial statement figures. Examples would
include reconciling a bank account and
confirming accounts receivable.
Audit Confirmation
To ABC Co. Customer:
Please confirm that the
balance of your account
on Dec. 31 is _____ .
C. Auditing Around the
Computer
The auditor ignores computer processing.
Instead, the auditor selects source documents that
have been input into the system and summarizes
them manually to see if they match the output of
computer processing.

Auditing Around the Computer
• Ignores the controls and computer processing -
assumes accurate output = proper processing
• Auditor examines, on a sample basis, inputs to the
computer and corresponding outputs
• Suitable only if the following conditions are met:
1. computer processing is relatively simple
2. Audit trail is clearly visible
3. A substantial amount of up-to-date documentation
exists about how the system works.

10-15
Auditing With The Computer
The utilization of the computer by an auditor to
perform some audit work that would otherwise
have to be done manually.
Auditing Through the Computer
The process of reviewing and evaluating the
internal controls in an electronic data
processing system.

Auditing Through the Computer
• Auditor follows the audit trail through the internal
computer operations; attempts to verify that the
processing controls are functioning correctly
• Directly tests the computer controls and verifies the
accuracy of computer-based processing of input data.
• Tests controls that, if functioning properly would
prevent errors from occurring.

10-18
Test Data
The auditor prepares input containing both valid
and invalid data. Prior to processing the test
data, the input is manually processed to
determine what the output should look like.
The auditor then compares the computer-
processed output with the manually processed
results.
Review of Systems
Documentation
The auditor reviews documentation such as
narrative descriptions, flowcharts, and program
listings. In desk checking the auditor processes
test or real data through the program logic.
Illustration of Test Data Approach
[Figure. Computer Operations: Test Data Transactions → Computer
Application System → Computer Output. Auditors: Prepare Test
Transactions And Results → Manually Processed Results. Auditor
Compares the Computer Output with the Manually Processed Results.]
Integrated Test Facility (ITF)
Approach
A common form of an ITF is as follows:
1. A dummy ITF center is created for the auditors.
2. Auditors create transactions for controls they
want to test.
3. Working papers are created to show expected
results from manually processed information.
4. Auditor transactions are run with actual
transactions.
5. Auditors compare ITF results to working papers.
Illustration of ITF Approach
[Figure. Computer Operations: Actual Transactions and ITF
Transactions → Computer Application System (Data Files, ITF Data) →
Reports With Only Actual Data and Reports With Only ITF Data.
Auditors: Prepare ITF Transactions And Results → Manually Processed
Results. Auditor Compares.]
Parallel Simulation
The test data and ITF methods both process test
data through real programs. With parallel
simulation, the auditor processes real client data
on an audit program similar to some aspect of the
client’s program. The auditor compares the
results of this processing with the results of the
processing done by the client’s program.
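Parallel simulation as described above, shown as an added example that is not part of the original slides: the auditor's own program recomputes invoice totals from real client transactions and compares them with the client program's output. The pricing rule, field names and all sample values are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: client transactions and the totals reported by the
# client's invoicing program. All identifiers and amounts are made up.
TRANSACTIONS = [
    {"invoice": "INV-1001", "qty": 3, "unit_price": "19.99", "tax_rate": "0.075"},
    {"invoice": "INV-1002", "qty": 10, "unit_price": "4.50", "tax_rate": "0.075"},
    {"invoice": "INV-1003", "qty": 1, "unit_price": "250.00", "tax_rate": "0.075"},
    {"invoice": "INV-1004", "qty": 2, "unit_price": "15.00", "tax_rate": "0.075"},
]
CLIENT_TOTALS = {"INV-1001": "64.47", "INV-1002": "48.37",
                 "INV-1003": "268.75", "INV-9999": "120.00"}

def simulate_total(txn):
    """Auditor's own implementation of the documented rule (assumed here:
    qty * unit price, plus tax, rounded half-up to two decimal places)."""
    net = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    gross = net * (Decimal("1") + Decimal(txn["tax_rate"]))
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(transactions, client_totals):
    """Return (invoice, finding, auditor_total, client_total) for each mismatch."""
    exceptions = []
    for txn in transactions:
        expected = simulate_total(txn)
        reported = client_totals.get(txn["invoice"])
        if reported is None:
            exceptions.append((txn["invoice"], "missing from client output", expected, None))
        elif Decimal(reported) != expected:
            exceptions.append((txn["invoice"], "total differs", expected, Decimal(reported)))
    # Client output with no source transaction is also an audit-trail break.
    known = {t["invoice"] for t in transactions}
    for inv in sorted(set(client_totals) - known):
        exceptions.append((inv, "no source transaction", None, Decimal(client_totals[inv])))
    return exceptions

if __name__ == "__main__":
    for row in parallel_simulation(TRANSACTIONS, CLIENT_TOTALS):
        print(row)
```

The one-cent difference on INV-1002 comes from the client program truncating where the documented rule rounds, the kind of small systematic deviation that only an independent recomputation exposes.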
Illustration of Parallel Simulation
[Figure. Computer Operations: Actual Transactions → Computer
Application System → Actual Client Report. Auditors: Actual
Transactions → Auditor's Simulation Program → Auditor Simulation
Report. Auditor Compares the two reports.]
Audit Software
Computer programs that permit computers to be
used as auditing tools include:
1. Generalized audit software
Perform tasks such as selecting sample data
from file, checking computations, and
searching files for unusual items.
2. P.C. Software
Allows auditors to analyze data from
notebook computers in the field.
General Functions of
Computer Audit Software
– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
– sampling
– data retrieval
– apply edit checks
– file operations (join, merge, sort)
10-27
Embedded Audit Routines
1. In-line Code – Application program performs
audit data collection while it processes data
for normal production purposes.
2. System Control Audit Review File (SCARF) –
Edit tests for audit transaction analysis are
included in program. Exceptions are written
to a file for audit review.
Mapping
Special software counts the number of times each
program statement in a program executes.
Helps identify code that is bypassed when the
bypass is not readily apparent in the program code
and/or documentation.
Extended Records and Snapshots
Extended Records
Specific transactions are tagged, and the
intervening processing steps that normally
would not be saved are added to the extended
record, permitting the audit trail to be
reconstructed for these transactions.
Snapshot
A snapshot is similar to an extended record
except that the snapshot is a printed
audit trail.
Audit Trail in Computer-Based
System
• Visibility of audit trail is diminished
• In relational database systems, foreign keys that link
related tables form an electronic audit trail.
• Example:
I/S Revenue → (Invoice No.) → Sale invoice → (Customer ID) → Customer Table
10-31
Auditing Through the Computer
2. Validate Computer Programs
• Test of program change control: make sure
IC procedures exist and are followed
• Program comparison: compare production
program with archived old version (trojan
horse, salami)
• Surprise audits and surprise use of programs:
compare accounting application programs
unexpectedly with authorized version
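Program comparison from the list above, as an added example that is not part of the original slides: production program files are hashed with SHA-256 and compared with a baseline manifest archived when the last change was authorized. The file names and contents are constructed, and the baseline is assumed to be stored where production staff cannot alter it.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large program binaries are handled too."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(production_root, baseline):
    """Classify differences between production and the authorized version."""
    current = build_manifest(production_root)
    return {
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "unauthorized": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }

def demo():
    """Constructed scenario: baseline taken at approval, then production drifts."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp)
        (prod / "payroll.py").write_text("def net(g): return round(g * 0.8, 2)\n")
        (prod / "invoice.py").write_text("def total(q, p): return q * p\n")
        baseline = build_manifest(prod)  # archived with the approved change
        # Changes made outside change control: an edit, a new file, a deletion.
        (prod / "payroll.py").write_text("def net(g): return int(g * 80) / 100\n")
        (prod / "helper.py").write_text("pass\n")
        (prod / "invoice.py").unlink()
        return compare_to_baseline(prod, baseline)

if __name__ == "__main__":
    print(demo())
```

Each entry in the result should trace to an approved change request; any that does not is a program change control finding.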
10-32
Auditing Through the Computer
3. Review of systems software
• Operating systems software
• Utility programs that do basic
“housekeeping” chores such as sorting and
copying
• Program library software that controls and
monitors storage of programs
• Access control software that controls logical
access to programs and data files
10-33
Auditing Through the Computer
4. Continuous Auditing:
Audit tools installed within the IS
• Audit hooks
• Continuous and intermittent simulation
• Embedded audit modules
• Exception reporting
• SCARF
• Snapshot technique
• Transaction tagging
Match these terms with their definitions on the next slides.
10-34
Auditing Through the Computer
• Embedded audit modules:
Application subroutine that captures data for
audit purposes
Write to a special log file called SCARF (systems
control audit review file)
Ex: transactions affecting inactive accounts,
deviating from company policy, write-downs of
asset values
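An embedded audit module writing to a SCARF log, as an added example that is not part of the original slides. It implements the three example criteria above inside a posting routine; the thresholds, field names, account data and transactions are hypothetical values constructed for illustration.

```python
import io
import json
from datetime import date

# Hypothetical policy thresholds, assumed for this example.
APPROVAL_LIMIT = 10_000        # amounts above this need an approver
INACTIVE_AFTER_DAYS = 365      # no activity for this long = inactive account

def audit_reasons(txn, account, today):
    """Audit criteria taken from the slide's three examples."""
    reasons = []
    if (today - account["last_activity"]).days > INACTIVE_AFTER_DAYS:
        reasons.append("inactive_account")
    if abs(txn["amount"]) > APPROVAL_LIMIT and not txn.get("approved_by"):
        reasons.append("policy_unapproved_over_limit")
    if txn["type"] == "asset_writedown":
        reasons.append("asset_writedown")
    return reasons

def post_transaction(txn, accounts, scarf, today):
    """Production posting routine with the audit module embedded in-line."""
    account = accounts[txn["account"]]
    reasons = audit_reasons(txn, account, today)  # evaluated before the update
    if reasons:
        scarf.write(json.dumps({"txn_id": txn["id"], "account": txn["account"],
                                "amount": txn["amount"], "reasons": reasons}) + "\n")
    account["balance"] += txn["amount"]
    account["last_activity"] = today
    return reasons

def run_demo():
    """Constructed accounts and transactions; returns the parsed SCARF records."""
    today = date(2024, 3, 31)
    accounts = {
        "A-100": {"balance": 5000, "last_activity": date(2024, 3, 15)},
        "A-200": {"balance": 1200, "last_activity": date(2021, 6, 30)},
        "FA-300": {"balance": 80000, "last_activity": date(2024, 1, 10)},
    }
    txns = [
        {"id": "T1", "account": "A-100", "amount": 250, "type": "payment"},
        {"id": "T2", "account": "A-200", "amount": -1200, "type": "withdrawal"},
        {"id": "T3", "account": "A-100", "amount": 25000, "type": "payment"},
        {"id": "T4", "account": "FA-300", "amount": -15000,
         "type": "asset_writedown", "approved_by": "cfo"},
    ]
    scarf = io.StringIO()  # stands in for the append-only SCARF file
    for txn in txns:
        post_transaction(txn, accounts, scarf, today)
    return [json.loads(line) for line in scarf.getvalue().splitlines()]
```

The audit check runs before the posting updates `last_activity`; evaluating it afterwards would make every inactive account look active and the first criterion would never fire.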

10-35
Auditing Through the Computer

• audit hooks:
audit routine that flags suspicious transactions
(real-time notification)
• Exception reporting:
mechanisms that reject certain transactions
that fall outside predefined specifications
10-36
Auditing Through the Computer
• Transaction tagging
Place a special identifier on transactions so that they can
be recorded as they pass through the IS.
EX: tag an employee’s transaction records, manually
calculate & compare
• Snapshot technique
audit modules record selected transactions before and
after processing. Auditor reviews to make sure all
processing steps performed properly.

10-37
Auditing Through the Computer
• Continuous and intermittent simulation (CIS)
- audit module in DBMS
- examines all transactions that update the DBMS. If a
transaction has special audit significance, the audit
module independently processes the data, records the
results and compares them with the DBMS results. If
discrepancies, written to an audit log for subsequent
review OR may stop DBMS from executing the update
process.

10-38
Risk-based Audit Approach
GOAL: Provide a clear understanding of the
errors and irregularities that can occur and the
related risks and exposures
1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on
nature, timing, and extent of auditing
procedures. Compensating Controls?
10-39
Risk-based Audit Approach
Evaluate Control Procedures
• System review – are procedures in place?
EX: review docs, interviews
• Tests of controls = compliance testing – are the
controls in place and working as prescribed?
Ex: observe operations, check samples of input,
verify use, trace transactions

10-40
Audit Risk Model
• Used in audit planning:
• AR = audit risk: likelihood that the FS are
materially misstated
• AR = IR x CR x DR
[Callouts on the formula: "Auditor can control this"; "Auditor
cannot reduce"; "Assesses general and application controls
applicable to each FS assertion; tests of controls = compliance tests"]

10-41
Audit Risk Model
• IR = inherent risk: susceptibility of an account or class
of transactions to material error
• CR = control risk = likelihood that the IC control
structure will fail to prevent/detect a material error
• DR = detection risk = likelihood that the auditor’s
procedures will not uncover material errors
– More auditing procedures = lower DR
– Inversely related to CR: if CR is high, then an auditor
sets DR low and performs more substantive tests (detail
tests of transactions and account balances)

10-42
Audit Risk Model
Example
• Assume controls over the revenue cycle are
not effective and cannot be relied upon. The
auditor is worried about the correctness of
the A/R balance. To lower detection risk,
what would the auditor do?

10-43
Audit Risk Model
Example
• Assume controls over the revenue cycle are
not effective and cannot be relied upon. The
auditor is worried about the correctness of
the A/R balance. To lower detection risk,
what would the auditor do?
• Increase substantive testing of the A/R
balance – send out lots of confirmation
letters to customers.
10-44
AUDIT BENEFITS OF THE IT
ENVIRONMENT
• Consistent processing of large volumes of transactions or data
• Enhanced information timeliness, availability, and
accuracy
• Facilitation of the additional analysis of information
• Enhanced ability to monitor the performance of activities,
policies, and procedures
• Reduction in the risk that controls will be circumvented, if
IT system controls are effective

10-45
RISKS OF THE IT
ENVIRONMENT
• Incorrectly processing data or consistently processing inaccurate
data
• Unauthorized access to data that might be destroyed or
improperly changed
• Unauthorized changes to computer programs
• Failure to make necessary changes to computer programs
• Inappropriate manual intervention
• Potential loss of data

• Increase in potential loss resulting from computer fraud relative
to manual fraud (increase of 10X).
10-46
Summary
Compliance and Substantive Testing
Auditing Around the Computer
Auditing with the Computer
Auditing Through the Computer
Testing Approaches Through the Computer
THANKS FOR LISTENING
