Chapter Auditing Information

16 Technology

What is auditing through the computer?

It is the process of reviewing and evaluating the
internal controls in an electronic data processing
system.
What is auditing with the computer?
It is the utilization of the computer by an auditor
to perform some audit work that otherwise would
have to be done manually.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 1
 Structure of Financial
Statement Audit

The primary objective and responsibility

of the external auditor is to attest to the
fairness of a firms financial reports.
The external auditor serves the firms
stockholders, the government, and the
general public.
The internal auditor serves a firms
management.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 2
 Structure of Financial
Statement Audit

Various types of professional certifications

are applicable to auditing.
What are these?
CPA (certified public accountant)
CISA (certified information systems auditor)
CIA (certified internal auditor)
Audits are almost universally divided into
two components.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 3
 Structure of Financial
Statement Audit

Accounting Financial
Transactions
System Reports

Cash Bank
Compliance Testing Receivables Customers
Interim Audit (Confirm balances)

Substantive Testing
Financial Statement Audit
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 4
 Auditing Around the Computer

An accounting system is comprised of input,

processing, and output.
In the around-the-computer approach, the
processing portion is ignored.
Auditing through the computer may be defined as
the verification of controls in a computerized system.
Auditing with the computer is the process of
using information technology in auditing.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 5
 Control Framework
in IT Environment
Computer
Applications Application
Controls Systems and
Programs

Application
Internal
Systems
Controls
Development

Computer
General Service
Controls Center

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 6
 Auditing with the Computer

What are some of the potential benefits

of using information systems technology
in an audit?
1 Computer-generated working papers are
generally more legible and consistent.
2 Time may be saved by eliminating manual
footing, cross footing, and other routine
calculations.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 7
 Auditing with the Computer

3 Calculations, comparisons, and other data

manipulations are more accurately performed.
4 Analytical review calculations may be more
efficiently performed.
5 Project information may be more easily
generated and analyzed.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 8
 Auditing with the Computer

6 Standardized audit correspondence may be

stored and easily modified.
7 Morale and productivity may be improved by
reducing the time spent on clerical tasks.
8 Increased cost-effectiveness is obtained by reusing
and extending existing electronic audit
applications to subsequent audits.
9 Increased independence from information systems
personnel is obtained.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 9
 Information Systems
Auditing Technology

Technique: Test data

Description: Test data are input containing both
valid and invalid data.
Example: Payroll transactions for fictitious
employees are processed
concurrently with valid payroll
transactions.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 10
 Information Systems
Auditing Technology
Test Data
Hypothetical
Transactions

Computer Processing
Using Master Program

Compare Auditors
Error Listing Expected
Output
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 11
 Information Systems
Auditing Technology
Technique: Integrated test facility (ITF)
Description: ITF involves both the use of test
data and the creation of fictitious
records (vendors, employees) on
the master files of a computer
system.
Example: Payroll transactions for fictitious
employees are processed
concurrently with valid payroll
transactions.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 12
 Information Systems
Auditing Technology

ITF
Transactions Transactions

Computer Data Files

Application
System ITF Data

Reports Reports
Without Containing
ITF Data ITF Information

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 13
 Information Systems
Auditing Technology

Technique: Parallel simulation

Description: Processing real data through audit
programs. The simulated output
and the regular output are then
compared.
Example: Depreciation calculations are
verified by processing the fixed-
asset master file with an audit
program.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 14
 Information Systems
Auditing Technology

Computer
Application Transactions
System
Parallel
Simulation
Program
Function to
Be Verified

Compare Simulation
Report
Report

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 15
 Information Systems
Auditing Technology

Technique: Audit software

Description: Computer programs that permit
the computer to be used as an
auditing tool.
Example: An auditor uses a computer
program to extract data records
from a master file.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 16
 Information Systems
Auditing Technology

Technique: Generalized audit software (GAS)

Description: GAS is audit software that has
been specifically designed to allow
auditors to perform audit-related
data processing functions.
Example: An auditor uses GAS to search
computer files for unusual items.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 17
 Information Systems
Auditing Technology

Technique: PC software
Description: Software that allows the auditor to
use a PC to perform audit tasks.
Example: A PC spreadsheet package is used
to maintain audit working papers
and audit schedules.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 18
 Information Systems
Auditing Technology
Deloitte & Touche AuditSystem/2
Smart Audit
Work Support Access to
Papers Information
Document
Manager
Trial File
Balance Multilocation Interrogation
Support
MS MS MS Lotus Folio Other
Word Excel Access cc:mail ACL VIEWS Applications
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 19
 Information Systems
Auditing Technology

Technique: Embedded audit routines

Description: Special auditing routines included
in regular computer programs so
that transaction data can be
subjected to audit analysis.
Example: Data items that are exceptions to
auditor-specified edit tests
included in a program are written
to a special audit file.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 20
 Information Systems
Auditing Technology
Production
Transactions

Production
Computer
Application
System

Production Embedded Audit

Reports Audit Data Reports
Collection
Module
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 21
 Information Systems
Auditing Technology

Technique: Extended records

Description: Modification of programs to
collect and store data of audit
interest.
Example: A payroll program is modified to
collect data pertaining to overtime
pay.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 22
 Information Systems
Auditing Technology

Technique: Snapshot
Description: Modifications of programs to
output data of audit interest.
Example: A payroll program is modified to
output data pertaining to overtime
pay.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 23
 Information Systems
Auditing Technology

Technique: Tracing
Description: Tracing provides a detailed audit
trail of the instructions executed
during the programs operation.
Example: A payroll program is traced to
determine if certain edit tests are
performed in the correct order.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 24
 Information Systems
Auditing Technology

Technique: Review of system documentation

Description: Existing system documentation
such as program flowcharts are
reviewed for audit purposes.
Example: An auditor desk checks the
processing logic of a payroll
program.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 25
 Information Systems
Auditing Technology

Technique: Control flowcharting

Description: Analytic flowcharts or other
graphic techniques are used to
describe the controls in a system.
Example: An auditor prepares an analytic
flowchart to review controls in
the payroll application system.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 26
 Information Systems
Auditing Technology

Technique: Mapping
Description: Special software is used to monitor
the execution of a program.
Example: The execution of a program with
test data as input is mapped to
indicate how extensively the input
tested compares with individual
program statements.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 27
 General Approach to an
Information Systems Audit

Most approaches to an information systems

audit follow some variation of a three-phase
structure.
The first phase consists of an initial review
and evaluation of the area to be audited and
audit plan preparation.
The second phase is a detailed review and
evaluation of controls.
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 28
 General Approach to an
Information Systems Audit

The third phase involves compliance testing

and is followed by analysis and reporting of
results.
The initial review phase determines the
course of action the audit will take.
It includes the following:
decisions concerning specific areas to be
investigated
2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 29
 General Approach to an
Information Systems Audit

the deployment of audit labor

the audit technology to be used
the development of time and/or cost budget
for the audit
The primary control over the conduct of an
information systems audit centers on
documentation and review of performance.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 30
 General Approach to an
Information Systems Audit

What is an audit program?

It is a detailed list of the audit procedures
to be applied on a particular audit.
Standardized audit programs for particular
audit areas have been developed and are
common in all types of auditing.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 31
 General Approach to an
Information Systems Audit

In the second general phase of the audit,

effort is focused on fact-finding in the
area(s) selected for audit.
Documentation of the application area
is reviewed.
Data concerning the operation of the system
are reviewed.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 32
 General Approach to an
Information Systems Audit

In the third phase of the audit, compliance

tests are undertaken to provide reasonable
assurance that internal controls exist and
operate as prescribed.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 33
 Information Systems Application
Audits

Application controls are divided into three

general areas.
What are these areas?
1 Input
2 Processing
3 Output

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 34
 Application Systems
Development Audits

There are three general areas of audit

concern in the systems development process.
They are:
1 Systems development standards
2 Project management
3 Program change control
What are systems development standards?

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 35
 Application Systems
Development Audits

Systems development standards are the

documentation governing the design,
development, and implementation of
application systems.
What is project management?
It consists of project planning and project
supervision.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 36
 Application Systems
Development Audits
What is the objective of program change controls?
It is to prevent unauthorized and potentially
fraudulent changes from being introduced into
previously tested and accepted programs.
Normally, an audit of the computer service center
is undertaken before any application audits to
ensure the general integrity of the environment in
which the application will function.

2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood 16 - 37