Chapter 12
Information Technology Auditing
 Introduction
 The Audit Function
 The IT Auditor’s Toolkit
 Auditing the Computerized AIS
 Information Technology Auditing Today
The Audit Function
The function of an audit
 is to attest to some criteria by examining and
providing assurance
 always involves the accounting information system
 can be internal, or external
A raised eyebrow
indicates
professional
skepticism
The Attest
Function
Root of “audit”
means to hear
(e.g. auditorium,
auditory, audio,
etc.)
Auditor
?
Management
? ?
Stakeholders
Information Risk
4
Internal Auditing
An internal audit
Cynthia Cooper
WorldCom internal auditor and whistleblower
 is internal because performed by company employees
but external to the dept. or division being audited
 Internal auditors report to:


the Audit Committee of the Board of Directors
(especially for audits that concern top management)
Top management (on departmental efficiency audits)
 Involves compliance and operational audits
 compliance with policies & procedures
 The efficiency, effectiveness, and economy of operations
 involves an evaluation of internal controls and fraud
External Auditing
The external audit
 is carried out by independent accountants
 chief purpose is to attest to the fairness of the financial statements
in all material respects
 a secondary purpose - to test that internal controls are strong and
can be relied on to catch errors and fraud (the stronger the controls,
the smaller the audit risk, and the less work an auditor has to do).
The IT Audit
The IT audit function encompasses
Careers in Information Systems
Auditing
The demand for IT auditors is growing
 increasing use of computer-based AISs
 systems becoming more technologically complex
 Compliance with Sarbanes-Oxley Act
The Information Technology
Auditor’s Toolkit
IT auditors need to have
 technical skills to understand
 Accounting systems, auditing, and internal controls
 hardware and software
 use of appropriate software to do their jobs
 general-use software such as





word processing programs,
spreadsheet software, and
database management systems.
generalized audit software (GAS), and
automated working paper software.
The Information Technology
Auditor’s Toolkit
 people skills

to work as a team

to interact with clients and other auditors,

to interview many people constantly for evaluation

can’t just be a technical nerd!
Careers in Information Systems
Auditing
Information systems auditors
 may be internal or external
 can obtain professional certification as a Certified
Information Systems Auditor (CISA)



Pass exam
Five years of experience (some exceptions)
40 hours of CPE/year
 can also acquire certification as Certified
Information Security Managers (CISM)
General-Use Software
Auditors use general-use software as productivity tools
to improve their work such as
 spreadsheets and
 database management systems (e.g. Access)
Auditors often use structured query language (SQL)
 to retrieve a client’s data and
 display these data for audit purposes.
Generalized Audit Software
Generalized audit software (GAS) packages
 are specifically tailored to auditor tasks
 have been developed in-house in large firms, or
 are available from various software suppliers
 automates working papers, trial balances, and statistical
sampling and analysis
 Examples of GAS are



Audit Command Language (ACL)
Interactive Data Extraction Analysis (IDEA)
FAST! (Financial Audit Systems Technology)
Auditing Computerized AISAuditing Around the Computer
CPTR
Auditing around the computer
 Compares output with input; assumes that accurate
output verifies proper processing operations
 pays little or no attention to the control
procedures within the IT environment
 is generally not an effective approach to
auditing in a computerized environment.
Auditing Computerized AISAuditing Through the Computer
CPTR
Five techniques to audit a computerized AIS are:
 use of test data (or deck), integrated test facility, and




parallel simulation to test programs,
use of audit techniques to validate computer programs,
use of logs and specialized control software to
review systems software,
use of documentation and CAATs to validate
user accounts and access privileges, and
use of embedded audit modules to achieve
continuous auditing.
Testing Computer
Programs - Test Data (test deck)
The auditor’s responsibility is to
CPTR
 develop test data (or test deck from deck of cards)

that tests the range of exception situations
 arrange the data in preparation for processing
 compare output with a predetermined set of answers
 investigate further if the results do not agree
Test data (or test deck, named from punch card days)
 can check if program edit test controls are in place and
working
 can be developed using software
programs called test data generators
 But may contaminate real data with fake data
Testing Computer Programs Integrated Test Facility
An integrated test facility (ITF)
CPTR
 establishes a fictitious entity such as a





department, branch, customer, or employee,
enters transactions for that entity, and
observes how these transactions are processed.
is effective in evaluating integrated online
systems and complex programming logic, and
aims to audit an AIS in an operational setting.
May contaminate real data with fake data.
Testing Computer Programs Parallel Simulation
CPTR
In parallel simulation, the auditor
CPTR
 uses live input data, rather than test data, in a
separate program, which


is written or controlled by the auditor
simulates all or some of the operations of
the real program that is actually in use.
 needs to understand the client system,
 should possess sufficient technical knowledge, and
 should know how to predict the results
Testing Computer Programs Parallel Simulation
Parallel simulation
CPTR
 eliminates the need to prepare a
CPTR
set of test data,
 can be very time-consuming and costly
 usually involves replicating only
certain critical functions of a program
 But reduces the chance of contaminating real data
with fake data
Validating Computer Programs
Auditors
 must validate any program presented to them

to thwart a clever programmer’s dishonest program
Procedures that assist in program validation are
1. tests of program change control
 begins with an inspection of the documentation
 includes program authorization forms to be filled
 ensures accountability and adequate supervisory controls
2. program comparison


guards against unauthorized program tampering
performs certain control total tests of program
authenticity


using a test of length
using a comparison program
Review of Systems Software
Systems software includes
 operating system software (e.g. Windows, Linux)
 utility programs,
 program library software, and
 access control software.
Review of Systems Software
Auditors should first review systems software
documentation.
Next, auditors should review incident reports,
which list events that are
 unusual



or interrupt operations
security violations (such as unauthorized access attempts),
hardware failures, and
software failures
Validating Users and Access
Privileges
The IT auditor
 needs to verify that the software parameters are set
appropriately (passwords, etc.)
 must make sure that IT staff are using them appropriately
 needs to ensure all users


are valid and
have access privileges appropriate to their jobs
There are a variety of auditor software tools which can
scan settings and access logs
Password Parameters
Continuous Approach
Continuous auditing can be achieved by
 embedded audit modules or audit hooks
 application subroutines capture data for audit purposes
 exception reporting
 mechanisms reject certain transactions
that fall outside preset limits
 transaction tagging
 tags transactions with a special identifiers
 snapshot technique
 Examines how transactions are processed
(e.g. macro, step-by-step)
Continuous Auditing – Spreadsheet
Errors
Continuous Auditing – Spreadsheet
Errors
Sleuthing With Excel
Excel 2010 and newer
 Formula Auditing: On the top menu of Excel, go to Formulas, see Formula
Auditing section. Perform the error checking function to find and correct the
formula errors. You can also display Precedent and Dependent arrows to show
the formula pattern among the cells.
 Data Validation: On the top menu of Excel, go to Data and then under the Data
Tools section, go to Data Validation. Use the validation tool to verify data as it
is being entered. For example, highlight the payrate range and set the data
validation decimal feature between $7.50 and $40.00. From this point on, any
data entered in the payrate range that does not fall between these two values
will be flagged.
Benford’s Law
Physicist Frank Benford figured out the probability that
certain digits form part of financial numbers. For example,
the numeral 1 should occur as the first digit in any multipledigit number about 31% of the time, while 9 should occur
as the first digit only 5% of the time. As you can see below,
the numbers in digit 1,2,5,6 & 7 are suspicious.
The Sarbanes-Oxley Act of 2002
In 2002, Congress passed the Sarbanes-Oxley Act,
which was response to the accounting scandals of
Enron, Worldcom, etc. As Congress studied these
frauds, it realized that one of the big problems was a
weakness in internal controls.
Sen. Paul
Sarbanes
Representative
Mike Oxley
The Sarbanes-Oxley Act of 2002
Some important provisions of SOX for auditors are
 Section 201 – prohibits public accounting firms from
offering most nonaudit services to clients at the same time
they are conducting audits (conflict of interest).
 Section 302 – requiring CFOs and CEOs to certify that
their company’s financial statements are accurate and
complete
 Section 404 – requiring both the CEO and CFO to attest to
their organization’s internal controls over financial reporting
Third-Party Assurance
Internet systems and web sites
 are a source of risk for many companies,
 need specialized audits of these systems,
 have created a market for third-party assurance
services, which

is limited to data privacy.
Third-Party Assurance
The AICPA introduced Trust Services an
assurance service.
The principles of Trust Services are
 security,
 availability,
 processing integrity,
 online privacy, and
 confidentiality.
Privacy Issues
 Have a privacy policy for your website
 Have an audit done by professionals who
provide a privacy seal
Truste
 BBB Online
 Webtrust
