Auditing Information
Technology
Chapter 13
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 1
Learning Objective 1
Distinguish between “auditing
through the computer” and
“auditing with the computer.”
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 2
Information Systems
Auditing Concepts
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 3
Structure of a Financial
Statement Audit
The primary objective and responsibility
of the external auditor is to attest to the
fairness of a firm’s financial reports.
The external auditor serves outsiders.
The internal auditor serves
a firm’s management.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 4
Structure of a Financial
Statement Audit
Transactions
Accounting
system
Financial
reports

Compliance testing
Interim audit
Cash
Bank
Receivables
Customers

Confirm balances

Substantive testing
Financial statement audit
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 5
Auditing Around the Computer
Accounting system
Input
Processing
Output
In the around-the-computer approach,
the processing portion is ignored.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 6
Auditing Around the Computer
Totals are accumulated for
accepted and rejected records.
Auditors emphasize control over
rejected transactions, their correction,
and then resubmission.
The around-the-computer approach
is no longer widely used.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 7
Auditing Through the Computer
Auditing through the computer may
be defined as the verification of
controls in a computerized system.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 8
Control Framework
in IT Environment
Applications
controls
Computer
application
systems and
programs
Application
systems
development
Internal
controls
General
controls
Computer
service
center
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 9
Auditing With the Computer
Auditing with the computer is the process
of using information technology in auditing.
The use of information technology
is no longer optional.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 10
Auditing With the Computer
What are some of the potential benefits
of using information systems
technology in an audit?
1. Computer-generated working papers are
generally more legible and consistent.
2. Time may be saved by eliminating
manual footing, cross footing,
and other routine calculations.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 11
Auditing With the Computer
3. Calculations, comparisons, and other
data manipulations are more
accurately performed.
4. Analytical review calculations may
be more efficiently performed.
5. Project information may be more
easily generated and analyzed.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 12
Auditing With the Computer
6. Standardized audit correspondence
may be stored and easily modified.
7. Morale and productivity may
be improved by reducing the
time spent on clerical tasks.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 13
Auditing With the Computer
8. Increased cost-effectiveness is obtained
by reusing and extending existing electronic
audit applications to subsequent audits.
9. Increased independence from information
systems personnel is obtained.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 14
Learning Objective 2
Describe and evaluate
alternative information
systems audit technologies.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 15
Information Systems
Auditing Technology
Information system audit technology
has evolved along with computer
system development.
There is no one overall auditing technology.
Rather, there is a variety of tools
and techniques that may be used
to accomplish an audit’s objective.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 16
Test Data Technique
Test data are input containing
both valid and invalid data.
Payroll transactions for fictitious employees
are processed concurrently with valid
payroll transactions.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 17
Test Data Approach
Test data
hypothetical
transactions
Computer processing
using master program
Error listing
Compare
Auditor’s
expected
output
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 18
Integrated-Test-Facility Technique
ITF involves both the use of test data and the
creation of fictitious records (vendors, employees)
on the master files of a computer system.
Payroll transactions for fictitious employees
are processed concurrently with
valid payroll transactions.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 19
Integrated-Test-Facility Approach
Transactions
ITF
transactions
Computer
application
system
Reports
without
ITF data
Data files
ITF data
Reports
containing
ITF information
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 20
Parallel Simulation Technique
Processing real data through audit programs.
The simulated output and the regular
output are then compared.
Depreciation calculations are verified
by processing the fixed-asset master
file with an audit program.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 21
Parallel Simulation
Transactions
Computer
application
system
Parallel
simulation
program
Function to
be verified
Report
Compare
Simulation
report
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 22
Audit Software Technique
Computer programs that permit the
computer to be used as an auditing tool.
An auditor uses a computer program to
extract data records from a master file.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 23
Generalized Audit Software
(GAS) Technique
GAS is audit software that has been specifically
designed to allow auditors to perform
audit-related data processing functions.
An auditor uses GAS to search
computer files for unusual items.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 24
PC Software Technique
Software that allows the auditor
to use a PC to perform audit tasks.
A PC spreadsheet package is used to maintain
audit working papers and audit schedules.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 25
Embedded Audit Routines
Technique
Special auditing routines included in regular
computer programs so that transaction
data can be subjected to audit analysis.
Data items that are exceptions to auditorspecified edit tests included in a program
are written to a special audit file.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 26
Embedded Audit Data Collection
Production
transactions
Production
computer
application
system
Production
reports
Embedded
audit data
collection
module
Audit
reports
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 27
Extended Records Technique
Modification of programs to collect
and store data of audit interest.
A payroll program is modified to collect
data pertaining to overtime pay.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 28
Snapshot Technique
Modifications of programs to
output data of audit interest.
A payroll program is modified to
output data pertaining to overtime pay.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 29
Tracing Technique
Tracing provides a detailed audit trail of the
instructions executed during the program’s operation.
A payroll program is traced to determine if
certain edit tests are performed in the correct order.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 30
Review of System
Documentation Technique
Existing system documentation as program
flowcharts are reviewed for audit purposes.
An auditor desk checks the processing
logic of a payroll program.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 31
Control Flowcharting Technique
Analytic flowcharts or other graphic techniques
are used to describe the controls in a system.
An auditor prepares an analytic flowchart to
review controls in the payroll application system.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 32
Mapping Technique
Special software is used to monitor
the execution of a program.
The execution of a program with test data as
input is mapped to indicate how extensively
the input tested compares with individual
program statements.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 33
Learning Objective 3
Characterize various types of
information systems audits.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 34
General Approach to an
Information Systems Audit
Initial review and evaluation of the area
to be audited and audit plan preparation.
Detailed review and
evaluation of controls.
Compliance testing which is followed
by analysis and reporting of results.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 35
General Approach to an
Information Systems Audit
The initial review phase determines
the course of action the audit will take.
Decisions concerning specific
areas to be investigated
Deployment of audit labor
Audit technology to be used
Development of a time and/or
cost budget for the audit
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 36
General Approach to an
Information Systems Audit
What is an audit program?
It is a detailed list of the audit procedures
to be applied on a particular audit.
Standardized audit programs for particular
audit areas have been developed and
are common in all types of auditing.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 37
General Approach to an
Information Systems Audit
In the second general phase of the audit,
is detailed review and evaluation.
Documentation of the application
area is reviewed.
Data concerning the operation
of the system are reviewed.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 38
General Approach to an
Information Systems Audit
The third phase of the audit is testing.
This phase produces evidence
of compliance with procedures.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 39
Information Systems
Application Audits
Application controls are divided
into three general areas.
Input
Output
Processing
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 40
Application Systems
Development Audits
Systems development audits are
directed at the activities of systems
analysts and programmers.
Controls governing the systems
development process directly
affect the reliability of the
application programs
that are developed.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 41
Application Systems
Development Audits
There are three general areas of audit concern
in the systems development process.
Systems development standards
Project management
Program change control
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 42
Systems Development Standards
Systems development standards are the
documentation governing the design,
development, and implementation
of application systems.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 43
Project Management
What is project management?
It consists of project planning
and project supervision.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 44
Program Change Controls
What is the objective of
program change controls?
It is to prevent unauthorized and potentially
fraudulent changes from being introduced
into previously tested and accepted programs.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 45
Computer Service Center Audits
Normally, an audit of the computer service
center is undertaken before any application
audits to ensure the general integrity of the
environment in which the application will function.
Audits might be undertaken in several areas.
What are some examples?
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 46
Computer Service Center Audits
Environmental controls
Physical security of the center
Data release, reports, and computer programs
Management controls
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 47
Computer Service Center Audits
Audits of computer service center operations
require a high degree of technical training
and familiarity with systems operations.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 48
End of Chapter 13
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
13 – 49