Chapter 13

Auditing Information Technology

 Presentation Outline
I. Concepts in Information Systems
Auditing
II. Auditing Technology for Information
Systems
 I. Concepts in Information
Systems Auditing

A. The Phases to the Information Systems

Audit
B. Structure of the Financial Statement Audit
C. Auditing Around the Computer
D. Auditing With the Computer
E. Auditing Through the Computer
 A. Phases of the Information
Systems Audit
1. Initial review and
evaluation of the area to
be audited, and the audit
plan preparation
2. Detailed review and
evaluation of controls
3. Compliance testing
4. Analysis and reporting of
results
 B. Structure of the Financial
Statement Audit
Transactions Accounting
Accounting Financial
Financial
Transactions
System
System Reports
Reports

Financial
Interim Audit Statement Audit
Substantive
Compliance Testing
Testing
 B1. Compliance Testing

Auditors perform tests of controls to determine

that the control policies, practices, and
procedures established by management are
functioning as planned. This is known as
compliance testing.
 B2. Substantive Testing
Substantive testing is the direct verification of
financial statement figures. Examples would
include reconciling a bank account and
confirming accounts receivable.
Audit Confirmation
To ABC Co. Customer:
Please confirm that the
balance of your account
on Dec. 31 is _____ .
 C. Auditing Around the
Computer
The auditor ignores computer processing.
Instead, the auditor selects source documents that
have been input into the system and summarizes
them manually to see if they match the output of
computer processing.

Processing
 D. Auditing With The Computer
The utilization of the computer by an auditor to
perform some audit work that would otherwise
have to be done manually.
 E. Auditing Through the
Computer
The process of reviewing and evaluating the
internal controls in an electronic data
processing system.

Audit
II. Auditing Technology for
Information Systems
A. Review of Systems Documentation
B. Test Data
C. Integrated-Test-Facility (ITF) Approach
D. Parallel Simulation
E. Audit Software
F. Embedded Audit Routines
G. Mapping
H. Extended Records and Snapshots
 A. Review of Systems
Documentation
The auditor reviews documentation such as
narrative descriptions, flowcharts, and program
listings. In desk checking the auditor processes
test or real data through the program logic.
 B. Test Data
The auditor prepares input containing both valid
and invalid data. Prior to processing the test
data, the input is manually processed to
determine what the output should look like.
The auditor then compares the computer-
processed output with the manually processed
results.
 Illustration of Test Data
Approach
Computer Operations Auditors
PrepareTest
Prepare Test
Transaction
Transaction Transactions
Transactions
TestData
Test Data
AndResults
And Results
Computer
Computer
Application
Application
System
System

Manually
Manually
Computer
Computer Auditor Compares Processed
Processed
Output
Output Results
Results
 C. Integrated Test Facility (ITF)
Approach
A common form of an ITF is as follows:
1. A dummy ITF center is created for the auditors.
2. Auditors create transactions for controls they
want to test.
3. Working papers are created to show expected
results from manually processed information.
4. Auditor transactions are run with actual
transactions.
5. Auditors compare ITF results to working papers.
 Illustration of ITF Approach
Computer Operations Auditors

Actual ITF PrepareITF

Prepare ITF
Actual ITF Transactions
Transactions
Transactions Transactions
Transactions Transactions
AndResults
And Results

Computer
Computer
Application
Application DataFiles
Data Files
System
System ITF Data

Reports
Reports Reports
Reports Manually
Manually
WithOnly
With Only WithOnly
With Only Auditor Processed
Processed
ActualData
Actual Data ITFData
ITF Data Results
Results
Compares
 D. Parallel Simulation
The test data and ITF methods both process test
data through real programs. With parallel
simulation, the auditor processes real client data
on an audit program similar to some aspect of the
client’s program. The auditor compares the
results of this processing with the results of the
processing done by the client’s program.
Illustration of Parallel Simulation
Computer Operations Auditors

Actual
Actual
Transactions
Transactions

Computer
Computer Auditor’s
Auditor’s
Application
Application Simulation
Simulation
System
System Program
Program

Auditor Compares Auditor

Auditor
ActualClient
Actual Client
Simulation
Simulation
Report
Report Report
Report
 E. Audit Software
Computer programs that permit computers to be
used as auditing tools include:
1. Generalized audit software
Perform tasks such as selecting sample data
from file, checking computations, and
searching files for unusual items.
2. P.C. Software
Allows auditors to analyze data from
notebook computers in the field.
 F. Embedded Audit Routines
1. In-line Code – Application program performs
audit data collection while it processes data
for normal production purposes.
2. System Control Audit
Review File (SCARF)–
The Auditor
Edit tests for audit
transaction analysis are
included in program.
Exceptions are written
to a file for audit review.
 G. Mapping

Special software counts the number of times each

program statement in a program executes.
Helps identify code that is bypassed when the
bypass is not readily apparent in the program code
and/or documentation.
 H. Extended Records and
Snapshots
Extended Records Snapshot
Specific transactions are A snapshot is similar to
tagged, and the an extended record
intervening processing except that the
steps that normally snapshot is a printed
would not be saved are
added to the extended audit trail.
record, permitting the
audit trail to be
reconstructed for these
transactions.
 Summary
Compliance and Substantive Testing
Auditing Around the Computer
Auditing with the Computer
Auditing Through the Computer
Testing Approaches Through the Computer