Chapter 12

Information Technology Auditing

Introduction

The Audit Function

The IT Auditor’s Toolkit

Auditing the Computerized AIS

Information Technology Auditing Today

 The Audit Function
The function of an audit
 is to examine and to give assurance.
 will differ according to the subject under examination.
 can be internal, or external
 always involves the accounting information systems
Information technology auditing discusses
 internal auditing,
 External auditing, and
 IT auditing.
 Internal Auditing

An internal audit, which preserves its objectivity

is carried out by company personnel reporting to
 the Audit Committee of the Board of Directors
(preferable)
 Top management (on departmental efficiency audits)
is external to the corporate department or
division being audited
concerns compliance to company policies & procedures
involves an evaluation of internal controls and fraud
tests for efficiency, effectiveness and economy
Cynthia Cooper – WorldCom internal auditor and whistleblower
 External Auditing
The external audit
 is carried out by independent
accountants
 has the attest function as its
chief purpose confirming
 the fairness of financial
statements in all material respects
 Has a secondary purpose - to
test that internal controls are
strong and can be relied on to
catch errors and fraud (the
stronger the controls, the
smaller the audit risk, and the
less work an auditor has to do).
 A raised eyebrow
The Attest indicates
professional

Function
skepticism

Auditor

? ?
Info
rm
?
ation

Management

Stakeholders
Information Risk

6
 The IT Audit
The IT audit function encompasses
 Careers in Information Systems
Auditing

The demand for IT auditors is growing

 increasing use of computer-based AISs
 systems becoming more technologically complex
 passing of the Sarbanes-Oxley bill

IT auditing requires a variety of skills, combining

 accounting and
 information systems or computer science skills.
 The Information Technology
Auditor’s Toolkit

IT auditors need to have

the technical skills to understand the vulnerabilities in
 hardware and software
 use of appropriate software to do their jobs
 general-use software such as
 word processing programs,
 spreadsheet software, and
 database management systems.
 generalized audit software (GAS), and
 automated workpaper software.
 The Information Technology
Auditor’s Toolkit

people skills
 to work as a team
 to interact with clients and other auditors,
 to interview many people constantly for evaluation
 can’t just be a technical nerd!
 Careers in Information Systems
Auditing

Information systems auditors

may be internal or external
can obtain professional certification as a Certified
Information Systems Auditor (CISA)
 Pass exam
 Five years of experience (some exceptions)
 40 hours of CPE/year
can also acquire certification as Certified
Information Security Managers (CISM)
 General-Use Software
Auditors use general-use software as productivity tools
to improve their work such as
 spreadsheets and
 database management systems (e.g. Access)

Auditors often use structured query language (SQL)

 to retrieve a client’s data and
 display these data for audit purposes.
 Generalized Audit Software

Generalized audit software (GAS) packages

 are specifically tailored to auditor tasks
 have been developed in-house in large firms, or
 are available from various software suppliers
 automates working papers, trial balances, and statistical
sampling and analysis
 Examples of GAS are
 Audit Command Language (ACL)
 Interactive Data Extraction Analysis (IDEA)
 FAST! (Financial Audit Systems Technology)
 Auditing Computerized AIS-
Auditing Around the Computer

CPTR
Auditing around the computer
 Compares output with input; assumes that accurate
output verifies proper processing operations
 pays little or no attention to the control
procedures within the IT environment
 is generally not an effective approach to
auditing in a computerized environment.
 Auditing Computerized AIS-
Auditing Through the Computer
CPTR

Five techniques to audit a computerized AIS are:

 use of test data (or deck), integrated test facility, and
parallel simulation to test programs,
 use of audit techniques to validate computer programs,
 use of logs and specialized control software to
review systems software,
 use of documentation and CAATs to validate
user accounts and access privileges, and
 use of embedded audit modules to achieve
continuous auditing.
 Testing Computer
Programs - Test Data (test deck)
The auditor’s responsibility is to CPTR
 develop test data (or test deck from deck of cards)
 that tests the range of exception situations
 arrange the data in preparation for processing
 compare output with a predetermined set of answers
 investigate further if the results do not agree

Test data (or test deck, named from punch card days)
 can check if program edit test controls are in place and
working
 can be developed using software
programs called test data generators
 But may contaminate real data with fake data
 Testing Computer Programs
-Integrated Test Facility
CPTR
An integrated test facility (ITF)
establishes a fictitious entity such as a
department, branch, customer, or employee,
enters transactions for that entity, and
observes how these transactions are processed.
is effective in evaluating integrated online
systems and complex programming logic, and
aims to audit an AIS in an operational setting.
May contaminate real data with fake data.
 Testing Computer Programs
-Parallel Simulation CPTR

In parallel simulation, the auditor CPTR

uses live input data, rather than test data, in a
separate program, which
 is written or controlled by the auditor
 simulates all or some of the operations of
the real program that is actually in use.
needs to understand the client system,
should possess sufficient technical knowledge, and
should know how to predict the results
 Testing Computer Programs
-Parallel Simulation
Parallel simulation CPTR
eliminates the need to prepare a
CPTR
set of test data,
can be very time-consuming and costly
usually involves replicating only
certain critical functions of a program
But reduces the chance of contaminating real data
with fake data
 Validating Computer Programs
Auditors
 must validate any program presented to them
 to thwart a clever programmer’s dishonest program
Procedures that assist in program validation are
1. tests of program change control
 begins with an inspection of the documentation
 includes program authorization forms to be filled
 ensures accountability and adequate supervisory controls

2. program comparison
 guards against unauthorized program tampering
 performs certain control total tests of program
authenticity
 using a test of length
 using a comparison program
 Review of Systems Software

Systems software includes

operating system software (e.g. Windows, Linux)
utility programs,
program library software, and
access control software.
 Review of Systems Software

Auditors should first review systems software

documentation.
Next, auditors should review incident reports,
which list events that are
 unusual or interrupt operations
 security violations (such as unauthorized access attempts),
 hardware failures, and
 software failures
 Validating Users and Access
Privileges
The IT auditor
 needs to verify that the software parameters are set
appropriately (passwords, etc.)
 must make sure that IT staff are using them appropriately
 needs to ensure all users
 are valid and
 have access privileges appropriate to their jobs
There are a variety of auditor software tools which can
scan settings and access logs
Password Parameters
 Continuous Approach
Continuous auditing can be achieved by
 embedded audit modules or audit hooks
 application subroutines capture data for audit purposes

 exception reporting
 mechanisms reject certain transactions
that fall outside preset limits
 transaction tagging
 tags transactions with a special identifiers

 snapshot technique
 Examines how transactions are processed
(e.g. macro, step-by-step)
Continuous Auditing – Spreadsheet
Errors
 Continuous Auditing – Spreadsheet
Errors
Sleuthing With Excel

Excel 2010 and newer

Formula Auditing: On the top menu of Excel, go to Formulas, see Formula
Auditing section. Perform the error checking function to find and correct the
formula errors. You can also display Precedent and Dependent arrows to show
the formula pattern among the cells.

Data Validation: On the top menu of Excel, go to Data and then under the Data
Tools section, go to Data Validation. Use the validation tool to verify data as it is
being entered. For example, highlight the payrate range and set the data
validation decimal feature between $7.50 and $40.00. From this point on, any
data entered in the payrate range that does not fall between these two values will
be flagged.
 Benford’s Law
Physicist Frank Benford figured out the probability that
certain digits form part of financial numbers. For example,
the numeral 1 should occur as the first digit in any multiple-
digit number about 31% of the time, while 9 should occur
as the first digit only 5% of the time. As you can see below,
the numbers in digit 1,2,5,6 & 7 are suspicious.
 The Sarbanes-Oxley Act of 2002

In 2002, Congress passed the Sarbanes-Oxley Act,

which was response to the accounting scandals of
Enron, Worldcom, etc. As Congress studied these
frauds, it realized that one of the big problems was a
weakness in internal controls.

Sen. Paul Representative

Sarbanes Mike Oxley
 The Sarbanes-Oxley Act of 2002

Some important provisions of SOX for auditors are

 Section 201 – prohibits public accounting firms from
offering most nonaudit services to clients at the same time
they are conducting audits (conflict of interest).
 Section 302 – requiring CFOs and CEOs to certify that
their company’s financial statements are accurate and
complete
 Section 404 – requiring both the CEO and CFO to attest to
their organization’s internal controls over financial reporting
 Third-Party Assurance

Internet systems and web sites

are a source of risk for many companies,
need specialized audits of these systems,
have created a market for third-party assurance
services, which
 is limited to data privacy.
 Third-Party Assurance

The AICPA introduced Trust Services an

assurance service.
The principles of Trust Services are
 security,
 availability,
 processing integrity,
 online privacy, and
 confidentiality.
 Privacy Issues
Have a privacy policy for your website
Have an audit done by professionals who
provide a privacy seal
 Truste
 BBB Online

 Webtrust