Auditing Computer-Based Information
Systems
Chapter 11

Copyright © 2015 Pearson Education, Inc.

11-1


Learning Objectives
• Describe the nature, scope, and objectives of audit work, and identify the major steps
in the audit process.
• Identify the six objectives of an information system audit, and describe how the riskbased audit approach can be used to accomplish these objectives.
• Describe the different tools and techniques auditors use to test software programs
and program logic.
• Describe computer audit software, and explain how it is used in the audit of an AIS.
• Describe the nature and scope of an operational audit.
Copyright © 2015 Pearson Education, Inc.

11-2


Auditing
• The process of obtaining and evaluating evidence regarding
assertions about economic actions and events in order to
determine how well they correspond with established criteria

Copyright © 2015 Pearson Education, Inc.

11-3

Major Steps in the Auditing Process
• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk

• Collection of audit evidence
• Evaluation of evidence
• Communication of results

Copyright © 2015 Pearson Education, Inc.

11-4


Risk-Based Framework
• Identify fraud and errors (threats) that can occur that threaten
each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended

• Determine effect of control weaknesses
▫ Compensating controls
Copyright © 2015 Pearson Education, Inc.

11-5



Information Systems Audit
• Using the risk-based framework for an information systems audit
allows the auditor to review and evaluate internal controls that
protect the system to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment,
programs, and data)
▫ Program development and acquisition occur under management
authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and
reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
Copyright ©▫2015
Pearson Education,complete,
Inc.
Accurate,
and confidential data files
11-6


1. Protect Overall System Security
Threats

• Theft of hardware
• Damage of hardware (accidental and
intentional)
• Loss, theft, unauthorized access to
▫ Programs
▫ Data
• Unauthorized modification or use of

programs and data files
• Unauthorized disclosure of confidential
data
• Interruption of crucial business activities

Copyright © 2015 Pearson Education, Inc.

Controls

• Limit physical access to computer
equipment
• Use authentication and authorization
controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
11-7
• Insurance


2. Program Development and Acquisition Occur
under Management Authorization
Threat

Controls

• Inadvertent programming errors
• Unauthorized program code


Copyright © 2015 Pearson Education, Inc.

• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of
programming specifications
• Testing and user acceptance of new
programs
• Systems documentation

11-8


3. Program Development and Acquisition Occur
under Management Authorization
Threat

Controls

• Inadvertent programming errors
• Unauthorized program code

Copyright © 2015 Pearson Education, Inc.

• List program components to be modified
• Management authorization and approval
for modifications

• User approval for modifications
• Test changes to program
• System documentation of changes
11-9
• Logical access controls


4. Accurate and Complete Processing of Transactions,
Records, Files, and Reports
Threats

• Failure to detect incorrect, incomplete, or
unauthorized input data
• Failure to correct errors identified from
data editing procedures
• Errors in files or databases during
updating
• Improper distribution of output
• Inaccuracies in reporting

Copyright © 2015 Pearson Education, Inc.

Controls

•
•
•
•
•


Data editing routines
Reconciliation of batch totals
Error correction procedures
Understandable documentation
Competent supervision
11-10


5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threat

Controls

• Inaccurate source data
• Unauthorized source data

Copyright © 2015 Pearson Education, Inc.

• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of
source data input
• Turnaround documents
• Check digit and key verification
11-11
• Data editing routines


6. Accurate, Complete, and Confidential Data Files


Threats

• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure
of stored data

Copyright © 2015 Pearson Education, Inc.

Controls

• Secure storage of data and restrict physical
access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
11-12
• System recovery procedures


Audit Techniques Used to Test Programs
• Integrated Test Facility
▫ Uses fictitious inputs


• Snapshot Technique
▫ Master files before and after update are stored for specially marked
transactions

• System Control Audit Review File (SCARF)
▫ Continuous monitoring and storing of transactions that meet prespecifications

• Audit Hooks
▫ Notify auditors of questionable transactions

• Continuous and Intermittent Simulation
▫ Similar to SCARF for DBMS

Copyright © 2015 Pearson Education, Inc.

11-13


Software Tools Used to Test Program Logic
• Automated flowcharting program
▫ Interprets source code and generates flowchart

• Automated decision table program
▫ Interprets source code and generates a decision table

• Scanning routines
▫ Searches program for specified items

• Mapping programs
▫ Identifies unexecuted code


• Program tracing
▫ Prints program steps with regular output to observe sequence of
Copyright © 2015
Pearson Education,
Inc.
program
execution
events

11-14


Computer Audit Software
• Computer assisted audit software that can perform audit tasks on
a copy of a company’s data. Can be used to:
▫
▫
▫
▫
▫
▫
▫

Query data files and retrieve records based upon specified criteria
Create, update, compare, download, and merge files
Summarize, sort, and filter data
Access data in different formats and convert to common format
Select records using statistical sampling techniques
Perform analytical tests

Perform calculations and statistical tests

Copyright © 2015 Pearson Education, Inc.

11-15


Operational Audits
• Purpose is to evaluate effectiveness, efficiency, and goal
achievement. Although the basic audit steps are the same, the
specific activities of evidence collection are focused toward
operations such as:
▫
▫
▫
▫
▫
▫

Review operating policies and documentation
Confirm procedures with management and operating personnel
Observe operating functions and activities
Examine financial and operating plans and reports
Test accuracy of operating information
Test operational controls

Copyright © 2015 Pearson Education, Inc.

11-16



Key Terms
•
•
•
•
•
•
•
•
•
•
•
•
•
•

Auditing
Internal auditing
Financial audit
Information systems audit
Operational audit
Compliance audit
Investigative audit
Inherent risk
Control risk
Detection risk
Confirmation
Reperformance
Vouching

Analytical review

Copyright © 2015 Pearson Education, Inc.

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

Materiality
Reasonable assurance
Systems review
Test of controls
Compensating controls
Source code comparison program
Reprocessing
Parallel simulation
Test data generator
Concurrent audit techniques

Embedded audit modules
Integrated test facility (ITF)
Snapshot technique
System control audit review file (SCARF)
Audit log
11-17


Key Terms (continued)
• Audit hooks
• Continuous and intermittent simulation
(CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing

Copyright © 2015 Pearson Education, Inc.

• Input controls matrix
• Computer-assisted audit techniques
(CAAT)
• Generalized audit software (GAS)

11-18