Prepared by Paula Funkhouser
University of Nevada, Reno
Core Concepts of Accounting Information Systems, 13th Edition
Mark G. Simkin ● Jacob M. Rose ● Carolyn S. Norman
Information Technology Auditing
Chapter 15
Chapter 15:
Information Technology Auditing
• Introduction
• The Audit Function
• The Information Technology Auditor’s Toolkit
• Auditing Computerized Accounting Information Systems
• Information Technology Auditing Today
Copyright © 2015. John Wiley & Sons, Inc. All rights reserved.
Introduction
• Audits of AISs
– Ensure controls are functioning properly
– Confirm additional controls not necessary
• Nature of Auditing
– Internal and external auditing
– IT Audit and financial audit
– Tools of an IT auditor
The Audit Function
• Internal versus External Auditing
• Information Technology Auditing
• Evaluating the Effectiveness of Information Systems Controls
Internal Auditing
• Responsibility of Performance
– Company’s own employees
– External to the department being audited
• Evaluation of:
– Employee compliance with policies and procedures
– Effectiveness of operations
– Compliance with external laws and regulations
– Reliability of financial reports
– Internal controls
External Auditing
• Responsibility of Performance
– Those outside the organization
– Accountants working for independent CPA
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements relative to GAAP
Information Technology Auditing
• Function
– Evaluate computer’s role in achieving audit and control objectives
• Assurance Provided
– Data and information are reliable, confidential, secure, and available
– Safeguarding assets, data integrity, and operational effectiveness
The Components of an IT Audit
The IT Audit Process
• Computer-Assisted Audit Techniques (CAAT)
– Use of computer processes to perform audit functions
– Performing substantive tests
• Approaches
– Auditing through the computer
– Auditing with the computer
The IT Audit Process
Careers in IT Auditing
• Background
– Accounting skills
– Information systems or computer science skills
• Certified Information Systems Auditor (CISA)
– Successfully complete examination
– Experience requirements
– Comply with Code of Professional Ethics
– Continuing professional education
– Comply with standards
CISA Exam Components
Careers in IT Auditing
• Certified Information Security Manager (CISM)
– Business orientation
– Understand risk management and security
• CISM Knowledge
– Information security governance
– Information security program management
– Risk management
– Information security management
– Response management
Evaluating the Effectiveness of Information Systems Controls
• Impact on Substantive Testing
– Strong controls, less substantive testing
– Weak controls, more substantive testing
• Risk Assessment
– Evaluate the risks associated with control weaknesses
– Make recommendations to improve controls
Risk Assessment
• Risk-Based Audit Approach
– Determine the threats
– Identify the control procedures needed
– Evaluate the current control procedures
– Evaluate the weaknesses within the AIS
• Benefits
– Understanding of errors and irregularities
– Sound basis for recommendations
Information Systems Risk Assessment
• Method of evaluating desirability of IT controls
• Types of Risks
– Errors and accidents
– Loss of company secrets
– Unauthorized manipulation of company files
– Interrupted computer access
• Penetration Testing
Study Break #1
An IT auditor:
A. Must be an external auditor
B. Must be an internal auditor
C. Can be either an internal or external auditor
D. Must be a Certified Public Accountant
Study Break #2
In determining the scope of an IT audit, the auditor should pay most attention to:
A. Threats and risks
B. The cost of the audit
C. What the IT manager asks to be evaluated
D. Listings of standard control procedures
The IT Auditor’s Toolkit
• Utilization of CAATs
– Auditing with the computer
– Manual access to data stored on computers is impossible
• Tools
– Auditing Software
– People Skills
General-Use Software
• Productivity tools that improve the auditor’s work
• Types
– Word processing programs
– Spreadsheet software
– Database management systems (DBMS)
– Structured Query Language (SQL)
Generalized Audit Software
• Overview
– Allow for reviewing of files without rewriting processing programs
– Basic data manipulation
– Tailored to auditor tasks
• Common Programs
– Audit Command Language (ACL)
– Interactive Data Extraction and Analysis (IDEA)
Generalized Audit Software - Inventory
Automated Workpapers
• Overview
– Automate and standardize audit tests
– Can prepare financial statements and other financial measures
• Features
– Generate trial balances
– Make adjusting entries
– Perform consolidations
– Conduct analytical procedures
– Document audit procedures and conclusions
People Skills
• Examples
– Working as a team
– Interact with clients and other auditors
– Interviewing clients
• Importance of Interviews
– Gain understanding of organization
– Evaluate internal controls
Auditing Computerized AISs
• Auditing Around the Computer
– Assumes accurate output verifies proper processing
– Not effective in a computerized environment
• Auditing Through the Computer
– Follows audit trail through the computer
– Verifies proper functioning of processing controls in AIS programs