Solution manual auditing and services 2e by louwers MODH


Module H - Information Systems Auditing

MODULE H
Information Systems Auditing

LEARNING OBJECTIVES

1. List and describe the general and application controls in a computerized information system.
   Review Checkpoints: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
   Exercises, Problems and Simulations: 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 66

2. Explain the difference between auditing around the computer and auditing through the computer.
   Review Checkpoints: 14, 15, 16
   Exercises, Problems and Simulations: 51, 65

3. List several techniques auditors can use to perform tests of controls in a computerized information system.
   Review Checkpoints: 17, 18, 19, 20, 21
   Exercises, Problems and Simulations: 64

4. Describe the characteristics and control issues associated with end-user and other computing environments.
   Review Checkpoints: 22, 23, 24, 25
   Exercises, Problems and Simulations: 63

5. Define and describe computer fraud and the controls that an entity can use to prevent it.
   Review Checkpoints: 26, 27, 28, 29, 30
   Exercises, Problems and Simulations: 56

MODH-1




SOLUTIONS FOR REVIEW CHECKPOINTS
H.1

Given its extensive use, auditors must consider clients’ computerized information systems technology. All
auditors should have sufficient familiarity with computers, computerized information systems, and
computer controls to be able to complete the audit of simple systems and to work with information system
auditors. More importantly, auditors must assess the control risk (and the risk of material misstatement)
regardless of the technology used for preparing the financial statements. In a computerized processing
environment, auditors must study and test information technology general and application controls.

H.2

COBIT (which stands for Control Objectives for Information and Related Technology) represents a set of
best practices for information technology management that has achieved general acceptance as the internal
control framework for information technology. COBIT’s basic principle is:
To provide the information the enterprise requires to achieve its objectives, the enterprise needs to
invest in and manage and control IT resources using a structured set of processes to provide the
services that deliver the required enterprise information.

H.3

The four domains of COBIT (along with a brief description of each) are:
1. Plan and Organize: Summarizes how information and technology can be used within an entity to best achieve its goals and objectives.
2. Acquire and Implement: Focuses on identifying the related IT requirements, acquiring the necessary technology, and implementing the technology within the entity’s business processes.
3. Delivery and Support: Focuses on the execution of applications within the IT system.
4. Monitor and Evaluate: Considers whether the IT system continues to meet the entity’s objectives.

H.4

ITGC (information technology general controls) apply to all applications of a computerized information
system, while ITAC (information technology application controls) apply to specific business activities
within a computerized information system. Thus, ITGC operate at an overall entity level and ITAC operate
at a transaction level.

H.5

The five major categories of ITGC are:
1. Hardware controls: Provide reasonable assurance that data are not altered or modified as they are transmitted within the system.
2. Program development: Provide reasonable assurance that (1) acquisition or development of programs and software is properly authorized, conducted in accordance with entity policies, and supports the entity’s financial reporting requirements; (2) appropriate users participate in the software acquisition or program development process; (3) programs and software are tested and validated prior to being placed into operation; and (4) all software and programs have appropriate documentation.
3. Program changes: Provide reasonable assurance that modifications to existing programs (1) are properly authorized, conducted in accordance with entity policies, and support the entity’s financial reporting requirements; (2) involve appropriate users in the program modification process; (3) are tested and validated prior to being placed into operation; and (4) have been appropriately documented.
4. Computer operations: Provide reasonable assurance that the processing of transactions through the computerized information system is in accordance with the entity’s objectives and actions are taken to facilitate the backup and recovery of important data when the need arises.
5. Access to programs and data: Provide reasonable assurance that access to programs and data is only granted to authorized users.

H.6

Auditors are not expected to be computer technicians with respect to hardware controls, but they should be
familiar with the terminology and the way these controls operate. This will allow auditors to identify
potential issues related to these controls and converse knowledgeably with the entity’s computer personnel.
If hardware controls fail, auditors should be primarily concerned with operator procedures in response to
this failure.

H.7

The Systems Development Life Cycle (SDLC) is the process through which the entity plans, develops, and
implements new computerized information systems or databases.
The SDLC includes the following controls related to program development and changes:
• Ensuring that software acquisition and program development efforts are consistent with the entity’s needs and objectives.
• Following established entity policies and procedures for acquiring or developing software or programs.
• Involving users in the design of programs, selection of prepackaged software and programs, and testing of programs.
• Testing and validating new programs and developing proper implementation and “back out” plans prior to placing the programs into operation.
• Ensuring that data are converted completely and accurately for use in the new systems.
• Ensuring that consistent processes are followed and the most recent version of programs are implemented.
• Considering application controls that should be incorporated within the system to facilitate the accurate processing of data and transactions.
• Periodically reviewing entity policies and procedures for acquiring and developing software or programs for continued appropriateness and modifying these policies and procedures, as necessary.

H.8

The primary duties associated with various functions related to computerized information systems are:
• Systems Analyst: Analyzes requirements for information, evaluates the existing system, and designs new or improved computerized information systems.
• Programmer: Flowcharts the logic of the computer programs required by the computerized information system designed by the systems analyst.
• Computer Operator: Operates the computer for each accounting application system according to written operating procedures found in the computer operation instructions.
• Data Conversion Operator: Prepares data for machine processing by converting manual data into machine-readable form or directly entering transactions into the system using remote terminals.
• Librarian: Maintains control over (1) system and program documentation and (2) data files and programs used in processing transactions.
• Control Group: The control group receives input from user departments, logs the input and transfers it to data conversion, reviews documentation sequence numbers, reviews and processes error messages, monitors actual processing, compares control totals to computer output, and distributes output.

Separation of the duties performed by systems analysts, programmers, and computer operators is important.
The general idea is that anyone who designs a computerized information system should not perform the
technical programming work, and anyone who performs either of these tasks should not be the computer
operator when “live” data are processed. Persons performing each function should not have access to each
other’s work, and only the computer operators should have access to the equipment.
H.9

ITGC are important in the auditors’ evaluation of internal control and assessment of control risk (and the
risk of material misstatement) because they are pervasive and the effectiveness of application controls relies
heavily on the effectiveness of ITGC.

H.10

The objective of input controls is to provide reasonable assurance that data received for processing by the
computer department have been properly authorized and accurately entered and converted for processing.

H.11

Record counts are tallies of the number of transaction documents submitted for data conversion. These counts allow situations in which transactions may not have been input or may have been input more than once to be identified.

Batch totals are mathematical totals of an important quantity or amount, such as the total of sales dollars in a batch of invoices. Batch totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and (3) transactions have been input more than once.

Hash totals are mathematical totals of a quantity or amount that is not meaningful, such as the total of all invoice numbers. Like batch totals, hash totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and (3) transactions have been input more than once.
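As an added worked example (not from the solution manual), the following Python computes the three totals described in H.11 over a constructed batch of invoices and compares them with the totals prepared from the source documents for each input error the answer lists, plus two cases the answer does not spell out: an omission paired with a duplicate of the same dollar amount, and two amounts swapped between invoices. All invoice data and scenarios are constructed for the example.

```python
# Added example (not from the solution manual): how the record count, batch
# total and hash total of H.11 behave against keying errors in a batch of
# invoices. All invoices and error scenarios below are constructed.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int       # not meaningful in itself: the field a hash total is taken over
    amount: Decimal   # meaningful: the field a batch total is taken over


def control_totals(batch):
    """Record count, batch total of amounts and hash total of invoice numbers."""
    return {
        "record_count": len(batch),
        "batch_total": sum((inv.amount for inv in batch), Decimal("0")),
        "hash_total": sum(inv.number for inv in batch),
    }


def detect_input_errors(source_batch, keyed_batch):
    """Compare totals prepared from the source documents with totals recomputed
    from the data as keyed; return the names of the controls that disagree
    (an empty set means the error went undetected)."""
    expected = control_totals(source_batch)
    actual = control_totals(keyed_batch)
    return {name for name in expected if expected[name] != actual[name]}


# Constructed source documents: four invoices, two of them for the same amount.
SOURCE = [
    Invoice(1001, Decimal("250.00")),
    Invoice(1002, Decimal("99.50")),
    Invoice(1003, Decimal("250.00")),
    Invoice(1004, Decimal("1200.00")),
]

# Constructed keying errors, each given as the batch actually entered.
SCENARIOS = {
    "wrong amount keyed for 1002": [
        SOURCE[0], Invoice(1002, Decimal("95.90")), SOURCE[2], SOURCE[3]],
    "wrong invoice number keyed (1004 -> 1040)": [
        SOURCE[0], SOURCE[1], SOURCE[2], Invoice(1040, Decimal("1200.00"))],
    "1003 omitted": [SOURCE[0], SOURCE[1], SOURCE[3]],
    "1002 entered twice": [SOURCE[0], SOURCE[1], SOURCE[1], SOURCE[2], SOURCE[3]],
    # Count and dollar total are unchanged, so only the hash total can catch this.
    "1003 omitted and 1001 entered twice": [SOURCE[0], SOURCE[0], SOURCE[1], SOURCE[3]],
    # Every total is unchanged: an error none of the three controls detects.
    "amounts of 1002 and 1004 swapped": [
        SOURCE[0], Invoice(1002, Decimal("1200.00")),
        SOURCE[2], Invoice(1004, Decimal("99.50"))],
}


def detection_matrix():
    """Map each error scenario to the set of controls whose totals flag it."""
    return {name: detect_input_errors(SOURCE, keyed)
            for name, keyed in SCENARIOS.items()}


if __name__ == "__main__":
    print("source totals:", control_totals(SOURCE))
    for scenario, flagged in detection_matrix().items():
        print(f"{scenario:42s} -> {sorted(flagged) or 'NOT DETECTED'}")
```

The same expected-versus-recomputed comparison is what a run-to-run total check (H.12) performs between successive processing runs.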

H.12

The objective of processing controls is to provide reasonable assurance that data processing has been performed accurately, without any omission or duplication of transactions. Examples of processing controls include:
• Run-to-run totals: Totals such as record counts, batch totals, and/or hash totals obtained at the end of one processing run are distributed to the next run and compared to corresponding totals produced at the end of the second run.
• Control total reports: Control totals, such as record counts, batch totals, hash totals, and run-to-run totals, can be calculated during processing and reconciled to input totals or totals from earlier processing runs.
• File and operator controls: External and internal labels ensure that the proper files are used in applications.
• Limit and reasonableness tests: These tests should be programmed to ensure that illogical conditions do not occur (for example, depreciating an asset below zero or calculating a negative inventory quantity).

H.13

The objective of output controls is to ensure that only authorized persons receive output or have access to files produced by the system. Some common output controls include:
• Control total reports: Compare control totals to input and run-to-run control totals produced during transaction processing.
• Master file changes: Any changes to master file information should be properly authorized by the entity and reported in detail to the user department from which the request for change originated.
• Output distribution: Systems output should only be distributed to persons authorized to receive the output.

H.14

The major steps in the auditors’ assessment of control risk in a computerized processing environment include:
• Identify specific control objectives based on the types of misstatements that can occur in significant accounting applications.
• Identify the points in the flow of transactions where specific types of misstatements could occur.
• Identify specific control procedures designed to prevent or detect these misstatements.
• Evaluate the design of control procedures to determine whether the design suggests a low control risk and whether tests of controls might be cost-effective.
• Perform tests of the operating effectiveness of control procedures designed to prevent or detect misstatements (assuming it is cost-effective to do so).

H.15

The following are points in the processing of transactions at which misstatements may be introduced because of the use of computerized processing:
1. Preparation of source data for input.
2. Manual summary of data (preparation of batch totals and hash totals).
3. Conversion of source data into computer-readable form.
4. Use of incorrect input files in processing.
5. Transfer of information from one computer program to another.
6. Use of incorrect computer files in processing transactions.
7. Inappropriate initiation of transactions by the computer.
8. Creation of output files or update of master files.
9. Changes to master files outside the normal flow of transactions within each cycle through file maintenance procedures.
10. Production of output reports or files.
11. Correction of errors identified by control procedures.


H.16

Auditing “through the computer” refers to making use of the computer itself to test the operating
effectiveness of application controls in the program used to process transactions. When auditing “around
the computer”, auditors are only concerned with the correspondence of the input with the output and do not
specifically evaluate the effectiveness of the client’s computer controls.

H.17

Audit hooks: Client or auditors can select specific transactions of audit/control interest.
Tagging transactions: Auditors or client select and “tag” transactions to capture a computer trail of the
transaction.
SCARF (systems control audit review file): Program that selects transactions according to auditors’ or
client’s criteria (e.g. reasonableness limit).
SARF (sample audit review file): Program that randomly selects transactions for review.
Snapshot: Taking a “picture” of main memory of transactions and database elements before and after
computerized processing.
Monitoring systems activity: Computerized information system capture of activity records, such as all
passwords used during a period.
Extended records: Expanding the transaction record itself to include computer trail information, such as
snapshot information before and after processing.

H.18

The test data technique uses simulated transactions created by auditors that are processed by the client’s
actual programs at a different time from the processing of actual client transactions. The integrated test
facility technique is an extension of the test data technique, but simulated transactions for a “dummy”
department or division are intermingled with the actual client transactions and processed along with actual
client transactions.


H.19

It is true that fictitious (fake) transactions are not used by auditors when the information processing system
is manual, but in a manual system, documentary evidence is available for visual examination to audit a
client’s control activities. New techniques are necessary to gather evidence and evaluate controls with
computer programs. The client should be advised of the nature of the test data or integrated test facility and
these procedures must be carefully controlled to prevent contamination of actual client files.

H.20

Both test data and parallel simulation are audit procedures that use the computer to test computer controls.
The basic difference is that the test data procedure uses the client’s program with auditor-created
transactions, while parallel simulation uses an auditor-created program with actual client transactions. In
the test data procedure, the results from the client program are compared to auditors’ predetermined results
to determine whether the controls operate as intended. In the parallel simulation procedure, the results from
auditors’ program are compared to the results from the client’s program to determine whether the controls
operate as intended.

H.21

Controlled reprocessing is another method of obtaining evidence regarding the operating effectiveness of
the client’s computer controls through parallel simulation. In controlled reprocessing, auditors create the
“simulated system” by performing a thorough technical audit of the controls in the client’s actual program,
then maintain a copy of this program. Actual client data can later be processed using this copy of the
client’s program.


H.22

In an end-user environment, limited resources may result in a lack of separation of duties in the accounting
function (initiate and authorize source documents, enter data, operate the computer, and distribute output)
and computer functions (programming and computer operations).

H.23

Major characteristics in end-user computing environments include:
• Terminals are used for transaction data entry, inquiry, and other interactive functions.
• Purchased software packages are used extensively.
• Portable storage devices (compact disks (CDs) and Universal Serial Bus (USB) drives) are used for file storage.
• Available system, program, operation, and user documentation is often limited or does not exist.

Control problems in end-user computing environments include:
• Lack of separation of duties, both in accounting functions and computer functions.
• Lack of physical security over computer hardware, programs, and data files.
• Lack of documentation and testing.
• Limited computer knowledge.


H.24

Control procedures an entity can use to achieve control over computer operations in an end-user computing environment include:
• Restricting access to input devices
• Standard screens and computer prompting
• On-line editing and sight verification

H.25

Control procedures an entity can use to achieve control over computerized processing in an end-user computing environment include:
• Transaction logs
• Control totals
• Balancing input to output
• Audit trail

H.26

Five things used to facilitate computer fraud are (1) the computer, (2) data files, (3) computer programs, (4)
system information (documentation), and (5) time and opportunity to convert the assets to personal use.


H.27

Physical controls that can be used to protect computerized information systems from fraud include:
• Inconspicuous location
• Controlled access
• Computer room guard (after hours)
• Computer room entry log record
• Preprinted limits on documents
• Data backup storage

H.28

Technical controls that can be used to protect computerized information systems from fraud include:
• Data encryption
• Access control software and passwords
• Transaction logging reports
• Control totals (both batch totals and hash totals)
• Program source comparison
• Range checks on permitted transaction amounts
• Reasonableness check on permitted transaction amounts

H.29

Administrative controls that can be used to protect computerized information systems from fraud include:
• Security checks on personnel
• Separation of duties
• Proper review of access and execution log records
• Program testing after modification
• Rotation of computer duties
• Transaction limit amounts

H.30

Methods of limiting damages resulting from computer fraud (through damage-limiting controls) include:
• Rotation of computer duties
• Transaction limit amounts
• Range checks on permitted transaction amounts
• Preprinted limits on documents (e.g., checks)
• Data backup storage
• Reasonableness check on permitted transaction amounts

SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS
H.31

a. Incorrect  This is a software function.
b. Incorrect  This is a programmer function.
c. Incorrect  This is an input control function.
d. Correct    This is an automated hardware function.

H.32

a. Correct    A payroll processing program is an example of user software.
b. Incorrect  The operating system program is an example of a system program.
c. Incorrect  Data management system software is an example of a system program.
d. Incorrect  Utility programs are examples of system programs.

H.33

a. Incorrect  The computer librarian is the appropriate person to maintain these files, since this individual has no access to the computer.
b. Correct    Computer operators should not have access to instructions and detailed program lists, since they would have enough knowledge to alter programs and run those programs.
c. Incorrect  The control group is appropriate for distributing output, since they do not have access to programs and computer.
d. Incorrect  Programmers are the appropriate individuals to write and debug programs, since they have no access to data.

H.34

a. Incorrect  Employee intelligence is not necessarily greater in a computerized environment.
b. Incorrect  Due to the limitations of computer evidence (it may only exist for a very brief time), auditors should audit the computerized information system throughout the year.
c. Incorrect  Large dollar amounts are not unique to a computerized environment.
d. Correct    Due to the accessibility of a large number of computer terminals, employees have greater access to computerized information systems and computer resources in a computerized environment.

H.35

a. Incorrect  Control totals detect input and processing errors.
b. Incorrect  Record counts are used to ensure that all transactions are entered once, and only once.
c. Incorrect  Limit tests identify items larger than expected during input or processing.
d. Correct    External labels reduce the likelihood that operators will use the incorrect file.

H.36

a. Incorrect  Copies of client data files for controlled reprocessing should be obtained from the client, but not extracted using CAATs.
b. Correct    CAATs can be used to create a parallel simulation to test the client’s computer controls.
c. Incorrect  CAATs are not designed to perform tests of a client’s hardware controls.
d. Incorrect  Attempting to enter false passwords is the best way to test the operating effectiveness of a client’s password access control, not the use of CAATs.

H.37

a. Correct    It may be appropriate to audit simple systems without testing computer programs; essentially, the client is using this system in a manner similar to a calculator.
b. Incorrect  The impact of computerized processing on master files would require the computer programs to be tested.
c. Incorrect  Auditors cannot audit “around the computer” when limited output is available.
d. Incorrect  See (b) and (c).

H.38

a. Incorrect  Condensing data would not necessarily result in a more efficient audit.
b. Correct    Abnormal conditions inform auditors of potential issues and allow them to focus their efforts on these issues.
c. Incorrect  Reduced tests of controls would depend upon the content of the exception reports (i.e., number of exceptions), not the existence of these reports.
d. Incorrect  Exception reporting is an example of an output control, not an input control.

H.39

a. Incorrect  The use of test data evaluates computer controls, not input data.
b. Incorrect  Machine capacity can be evaluated by reference to the manufacturer’s specifications.
c. Correct    Test data are used to examine the operating effectiveness of computer control procedures.
d. Incorrect  Test data provide evidence on specific application control procedures, not information technology general controls.

H.40

d. Correct    In a computerized processing environment, a sample of one transaction is sufficient because the computer handles all transactions identically.

H.41

NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not true, the response labeled “correct” is not true and those labeled “incorrect” are true.

a. Incorrect  The test data approach does test the client’s computer programs.
b. Incorrect  Test data need to include only the transactions that test control procedures auditors believe to be important.
c. Correct    Test data need to include only the transactions that test control procedures auditors believe to be important.
d. Incorrect  One of each deviation condition is sufficient, because the computer handles each transaction in an identical manner.

H.42

a. Incorrect  Auditors may submit test data at several different times to gain additional assurance on the processing of transactions.
b. Incorrect  Manually comparing detail transactions to the program’s actual error messages is a way of verifying the operation of computer control procedures.
c. Incorrect  Comparing transactions processed through a separate program to those processed through the client’s program is a form of parallel simulation and will test the operation of computer controls.
d. Correct    This is an example of auditing “around the computer” and will not test the operation of computer control procedures.

H.43

a. Incorrect  Writing a computer program that simulates the logic of a good password control system does not test the actual system.
b. Incorrect  A test of proper authorization is not a test of actual access to the system.
c. Correct    Attempting to sign onto the computer system with a false password is similar to a test data approach. Several different types of false passwords might need to be used.
d. Incorrect  Written representations are not a direct or reliable form of evidence on a detailed matter such as password controls.

H.44

a. Incorrect  Inquiries produce a relatively weak form of evidence.
b. Incorrect  Observation is not relevant to the performance of computer controls.
c. Correct    This method will test computer controls since it compares known input with computer output.
d. Incorrect  The run manual provides information to the computer operator and does not allow auditors to test computer controls.
