CHAPTER 11

AUDITING COMPUTER-BASED INFORMATION SYSTEMS

Learning Objectives:
1. Describe the scope and objectives of audit work, and identify the
major steps in the audit process.
2. Identify the objectives of an information system audit, and
describe the four-step approach necessary for meeting these
objectives.
3. Design a plan for the study and evaluation of internal control in
an AIS.
4. Describe computer audit software, and explain how it is used in
the audit of an AIS.
5. Describe the nature and scope of an operational audit.
Questions to be addressed in this chapter include:
1. How could a programming error of this significance be overlooked
by experienced programmers who thoroughly reviewed and tested the
new system?
2. Is this an inadvertent error, or could it be a fraud?
3. What can be done to find the error in the program?

Introduction
This chapter focuses on the concepts and techniques used in
auditing an accounting information system.
This chapter will also concentrate on internal auditors, whom work
for the organization.
The chapter will first provide a general overview of auditing, the
scope and objectives of internal audit work, and the steps in the
auditing process.

The Nature of Auditing

Auditing is a systematic process of objectively obtaining and
evaluating evidence regarding assertions about economic actions
and events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results
to interested users.
Auditors used to audit around the computer and ignore the computer
and its programs.

Page 1 of 10

Internal Auditing Standards

1. Review the reliability and integrity of operating and
financial information and how it is identified, measured,
classified, and reported.
2. Determine if the systems designed to comply with operating
and reporting policies, plans, procedures, laws, and
regulations are actually being followed.
3. Review how assets are safeguarded and verify the existence
of assets as appropriate.
4. Examine company resources to determine how effectively and
efficiently they are used.
5. Review company operations and programs to determine if they
are being carried out as planned and if they are meeting
their objectives.

Types of Internal Auditing Work

Three types of audits:
1. Financial audit
2. Information systems, or internal control audit
3. Operational, or management audit

An Overview of the Auditing Process

Figure 11-1 on page 305 provides an overview of the auditing
process
Four auditing stages and activities:
1. Auditing Planning
The purpose of audit planning is to determine why,
how, when, and by whom the audit will be performed.
Three types of risk when conducting an audit:

Inherent Risk. This is the susceptibility to

material risk in the absence of controls.

Control Risk. This is the risk that a

material misstatement will get through the
internal control structure and into the
financial statements.

Detection Risk. This is the risk that

auditors and their audit procedures will not
detect a material error or misstatement.

Page 2 of 10

2. Collection of Audit Evidence

Observation of the activities being audited

Review of documentation to understand how a

particular accounting information system or
internal control system is supposed to
function

Discussions with employees about their jobs

and how they carry out certain procedures

Questionnaires that gather data about the

system

Physical examination of the quantity or

condition of tangible assets such as
equipment, inventory, or cash

Confirmation of the accuracy of certain

information, such as customer account
balances, through communication with
independent third parties

Reperformance of selected calculations to

verify quantitative information on records
and reports

Vouching for the validity of a transaction by

examining all supporting documents

Analytical review of relationships and trends

among information to detect items that should
be further investigated

3. Evaluation of Audit Evidence

Materiality and reasonable assurance are important
when deciding how much audit work is necessary and
when to evaluate the evidence.
Determining materiality, what is and is not
important in a given set of circumstances, is
primarily a matter of judgment.
The auditor seeks reasonable assurance that no
material error exists in the information or
process audited.
Reasonable assurance is not a guarantee
4. Communication of Audit Results (the audit report)
The auditor prepares a written (and sometimes oral)
report summarizing the audit findings and
recommendations.

Page 3 of 10

The Risk-Based Audit Approach

Logical framework for carrying out an audit:
1. Determine the threats (fraud and errors)
facing the accounting information system.
2. Identify the control procedures implemented
to minimize each threat by preventing or
detecting the fraud and errors.
3. Evaluate internal control procedures.
Reviewing system documentation and
interviewing appropriate personnel to
determine if the necessary procedures are in
place is called a systems review. Then tests
of controls are conducted to determine if
these procedures are satisfactorily followed.
4. Evaluate weaknesses to determine their effect
on the nature, timing, or extent of auditing
procedures and client suggestions.
5. Compensating controls that compensate for the
internal control weakness deficiency.

Information Systems Audits

The purpose of an information systems audit is to review and
evaluate the internal controls that protect the system.
In conducting accounting information system audits, auditors
should determine if the following objectives are met:
1. Security provisions protect computer equipment, programs,
communications, and data from unauthorized access,
modification, or destruction.
2. Program development and acquisition are performed in
accordance with managements general and specific
authorization.
3. Program modifications have managements authorization and
approval.
4. Processing of transactions, files, reports, and other
computer records is accurate and complete.
5. Source data that are inaccurate or improperly authorized
are identified and handled according to prescribed
managerial policies.
6. Computer data files are accurate, complete, and
confidential.
Figure 9-2 on page 335 depicts the relationship among these
six objectives and information systems components.

Page 4 of 10

Objective 1: Overall Security

Table 11-1 on page 308 contains a framework for auditing
computer security; showing the following:
1. Types of security errors and fraud faced by
companies
2. Control procedures to minimize security errors and
fraud
3. Systems review audit procedures
4. Tests of controls audit procedures
5. Compensating controls

Objective 2: Program Development and Acquisition

Two things can go wrong in program development:
1. Inadvertent errors due to misunderstanding of
system specifications or careless programming
2. Unauthorized instructions deliberately inserted
into the programs
The auditors role in systems development should be
limited to an independent review of systems
development activities.
Auditors should also review the policies, procedures,
standards, and documentation listed in Table 11-2 on
page 309.
This table provides a framework for reviewing
and evaluating the program development process.

Objective 3: Program Modification

Table 11-3 on page 310 presents a framework for auditing
application programs and system software changes.
When a program change is submitted for approval, a list of
all required updates should be compiled and approved by
management and program users.
During systems review, auditors should gain an understanding
of the change process by discussing it with management and
user personnel.
An important part of an auditors tests of controls is to
verify that program changes were identified, listed,
approved, tested, and documented.

Page 5 of 10

To test for unauthorized program changes, auditors can use a

source code comparison program.
Two additional techniques detect unauthorized program
changes:
The reprocessing technique also uses a verified copy
of the source code. On a surprise basis, the auditor
uses the program to reprocess data and compare that
output with the companys data.
Parallel simulation is similar to reprocessing except
that the auditor writes a program instead of saving a
verified copy of the source code. The auditors
results are compared with the companys results and
any differences are investigated.

Objective 4: Computer Processing

Table 11-4 on page 312 provides a framework for auditing
computer processing controls. The focus of the fourth
objective is the processing of transactions, files, and
related computer records to update files and databases and
to generate reports.
Processing Test Data
One way to test a program is to process a hypothetical
series of valid and invalid transactions
The following resources are helpful when
preparing test data:
1. A listing of actual transactions
2. The test transactions the programmer used
to test the program
3. A test data generator program, which
automatically prepares test data based on
program specifications
Disadvantages of processing test transactions:
1. The auditor must spend considerable time
developing an understanding of the system
and preparing an adequate set of test
transactions.
2. Care must be taken to ensure that test
data do not affect the companys files and
databases.
Concurrent Audit Techniques

Page 6 of 10

Millions of dollars of transactions can be processed

in an online system without leaving a satisfactory
audit trail.
The auditor uses concurrent audit techniques to
continually monitor the system and collect audit
evidence while live data are processed during regular
operating hours.
Concurrent audit techniques use embedded audit
modules, which are segments of program code that
perform audit functions.
Auditors normally use five concurrent audit
techniques:
1.

An integrated test facility (ITF) technique

places a small set of fictitious records in the
master files.
The auditor compares processing with
expected results to verify that the system
and its controls are operating correctly.

2.

The snapshot technique examines the way

transactions are processed. Selected
transactions are marked with a special code
that triggers the snapshot process.

3.

System control audit review file (SCARF) uses

embedded audit modules to continuously monitor
transaction activity and collect data on
transactions with special audit significance.

4.

Audit hooks are audit routines that flag

suspicious transactions.
This approach is known as real-time
notification, which displays a message on
the auditors terminal as these questionable
transactions occur.
Focus 11-1 on page 314 State Farm Life Insurance
Company
In the regional offices, more than 1,500
terminals and personnel computer are used to
update almost 4 million individual
policyholder records in the host computer.
The system processes more than 30 million
transactions per year and keeps track of
policy funds valued at more than $6.7
billion.
Anyone with access and knowledge of the
system could commit fraud.

Page 7 of 10

The auditors were given the challenge of

identifying all the ways fraud was possible.
To do this the auditors came up with all the
possible ways to defraud the system.
Auditors had 33 embedded audit hooks to
monitor 42 different types of transactions.
The auditors were successful using audit
hooks as they did catch an employee
fraudulently obtaining cash by processing a
loan on her brothers life insurance policy.
She then forged her brothers signature and
cashed the check.
To cover up she had to repay the loan before
the annual report was sent to her brother.
She used a series of fictitious transactions
involving a transfer account.
She was investigated and the employee was
terminated.
5.

Continuous and intermittent simulation (CIS)

embeds an audit module in a database management
system (DBMS). The CIS module examines all
transactions that update the database using
criteria similar to those of SCARF.

Analysis of Program Logic

If an auditor suspects that a particular application
program contains unauthorized code or serious errors,
then a detailed analysis of the program logic may be
necessary.
1. Automated flowcharting programs, which interpret
program source code and generate a corresponding
program flowchart
2. Automated decision table programs, which generate a
decision table representing the program logic
3. Scanning routines, which search a program for
occurrences of a specified variable name or other
character combinations
4. Mapping programs, which identify unexecuted program
code
5. Program tracing, which sequentially prints all
application program steps executed during a program
run.

Page 8 of 10

Objective 5: Source Data

Auditors use an input controls matrix, such as the one shown
in Figure 11-3 on page 315.
The matrix shows the control procedures applied to each
field of an input record.
Table 11-5 on page 315 shows the internal controls that
prevent, detect, and correct inaccurate or unauthorized
source data.
Types of Errors and fraud
Control Procedures
Audit Procedures: System Review
Audit Procedures: Tests of Controls
Compensating Controls

Objective 6: Data Files

The sixth objective concerns the accuracy, integrity, and
security of data stored in machine-readable files.
Table 9-6 on page 347 summarizes the errors, controls, and
audit procedures for this objective.
An integrated test facility technique
a. examines the way transactions are processed
b. places a small set of fictitious records in the master files
c. uses embedded audit modules to continuously monitor transaction
activity and collect data on transactions with special audit
significance
d. searches a program for occurrences of a specified variable name or
other character combinations

Computer Software
A number of computer programs, called computer audit software
(CAS) or generalized audit software (GAS), have been written
especially for auditors.
General Audit Software is software designed to read, process, and
write data with the help of functions performing specific audit
routines and with self-made macros. It is a tool in applying
Computer Assisted Auditing Techniques. A function of generalized
audit software includes importing computerized data; thereafter
other functions can be applied.
Two of the most popular are Audit Control Language (ACL) and IDEA.
Audit Control Language is a data interrogation tool used by
auditors to view, explore, and analyze data efficiently and cost

Page 9 of 10

effectively. ACL enables auditors to access data in diverse

formats and on various types of storage devices.
IDEA (Interactive Data Extraction and Analysis) is a Generalized
Audit Software. It is able to import a wide range of different
types of data files. During the import an IDEA file and its field
statistics are created.
The auditors first step is to decide on audit objectives,
learn about the files and databases to be audited, design
the audit reports, and determine how to produce them.
The primary purpose of CAS is to assist the auditor in reviewing
and retrieving information in computer files.
CAS cannot replace the auditors judgment or free the auditor from
other phases of the audit.

Operational Audits of an Accounting Information System

The techniques and procedures used in operational audits are
similar to audits of information systems and financial statements.
The basic difference is that the scope of the information systems
audit is confined to internal controls, whereas the scope of the
financial audit is limited to systems output. In contrast, the
scope of the operational audit is much broader, encompassing all
aspects of information systems management.
The evidence collection, during the audit preliminary survey,
includes the following activities:
1. Reviewing operating policies and documentation
2. Confirming procedures with management and operating
personnel
3. Observing operating functions and activities
4. Examining financial and operating plans and reports
5. Testing the accuracy of operating information
6. Testing controls

Page 10 of 10