CHAPTER 8 - Internal Audit Tools and Techniques STDT

CHAPTER 8: INTERNAL AUDIT TOOLS AND TECHNIQUES

Learning Objectives
After going through this chapter, you should be able to:
• Describe the Information Technology (IT) audit.
• Identify technology risks and challenges to internal auditing.
• Discuss the evaluation of general and application controls.
• Define and discuss the audit of the System Development Life Cycle (SDLC).
• Define and discuss the audit of e-commerce and its challenges to Internal Auditors.
• Understand the idea of computer-assisted audit techniques (CAATs) in performing an audit procedure.

Introduction
• Heavy reliance on computers for processing has increased the requirement for conducting Information Technology (IT) auditing.
• IT auditing is a branch of general auditing, but its focus is on the governance of information and communications technologies.
• There are unlimited areas of IT auditing, but this chapter focuses on general and application controls, System Development Life Cycle projects, the e-commerce environment and the use of Computer-Assisted Audit Tools and Techniques (CAATs).

IT AUDIT
Use and Impact of Technology
• Business becomes more and more dependent on IT.
• Set of skills required by business: technical skill and business process knowledge.
• But with IT the business faces more risks, and at the same time gains greater earning capacity.
• An entity dependent on IT must be evaluated from the going-concern aspect using an IT perspective.

Technology Risks & Challenges to IA
• Issues surrounding modification of systems
• Poor IS management
• Unstable systems and confidence erosion
• Extra cost and time to correct systems
• Business loses credibility
• Authority intervention
• Compromised controls that could result in fraud
• Poor database management and data integrity
• Threats to asset security
• Systems and process confusion, resulting in fraud

IA Function in an IT Business Environment
• IA must be knowledgeable about computers, and comfortable and confident with technology.
• IA must be able to visualise the impact of technology on the business, both good and bad.
• Impact of technology on the business as a going concern.
• Specialised field: IS auditors.
• Standards issued by the IIA: Guide to the Assessment of IT General Controls Scope Based on Risk (the GAIT Methodology).

Definition of IT Audit
• IT audit focuses on the evaluation of an organization's computer systems and network to ensure:
  - the effectiveness of control procedures in minimizing related technology risks; and
  - compliance with international or Malaysian standard operating practices, policies, procedures and related laws or regulations of the regulatory body.

Main Types of IT Audit
• Operational computer system audits
• IT application audits
• System development audits
• IT management audits
• IT process audits
• Information security and control audits
• Disaster contingency or disaster recovery audits
• IT strategy audits

Information Security Audit
• Purpose: to provide assurance that an appropriate level of control exists over the confidentiality, integrity and availability of information within e-commerce operations.
• E-commerce is open to threats (e.g. virus attack), system vulnerabilities (e.g. product flaws) and the associated risk.
• Businesses need to have an information security policy.
• Network environment: where e-commerce websites reside.
• Sources of threats to the network environment: network segments, application software, system software, process integrity and physical security.

Elements of IT Audit
• Physical and environmental review
• System administration review
• Application software review
• Network security review
• Business continuity review
• Data integrity review

Guide to Conduct an IT Audit
1. The GAIT Methodology
   - a guideline to assess the scope of IT general controls using a top-down and risk-based approach.
   - helps management to identify any deficiencies in key IT general controls that may result in material errors in financial statements.
   - it includes four principles that form the basis for this guideline.
2. GAIT for IT General Control Deficiency Assessment
   - a guideline to evaluate any IT general control deficiencies identified during assessment.
3. GAIT for Business and IT Risk
   - a guideline to help identify the IT controls that are critical to achieving business goals and objectives.

Scope & Objectives of IT Audit
1. Security controls: to ensure the establishment of an appropriately defined IT management structure with a clear framework of authorities and responsibilities.
2. Logical access controls: to ensure that the access controls are reviewed to determine that safeguards are in place to prevent unauthorized acquisition of data resources.
3. Physical security controls: to prevent unauthorised access to computer-related equipment and to ensure adequate protection of computer-related equipment against natural hazards.
4. Installation controls: to ensure consistent control of software and hardware management in its operation of application systems.
5. Local area network controls: to prevent any unauthorized access to the local area network.

Steps To Perform IT Audit
1. Establish the terms of the engagement
2. Preliminary review
3. Consider internal control
4. Establish materiality and assess risks
5. Plan the audit
6. Perform audit procedures
7. Issue the audit report

IT Related Risks
• System application error
• Hardware failure
• Computer crime

Issues In IT Audit
• Security
• Confidentiality
• Privacy
• Processing integrity
• Availability

Evaluation of General & Application Controls
• General controls
  - Applicable to all aspects of IT functions, for example the administration of the IT function, hardware or software acquisition and maintenance, and physical and security controls over hardware.
• Application controls
  - Include controls over the processing of individual transactions specific to a certain software application, for example controls over the processing of sales.

General Controls
• Administration of IT function: to ensure proper administration of the people and resources of the department.
• Physical access control: to ensure proper controls are in place for physical access to the IT department and its critical areas.
• Logical access control: to ensure proper controls are in place for infrastructure, applications and data.
• Backup and contingency plan: to ensure a proper backup and contingency plan is in place for unexpected emergencies such as fire, virus attack, power failure or natural disaster.

Application Controls
• Input control: to check the integrity of data entered into an organization's application.
• Processing control: to ensure proper control over data processing so that the process is complete, accurate and authorized.
• Output control: to ensure output results are consistent with the input data, and that computer output is not intercepted by or shown to unauthorized users.

SDLC
Auditing of System Development
• System Development Life Cycle (SDLC)
  - a series of steps used to identify the phases of an information system development project.
  - a process-centric approach to developing and implementing a system: a set of defined goals and timelines that sets out the completion date and associated deliverables within each phase of the life cycle.
  - each phase (plan, analyse, design, implement) is executed sequentially, allowing proper evaluation and resolution of problems within each phase.

The SDLC Process
1. Systems planning
2. Systems analysis
3. Conceptual design
4. Systems selection
5. Detail design
6. Programming and testing
7. Systems implementation

SDLC – Life Cycle
• IA involvement in each phase of the SDLC provides assurance to management that appropriate controls are in place.
• Phases of the life cycle:
  - Plan: who will build the system
  - Analyse: who, what, when and where will the system be
  - Design: how will the system work
  - Implement: when, where and how will the system be delivered
  - Support: not within the SDLC; a post-implementation phase (but it needs to be reviewed by IA as well)

IA Involvement in SDLC
• Proactive auditor's involvement
  - On-the-spot advice for all phases, not waiting till the end
  - Advisory role to the project team
  - Independently monitor progress of the project and make recommendations
  - Plus an independent post-implementation review
• Gaining a better understanding of the system
  - Better positioned to understand the system if involved in the development process
  - Would assist in subsequent IT audits, or in using IT for audit (e.g. CAATs)
• Independence of internal auditors
  - Professional relationship from a consultant perspective: advisory capacity only
• Better risk management
  - Provider of assurance and advisory services only
  - Better identification of risk from an independent perspective

Risk Factors in SDLC
• New system does not meet business requirements
  - Failure to develop adequate/complete user requirements, poor understanding of the project, lack of user involvement, requirements and specifications that keep changing
• Poor project management/SDLC methodology
  - Planned financial resources exceeded, late completion of individual tasks, missed deadlines, pressure to agree to impossible schedules
• Inadequate change management control
  - Lack of systems and processes to manage change
  - Who has made the changes, what changes were made, when they were made

Auditing E-Commerce
• What is e-commerce?
  - Literally, doing business electronically (through internet technologies)
  - Use of electronic data transmission to implement or enhance business processes
• Concern with the increasing number of security incidents: security implications affect the trust of businesses (malicious attacks on company websites) and consumers (e.g. unauthorised use of credit cards for online transactions)
• IA involvement: advisory service during system development and system/network/software/information security/system monitoring & recovery

Issues in E-commerce Environment
• Business continuity
• Information security and privacy
• The lack of audit trails
• Record retention
• Segregation of duties
• Legal liability

E-commerce Environment
• Electronic commerce (e-commerce) is the process by which organisations conduct their business over electronic systems such as the Internet and other computer networks with their customers, suppliers and other external business partners.
• Threats to e-commerce environments include virus infections, hacking, cybercrime and failure of the system and infrastructure.

Reasons for Auditing e-Commerce
• To assess the effectiveness of the infrastructure and security measures of an e-commerce operation.
• To evaluate compliance of e-commerce business operations with an organisation's IT security policies as well as with industry good practices.
• To evaluate the readiness of IT functions in the event of a major failure in e-commerce business transactions.
• To identify other security issues that may affect the current infrastructure of an e-commerce model.

CAATs
Computer-Assisted Audit Tools (CAATs)
• Computer-assisted audit techniques (CAATs), or computer-assisted audit tools and techniques (CAATTs), is an approach to auditing using computers.
• It offers various tools or utilities which help the auditor to select, gather, analyse and report audit findings.
• CAATs can be classified as:
  - Electronic working papers
  - Information retrieval and analysis
  - Fraud detection
  - Network security
  - Electronic commerce and internet security
  - Continuous monitoring
  - Audit reporting

CAATs and Their Functions
• Information retrieval and analysis
• Fraud detection tool
• Audit reporting function

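As an added illustration (not from the original slides) of the information retrieval, fraud detection and audit reporting functions listed above, the following Python script runs two typical CAAT tests over a small constructed payment ledger: it flags duplicate invoice payments and payments above an assumed approval limit that carry no approver. The ledger, its field names and the limit are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample payment ledger (not real data); field names are assumptions.
LEDGER_CSV = """txn_id,vendor,invoice_no,amount,approved_by
1001,ACME Ltd,INV-501,1250.00,j.tan
1002,Beta Sdn Bhd,INV-77,980.50,m.lee
1003,ACME Ltd,INV-501,1250.00,j.tan
1004,Gamma Co,INV-9,15000.00,
1005,Beta Sdn Bhd,INV-78,430.00,m.lee
1006,Gamma Co,INV-10,7200.00,a.wong
"""

APPROVAL_LIMIT = 5000.00  # assumed policy threshold above which an approver is mandatory


def load_ledger(text):
    """Information retrieval: read the ledger into dicts, converting amount to float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def find_duplicate_payments(rows):
    """Fraud detection test: the same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for row in rows:
        key = (row["vendor"], row["invoice_no"], row["amount"])
        groups[key].append(row["txn_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_unapproved_over_limit(rows, limit=APPROVAL_LIMIT):
    """Processing control test: payments above the limit must record an approver."""
    return [row["txn_id"] for row in rows
            if row["amount"] > limit and not row["approved_by"].strip()]


def audit_report(text, limit=APPROVAL_LIMIT):
    """Audit reporting: summarise the exceptions found by both tests."""
    rows = load_ledger(text)
    return {
        "records_tested": len(rows),
        "duplicate_payments": find_duplicate_payments(rows),
        "unapproved_over_limit": find_unapproved_over_limit(rows, limit),
    }


if __name__ == "__main__":
    for name, value in audit_report(LEDGER_CSV).items():
        print(f"{name}: {value}")
```

The same two functions run unchanged over a real export with many thousands of rows, which is the point of applying CAATs to high transaction volumes.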
Advantages of CAATs
• CAATs are suitable for auditing large volumes of transactions. They are valuable to organisations with complex processes, distributed operations and high transaction volumes.
• The use of CAATs is important for auditors to gain access to audited data in a much more efficient way. Direct access to an organisation's data will eventually reduce the time and effort spent in performing audit procedures with assured accuracy.
• Using CAATs in performing substantive testing will provide total assurance over the area being audited. It allows auditors to point out errors or fraud easily in order to provide effective recommendations.
• CAATs provide a standard uniform practice and user-friendly interface for auditors. They allow auditors to perform various tasks irrespective of the data format or the underlying operating system of an organisation.
• Data can be examined faster and more accurately
• Practical for scrutinising large volumes of data
• Improve the effectiveness and efficiency of the audit
• Continuous in usage once the software is available
• Flexible, as the parameters can be varied

Disadvantages of CAATs
• Audit software may be incompatible with other software
• May require considerable computer resources/capacity
• Gives rise to the question of cost vs. benefits
• Modifications to systems may render the vendor's warranty void
• Security and validity of the system can be compromised, especially when using dummy data
• Does the cost outweigh the benefit of purchasing CAATs? Costs include:
  - Cost of purchasing and installing the software;
  - Cost of training the staff in using the software;
  - Cost of maintaining the software; and
  - Cost of contacting the service centre.
• Compatibility issues with the existing software applications used by a company.
• The installation process requires various computer resources or facilities, for example the type of processor and the size of memory and storage required.
• Sensitive business data such as customers' details, business plans and strategy could be compromised by irresponsible persons if not handled properly.
• Too much software is available; a software specialist may be needed to support the system.

Conclusion
• The audit of an IT environment is very challenging as it involves reviewing and reporting on very technical matters.
• To excel in the audit, an internal auditor should possess adequate IT knowledge, technical skills and experience.

END CHAPTER 8