
INFORMATION SYSTEM AUDIT

Chapter 9: Audit Evidence and IS Forensic


9.1 Audit Evidence
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the
audit opinion is based and includes the information contained in the accounting records underlying
the financial statements and other information. Audit evidence is all the information, whether
obtained from audit procedures or other sources, that is used by the auditor in arriving at the
conclusions on which the auditor's opinion is based. Audit evidence consists of both information
that supports and corroborates management's assertions regarding the financial statements or
internal control over financial reporting and information that contradicts such assertions.

9.2 Characteristics of Audit Evidence


Audit evidence should have the following characteristics:
1) Sufficient: Sufficiency is the measure of the quantity of audit evidence. Sufficient information
is factual, adequate, and convincing so that a prudent, informed person would reach the same
conclusions as the auditor. There should be enough of it to support the auditor’s findings.
2) Competent: Competent information is reliable and the best attainable through the use of
appropriate engagement techniques such as statistical sampling and analytical audit procedures.
Information is more competent if it is
a) obtained from an independent source,
b) corroborated by other information,
c) obtained directly by the auditor, such as through personal observation,
d) documented, and
e) an original document rather than a copy.
3) Appropriate: Appropriateness is the measure of the quality of audit evidence, that is, its
relevance and its reliability in providing support for, or detecting misstatements in, the classes
of transactions, account balances, and disclosures and related assertions. Relevant information
supports engagement observations and recommendations and is consistent with the objectives
for the engagement. Relevant information should have a logical, sensible relationship with the
associated audit finding.
4) Useful: The evidence should be useful for its purpose and meet the IS audit objectives / IS audit
process goals.

The auditor should consider the sufficiency and appropriateness of audit evidence to be obtained
when assessing risks and designing further audit procedures.

9.3. Techniques of Audit Evidence Collection


Various techniques may be used by the information systems auditor to gather audit evidence,
including the following five methods:
1) Reviewing organization structure, documentation, standards, and practices.
2) Interviewing appropriate personnel and observing processing and operations.
3) Using audit documentation techniques such as flowcharts, questionnaires, system narratives,
decision trees, decision tables, and control grids.
4) Applying analytical review procedures and sampling techniques.

Chapter 9: Audit Evidence and IS Forensic Page 1


5) Using software tools to analyze logs and audit trails built into the system.

9.4. Categories / Source of Audit Evidence


An information systems auditor may select the appropriate methodology for collection of evidence
from the 10 categories listed below:
1) Physical examination: Physical inspection for presence of tangible information systems assets.
The information systems auditor may physically count and inspect for the presence of kinds of
computer equipment, such as terminals, printers, and so forth.
2) Confirmation: A response from an independent third party, mostly written and provided at the
request of the auditor, verifying a fact or the accuracy of information.
3) Documentation: Examination of documents and records to substantiate information, especially
those involving the designing and functioning of software and network. For example, a review
of service agreements will substantiate the service entitlement claims made by the auditee.
4) Observation: This involves observing the conduct of specific activities. For example the auditor
may verify whether a particular operation is performed under dual control. Observations usually
require corroborative evidence to be substantiated.
5) Inquiry: Here, evidence is created by obtaining written and oral information from the auditee
in response to specific queries. Additional corroborating evidence is required since the
responding person is not an independent entity.
6) Processing accuracy: Processing accuracy involves rechecking a sample of activities performed
by the auditee for confirming processing accuracy. For example, an information systems auditor
can test processing accuracy of computations with use of appropriate software, observing logs,
or by reviewing data in certain fields in the object data file.
7) Screenshots: The auditor may take screenshots of errors that are observed during the audit.
Various operating systems provide different methodologies to obtain the screenshot.
8) Log files: Access logs, transaction logs, fault logs, and other audit trails provide corroborative
evidence to errors.
9) Testing software results: Where software has been used for testing, for example, network
security testing, the output reports generated by such software provide evidence of errors in the
system.
10) Analytical procedures: These involve the use of comparisons and relationships to determine the
reasonableness of the processes and activities being audited. For example, an information
systems auditor may examine the number of times during two audit periods that accounts were
locked out because of inaccurate passwords and form an opinion on whether there has been an
increased attempt of access violation.
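The lockout comparison in item 10 as an added worked example (not part of the chapter): the script parses constructed audit-trail lines, counts account lockouts in two audit periods, reports the relative change and the users locked out in both periods, and flags malformed lines, since a gap in the trail is itself a finding. The log format, event names and function names are assumptions.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample audit-trail lines (not taken from any real system), one event per
# line in the form "<YYYY-MM-DD> <user> <event>"; line 11 is deliberately malformed.
SAMPLE_LOG = """\
2023-01-04 alice LOGIN_OK
2023-01-05 bob LOGIN_FAIL
2023-01-05 bob ACCOUNT_LOCKED
2023-02-11 carol ACCOUNT_LOCKED
2023-03-02 dave LOGIN_OK
2023-04-09 bob ACCOUNT_LOCKED
2023-04-10 erin ACCOUNT_LOCKED
2023-05-21 frank ACCOUNT_LOCKED
2023-06-15 bob ACCOUNT_LOCKED
2023-06-30 erin LOGIN_FAIL
## truncated record
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")


def parse_log(text):
    """Return (events, malformed_line_numbers); bad lines are reported, not silently
    dropped, because a gap in the audit trail is itself something to report."""
    events, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(n)
            continue
        events.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events, malformed


def count_lockouts(events, start, end, event_name="ACCOUNT_LOCKED"):
    """Lockouts with start <= date < end, as (total, per-user Counter)."""
    per_user = Counter(user for d, user, ev in events
                       if ev == event_name and start <= d < end)
    return sum(per_user.values()), per_user


def compare_periods(text, period1, period2):
    """Analytical procedure: lockouts in two audit periods (ISO date pairs, end
    exclusive) and the relative change between them."""
    events, malformed = parse_log(text)
    p1 = tuple(date.fromisoformat(s) for s in period1)
    p2 = tuple(date.fromisoformat(s) for s in period2)
    n1, users1 = count_lockouts(events, *p1)
    n2, users2 = count_lockouts(events, *p2)
    change = None if n1 == 0 else (n2 - n1) / n1   # None: no baseline to compare against
    return {
        "period1_lockouts": n1,
        "period2_lockouts": n2,
        "relative_change": change,
        "repeat_users": sorted(set(users1) & set(users2)),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    print(compare_periods(SAMPLE_LOG, ("2023-01-01", "2023-04-01"),
                          ("2023-04-01", "2023-07-01")))
```

A doubling of lockouts, or the same user locked out in both periods, is a prompt for further procedures, not a conclusion on its own.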

9.5. Audit Evidence Life cycle


The IS audit evidence life cycle has the following phases:
1) Initial discovery
2) Identification
3) Collection
4) Preservation (storage)
5) Analysis
6) Post-analysis storage
7) Presentation
8) Return to the owner

9.6. Effect of Computers on Audit Evidence


To cope with new technology usage in an enterprise, the auditor must be competent to provide an
independent evaluation of whether business process activities are recorded and reported
according to established standards or criteria. There are two key areas in which computers have
had an effect on evidence collection and management:
1) Changes to evidence collection; and
2) Changes to evidence evaluation.

9.6.1. Changes to Evidence Collection


The changes include:
a) Data retention and storage: A client’s storage capabilities may restrict the amount of historical
data that can be retained “on-line” and readily accessible to the auditor. If the client has
insufficient data retention capacities the auditor may not be able to review a whole reporting
period’s transactions on the computer system.

If the client uses a computerized financial system, all or part of the audit trail may exist only
in machine-readable form. Where this is the case, the auditor may have to obtain and use
specialized audit tools and techniques which allow the data to be converted and interrogated.
When a client gives the auditor a magnetic tape containing transaction details, the data is not
readily accessible. Unlike receiving a printed transaction listing, the auditor cannot just pick up
a magnetic tape and read off the transactions. The data on the disk or tape may be in a different
format and hence may require conversion and translation. Once the data has been uploaded onto
the auditor’s machine, audit software may be required to interrogate the information.
b) Absence of input documents: Transaction data may be entered into the computer directly
without the presence of supporting documentation, e.g. input of telephone orders into a telesales
system. The increasing use of EDI will result in less paperwork being available for audit
examination.
c) Lack of a visible audit trail: The audit trails in some computer systems may exist for only a
short period of time. The absence of an audit trail will make the auditor’s job very difficult and
may call for an audit approach which involves auditing around the computer system by seeking
other sources of evidence to provide assurance that the computer input has been correctly
processed and output.
d) Lack of visible output: The results of transaction processing may not produce a hard copy form
of output, i.e. a printed record. In the absence of physical output it may be necessary for the
auditor to directly access the electronic data retained on the client’s computer. This is normally
achieved by having the client provide a computer terminal and being granted “read” access to
the required data files.
e) Lack of audit evidence: Certain transactions may be generated automatically by the computer
system. For example, a fixed asset system may automatically calculate depreciation on assets at
the end of each calendar month. The depreciation charge may be automatically transferred
(journalized) from the fixed assets register to the depreciation account and hence to the client’s
income and expenditure account.

Where transactions are system generated, the process of formal transaction authorization may
not have been explicitly provided in the same way as in a manual environment, i.e. each
transaction is not supported by the signature of a manager, supervisor or budget holder. This
may alter the risk that transactions may be irregular or ultra vires. Where human intervention is
required to approve transactions the use of judgment is normally required. Judgment is a feature
which computers are generally not programmed to demonstrate.
f) Legal issues: The use of computers to carry out trading activities is also increasing. More
organizations in both the public and private sector intend to make use of EDI and electronic
trading over the Internet. This can create problems with contracts, e.g. when is the contract
made, where is it made (legal jurisdiction), what are the terms of the contract and who are the
parties to the contract?
g) Admissibility of evidence: The admissibility of the evidence provided by a client’s computer
system may need special consideration. The laws regarding the admissibility of computer
evidence vary from one country to another. Within a country, laws may even vary between one
state and another. If the auditor intends to gather evidence for use in a court, s(he) should first
find out what the local or national laws stipulate on the subject.

9.6.2. Changes to Evidence Evaluation:


Evaluation of the audit trail and evidence traces the consequences of control strengths and
weaknesses through the system. The evidence evaluation function of information systems helps
to identify periodic and deterministic errors.
Key challenges arise as a result of the following:
1) System generated transactions: System generated transactions may cause problems for the
auditor. Financial systems may have the ability to initiate, approve and record financial
transactions, and it might be difficult to trace their source, objective and goals. This is likely to
become increasingly common as more organizations begin to install expert systems and
electronic data interchange (EDI) trading systems. The main reason clients are starting to use
these types of system is that they can increase processing efficiency (for example, if a computer
system can generate transactions automatically there will be no need to employ someone to do it
manually, and hence lower staff costs).
2) Automated transaction processing: Automated transaction processing systems can cause the
auditor problems, for example when gaining assurance that a transaction was properly
authorized or in accordance with delegated authorities. The auditor may need to look at the
application’s programming to determine if the programmed levels of authority are appropriate.
3) Automated transaction generation: Automated transaction generation systems are frequently
used in ‘just in time’ (JIT) inventory and stock control systems. When a stock level falls below a
certain number, the system automatically generates a purchase order and sends it to the supplier
(perhaps using EDI technology).
4) Systematic error: Computers are designed to carry out processing on a consistent basis. Given
the same inputs and programming, they invariably produce the same output. This consistency
can be viewed in both a positive and a negative manner.

9.7. Computer Forensics/ IS Forensic


Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic
science pertaining to legal evidence found in computers and digital storage media.
Definitions:
1) Computer forensics is the process of extracting information and data from digital storage
media using court validated tools and technology and proven forensic best practices to
establish its accuracy and reliability for the purpose of reporting on the same as evidence.
(ISACA guidelines)
2) Computer forensics is the discipline that combines elements of law and computer science to
collect and analyze data from computer systems, networks, wireless communications, and
storage devices in a way that is admissible as evidence in a court of law.

The goal of computer forensics is to examine digital media in a forensically sound manner with the
aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the
information. Computer forensics involves the preservation, identification, extraction,
documentation and interpretation of computer data. The three main steps in any computer forensic
investigation are;
1) Acquiring: Acquiring the data mainly involves creating a bit-by-bit copy of the hard drive.
2) Authenticating: Authentication ensures that the copy used to perform the investigation is an
exact replica of the contents of the original hard drive, by comparing the checksums of the copy
and the original.
3) Analyzing: Analysis of the data is the most important part of the investigation since this is
where incriminating evidence may be found.
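The acquiring and authenticating steps as an added Python illustration (not from the chapter): a constructed file stands in for the drive, acquire() makes the bit-for-bit image, authenticate() compares SHA-256 checksums of original and copy, and every process is written to a chain-of-custody record so an independent party can repeat it, which is what principle 3 in section 9.7.5 asks for. File names, the demo() helper and the tamper flag are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def log_step(audit_trail, action, **details):
    """Append a chain-of-custody record for one process applied to the evidence."""
    audit_trail.append({"time": datetime.now(timezone.utc).isoformat(),
                        "action": action, **details})


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, audit_trail, chunk_size=1 << 20):
    """Step 1, acquiring: bit-for-bit copy of the source into an image file,
    hashing the source as it is read so the original is read only once."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            h.update(chunk)
            dst.write(chunk)
    log_step(audit_trail, "acquire", source=source, image=image_path,
             bytes_copied=os.path.getsize(image_path), source_sha256=h.hexdigest())
    return h.hexdigest()


def authenticate(source, image_path, audit_trail):
    """Step 2, authenticating: the image is usable only if its hash equals the original's."""
    original, copy = sha256_file(source), sha256_file(image_path)
    verified = original == copy
    log_step(audit_trail, "authenticate", original_sha256=original,
             image_sha256=copy, verified=verified)
    return verified


def demo(tamper=False):
    """Run acquire + authenticate on a constructed file standing in for a drive.
    With tamper=True one byte of the image is altered after acquisition, which
    authenticate() must catch. Returns (verified, audit_trail)."""
    audit_trail = []
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "device.bin")   # constructed stand-in for the original drive
        image = os.path.join(d, "device.dd")     # the forensic image (working copy)
        with open(device, "wb") as f:
            f.write(b"MBR\x00" * 4096 + b"evidence.txt: meeting notes\n" + os.urandom(1 << 16))
        acquire(device, image, audit_trail)
        if tamper:
            with open(image, "r+b") as f:
                f.seek(10)
                f.write(b"X")
        verified = authenticate(device, image, audit_trail)
    return verified, audit_trail


if __name__ == "__main__":
    ok, trail = demo()
    print("image verified:", ok)
    print(json.dumps(trail, indent=2))
```

Analysis (step 3) is then done on the verified image only, and the original is never opened for writing; the recorded hashes let anyone re-run sha256_file() later and confirm nothing changed.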

9.7.1. Forensic Investigations


Computer forensics is the application of analytical techniques on digital media after a computer
security incident has occurred. Its goal is to identify exactly what happened on a digital system and
who was responsible through a structured, investigative approach. Forensic investigations cover all
areas of computer misuse, including fraud, Internet and e-mail abuse, entry to pornographic Web
sites, and hacking, as well as accidental deletions or alterations of data.
During the forensic investigation, evidence may be obtained in a variety of ways, including
affidavits, search warrants, depositions, and expert testimony. Regardless of the means used to
obtain data, examination of a computer or other device must be done thoroughly, carefully, and
without changing anything. This ensures that the integrity of the original data and the evidence's
validity are maintained. Evidence from computer forensics investigations is usually subjected to the
same guidelines and practices of other digital evidence.

9.7.2. Importance of Computer Forensic


1) Ensure the overall integrity and survivability of your network infrastructure.
2) Understanding the legal and technical aspects of computer forensics will help you capture vital
information if your network is compromised and will help you prosecute the case if the intruder
is caught.

9.7.3. Type of data collected


Two basic types of data are collected in computer forensics.
1) Persistent data is the data that is stored on a local hard drive (or another medium) and is
preserved when the computer is turned off.
2) Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the
computer loses power or is turned off. Volatile data resides in registries, cache, and random
access memory (RAM). Since volatile data is ephemeral, it is essential an investigator knows
reliable ways to capture it.

9.7.4. Characteristics of Computer Forensic Evidence


Computer forensic evidence should be
1) Admissible: Don’t collect anything which would not be allowed in court.
2) Authentic: The evidence should be tied to the incident.
3) Complete: Not only the “damaging” parts, but all of it. Don’t suppress or ignore anything else;
if in doubt, collect too much and ignore it later in evaluation!
4) Reliable: Collection, handling, and evaluation should ensure veracity and authenticity.
5) Believable: Should be believable and understandable in court and for laymen too (accused,
jury, ...).

9.7.5. Principles of Digital Evidence


The four main principles from this guide (with references to law enforcement removed) are as
follows:
1) No action should change data held on a computer or storage media which may be subsequently
relied upon in court.
2) In circumstances where a person finds it necessary to access original data held on a computer or
storage media, that person must be competent to do so and be able to give evidence explaining
the relevance and the implications of their actions.
3) An audit trail or other record of all processes applied to computer-based electronic evidence
should be created and preserved. An independent third-party should be able to examine those
processes and achieve the same result.



4) The person in charge of the investigation has overall responsibility for ensuring that the law and
these principles are adhered to.

9.7.6. Benefits of Computer Forensic


Organizations can use computer forensics to their benefit in a variety of cases such as;
1) Intellectual Property theft
2) Industrial espionage
3) Employment disputes
4) Fraud investigations
5) Forgeries
6) Bankruptcy investigations
7) Inappropriate email and internet use in the work place
8) Regulatory compliance

9.7.7. Computer Forensic Guidelines


These guidelines restate the four principles of digital evidence listed in section 9.7.5 above: no
action should change data that may later be relied upon in court; anyone who must access original
data must be competent and able to explain the relevance and implications of their actions; an
audit trail of all processes applied to the evidence must be created and preserved so that an
independent third party can repeat them and reach the same result; and the person in charge of the
investigation is responsible for ensuring that the law and these principles are adhered to.

9.7.8. Issues/ Challenges facing computer forensics


The issues facing computer forensics examiners can be broken down into three broad categories:
technical, legal and administrative.
1) Technical issues
a) Encryption – Encrypted data can be impossible to view without the correct key or password.
Examiners should consider that the key or password may be stored elsewhere on the
computer or on another computer which the suspect has had access to. It could also reside in
the volatile memory of a computer (RAM) which is usually lost on computer shut-down;
another reason to consider using live acquisition techniques.
b) Increasing storage space – Storage media hold ever greater amounts of data, which for the
examiner means that their analysis computers need to have sufficient processing power and
available storage capacity to efficiently deal with searching and analysing large amounts of
data.
c) New technologies – Computing is a continually evolving field, with new hardware, software
and operating systems emerging constantly. No single computer forensic examiner can be
an expert on all areas, though they may frequently be expected to analyse something which
they haven’t previously encountered. In order to deal with this situation, the examiner
should be prepared and able to test and experiment with the behaviour of new technologies.
Networking and sharing knowledge with other computer forensic examiners is very useful
in this respect as it’s likely someone else has already come across the same issue.
d) Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic
analysis. This may include encryption, the over-writing of data to make it unrecoverable,
the modification of files’ metadata and file obfuscation (disguising files). As with
encryption, the evidence that such methods have been used may be stored elsewhere on the
computer or on another computer which the suspect has had access to. In our experience, it
is very rare to see anti-forensics tools used correctly and frequently enough to totally
obscure either their presence or the presence of the evidence that they were used to hide.
2) Legal issues
Legal issues may confuse or distract from a computer examiner’s findings. A lawyer may be able to
argue that actions on a computer were not carried out by a user but were automated by a Trojan
without the user’s knowledge; such a Trojan Defence has been successfully used even when no
trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a
competent opposing lawyer, supplied with evidence from a competent computer forensic analyst,
should be able to dismiss such an argument.
3) Administrative issues
a) Accepted standards – There is a plethora of standards and guidelines in computer
forensics, few of which appear to be universally accepted. The reasons for this include:
standard-setting bodies being tied to particular legislations; standards being aimed either at
law enforcement or commercial forensics but not at both; the authors of such standards not
being accepted by their peers; or high joining fees for professional bodies dissuading
practitioners from participating.
b) Fit to practice – In many jurisdictions there is no qualifying body to check the competence
and integrity of computer forensics professionals. In such cases anyone may present
themselves as a computer forensic expert, which may result in computer forensic
examinations of questionable quality and a negative view of the profession as a whole.

9.8. Auditing Challenges with Cloud Computing


A disruptive technology like cloud computing can change “how” to audit:
1) Understanding the scope of the cloud computing environment
a) Do you use the same matrix for public clouds as for private clouds? (internal vs external)
b) The concept of a perimeter in a multi-tenant environment doesn’t make sense anymore
c) Where does the cloud start and stop?
2) Can your current risk assessment capture the risks correctly?
3) Sample selection
a) What is the universal population from which to pick a sample from?
b) What would your sample selection methodology be in a highly dynamic environment?
c) A snapshot in time may be unrepresentative depending on whether it was taken at a peak or an off-peak point in time
4) Audit trails – How do you “test” historical data if there was no audit trail?
5) Other
a) Educating the audit committee
b) Overcoming internal barriers restricting the early involvement of internal audit as a ‘risk
advisor’ to the business and IT