Chapter 9 IS Audit Evidence and IS Forensic
The auditor should consider the sufficiency and appropriateness of audit evidence to be obtained
when assessing risks and designing further audit procedures.
If the client uses a computerized financial system, all or part of the audit trail may exist only in
machine-readable form. Where this is the case, the auditor may have to obtain and use
specialized audit tools and techniques which allow the data to be converted and interrogated.
When a client gives the auditor a magnetic tape containing transaction details, the data is not
readily accessible. Unlike receiving a printed transaction listing, the auditor cannot just pick up
a magnetic tape and read off the transactions. The data on the disk or tape may be in a different
format and hence may require conversion and translation. Once the data has been uploaded onto
the auditor’s machine, audit software may be required to interrogate the information.
b) Absence of input documents: Transaction data may be entered into the computer directly
without the presence of supporting documentation e.g. input of telephone orders into a telesales
Where transactions are system-generated, the process of formal transaction authorization may
not have been explicitly provided in the same way as in a manual environment, i.e. each
transaction is not supported by the signature of a manager, supervisor or budget holder. This
may alter the risk that transactions may be irregular or ultra vires. Where human intervention is
required to approve transactions, the use of judgment is normally required. Judgment is a feature
which computers are generally not programmed to demonstrate.
f) Legal issues: The use of computers to carry out trading activities is also increasing. More
organizations in both the public and private sector intend to make use of EDI and electronic
trading over the Internet. This can create problems with contracts, e.g. when is the contract
made, where is it made (legal jurisdiction), what are the terms of the contract and who are the parties
to the contract.
g) The admissibility of the evidence provided by a client’s computer system may need special
consideration. The laws regarding the admissibility of computer evidence vary from one
country to another. Within a country, laws may even vary between one state and another. If the
auditor intends to gather evidence for use in a court, s(he) should first find out what the local
or national laws stipulate on the subject.
The goal of computer forensics is to examine digital media in a forensically sound manner with the
aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the
information. Computer forensics involves the preservation, identification, extraction,
documentation and interpretation of computer data. The three main steps in any computer forensic
investigation are:
1) Acquiring: Acquiring the data mainly involves creating a bit-by-bit copy of the hard drive.
2) Authenticating: Authentication means ensuring that the copy used to perform the investigation is
an exact replica of the contents of the original hard drive by comparing the checksums of the
copy and the original.
3) Analyzing: Analysis of the data is the most important part of the investigation since this is
where incriminating evidence may be found.