Audit through the computer:
-uses the computer to check adequacy of system
controls, data and output
-evaluates how audit strategy is affected by an
organization’s use of IT
-auditors need specialized skills to
 Determine how the audit will be affected by IT.
 Assess and evaluate IT controls
 Design and perform both tests of IT controls
and substantive tests
Information systems (Internal Control)
-This audit reviews the control of and AIS to assess
compliance with internal control policies and
procedures and the effectiveness of safeguarding assets
Information Systems Audit
Objectives
1. Security provisions protect computer equipment
programs, communications , and data from
unauthorized access, modification or destruction.
*Framework for auditing computer security
 Types of security errors and fraud found in
companies: hardware or software damage,
theft, loss or unauthorized information
disclosure, interruption of crucial business
activities.
 Control procedures to minimize security errors
and fraud: security protection plan, restrictions
on physical and logical access, password
protection, antivirus software, disaster recovery
plan, backup and recovery, fault tolerant
design.
 Systems review audit procedures: these include
inspecting sites, interviewing people, reviewing
policies and procedures, examining access logs,
disaster recovery plans.
 Test of controls – audit procedures, testing the
controls: observe site access procedures,
process for backing up files, password process,
firewalls, uninterruptible power supplies,
preventative maintenance, data transmission
controls
 Compensating controls- do these exist if the
controls are weak? Do you have sound
personnel policies? Effective user controls?
Segregation of incompatible duties?
2. Program development and acquisition are
performed in accordance with management’s general
and specific authorization
- The auditor’s role in systems development should be
limited to an independent review of systems
development activities
- Auditors should review the policies, procedures,
standards and documentation
- Audited on the process by which software is selected.
Did management approve of it? Do they have a
strategic IT plan
3. Program modifications have management’s
authorization and approval.
- Auditing applications program and system software
changes:
 When a program change is submitted for
approval, a list of all required updates should be
compiled and approved by management and
program users.
 During systems review, auditors gain an
understanding of the change process by
discussing it with management and user
personnel
 An important part of an auditor’s tests of
controls is to verify that program changes were
identified , listed, approved, tested and
documented
 To test for unauthorized program changes ,
auditors can use a source code comparison
program
Two additional techniques to detect unauthorized
program changes:
1. The reprocessing technique also uses a verified copy
of the source code. On a surprise basis, the auditor
uses the program to reprocess data and compare that
output with the company’s data.
2. Parallel simulation is similar to reprocessing except
that the auditor writes a program instead of saving a
verified copy of the source code. The auditor’s results
are compared with the company’s results and any
differences are investigated
4. Processing transactions, files , reports and other
computer records is accurate and complete
- The focus is the processing of transactions, files and
related computer records to update files and databases
and to generate reports
Options to test processing controls:
a.) Processing test data
- One way to test a program is to process a hypothetical
series of valid and invalid transactions
- The following resources are helpful when preparing
test data:
- A listing of actual transactions
- The test transactions the programmer used to test the
program
- A test data generator program, which automatically
prepares a test data based on program specifications
b.) Concurrent audit techniques
- The auditor uses concurrent audit techniques to
continually monitor the system and collect audit
evidence while live data are processed during regular
operating hours.
- Concurrent audit techniques use embedded audit
modules , which are segments of program code that
perform audit functions. These report results to the
auditors
Auditors normally use five concurrent audit techniques:
1.) Integrated test facility (ITF)
 Small set of fictitious record in the master
file and the auditor will compare processing
with the expected result to verify that the
system and controls are operating
effectively. It involves creation of dummy
entity in the application system & to audit
the processing of test data entered in
dummy entity.
2.) Snapshot technique
 examines the way the transactions are
processed. Selected transactions are
marked with special code that triggers
snapshot process. Audit module records the
transactions before & after processing.
3.) System control audit review file (SCARF)-
 It involves embedding audit software
module within host application to provide
continuous monitoring of transactions.
SCARF is like snapshot with data collection
capability.
4.) Audit Hooks
 It is used to flag the suspicious transactions.
Auditor is informed of questionable
transactions as they occur via real time
notification.
5.) Continuous and Intermittent Simulation (CIS)-
embeds an audit module in a database
management system (DBMS). The CIS module
examines all transactions that update the
database using criteria similar to those of
SCARF.
c.) Analyzing program logic
- If an auditor suspects that a particular application
program contains unauthorized code or serious errors ,
then a detailed analysis of the program logic may be
necessary.
- There are software that :
 Create automatic flowcharts
 Create automated decision tables
 Scan for occurrences of variables or
characters
 Map for unexecuted code
 Trace program steps
 Key: there is a lot of software to help
auditors
- Does the system detect erroneous input?
- Does it properly correct input errors?
- Are there examples of improper distribution or
disclosure of output
Disadvantages of processing test transactions:
- The auditor must spend considerable time
developing an understanding of the system and
preparing an adequate set of test transactions
- Care must be taken to ensure that test data do
not corrupt (affect) the company’s files and
databases
5. Source data that are inaccurate or improperly
authorized are identified and handled according to
prescribed managerial policies.
- Auditors use an input controls matrix. The matrix
shows the control procedures applied to each field of an
input record
- The internal controls that prevent, detect and correct
inaccurate or unauthorized data
- Authorization: Are there tests to prevent , detect and
correct *Flawed information? Are the transactions
complete?
- Do other controls compensate?
6. Computer data files are accurate, complete and
confidential
- Concerns with the accuracy, integrity and security of
data stored in machine-readable files
- Are they protected against unauthorized modification
destruction or disclosure of data
Computer Software Audit
- A number of computer programs, called computer
audit software (CAS) or generalized audit software
(GAS) , have been written especially for auditors
- General Audit Software is software designed to read,
process and write data with the help of functions
performing specific audit routines and with self-made
macros. It is a tool in applying Computer Assisted thereby detecting and facilitating correction of
Auditing Techniques Functions of generalized audit any errors prior to shipment
software include importing computerized data;  Cash receipts are processed more quickly,
thereafter other functions can be applied. improving cash flow.
 Reports and performance measures are
Two of the most popular software
timelier, enhancing management’s ability to
1. Audit Control Language is a data
monitor and improve efficiency and
interrogation tool used by auditors to view,
explore, and analyze data efficiently and effectiveness.
cost effectively. ACL enables auditors to Internal control in revenue cycle
access data in diverse formats and on
various types of storage devices. 1. Authorization
2. IDEA ( Interactive Data Extraction and 2. Supervision
Analysis) is a Generalized Audit Software. It 3. Segregation of duties
is able to import a wide range of different 4. Access control
types of data files. During the import a 5. Independent verification
IDEA file and its field statistics are created. 6. Accounting records

 The primary purpose of CAS is to assist Computer-based accounting systems

the auditor in reviewing and retrieving
information in computer files. CBAS technology can be viewed as a continuum with
 CAS cannot replace the auditor’s two extremes:
judgment or free the auditor from other 1. Automation – use technology to improve
phases of the audit.
efficiency and effectiveness
2. Reengineering- use technology to restructure
Audit on Revenue Cycle
business processes and firm organization
Information Processing Procedures
Levels of Automating and Reengineering Ordering
Many organizations have replaced their accounting info
1. Computer generates PR
systems with an integrated Enterprise Resource
Purchases manually generates PO
Planning (ERP) system.
2. Computer generates PO (no PR needed)
ERP key improvements are as follows: PO not sent until manually reviewed
3. Computer-generated PO is automatically sent
 Real-time order entry detects errors, such as
without manual review
missing data, as the order is being entered, and
4. Electronic Data Interchange (EDI)
when it is easiest to correct those errors.
Computer-to -computer communication
 Credit approval decisions can be made at the
without PO
time the customer places the order. If special
approval is required, the credit manager is Audit on Purchases and Disbursements Cycle
notified by e-mail or IM and can immediately
Expenditure Cycle Data Base
make that decision.
 Inventory records are more accurate and  Master files
timely, enabling sales order entry staff to - supplier
provide customers accurate information about -accounts payable
expected delivery dates. -merchandise inventory
 The warehouse shipping departments can  Transaction and Open Document Files
better plan activities to minimize the time - purchase order file
required to fill customer orders - open purchase order file
 The system compares data that the shipping - supplier’s invoice file
department entered with the sales order file, -open vouchers file
- cash disbursement file
  Other Files
- supplier reference and history file
-buyer file
-accounts payable detail file

Computer-based Purchases

 A Data Processing department performs routine

accounting tasks
 Purchasing – a computer program identifies
inventory requirements
 The following methods are used for authorizing
and ordering inventories
- the system prepares POs and sends them to
Purchases for review, signing and distributing
-the system distributes POs directly to the
vendors and internal users, bypassing Purchases
-the system uses electronic data interchange
(EDI) and electronically places the order
without POs

Computer-Based Cash Disbursements

 Tasks performed automatically by the computer

- the system scans for vouchers currently due
-prints checks for these vouchers
-records these checks in the check register
-batch totals are prepared for the general
ledger update procedure

General Internal controls

 Organization control
- segregation of duties
 Documentation
 Asset accountability controls
 Management practices
 Data center operations control
 Authorization controls
 Access controls
 Functions:
a. Data conversion – transcribes
transaction data from hard-
copy source documents into
computer-input.
b. Data operations – the electronic
files produced in data
conversion are later processed
by the central computer , which
is managed by the computer
operations groups.
c. Data library- a room adjacent to
the computer center that.
Those files could be backups or
current data files.
A data librarian, who is
Auditing IT Governance Control responsible for the receipt,
IT Governance Issues storage, retrieval and custody
of data files, controls access to
I. Organizational structure of the IT function the library.
II. Computer center operations
III. Disaster recovery planning Systems Development and System Maintenance –
the first group is responsible for analyzing user
User needs and for designing new systems to
satisfy those needs. The participants in this
I. Structure of the Information Technology function
System include systems professionals, end
users, and stakeholders.
a. Centralized data processing – all data
processing is performed by one or more Segregation of Incompatible IT Functions
1. Separate transaction authorization from
large computers housed at a central site
transaction processing
that serves users throughout the
2. Separate recordkeeping and asset custody
organization. 3. Divide transaction-processing tasks among
individuals such that short of collusion
Service areas: between two or more individuals fraud
 Database administration would be possible.
 Data processing
Functions: data conversion; data The Distributed Data Processing (DDP) – an
operations, data library alternative to the centralized model
 Systems development and - Involves
maintenance reorganizing the
central IT function
Data base administration – centrally organized into small IT units
companies maintained their data resources in a that are placed
Central location that is shared by all end users. In this under the control
shared arrangement, an independent group headed by of end users
the database Administrator is responsible for the - The IT units maybe
security and integrity of the Database. distributed
according to
Data Processing – the data group manages the business function,
computer resources used to perform the day-to-day Geographic location
Processing of transactions. or both.
 - The degree to
which the business
functions are
distributed
depends upon the
philosophy and
objectives of the
organization’s
management.
Risks associated with DDP
1. Inefficient use of resources
a) The risk of mismanagement of
organization-wide IT resources by end
users.
b) Increases the risk of operational
inefficiencies because of redundant tasks
being performed within the end user
committee
c) Risk of incompatible hardware and
software among end-user
2. Destruction of audit trails – should an end-user
inadvertently delete one of the files, the audit
trail could be destroyed and unrecoverable or
if the end user inadvertently inserts transaction
errors into an audit trail file, it could become
corrupted
3. Inadequate segregation of duties- may result in
the creation of independent units that do not
permit the desired separation of incompatible
functions
4. Hiring qualified professionals – end-user
managers may lack the IT knowledge to
evaluate the technical credentials and relevant
experience of candidates applying for IT
professional positions.
5. Lack of standards- because of the distribution
of responsibility, standards for developing and
documenting systems, choosing programming
languages, acquiring hardware and software ,
and evaluating performance may be unevenly
applied or even nonexistent
Advantages of DDP
1. Cost reductions – a) data can be edited and
entered by the end user and b) application of
complexity can be reduced , which in turn
reduces systems development and maintenance
costs.
2. Improved cost control responsibility – the
responsibility of the end-user managers for the
financial success of their operations, requires
them to be properly empowered with authority
to make decisions about resources that
influence their overall success
3. Improved user satisfaction due to a) end-users
desire to control the resources that influence
their profitability b) users want systems
professionals to be responsive to their specific
situation
d) Users want to become more actively
involved in developing and implementing
their own systems
4. Backup flexibility – ability to back up computing
facilities to protect against potential disasters
Audit Objective
To verify that the structure of the IT function is such
that individuals in incompatible areas are segregated in
accordance with the level of potential risk and in a
manner that promotes a working environment.
Audit Procedures
The following audit procedures would apply to an
organization with a centralized IT function:
1. Review relevant documentation
2. Review systems documentation and
maintenance
3. Verify that computer operators do not have
access to the operational details of system’s
internal logic. Systems documentation, such as
systems flowchart, logic flowcharts, and
program code listings, should not be part of the
operations’ documentation set.
4. Through observation, determine that
segregation policy is being followed in practice
The following are audit procedures would apply to an
organization with a distributed IT function:
1. Review the current organizational chart,
mission statement, and job descriptions for
key functions to determine if individuals or
groups are performing incompatible duties.
2. Verify that corporate policies and standards
for systems design, documentation and
hardware ad software acquisition are
published and provided to distributed IT
units.

3. Verify that compensating controls, such as
supervision and management monitoring ,
are employed when segregation of
incompatible duties is economically
4. Review systems documentation to very
application , procedure, and databases are
designed and functioning in accordance
with corporate standards.
The Computer Center
1. Physical location
2. Construction
3. Access
4. Air-conditioning
5. Fire Suppression
6. Fault tolerance – it is the ability of the system to
continue operation when part of the system
fails because of hardware failure, application
program error, or operator error
a. Redundant arrays of independent disks –
if one disk fails, the lost data are
automatically reconstructed from the
redundant components stored on the
other disks.
b. Uninterrupted power supplies - such as
voltage regulators, surge protectors,
generators and backup batteries
Audit objectives – to evaluate the controls governing
computer center security, specifically
a) Physical security controls are
adequate to reasonably protect the
organization from physical
exposures
b) Insurance coverage on equipment is
adequate to compensate the
organization for the destruction of,
or damage to, its computer center
Audit Procedures – tests of physical security controls;
such as tests for ;
1. Physical construction – solidly built with
fireproof material, adequate drainage, facility
located in an area that minimize its exposure to
fire, civil unrest and other hazards
2. Fire detection system
3. RAID- redundant array of independent disks
4. Uninterruptible power supply
5. Insurance coverage
Disaster Recovery Planning
Features:
1. Identify critical applications
2. Create a disaster recovery program
3. Provide site backup
4. Specify backup and off-site storage procedures
Audit Objective – verify that management’s disaster
recovery plan is adequate and feasible for dealing with
a catastrophe that could deprive the organization of its
computing resources.
Audit Procedures
Tests to be performed:
1. Site backup – evaluate the adequacy
2. Critical application list – ensure its
completeness
3. Software backup – verify that copies of critical
applications and operating systems are stored
off-site
4. Data backup – verify that critical data files are
backed up in accordance with DRP
5. Backup supplies, documents and
documentation – verify the that the types and
quantities of items specified in the DRP are in a
secure location
6. Disaster recovery team- verify that members of
the same team are current employees and are
aware of their assigned responsibilities
Outsourcing the IT Function
Benefits:
1. Improved core performance
2. Improved IT performance
3. Reduce IT costs
Risks inherent to IT outsourcing
1. Failure to perform
2. Vendor exploitation
3. Outsourcing costs exceed benefits
4. Reduced security
5. Loss of strategic advantage
Audit Implications of IT outsourcing
 The use of service organization does not reduce
management’s responsibility to maintain effective
internal control over financial reporting
 If an audit client firm outsource its IT function to
vendor that processes its transactions, hosts key
data, or performs other significant services , the
 auditor will need to conduct an evaluation of the
vendor organization ‘s controls, or alternatively
obtain auditor’s report from the vendor
organization.
Ch3
Learning Objectives:
1. Be able to identify the principal threats to the
operating system and the control techniques
used to minimize the possibility of actual
exposures
2. Be familiar with the principal risks associated
with commerce conducted over intranets and
the internet and understand the control
techniques used to reduce these risks
3. Be familiar with risks associated with personal
computing systems
4. Recognize the unique exposures that arise in
connection with electronic data interchange
(EDI) and understand how these exposures can
be reduced.
Operating System Control Objectives
1. Protect itself against tampering by users
2. Protect users from accessing, destroying or
corrupting another user’s programs or data
3. Safeguard users’ application modules from
destroying or corrupting other modules
4. Safeguard its own modules from destroying or
corrupting other modules
5. Protect itself from its environment including
power failures and other disasters
Operating Systems Security
1. Log-On Procedure - First line of defense against
unauthorized access consisting of user IDs and
passwords
2. Access token -Contains key information about
user which is used to approved actions
attempted during the session
3. Access Control list -Assigned to each IT resource
and used to control access to the resource
4. Discretionary Access Privileges -Allows user to
grant access to another user
Threats to Operating System Integrity
1. Accidental threats include hardware failures
and errors in user applications
2. Intentional threats are often attempts to
illegally access data or violate privacy for
financial gain
3. Growing threat is destructive programs with no
apparent gain, which come from three sources
4. Privileged personnel who abuse their authority
5. Individuals who browse the operating system to
identify and exploit security flaws
6. Individuals who insert viruses or other
destructive programs into the operating system,
either intentionally or unintentionally
Operating Systems Controls and Audit Tests
 Access Privileges
Audit Objectives: Verify that access
privileges are consistent with separation of
incompatible functions and organization policies
Audit Procedures: Review;
a. policies for separating
incompatible functions
b. a sample of user privileges,
especially access to data and
programs
c. security clearance checks of
privileged employees
d. determine if users have
formally acknowledged their
responsibility to maintain data
confidentiality
e. Users’ permitted log-on times
 Password Controls
Password is a secret code the user enters to
gain access to system or data. Most common
Common contra-security behaviors:
f. Forgetting passwords or failing
to regularly change them
g. Post-it-syndrome which puts
passwords on display
h. Simplistic passwords that are
easy for criminals to anticipate
Audit Objectives: Ensure adequacy and
effectiveness of password policies for controlling access
to the operating system
 Audit Procedures:
i. Verify passwords are required
for all users and that new users
are instructed in their use and
importance
j. Ensure controls requiring
passwords to be changed
regularly
k. Review password file for weak
passwords
l. Verify encryption of the
password file
m. Assess the adequacy of
password standards
n. Review account lockout policies
and procedures
 Controlling against malicious and destructive
programs
Organizations can reduce threats through the
following technology controls and
administrative procedures
o. Purchase software from
reputable vendors in original
packages
p. Policy pertaining to
unauthorized or illegal software
q. Examine upgrades and public-
domain software for viruses
before implementation and use
r. Implement procedures for
changing programs
s. Educate users regarding threats
t. Test all applications before
implementation
u. Make frequent backups and
limit users to read and execute
rights only whenever possible
v. Require protocols to bypass
Trojan horses and use antiviral
softwares
Audit Objectives: Verify effectiveness of procedures
to protect against programs such as viruses, worms,
back doors, logic bombs, and Trojan horses
Audit Procedures:
w. Interview to determine that
operations personnel have
been properly educated and are
aware of risks
x. Verify new software is tested
on stand alone workstations
before being implemented on
the horse or network server
y. Verify antiviral software is
current and that upgrades are
regularly downloaded to
workstations
 System Audit Trail Controls – logs that record
activity at the system, application and use level
Two types of audit logs:
z. Keystroke monitoring -involves
recording user’s keystrokes and
the system’s
response
aa. Event monitoring- summarizes
key activities related to system
resources
Audit trail Objectives:
a. Detect unauthorized access,
b. Reconstruct events
c. Promote personal accountability
Audit Objectives: Ensure established system
audit trail is adequate for preventing and
detecting abuses, reconstructing key events
and planning resource allocation
Audit Procedures
a. Verify audit trail has been activated
per common policy
b. Use data extraction tools to search
for defined conditions such as :
- unauthorized
users
- periods of
inactivity
 - periods of
activity including log-on and log-offs
times
- failed log-on
attempts and specific access

c. Sample security violation cases and

evaluate their disposition to assess
security group effectiveness