Accounting Information Systems: Fourteenth Edition

Accounting Information Systems

Fourteenth Edition

Chapter 11
Auditing Computer-Based
Information Systems

Copyright © 2017, 2016, 2015 Pearson Education, Inc. All Rights Reserved
Learning Objectives
• Describe the nature, scope, and objectives of audit work,
and identify the major steps in the audit process.
• Identify the six objectives of an information system audit,
and describe how the risk-based audit approach can be
used to accomplish these objectives.
• Describe computer audit software, and explain how it is
used in the audit of an AIS.
• Describe the nature and scope of an operational audit.

Auditing
• The process of obtaining and evaluating evidence
regarding assertions about economic actions and events in
order to determine how well they correspond with
established criteria.

Major Steps in the Auditing Process
• Audit planning
– Why, how, when, and who
– Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results

Risk-Based Audit Approach
• Determine the threats (fraud and errors) facing the
company
• Identify control procedures (prevent, detect, correct the
threats)
• Evaluate control procedures
– Review to see if control exists and is in place
– Test controls to see if they work as intended
• Determine effect of control weaknesses
– Compensating controls

Information Systems Audit
• Using the risk-based framework for an information systems
audit allows the auditor to review and evaluate internal
controls that protect the system to meet each of the
following objectives:
– Protect overall system security (includes computer equipment,
programs, and data)
– Program development and acquisition occur under management
authorization
– Program modifications occur under management authorization
– Accurate and complete processing of transactions, records, files,
and reports
– Prevent, detect, or correct inaccurate or unauthorized source data
– Accurate, complete, and confidential data files

1. Overall Information System Security
Threats
• Theft of hardware
• Damage of hardware (accidental and intentional)
• Loss, theft, unauthorized access to
– Programs
– Data
– Other system resources
• Unauthorized modification or use of programs and data files
• Loss, theft, or unauthorized disclosure of confidential data
• Interruption of crucial business activities
Controls
• Information security/protection plan
• Limit physical access to computer equipment
• Limit logical access to system using authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Fault tolerant systems design
• Disaster recovery plan
• Preventive maintenance
• Firewalls
• Casualty and business interruption insurance

2. Program Development and Acquisition
Threats
• Inadvertent programming errors
• Unauthorized program code
Controls
• Review software license agreements
• Management authorization for:
– Program development
– Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs
• Systems documentation

3. Program Modification
Threats
• Inadvertent programming errors
• Unauthorized program code
Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for program change specifications
• Test changes to program
• System documentation of changes
• Changes by personnel independent of users and programmers
• Logical access controls

4. Computer Processing
Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Introduction of errors into files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting
Controls
• Data editing routines
• Proper use of internal and external file labels
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
• Effective handling of data input and output by data control personnel
• File change listings and summaries for user department review
• Maintenance of proper environmental conditions in computer facility

5. Source Data
Threats
• Inaccurate source data
• Unauthorized source data
Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
• User department review of file change listings and summaries
• Effective procedures for correcting and resubmitting erroneous data
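Two of the source data controls listed above, check digit verification and batch control totals, as an added example that is not drawn from the slides; the mod-10 check digit scheme, the batch header values and the transactions are constructed assumptions.

```python
# Added example, not from the slides: two source data controls, a mod-10 check
# digit on account numbers and batch control totals (record count, financial
# total, hash total) reconciled against a constructed batch header.
from dataclasses import dataclass

def luhn_check_digit(digits: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:      # double every other digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def valid_account(account: str) -> bool:
    """Key verification: last digit must equal the check digit of the rest."""
    return account[-1] == luhn_check_digit(account[:-1])

@dataclass
class Txn:
    account: str
    amount_cents: int

def batch_totals(txns):
    """Record count, financial total, and a hash total over the account field."""
    return {"count": len(txns),
            "financial": sum(t.amount_cents for t in txns),
            "hash": sum(int(t.account) for t in txns)}

def reconcile(txns, header):
    """Return control exceptions; an empty list means the batch is accepted."""
    problems = [f"check digit failed for account {t.account}"
                for t in txns if not valid_account(t.account)]
    actual = batch_totals(txns)
    for k in ("count", "financial", "hash"):
        if actual[k] != header[k]:
            problems.append(f"{k} total mismatch: header {header[k]}, keyed {actual[k]}")
    return problems

# Constructed batch: the header totals were prepared by the user department;
# the bad batch has a transposed amount and a mis-keyed account number.
HEADER = {"count": 2, "financial": 12550, "hash": 11111107}
GOOD_BATCH = [Txn("1234566", 10000), Txn("9876541", 2550)]
BAD_BATCH = [Txn("1234566", 10000), Txn("9876542", 2505)]
```

The hash total catches a mis-keyed account number even when the financial total happens to match, which is why a non-financial field is totalled alongside the amounts.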

6. Data Files
Threats
• Destruction of stored data from
– Errors
– Hardware and software malfunctions
– Sabotage
• Unauthorized modification or disclosure of stored data
Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures

Audit Techniques Used to Test Programs
• Integrated Test Facility (ITF)
– Uses fictitious inputs
• Snapshot Technique
– Master files before and after update are stored for specially
marked transactions
• System Control Audit Review File (SCARF)
– Continuous monitoring and storing of transactions that meet pre-specified criteria
• Audit Hooks
– Notify auditors of questionable transactions
• Continuous and Intermittent Simulation (CIS)
– Similar to SCARF for DBMS
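The concurrent audit techniques above, as an added example that is not part of the original slides: a toy posting routine with an embedded audit module that stores SCARF matches for later review, takes before-and-after snapshots for auditor-tagged transactions, and raises an audit hook notification while the transaction posts. The selection criteria, the watch list and the sample transactions are constructed assumptions.

```python
# Added example, not from the slides: a toy posting routine with an embedded
# audit module applying SCARF, the snapshot technique, and an audit hook inline.
# Criteria, watch list, and sample transactions are constructed assumptions.
from dataclasses import dataclass, field
@dataclass
class Txn:
    txn_id: int
    account: str
    amount: float
    hour: int             # hour of day the transaction was entered
    tagged: bool = False  # auditor-marked transaction (snapshot technique)

@dataclass
class AuditModule:
    amount_limit: float = 10_000.0
    watch_list: set = field(default_factory=lambda: {"B200"})
    scarf_log: list = field(default_factory=list)      # SCARF: kept for later review
    snapshots: list = field(default_factory=list)      # snapshot: master before/after
    notifications: list = field(default_factory=list)  # audit hook: immediate notice

    def scarf_criteria(self, t: Txn) -> list:
        """Pre-specified SCARF criteria: large amount or off-hours entry."""
        reasons = []
        if t.amount >= self.amount_limit:
            reasons.append("amount at or above limit")
        if not 8 <= t.hour < 18:
            reasons.append("entered outside business hours")
        return reasons

def post(master: dict, t: Txn, audit: AuditModule) -> float:
    """Apply t to the master file while the embedded audit module watches."""
    before = master.get(t.account, 0.0)
    after = before + t.amount
    master[t.account] = after
    if reasons := audit.scarf_criteria(t):
        audit.scarf_log.append((t.txn_id, reasons))
    if t.tagged:
        audit.snapshots.append({"txn_id": t.txn_id, "before": before, "after": after})
    if t.account in audit.watch_list:   # audit hook fires as the transaction posts
        audit.notifications.append(f"txn {t.txn_id} posted to watched account {t.account}")
    return after

def run_day(txns):
    master, audit = {}, AuditModule()
    for t in txns:
        post(master, t, audit)
    return master, audit

SAMPLE = [Txn(1, "A100", 250.0, 9), Txn(2, "A100", 12_000.0, 10, tagged=True),
          Txn(3, "B200", 40.0, 22), Txn(4, "C300", 500.0, 11)]
```

Running run_day(SAMPLE) leaves the master file updated normally while the audit module holds two SCARF entries, one snapshot and one notification for the auditor to review.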

Software Tools Used to Test Program Logic
• Automated flowcharting program
– Interprets source code and generates flowchart
• Automated decision table program
– Interprets source code and generates a decision table
• Scanning routines
– Searches program for specified items
• Mapping programs
– Identifies unexecuted code
• Program tracing
– Prints program steps with regular output to observe sequence of
program execution events

Computer Audit Software
• Computer-assisted audit software that can perform audit tasks on a copy of a
company’s data. It can be used to:
– Query data files and retrieve records based upon specified criteria
– Create, update, compare, download, and merge files
– Summarize, sort, and filter data
– Access data in different formats and convert to common format
– Select records using statistical sampling techniques
– Perform analytical tests
– Perform calculations and statistical tests

Operational Audits
• Purpose is to evaluate effectiveness, efficiency, and goal
achievement. Although the basic audit steps are the same,
the specific activities of evidence collection are focused
toward operations such as:
– Review operating policies and documentation
– Confirm procedures with management and operating personnel
– Observe operating functions and activities
– Examine financial and operating plans and reports
– Test accuracy of operating information
– Test operational controls

Key Terms (1 of 2)
• Auditing
• Internal auditing
• Financial audit
• Information systems (internal control) audit
• Operational audit
• Compliance audit
• Investigative audit
• Inherent risk
• Control risk
• Detection risk
• Confirmation
• Reperformance
• Vouching
• Analytical review
• Audit log
• Materiality
• Reasonable assurance
• Systems review
• Test of controls
• Compensating controls
• Source code comparison program
• Reprocessing
• Parallel simulation
• Test data generator
• Concurrent audit techniques
• Embedded audit modules
• Integrated test facility (ITF)
• Snapshot technique
• System control audit review file (SCARF)

Key Terms (2 of 2)
• Audit hooks
• Continuous and intermittent simulation (CIS)
• Automated flowcharting program
• Automated decision table program
• Scanning routines
• Mapping programs
• Program tracing
• Input controls matrix
• Computer-assisted audit techniques (CAAT)
• Generalized audit software (GAS)
