chapter 11-1. chapter 11-2 chapter 11 information technology auditing introduction the audit...

Chapter 11-1

Upload: sylvia-lambert

Post on 18-Dec-2015


Page 1: Chapter 11-1. Chapter 11-2 Chapter 11 Information Technology Auditing Introduction The Audit Function The IT Auditor’s Toolkit Auditing the Computerized

Chapter 11-1


Chapter 11 Information Technology Auditing

Introduction

The Audit Function

The IT Auditor’s Toolkit

Auditing the Computerized AIS

Information Technology Auditing Today


Introduction

Audits of accounting systems ensure that controls are functioning properly

confirm that additional controls are not needed

The nature of auditing includes the distinction between internal and external auditing

the relationship between an IT audit and a financial audit


Introduction

the tools an IT auditor uses

discussion of information technology governance,

fraud in auditing,

the impact of Sarbanes-Oxley on IT audits, and

third-party and systems reliability assurance services


The Audit Function

The function of an audit

is to examine and to assure.

will differ according to the subject under examination.

can be internal or external, and

concerns information systems also.

Information technology auditing discusses

internal auditing,

external auditing, and

IT auditing.


The Audit Function

Question

An IT auditor

a. must be an external auditor.

b. must be an internal auditor.

c. can be either an internal or external auditor.

d. must be a certified public accountant.


Internal Auditing

An internal audit, which preserves its objectivity

is carried out by company personnel reporting to top management and/or the Audit Committee of the Board of Directors

is external to the corporate department or division being audited

concerns employee adherence to company policies and procedures, evaluation of internal controls


Internal Auditing

is relatively broad in scope, including auditing for fraud, ensuring that employees are not copying software programs illegally

can provide assurance to a company’s top management about the efficiency of its organization and effectiveness of its organization


External Auditing

The external audit is carried out by independent accountants

has the attest function as its chief purpose confirming the accuracy of financial statements and fairness of financial statements.

is conducted in the context of GAAP

has expanded to check if financial statements are free of erroneous materials and do not contain fraudulent misstatements

includes a variety of assurance services now


Information Technology Auditing

Information technology (IT) auditing involves evaluating the computer’s role in achieving audit objectives and control objectives

means proving data and information are reliable, confidential, secure, and available as needed

includes attest objectives like safeguarding of assets and data integrity, operational effectiveness.


The IT Audit

The IT audit function encompasses


The Information Technology Audit Process

Computer-assisted audit techniques (CAATs) are used

when controls are weak, for substantive testing of transactions and account balances.

when controls are strong, for compliance testing to ensure controls are in place and working as prescribed.


The Information Technology Audit Process


Careers in Information Systems Auditing

The demand for IT auditors is growing

increasing use of computer-based AISs

systems becoming more technologically complex

passing of the Sarbanes-Oxley bill

IT auditing requires a variety of skills, combining

accounting and

information systems or computer science skills.


Careers in Information Systems Auditing

Information systems auditors

may be internal or external

can obtain professional certification as a Certified Information Systems Auditor (CISA)

can also acquire certification as Certified Information Security Managers (CISM)


Careers in Information Systems Auditing

Auditors can achieve CISA certification by completing an examination given by ISACA, meeting specific experience requirements, complying with a Code of Professional Ethics, undergoing continuing professional education, and complying with the Information Systems Auditing Standards


Careers in Information Systems Auditing

CISM certification, which is also granted by ISACA, evaluates knowledge in information security governance, information security program management, risk management, information security management, and response management.


Effectiveness of Information Systems Controls

An external auditor’s objectives are

to evaluate the risks to the integrity of accounting data

to make recommendations to managers to improve these controls.


Risk Assessment

A risk-based audit approach involves

Determining the threats facing the AIS (errors and irregularities)

Identifying the control procedures to prevent or detect the errors and irregularities


Risk Assessment

Evaluating the control procedures within the AIS: observing system operations, inspecting documents, records, and reports, checking samples of system inputs and outputs, and tracing transactions through the system

Evaluating weaknesses: identifying control deficiencies, determining compensating controls to make up for the deficiency


Information Systems Risk Assessment

Information Systems Risk Assessment evaluates desirability of IT controls for an aspect of business risk.

disaster recovery or business continuity plan

Auditors and managers must answer each of the following questions:

What assets or information does the company have that unauthorized individuals would want?

What is the value of these identified assets or information?

How can unauthorized individuals obtain valuable assets or information?

What are the chances of unauthorized individuals obtaining valuable assets or information?


Guidance in Reviewing and Evaluating IT Controls

Two guides available to IT auditors

Systems Auditability and Control (SAC) report

identifies important information technologies and specific risks related to these technologies

recommends controls to mitigate risks and suggests audit procedures to validate these controls


Guidance in Reviewing and Evaluating IT Controls

Control Objectives for Information and Related Technology (COBIT) provides guidance in assessing business risks, controlling for business risks, and evaluating the effectiveness of controls


Guidance in Reviewing and Evaluating IT Controls

Question

COBIT is

a. a control framework developed by the Institute of Internal Auditors.

b. a control framework developed specifically for organizations involved in e-business.

c. an internal control model that covers both automated and manual systems.

d. an internal control framework and model that encompasses an organization’s IT governance and information technologies.


The Information Technology Auditor’s Toolkit

IT auditors need to have

the technical skills to understand the vulnerabilities in hardware and software

use of appropriate software to do their jobs

general-use software such as word processing programs, spreadsheet software, and database management systems,

generalized audit software (GAS), and

automated workpaper software.


The Information Technology Auditor’s Toolkit

people skills to work as a team, to interact with clients and other auditors, to interview many people constantly for evaluation


Auditing with the Computer

Auditing with the Computer

entails using computer-assisted audit techniques (CAATs) to help in auditing tasks and hence is effective and saves time

is virtually mandatory since data are stored on computer media and manual access is impossible.


General-Use Software

Auditors use general-use software as productivity tools to improve their work such as

spreadsheets and

database management systems.

Auditors use structured query language (SQL) to retrieve a client’s data and display these data for audit purposes.


Generalized Audit Software

Generalized audit software (GAS) packages

enable auditors to review computer files without rewriting processing programs,

are specifically tailored to auditor tasks

have been developed in-house in large firms, or

are available from various software suppliers

Examples of GAS are

Audit Command Language (ACL)

Interactive Data Extraction Analysis (IDEA)


Generalized Audit Software

Question

Which of the following is not true with respect to generalized audit software (GAS)?

a. They require auditors to rewrite processing programs frequently while reviewing computer files.

b. They are specifically tailored to auditor tasks.

c. They may be used for specific application areas, such as accounts receivable and inventory.

d. They allow auditors to manipulate files to extract and compare data.


Automated Workpaper Software

Automated workpaper software is similar to general ledger software

is much more flexible.

Its features include: generated trial balances,

adjusting entries,

consolidations, and

analytical procedures.


People skills

The most important skills auditors need are people skills. Auditors

will find that many of the audit steps are nontechnical

need to work in a team,

have to interact with clients and other auditors,

require strong interpersonal relationships.

will need to interview the CIO


People skills

Many of the controls that an IT auditor needs to evaluate have more to do with human behavior than technology:

one of the best protections against viruses and worms is regularly updated antivirus software, but

it is even more important to see if the security administrator is checking for virus updates and patches on a regular basis.


Auditing the Computerized AIS

Testing Computer Programs

Validating Computer Programs

Review of Systems Software

Validating Users and Access Privileges

Continuous Auditing


Objectives of an Information Systems Audit

In an IT audit, auditors should meet the following objectives

Checking security provisions, which protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.

Program development and acquisition are performed in accordance with management’s authorization.

Program modifications have authorization and approval from management.


Objectives of an Information Systems Audit

Processing of transactions, files, reports, and other computer records is accurate and complete.

Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.

Computer data files are accurate, complete, and confidential.


Auditing Computerized AIS - Auditing Around the Computer

Auditing around the computer

assumes that accurate output verifies proper processing operations

pays little or no attention to the control procedures within the IT environment

is generally not an effective approach to auditing a computerized environment.


Auditing Computerized AIS - Auditing Through the Computer

Five techniques used to audit a computerized AIS are:

use of test data, integrated test facility, and parallel simulation to test programs,

use of audit techniques to validate computer programs,

use of logs and specialized control software to review systems software,

use of documentation and CAATs to validate user accounts and access privileges, and

use of embedded audit modules to achieve continuous auditing.


Testing Computer Programs - Test Data

The auditor’s responsibility is to

develop test data that tests the range of exception situations

arrange the data in preparation for computerized processing

complete the audit test by comparing the results with a predetermined set of answers

investigate further if the results do not agree

Test data

can check if program edit test controls are in place and working

can be developed using software programs called test data generators


Testing Computer Programs - Integrated Test Facility

An integrated test facility (ITF)

establishes a fictitious entity such as a department, branch, customer, or employee,

enters transactions for that entity, and

observes how these transactions are processed.

is effective in evaluating integrated online systems and complex programming logic, and

aims to audit an AIS in an operational setting.


Testing Computer Programs - Integrated Test Facility

The auditor’s role is to

examine the results of transaction processing

find out how well the AIS does the tasks required of it by introducing artificial transactions into the data processing stream of the AIS.


Testing Computer Programs - Parallel Simulation

In Parallel Simulation, the auditor

uses live input data, rather than test data, in a program, which is written or controlled by the auditor

simulates all or some of the operations of the real program that is actually in use.

needs to understand the client system, should possess sufficient technical knowledge, and should know how to predict the results.


Testing Computer Programs - Parallel Simulation

Parallel simulation

eliminates the need to prepare a set of test data,

can be very time-consuming and thus cost-prohibitive

usually involves replicating only certain critical functions of a program.
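
The comparison a parallel simulation performs, as an added Python example that is not part of the original slides: an auditor-controlled function replicates one critical calculation over live input and lists every disagreement with what the production program recorded. The choice of an invoice total as the critical function, the field names, the rounding rule and the sample records are all assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: live input the auditor extracted from the client system.
LIVE_INPUT = [
    {"invoice": "INV-1001", "qty": 10, "unit_price": "19.99", "discount_pct": "0"},
    {"invoice": "INV-1002", "qty": 3, "unit_price": "250.00", "discount_pct": "10"},
    {"invoice": "INV-1003", "qty": 7, "unit_price": "14.35", "discount_pct": "5"},
    {"invoice": "INV-1004", "qty": 1, "unit_price": "1200.00", "discount_pct": "15"},
]

# Constructed sample: totals the production program recorded for the same run.
PRODUCTION_OUTPUT = {
    "INV-1001": "199.90",
    "INV-1002": "675.00",
    "INV-1003": "95.42",   # production truncated instead of rounding
    "INV-9999": "500.00",  # output with no corresponding input record
}


def simulate_invoice_total(line):
    """Auditor-written version of the one critical function being replicated."""
    gross = Decimal(line["qty"]) * Decimal(line["unit_price"])
    net = gross * (Decimal(100) - Decimal(line["discount_pct"])) / Decimal(100)
    return net.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(live_input, production_output, tolerance=Decimal("0")):
    """Re-perform the calculation on live input and list every disagreement.

    Returns tuples of (invoice, finding, simulated amount, production amount).
    """
    exceptions = []
    seen = set()
    for line in live_input:
        invoice = line["invoice"]
        seen.add(invoice)
        simulated = simulate_invoice_total(line)
        if invoice not in production_output:
            exceptions.append(
                (invoice, "missing from production output", simulated, None)
            )
            continue
        recorded = Decimal(production_output[invoice])
        if abs(recorded - simulated) > tolerance:
            exceptions.append((invoice, "amount differs", simulated, recorded))
    # Output the real program produced that no input record accounts for.
    for invoice in sorted(set(production_output) - seen):
        exceptions.append(
            (invoice, "no matching input", None, Decimal(production_output[invoice]))
        )
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(LIVE_INPUT, PRODUCTION_OUTPUT):
        print(row)
```

Each exception is a lead for follow-up, not a conclusion: a difference can come from the production program or from the auditor's own simulation.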


Validating Computer Programs

Auditors must validate any program presented to them to thwart a clever programmer’s dishonest program

Procedures that assist in program validation are

tests of program change control

procedures to protect against unauthorized program changes

begins with an inspection of the documentation

includes program authorization forms to be filled

ensures accountability and adequate supervisory controls


Validating Computer Programs

program comparison

guards against unauthorized program tampering

performs certain control total tests of program authenticity

using a test of length

using a comparison program
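
A program comparison of the kind listed above, as an added Python example that is not part of the original slides: it runs a test of length and a line-level comparison of the production program against the auditor's authorized copy. The SHA-256 digest is an added assumption that goes beyond the slide, included because a same-length edit passes the test of length; the program text is hypothetical.

```python
import difflib
import hashlib

# Constructed sample: the authorized copy held by the auditor and two
# versions found in production. The program text is hypothetical.
AUTHORIZED = b"def net_pay(gross):\n    return round(gross * 0.80, 2)\n"
PRODUCTION_EDITED = b"def net_pay(gross):\n    return round(gross * 0.85, 2)\n"
PRODUCTION_PADDED = AUTHORIZED + b"# hotfix\n"


def control_totals(program):
    """Length in bytes plus a SHA-256 digest (the digest is an added assumption)."""
    return {
        "length": len(program),
        "sha256": hashlib.sha256(program).hexdigest(),
    }


def compare_program(authorized, production):
    """Run the test of length, the digest test and a line-level comparison."""
    auth = control_totals(authorized)
    prod = control_totals(production)
    diff = list(
        difflib.unified_diff(
            authorized.decode().splitlines(),
            production.decode().splitlines(),
            lineterm="",
            n=0,
        )
    )
    # The first two diff lines are the ---/+++ file headers; keep only the
    # added and removed program lines that follow them.
    changed = [line for line in diff[2:] if line.startswith(("+", "-"))]
    return {
        "length_ok": auth["length"] == prod["length"],
        "digest_ok": auth["sha256"] == prod["sha256"],
        "changed_lines": changed,
    }


if __name__ == "__main__":
    for name, candidate in [
        ("edited", PRODUCTION_EDITED),
        ("padded", PRODUCTION_PADDED),
        ("unchanged", AUTHORIZED),
    ]:
        print(name, compare_program(AUTHORIZED, candidate))
```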


Validating Computer Programs

Question

Which of the following is an audit technique for auditing computerized AISs?

a. Parallel simulation

b. Use of specialized control software

c. Continuous auditing

d. All of the above are techniques used to audit computerized AISs.


Review of Systems Software

Systems software includes operating system software,

utility programs,

program library software, and

access control software.


Review of Systems Software

Auditors should review systems software documentation.

Systems software

can generate incident reports, which list events that are unusual or interrupt operations

security violations (such as unauthorized access attempts), hardware failures, and software failures


Validating Users and Access Privileges

The IT auditor needs to verify that the software parameters are set appropriately

must make sure that IT staff are using them appropriately

needs to make sure that all users are valid and each has access privileges appropriate to their job

There are a variety of auditor software tools, CAATs, which can scan settings and databases and make the work more efficient
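
A small CAAT for the user and privilege checks described above, as an added Python example that is not part of the original slides: it reconciles an export of user accounts against an HR roster and a role-to-privilege matrix. The account fields, role names, privilege names, the 90-day staleness threshold and all records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data; role and privilege names are hypothetical.
HR_ROSTER = {  # employee id -> (job role, employment status)
    "E100": ("ap_clerk", "active"),
    "E101": ("payroll_admin", "active"),
    "E102": ("ap_clerk", "terminated"),
    "E103": ("ap_clerk", "active"),
}
ROLE_MATRIX = {  # job role -> privileges that role is entitled to
    "ap_clerk": {"invoice.enter", "invoice.view"},
    "payroll_admin": {"payroll.run", "payroll.view"},
}
ACCOUNTS = [  # export of the system's user table
    {"user": "jdoe", "employee": "E100", "enabled": True,
     "privileges": {"invoice.enter", "invoice.view"},
     "last_login": date(2015, 12, 1)},
    {"user": "asmith", "employee": "E101", "enabled": True,
     "privileges": {"payroll.run", "payroll.view", "invoice.approve"},
     "last_login": date(2015, 12, 10)},
    {"user": "bwong", "employee": "E102", "enabled": True,
     "privileges": {"invoice.view"}, "last_login": date(2015, 11, 30)},
    {"user": "svc_tmp", "employee": None, "enabled": True,
     "privileges": {"invoice.enter"}, "last_login": date(2015, 12, 15)},
    {"user": "rlee", "employee": "E103", "enabled": True,
     "privileges": {"invoice.view"}, "last_login": date(2015, 6, 1)},
    {"user": "tgreen", "employee": "E102", "enabled": False,
     "privileges": {"invoice.enter"}, "last_login": date(2015, 3, 2)},
]


def review_accounts(accounts, roster, role_matrix, as_of, stale_days=90):
    """Return (user, finding) pairs for accounts that need follow-up."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; out of scope here
        record = roster.get(acct["employee"])
        if record is None:
            # Not a valid user: nobody on the roster owns this account.
            findings.append((acct["user"], "no matching employee record"))
            continue
        role, status = record
        if status != "active":
            findings.append(
                (acct["user"], "enabled account for non-active employee")
            )
            continue
        # Privileges held but not granted to the employee's job role.
        excess = acct["privileges"] - role_matrix.get(role, set())
        if excess:
            findings.append(
                (acct["user"], "privileges beyond role: " + ", ".join(sorted(excess)))
            )
        if (as_of - acct["last_login"]).days > stale_days:
            findings.append(
                (acct["user"], f"no login in the last {stale_days} days")
            )
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_MATRIX, date(2015, 12, 18)):
        print(finding)
```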


Continuous Approach

Continuous auditing can be achieved by

embedded audit modules or audit hooks: application subroutines capture data for audit purposes

exception reporting: mechanisms reject certain transactions that fall outside predefined specifications

prespecified criteria in a special log called SCARF


Continuous Approach

transaction tagging: tags with a special identifier for certain transactions

snapshot technique: examination of the way transactions are processed

continuous and intermittent simulation: embedding of an audit module in a DBMS
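
How an embedded audit module and exception reporting sit inside normal processing, as an added Python example that is not part of the original slides: a posting routine rejects transactions outside its specification and its audit hook copies transactions meeting auditor-set criteria to a SCARF-style log. The Ledger class, rule names, thresholds and transactions are all assumptions constructed for illustration.

```python
from decimal import Decimal

# Auditor-specified criteria (hypothetical rule names and thresholds).
CRITERIA = [
    ("AMT-OVER-LIMIT", lambda t: t["amount"] > Decimal("10000")),
    ("AFTER-HOURS", lambda t: not 7 <= t["hour"] < 19),
    ("SELF-APPROVED", lambda t: t["entered_by"] == t["approved_by"]),
]

# Constructed sample transactions.
SAMPLE_TXNS = [
    {"id": "T1", "amount": Decimal("250.00"), "hour": 10,
     "entered_by": "alice", "approved_by": "bob"},
    {"id": "T2", "amount": Decimal("15000.00"), "hour": 11,
     "entered_by": "alice", "approved_by": "bob"},
    {"id": "T3", "amount": Decimal("900.00"), "hour": 23,
     "entered_by": "carol", "approved_by": "carol"},
    {"id": "T4", "amount": Decimal("-50.00"), "hour": 9,
     "entered_by": "dave", "approved_by": "bob"},
]


class Ledger:
    """Toy posting application with an embedded audit module."""

    def __init__(self, criteria):
        self.posted = []      # result of normal processing
        self.exceptions = []  # exception report: rejected transactions
        self.scarf = []       # audit log reviewed by the auditor
        self._criteria = criteria

    def _audit_hook(self, txn):
        """Copy the transaction to the SCARF log if any criterion matches."""
        hits = [rule for rule, matches in self._criteria if matches(txn)]
        if hits:
            # Store a copy so later changes to the live record do not alter
            # what the auditor sees.
            self.scarf.append(
                {"txn_id": txn["id"], "rules": hits, "snapshot": dict(txn)}
            )

    def post(self, txn):
        # Exception reporting: reject what falls outside the specification.
        if txn["amount"] <= 0:
            self.exceptions.append((txn["id"], "amount must be positive"))
            return False
        self._audit_hook(txn)  # runs inline with normal processing
        self.posted.append(txn)
        return True


def run_sample():
    """Post the constructed transactions and return the resulting ledger."""
    ledger = Ledger(CRITERIA)
    for txn in SAMPLE_TXNS:
        ledger.post(txn)
    return ledger


if __name__ == "__main__":
    result = run_sample()
    print("exceptions:", result.exceptions)
    for entry in result.scarf:
        print("SCARF:", entry["txn_id"], entry["rules"])
```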


Information Technology Auditing Today

Information technology auditing today involves

Information Technology Governance

Auditing for Fraud—Statement on Auditing Standards No. 99

The Sarbanes-Oxley Act of 2002

Third-Party Reliability Assurances

Information Systems Reliability Assurances


Information Technology Governance

Information Technology governance is the process of using IT resources efficiently, responsibly, and strategically.

The IT Governance Institute

is affiliated to ISACA

was created in 1998


Information Technology Governance

The objectives of IT governance are twofold:

to fulfill the organizational mission and to compete effectively

to ensure that the IT resources are managed effectively and that management controls IT related risks.


Auditing for Fraud—Statement on Auditing Standards No. 99

Earlier financial statement audits required auditors

to attest to the fairness of financial statements

not to detect fraudulent activities.

Financial statement audits now require auditors to

attest to the fairness of financial statements

detect fraudulent activities

assist a fraud investigator in many ways

where an audit trail needs to be reconstructed

when computerized records must be retrieved


Auditing for Fraud—Statement on Auditing Standards No. 99

Question

With respect to changes in IT auditing today, which of the following is not true?

a. IT governance, which ties IT to organizational strategy, is increasingly important.

b. Section 404 of the Sarbanes-Oxley Act of 2002 created an increase in demand for both IT auditors and internal auditors.

c. IT auditors are concerned only with supporting financial auditors and should not investigate fraud cases.

d. Third-party assurance seals may provide some comfort to e-business customers regarding the security of online transactions.


The Sarbanes-Oxley Act of 2002

In 2002, Congress passed the Sarbanes-Oxley Act, which

limits the services that auditors can provide to their clients,

prohibits public accounting firms from offering nonaudit services to clients at the same time they are conducting audits.

The SOX has basically four groups of compliance requirements. These are

audit committee/corporate governance requirements,

issues regarding certification, disclosure, and internal controls,

rules about financial statement reporting, and

regulations governing executive reporting and conduct.


The Sarbanes-Oxley Act of 2002

The two most important provisions of SOX for auditors are

Section 302 – requiring CFOs and CEOs to certify that their company’s financial statements are accurate and complete

Section 404 – requiring both the CEO and CFO to attest to their organization’s internal controls over financial reporting


Information Systems Reliability Assurance

Auditing electronic commerce is a specialized field because

of the skill level involved,

of the many safeguards, inherent in non-e-commerce systems, which do not exist here,

of the lack of hard-copy documents for verification, and

of an electronic transaction, which does not guarantee validity or authenticity

Auditors need to attest this type of format to provide the traditional assurance by an audit report or digital signature


Third-Party Assurance

Internet systems and web sites are a source of risk for many companies,

need specialized audits of these systems,

have created a market for third-party assurance services, which is limited to data privacy.


Third-Party Assurance

The AICPA introduced Trust Services, an assurance service.

The principles of Trust Services are security, availability, processing integrity, online privacy, and confidentiality.


Copyright

Copyright 2005 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.


Chapter 11