COMPUTERISED INFORMATION SYSTEM
NURUL AZIRAH BINTI MOHD WAZIR
Department of Accounting & Finance (DAF)

Information Technology Auditing

involves evaluating the computer's role in achieving
audit objectives and
control objectives

means proving data and information are

reliable,
confidential,
secure, and
available as needed

includes attest objectives like
safeguarding of assets and data integrity,
operational effectiveness.

The IT Audit
The IT audit function encompasses

Objectives of an Information
Systems Audit
In an IT audit, auditors should meet the following
objectives
Checking security provisions, which protect
computer equipment, programs, communications,
and data from unauthorized access, modification, or
destruction.
Program development and acquisition are performed
in accordance with management's authorization.
Program modifications have authorization and
approval from management.

Objectives of an Information
Systems Audit
Processing of transactions, files, reports, and
other computer records is accurate and
complete.
Source data that are inaccurate or improperly
authorized are identified and handled according
to prescribed managerial policies.
Computer data files are accurate, complete, and
confidential.

Effectiveness of Information
Systems Controls
An external auditor's objectives are
to evaluate the risks
to the integrity of accounting data

to make recommendations
to managers
to improve these controls.

Risk Assessment
A risk-based audit approach involves
Determining the threats facing the AIS
errors and irregularities
Identifying the control procedures
to prevent or detect the errors
and irregularities

Risk Assessment
Evaluating the control procedures within the AIS
observing system operations,
inspecting documents, records, and reports,
checking samples of system inputs and outputs,
and
tracing transactions through the system

Evaluating weaknesses
identifying control deficiencies
determining compensating controls
to make up for the deficiency

Information Systems Risk
Assessment
Information Systems Risk Assessment evaluates the
desirability of IT controls for an aspect of business risk.
disaster recovery or business continuity plan

Auditors and managers must answer each of the
following questions:
What assets or information does the company have that
unauthorized individuals would want?
What is the value of these identified assets or information?
How can unauthorized individuals obtain valuable assets or
information?
What are the chances of unauthorized individuals obtaining
valuable assets or information?

FACTORS relating to the
CONTROL ENVIRONMENT AND
CONTROL PROCEDURES that are
affected by IT.

Skills and competencies of audit staff
regarding the use of computerized systems

Lack of knowledge of audit staff may lead to
loss of audit trail

Communication and enforcement of integrity
and ethical values

Human resource policies and practices

Participation of those charged with governance
such as BOD and audit committee

The link between computerized and manual test

The Information
Technology Audit Process
Computer-assisted audit techniques
(CAATs) are used:
when controls are weak, for substantive
testing of
transactions and
account balances.

when controls are strong, for compliance
testing to ensure controls are
in place and
working as prescribed.

Types of CAATs

GAS
Programs that allow the auditor to perform
tests on computer files and databases.
The auditor is able to conduct similar
CAATs in different IT environments.
An example of a GAS program is ACL (Audit
Command Language).

GAS
For example, GAS permits an auditor to
select and prepare accounts receivable
confirmations from a variety of computer systems.
This type of software provides a high-level
computer language that allows the auditor to
easily perform various functions on a client's
computer files and databases.

ADVANTAGES/DISADVANTAGES
ADVANTAGES
Easy to use
Limited IT expertise or programming skills are
required
The time required to develop the application is
usually short

DISADVANTAGES
Involves auditing after the client has
processed the data rather than while
the data is being processed
It provides a limited ability to verify
programming logic because its
application is usually directed to
testing data files or databases
It is limited to audit procedures that
can be conducted on data available in
electronic form

CAS
Generally written by auditors for specific
audit tasks.
It is more efficient to prepare custom
programs if they will be used in future audits of
the entity.
It is also efficient if the same programme is used
on similar engagements.

CAS
An example is inventory observation.
Suppose a client maintains computerized
perpetual inventory records that are updated by the
sales and purchasing system.
Further, when the client conducts a physical inventory
count, the client will update the description in the
special computer forms created.
Later on, the auditor will find it easier to audit
inventory by checking the system provided.

DISADVANTAGES OF CAS
It is expensive to develop since it requires
specific application tools
It requires a long development time
It requires extensive modification if the entity
changes its accounting application programme

TEST DATA
The auditor uses test data for testing the application
controls in the client's computer program.
Examples of application controls are
1- Data capture controls
2- Data validation controls
3- Processing controls
4- Output controls
5- Error controls
The objective of the test data method is to ensure the
accuracy of the computer processing of transactions.

FUNCTION TEST DATA
Used in conducting audit procedures by entering
data into the entity's computer system and
comparing the results obtained with predetermined
results
Used to test the controls to gain unauthorized
entry. Any missing data can be referred to master files
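
The test data method described above, as an added example that is not part of the original slides: a deck of constructed transactions is run through a program and each actual result is compared with its predetermined result. The master file, field names, validation rules and both stand-in programs are assumptions made for illustration.

```python
# Added illustration of the test data method; every record and rule is constructed.

# Hypothetical customer master file: customer id -> credit limit.
MASTER_FILE = {"C001": 5000.00, "C002": 1200.00}

def process_sale(txn):
    """Stand-in for the client's program: applies data validation controls."""
    cust, qty, price = txn.get("customer"), txn.get("qty"), txn.get("unit_price")
    if cust is None or qty is None or price is None:
        return ("REJECT", "missing field")
    if cust not in MASTER_FILE:
        return ("REJECT", "unknown customer")
    if not isinstance(qty, int) or qty <= 0:
        return ("REJECT", "invalid quantity")
    if price <= 0:
        return ("REJECT", "invalid price")
    if qty * price > MASTER_FILE[cust]:
        return ("REJECT", "credit limit exceeded")
    return ("ACCEPT", None)

def weak_program(txn):
    """Same stand-in with the credit-limit control missing (a control deficiency)."""
    result = process_sale(txn)
    return ("ACCEPT", None) if result == ("REJECT", "credit limit exceeded") else result

# Auditor's test deck: each transaction is paired with its predetermined result.
TEST_DECK = [
    ({"customer": "C001", "qty": 10, "unit_price": 25.0}, ("ACCEPT", None)),
    ({"customer": "C999", "qty": 1, "unit_price": 25.0}, ("REJECT", "unknown customer")),
    ({"customer": "C001", "qty": -5, "unit_price": 25.0}, ("REJECT", "invalid quantity")),
    ({"customer": "C002", "qty": 100, "unit_price": 25.0}, ("REJECT", "credit limit exceeded")),
    ({"customer": "C001", "qty": 3}, ("REJECT", "missing field")),
]

def run_test_deck(program, deck):
    """Return the exceptions: cases whose actual result differs from the expected one."""
    exceptions = []
    for number, (txn, expected) in enumerate(deck, start=1):
        actual = program(txn)
        if actual != expected:
            exceptions.append({"case": number, "expected": expected, "actual": actual})
    return exceptions

if __name__ == "__main__":
    print("controls working:", run_test_deck(process_sale, TEST_DECK))
    print("control missing: ", run_test_deck(weak_program, TEST_DECK))
```

An empty exception list means every control behaved as predetermined; any entry identifies the test case where a control failed to operate.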