You are on page 1of 19

Auditing Computer-

Based Information
Systems
Learning Objectives
Describe the nature, scope, and objectives of audit
work, and identify the major steps in the audit process.
Identify the six objectives of an information system
audit, and describe how the risk-based audit approach
can be used to accomplish these objectives.
Describe the different tools and techniques auditors
use to test software programs and program logic.
Describe computer audit software, and explain how it is
used in the audit of an AIS.
Describe the nature and scope of an operational audit.
Introduction
Seattle Paper Products (SPP) is modifying its
sales department payroll system to change the
way it calculates sales commissions.
Jason Scott was assigned to use the audit
software to write a parallel simulation test
program to calculate sales commissions.
Jasons calculations were $5,000 less than
those produced by SPPs new program.
Introduction
He selected a salesperson for whom there
was a discrepancy and recalculated the
commission by hand.
The result agreed with his program.
Jason is now convinced that his program is
correct and that the error lies with the new
program.
Auditing

The process of obtaining and evaluating


evidence regarding assertions about economic
actions and events in order to determine how
well they correspond with established criteria
Major Steps in the Auditing Process
Audit planning
Why, how, when, and who
Establish scope and objectives of the audit;
identify risk
Collection of audit evidence
Evaluation of evidence
Communication of results
Risk-Based Framework
Identify fraud and errors (threats) that can occur that
threaten each objective
Identify control procedures (prevent, detect, correct the
threats)
Evaluate control procedures
Review to see if control exists and is in place
Test controls to see if they work as intended
Determine effect of control weaknesses
Compensating controls
Information Systems Audit

Using the risk-based framework for an


information systems audit allows the auditor to
review and evaluate internal controls that
protect the system to meet six objectives.
Six objectives of Information
Systems Audit
1. Protect overall system security (includes computer
equipment, programs, and data)
2. Program development and acquisition occur under
management authorization
3. Program modifications occur under management
authorization
4. Accurate and complete processing of transactions,
records, files, and reports
5. Prevent, detect, or correct inaccurate or unauthorized
source data
6. Accurate, complete, and confidential data files
1. Protect Overall System Security
Threats Controls
Limit physical access to
Theft of hardware computer equipment
Damage of hardware (accidental Use authentication and
and intentional) authorization controls
Loss, theft, unauthorized access to
Data storage and transmission
Programs
Data controls
Unauthorized modification or use Virus protection and firewalls
of programs and data files File backup and recovery
Unauthorized disclosure of procedures
confidential data Disaster recovery plan
Interruption of crucial business Preventive maintenance
activities
Insurance
2. Program Development and Acquisition Occur
under Management Authorization
Review software license
Threat Controls
agreements
Management authorization
for:
Program development
Inadvertent
Software acquisition
programming errors
Management and user
Unauthorized program
approval of programming
code
specifications
Testing and user acceptance
of new programs
Systems documentation
3. Program Development and Acquisition
Occur under Management Authorization
List program components to
Threat Controls
be modified
Management authorization
and approval for
Inadvertent modifications
programming errors User approval for
Unauthorized program modifications
code Test changes to program
System documentation of
changes
Logical access controls
4. Accurate and Complete Processing of Transactions,
Records, Files, and Reports
Failure to detect incorrect,
Threats Controls
incomplete, or
Data editing routines
unauthorized input data
Reconciliation of batch
Failure to correct errors
totals
identified from data
editing procedures Error correction
procedures
Errors in files or databases
during updating Understandable
documentation
Improper distribution of
output Competent supervision
Inaccuracies in reporting
5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threat Controls
User authorization of source
data input
Batch control totals
Log receipt, movement, and
Inaccurate source data
disposition of source data
Unauthorized source input
data
Turnaround documents
Check digit and key
verification
Data editing routines
6. Accurate, Complete, and Confidential Data Files

Threats Secure
Controlsstorage of data and
restrict physical access
Destruction of stored
data from Logical access controls
Errors Write-protection and proper file
Hardware and software labels
malfunctions Concurrent update controls
Sabotage Data encryption
Unauthorized Virus protection
modification or
Backup of data files (offsite)
disclosure of stored data
System recovery procedures
Audit Techniques Used to Test
Programs
Integrated Test Facility
Uses fictitious inputs
Snapshot Technique
Master files before and after update are stored for specially
marked transactions
System Control Audit Review File (SCARF)
Continuous monitoring and storing of transactions that meet
pre-specifications
Audit Hooks
Notify auditors of questionable transactions
Continuous and Intermittent Simulation
Similar to SCARF for DBMS
Software Tools Used to Test Program
Logic
Automated flowcharting program
Interprets source code and generates flowchart
Automated decision table program
Interprets source code and generates a decision table
Scanning routines
Searches program for specified items
Mapping programs
Identifies unexecuted code
Program tracing
Prints program steps with regular output to observe
sequence of program execution events
Computer Audit Software
Computer assisted audit software that can perform audit
tasks on a copy of a companys data. Can be used to:
Query data files and retrieve records based upon
specified criteria
Create, update, compare, download, and merge files
Summarize, sort, and filter data
Access data in different formats and convert to common
format
Select records using statistical sampling techniques
Perform analytical tests
Perform calculations and statistical tests
Operational Audits
Purpose is to evaluate effectiveness, efficiency, and goal
achievement. Although the basic audit steps are the
same, the specific activities of evidence collection are
focused toward operations such as:
Review operating policies and documentation
Confirm procedures with management and operating
personnel
Observe operating functions and activities
Examine financial and operating plans and reports
Test accuracy of operating information

You might also like