Auditing Information Technology Chapter 13  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Learning Objective Distinguish between “auditing through the computer” and “auditing with the computer.”  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Information Systems Auditing Concepts  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Structure of a Financial Statement Audit The primary objective and responsibility of the external auditor is to attest to the fairness of a firm’s financial reports The external auditor serves outsiders The internal auditor serves a firm’s management  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Structure of a Financial Statement Audit Transactions Accounting system Financial reports ● Compliance testing Interim audit Cash Bank Receivables Customers ● Confirm balances ● Substantive testing Financial statement audit  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Auditing Around the Computer Accounting system Input Processing Output In the around-the-computer approach, the processing portion is ignored  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Auditing Around the Computer Totals are accumulated for accepted and rejected records Auditors emphasize control over rejected transactions, their correction, and then resubmission The around-the-computer approach is no longer widely used  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Auditing Through the Computer Auditing through the computer may be defined as the verification of controls in a computerized system  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Control Framework in IT Environment Applications controls Computer application systems and programs Application systems development Internal controls General controls Computer service center  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Auditing With the Computer Auditing with the computer is the process of using information technology in auditing The use of information technology is no longer optional  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – General Approach to an Information Systems Audit Initial review and evaluation of the area to be audited and audit plan preparation Detailed review and evaluation of controls Compliance testing which is followed by analysis and reporting of results  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – General Approach to an Information Systems Audit The initial review phase determines the course of action the audit will take Decisions concerning specific areas to be investigated Deployment of audit labor Audit technology to be used Development of a time and/or cost budget for the audit  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – General Approach to an Information Systems Audit What is an audit program? It is a detailed list of the audit procedures to be applied on a particular audit Standardized audit programs for particular audit areas have been developed and are common in all types of auditing  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – General Approach to an Information Systems Audit In the second general phase of the audit, is detailed review and evaluation Documentation of the application area is reviewed Data concerning the operation of the system are reviewed  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – General Approach to an Information Systems Audit The third phase of the audit is testing This phase produces evidence of compliance with procedures  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Information Systems Application Audits Application controls are divided into three general areas Input Output Processing  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Application Systems Development Audits Systems development audits are directed at the activities of systems analysts and programmers Controls governing the systems development process directly affect the reliability of the application programs that are developed  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Application Systems Development Audits There are three general areas of audit concern in the systems development process Systems development standards Project management Program change control  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Systems Development Standards Systems development standards are the documentation governing the design, development, and implementation of application systems  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Project Management What is project management? It consists of project planning and project supervision  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Program Change Controls What is the objective of program change controls? It is to prevent unauthorized and potentially fraudulent changes from being introduced into previously tested and accepted programs  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Computer Service Center Audits Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the application will function Audits might be undertaken in several areas What are some examples?  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Computer Service Center Audits Environmental controls Physical security of the center Data release, reports, and computer programs Management controls  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – Computer Service Center Audits Audits of computer service center operations require a high degree of technical training and familiarity with systems operations  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – End of Chapter 13  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 13 – 49 ... alternative information systems audit technologies  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/ Hopwood 13 – Information Systems Auditing Technology Information. .. Project information may be more easily generated and analyzed  2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/ Hopwood 13 – Auditing With the Computer Standardized... Bodnar/ Hopwood 13 – Structure of a Financial Statement Audit Transactions Accounting system Financial reports ● Compliance testing Interim audit Cash Bank Receivables Customers ● Confirm balances ● Substantive