Chapter2

ConductinganInformationSystemsAudit

Introduction
It is a sobering experience to be in charge of the information systems audit of an
organization that has several hundred programmers and analysts, many computers,
and thousands of files. Obviously, all organizations are not this size. Except for the
smallest organizations,however,auditorsusuallycannotperformadetailedcheckof
all the data processing carried out within the information systems function. Instead,
they must rely on a sample of data to determine whether the objectives of
informationsystemauditingarebeingachieved.
How, then, can we perform information systems audit so that we obtain reasonable
assurance that an organization safeguards itsdataprocessingassets,maintainsdata
integrity,andachievessystemeffectivenessandefficiency?
We start by examining the nature of controls and discussing some techniques for
simplifying and providing order to the complexity encountered when making
evaluationjudgmentsoncomputerbasedinformationsystems.
Next we consider some of the basic risks auditors face, how these risks affect the
overall approach to an audit and the types of audit procedures used to assess or
controltheleveltheserisks.
We then consider the basic steps to be undertaken in the conduct of an information
systems audit. Finally, we examine a major decision auditors must make when
planning and conducting an information systems audit namely, how much do they
need to know about the internal workings of a computerbased information system
beforeaneffectiveauditcanbeconducted?

TheNatureofControls:

Information systems auditors ultimately are concerned with evaluating the

reliability or operating effectiveness of controls. It is important, therefore, that we
understandwhatismeantbyacontrol.
A control is a system that prevents, detects, or corrects unlawful events. There are
threekeyaspectstothisdefinition.
First, a control is a system. In other words, it comprises a set of interrelated
componentsthatfunctiontogethertoachievesomeoverallpurpose.
Second, the focus of controls is unlawful events. An unlawful event can arise if
unauthorized inaccurate, incomplete, redundant, ineffective or inefficient input enters
the system. F or example, a dataentry clerk might key incomplete data into the
system. An unlawful event can also arise if the system transforms the input in an
unauthorized,inaccurate,incomplete,redundant,ineffectiveorinefficientway.
Third, controls are used to prevent, detect, or correct unlawful events. Consider
someexamples:
Preventive control: Instructions are placed on a sourcedocumenttoprevent
clerks from filling it out incorrectly. Note that the control works only if the
instructions are sufficiently clear and the clerk is sufficiently well trained to
understand the instructions. Thus, both the clerk and the instructions are
components of the system that constitutes the control. The instructions by
themselvesarenotthecontrol.
2. Detective control: An input program identifies incorrect data entered into a
system via a terminal. Again, the control is a system because various parts of
theprogrammustworktogethertopinpointerrors.
1.


3.

Corrective control: A program uses special codes that enable it to correct

data corrupted because of noise on a communications line. Once more, the
control is a system because various parts of the program must work together
inconjunctionwiththeerrorcorrectingcodestorectifytheerror.

The auditor's task is to determine whether controls are in place and working to
prevent the unlawful events that might occur within a system. Auditors must be
concerned to see that at least one control exists to cover each unlawful event that
might occur. Usually,someunlawfuleventsinasystemwillnotbecoveredbecausea
costeffective control cannot be found. Even if an unlawful event is covered by a
control,however,auditorsmustevaluatewhetherthecontrolisoperatingeffectively.
DealingwithComplexity:
Conducting an information systems audit is an exercise in dealing with complexity.
Because complexityisarootcauseoftheproblemsfacedbymanyprofessionals(e.g.
engineers, architects), researchers have attempted to developguidelinesthatreduce
complexity. In the following subsections we consider two major guide lines that
underlietheapproachtakenwhenconductinganinformationsystemsaudit:
1. Given the purposes of the information systems audit, factor the system to be
evaluatedintosubsystems.
2. Determine the reliability of each subsystem and the implications of each
subsystem'slevelofreliabilityfortheoveralllevelofreliabilityinthesystem.

SubsystemF actoring:
The first step in understandingacomplexsystemisbreakingitupintosubsystems.A
subsystem is a component of a system that performs some basicfunctionneededby
the overall system to enable it to attain its fundamental objectives. Subsystems are
logical components rather than physical, components, In other words, you cannot
"touch" a subsystem. It exists only in the eye of the beholder. For example, we
cannot see the input subsystem in a computer system. Instead, we see such things
as terminals and dataentry clerks that function to get data into the system, hut
thesethingsarecomponentsoftheinputsubsystemandnotthesubsystemitself.

Second, each subsystem shouldbeinternallycohesive.Alltheactivitiesperformedby

the subsystem should be directed toward accomplishing a single function. If this
objective can be achieved, it will be easier for auditors to understand and evaluate
theactivitiescarriedoutbythesubsystem
An understanding of complex systems can only be obtained if each of their partscan
be studied relatively independently and the activities performed by each part are
clear. When we decompose a system into subsystems, therefore,weshouldevaluate
the extent of coupling and cohesion in the subsystems we choose.Ifthesubsystems
are not loosely coupled and internally cohesive, we should attempt a different
factoring. If no factoring seems to delineate subsystems that possess these
characteristics, we will have difficulty evaluating thereliabilityofthesystembecause
its activities are too convoluted. Indeed, auditors have long recognized that some
systems cannot be audited. The theory of coupling and cohesion provides the
underlyingrationaleforthisconclusionwhensuchsystemsareencountered.
AssessingSubsystemReliability:
After we have identified the lowestlevel subsystems in our level structure of
subsystems, we can evaluate the reliability of controls. Beginning with the
lowestlevel subsystems, we first attempt to identify all the different typesofevents
that might occur in these subsystems. We must bemindfulofboththelawfulevents

andtheunlawfuleventsthatcanoccur.

A basis for identifying lawful and unlawful events in management subsystems, we

focus on the major functions each subsystem performs. We consider how each
function should be undertakenandthenevaluatehowwellasubsystemcomplieswith
ournormativeviews.

To identify all the events that might arise in an application system as a result of a
transaction, we must understand how the system is likelytoprocessthetransaction.
Historically, auditors haveusedwalkthroughtechniquestoaccomplishthisobjective.
They consider a particular transaction, identify the particular components in the
system that process the transaction and then trytounderstandeachprocessingstep
that each component executes. They also consider any errors or irregularities
(unlawfulevents)thatmightoccuralongtheway.

The evaluation of reliability proceeds upwards in the level structure of a system.

Lowerlevel subsystems are components of higherlevelsystems.Whenthereliability
of a lowerlevel system hasbeenassessed,itsimpactonthenatureofandfrequency
of unlawful events in higherlevelsystemscanbeevaluated.Theevaluationproceeds
until the highestlevel system (the entire system) has been considered. For every
system at every level in the level structure, the evaluation steps are the same. The
transactions that might enter the system are first identified. The lawful and unlawful
events that can occur as a result are then considered. Finally, the reliability of the
controlsthatcovertheunlawfuleventsisassessed.
Auditors must take substantial care with evidencecollection processes and
evaluation judgments, especially as they begin to fix evaluation judgments in lower
levelsubsystemsandmovetohigherlevelsubsystemsandsystems.

StepsinInformationSystemAudit:

1. EstablishtheTermsoftheEngagement:
This will allow the auditor to set thescopeandobjectivesoftherelationshipbetween
the auditor and the organization. The engagement letter should address the
responsibility (scope, independence, deliverables), authority (right of access to
information), and accountability (auditee rights, agreed completion date) of the
auditor.

2. PreliminaryReview:
This phase of the audit allows the auditor to gather organizational information as a
basis for creating their audit plan. The preliminary review will identify an
organizations strategy and responsibilities for managing and controlling computer
applications. An auditor can provide an in depth overview of an organizations
accounting system to establish which applications are financially significant at this
phase. Obtaining general data about the company, identifying financial application
areas,andpreparinganauditplancanachievethis.

3. Obtainunderstandingofcontrolstructure:
Understanding control structure in an organization involves examining both
management controls and application controls. An internal control system should be
designed and operated to provide reasonable assurance that an organizations
objectives are being achievedinthefollowingcategories:effectivenessandefficiency
of operations, reliability of financial reporting, and compliance with applicable laws
andregulations.
To develop their understanding of internal controls, the auditor should consider

information from previous audits, the assessment of inherent risk, judgments about
materiality,andthecomplexityoftheorganizationsoperationsandsystems.
Once the auditor develops their understanding of an organizations internal controls,
they will be abletoassesstheleveloftheircontrolrisk(theriskamaterialweakness
willnotbepreventedordetectedbyinternalcontrols).

4. Assesscontrolrisk:
After obtaining satisfactory understanding of internal controls, auditor must assess
the level of control risk. Auditors assess control risk intermsofeachmajorassertion
that management should be prepared to make about material items in financial
statements

Existence
Assets,liabilitiesincludedinfinancialstatementsactuallyexist
Occurrence
Alltransactionsrepresenteventsthathaveactuallyoccurred
Completeness
Alltransitionshavebeenrecordedandpresented
Rightsandobligations Assets are rights and liabilities are obligations of the
organizationatbalancesheetdate
Valuationorallocation Asset, liabilities, equity, reserves are been recorded at correct
amount
Presentation
and All items of financial statements have been properly classified
disclosure
describedanddisclosed

After auditors obtain understanding of internal controls they must determine control
riskinrelationtoeachassertion.
1. If auditors assess controls at less than maximum level, they go to next step
andtestthecontrolstoevaluatewhethertheyareoperatingeffectively.
2. If auditors assess control risk at higher than maximum level, they willnottest
controlsatall,andcarryoutdetailedsubstantivecheckprocedures.

5. Testofcontrols:
In this step the auditors will test controls to ascertain whether they are operating
effectively or not. Auditors will carry out testing of both applicationandmanagement
controls. This phase usually begins by focusing on management controls. If testing
shows that control to expectations, management controls are not operating reliably,
there may be little point in testing application controls, in such case auditors may
qualifytheiropinionorcarryoutsubstantivetestsindetail.

6. Reassesscontrols:
After auditors have completed tests of controls,theyagainassessthecontrolrisk.In
light of test results, they might revise the anticipated control risk upward or
downward. In other words auditor may conclude thatinternalcontrolsarestrongeror
weaker than anticipated. They may also conclude that it is worthwhile to perform
moreteststofurtherreducesubstantivetesting.

7. Completionofaudit:
In the final phase of audit, Audit procedures are developed based on the auditor
understands of the organization and its environment. A substantive auditapproachis
usedwhenauditinganorganizationsinformationsystem.Onceauditprocedureshave
been performed and results have been evaluated, the auditor will issue either an
unqualifiedorqualifiedauditreportbasedontheirfindings.


Auditrisks:
We know that information systemsauditorsareconcernedwithfourobjectives:asset
safeguarding,dataintegrity,systemeffectivenessandsystemefficiency.
Both external and internal auditorsareconcernedwithwhethererrorsorirregularities
cause material Josses to an organization or material misstatements in the financial
information preparedbytheorganization.Ifyouareaninternalauditor,itislikelyyou
will also be concerned with materiallossesthathaveoccurredormightoccurthrough
ineffective or inefficient operations. External auditors, too, might be concerned when
ineffective or inefficient operations threaten to undermine the organization.
Moreover~ many external auditors report such problems as part of their professional
servicestothemanagementofanorganization.
To assess whether an organization achieves the asset safeguarding, data integrity,
system effectiveness, and system efficiency objectives, auditors collect evidence.
Because of the test nature of auditing, auditors might fail to detect real or potential
material losses or account misstatements. The risk of anauditorfailingtodetect
actual or potential material losses or account misstatements at the
conclusion of the audit is called the audit risk. Auditors choose an audit
approach and design audit procedures in an attempt to reduce this risk to a level
deemedacceptable.

As a basis for determining the level of desired audit risk,someprofessionalbodiesof

auditorshaveadoptedthefollowingauditriskmodelfortheexternalauditfunction:
DAR=IRXCRXDR
Inthismodel,DARisthedesiredauditrisk.
IR is the inherent risk, which reflects the likelihood that a material loss or account
misstatement exists in some segment of the audit before the reliability of internal
controlsisconsidered.
CR is the control risk, which reflects the likelihood that internal controls in some
segment of the audit will not prevent, detect, or correct material losses or account
misstatementsthatarise.
DR is the detection risk, which reflects that the audit procedures used in some
segmentoftheauditwillfailtodetectmateriallossesoraccountmisstatements.

To apply the model, auditors first choose their level of desired audit risk. In
addition, they assess the short and longrun consequences for their organizations if
they fail to detect real or potential material losses from ineffective or inefficient
operations.
Next auditors consider the level of inherent risk. Initially auditors consider general
factors such as the nature of the organization (e.g. Is it a high flyer?), the nature of
industry in which it operates (e.g. Is the industry subject to rapid change?), the
characteristics of management (e.g. Is management aggressive and autocratic?).
Auditors then consider the inherent risk associated with different segments of the
audit.
To assess the level of control risk associated with a segment of the audit, auditors
consider the reliability of both management & and application controls, Auditors
Management controls constitute protective layers of "onion skins" around
applications. Forces that erode asset safeguarding, data integrity, system
effectiveness and system efficiency must penetrate each layer to undermine a lower
layer. To the extent the outer layers ofcontrolsareintacttheinnerlayersofcontrols
aremorelikelytobeintact.

Next auditors calculate the level of detection risk they must attain to achieve their
desired audit risk. They then design evidence collection procedures in an attempt to
achievethislevelofdetectionrisk.
In summary, the whole point to our considering the audit risk model is that audit
efforts should be focused where they will have the highest payoffs. In most cases
auditors cannot collectevidencetotheextenttheywouldlike.Accordingly,theymust
be astute in terms of where they apply their audit proceduresandhowtheyinterpret
the evidence they collect. Throughout the audit they must continuously make
decisions on what to do next.Theirnotionsofmaterialityandauditriskguidethemin
makingthisdecision.

TypesofAuditProcedures:
When external auditors gather evidence to det6rmine whether material losses have
occurred orfinancialinformationhasbeenmateriallymisstated,theyusefivetypesof
procedures:
1.

2.

3.

4.

5.

Procedures to obtain an understanding of controls:Inquiries,inspections,

and observations call be used to gain all understanding of what controls
supposedly exist, bow well they have been designed and whether they have
beenplacedinoperation.
Tests of controls: Inquiries, inspections, observations, andreperformanceof
control procedures can he used to evaluate whether controls are operating
effectively.
Substantive tests of details of transactions: These tests are designed to
detect dollar errors or irregularities in transactions that would affect the
financial statements. For example, an external auditor might verify that
purchase and disbursement transactions are correctly recorded in journals and
ledgers.
Substantive rests of detailsofaccountbalances:Thesetestsfocusonthe
ending general ledger balances in the balance sheet andincomestatementFor
example, an external auditor might circularize a sample of customers to test
theexistenceandvaluationofthedebtorsbalance.
Analytical review procedures: These tests focus on relationships among
data items with the objective of identifying areas that require further audit
work. For example, an external auditor might examine the level of sales
revenue across time to determine whether a material fluctuation that requires
furtherinvestigationhasoccurredinthecurrentyear.

AuditingAroundorThroughtheComputer:
When auditors come to the controls testing phase of an information systems audit,
one of the major decisions they must make is whether to test controls by auditing
aroundorthroughthecomputer.Thephrases"auditingaroundthecomputer"and
"auditing through the computer" are carryovers from the past. Theyaroseduring
the period when auditors were debating how much technical knowledge was required
to audit computer systems. Some argued that little knowledge was needed because
auditors could evaluate computer systems
simply by checking their input and
output. Others contended audits could not be conducted properly unless the internal
workings of computer systems were examined and evaluated. Unfortunately, the
arguments of the former group were sometimes motivated by their lack of technical
knowledge about computers. Today we recognize that thetwoapproacheseachhave

their merits and limitations and that each mustbeconsideredcarefullyinthecontext

ofplanningandexecutingthemostcosteffectiveaudit.
AuditingAroundtheComputer:
Auditing around the computer involves arriving at anauditopinionthroughexamining
and evaluating management controls and then input and output only for application
systems. Based on the quality of an application system's input and output, auditors
infer the quality of the application system's processing. The application system's
processing is not examined directly. Instead, auditors view the computer as a black
box.
Auditors should audit around the computer when it is the most costeffective way to
undertake the audit. This circumstance often arises when an application system has
threecharacteristics.
First,thesystemissimpleandbatchoriented.
Second, often it is costeffective to audit around the computer when an application
system uses a generalized package as itssoftwareplatform.Ifthepackagehasbeen
provided by a reputablevendor,hasreceivedwidespreaduse,andappearserrorfree,
auditors might decide not to test the processing aspects of the system directly.
Instead they might seek to ensure (1) theorganizationhasnotmodifiedthepackage
in any way (2) adequate controls exist over the source code, object code and
documentation to prevent unauthorized modification of the package and (3)
highqualitycontrolsexistoverinputtoandoutputfromthepackage.
Third, auditors might audit around the computer when a high reliance is placed on
user rather than computer controls to safeguard assets, maintain data integrity and
attain effectiveness and efficiencyobjectives.Intesting,thefocusisonthereliability
ofusercontrolsratherthanthereliabilityofcomputercontrols.
Usually auditing around thecomputerisasimpleapproachtotheconductoftheaudit
and it can be performed by auditors who have little technical knowledge of
computers. The audit shouldbemanaged,however,bysomeonewhohasexpertisein
informationsystemsauditing.
The approach has two major limitations. F irst, the type of computer system in
which it is applicable is very restricted. It should not be used when systems are
complex. Otherwise, auditors might fail to understand some aspect of a system that
could have a significant effect on the audit approach. Second, it does not provide
information about the system's ability to copewithchange.Systemscanbedesigned
and programs can be written in certain ways to inhibit their degradation when user
requirementschange.
AuditingThroughtheComputer:
While auditing through the computer, the auditors use the computer to test (1) the
processing logic and controls existingwithinthesystemand(2)therecordsproduced
by the system. Depending on the complexity of the application system, the task of
auditing through the computer might be fairly simple or it might require extensive
technicalcompetenceonthepartoftheauditor.
Auditingthroughthecomputermustbeusedinthefollowingcases:
Theinherentriskassociatedwiththeapplicationsystemishigh.
The application system processes large volumes of input and produces large
volumes of output that make extensive, direct examination of the validity of
inputandoutputdifficulttoundertake.
3. Significant parts of the internal control system are embodied in the computer
system, For example, in an online banking system, a computer program might
batch transactions for individual tellers to provide control totals for
1.
2.

reconciliationattheendoftheday'sprocessing.
The processing logic embedded within the application system is complex.
Moreover, large portions of system code are intended to facilitate use of the
systemorefficientprocessing.
5. Because of costbenefit considerations, substantial gaps in the visible audit
trailarecommoninthesystem.
4.

The primary advantage of auditing through the computer is that auditors have
increased power to test anapplicationsystemeffectively.Theycanexpandtherange
and capability of tests they can perform and thus increase their confidence in the
reliability of the evidence collection and evaluation. Furthermore, by directly
examining the processing logic embedded within an application system, auditors are
better able to assess the system's ability to cope with change and the likelihood of
lossesoraccountmisstatementsarisinginthefuture.
The approach has two disadvantages. F irst, it can sometimesbecostly,especially
in terms of the labor hours that must be expended to understand the internal
workings of an application system. Second, in some cases we will need extensive
technicalexpertise,ifwearetounderstandhowthesystemworks.