AIS ch09
CHAPTER 9
Auditing Computer-based
Information Systems
Romney/Steinbart
1 of 151
INTRODUCTION
Questions to be addressed in this chapter
include:
What are the scope and objectives of audit work, and
what major steps take place in the audit process?
What are the objectives of an information systems
audit, and what is the four-step approach for meeting
those objectives?
How can a plan be designed to study and evaluate
internal controls in an AIS?
How can computer audit software be useful in the
audit of an AIS?
What is the nature and scope of an operational audit?
2008 Prentice Hall Business Publishing
This chapter focuses on the concepts and techniques
used in auditing an AIS.
Auditors are employed for a wide range of tasks and
responsibilities:
Organizations employ internal auditors to evaluate company
operations.
The GAO and state governments employ auditors to evaluate
management performance and compliance with legislative
intent.
The Defense Department employs auditors to review financial
records of defense contractors.
Publicly-held corporations hire external auditors to provide an
independent review of their financial statements.
This chapter is written primarily from the
perspective of an internal auditor.
They are directly responsible for helping management
improve organizational efficiency and effectiveness.
They assist in designing and implementing an AIS
that contributes to the entity's goals.
An overview of the
auditing process
All audits follow a similar
sequence of activities and
may be divided into four
stages:
Planning
Collecting evidence
Evaluating evidence
Communicating audit results
Audit planning
Purpose: Determine why, how, when, and
by whom the audit will be performed.
The first step in audit planning is to
establish the scope and objectives of the
audit.
An audit team with the necessary
experience and expertise is formed.
Team members become familiar with the
auditee by:
Control risk
Collection of audit
evidence
Much audit effort is
spent collecting
evidence.
Observation
Review of documentation
Discussions
Physical examination
Examine quantity and/or condition of tangible
assets, such as equipment, inventory, or cash.
Confirmation
Communicate with third parties to check the
accuracy of information such as customer
account balances.
Re-performance
Repeat a calculation to verify quantitative
information on records and reports.
Vouching
Examine supporting documents to ensure the
validity of the transaction.
Analytical review
THE NATURE OF AUDITING
Evaluation of Audit Evidence
The auditor evaluates the evidence gathered in light of the
specific audit objective and decides if it supports a
favorable or unfavorable conclusion.
If inconclusive, the auditor plans and executes additional
procedures until sufficient evidence is obtained.
Two important factors when deciding how much audit work is
necessary and in evaluating audit evidence are:
Materiality
Reasonable assurance
Reasonable assurance is somewhat of a cost-benefit notion.
It is prohibitively expensive for the auditor to seek complete
assurance that no material error exists, so he must accept
risk that the audit conclusion is incorrect.
Therefore he seeks reasonable assurance, as opposed to
absolute assurance.
Note that when inherent or control risk is high, the auditor
must obtain greater assurance to offset the greater
uncertainty and risks.
THE NATURE
OF
AUDITING
Perform a systems review to determine if
[Figure: diagram with the labels Source Data, Data Entry, Processing, Programs, Files, Output; Objective 2: Program Development and Acquisition; Objective 3: Program Modification; Objective 6: Data Files]
OBJECTIVE 2: PROGRAM
DEVELOPMENT AND ACQUISITION
Types of errors and fraud:
Two things can go wrong in program
development:
Inadvertent errors due to careless programming or
misunderstanding specifications; or
Deliberate insertion of unauthorized instructions
into the programs.
Control procedures:
The preceding problems can be controlled by
requiring:
Management and user authorization and approval
Thorough testing
Proper documentation
Audit procedures: Systems review
The auditor's role in systems development should be
limited to an independent review of system
development activities.
To maintain necessary objectivity for performing an
independent evaluation, the auditor should not be involved in
system development.
During the systems review, the auditor should gain an
understanding of development procedures by discussing
them with management, users, and IS personnel.
Should also review policies, procedures, standards, and
documentation for systems and programs.
Audit procedures: Tests of controls
To test systems development controls, auditors
should:
Compensating controls
Strong processing controls can sometimes
compensate for inadequate development
controls.
If auditors rely on compensatory processing
controls, they should obtain persuasive evidence
of compliance.
Use techniques such as independent processing of test
data to do so.
OBJECTIVE 3: PROGRAM
MODIFICATION
Types of errors and fraud
Same that can occur during program
development:
Inadvertent programming errors
Unauthorized programming code
Control procedures
When a program change is submitted for approval, a list of all
required updates should be compiled by management and
program users.
Changes should be thoroughly tested and documented.
During the change process, the developmental version of the
program must be kept separate from the production version.
When the amended program has received final approval, it
should replace the production version.
Changes should be implemented by personnel independent of
users or programmers.
Logical access controls should be employed at all times.
Audit procedures: System review
During systems review, auditors should:
Gain an understanding of the change process by discussing
it with management and user personnel.
Examine the policies, procedures, and standards for
approving, modifying, testing, and documenting the changes.
Review a complete set of final documentation materials for
recent program changes, including test procedures and
results.
Review the procedures used to restrict logical access to the
developmental version of the program.
Audit procedures: Tests of controls
An important part of these tests is to verify that program changes
were identified, listed, approved, tested, and documented.
Requires that the auditor observe how changes are implemented
to verify that:
Separate development and production programs are
maintained; and
Changes are implemented by someone independent of the
user and programming functions.
The auditor should review the development program's access
control table to verify that only those users assigned to carry out
modification had access to the system.
To test for unauthorized program changes,
auditors can use a source code comparison
program to compare the current version of the
program with the original source code.
Any unauthorized differences should result in an
investigation.
If the difference represents an authorized change,
the auditor can refer to the program change
specifications to ensure that the changes were
authorized and correctly incorporated.
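The source code comparison described above can be sketched as follows. This is an added example, not part of the original slides: the sample program, the change request id CR-001 and the helper names are constructed for illustration. Each difference between the verified copy and the production copy is matched against the approved change specifications, and anything left over is an exception to investigate.

```python
import difflib
from dataclasses import dataclass
from typing import Optional

# Constructed sample: verified copy of the source held under the auditor's control.
AUTHORIZED_SOURCE = [
    "def net_pay(gross, tax_rate):",
    "    tax = round(gross * tax_rate, 2)",
    "    return round(gross - tax, 2)",
]

# Constructed sample: the version currently running in production.
PRODUCTION_SOURCE = [
    "def net_pay(gross, tax_rate, employee_id=None):",
    "    tax = round(gross * tax_rate, 2)",
    '    if employee_id == "E-0417":',
    "        tax = 0.0",
    "    return round(gross - tax, 2)",
]

# Constructed program change specifications: the lines each approved change
# request says were added or removed (CR-001 is a made-up identifier).
APPROVED_CHANGES = {
    "CR-001": {
        "added": ["def net_pay(gross, tax_rate, employee_id=None):"],
        "removed": ["def net_pay(gross, tax_rate):"],
    },
}


@dataclass
class Difference:
    kind: str                 # "added" or "removed"
    line_no: int              # 1-based line number in the file the line belongs to
    text: str
    change_id: Optional[str]  # approved change request covering it, or None


def compare_versions(authorized, production, approved_changes):
    """List every differing line and the approved change (if any) that explains it."""
    approved = {"added": {}, "removed": {}}
    for change_id, spec in approved_changes.items():
        for kind in ("added", "removed"):
            for line in spec.get(kind, []):
                approved[kind][line.strip()] = change_id

    findings = []
    matcher = difflib.SequenceMatcher(a=authorized, b=production, autojunk=False)
    for tag, a1, a2, b1, b2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        for offset, text in enumerate(authorized[a1:a2]):
            findings.append(Difference("removed", a1 + offset + 1, text,
                                       approved["removed"].get(text.strip())))
        for offset, text in enumerate(production[b1:b2]):
            findings.append(Difference("added", b1 + offset + 1, text,
                                       approved["added"].get(text.strip())))
    return findings


def unauthorized(findings):
    """Differences that no approved change specification accounts for."""
    return [f for f in findings if f.change_id is None]


if __name__ == "__main__":
    for f in compare_versions(AUTHORIZED_SOURCE, PRODUCTION_SOURCE, APPROVED_CHANGES):
        status = f.change_id or "UNAUTHORIZED: investigate"
        print(f"{f.kind:8} line {f.line_no}: {f.text!r} [{status}]")
```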
Two additional techniques detect
unauthorized program changes:
Reprocessing
On a surprise basis, the auditor uses a verified copy of
the source code to reprocess data and compare that
output with the company's data.
Discrepancies are investigated.
Parallel simulation
Similar to reprocessing except that the auditor writes his
own program instead of using verified source code.
Can be used to test a program during the implementation
process.
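A parallel simulation can be sketched as follows. This is an added example, not part of the original slides: the payroll records, the company output and the time-and-a-half overtime rule are constructed assumptions. The auditor's own program recomputes each result from the same input and reports every record where the company's output differs, is missing, or has no source transaction.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: the input transactions the company's program processed.
TIME_RECORDS = [
    {"emp_id": "E100", "hours": "40", "rate": "20.00"},
    {"emp_id": "E101", "hours": "45", "rate": "18.50"},
    {"emp_id": "E102", "hours": "38.5", "rate": "22.00"},
    {"emp_id": "E103", "hours": "50", "rate": "15.00"},
]

# Constructed sample: gross pay per employee as reported by the company's program.
COMPANY_OUTPUT = {
    "E100": "800.00",
    "E101": "878.75",
    "E102": "897.00",   # differs from the auditor's result
    "E104": "500.00",   # paid, but no time record exists
}                        # E103 is absent from the output


def auditor_gross_pay(hours, rate):
    """Auditor's independent program (assumed specification):
    hours beyond 40 are paid at 1.5 times the hourly rate."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, Decimal(40))
    overtime = max(hours - Decimal(40), Decimal(0))
    gross = regular * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(CENT, ROUND_HALF_UP)


def parallel_simulation(inputs, company_output):
    """Return (emp_id, reason, auditor_amount, company_amount) for each discrepancy."""
    exceptions = []
    seen = set()
    for record in inputs:
        emp = record["emp_id"]
        seen.add(emp)
        expected = auditor_gross_pay(record["hours"], record["rate"])
        if emp not in company_output:
            exceptions.append((emp, "missing from company output", expected, None))
            continue
        actual = Decimal(company_output[emp]).quantize(CENT)
        if actual != expected:
            exceptions.append((emp, "amount differs", expected, actual))
    # Output rows that no input transaction supports are also exceptions.
    for emp in sorted(set(company_output) - seen):
        actual = Decimal(company_output[emp]).quantize(CENT)
        exceptions.append((emp, "no source transaction", None, actual))
    return exceptions


if __name__ == "__main__":
    for emp, reason, expected, actual in parallel_simulation(TIME_RECORDS, COMPANY_OUTPUT):
        print(f"{emp}: {reason} (auditor={expected}, company={actual})")
```

Reprocessing follows the same comparison, with the verified copy of the company's source code taking the place of `auditor_gross_pay`.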
Auditors should observe testing and implementation,
review related authorizations, and, if necessary,
perform independent tests for each major program
change.
If this step is skipped and program change controls
are subsequently deemed inadequate, it may not be
possible to rely on program outputs.
Auditors should always test programs on a surprise
basis to protect against unauthorized changes being
inserted after the examination is completed and then
removed prior to scheduled audits.
Compensating controls
If internal controls over program changes are
deficient, compensating controls are:
Source code comparison;
Reprocessing; and/or
Parallel simulation.
OBJECTIVE 4: COMPUTER
PROCESSING
Types of errors and fraud
During computer processing, the system may:
Control procedures
Audit procedures: Systems review
Review administrative documentation for processing
control standards.
Review systems documentation for data editing and
other processing controls.
Review operating documentation for completeness
and clarity.
Review copies of error listings, batch total reports,
and file change lists.
Observe computer operations and data control
functions.
Discuss processing and output controls with
operations and IS supervisory personnel.
Audit procedures: Tests of controls
Evaluate adequacy of processing control standards and
procedures.
Evaluate adequacy and completeness of data editing controls.
Verify adherence to processing control procedures by observing
computer operations and the data control function.
Verify that selected application system output is properly
distributed.
Reconcile a sample of batch totals, and follow up on
discrepancies.
Trace disposition of a sample of errors flagged by data edit
routines to ensure proper handling.
Verify processing accuracy for a sample of sensitive
transactions.
Verify processing accuracy for selected computer-generated
transactions.
Search for erroneous or unauthorized code via analysis of
program logic.
Check accuracy and completeness of processing controls using
test data.
Monitor online processing systems using concurrent audit
techniques.
Recreate selected reports to test for accuracy and
completeness.
Compensating controls
Auditors must periodically re-evaluate
processing controls to ensure their continued
reliability.
If controls are unsatisfactory, user and source data
controls may be strong enough to compensate.
If not, a material weakness exists and steps should
be taken to eliminate the control deficiencies.
The purpose of the preceding audit procedures is to gain
an understanding of the controls, evaluate their
adequacy, and observe operations for evidence that the
controls are in use.
Several specialized techniques allow the auditor to use
the computer to test processing controls:
Processing test data.
Using concurrent audit techniques.
Analyzing program logic.
Processing test data
Involves testing a program by processing a
hypothetical series of valid and invalid transactions.
The program should:
Process all the valid transactions correctly.
Identify and reject the invalid ones.
The following resources are helpful when
preparing test data:
A listing of actual transactions.
The transactions that the programmer used to test the
program.
A test data generator program, which automatically
prepares test data based on program specifications.
In a batch processing system, the company's program
and a copy of relevant files are used to process the test
data.
Results are compared with the predetermined correct output.
Discrepancies indicate processing errors or control deficiencies
that should be investigated.
Although processing test transactions is usually
effective, it has the following disadvantages:
The auditor must spend considerable time
understanding the system and preparing an adequate
set of test transactions.
Care must be taken to ensure test data do not affect
the company's files and databases.
The auditor can reverse the effects of the test transactions or
process them in a separate run, using a copy of the file or
database.
Reversal procedures may reveal the existence and
nature of the auditor's test to key personnel.
A separate run removes some of the authenticity.
Concurrent audit techniques
Millions of dollars of transactions can be processed in
an online system without leaving a satisfactory audit
trail.
In such cases, evidence gathered after data
processing is insufficient for audit purposes.
Also, because many online systems process
transactions continuously, it is difficult or impossible to
stop the system to perform audit tests.
Consequently, auditors use concurrent audit
techniques to continually monitor the system and
collect audit evidence while live data are processed
during regular operating hours.
Concurrent audit techniques use
embedded audit modules.
These are segments of program code that:
Perform audit functions;
Report test results to the auditor; and
Store collected evidence for auditor review.
Auditors commonly use five concurrent
audit techniques:
An integrated test facility (ITF) technique.
A snapshot technique.
A system control audit review file (SCARF).
Audit hooks.
Continuous and intermittent simulation (CIS).
An ITF technique places a small set of
fictitious records in the master files:
May represent a fictitious division,
department, office, customer, or supplier.
Processing test transactions to update these
dummy records will not affect actual records.
Because real and fictitious transactions are
processed together, company employees
don't know the testing is taking place.
The system must:
Distinguish ITF from actual records;
Collect information on the effects of test
transactions; and
Report the results.
In a batch processing system, the ITF technique
Eliminates the need to reverse test transactions
Is easily concealed from operating employees because test
transactions don't need to be reversed.
The snapshot technique examines the
way transactions are processed.
Selected transactions are marked with a
special code that triggers the snapshot
process.
Audit modules in the program record these
transactions and their master file records
before and after processing.
The selected data are recorded in a special
file and reviewed by the auditor to verify that
all processing steps were properly executed.
The system control audit review file (SCARF) uses
embedded audit modules to continuously monitor
transaction activity and collect data on transactions
with special audit significance.
Data recorded in a SCARF file or audit log include
transactions that:
Audit hooks are audit routines that flag
suspicious transactions.
Example: State Farm Life Insurance looking for
policyholders who change their name or address
and then subsequently withdraw funds.
When audit hooks are used, auditors can be
informed of questionable transactions as they
occur via real-time notification, which displays
a message on the auditor's terminal.
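An audit hook for the pattern in the example above (a name or address change followed by a withdrawal) can be sketched as follows. This is an added example, not part of the original slides and not any insurer's actual routine: the transaction records, field names and the 30-day window are constructed assumptions. The hook observes each transaction as it is processed, leaves it unchanged, and raises a notification when the pattern appears.

```python
from datetime import datetime, timedelta

CHANGE_EVENTS = {"NAME_CHANGE", "ADDRESS_CHANGE"}

# Constructed sample transaction stream, in processing order.
SAMPLE_TRANSACTIONS = [
    {"ts": "2024-01-05T10:00:00", "policy_id": "P-1003", "type": "NAME_CHANGE"},
    {"ts": "2024-03-01T09:15:00", "policy_id": "P-1001", "type": "ADDRESS_CHANGE"},
    {"ts": "2024-03-02T11:30:00", "policy_id": "P-1004", "type": "WITHDRAWAL", "amount": 900},
    {"ts": "2024-03-03T08:45:00", "policy_id": "P-1002", "type": "WITHDRAWAL", "amount": 250},
    {"ts": "2024-03-04T14:02:00", "policy_id": "P-1001", "type": "WITHDRAWAL", "amount": 12000},
    {"ts": "2024-03-10T16:20:00", "policy_id": "P-1004", "type": "ADDRESS_CHANGE"},
    {"ts": "2024-03-20T11:00:00", "policy_id": "P-1003", "type": "WITHDRAWAL", "amount": 4000},
]


class AuditHook:
    """Embedded audit routine: flags a withdrawal that follows a recent
    name or address change on the same policy."""

    def __init__(self, window_days=30, notify=None):
        self.window = timedelta(days=window_days)   # assumed look-back window
        self.last_change = {}                        # policy_id -> (timestamp, event type)
        self.alerts = []                             # evidence stored for auditor review
        self.notify = notify or (lambda alert: None)

    def observe(self, txn):
        """Called for every transaction; returns it unchanged so processing continues."""
        ts = datetime.fromisoformat(txn["ts"])
        policy = txn["policy_id"]
        if txn["type"] in CHANGE_EVENTS:
            self.last_change[policy] = (ts, txn["type"])
        elif txn["type"] == "WITHDRAWAL":
            prior = self.last_change.get(policy)
            if prior is not None and timedelta(0) <= ts - prior[0] <= self.window:
                alert = {
                    "policy_id": policy,
                    "change_type": prior[1],
                    "days_since_change": (ts - prior[0]).days,
                    "amount": txn.get("amount"),
                    "withdrawal_ts": txn["ts"],
                }
                self.alerts.append(alert)
                self.notify(alert)   # real-time message to the auditor
        return txn


def run_hook(transactions, window_days=30, notify=None):
    """Feed a transaction stream through the hook and return the alerts raised."""
    hook = AuditHook(window_days=window_days, notify=notify)
    for txn in transactions:
        hook.observe(txn)
    return hook.alerts


if __name__ == "__main__":
    run_hook(SAMPLE_TRANSACTIONS, notify=lambda a: print("AUDIT ALERT:", a))
```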
Continuous and intermittent simulation (CIS) embeds
an audit module in a database management system.
The module examines all transactions that update the
DBMS using criteria similar to those of SCARF.
When a transaction has audit significance, the module:
Processes the data independently (similar to parallel simulation);
Records the results; and
Compares results with those obtained by the DBMS.
Analysis of program logic
If an auditor suspects that a particular program
contains unauthorized code or serious errors, a
detailed analysis of the program logic may be
necessary.
Done only as a last resort because:
It's time-consuming
Requires programming language proficiency
The following software packages can
help:
Automated flowcharting programs
Interpret program source code and
generate a corresponding flowchart.
Automated decision table programs
Scanning routines
Mapping programs
Identify unexecuted program code.
Program tracing
[Figure: record layout. Record Name: Employee Weekly Time Report; Field Names]
Data preparation
Batch control totals
Edit programs
Physical and logical access restrictions
Error handling procedures
COMPUTER SOFTWARE
Computer audit software (CAS) or generalized audit
software (GAS) are computer programs that have been
written especially for auditors.
Two of the most popular:
Audit Control Language (ACL)
IDEA
CAS functions include:
Reformatting
Converting data into a different format or
structure to facilitate testing.
File manipulation
Sorting records or merging records from
different files.
Calculation
Data selection
Data analysis
File processing
Programming to create, update, and
download files to a personal computer.
Statistics
Stratifying file records on various criteria,
selecting statistical samples, and analyzing
statistical results.
Report generation
Formatting and printing reports and
documents.
How CAS is used:
The auditor:
The primary purpose of CAS is to assist the auditor in
reviewing and retrieving information.
When the auditor receives the CAS reports, most of the
audit work still needs to be done.
Items on exception reports must be investigated.
File totals must be verified against other sources.
Audit samples must be examined and evaluated.
SUMMARY
In this chapter, you've learned about the scope and
objectives of audit work and the major steps that take
place in the audit process.
You've also learned about the objectives of an
information systems audit and the four-step approach for
meeting those objectives.
You've learned how a plan can be designed to study and
evaluate internal controls in an AIS and how computer
audit software can be useful in the audit of an AIS.
Finally, you've learned about the nature and scope of an
operational audit.