Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Page 1 of 13
CHAPTER 11
AUDITING COMPUTER-BASED INFORMATION SYSTEMS
Instructor’s Manual
Learning Objectives:
1. Describe the scope and objectives of audit work, and identify the
major steps in the audit process.
2. Identify the objectives of an information system audit, and
4. Describe computer audit software, and explain how it is used in
the audit of an AIS.
5. Describe the nature and scope of an operational audit.
Questions to be addressed in this chapter include:
1. How could a programming error of this significance be overlooked
by experienced programmers who thoroughly reviewed and tested the
new system?
Introduction
This chapter focuses on the concepts and techniques used in
auditing an accounting information system.
Learning Objective One
Describe the scope and objectives of audit work
and identify the major steps in the audit
process.
Page 2 of 13
The Nature of Auditing
Auditing is a systematic process of objectively obtaining and
evaluating evidence regarding assertions about economic actions
and events to ascertain the degree of correspondence between
Internal Auditing Standards
1. Review the reliability and integrity of operating and
2. Determine if the systems designed to comply with operating
3. Review how assets are safeguarded and verify the existence
of assets as appropriate.
5. Review company operations and programs to determine if they
are being carried out as planned and if they are meeting
their objectives.
Types of Internal Auditing Work
Three types of audits:
1. Financial audit
An Overview of the Auditing Process
Figure 11-1 on page 305 provides an overview of the auditing
process
Four auditing stages and activities:
1. Auditing Planning
Page 3 of 13
▪ Inherent Risk. This is the susceptibility to
material risk in the absence of controls.
2. Collection of Audit Evidence
▪ Observation of the activities being audited
▪ Review of documentation to understand how a
particular accounting information system or
internal control system is supposed to
function
▪ Confirmation of the accuracy of certain
information, such as customer account
balances, through communication with
independent third parties
3. Evaluation of Audit Evidence
Materiality and reasonable assurance are important
when deciding how much audit work is necessary and
when to evaluate the evidence.
Page 4 of 13
4. Communication of Audit Results (the audit report)
The auditor prepares a written (and sometimes
oral) report summarizing the audit findings and
recommendations.
The Risk-Based Audit Approach
Logical framework for carrying out an audit:
1. Determine the threats (fraud and errors)
facing the accounting information system.
2. Identify the control procedures implemented
3. Evaluate internal control procedures.
Reviewing system documentation and
4. Evaluate weaknesses to determine their
5. Compensating controls that compensate for
the internal control weakness deficiency.
Multiple Choice 1
When auditors have recommendations in their report to management, they
use:
a. audit objectives
Multiple Choice 2
Which type of internal audits corresponds with the second and third IIA
audit standard?
a. financial audit
b. information systems audit
c. operational audit
Page 5 of 13
Multiple Choice 3
Which type of audit risk involves the chance that there will be a
material risk when the controls are absent?
a. external risk
b. inherent risk
Information Systems Audits
The purpose of an information systems audit is to review and
evaluate the internal controls that protect the system.
In conducting accounting information system audits, auditors
should determine if the following objectives are met:
1. Security provisions protect computer equipment,
2. Program development and acquisition are performed in
4. Processing of transactions, files, reports, and other
computer records is accurate and complete.
5. Source data that are inaccurate or improperly authorized
6. Computer data files are accurate, complete, and
confidential.
Figure 9-2 on page 335 depicts the relationship among these
six objectives and information systems components.
Multiple Choice 4
In performing an information systems audit, there are _____ audit
objectives.
Page 6 of 13
Objective 1: Overall Security
Table 11-1 on page 308 contains a framework for auditing
computer security; showing the following:
2. Control procedures to minimize security errors and
fraud
3. Systems review audit procedures
Objective 2: Program Development and Acquisition
Two things can go wrong in program development:
2. Unauthorized instructions deliberately inserted
into the programs
This table provides a framework for reviewing
and evaluating the program development process.
Objective 3: Program Modification
Table 11-3 on page 310 presents a framework for auditing
application programs and system software changes.
Page 7 of 13
An important part of an auditor’s tests of controls is to
verify that program changes were identified, listed,
approved, tested, and documented.
To test for unauthorized program changes, auditors can use
a source code comparison program.
Two additional techniques detect unauthorized program
changes:
Objective 4: Computer Processing
Table 11-4 on page 312 provides a framework for auditing
computer processing controls. The focus of the fourth
objective is the processing of transactions, files, and
related computer records to update files and databases and
to generate reports.
Processing Test Data
One way to test a program is to process a
hypothetical series of valid and invalid transactions
The following resources are helpful when
preparing test data:
1. A listing of actual transactions
Disadvantages of processing test transactions:
Page 8 of 13
Concurrent Audit Techniques
Millions of dollars of transactions can be processed
in an online system without leaving a satisfactory
audit trail.
Auditors normally use five concurrent audit
techniques:
1. An integrated test facility (ITF) technique
places a small set of fictitious records in
2. The snapshot technique examines the way
3. System control audit review file (SCARF) uses
4. Audit hooks are audit routines that flag
suspicious transactions.
This approach is known as real-time
notification, which displays a message on
the auditor’s terminal as these
questionable transactions occur.
Focus 11-1 on page 314 State Farm Life
Insurance Company
In the regional offices, more than 1,500
terminals and personnel computer are used
to update almost 4 million individual
policyholder records in the host computer.
The auditors were given the challenge of
identifying all the ways fraud was
possible.
To do this the auditors came up with all
the possible ways to defraud the system.
She then forged her brother’s signature and
cashed the check.
To cover up she had to repay the loan
before the annual report was sent to her
brother.
5. Continuous and intermittent simulation (CIS)
embeds an audit module in a database
management system (DBMS). The CIS module
examines all transactions that update the
database using criteria similar to those of
SCARF.
Analysis of Program Logic
If an auditor suspects that a particular application
program contains unauthorized code or serious errors,
then a detailed analysis of the program logic may be
necessary.
1. Automated flowcharting programs, which interpret
Page 10 of 13
2. Automated decision table programs, which generate a
decision table representing the program logic
3. Scanning routines, which search a program for
5. Program tracing, which sequentially prints all
application program steps executed during a program
run.
Objective 5: Source Data
Auditors use an input controls matrix, such as the one
shown in Figure 11-3 on page 315.
Objective 6: Data Files
The sixth objective concerns the accuracy, integrity, and
security of data stored in machine-readable files.
Table 9-6 on page 347 summarizes the errors, controls, and
audit procedures for this objective.
Multiple Choice 5
The compensating controls that compensate for an internal control
efficiency include(s)
a. information systems insurance
Page 11 of 13
Multiple Choice 6
The __________ audit procedure is used for the audit of __________.
a. examine system access logs; program development
b. review programming evaluation standards; overall computer
security
Multiple Choice 7
An integrated test facility technique
a. examines the way transactions are processed
b. places a small set of fictitious records in the master files
Multiple Choice 8
The audit technique used to catch the State Farm Life Insurance Company
employee fraudulently taking cash was
a. audit hooks
b. snapshot technique
c. program tracing
d. internal control testing
Computer Software
A number of computer programs, called computer audit software
(CAS) or generalized audit software (GAS), have been written
especially for auditors.
IDEA (Interactive Data Extraction and Analysis) is a Generalized
Audit Software. It is able to import a wide range of different
types of data files. During the import an IDEA file and its field
statistics are created.
The auditor’s first step is to decide on audit objectives,
learn about the files and databases to be audited, design
the audit reports, and determine how to produce them.
Multiple Choice 9
Two of the most popular audit software packages include:
a. ITF
b. ACL
c. CIS
d. SCARF
Operational Audits of an Accounting Information System
The techniques and procedures used in operational audits are
similar to audits of information systems and financial
statements.
The evidence collection, during the audit preliminary survey,
includes the following activities:
1. Reviewing operating policies and documentation
2. Confirming procedures with management and operating
Learning Objective Five
Describe the nature and scope of an operational
audit.
Page 13 of 13
4. Examining financial and operating plans and reports
6. Testing controls
Multiple Choice 10
The first step in an operational audit is
a. evaluating evidence
b. collecting evidence
c. communicating the results
d. none of the above
