Chapter 12: Information Technology Auditing
• Introduction
• The Audit Function
• The IT Auditor’s Toolkit
• Auditing the Computerized AIS
• Information Technology Auditing Today
The Audit Function
The function of an audit
• is to examine and to give assurance,
• will differ according to the subject under examination,
• can be internal or external, and
• always involves the accounting information systems.
Information technology auditing discusses
• internal auditing,
• external auditing, and
• IT auditing.
Internal Auditing
An internal audit, which preserves its objectivity,
• is carried out by company personnel reporting to
  • the Audit Committee of the Board of Directors (preferable), or
  • top management (on departmental efficiency audits)
• is external to the corporate department or division being audited
• concerns compliance with company policies and procedures
• involves an evaluation of internal controls and fraud
• tests for efficiency, effectiveness and economy
Cynthia Cooper – WorldCom internal auditor and whistleblower
External Auditing
The external audit
• is carried out by independent accountants
• has the attest function as its chief purpose: confirming the fairness of financial statements in all material respects
• has a secondary purpose: to test that internal controls are strong and can be relied on to catch errors and fraud (the stronger the controls, the smaller the audit risk, and the less work an auditor has to do)
The Attest Function
[Figure with the labels Auditor, Information, Management and Stakeholders; caption: "A raised eyebrow indicates professional skepticism"]
The IT Audit
The IT audit function encompasses
Careers in Information Systems Auditing
The demand for IT auditors is growing because of
• the increasing use of computer-based AISs,
• systems becoming more technologically complex, and
• the passing of the Sarbanes-Oxley bill.
IT auditing requires a variety of skills, combining
• accounting and
• information systems or computer science skills.
The Information Technology Auditor’s Toolkit
IT auditors need to have
• the technical skills to understand the vulnerabilities in hardware and software
• the ability to use appropriate software to do their jobs:
  • general-use software such as
    • word processing programs,
    • spreadsheet software, and
    • database management systems;
  • generalized audit software (GAS); and
  • automated workpaper software.
The Information Technology Auditor’s Toolkit
IT auditors also need people skills
• to work as a team,
• to interact with clients and other auditors, and
• to interview many people constantly for evaluation.
An IT auditor can’t just be a technical nerd!
Careers in Information Systems Auditing
Information systems auditors
• may be internal or external
• can obtain professional certification as a Certified Information Systems Auditor (CISA), which requires
  • passing the exam,
  • five years of experience (some exceptions), and
  • 40 hours of CPE per year
• can also acquire certification as a Certified Information Security Manager (CISM)
General-Use Software
Auditors use general-use software as productivity tools to improve their work, such as
• spreadsheets and
• database management systems (e.g. Access).
Auditors often use structured query language (SQL)
• to retrieve a client’s data and
• to display these data for audit purposes.
Generalized Audit Software
Generalized audit software (GAS) packages
• are specifically tailored to auditor tasks
• have been developed in-house in large firms, or are available from various software suppliers
• automate working papers and trial balances
Examples of GAS are
• Audit Command Language (ACL)
• Interactive Data Extraction and Analysis (IDEA)
• FAST! (Financial Audit Systems Technology)
Auditing Computerized AIS: Auditing Around the Computer
Auditing around the computer
• compares output with input, and assumes that accurate output verifies proper processing operations
• pays little or no attention to the control procedures within the IT environment
• is generally not an effective approach to auditing in a computerized environment
Auditing Computerized AIS: Auditing Through the Computer
Five techniques to audit a computerized AIS are
• use of test data, integrated test facility, and parallel simulation to test programs,
• use of audit techniques to validate computer programs,
• use of logs and specialized control software to review systems software,
• use of documentation and CAATs to validate user accounts and access privileges, and
• use of embedded audit modules to achieve continuous auditing.
Testing Computer Programs: Test Data (Test Deck)
The auditor’s responsibility is to
• develop test data (or a test deck, named from the days of punched cards) that tests the range of exception situations
• arrange the data in preparation for processing
• compare output with a predetermined set of answers
• investigate further if the results do not agree
Test data
• can check if program edit test controls are in place and working
• can be developed using software programs called test data generators
• but may contaminate real data with fake data
Testing Computer Programs: Integrated Test Facility
An integrated test facility (ITF)
• establishes a fictitious entity such as a department, branch, customer, or employee,
• enters transactions for that entity, and
• observes how these transactions are processed.
An ITF
• is effective in evaluating integrated online systems and complex programming logic,
• aims to audit an AIS in an operational setting, and
• may contaminate real data with fake data.
Testing Computer Programs: Parallel Simulation
In parallel simulation, the auditor
• uses live input data, rather than test data, in a separate program, which
  • is written or controlled by the auditor, and
  • simulates all or some of the operations of the real program that is actually in use.
The auditor
• needs to understand the client system,
• should possess sufficient technical knowledge, and
• should know how to predict the results.
Testing Computer Programs: Parallel Simulation
Parallel simulation
• eliminates the need to prepare a set of test data,
• can be very time-consuming and thus cost-prohibitive,
• usually involves replicating only certain critical functions of a program, and
• reduces the chance of contaminating real data with fake data.
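Added example (not from the original slides) that serves both the test deck slide and the parallel simulation slides: the auditor reimplements one critical payroll function from a hypothetical documented rule (straight time up to 40 hours, 1.5x beyond), checks a constructed client output for a test deck against predetermined answers, and then runs the same function over constructed live timecards and compares with the client's output. Record ids, rates, amounts and the client outputs are all constructed sample data.

```python
# Auditor's own reimplementation of one critical payroll function, written from
# the client's documented rule: straight time up to 40 hours, 1.5x beyond that.
def auditor_gross_pay(hours, rate):
    """Expected gross pay, or None where the input should have been rejected."""
    if hours < 0 or hours > 168 or rate <= 0:   # edit checks the client program should apply
        return None
    overtime = max(hours - 40.0, 0.0)
    return round((hours - overtime) * rate + overtime * rate * 1.5, 2)

def compare_results(client_output, expected):
    """List (record id, client figure, expected figure) wherever they disagree.
    expected holds predetermined answers (test deck) or the auditor's simulated
    results (parallel simulation); None means the record should have been rejected."""
    exceptions = []
    for record_id, expected_value in expected.items():
        client_value = client_output.get(record_id)
        if client_value is None and expected_value is None:
            continue
        if None in (client_value, expected_value) or abs(client_value - expected_value) > 0.005:
            exceptions.append((record_id, client_value, expected_value))
    return exceptions

def parallel_simulation(live_timecards, client_output):
    """Run the auditor's program over the same live input the client processed."""
    simulated = {rid: auditor_gross_pay(h, r) for rid, (h, r) in live_timecards.items()}
    return compare_results(client_output, simulated)

# 1) Test deck: constructed transactions covering normal and exception cases,
#    with the answers worked out before processing.
TEST_DECK = {"T001": (40.0, 20.0), "T002": (45.0, 20.0), "T003": (0.0, 20.0), "T004": (-5.0, 20.0)}
PREDETERMINED = {"T001": 800.0, "T002": 950.0, "T003": 0.0, "T004": None}  # None = must reject
# Constructed output as captured from the client's program run over TEST_DECK:
# T004 (negative hours) was paid rather than rejected, i.e. an edit check is missing.
CLIENT_TEST_OUTPUT = {"T001": 800.0, "T002": 950.0, "T003": 0.0, "T004": -100.0}

# 2) Parallel simulation: constructed live timecards and the client's actual output for them.
LIVE_TIMECARDS = {"E101": (38.0, 18.5), "E102": (44.0, 22.0), "E103": (40.0, 31.25), "E104": (50.0, 22.0)}
CLIENT_LIVE_OUTPUT = {"E101": 703.0, "E102": 968.0, "E103": 1250.0, "E104": 1210.0}

if __name__ == "__main__":
    print("test deck exceptions:", compare_results(CLIENT_TEST_OUTPUT, PREDETERMINED))
    print("parallel simulation exceptions:", parallel_simulation(LIVE_TIMECARDS, CLIENT_LIVE_OUTPUT))
```

The parallel simulation exception for E102 shows the client program paying the four overtime hours at straight time, the kind of defect that comparing output with input alone would not reveal.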
Validating Computer Programs
Auditors must validate any program presented to them, to thwart a clever programmer’s dishonest program.
Procedures that assist in program validation are
1. tests of program change control, which
   • begin with an inspection of the documentation
   • include program authorization forms to be filled in
   • ensure accountability and adequate supervisory controls
2. program comparison, which
   • guards against unauthorized program tampering
   • performs certain control total tests of program authenticity
     • using a test of length
     • using a comparison program
Review of Systems Software
Systems software includes
• operating system software,
• utility programs,
• program library software, and
• access control software.
Review of Systems Software
• Auditors should first review systems software documentation.
• Next, auditors should review incident reports, which list events that are unusual or interrupt operations:
  • security violations (such as unauthorized access attempts),
  • hardware failures, and
  • software failures.
Validating Users and Access Privileges
The IT auditor
• needs to verify that the software parameters are set appropriately
• must make sure that IT staff are using them appropriately
• needs to make sure that all users
  • are valid and
  • each has access privileges appropriate to their job.
There is a variety of auditor software tools that can scan settings and access logs.
Continuous Approach
Continuous auditing can be achieved by
• embedded audit modules or audit hooks
  • application subroutines capture data for audit purposes
• exception reporting
  • mechanisms reject certain transactions that fall outside preset limits
• transaction tagging
  • tags transactions with a special identifier
• snapshot technique
  • examines how transactions are processed (e.g. macro, step-by-step)
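The four mechanisms on this slide in one place, as an added Python example that is not from the original slides: an embedded audit module whose hooks the application calls at each posting step, exception reporting against a preset limit, transaction tagging, and snapshots of intermediate state for tagged transactions only. The accounts, balances, limit and transactions are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Transaction:
    tx_id: str
    account: str
    amount: float
    audit_tag: Optional[str] = None   # transaction tagging: identifier the auditor attaches
    snapshots: list = field(default_factory=list)  # snapshot technique: state at each step

class EmbeddedAuditModule:
    """Audit hooks that the application calls while processing each transaction."""
    def __init__(self, limit):
        self.limit = limit        # preset limit used for exception reporting
        self.exceptions = []      # exception report handed to the auditor
        self.trail = []           # data captured for audit purposes

    def check_limit(self, tx):
        """Exception reporting: reject a transaction that falls outside the preset limit."""
        if tx.amount > self.limit:
            self.exceptions.append((tx.tx_id, tx.amount, f"exceeds limit {self.limit}"))
            return False
        return True

    def snapshot(self, tx, step, balances):
        """Snapshot technique: record intermediate state, but only for tagged transactions."""
        self.trail.append((tx.tx_id, step))
        if tx.audit_tag is not None:
            tx.snapshots.append((step, balances.get(tx.account)))

def post_transactions(transactions, balances, audit):
    """Application posting routine with the audit module's hooks embedded in it."""
    for tx in transactions:
        audit.snapshot(tx, "received", balances)
        if not audit.check_limit(tx):
            continue                      # rejected, never posted
        balances[tx.account] = balances.get(tx.account, 0.0) + tx.amount
        audit.snapshot(tx, "posted", balances)
    return balances

def demo():
    """Constructed run: one tagged transaction, one ordinary, one over the limit."""
    audit = EmbeddedAuditModule(limit=10_000.0)
    txs = [Transaction("T1", "4100", 250.0, audit_tag="AUD-01"),
           Transaction("T2", "4100", 900.0),
           Transaction("T3", "4200", 25_000.0)]
    balances = post_transactions(txs, {"4100": 1_000.0}, audit)
    return balances, audit, txs
```

Running demo() leaves account 4100 at 2150.0, lists T3 in the exception report, and records the before and after balances only on the tagged transaction T1.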
The Sarbanes-Oxley Act of 2002
In 2002, Congress passed the Sarbanes-Oxley Act in response to the accounting scandals of Enron, WorldCom, etc. As Congress studied these frauds, it realized that one of the big problems was a weakness in internal controls.
Sen. Paul Sarbanes; Representative Mike Oxley
The Sarbanes-Oxley Act of 2002
Some important provisions of SOX for auditors are
• Section 201 – prohibits public accounting firms from offering most non-audit services to clients at the same time they are conducting audits (conflict of interest).
• Section 302 – requires CFOs and CEOs to certify that their company’s financial statements are accurate and complete.
• Section 404 – requires both the CEO and CFO to attest to their organization’s internal controls over financial reporting.
Continuous Auditing – Spreadsheet Errors: Sleuthing With Excel
Excel 2010 and 2012
• Formula Auditing: On the top menu of Excel, go to Formulas and see the Formula Auditing section. Perform the error checking function to find and correct the formula errors. You can also display Precedent and Dependent arrows to show the formula pattern among the cells.
• Data Validation: On the top menu of Excel, go to Data and then, under the Data Tools section, go to Data Validation. Use the validation tool to verify data as it is being entered. For example, highlight the pay rate range and set the data validation decimal feature to between $7.50 and $40.00. From this point on, any data entered in the pay rate range that does not fall between these two values will be flagged.
Benford’s Law
Physicist Frank Benford figured out the probability with which each digit appears as the leading digit of financial numbers. For example, the numeral 1 should occur as the first digit in any multiple-digit number about 31% of the time, while 9 should occur as the first digit only 5% of the time. As you can see below, the numbers in digits 1, 2, 5, 6 & 7 are suspicious.
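The first-digit test described above, as an added example that is not part of the original slides: it computes Benford's expected frequencies, tallies the leading digits of a constructed set of amounts (1,000 amounts that conform to Benford plus 150 constructed claims all between 5,000 and 5,999), and flags digits whose observed share deviates significantly from expectation. The sample data, the z-score threshold and the function names are the example's own assumptions.

```python
import math
from collections import Counter

def benford_expected(d):
    """Benford's Law: probability that d (1..9) is the leading digit."""
    return math.log10(1 + 1 / d)

def first_digit(value):
    """Leading significant digit of a nonzero amount, or None for zero.
    Scientific notation sidesteps leading zeros in amounts such as 0.00042."""
    if value == 0:
        return None
    return int(f"{abs(value):e}"[0])

def first_digit_frequencies(amounts):
    """Observed share of each leading digit 1..9, plus the number of amounts used."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    counts = Counter(digits)
    return {d: counts[d] / len(digits) for d in range(1, 10)}, len(digits)

def suspicious_digits(amounts, z_threshold=2.576):
    """Digits whose observed share differs from Benford's expectation by more than
    z_threshold standard errors (2.576 is the two-sided 99% level)."""
    observed, n = first_digit_frequencies(amounts)
    flagged = []
    for d in range(1, 10):
        p = benford_expected(d)
        std_err = math.sqrt(p * (1 - p) / n)
        if abs(observed[d] - p) / std_err > z_threshold:
            flagged.append(d)
    return flagged

# Constructed sample: 1,000 amounts whose leading digits follow Benford exactly
# (round(1000 * p_d) of them start with digit d) ...
CONFORMING_AMOUNTS = [d * 1000 + i
                      for d in range(1, 10)
                      for i in range(round(1000 * benford_expected(d)))]
# ... plus 150 constructed claims that all fall between 5,000 and 5,999.
INJECTED_AMOUNTS = [5000 + (i * 37) % 1000 + 0.5 for i in range(150)]
SAMPLE_AMOUNTS = CONFORMING_AMOUNTS + INJECTED_AMOUNTS

if __name__ == "__main__":
    observed, n = first_digit_frequencies(SAMPLE_AMOUNTS)
    print(f"{n} amounts analysed")
    for d in range(1, 10):
        print(f"digit {d}: expected {benford_expected(d):.1%}, observed {observed[d]:.1%}")
    print("suspicious digits:", suspicious_digits(SAMPLE_AMOUNTS))  # -> [1, 5]
```

Digit 5 is flagged because the injected claims inflate it, and digit 1 because those same claims dilute its share below the 30.1% that Benford predicts; the conforming amounts alone produce no flags.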
Third-Party Assurance
Internet systems and web sites
• are a source of risk for many companies,
• need specialized audits of these systems, and
• have created a market for third-party assurance services, which is limited to data privacy.
Third-Party Assurance
The AICPA introduced Trust Services as an assurance service. The principles of Trust Services are
• security,
• availability,
• processing integrity,
• online privacy, and
• confidentiality.