
Chapter 11

Auditing Computer-Based Information Systems


Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
Describe the scope and objectives of audit work, and identify the major steps in the audit process.
Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.
Design a plan for the study and evaluation of internal control in an AIS.
Describe computer audit software, and explain how it is used in the audit of an AIS.
Describe the nature and scope of an operational audit.
Auditing
The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria.
Types of Audits
Financial: examines the reliability and integrity of financial transactions, accounting records, and financial statements.
Information System: reviews the controls of an AIS to assess compliance with internal control policies and procedures and effectiveness in safeguarding assets.
Operational: examines the economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance: determines whether entities are complying with applicable laws, regulations, policies, and procedures.
Investigative: examines incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.
The Audit Process
Planning
Collecting Evidence
Evaluating Evidence
Communicating Audit Results
Planning the Audit
Why, when, how, whom.
Work is targeted to the area with the greatest risk:
Inherent risk: the chance of a misstatement in the absence of controls.
Control risk: the risk that a misstatement will not be caught by the internal control system.
Detection risk: the chance that a misstatement will not be caught by auditors or their procedures.
Collection of Audit Evidence
Not everything can be examined, so samples are collected.
Observation of the activities to be audited.
Review of documentation: gain an understanding of the process or control.
Discussions
Questionnaires
Physical examination
Confirmations: testing balances with external third parties.
Re-performance: recalculations to test values.
Vouching: examination of supporting documents.
Analytical review: examining relationships and trends.
Evaluation of Audit Evidence
Does the evidence support a favorable or an unfavorable conclusion?
Materiality: how significant is the impact of the evidence?
Reasonable assurance: some risk remains that the audit conclusion is incorrect.
Communication of Audit Conclusion
Written report summarizing audit findings and recommendations, addressed to:
Management
The audit committee
The board of directors
Other appropriate parties
Risk-Based Audit
Determine the threats (fraud and errors) facing the company: the accidental or intentional abuse and damage to which the system is exposed.
Identify the control procedures that prevent, detect, or correct the threats. These are all the controls that management has put into place to minimize the threats, and that auditors should review and test.
Evaluate control procedures:
A systems review: are control procedures in place?
Tests of controls: are existing controls working?
Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.
Information Systems Audit
Purpose: to review and evaluate the internal controls that protect the system.
Objectives:
1. Overall information security
2. Program development and acquisition
3. Program modification
4. Computer processing
5. Source files
6. Data files
1. Information System Threats
Accidental or intentional damage to system assets
Unauthorized access, disclosure, or modification of data and programs
Theft
Interruption of crucial business activities
2. Program Development and Acquisition
Inadvertent programming errors due to misunderstanding system specifications or careless programming
Unauthorized instructions deliberately inserted into the programs
Controls: management and user authorization and approval, thorough testing, and proper documentation
3. Program Modification
Three ways to test for unauthorized program changes:
Source Code Comparison: compares the current program against the authorized source code for any discrepancies.
Reprocessing: uses the authorized source code to re-run the program and compares the results for discrepancies.
Parallel Simulation: an auditor-created program is run and its results are compared against those of the program under audit.
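The first two techniques above, source code comparison and reprocessing, carried out on a constructed pair of program versions. This is an added example, not code from the textbook or from any audit product: the two program strings, the `compute_interest` function inside them and the test cases are all invented for the illustration, and the "production" version carries an inserted branch standing in for an unauthorized change.

```python
import difflib
import hashlib

# Constructed sample programs (illustrative strings, not code from the
# textbook). AUTHORIZED_SOURCE is the approved version held by the auditor;
# PRODUCTION_SOURCE is what is actually running, with an extra branch
# inserted that the authorized version never had.
AUTHORIZED_SOURCE = """\
def compute_interest(balance, rate):
    return round(balance * rate, 2)
"""

PRODUCTION_SOURCE = """\
def compute_interest(balance, rate):
    if balance > 1_000_000:
        rate = rate + 0.005
    return round(balance * rate, 2)
"""

# Constructed (balance, rate) inputs used for reprocessing.
CASES = [(500, 0.02), (2_000_000, 0.02)]


def fingerprint(source):
    """SHA-256 over the exact bytes: any single-character change is detected."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_sources(authorized, current):
    """Source code comparison: report whether the two versions match and,
    if not, the exact lines that were added or removed."""
    if fingerprint(authorized) == fingerprint(current):
        return {"match": True, "added": [], "removed": []}
    diff = list(difflib.unified_diff(
        authorized.splitlines(), current.splitlines(),
        fromfile="authorized", tofile="production", lineterm=""))
    added = [line[1:] for line in diff
             if line.startswith("+") and not line.startswith("+++")]
    removed = [line[1:] for line in diff
               if line.startswith("-") and not line.startswith("---")]
    return {"match": False, "added": added, "removed": removed}


def reprocess(source, cases):
    """Reprocessing: run a program version from its source on known inputs
    and return its outputs, so two versions can be compared on results."""
    namespace = {}
    exec(source, namespace)  # executes only the constructed sample above
    return [namespace["compute_interest"](balance, rate)
            for balance, rate in cases]


def reprocessing_discrepancies(authorized, current, cases):
    """Return (inputs, authorized_output, production_output) for every case
    on which the two versions disagree."""
    expected = reprocess(authorized, cases)
    actual = reprocess(current, cases)
    return [(case, e, a) for case, e, a in zip(cases, expected, actual) if e != a]


if __name__ == "__main__":
    report = compare_sources(AUTHORIZED_SOURCE, PRODUCTION_SOURCE)
    print("source match:", report["match"])
    for line in report["added"]:
        print("added line:", line)
    for case, e, a in reprocessing_discrepancies(AUTHORIZED_SOURCE, PRODUCTION_SOURCE, CASES):
        print(f"input {case}: authorized {e}, production {a}")
```

The hash check answers only "is it identical?"; the line diff tells the auditor what changed, and reprocessing shows whether the change has any effect on the outputs the business relies on. In practice the authorized copy must be kept somewhere the programmers cannot update, or the comparison proves nothing.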
4. Computer Processing
System fails to detect:
Erroneous input
Improper correction of input errors
Processing of erroneous input
Improper distribution or disclosure of output
Concurrent audit techniques: continuous system monitoring while live data are processed during regular operating hours, using embedded audit modules.
Embedded audit modules: program code segments that perform audit functions, report test results, and store the evidence collected for auditor review.
Types of Concurrent Audits
Integrated Test Facility: uses fictitious inputs.
Snapshot Technique: examines the way transactions are processed; selected transactions are marked with a special code. Snapshot data are recorded in a special file for verification by the auditor.
System Control Audit Review File (SCARF): uses embedded audit modules to monitor transactions and collect data on the transactions to be audited, which are then recorded in a SCARF file (audit log). The data recorded are data that contain a reduction in asset value. The data are handed over to the auditor periodically for investigation.
Audit Hooks: flag suspicious transactions. When audit hooks are used, the auditor can be informed about a suspicious transaction as soon as it occurs. This approach is called real-time notification.
Continuous and Intermittent Simulation: embeds an audit module in the database management system. The CIS module examines transactions that update the DBMS using the same criteria as SCARF. If a transaction has audit significance. For a DBMS.
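The embedded audit module described under Computer Processing and the concurrent techniques listed above, combined into one constructed application. This is an added example, not code from the textbook or from any audit tool: the `Ledger` class, the account names, the SCARF threshold, the fictitious ITF account and the rule that treats manual adjustments as suspicious are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Every transaction, account and threshold below is constructed for this
# illustration; none of it comes from the textbook.


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float               # negative amounts reduce asset value
    txn_type: str               # SALE, PAYMENT, WRITE_DOWN, MANUAL_ADJUSTMENT
    snapshot_tag: bool = False  # snapshot technique: selected txns carry a mark


@dataclass
class EmbeddedAuditModule:
    """Audit code segment that runs inside the application while live data
    are processed, collects evidence and notifies the auditor."""
    scarf_threshold: float = 10_000.0                   # SCARF selection criterion (constructed)
    itf_accounts: frozenset = frozenset({"ITF-TEST"})   # fictitious ITF entity (constructed)
    scarf_log: list = field(default_factory=list)       # SCARF file / audit log
    snapshots: list = field(default_factory=list)       # snapshot records
    alerts: list = field(default_factory=list)          # real-time audit hook notifications

    def on_transaction(self, txn, before, after):
        # SCARF: asset reductions at or above the threshold go to the audit log
        # for periodic auditor review.
        if txn.amount < 0 and -txn.amount >= self.scarf_threshold:
            self.scarf_log.append({"txn_id": txn.txn_id, "account": txn.account,
                                   "amount": txn.amount})
        # Snapshot technique: for tagged transactions, record the account
        # state before and after processing.
        if txn.snapshot_tag:
            self.snapshots.append({"txn_id": txn.txn_id, "before": before, "after": after})
        # Audit hook: manual adjustments count as suspicious (constructed rule)
        # and raise a real-time notification the moment they are posted.
        if txn.txn_type == "MANUAL_ADJUSTMENT":
            self.alerts.append(f"real-time notification: {txn.txn_id} manual "
                               f"adjustment of {txn.amount} on {txn.account}")


class Ledger:
    """Minimal application that posts transactions and calls the embedded module."""

    def __init__(self, audit):
        self.audit = audit
        self.balances = {}

    def post(self, txn):
        before = self.balances.get(txn.account, 0.0)
        after = before + txn.amount
        self.balances[txn.account] = after
        self.audit.on_transaction(txn, before, after)
        return after

    def total_assets(self):
        # Integrated test facility: the fictitious entity's transactions are
        # processed exactly like real ones but excluded from real totals.
        return sum(v for k, v in self.balances.items()
                   if k not in self.audit.itf_accounts)


# Constructed sample run: one write-down for SCARF, one tagged transaction for
# the snapshot file, one manual adjustment for the audit hook, one ITF input.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "ACC-100", 50_000.0, "SALE"),
    Transaction("T2", "ACC-100", -12_000.0, "WRITE_DOWN"),
    Transaction("T3", "ACC-200", -300.0, "PAYMENT", snapshot_tag=True),
    Transaction("T4", "ACC-200", 2_500.0, "MANUAL_ADJUSTMENT"),
    Transaction("T5", "ITF-TEST", 1_000.0, "SALE"),   # fictitious ITF input
]


def run_sample():
    """Post the sample transactions and return the ledger and audit module."""
    audit = EmbeddedAuditModule()
    ledger = Ledger(audit)
    for txn in SAMPLE_TRANSACTIONS:
        ledger.post(txn)
    return ledger, audit


if __name__ == "__main__":
    ledger, audit = run_sample()
    print("SCARF log:", audit.scarf_log)
    print("snapshots:", audit.snapshots)
    print("alerts:", audit.alerts)
    print("real total assets:", ledger.total_assets())
```

The point of the structure is that the audit module sits inside the processing path, so it sees every transaction as it happens rather than a later extract; the SCARF log accumulates evidence for periodic review, while the audit hook delivers its notification immediately. The ITF account shows why fictitious test data must be filtered out before any real total is reported.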
5. Source Data and 6. Data Files
Accuracy
Integrity
Security of data
Audit Software
Computer-assisted audit techniques (CAATs) refer to audit software, often called Generalized Audit Software (GAS).
Interactive Data Extraction and Analysis (IDEA)
Audit Control Language (ACL)
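The kind of work generalized audit software performs, and the "analytical review" evidence technique listed earlier, shown on a constructed accounts-payable extract. This is an added example, not code from the textbook and not a reproduction of IDEA or ACL: the CSV data, the vendor names and the four tests (duplicate payments, invoice sequence gaps, monthly totals, month-over-month change) are all invented for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed accounts-payable extract, standing in for the data a GAS tool
# would import from the client's system. Invoice 1004 is deliberately absent
# and two vendor/amount pairs deliberately repeat.
SAMPLE_CSV = """invoice_no,vendor,amount,date
1001,Acme Supplies,1200.00,2012-01-05
1002,Acme Supplies,1200.00,2012-01-05
1003,Globex,540.50,2012-01-09
1005,Initech,9800.00,2012-01-12
1006,Globex,540.50,2012-02-01
1007,Acme Supplies,1350.00,2012-02-14
"""


def load(csv_text):
    """Data extraction: parse the CSV into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"invoice_no": int(row["invoice_no"]),
                     "vendor": row["vendor"],
                     "amount": float(row["amount"]),
                     "date": row["date"]})
    return rows


def duplicate_payments(rows):
    """Same vendor and same amount more than once: candidate duplicate payments."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["amount"])].append(r["invoice_no"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def sequence_gaps(rows):
    """Invoice numbers missing from an otherwise continuous sequence."""
    numbers = sorted(r["invoice_no"] for r in rows)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def monthly_totals(rows):
    """Summarize spend per calendar month (date prefix YYYY-MM)."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["date"][:7]] += r["amount"]
    return dict(totals)


def month_over_month_change(rows):
    """Analytical review: relative change of each month's total versus the
    previous month, rounded to four decimals."""
    totals = monthly_totals(rows)
    months = sorted(totals)
    return {later: round(totals[later] / totals[earlier] - 1, 4)
            for earlier, later in zip(months, months[1:])}


if __name__ == "__main__":
    data = load(SAMPLE_CSV)
    print("duplicate payments:", duplicate_payments(data))
    print("sequence gaps:", sequence_gaps(data))
    print("monthly totals:", monthly_totals(data))
    print("month-over-month change:", month_over_month_change(data))
```

Each function is one of the standard GAS operations applied to the whole population rather than a sample, which is the main advantage of audit software over manual vouching: the duplicate and gap tests are exact, and the trend figures give the auditor the relationships an analytical review looks for.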
