1. Advanced Accounting Information Systems
Day 16
IT Auditing
September 30, 2009

2. Announcements Assignment 3 – due Friday Use query results in new query
Calculate charges per userID
Calculate total charges
Check number is $306.21
Typical of problems in ‘real world’ – i.e., more than one way to solve problem
May need to work ‘backwards’ similar to systems design
userID, from Invoiceline (monthly access, minutecharge, totalcharge), calculate (monthlyaccess, minutecharge, totalcharge), chargedifferences

3. Announcements Assignment 3 – due Friday Weekday function Taxrate
Most recent contract date
May use UNION
May need RIGHT JOIN

4. Objectives Identify differences between external and internal auditing
Understand the information technology audit process and types of careers in information technology auditing
Understand the software and people skills needed by information technology auditors
Know how to determine the effectiveness of internal controls over specific information systems
Be familiar with various techniques auditors use to evaluate computerized information systems
Understand that IT governance is not just about security
Understand how auditors can use IT to prevent and discover fraudulent activities
Know how SOX influences the role of IT auditors
Be familiar with various types of third assurance services related to IT

5. Questions for today
Problems 4-6 on page

6. Question for today
What is IT auditing?

7. Question for today
Why is IT auditing important?

8. IT Auditing
Involves evaluating the computer’s role in achieving audit and control objectives
Assurance aspect – providing assurance that data and information are reliable, confidential, secure, and available as needed
Traditional FS audit objectives
Safeguard assets and data integrity
Traditional management objectives
Operational effectiveness

9. IS/IT Auditor Accountant who specializes in auditing computerized AISs
Complements rather than repeats the coverage by financial auditors (in general)

10. Internal vs external auditing
Employer
Scope of audit
Emphasis on controls; process improvements
Both require specialized IT knowledge

11. Components of computer-based AIS
People
Procedures
Hardware
Data communications
Software
databases

12. Presence of internal controls
Directly influences scope of audit
Weak or nonexistent computer controls
Auditors need to perform more substantive testing (detailed tests of transactions and account balances)

13. Flowchart of IT audit process
Preliminary review of IS controls
Rely on IT controls
NO – audit around computer
YES
Review general and application controls
Perform compliance tests of computer controls
Perform substantive test of account balances

14. Use of CAATs Used to perform compliance tests of computer controls
Substantive tests of account balances
Used more by larger firms (see Janvrin, Bierstaker, and Lowe work)

15. Careers in IT Auditing SOX increased need for IT auditors
Skills include both accounting and information systems background
CISA
CISM
both granted by Information Systems Audit and Control Association (ISACA)

16. Evaluating the Effectiveness of Information Systems Controls
Risk-based approach
Determine threats (errors / irregularities) facing the AIS
Identify control procedures in place to reduce these threats
Evaluate control procedures within the AIS
Evaluate weaknesses (i.e. errors and irregularities note covered by control procedures) – control risks
Guidance for designing and evaluating IT controls
COBIT

17. CAATs Tools to help auditors in various audit tasks
General use software
Word processing
Spreadsheet software
DBMS
Generalized audit software
Enable auditors to review computer files without continually rewriting processing programs
See figure 11-4 on page 392
IDEA, ACL
Automated workpaper software
Similar to general ledger software because it can generate trial balances
Generate trial balances, adjusting entries, consolidations, analytical procedures

18. Testing Computer Programs
Test data
Integrated test facility
Parallel simulation

19. Validating Computer Programs
Tests of programs change controls
responsibility system of computer program development and maintenance
Program comparison
Control total tests
Review of systems software
Operating system software
Utility programs that do basic ‘housekeeping’ chores such as sorting and copying
Program library software that controls and monitors storage of programs
Access control software that controls logical access to programs and data files
Validating users and access privileges
Continuous auditing
Embedded audit modules or audit hooks (SCARF)
Exception reporting
Transaction tagging
Snapshot technique
Continuous and intermittent simulation

20. IT Auditing Today Component of IT governance
Process of using IT resources effectively to meet organizational objectives
Two objectives
Focus on use of IT strategically to fulfill the organizational mission and to compete effectively
Making sure that organization’s IT resources are managed effectively and that management controls IT related risks

21. Fraud triangle (SAS 99) Incentive / pressure Opportunity
rationalization

22. SOX Section 201 – services outside scope of practice of auditors
Section 302 – corporate responsibility for financial reports
Section 404 – management assessment of IC

23. Third party and information systems reliability assurances
Conflict of interest
CPA Webtrust
SysTrust
Trust Services
IA 404 review

24. Questions for Friday
What is the difference between general IT controls and application IT controls?
What is the difference between IT threats and IT control procedures?