2. Accounting Information Systems, 1st Edition
Auditing Information Technology-Based Processes
Accounting Information Systems, 1st Edition

3. Study Objectives An introduction to auditing IT processes
The various types of audits and auditors
Information risk and IT-enhanced internal control
Authoritative literature used in auditing
Management assertions used in the auditing process and the related audit objectives
The phases of an IT audit
The use of computers in audits
Tests of controls
Tests of transactions and tests of balances
Audit Completion/Reporting
Other audit considerations
Ethical issues related to auditing
1. On the topic, “Challenges Facing Financial Accounting,” what did the AICPA Special Committee on Financial Reporting suggest should be included in future financial statements?
Non-financial Measurements (customer satisfaction indexes, backlog information, and reject rates on goods purchases).
Forward-looking Information
Soft Assets (a company’s know-how, market dominance, marketing setup, well-trained employees, and brand image).
Timeliness (no real time financial information)

4. Introduction to Auditing IT Processes
Accounting services that improve the quality of information are called assurance services.
An audit is the most common type of assurance service.
SO 1 An introduction to auditing IT processes

5. Types of Audits and Auditors
Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information.
Three primary types of audits include
compliance audits,
operational audits, and
financial statement audits.
SO 2 The various types of audits and auditors

6. Types of Audits and Auditors
Audits are typically conducted by accountants.
Certified public accountants (CPAs)
Internal auditor
IT auditors
Government auditors
SO 2 The various types of audits and auditors

7. Types of Audits and Auditors
IT environment plays a key role in how auditors conduct their work in the following areas:
Consideration of risk
Audit procedures used to obtain knowledge of accounting and internal control systems
Design and performance of audit tests
SO 2 The various types of audits and auditors

8. Types of Audits and Auditors
Concept Check
Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?
a. Financial statement audits
b. Operational audits
c. Regulatory audits
d. Compliance audits
SO 2 The various types of audits and auditors

9. Types of Audits and Auditors
Concept Check
Financial statement audits are required to be performed by
a. government auditors.
b. CPAs.
c. internal auditors.
d. IT auditors.
SO 2 The various types of audits and auditors

10. Risk and IT-Enhanced Internal Control
Information risk is the chance that information used by decision makers may be inaccurate.
Following are some causes of information risk:
Remoteness of information
Volume and complexity of underlying data
Motive of the preparer
SO 3 Information risk and IT-enhanced internal control

11. Authoritative Literature Used in Auditing
Sources of authoritative literature
Generally accepted auditing standards (GAAS)
Public Company Accounting Oversight Board (PCAOB)
Auditing Standards Board (ASB)
International Audit Practices Committee (IAPC)
Information Systems Audit and Control Association (ISACA).
SO 4 Authoritative literature used in auditing

12. Authoritative Literature Used in Auditing
Concept Check
Which of the following is not a part of generally accepted auditing standards?
a. general standards
b. standards of fieldwork
c. standards of information systems
d. standards of reporting
SO 4 Authoritative literature used in auditing

13. Authoritative Literature Used in Auditing
Concept Check
Which of the following best describes what is meant by the term “generally accepted auditing standards”?
a. Procedures used to gather evidence to support the accuracy of a client’s financial statements
b. Measures of the quality of an auditor’s conduct
c. Professional pronouncements issued by the Auditing Standards Board
d. Rules acknowledged by the accounting profession because of their widespread application
SO 4 Authoritative literature used in auditing

14. Authoritative Literature Used in Auditing
Concept Check
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to
a. document the auditor’s understanding of the client company’s internal controls.
b. search for weaknesses in the operation of the client company’s internal controls.
c. perform tests of controls to evaluate the effectiveness of the client company’s internal controls.
d. determine whether controls are appropriately designed to prevent or detect material misstatements.
SO 4 Authoritative literature used in auditing

15. Management Assertions and Audit Objectives
Responsibility for the preparation of financial statements lies with management
Management assertions are claims regarding the financial condition and results of operations.
Existence/occurrence
Valuation and Allocation
Accuracy, Classification, Cutoff
Completeness
Rights and Obligations
Presentation and Disclosure
Audit tests developed for an audit client are documented in an audit program.
SO 5 Management assertions used in the auditing process and the related audit objectives

16. Management Assertions and Audit Objectives
Concept Check
Auditors should design a written audit program so that
a. all material transactions will be included in substantive testing.
b. substantive testing performed prior to year end will be minimized.
c. the procedures will achieve specific audit objectives related to specific management assertions.
d. each account balance will be tested under either a substantive test or a test of controls.
SO 5 Management assertions used in the auditing process and the related audit objectives

17. Management Assertions and Audit Objectives
Concept Check
Which of the following audit objectives relates to the management assertion of existence?
a. A transaction is recorded in the proper period.
b. A transaction actually occurred (i.e., it is real).
c. A transaction is properly presented in the financial statements.
d. A transaction is supported by detailed evidence.
SO 5 Management assertions used in the auditing process and the related audit objectives

18. Phases of an IT Audit There are four primary phases to an IT audit:
planning,
tests of controls,
substantive tests, and
audit completion/reporting.
SO 6 The phases of an IT audit

19. Phases of an IT Audit SO 6 The phases of an IT audit Exhibit 7-4
Process Map of Phases of an Audit
SO 6 The phases of an IT audit

20. Phases of an IT Audit
Audit evidence is proof of the fairness of financial information. Techniques for gathering evidence:
physically examining or inspecting assets or supporting documentation
obtaining written confirmations
rechecking or recalculating information
observing the underlying activities
making inquiries of client personnel
analyzing financial relationships and comparisons
SO 6 The phases of an IT audit

21. Phases of an IT Audit Audit Planning
Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives.
SO 6 The phases of an IT audit

22. Phases of an IT Audit Audit Planning SO 6 The phases of an IT audit
Exhibit 7-5
Audit Planning Phase Process Map
SO 6 The phases of an IT audit

23. Concept Check Phases of an IT Audit
Risk assessment is a process designed to
a. identify possible events that may effect the business.
b. establish policies and procedures to carry out internal controls.
c. identify and capture information in a timely manner.
d. test the internal controls throughout the year.
SO 6 The phases of an IT audit

24. Concept Check Phases of an IT Audit
Which of the following audit procedures is most likely to be performed during the planning phase of the audit?
a. Obtain an understanding of the client’s risk assessment process.
b. Identify specific internal control activities that are designed to prevent fraud.
c. Evaluate the reasonableness of the client’s accounting estimates.
d. Test the timely cutoff of cash payments and collections.
SO 6 The phases of an IT audit

25. Use of Computers in Audits
Auditing around the computer
Auditing through the computer
Auditing with the computer
Computer-assisted audit techniques (CAATs)
SO 7 The use of computers in audits

26. Use of Computers in Audits
Concept Check
Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?
a. The time involved in testing processing controls is significant.
b. The cost involved in testing processing controls is significant.
c. A portion of the audit trail is not tested.
d. The technical expertise required to test processing controls is extensive.
SO 7 The use of computers in audits

27. Tests of Controls
Exhibit 7-6
Control Testing Phase Process Map
Tests of controls involve audit procedures designed to evaluate both general controls and application controls.
SO 8 Test of controls

28. Tests of Controls General Controls
Two broad categories of general controls that relate to IT systems:
IT administration and related operating systems development and maintenance processes
Security controls and related access issues
SO 8 Test of controls

29. Tests of Controls General Controls IT Administration
Audit tests include review for the existence and communication of company policies regarding:
personal accountability and segregation of incompatible responsibilities
job descriptions and clear lines of authority
computer security and virus protection
IT systems documentation
SO 8 Test of controls

30. Tests of Controls General Controls Security Controls
To test external access controls, auditors may perform:
Authenticity tests.
Penetration tests
Vulnerability assessments
Review access logs to identify unauthorized users or failed access attempts
SO 8 Test of controls

31. Tests of Controls Application Controls
Computerized controls over application programs.
Auditors should test
Systems documentation
Main functions of the computer applications
input,
processing, and
output.
SO 8 Test of controls

32. Tests of Controls Application Controls Input Controls Financial totals
Hash totals
Completeness or redundancy tests
Limit tests
Validation checks
Field checks
SO 8 Test of controls

33. Tests of Controls Application Controls
Processing Controls, techniques for testing
Test data method
Program tracing
Integrated test facility
Parallel simulation
Embedded audit modules
SO 8 Test of controls

34. Tests of Controls Application Controls Output Controls
Reasonableness tests
Audit trail tests
Rounding errors tests
SO 8 Test of controls

35. Concept Check Tests of Controls
The primary objective of compliance testing in a financial statement audit is to determine whether
a. procedures have been updated regularly.
b. financial statement amounts are accurately stated.
c. internal controls are functioning as designed.
d. collusion is taking place.
SO 8 Test of controls

36. Concept Check Tests of Controls
Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system?
a. Test data method
b. Embedded audit module
c. Integrated test facility
d. Parallel simulation
SO 8 Test of controls

37. Concept Check Tests of Controls
Which of the following is a general control to test for external access to a client’s computerized systems?
a. Penetration tests
b. Hash totals
c. Field checks
d. Program tracing
SO 8 Test of controls

38. Tests of Transactions and Balances
Substantive Testing - tests of accuracy of monetary amounts of transactions and account balances.
Computerized auditing tools make it possible for more efficient audit tests such as:
mathematical and statistical calculations
data queries
identification of missing items in a sequence
stratification and comparison of data items
selection of items of interest from the data files
summarization of testing results into a useful format for decision making
SO 9 Test of transactions and tests of balances

39. Tests of Transactions and Balances
Exhibit 7-9
Substantive Testing Phase Process Map
SO 9 Test of transactions and tests of balances

40. Tests of Transactions and Balances
Concept Check
Generalized audit software can be used to
a. examine the consistency of data maintained on computer files.
b. perform audit tests of multiple computer files concurrently.
c. verify the processing logic of operating system software.
d. process test data against master files that contain both real and fictitious data.
SO 9 Test of transactions and tests of balances

41. Audit Completion/Reporting
Four basic types of reports:
Unqualified opinion
Qualified opinion
Adverse opinion
Disclaimer
The most important task is obtaining a letter of representations from client management.
SO 10 Audit Completion/Reporting

42. Audit Completion/Reporting
Exhibit 7-10
Audit Completion/Reporting Phase Process Map
SO 10 Audit Completion/Reporting

43. Other Audit Considerations
Different IT Environments
Using PCs, companies may use IT environments that involve
networks,
database management systems, and/or
e-commerce systems.
SO 11 Other audit considerations

44. Other Audit Considerations
Changes in a Client’s IT Environment
Auditors must consider whether additional audit testing is needed.
Specific audit tests include verification of:
Assessment of user needs
Authorization for new projects and program changes
Adequate feasibility study and cost–benefit analysis
Proper design documentation
Proper user instructions
Adequate testing before system is put into use
SO 11 Other audit considerations

45. Other Audit Considerations
Sampling
Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results.
SO 11 Other audit considerations

46. Other Audit Considerations
Concept Check
Independent auditors are generally actively involved in each of the following tasks except:
a. Preparation of a client’s financial statements and accompanying notes
b. Advising client management as to the applicability of a new accounting standard
c. Proposing adjustments to a client’s financial statements
d. Advising client management about the presentation of the financial statements
SO 11 Other audit considerations

47. Other Audit Considerations
Concept Check
Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?
a. Due professional care
b. Competence
c. Independence
d. A complex underlying body of professional knowledge
SO 11 Other audit considerations

48. Other Audit Considerations
Concept Check
Which of the following terms is not associated with the auditor’s requirement to maintain independence?
a. Objectivity
b. Neutrality
c. Professional skepticism
d. Competence
SO 11 Other audit considerations

49. Ethical Issues Related to Auditing
AICPA Code of Professional Conduct
Six principles of the code:
Responsibilities.
The Public Interest.
Integrity.
Objectivity and Independence. CPAs
Due Care
Scope and Nature of Services
Auditors must practice professional skepticism
SO 12 Ethical issues related to auditing

50. Copyright
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

51. Overview of ERP Systems
Concept Check
Manufacturing companies implement ERP systems for the primary purpose of
a. Increasing productivity.
b. Reducing inventory quantities.
c. Sharing information.
d. Reducing investments.
SO 1 The overview of an ERP system