INFORMATION TECHNOLOGY AUDITING
THE AUDIT FUNCTION
To audit is to examine and assure. The nature of auditing differs according to the subject under examination.
This section discusses internal, external, and IT auditing.
Internal versus External Auditing
An internal audit involves the evaluation of (1) employee compliance with organizational policies and procedures,
(2) effectiveness of operations, (3) compliance with external laws and regulations, (4) reliability of financial reports,
and (5) internal controls. It is relatively broad in scope, including activities such as auditing for fraud and ensuring
that employees are not copying software programs illegally. Internal auditors can provide assurance to a company's
top management and the board of directors about the efficiency and effectiveness of almost any aspect of its
organization.
In contrast to the broad perspective of internal auditors, the chief purpose of an external audit is the attest
function, that is, giving an opinion on the accuracy and fairness of financial statements. This fairness evaluation is
conducted in the context of generally accepted accounting principles (GAAP) and requires application of generally
accepted auditing standards (GAAS). In the past few years, the external auditor's role has expanded with respect to
auditing for fraud. Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement
Audit, requires auditors working for public accounting firms to undertake a number of specific actions to ensure that
an organization's financial statements are free of erroneous or fraudulent material misstatement. Similarly, AS5
emphasizes the importance of evaluating controls designed to prevent fraud.
Information Technology Auditing
IT auditing involves evaluating IT's role in achieving audit and control objectives. The assurance aspect of IT
auditing involves ensuring that data and information are reliable, confidential, secure, and available as needed.
Traditional financial audit objectives are also present in information technology auditing. These include attest
objectives such as the safeguarding of assets and data integrity, and management objectives such as operational
effectiveness.
Typically, an auditor will find enough computer-based controls in place to warrant further examination. In this
situation, an auditor will want to make a more detailed analysis of both general and application controls (discussed
in Chapter 10). After examining these controls in some detail, the auditors will perform compliance testing to
ensure that the controls are in place and working as prescribed. This may entail using some computer-assisted
audit techniques (CAATs) to audit the computerized AIS. These involve the use of computer processes or controls
to perform audit functions, such as sorting data to detect duplicate accounts payable invoice numbers. Finally, the
auditor will need to substantively test some account balances.
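The duplicate-invoice CAAT mentioned above, as an added example that is not part of the original notes. It goes one step beyond exact matching by normalizing invoice numbers before sorting; the record layout, vendor names and voucher numbers are constructed for illustration.

```python
import re
from itertools import groupby

def normalize(invoice_no):
    """Comparison key: upper-case, alphanumerics only, leading zeros of the number dropped."""
    key = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", key)

def duplicate_invoices(ap_records):
    """Sort by (vendor, normalized invoice number) and return the groups holding more than one voucher."""
    keyfn = lambda r: (r["vendor"], normalize(r["invoice_no"]))
    findings = []
    for key, group in groupby(sorted(ap_records, key=keyfn), key=keyfn):
        vouchers = [r["voucher"] for r in group]
        if len(vouchers) > 1:
            findings.append((key, vouchers))
    return findings

# Constructed accounts payable extract (hypothetical layout, not real data).
AP_FILE = [
    {"voucher": "V001", "vendor": "ACME",   "invoice_no": "INV-00123"},
    {"voucher": "V002", "vendor": "ACME",   "invoice_no": "inv 123"},
    {"voucher": "V003", "vendor": "ACME",   "invoice_no": "INV-124"},
    {"voucher": "V004", "vendor": "GLOBEX", "invoice_no": "INV-00123"},  # same number, other vendor
    {"voucher": "V005", "vendor": "GLOBEX", "invoice_no": "7781"},
    {"voucher": "V006", "vendor": "GLOBEX", "invoice_no": "07781"},
]

if __name__ == "__main__":
    for (vendor, invoice), vouchers in duplicate_invoices(AP_FILE):
        print(vendor, invoice, vouchers)
```

Each finding is a lead for follow-up against the source documents, since a re-keyed invoice number and a genuinely separate invoice can normalize to the same key.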
THE INFORMATION TECHNOLOGY AUDITOR'S TOOLKIT
Auditing Software
Auditors can use a variety of software when auditing with the computer. Examples include general-use
software (such as word processing programs, spreadsheet software, and database management systems). Other
software that we discuss, such as generalized audit software (GAS) and automated workpaper software, are more
specifically oriented toward auditor tasks.
JB EMANUEL DE GUZMAN, CPA 1
General-Use Software. Auditors employ general-use software as productivity tools that can improve their work.
For instance, word processing programs improve effectiveness when writing reports because built-in spell checks
can significantly reduce spelling errors.
Generalized Audit Software. Generalized audit software (GAS) packages enable auditors to review computer files
without continually rewriting processing programs. Large CPA firms have developed some of these packages
in-house, and many other programs are available from various software suppliers. GAS packages are available to run
on microcomputers, minicomputers, or mainframes. GAS programs are capable of the basic data manipulation tasks
that spreadsheet or DBMS software might also perform. These include mathematical computations, cross-footing,
categorizing, summarizing, merging files, sorting records, statistical sampling, and printing reports. One advantage
GAS packages have over other software is that these programs are specifically tailored to audit tasks. Auditors can
use GAS programs in a variety of ways in specific application areas, such as accounts receivable, inventory, and
accounts payable.
Automated Workpapers. Automated workpapers allow internal and external auditors to automate and
standardize specific audit tests and audit documentation. Some of the capabilities of automated workpapers are to
(1) generate trial balances, (2) make adjusting entries, (3) perform consolidations, (4) conduct analytical
procedures, and (5) document audit procedures and conclusions.
AUDITING COMPUTERIZED ACCOUNTING INFORMATION SYSTEMS
When computers were first used for accounting data processing functions, the typical auditor knew very
little about automated data processing. The basic auditing approach, therefore, was to follow the audit trail up to
the point at which accounting data entered the computer and to pick these data up again when they reappeared in
processed form as computer output. This is called auditing around the computer.
When auditing a computerized AIS, an auditor should follow the audit trail through the internal computer
operations phase of automated data processing. This approach, auditing through the computer, attempts to verify
that the processing controls involved in the AIS programs are functioning properly.
Testing Computer Programs
In testing computer programs, the objective is to ensure that the programs accomplish their goals, and that
the data are input and processed accurately. Three techniques that auditors may employ to test computer programs
are (1) test data, (2) integrated test facilities, and (3) parallel simulation.
Test Data. It is the auditor's responsibility to develop a set of transactions that tests, as completely as possible, the
range of exception situations that might occur. Conventionally, these transactions are called test data. Possible
exception situations for a payroll application, for example, include out-of-sequence payroll checks, duplicate timecards, negative hours
worked, invalid employee numbers, invalid dates, invalid pay rates, invalid deduction codes, and use of alphabetic
data in numeric codes.
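An added example, not part of the original notes: a constructed test deck with one clean record and one record for each payroll exception listed above, run against a program's input edits and compared with the auditor's predetermined results. `edit_checks` is a stand-in for the client's edit routine; the employee numbers, deduction codes, rate ceiling and error codes are assumptions.

```python
from datetime import date

VALID_EMPLOYEES = {"1001", "1002"}          # assumed employee master file
VALID_DEDUCTIONS = {"TAX", "SSS", "HMO"}    # assumed deduction codes
MAX_RATE = 500.0                            # assumed pay-rate ceiling

def edit_checks(batch):
    """Stand-in for the client program's input edits; returns {record id: [error codes]}."""
    results, seen_cards, last_check = {}, set(), 0
    for rid, emp, period_end, hours, rate, deduction, check_no in batch:
        errs = results[rid] = []
        if not emp.isdigit():
            errs.append("ALPHA_IN_NUMERIC")
        elif emp not in VALID_EMPLOYEES:
            errs.append("INVALID_EMPLOYEE")
        try:
            date.fromisoformat(period_end)
        except ValueError:
            errs.append("INVALID_DATE")
        if hours < 0:
            errs.append("NEGATIVE_HOURS")
        if not 0 < rate <= MAX_RATE:
            errs.append("INVALID_RATE")
        if deduction not in VALID_DEDUCTIONS:
            errs.append("INVALID_DEDUCTION")
        if (emp, period_end) in seen_cards:
            errs.append("DUPLICATE_TIMECARD")
        seen_cards.add((emp, period_end))
        if check_no <= last_check:
            errs.append("CHECK_OUT_OF_SEQUENCE")
        last_check = max(last_check, check_no)
    return results

# Constructed test deck; the last field of each row is the auditor's predetermined result.
TEST_DECK = [
    ("T01", "1001", "2024-01-15", 40.0, 20.0, "TAX", 101, []),
    ("T02", "1002", "2024-01-15", -8.0, 20.0, "TAX", 102, ["NEGATIVE_HOURS"]),
    ("T03", "9999", "2024-01-15", 40.0, 20.0, "TAX", 103, ["INVALID_EMPLOYEE"]),
    ("T04", "10A1", "2024-01-15", 40.0, 20.0, "TAX", 104, ["ALPHA_IN_NUMERIC"]),
    ("T05", "1001", "2024-02-30", 40.0, 20.0, "TAX", 105, ["INVALID_DATE"]),
    ("T06", "1001", "2024-01-31", 40.0, 0.0, "TAX", 106, ["INVALID_RATE"]),
    ("T07", "1002", "2024-01-31", 40.0, 20.0, "ZZZ", 107, ["INVALID_DEDUCTION"]),
    ("T08", "1001", "2024-01-15", 40.0, 20.0, "TAX", 108, ["DUPLICATE_TIMECARD"]),
    ("T09", "1002", "2024-02-15", 40.0, 20.0, "TAX", 105, ["CHECK_OUT_OF_SEQUENCE"]),
]

def run_test_deck(program, deck):  # returns {id: actual result} for every record that deviates
    actual = program([row[:-1] for row in deck])
    return {row[0]: actual[row[0]] for row in deck if actual[row[0]] != row[-1]}
```

An empty result from `run_test_deck(edit_checks, TEST_DECK)` means every exception was handled as predicted; any entry names a test record the program accepted or rejected differently from the auditor's expectation.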
Integrated Test Facility. Although test data work well in validating an application's input controls, they are not as
effective for evaluating integrated online systems or complex programming logic. In these situations, it may be
better to use a more comprehensive test technique such as an integrated test facility (ITF). The purpose of an ITF is
to audit an AIS in an operational setting. This involves (1) establishing a fictitious entity such as a department,
branch, customer, or employee; (2) entering transactions for that entity; and (3) observing how these transactions
are processed.
Parallel Simulation. With parallel simulation, the auditor creates a second system that duplicates a portion of the
client's system. The auditor's system runs at the same time as the client's system, and the auditor processes live
data, rather than test data. The auditor can compare the processing and outputs from their own system to the
client's system. Differences between the processing and outputs of the client system, relative to the auditor's
duplicate (or parallel) system, indicate problems with the client's system.
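Parallel simulation in miniature, as an added example that is not part of the original notes: the auditor's own gross-pay routine reprocesses the live input and the results are compared with the client's output. The pay rule (1.5 times the rate beyond 40 hours), the record layouts and all figures are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def auditor_gross_pay(hours, rate):
    """Auditor's independent version of the assumed rule: 1.5x the rate beyond 40 hours."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, Decimal(40)) * rate
    overtime = max(hours - Decimal(40), Decimal(0)) * rate * Decimal("1.5")
    return (regular + overtime).quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(live_input, client_output, tolerance=Decimal("0.00")):
    """Reprocess the live input and list every difference from the client's output."""
    findings = []
    for emp, (hours, rate) in sorted(live_input.items()):
        expected = auditor_gross_pay(hours, rate)
        if emp not in client_output:
            findings.append((emp, "MISSING_IN_CLIENT_OUTPUT", expected, None))
            continue
        reported = Decimal(client_output[emp])
        if abs(reported - expected) > tolerance:
            findings.append((emp, "AMOUNT_DIFFERS", expected, reported))
    # Output records with no corresponding input are findings as well.
    for emp in sorted(set(client_output) - set(live_input)):
        findings.append((emp, "NO_MATCHING_INPUT", None, Decimal(client_output[emp])))
    return findings

# Constructed sample data: timecards as (hours, rate) and the client's payroll register.
LIVE_INPUT = {
    "1001": ("40", "20.00"),
    "1002": ("45", "20.00"),
    "1003": ("38.5", "18.25"),
    "1004": ("40", "22.00"),
}
CLIENT_OUTPUT = {"1001": "800.00", "1002": "1000.00", "1003": "702.63", "9001": "950.00"}

if __name__ == "__main__":
    for finding in parallel_simulation(LIVE_INPUT, CLIENT_OUTPUT):
        print(finding)
```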
Continuous Auditing
Some audit tools can be installed within an information system itself to achieve continuous auditing or real-
time assurance. Continuous auditing is increasingly important as we move toward real-time financial reporting.
There is also increasing pressure to reduce the time span between the production of financial information and the
audit of the information, known as the audit cycle. Stakeholders want audited information quickly. Many
businesses report their financial information over the Internet, and many more are likely to do so as XBRL enhances
this form of reporting.
INFORMATION TECHNOLOGY AUDITING TODAY
IT auditing is actually a component of information technology (IT) governance. These include the use of
technology to deter fraud, the effects of the Sarbanes-Oxley Act of 2002 and AS5 on IT auditing, and third-party and
systems reliability assurance.
Information Technology Governance
Information technology (IT) governance is the process of using IT resources effectively to meet organizational
objectives. It includes using IT efficiently, responsibly, and strategically. The IT Governance Institute, an affiliation
of the Information Systems Audit and Control Association (ISACA), was created to help organizations ensure that IT
resources are properly allocated, that IT risks are mitigated, and that IT delivers value to the organization.
Auditing Standard No. 5 (AS5)
As a result of the substantial burden created by Section 404 and the uncertainty surrounding the specific
requirements of Section 404, the Public Company Accounting Oversight Board provided guidance in Auditing
Standard No. 5 (AS5) that helps internal and external auditors reduce control testing and focus on the most critical
controls.