AUDCIS 2022 Module 5 Tools and Techniques in IT Audit PDF
2022
AUDCIS
Summary
This document is the lecture slide deck for AUDCIS Module 5, covering tools and techniques used in IT audits. It details audit productivity tools, system documentation techniques (ERDs, DFDs, business process diagrams, flowcharting), and computer-assisted audit techniques (CAATs), including the auditing-through-the-computer techniques: integrated test facility, test data, parallel simulation, embedded audit modules (SCARF) and transaction tagging.
Full Transcript
Tools and Techniques Used in Auditing IT
AUDCIS Module 5

Tools and techniques used in IT audits
- Audit productivity tools: software that helps auditors reduce the time spent on administrative tasks by automating the audit function and integrating information gathered as part of the audit process.
- System documentation techniques: methods such as flowcharting, data flow diagrams, and business process diagrams, applied to document and test application systems, IT processes, and their integration within the IT environment.
- Computer-assisted audit techniques (CAATs): software that helps auditors evaluate application controls, and select and analyze computerized data for substantive audit tests.

Audit Productivity Tools
- Audit planning and tracking
- Documentation and presentations
- Communication
- Data management, electronic working papers, and groupware
- Resource management

Audit planning and tracking
Necessary tasks in any audit planning: developing an audit universe listing all of the potential audit areas within the organization, a risk assessment prioritizing these audit areas, an audit schedule, and a budget to track audit progress.
Solutions: spreadsheets, database software, and/or project management software (for example MS Excel, MS Access, Google Sheets).

Documentation and presentations
- Microsoft Office Suite: creation and presentation of documents
- Video conferencing and video capture software

Communication
- Required: computer hardware, media hardware, protocol handlers, the desired terminal software emulator, and high-speed wired or wireless connectivity
- Electronic connectivity through portals
- Video conferencing capabilities: Zoom, Cisco WebEx, Citrix GoToMeeting, and Adobe Connect

Data Management, Electronic Working Papers and Groupware
- Database as central data repository: an archive of historical risk, audit schedule, and budget data; lets the audit function monitor and have immediate access to critical activity such as audit schedule status, field audit status, fraud or shortage activity, and
  training and development progress
- Electronic Working Papers (EWP): creating, documenting, reviewing, and storing audit work
- Groupware or collaborative software: a specialized tool or assembly of compatible tools that allows collaborative work

System Documentation Techniques
Purpose: to understand the relationship of each application to the conduct of the organization's or client's business, and to document that understanding.
- Entity-relationship diagram (ERD)
- Data flow diagram (DFD)
- Business process diagram
- Flowchart
[Slides "Sample entity-relationship diagram (ERD)", "Sample data flow diagram (DFD)", "Sample business process diagram" and "Sample flowchart": figures not reproduced in the transcript.]

Flowcharting as an Audit Analysis Tool
- Auditors prepare flowcharts using standard symbols and techniques to represent application systems, workflows, or processes.
- Flowcharts are a method for identifying and evaluating control strengths and weaknesses within a financial application system under examination.
- The flowcharting process leads to an evaluation of:
  - Quality of system documentation
  - Adequacy of manual or automated controls over documents
  - Effectiveness of processing by computer programs (i.e., whether the processing is necessary or redundant and whether the processing sequence is proper)
  - Usefulness of outputs, including reports and stored files
[Slide "Common flowchart symbols": figure not reproduced in the transcript.]

Understanding How Applications Process Data
- Reviewing corporate documentation, including system documentation files, input preparation instructions, and user manuals
- Interviewing organization personnel, including users, systems analysts, and programmers
- Inspecting, comparing, and analyzing corporate records

Identifying Documents and Their Flow through the System
- Sources and source document(s), by title and identification number, with copies of the forms attached
- Point of origin for each source document
- Each operating unit or office through which the data are processed
- Destination of each copy of the source document(s)
- Actions taken by each unit or office in which the data are processed
  (e.g., prepared, recorded, posted, filed, etc.)
- Controls over the transfer of source documents between units or offices to ensure that no documents are lost, added, or changed (e.g., verifications, approvals, record counts, control totals, arithmetic totals of important data, etc.)
- Recipients of computer outputs

Defining Data Elements
The organization's data element dictionary is a good source for such definitions. If a data dictionary is not available, a record layout may contain the needed definitions.

Developing Flowchart Diagrams
Material the auditor gathers before drawing the flowcharts:
- Narrative descriptions of all major application systems
- All manually prepared source documents that affect application processing, as well as the corresponding coding sheets and instructions for data transcription
- Record layouts for all major computer input and output records, computer master files, and work files (such as update or file maintenance tapes and computation tapes)
- All major outputs produced by the application system
- Lists of standard codes, constants, and tables used by the application

Evaluating the Quality of System Documentation
There are two basic questions to answer:
- Is the documentation accurate?
- Is the documentation complete?

Assessing Controls over Documents
Control points on the flowcharts should be identified and evaluated. The auditor can then determine whether controls have been used and, if so, highlight gaps, strengths, and weaknesses within the system. Identified controls, including automated and IT-dependent application controls, should be adequately designed and implemented in order to mitigate the risks they address.
Determining the Effectiveness of Data Processing
The audit staff should determine how effective data processing is by identifying problem areas in the processing cycle, such as:
- Redundant processing of data or other forms of duplication
- Bottleneck points that delay or congest processing
- Points in the operating cycle at which clerks do not have enough time to review output reports and make corrections

Evaluating the Accuracy, Completeness, and Usefulness of Reports
The audit staff should review the key or major outputs (e.g., edit listings, error listings, control of hour listings, etc.) of the financial application system and determine whether the outputs are accurate, complete, and useful as intended. The auditor should confirm the accuracy, completeness, and usefulness of the generated reports by interviewing the appropriate users.

Computer-Assisted Audit Techniques (CAATs)
CAATs can be used by both IT and financial auditors in a variety of ways to evaluate the integrity of an application, determine compliance with procedures, and continuously monitor processing results.
- Review applications to gain an understanding of the controls in place to ensure the accuracy and completeness of the information generated.
- When adequate application controls are identified, the IT auditor performs tests to verify their design and operating effectiveness.
- When controls are not adequate, IT auditors perform extensive substantive testing to verify the integrity of the data.
- To perform tests of applications and data, the auditor may use CAATs.

Common CAATs
- ACL and Interactive Data Extraction and Analysis (IDEA) can be used to select a sample, analyze the characteristics of a data file, identify trends in data, and evaluate data integrity.
- Microsoft Access and Microsoft Excel. Microsoft Access can be used to analyze data, create reports, and query data files. Microsoft Excel also analyzes data, generates samples, creates graphs, and performs regression or trend analysis.
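The functions just attributed to ACL and IDEA (select a sample, analyze the characteristics of a file, flag unusual items, check integrity) are small enough to script directly against an extract. The block below is an added example written for this page; it is not code from the slides or from any of the tools named. The invoice extract, the materiality threshold, the band edges and the error and duplicate planted in the data are all constructed. It also re-performs extensions and footings, the "audit mathematics" the deck covers separately.

```python
"""CAAT-style tests over a constructed invoice extract (added example).

The records below are constructed for illustration; in practice they come from
an ACL/IDEA import, a CSV export or a database query.
"""
from collections import Counter
import random
import statistics

INVOICE_LINES = [
    {"invoice": "INV-1001", "vendor": "V01", "qty": 10, "unit_price": 12.50, "amount": 125.00},
    {"invoice": "INV-1002", "vendor": "V02", "qty": 4, "unit_price": 99.99, "amount": 399.96},
    {"invoice": "INV-1003", "vendor": "V01", "qty": 3, "unit_price": 45.00, "amount": 145.00},  # 3 x 45 = 135
    {"invoice": "INV-1004", "vendor": "V03", "qty": 1, "unit_price": 25000.00, "amount": 25000.00},
    {"invoice": "INV-1005", "vendor": "V02", "qty": 12, "unit_price": 8.25, "amount": 99.00},
    {"invoice": "INV-1006", "vendor": "V04", "qty": 2, "unit_price": 150.00, "amount": 300.00},
    {"invoice": "INV-1007", "vendor": "V01", "qty": 7, "unit_price": 10.00, "amount": 70.00},
    {"invoice": "INV-1004", "vendor": "V03", "qty": 1, "unit_price": 25000.00, "amount": 25000.00},  # duplicate
]


# --- Audit mathematics: re-perform the arithmetic the application did ---
def extension_errors(lines, tolerance=0.005):
    """Recompute each extension (qty x unit price); list lines that disagree."""
    return [ln["invoice"] for ln in lines
            if abs(round(ln["qty"] * ln["unit_price"], 2) - ln["amount"]) > tolerance]


def footing(lines):
    """Recorded column total versus an independently recomputed total."""
    recorded = round(sum(ln["amount"] for ln in lines), 2)
    recomputed = round(sum(ln["qty"] * ln["unit_price"] for ln in lines), 2)
    return recorded, recomputed


# --- Items of audit interest: specific criteria, relative criteria, sampling ---
def material_items(lines, threshold):
    """Specific criterion: every invoice with a line at or above materiality."""
    return sorted({ln["invoice"] for ln in lines if ln["amount"] >= threshold})


def unusual_items(lines, cutoff=3.5):
    """Relative criterion: robust z-score on amount (median/MAD). A mean/stdev
    rule is inflated by the very outliers it is meant to find; here a 2-sigma
    rule would miss the 25,000 lines, the MAD rule does not."""
    amounts = [ln["amount"] for ln in lines]
    med = statistics.median(amounts)
    mad = statistics.median([abs(a - med) for a in amounts])
    if mad == 0:
        return []
    return sorted({ln["invoice"] for ln in lines
                   if abs(ln["amount"] - med) / (1.4826 * mad) > cutoff})


def duplicate_lines(lines):
    """Integrity check: same invoice, vendor and amount recorded more than once."""
    seen = Counter((ln["invoice"], ln["vendor"], ln["amount"]) for ln in lines)
    return sorted({key[0] for key, n in seen.items() if n > 1})


def statistical_sample(lines, n, seed=2022):
    """Random sample with a recorded seed so the selection can be re-performed
    and documented in the working papers."""
    return random.Random(seed).sample(lines, n)


# --- Data analysis: characteristics of the file ---
def amount_histogram(lines, edges=(100.0, 1000.0)):
    """Count lines per amount band; default bands are [0,100), [100,1000), [1000, ...)."""
    bands = Counter()
    for ln in lines:
        idx = sum(ln["amount"] >= e for e in edges)
        lo = 0.0 if idx == 0 else edges[idx - 1]
        hi = edges[idx] if idx < len(edges) else None
        bands[(lo, hi)] += 1
    return dict(bands)


if __name__ == "__main__":
    print("extension errors:", extension_errors(INVOICE_LINES))
    print("footing (recorded, recomputed):", footing(INVOICE_LINES))
    print("material (>= 10,000):", material_items(INVOICE_LINES, 10000))
    print("unusual:", unusual_items(INVOICE_LINES))
    print("duplicates:", duplicate_lines(INVOICE_LINES))
    print("sample:", [ln["invoice"] for ln in statistical_sample(INVOICE_LINES, 3)])
    print("histogram:", amount_histogram(INVOICE_LINES))
```

The footing deliberately returns both totals rather than a pass/fail flag: the recorded total foots correctly on its own, and only the comparison against the recomputed total exposes the bad extension on INV-1003, which is why footing and extension re-performance are done together.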
SAP Audit Management
SAP Audit Management facilitates the documentation of evidence, organization of working papers, and creation of audit reports. It also provides analytical capabilities that shift the focus of audits from basic assurance to providing insight and advice.

Broad Categories of Computer Auditing Functions
Three broad categories of computer auditing functions can be identified:
- Items of audit interest
- Audit mathematics
- Data analysis

Items of Audit Interest
The auditor can use the computer to select items of interest, such as material items, unusual items, or statistical samples of items, for instance by stipulating specific criteria for the selection of sample items, or by stating relative criteria and letting the computer make the selection.

Audit Mathematics
Performing extensions or footings. Although the computer can be programmed to make many logical comparisons and tests, it cannot supplant human judgment in examining the items selected for testing.

Data Analysis
Data analysis programs use techniques such as:
- Histograms
- Modeling
- Comparative analysis

CAATs for Auditing Application Controls: Spreadsheet Controls
Some of the key controls that minimize the risks in spreadsheet development and use include:
- Understanding the requirements before building the spreadsheet
- Source of data. Assurance that the data being used are valid, reliable, and can be authenticated to the originating source
- Design review. Reviews performed by peers or system professionals. Formulas, macro commands, and any changes to the spreadsheet should be documented externally and within the spreadsheet
- Verification of logic. Reasonableness checks and comparisons with known outputs
- Extent of training. Formal training in spreadsheet design, testing, and implementation
- Extent of audit. Informal design reviews or formal audit procedures
- Support commitment.
  Ongoing application maintenance and support from IT personnel

CAATs for Auditing Application Controls: Database Controls
Controls that auditors commonly expect to identify (and ultimately assess) within client- or organization-prepared databases include:
- Referential integrity. Prevent deleting (or orphaning) key values that related tables still reference
- Transaction integrity. Roll back the effects of unsuccessful or incomplete transactions so the database is never left half-updated
- Entity integrity. Unique identification of every record (a primary key with no duplicates or nulls)
- Value constraints. Limit values to a selected range
- Concurrent update protection. Prevent data contention (lost updates) when several users change the same data at the same time
- Backup and recovery protection. Ability to back up critical information and applications and restore them to continue operations
- Testing protection. Perform tests at the system, application, and unit level

CAATs for Operational Reviews
Specific activities in an operational review include:
- Review operating policies and documentation
- Confirm procedures with management and operating personnel
- Observe operating functions and activities
- Examine financial and operating plans and reports
- Test the accuracy of operating information
- Test operational controls

Auditing Around the Computer vs. Auditing Through the Computer
Auditing around the computer ("black box" approach): the auditor obtains the source documents associated with particular input transactions and reconciles them against the output results. Audit supporting documentation is drawn and conclusions are reached without considering how the inputs are processed to produce the outputs; the processing logic itself is never examined.
Auditing through the computer: this approach includes a variety of techniques to evaluate how the application and its embedded controls respond to various types of transactions, including anomalous ones that may contain errors. When audits involve advanced technologies or complex applications, the IT auditor must combine these techniques with tools to successfully test and evaluate the application.
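The database controls listed above (referential integrity, transaction integrity, entity integrity, value constraints) can be tested in two ways with a CAAT: try to violate each control and confirm the database refuses, and run detective queries over tables that enforce nothing themselves. The block below is an added example for this page, not code from the slides; it uses an in-memory SQLite database with a constructed vendors/payments schema, a constructed legacy table without constraints, and an assumed valid amount range of 0 to 100,000.

```python
"""Database-control tests run with a CAAT (added example; schema, rows and the
100,000 amount limit are constructed for illustration)."""
import sqlite3

SCHEMA = """
CREATE TABLE vendors (
    vendor_id TEXT PRIMARY KEY,                  -- entity integrity: unique identification
    name      TEXT NOT NULL
);
CREATE TABLE payments (
    payment_id INTEGER PRIMARY KEY,              -- entity integrity
    vendor_id  TEXT NOT NULL REFERENCES vendors(vendor_id)
               ON DELETE RESTRICT,               -- referential integrity
    amount     REAL NOT NULL
               CHECK (amount > 0 AND amount <= 100000)   -- value constraint
);
CREATE TABLE legacy_payments (                   -- no constraints at all
    payment_id INTEGER, vendor_id TEXT, amount REAL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")     # SQLite ignores FK clauses unless this is set
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendors VALUES (?, ?)", [("V01", "Acme"), ("V02", "Globex")])
    conn.executemany("INSERT INTO payments(vendor_id, amount) VALUES (?, ?)",
                     [("V01", 500.0), ("V02", 1250.0)])
    conn.executemany("INSERT INTO legacy_payments VALUES (?, ?, ?)", [
        (1, "V01", 500.0),
        (2, "V99", 75.0),        # orphan: vendor V99 does not exist
        (3, "V02", 250000.0),    # out of range
        (3, "V02", 40.0),        # duplicate key
    ])
    conn.commit()
    return conn


def _rejected(conn, sql, params=()):
    """True if the database refuses the statement, i.e. the control operates."""
    try:
        conn.execute(sql, params)
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()              # never keep a probe row, even if it was accepted
    return False


def probe_preventive_controls(conn):
    """Attempt one violation per control; every probe should be rejected."""
    return {
        "referential_insert": _rejected(conn,
            "INSERT INTO payments(vendor_id, amount) VALUES ('V99', 10.0)"),
        "referential_delete": _rejected(conn,
            "DELETE FROM vendors WHERE vendor_id = 'V01'"),
        "entity_integrity": _rejected(conn,
            "INSERT INTO vendors VALUES ('V01', 'Duplicate')"),
        "value_constraint": _rejected(conn,
            "INSERT INTO payments(vendor_id, amount) VALUES ('V01', -5.0)"),
    }


def transaction_integrity(conn):
    """Post a two-row batch whose second row is invalid; the whole batch must be
    undone, so the row count before and after is the same."""
    before = conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0]
    try:
        with conn:               # commit on success, roll back on exception
            conn.execute("INSERT INTO payments(vendor_id, amount) VALUES ('V01', 10.0)")
            conn.execute("INSERT INTO payments(vendor_id, amount) VALUES ('V01', -1.0)")
    except sqlite3.IntegrityError:
        pass
    after = conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0]
    return before, after


def detective_queries(conn):
    """Detective tests for a table that enforces nothing itself."""
    orphans = conn.execute("""
        SELECT p.payment_id FROM legacy_payments p
        LEFT JOIN vendors v ON v.vendor_id = p.vendor_id
        WHERE v.vendor_id IS NULL""").fetchall()
    dup_keys = conn.execute("""
        SELECT payment_id FROM legacy_payments
        GROUP BY payment_id HAVING COUNT(*) > 1""").fetchall()
    out_of_range = conn.execute("""
        SELECT payment_id FROM legacy_payments
        WHERE amount <= 0 OR amount > 100000""").fetchall()
    return {"orphans": [r[0] for r in orphans],
            "duplicate_keys": [r[0] for r in dup_keys],
            "out_of_range": [r[0] for r in out_of_range]}


if __name__ == "__main__":
    db = open_db()
    print(probe_preventive_controls(db))
    print(transaction_integrity(db))
    print(detective_queries(db))
```

The PRAGMA line is the practitioner's caveat: a schema can declare foreign keys that the engine never enforces, which is exactly why the preventive probes are run against the live database rather than inferred from the DDL.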
Integrated Test Facility
Integrated test facilities are built-in test environments within a system. This approach is used primarily with large-scale, online systems serving multiple locations within the company or organization. The test facility consists of a fictitious company or branch, set up in the application and file structure, that accepts and processes test transactions as though it were an actual operating entity. Throughout the financial period, auditors can submit transactions to test the system. Because the fictitious entity lives in the production files, its transactions must be reversed or filtered out so they do not contaminate actual results.

Test Data
This technique provides test transactions to a system for processing by the existing applications. The test data should cover the full spectrum of transactions so that the processes within the application and system are exercised. Both valid and invalid transactions should be included, since the objective is to test how the system processes both correct and erroneous input. For a consumer credit card service, such transactions might include invalid account numbers, accounts that have been suspended or deleted, and so on. If reliance is placed on program, application, or system testing, some form of periodic re-testing is essential. Test data generators are very good tools to support this technique but should not be relied on entirely for extreme-condition testing.

Parallel Simulation
Parallel simulation involves the separate maintenance of two presumably identical sets of programs. The original set is the production copy used in the application under examination. The second set could be a copy secured by the auditors at the same time the original version was placed into production. As changes or modifications are made to the production programs, the auditors make the same updates to their copy. If no unauthorized alteration has taken place, running the same inputs through both sets of programs should yield the same results.
Another way is for the auditor to develop an independent program in a higher-level language (Visual Basic, SQL, Java, etc.) from the base documentation, following the documented process logic and requirements. For audit purposes, both programs (the auditor's simulation and the actual production application) would use the same inputs and generate independent results that can be compared to validate the internal processing steps.

Embedded Audit Module
A programmed audit module that is added to the application under review.

Systems Control Audit Review File (SCARF)
SCARF is another real-time technique: an embedded module collects the specific transactions or processes that violate certain predetermined conditions or patterns. It may be enhanced by decision support software that alerts designated personnel (audit, security, etc.) to unusual activity or items out of the ordinary. Computer forensic specialists can collect the data into log files for further review and examination.

Transaction Tagging
Follows a selected transaction through the application from input, transmission, processing, and storage to its output, to verify the integrity, validity, and reliability of the application. Some applications have a trace or debug function that allows one to follow the transaction through the application. This may be a way to ensure that the process for handling unusual transactions is actually followed within the application modules and code.

Computer Forensics Tools
Computer forensics is the examination, analysis, testing, and evaluation of computer-based material, conducted to provide relevant and valid information to a court of law. Computer forensics tools are increasingly used to support law enforcement, computer security, and computer audit investigations.
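The test data, embedded audit module (SCARF) and transaction tagging techniques described above are shown together below against one toy application, since all three act on the same transaction stream. This is an added example for this page, not code from the slides: the card-authorization routine, the account master (populated with standard test card numbers), the test deck and the SCARF condition (authorizations of 900 or more, or any decline on a suspended or closed account) are all constructed. The application is written with a deliberate gap, no check on the sign of the amount, so that the test deck has something to find.

```python
"""Test-data deck, SCARF-style embedded audit module and transaction tagging
against a toy card-authorization routine (added example; everything here is
constructed for illustration)."""
import copy
from dataclasses import dataclass, field

# Constructed account master (card numbers are standard industry test numbers).
ACCOUNT_MASTER = {
    "4111111111111111": {"status": "ACTIVE", "limit": 1000.0, "balance": 200.0},
    "5555555555554444": {"status": "SUSPENDED", "limit": 500.0, "balance": 0.0},
    "4012888888881881": {"status": "CLOSED", "limit": 0.0, "balance": 0.0},
}
SCARF_THRESHOLD = 900.0          # predetermined condition: large authorizations


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    tag: bool = False                             # auditor-tagged transaction
    trace: list = field(default_factory=list)     # stages recorded when tagged


def luhn_ok(number: str) -> bool:
    """Input check digit test (mod-10 / Luhn) on the account number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scarf_collect(txn, stage, result, scarf_log):
    """Embedded audit module: copy transactions meeting predetermined conditions
    to a separate audit file, whether or not the application accepted them."""
    if txn.amount >= SCARF_THRESHOLD or result.startswith("DECLINED:ACCOUNT_"):
        scarf_log.append({"txn_id": txn.txn_id, "stage": stage, "result": result})


def authorize(txn, accounts, scarf_log):
    """Toy application under audit. It deliberately never checks that the
    amount is positive; the test deck is expected to expose that gap."""
    def outcome(stage, result):
        if txn.tag:                               # transaction tagging
            txn.trace.append((stage, result))
        scarf_collect(txn, stage, result, scarf_log)
        return result

    if txn.tag:
        txn.trace.append(("input", "received"))
    if not (txn.account.isdigit() and luhn_ok(txn.account)):
        return outcome("input", "DECLINED:INVALID_ACCOUNT")
    acct = accounts.get(txn.account)
    if acct is None:
        return outcome("lookup", "DECLINED:UNKNOWN_ACCOUNT")
    if acct["status"] != "ACTIVE":
        return outcome("lookup", "DECLINED:ACCOUNT_" + acct["status"])
    if acct["balance"] + txn.amount > acct["limit"]:
        return outcome("credit", "DECLINED:OVER_LIMIT")
    acct["balance"] += txn.amount                 # posting
    return outcome("posting", "APPROVED")


# Test deck: valid and invalid transactions, each with the auditor's expected result.
TEST_DECK = [
    (Txn("T1", "4111111111111111", 50.0), "APPROVED"),
    (Txn("T2", "4111111111111112", 50.0), "DECLINED:INVALID_ACCOUNT"),   # bad check digit
    (Txn("T3", "378282246310005", 20.0), "DECLINED:UNKNOWN_ACCOUNT"),    # valid digits, not on master
    (Txn("T4", "5555555555554444", 20.0), "DECLINED:ACCOUNT_SUSPENDED"),
    (Txn("T5", "4012888888881881", 20.0), "DECLINED:ACCOUNT_CLOSED"),
    (Txn("T6", "4111111111111111", 900.0), "DECLINED:OVER_LIMIT"),       # 250 + 900 > 1000
    (Txn("T7", "4111111111111111", -50.0), "DECLINED:INVALID_AMOUNT"),   # negative amount
]


def run_test_deck(deck=TEST_DECK):
    """Process the deck against a fresh copy of the master; return the
    expected-versus-actual mismatches and the SCARF exception file."""
    accounts = copy.deepcopy(ACCOUNT_MASTER)
    scarf_log, mismatches = [], []
    for txn, expected in deck:
        actual = authorize(txn, accounts, scarf_log)
        if actual != expected:
            mismatches.append((txn.txn_id, expected, actual))
    return mismatches, scarf_log


def trace_tagged(account, amount):
    """Transaction tagging: follow one tagged transaction through every stage."""
    txn = Txn("TAG-1", account, amount, tag=True)
    authorize(txn, copy.deepcopy(ACCOUNT_MASTER), [])
    return txn.trace


if __name__ == "__main__":
    bad, exceptions = run_test_deck()
    print("mismatches:", bad)                     # T7: negative amount was approved
    print("SCARF file:", exceptions)              # T4, T5 (account status), T6 (large)
    print("trace:", trace_tagged("4111111111111111", 150.0))
```

The deck is ordered, and the expected results depend on that order (T1 raises the balance before T6 is tested), which is the same discipline a real test deck needs when it runs against an integrated test facility rather than a fresh copy of the files.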