Sunday, June 14, 2009

revision for ACCG251

The audit function:
  • To audit is to examine and provide assurance in relation to the reliability of the information provided by the auditee.
  • The nature of auditing differs according to the subject under examination.
  • Audits can be internal or external and can, if appropriate, include the audit of an information system.

Internal Auditing:
  • It is undertaken by appropriately qualified employees of the entity concerned.
External Auditing:
  • They will evaluate the process for a particular client. They will undertake alternative testing if they don't trust the client's internal audit process.
  • They are undertaken by professional accounting firms staffed by either CPAs or Chartered Accountants.
  • Their purpose is to provide assurance about the credibility of financial information and proof that the relevant or other information has been produced in accordance with the requirements of the appropriate external regulatory framework.
Roles and responsibilities of an IT auditor:
  • It involves evaluating the computer's role in achieving audit and control objectives.
  • Components: People, procedures, hardware, data communications, software, and databases are a system of interacting elements that auditors examine to accomplish the purpose of their audits.
IT Governance:
  • It is the process of using IT resources effectively to meet organisational objectives. It includes using IT efficiently, responsibly, and strategically.
  • The objectives of IT governance are twofold. The first set of objectives focuses on the use of IT strategically to fulfil the organisational mission and to compete effectively. The second set of IT governance objectives involves making sure that the organisation's IT resources are managed effectively and that management controls IT-related risks.
The Information Technology Audit Process:
  • Depending on the level of controls auditors might need to undertake more substantive tests of underlying transactions and account balances.
  • Compliance testing is undertaken to ensure that pre-existing controls are working as prescribed. This may entail using computer assisted audit techniques to audit through the computer.
Risk-based Audit approach:
  • Determine threats facing the AIS.
  • Identify the control procedures that should be in place to minimise threats.
  • Evaluate weaknesses within the AIS to ascertain the desirability of IT-related controls for a particular aspect of business risk.
  • Evaluating IT Controls: Systems Auditability and Control report and Control Objectives for Information and Related Technology.
Auditing Around the Computer:
  • It assumes that the presence of accurate output verifies proper processing operations.
  • It pays little or no attention to the control procedures within the IT environment.
  • Generally not an effective approach to auditing a computerised environment.
Auditing Through the Computer:
  • When doing this, an auditor follows the audit trail through the internal computer operations phase of automated data processing.
  • Through-the-computer attempts to verify the processing controls involved in the AIS programs.
  • Primary approaches to auditing through the computer using CAATs are: testing programs; reviewing systems software; continuous auditing.
  • Testing Computer programs:
  1. The test data approach uses a set of hypothetical transactions to test edit checks in programs.
  2. Auditor should use as many different exceptions as possible.
  3. Auditor can also use software programs called test data generators to develop a set of test data.
  • Integrated Test Facility:
  1. It is effective in evaluating integrated online systems and complex programming logic.
  2. Its purpose is to audit an AIS in an operational setting.
  3. The auditor's role is to examine results of transaction processing to find out how well the AIS does the tasks required of it.
  4. An auditor will introduce artificial transactions into the data processing stream of the AIS.
  • Parallel Simulation:
  1. With Parallel Simulation, the auditor uses live input data in a program written or controlled by the auditor.
  2. The auditor's program simulates all or some of the operations of the real program that is actually in use.
  3. Auditors need complete understanding of a client's system and an adequate level of knowledge to undertake this testing.
  4. It eliminates the need to prepare a set of test data.
  • Validating Computer Programs: The auditor must validate any program presented to them using the following tests:
  1. Tests of Program Change Control:
     a) Program change control is a set of internal controls developed to guard against unauthorised program changes.
     b) It requires documentation of every request for application program changes.
     c) The test begins with inspection of the documentation maintained by the information processing subsystem.
  2. Program Comparison:
     a) To guard against unauthorised program tampering, a test of length control total can be performed.
     b) A comparison program can compare code line-by-line to ensure consistency between the authorised version and the version being used.
     c) Both tests can detect Trojan horse computer programs.
  3. Surprise Audits and Surprise Use of Programs:
     a) The surprise audit approach involves examining application programs unexpectedly.
     b) With the surprise use approach, an auditor visits the computer centre unannounced and requests that previously obtained authorised programs be used for the required data processing.
  • Auditing with the computer:
  1. Auditing with the Computer entails using computer assisted audit techniques.
  2. This approach is virtually mandatory since data are stored on computer media and manual access is impossible.
  3. CAATs are effective and save time.
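
The program comparison tests described above (length control total and line-by-line comparison), as an added example that is not part of the original notes. The payroll routine, both altered versions and all function names are constructed for illustration; the second altered version shows a same-length edit that the length control total alone does not flag.

```python
import difflib

# Constructed sample: the authorised payroll routine held by the auditor.
AUTHORISED = """\
def net_pay(gross, tax_rate):
    tax = gross * tax_rate
    return round(gross - tax, 2)
"""

# Constructed sample: version in use with an unauthorised extra branch.
IN_USE_LONGER = """\
def net_pay(gross, tax_rate):
    tax = gross * tax_rate
    if gross > 9000: tax = 0
    return round(gross - tax, 2)
"""

# Constructed sample: one character changed, so the length is unchanged.
IN_USE_SAME_LENGTH = AUTHORISED.replace("tax, 2)", "tax, 3)")


def length_control_total(source: str) -> int:
    """Length control total: size of the program text in bytes."""
    return len(source.encode("utf-8"))


def line_differences(authorised: str, in_use: str) -> list[str]:
    """Line-by-line comparison; keeps only removed (-) and added (+) lines."""
    diff = difflib.ndiff(authorised.splitlines(), in_use.splitlines())
    return [line for line in diff if line.startswith(("- ", "+ "))]


def audit_program(authorised: str, in_use: str) -> dict:
    """Run both tests and report what each one finds."""
    changed = line_differences(authorised, in_use)
    return {
        "length_mismatch": length_control_total(authorised)
        != length_control_total(in_use),
        "changed_lines": changed,
        "tampered": bool(changed),
    }


if __name__ == "__main__":
    for name, version in [("longer", IN_USE_LONGER),
                          ("same length", IN_USE_SAME_LENGTH)]:
        print(name, audit_program(AUTHORISED, version))
```
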
Review of System software
  • System software includes:
  1. Operating System software
  2. Utility programs
  3. Program library software
  4. Access control software
  • Auditors should review systems software documentation.
  • Systems software can generate incident reports, which are reports listing events encountered by the system that are unusual or interrupt operations.