Chapter 12

Information Technology Auditing


Discussion Questions
12-1.
As noted in the text, an internal auditor is an individual working for the company
being audited while the external auditor works for an outside organization, typically a CPA firm.
Thus, the responsibility of the internal auditor is to report to the staff supervisor conducting the
audit while the responsibility of the external auditor is to report to external parties. Whereas the
activities of both the internal and external auditors are governed by generally accepted
accounting principles or GAAP, the external auditor's procedures are also affected by federal
and state laws that specifically define the relationship between the external auditor and client,
and how this relationship is to be implemented during the course of an audit.
The chief concern of the external auditor is that the financial condition of the organizational
entity be accurately and fairly represented in its financial statements. In this sense the external
auditor is limited to the attest function. Among the matters that may have more interest to the
internal auditor are:
Inventory records that have no financial implications
Personnel records that have no financial implications
Production or marketing records that have no financial implications
Inefficiencies in reporting that affect the timing, rather than the accuracy, of monetary
variables
Minor discrepancies in financial accounts (immaterial)
Organizational procedures that are primarily a matter of policy and do not involve assets
or liabilities
The morale, motivation, and productivity of individual departments or work groups
Preferences vary. Many accounting graduates begin their career as external auditors and then
move into internal auditing.
12-2.
The primary objective of a financial audit is to attest to the reliability of financial
statements. The audit process includes an evaluation of internal controls (now mandated).
Some of these controls are present in all processing environments, while others are unique to
computerized data processing. The financial auditor may lack the expertise needed to evaluate
the computer-type controls. In this event, the information systems auditor is called in. The
information systems auditor's primary objective is to evaluate internal controls and risks
associated with the computerized data processing system (general and application controls).
The information systems auditor may also become engaged in assisting a client to improve
security over the computerized system environment.
Financial auditors should possess technical accounting skills, knowledge of accounting and
business processes, a certain amount of skepticism, knowledge of the audit process, internal
control expertise, knowledge of financial audit standards, communication skills, and
interpersonal skills. Information systems auditors should possess an understanding of technical
information systems security, internal control expertise, knowledge of information systems audit
standards, computer expertise, communication skills, a certain amount of skepticism, and
interpersonal skills. It would be best if financial auditors possessed knowledge of information
systems audit standards, technical information systems security knowledge, and computer
expertise. It would also be best if information systems auditors possessed technical accounting
skills, knowledge of accounting and business processes, and knowledge of the financial audit
process.
SM 12.1
The reality is that it is difficult for one individual to possess all skills in both realms. This reality
has led to a shortage of information systems auditors with a solid foundation in accounting.
Because of this, it may be difficult for financial auditors to know how to use the work of the
information systems auditor. Likewise, it may be hard for the information systems auditor to
understand which accounting areas are high risk and particularly vulnerable. Courses in AIS
help to bridge the gap in knowledge.
12-3.
General-use software is software that has a wide range of applicability. This
software may be used by auditors, managers, accountants, system designers, and others. It
includes word processing, spreadsheet, database, presentation, and communication software.
Generalized audit software is software that has been developed specifically for use by auditors.
Spreadsheet software is most useful when computations are required. Recalculating totals for
fixed assets or depreciation schedules can be facilitated with spreadsheet software. Database
software might be used to keep track of fixed assets and repairs and maintenance to these
assets. An auditor might use word processing software to communicate with the client about
audit issues related to fixed assets. Word processing software can also generate letters
verifying the existence of fixed assets.
12-4.
Interviewing is one of the most important functions performed by auditors.
Interestingly, auditing and accounting curricula do not always work on these skills with students.
Some techniques and skills that would be helpful to an interviewer would include: session
planning, interview structuring, understanding the use of various question formats, options for
controlling and documenting an interview, and, perhaps most important, how to listen.
Interviewers need to understand the need to plan for an interview session. This includes
structuring the interview a priori, informing the person to be questioned of the interview,
deciding on how much time will be needed, researching the interview subject, and deciding on
messages the interviewer wants to convey. Interviews may be structured in a variety of ways to
maximize information gathering. A common technique is to ask innocuous questions first in
order to relax the subject of the interview. Both general and specific questions are useful but
each has advantages and disadvantages. The interviewer needs to know when to use which
and also must decide how open-ended the questions should be. A skilled interviewer is always
in control of the session and knows how to bring a subject back on track. Each approach to
documenting an interview (i.e., note-taking, recording, or having an observer) has advantages
and disadvantages. The interviewer should be familiar with these and decide on the best
approach for documentation. Finally, an effective interview is one where the subject does most
of the talking rather than the questioner. A good listener is the best interviewer.
12-5.
With an integrated test facility, it is necessary to observe the complete cycle of
activities. Thus, a set of fictitious purchase transactions would be introduced to the transaction
stream representing hypothetical business activity with one or more bogus companies. These
transactions would be designed to test the processing efficiency of the company and also, the
ability of the company's system to handle exception conditions. For example, one important
test would be to see how the system handles a fictitious account. Another test would be to see
how effectively the system pays debt in time to take advantage of time-dependent discounts.
Yet a third test would be to see whether or not the system will pay an outside company for
goods which in fact have not been received, or for goods which have been received in damaged
condition.
With the passage of time, the auditor would observe the system's response to these and other
such tests and compare his findings with those as expected from documentation outlines and
interviews with company officials. Discrepancies would be noted and the auditor would prepare
a final report, complete with recommendations, to top management.
12-6.
Whether to recommend a given control ultimately depends on the organization's attitude
toward risk. More often than not, a collective group is likely to be conservative and avoid
risk. In such instances, only a very small probability of a hazard would be needed before a
control against it became desirable. Individuals may sometimes exhibit less risk aversion than
groups, as for example when an individual gambles. Thus, in such cases, a larger probability
of occurrence is required before a given accounting control becomes cost effective.
For the case at hand, we are not told who the decision maker might be or the organization's
attitude toward risk. Thus, it would seem prudent for Mr. Rodriguez to present an analysis of his
findings with neither a positive recommendation nor a negative recommendation for controls
which are not determined to be cost effective. This is a decision for management rather than
the auditor.
12-7.
The Better Business Bureau offers a BBB Online Trustmark that symbolizes
compliance with a variety of standards and rules of practice. These include privacy and security
standards, as well as advertising and other business policies. CPA WebTrust provides
assurance that a Certified Public Accountant has examined a site and finds it to meet the
standards set by the AICPA for a particular set of criteria, such as that over privacy or security.
The TRUSTe seal has two forms. One provides assurance with respect to privacy and the other
is for email.
Several accounting firms and other organizations offer their own assurance. These may rely on
the brand of the company offering the assurance, rather than on a generic assurance label.
Another website seal is the Good Housekeeping website seal. This capitalizes on the brand of
the offline seal of approval program that has existed for decades.


Problems
12-8.
a.
Hazard               Probability     Expected losses (estimated)      Control
                     that loss       Low           High               costs
                     will occur
Equipment failure    .08             $ 4,000       $12,000            $ 2,000
Software failure     .10                 400         1,800              1,400
Vandalism            .65                 650         9,750              8,000
Embezzlement         .05                 150           450              1,000
Brownout             .40                 340           800                250
Power surge          .40                 340           800                300
Flood                .15              37,500        75,000              2,500
Fire                 .10              15,000        30,000              4,000

b. Comparing the expected losses with the hazard control costs would result in the following
decisions:
1) The hazard controls should be implemented for equipment failure, brownout, power
surge, flood, and fire. The costs of implementing these controls are outweighed by the
expected savings.
2) The hazard control for embezzlement should not be implemented as its cost exceeds
any potential benefit.
3) The implementation of hazard controls for software failure and vandalism falls in the grey
area of the decision process. The control costs exceed the low expected loss estimate
but are less than the high expected loss estimate. These findings should simply be
reported for managers' decisions.
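An added worked example (not from the solutions manual) that carries the part (b) decision rule through the hazard table in Python, using the table's expected losses and control costs; the net-saving range shown alongside each decision is my addition.

```python
# Added example for Problem 12-8: applies the expected-loss versus control-cost
# decision rule to the hazard table. The expected losses are already
# probability-weighted (probability of loss x loss amount), as in the table.

# (hazard, expected loss low, expected loss high, annual control cost)
HAZARDS = [
    ("Equipment failure", 4_000, 12_000, 2_000),
    ("Software failure", 400, 1_800, 1_400),
    ("Vandalism", 650, 9_750, 8_000),
    ("Embezzlement", 150, 450, 1_000),
    ("Brownout", 340, 800, 250),
    ("Power surge", 340, 800, 300),
    ("Flood", 37_500, 75_000, 2_500),
    ("Fire", 15_000, 30_000, 4_000),
]


def control_decision(exp_low: int, exp_high: int, cost: int) -> str:
    """Decision rule from part (b): implement when the control costs less than
    even the low expected loss, reject when it costs more than even the high
    expected loss, otherwise leave the call to management (grey area).
    Costs exactly equal to an estimate are treated as grey area."""
    if cost < exp_low:
        return "implement"
    if cost > exp_high:
        return "do not implement"
    return "grey area: report to management"


def evaluate(hazards=HAZARDS) -> dict:
    """Map each hazard to its decision plus the expected net saving range
    (expected loss avoided minus the cost of the control)."""
    result = {}
    for name, low, high, cost in hazards:
        result[name] = {
            "decision": control_decision(low, high, cost),
            "net_saving_low": low - cost,
            "net_saving_high": high - cost,
        }
    return result


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:18} {r['decision']:32} net saving "
              f"{r['net_saving_low']:>8,} to {r['net_saving_high']:>8,}")
```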
12-9. The purpose of certification is to get recognized as an expert in your profession. With a
globally accepted and recognized ISACA certification, you hold the power to move ahead in your
career, increase your earning potential, enhance your credibility and prove to employers that
you have what it takes to add value to their enterprise.
The types of auditing CISAs perform are further described in the various credentials available:
CISM: Certified Information Security Manager
CGEIT: Certified in the Governance of Enterprise IT
CRISC: Certified in Risk and Information Systems Control
12-10.
Simply by searching on the term computer security, students will be able to identify
many resources that would be helpful in auditing an information system. There are also a few
guides or indices available that classify audit advisories, tools, and security techniques. An
example of a site that issues security advisories is Carnegie Mellon's Computer Emergency
Response Team at . An example of help available is the Department of Defense's online guide
to selecting effective passwords.
12-11.
By searching on the phrase continuous auditing examples, a student should be
able to find many instances of organizational use of continuous auditing (CA) techniques. As an
example, I found a health care company that used CA for efficiency. They were typically only
auditing various parts of the organization every three or four years but by adopting CA
techniques, they could have more confidence in their systems on an ongoing basis, freeing
resources for other analyses.

Case Analyses
12-12

Basic Requirements (Systems Reliability Assurance)

1. There are many security, availability, and privacy risks faced by Basic Requirements due to
their online business. (Comprehensive lists of general risks may be found in the AICPA's
Trust Services document, which describes principles and criteria for trust services.) Security
risks concern unauthorized physical and/or logical access. For Basic Requirements, some
specific security risks would include hacker access to the web site, student access to the
computer (while in the store), and unauthorized access to accounts or passwords by student
customers. Availability of the web site is important to a retail business as downtime may
mean lost sales and lack of credibility. For Kara and Scott, availability risks include
hardware and software malfunctions that make the website inoperable for any period of
time, problems with software that disallow customers from accessing their order status, and
failure of logon procedures for accounts. Privacy is particularly important for online
customers. Basic Requirements needs to take many actions to ensure that customer
information is kept private. This means ensuring that hackers cannot steal mailing lists
and that there is no unauthorized access to customer accounts. A small business such as
Basic Requirements will have difficulty in segregating duties to ensure that there are multiple
controls over access to information. Store workers need to be carefully monitored and
cautioned over discussion or dissemination of customer information.
2.
Risk                                        Control
Hacker access to web site                   Maintain anti-virus software
                                            Use acceptable length passwords
Student access to computers (physical)      Do not leave student customers in store alone
Student access to accounts or passwords     Do not use group logons for access in office
(logical)                                   Use a hierarchy of passwords and logons to
                                            secure sections of the system
                                            Change default passwords of system
                                            administrators
Hardware and software malfunctions          Maintain anti-virus software
                                            Maintain proper environmental conditions
                                            over hardware
                                            Have backup and contingency plans and test
                                            them
Failure of logon procedures                 Provide quick response to online customers
                                            experiencing difficulties with logon or
                                            forgotten passwords
                                            Be sure to describe logon procedures fully
                                            to online customers, including case
                                            sensitivity of passwords. Possibly maintain
                                            a system for forgotten passwords where a
                                            private question is used to authenticate
                                            (e.g., mother's maiden name)
Student workers compromising privacy        Check student references
                                            Convey policies and privacy warnings to
                                            workers

3. To be effective, an internal control must be auditable. This means that the auditor must be
able to inspect it. For example, Kara might tell the auditor that she always checks
references of student workers. However, if she doesn't maintain documentation showing
this was done, the auditor has no way to verify her assertion. The IT auditor could check all
of the controls described in Part 2 in a variety of ways, providing that Basic Requirements
kept evidence of those controls. Some specific examples are:
The IT auditor would check that the system uses current versions of anti-virus
software and that there is a subscription that allows for continuous updates
The IT auditor will check the access control software to view the requirements for
passwords with respect to length
The IT auditor will check the user listing for the system to ensure that there are no
group passwords (e.g., STUCSTMR)
The IT auditor will ask to see evidence that management has checked references of
workers (e.g., reference letters, logs of phone interviews)
The IT auditor will test the system to see if the described logon procedures actually
work
12-13.

Tiffany Martin, CPA (Information Technology Audit Skills)

1. Unfortunately, Dick's approach is a typical one. Small accounting firms, in particular, lack
personnel with information systems audit expertise. The inability of a financial auditor to
understand risks associated with computerized processing poses a threat to the validity of the
audit process.
Expanding the scope of an audit to 100% of all transactions is one way to reduce risk.
However, it is inefficient as significantly increased substantive testing is costly. It is also not
as beneficial to the client as a controls review would be. If errors are found, the sources of
the errors will still be unknown with increased transaction testing. A controls review would
show where potential problems are and the scope of the audit could be adjusted
accordingly.
2. Tiffany should suggest calling in personnel who are experienced in information systems
auditing for a controls review. If the firm does not employ these personnel, this stage of the
audit should be subcontracted. The firm might decide in future hiring to take on some
personnel with accounting information systems or management information systems
backgrounds.

3. Public accounting firms are faced with a dilemma. The nature of auditing is changing rapidly
due to computerized information systems. Many firms are moving towards the concept of
providing "assurance" rather than "audit" services to clients. These call for different training
for personnel and non-traditional hiring practices. Hiring a certain number of accounting
majors and a certain number of management information systems majors will not solve the
problem. Accountants and systems staff need to be cross-trained. Without the ability for
financial and information systems auditors to communicate with each other, the audit will be
both inefficient and ineffective. For instance, financial auditors might be told to call in
information systems auditors for engagements where the information systems processing
has a certain level of complexity. The information systems auditors may then evaluate the
general and application controls associated with computerized processing and deliver a
report detailing this evaluation to the financial auditors. Unless the financial auditors
understand what lies behind the report, they are likely to disregard it and expand the scope
of the audit to a conservative level with respect to risk.
4. Tiffany needs to call in information systems auditors for this particular engagement. She
should also work with them so that she understands what they are doing. In addition, the
firm should provide her with some formal training in information systems technology and
information systems controls. One thing an accounting firm can do to facilitate cross-understanding between financial auditors and information systems auditors is to have
individual members of each group work in the other group's area for a certain period of time
each year.
12-14.

Consolidated Company (Audit Program for Access Controls)

1. There are many risks associated with a lack of controls to restrict logical access to programs
and data. These include posting of erroneous or fraudulent transactions allowed by
bypassing approval levels and segregation of duties controls.
2. It is important to include an audit of User IDs and passwords in order to evaluate the levels
of access allowed and the potential for breaching access controls. This evaluation might
also allow the auditor to consider what mitigating controls could be used to protect data.
Any breach in logical access puts all assets of an organization, including information and
data, at risk.
3. There are many different control procedures that Jason could use to ensure that only
authorized users access the system. Some of them are:
Unique IDs - each user is assigned their own unique ID and a system setting exists
to prevent the same ID being used twice
Preloaded IDs - the passwords for preloaded IDs are changed or these are
locked/deleted
Groups - groups are established within the application according to SoD
determinations and group rights are reviewed periodically
Periodic review - individual rights and access is reviewed regularly by appropriate
management
Automated removal - when a user is terminated they are automatically removed from
having ERP access or a strong manual process is in place
Job changes - a process is in place to change user rights when a user's job title
changes
Passwords are of a certain length, complex, rotating, and an indefinite lockout exists
Process to add users requires documented authorization from management
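An added example (not part of the solutions manual) that automates several of the user-listing checks Jason's audit program in 12-14 part 3 calls for, together with the group-logon check from 12-12 part 3 (a shared ID such as STUCSTMR). The record layout, the policy thresholds (12-character minimum, 90-day rotation, 5-attempt lockout, 180-day rights review) and the sample users are assumptions constructed for the demonstration.

```python
# Added example: review a user listing and the password settings against the
# access controls listed in 12-14 (unique IDs, preloaded IDs, periodic review,
# automated removal, password rules) and the group-logon check from 12-12.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class UserRecord:
    user_id: str
    status: str                  # "active" or "terminated"
    kind: str                    # "individual", "group" or "preloaded" (vendor default)
    default_pw_changed: bool = True
    locked: bool = False
    last_rights_review: Optional[date] = None   # last management review of rights


# Assumed policy thresholds (the text says "a certain length"; 12 is my choice).
POLICY = {"min_length": 12, "complexity": True, "max_age_days": 90, "lockout_threshold": 5}


def review_password_settings(settings: dict) -> list:
    """Compare the system's password settings with POLICY; one finding per gap."""
    findings = []
    if settings.get("min_length", 0) < POLICY["min_length"]:
        findings.append("password minimum length below policy")
    if not settings.get("complexity", False):
        findings.append("password complexity not enforced")
    if settings.get("max_age_days", 10**9) > POLICY["max_age_days"]:
        findings.append("password rotation interval too long")
    if settings.get("lockout_threshold", 0) == 0:
        findings.append("no account lockout after failed logons")
    return findings


def review_user_listing(users: list, today: date, review_days: int = 180) -> list:
    """Return one finding per control failure found in the user listing."""
    findings, seen = [], set()
    for u in users:
        if u.user_id in seen:                       # unique-ID control
            findings.append(f"{u.user_id}: duplicate ID")
        seen.add(u.user_id)
        if u.kind == "group":                       # actions not attributable to a person
            findings.append(f"{u.user_id}: group logon, actions not attributable")
        if u.kind == "preloaded" and not u.default_pw_changed and not u.locked:
            findings.append(f"{u.user_id}: preloaded ID with default password still usable")
        if u.status == "terminated" and not u.locked:   # removal on termination
            findings.append(f"{u.user_id}: terminated user still enabled")
        if u.status == "active" and (u.last_rights_review is None
                                     or (today - u.last_rights_review).days > review_days):
            findings.append(f"{u.user_id}: access rights not reviewed in {review_days} days")
    return findings


# Constructed sample listing and audit date (not real data).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_USERS = [
    UserRecord("kara", "active", "individual", last_rights_review=date(2024, 3, 1)),
    UserRecord("STUCSTMR", "active", "group", last_rights_review=date(2024, 3, 1)),
    UserRecord("admin", "active", "preloaded", default_pw_changed=False),
    UserRecord("jdoe", "terminated", "individual", last_rights_review=date(2024, 3, 1)),
    UserRecord("kara", "active", "individual", last_rights_review=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for line in review_user_listing(SAMPLE_USERS, AUDIT_DATE):
        print(line)
```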
