AUDCIS - 2022 - Mod5 - Tools and Techniques in IT Audit

1. Key audit productivity tools and techniques used in IT audits include audit planning and tracking software, documentation and presentation tools, communication technologies, data management systems, and electronic working papers. 2. Important system documentation techniques auditors use are flowcharting, entity-relationship diagrams, data flow diagrams, and business process diagrams to understand application systems and document controls. 3. Computer-assisted audit techniques (CAATs) like ACL, IDEA, Access, and Excel help auditors evaluate application controls, integrity, and compliance and analyze computerized data for substantive tests.

Uploaded by Bea Garcia
Tools and Techniques Used in Auditing IT
AUDCIS Module 5
Learning Objectives

1. Define auditor productivity tools and describe how they assist the audit process.
2. Describe techniques used to document application systems, such as flowcharting, and how these techniques are developed to assist the audit process.
3. Explain what Computer-Assisted Audit Techniques (CAATs) are and describe the role they play in the performance of audit work.
4. Describe the various CAATs used for reviewing applications, particularly the audit command language (ACL) audit software.
5. Differentiate between “Auditing Around the Computer” and “Auditing Through the Computer.”
6. Describe computer forensics and sources to evaluate computer forensic tools and techniques.
Tools and techniques used in IT audits

• Audit productivity tools—software that helps auditors reduce the amount of time spent on administrative tasks by automating the audit function and integrating information gathered as part of the audit process.
• System documentation techniques—methods, such as flowcharting, data flow diagrams, and business process diagrams, applied to document and test application systems, IT processes, and their integration within the IT environment.
• Computer-assisted audit techniques (CAATs)—software that helps auditors evaluate application controls, and select and analyze computerized data for substantive audit tests.
Audit Productivity Tools

• Audit planning and tracking
• Documentation and presentations
• Communication
• Data management, electronic working papers, and groupware
• Resource management
Audit planning and tracking

• Necessary tasks in any audit planning:
  • Developing an audit universe with all of the potential audit areas within the organization,
  • a risk assessment prioritizing these audit areas,
  • an audit schedule, and
  • a budget to track audit progress
• Solutions such as spreadsheets, database software, and/or project management software
• Example: MS Excel, MS Access, Google Sheets, Asana, Trello
Documentation and presentations

• Microsoft Office Suite – creation and presentation of documents
• Video conferencing, video capture software
Communication

• Required computer hardware, media hardware, protocol handlers, desired terminal software emulator and high-speed wired or wireless connectivity
• Electronic connectivity through portals
• Video conferencing capabilities – Zoom, Cisco WebEx, Citrix GoTo Meetings and Adobe Connect
Data Management, Electronic Working Papers and Groupware

• Database as central data repository
  • archive of historical risk, audit schedule and budget data
  • monitor and have immediate access to critical activity such as audit schedule status, field audit status, fraud or shortage activity and training and development progress
• Electronic Working Papers (EWP)
  • Creating, documenting, reviewing and storing audit work
• Groupware or collaborative software – specialized tool or assembly of compatible tools that allows collaborative work
System Documentation Techniques

• To understand the relationship of each application to the conduct of the organization’s or client’s business, and to document such understanding.
• Entity-relationship diagrams (ERD)
• Data flow diagram (DFD)
• Business process diagram
• Flowchart

Sample entity-relationship diagram (ERD)
Sample data flow diagram (DFD)
Sample business process diagram
Sample flowchart
Flowcharting as an Audit Analysis Tool

• Auditors prepare flowcharts using standard symbols and techniques to represent application systems, workflows, or processes.
• Flowcharts represent a method for identifying and evaluating control strengths and weaknesses within a financial application system under examination.
• The flowcharting process leads to evaluation of:
  • Quality of system documentation
  • Adequacy of manual or automated controls over documents
  • Effectiveness of processing by computer programs (i.e., whether the processing is necessary or redundant and whether the processing sequence is proper)
  • Usefulness of outputs, including reports and stored files

Common flowchart symbols
Understanding How Applications Process Data

• Reviewing corporate documentation, including system documentation files, input preparation instructions, and user manuals
• Interviewing organization personnel, including users, systems analysts, and programmers
• Inspecting, comparing, and analyzing corporate records
Identifying Documents and Their Flow through the System

• Sources and source document(s), by title and identification number, with copies of the forms attached
• Point of origin for each source document
• Each operating unit or office through which data are processed
• Destination of each copy of the source document(s)
• Actions taken by each unit or office in which the data are processed (e.g., prepared, recorded, posted, filed, etc.)
• Controls over the transfer of source documents between units or offices to assure that no documents are lost, added, or changed (e.g., verifications, approvals, record counts, control totals, arithmetic totals of important data, etc.)
• Recipients of computer outputs
Defining Data Elements

• The organization’s data element dictionary is a good source for such definitions.
• If a data dictionary is not available, a record layout may contain the needed definitions.
Developing Flowchart Diagrams

• Narrative descriptions of all major application systems
• All manually prepared source documents that affect application processing as well as corresponding coding sheets and instructions for data transcription
• Record layouts for all major computer input and output records, computer master files, and work files (such as update or file maintenance tapes and computation tapes)
• All major outputs produced by the application system
• Lists of standard codes, constants, and tables used by the application
Evaluating the Quality of System Documentation

• There are two basic questions to answer:
  • Is the documentation accurate?
  • Is the documentation complete?
Assessing Controls over Documents

• Control points on the flowcharts should be identified and evaluated.
• The auditor can
  • determine whether controls have been used and, if so,
  • highlight gaps, strengths, and weaknesses within the system.
• Identified controls, including automated and IT-dependent application controls, should be adequately designed and implemented in order to mitigate risks.
Determining the Effectiveness of Data Processing

• The audit staff should determine how effective data processing is by identifying problem areas, such as the ones below, in the processing cycle:
  • Redundant processing of data or other forms of duplication
  • Bottleneck points that delay or congest processing
  • Points in the operating cycle at which clerks do not have enough time to review output reports and make corrections
Evaluating the Accuracy, Completeness, and Usefulness of Reports

• The audit staff should review key or major outputs (e.g., edit listings, error listings, control of hour listings, etc.) of the financial application system and determine if the outputs are accurate, complete, and useful as intended.
• The auditor should confirm the accuracy, completeness, and usefulness of the generated reports by interviewing appropriate users.
Computer-Assisted Audit Techniques (CAATs)

• CAATs can be used by both IT and financial auditors in a variety of ways:
  • to evaluate the integrity of an application,
  • determine compliance with procedures, and
  • continuously monitor processing results.
• Review applications to gain an understanding of the controls in place to ensure the accuracy and completeness of the information generated.
• When adequate application controls are identified, the IT auditor performs tests to verify their design and effectiveness.
• When controls are not adequate, IT auditors perform extensive testing to verify the integrity of the data. To perform tests of applications and data, the auditor may use CAATs.
Common CAATs

• ACL and Interactive Data Extraction and Analysis (IDEA)
  • can be used to select a sample, analyze the characteristics of a data file, identify trends in data, and evaluate data integrity.
• Microsoft Access and Microsoft Excel
  • Microsoft Access can be used to analyze data, create reports, and query data files.
  • Microsoft Excel also analyzes data, generates samples, creates graphs, and performs regression or trend analysis.
• SAP Audit Management
  • SAP Audit Management facilitates the documentation of evidence, organization of working papers, and creation of audit reports. This technique also provides analytical capabilities to shift the focus of audits from basic assurance to providing insight and advice.
Broad Categories of Computer Auditing Functions

• Three broad categories of computer auditing functions can be identified:
  • Items of audit interest
  • Audit mathematics
  • Data analysis
Items of Audit Interest

• The auditor can use the computer to select items of interest, such as material items, unusual items, or statistical samples of items, by, for instance, stipulating specific criteria for the selection of sample items, or by stating relative criteria and letting the computer do the selection.
Audit Mathematics

• Performing extensions or footings
• Although it can be programmed to make many logical comparisons and tests, the computer cannot supplant human judgment in examining items to be tested.
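The selection criteria of the Items of Audit Interest slide and the extensions and footings of the Audit Mathematics slide, as an added Python example that is not part of the AUDCIS slides. The invoice lines, the client's posted control total, the materiality threshold and every function name are assumptions constructed for this illustration.

```python
"""Added example (not from the AUDCIS slides): selecting items of audit
interest and recomputing extensions and footings on a constructed invoice
file. Data, threshold and helper names are assumptions for this illustration."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class InvoiceLine:
    invoice: str
    qty: int
    unit_price: float   # as posted by the client
    extension: float    # qty * unit_price as posted by the client
    vendor: str


# Constructed sample: one material item, one unusual item (negative quantity)
# and one line whose posted extension does not agree with qty * unit_price.
LINES = [
    InvoiceLine("INV-1001", 10, 25.00, 250.00, "ACME"),
    InvoiceLine("INV-1002", 3, 4000.00, 12000.00, "Globex"),    # material
    InvoiceLine("INV-1003", -2, 25.00, -50.00, "ACME"),         # unusual
    InvoiceLine("INV-1004", 7, 12.50, 87.50, "Initech"),
    InvoiceLine("INV-1005", 4, 30.00, 130.00, "Initech"),       # bad extension
    InvoiceLine("INV-1006", 1, 999.99, 999.99, "Umbrella"),
]
POSTED_FOOTING = 13407.49   # control total reported by the client (constructed)


def material_items(lines, threshold):
    """Specific criterion: every line at or above the materiality threshold."""
    return [l for l in lines if abs(l.extension) >= threshold]


def unusual_items(lines):
    """Specific criterion: negative quantities or prices, which a purchase
    file should not normally contain."""
    return [l for l in lines if l.qty < 0 or l.unit_price < 0]


def statistical_sample(lines, size, seed=0):
    """Relative criterion: let the computer draw a reproducible random sample."""
    rng = random.Random(seed)
    return rng.sample(lines, size)


def extension_exceptions(lines):
    """Audit mathematics: recompute qty * unit_price and list the lines whose
    posted extension differs by more than a rounding tolerance."""
    return [l for l in lines
            if abs(round(l.qty * l.unit_price, 2) - l.extension) > 0.005]


def foot(lines):
    """Audit mathematics: recompute the column total (footing) from the lines."""
    return round(sum(l.extension for l in lines), 2)


def footing_difference(lines, posted_total):
    """Recomputed footing minus the client's posted total; zero means they agree."""
    return round(foot(lines) - posted_total, 2)


if __name__ == "__main__":
    print("material:", [l.invoice for l in material_items(LINES, 1000)])
    print("unusual:", [l.invoice for l in unusual_items(LINES)])
    print("sample:", [l.invoice for l in statistical_sample(LINES, 2)])
    print("extension exceptions:", [l.invoice for l in extension_exceptions(LINES)])
    print("footing difference:", footing_difference(LINES, POSTED_FOOTING))
```

The computer lists the exceptions (INV-1005's extension and the 10.00 footing difference); deciding whether they are keying errors, cut-off issues or something else is the judgment the slide says it cannot supply.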
Data Analysis

• Data analysis programs use techniques such as:
  • Histograms
  • Modeling
  • Comparative Analysis
CAATs for Auditing Application Controls
Spreadsheet Controls

• Some of the key controls that minimize the risks in spreadsheet development and use include:
  • Understanding the requirements before building the spreadsheet
  • Source of data. Assurances that data being used are valid, reliable, and can be authenticated to the originating source
  • Design review. Reviews performed by peers or system professionals.
  • Formulas, macro commands, and any changes to the spreadsheet should be documented externally and within the spreadsheet
  • Verification of logic. Reasonableness checks and comparisons with known outputs
  • Extent of training. Formal training in spreadsheet design, testing, and implementation
  • Extent of audit. Informal design reviews or formal audit procedures
  • Support commitment. Ongoing application maintenance and support from IT personnel
CAATs for Auditing Application Controls
Database Controls

• Controls that auditors commonly expect to identify (and ultimately assess) within client or organization-prepared databases include:
  • Referential integrity. Prevent deleting key values from related tables
  • Transaction integrity. Restore value of unsuccessful transactions
  • Entity integrity. Create unique record identification
  • Value constraints. Limit values to a selected range
  • Concurrent update protection. Prevent data contention
  • Backup and recovery protection. Ability to back up critical information and applications and restore to continue
  • Testing protection. Perform tests at the systems, application, and unit level
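The first four database controls on this slide (referential, transaction and entity integrity, and value constraints), exercised against an in-memory SQLite database as an added Python example that is not part of the AUDCIS slides. The tables, the sample rows and the statements each control is expected to reject are constructed for this illustration; the point is that an auditor can verify a declared control by trying to violate it rather than by reading the schema alone.

```python
"""Added example (not from the AUDCIS slides): probing database controls an
auditor expects to find. Schema and rows are constructed for this illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,      -- entity integrity: unique record id
    name        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
        REFERENCES customer(customer_id) ON DELETE RESTRICT,  -- referential integrity
    amount      REAL NOT NULL CHECK (amount > 0 AND amount <= 50000)  -- value constraint
);
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when enabled
    con.executescript(SCHEMA)
    con.execute("INSERT INTO customer VALUES (1, 'ACME')")
    con.execute("INSERT INTO invoice VALUES (10, 1, 250.00)")
    con.commit()
    return con


def control_rejects(con, sql, params=()):
    """Run a statement the control is supposed to refuse; True if it was refused.
    Either way the database is rolled back so later probes start clean."""
    try:
        con.execute(sql, params)
        con.rollback()
        return False
    except sqlite3.IntegrityError:
        con.rollback()
        return True


def probe_referential_integrity(con):
    # Deleting a customer that still has invoices must be refused.
    return control_rejects(con, "DELETE FROM customer WHERE customer_id = 1")


def probe_entity_integrity(con):
    # A second row with an existing primary key must be refused.
    return control_rejects(con, "INSERT INTO customer VALUES (1, 'Duplicate')")


def probe_value_constraint(con):
    # A negative invoice amount is outside the permitted range.
    return control_rejects(con, "INSERT INTO invoice VALUES (11, 1, -5.0)")


def probe_transaction_integrity(con):
    """A failure halfway through a two-row posting must leave nothing behind:
    the first insert opens the transaction, the second fails (customer 99 does
    not exist), and the rollback restores the pre-transaction state."""
    try:
        con.execute("INSERT INTO invoice VALUES (12, 1, 100.0)")
        con.execute("INSERT INTO invoice VALUES (13, 99, 100.0)")
        con.commit()
    except sqlite3.IntegrityError:
        con.rollback()
    left_behind = con.execute(
        "SELECT COUNT(*) FROM invoice WHERE invoice_id IN (12, 13)").fetchone()[0]
    return left_behind == 0


def run_all():
    """Return a control -> passed map; a False value is an audit exception."""
    con = open_db()
    return {
        "referential_integrity": probe_referential_integrity(con),
        "entity_integrity": probe_entity_integrity(con),
        "value_constraint": probe_value_constraint(con),
        "transaction_integrity": probe_transaction_integrity(con),
    }


if __name__ == "__main__":
    for control, passed in run_all().items():
        print(f"{control:24s} {'OK' if passed else 'EXCEPTION'}")
```

The `PRAGMA foreign_keys = ON` line is the kind of detail this testing surfaces: a schema can declare referential integrity that the engine is not actually enforcing, and only an attempted violation shows which is the case.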
CAATs for Operational Reviews

• Specific activities in an operational review include:
  • Review operating policies and documentation
  • Confirm procedures with management and operating personnel
  • Observe operating functions and activities
  • Examine financial and operating plans and reports
  • Test accuracy of operating information
  • Test operational controls
Auditing Around the Computer vs. Auditing Through the Computer

• Auditing around the computer or “black box auditing approach”
  • The auditor obtains source documents that are associated with particular input transactions and reconciles them against output results. Hence, audit supporting documentation is drawn and conclusions are reached without considering how inputs are being processed to provide outputs.
• Auditing through the computer
  • The auditing through the computer approach includes a variety of techniques to evaluate how the application and its embedded controls respond to various types of transactions (anomalies) that can contain errors. When audits involve the use of advanced technologies or complex applications, the IT auditor must draw upon techniques combined with tools to successfully test and evaluate the application.
Integrated Test Facility

• Integrated test facilities are built-in test environments within a system. This approach is used primarily with large-scale, online systems serving multiple locations within the company or organization. The test facility is composed of a fictitious company or branch, set up in the application and file structure to accept or process test transactions as though it were an actual operating entity. Throughout the financial period, auditors can submit transactions to test the system.
Test Data

• This technique involves methods of providing test transactions to a system for processing by existing applications. Test data provide a full spectrum of transactions to test the processes within the application and system. Both valid and invalid transactions should be included in the test data as the objective is to test how the system processes both correct and erroneous transaction input. For a consumer credit card service, such transactions may be invalid account numbers, accounts that have been suspended or deleted, and others. If reliance is placed on program, application, or system testing, some form of intermittent testing is essential. Test data generators are very good tools to support this technique but should not be relied on entirely for extreme condition testing.
Parallel Simulation

• Parallel simulation involves the separate maintenance of two presumably identical sets of programs. The original set of programs is the production copy used in the application under examination. The second set could be a copy secured by auditors at the same time that the original version was placed into production. As changes or modifications are made to the production programs, the auditors make the same updates to their copies. If no unauthorized alteration has taken place, running the same inputs through each set of programs and comparing the results should show no differences. Another way is for the auditor to develop pseudocode using higher-level languages (Visual Basic, SQL, Java, etc.) from the base documentation, following the process logic and requirements. For audit purposes, both software applications (test versus actual) would use the same inputs and generate independent results that can be compared to validate the internal processing steps.
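The Test Data and Parallel Simulation slides combined into one added Python example that is not part of the AUDCIS slides. A constructed stand-in for a credit-card posting program is fed test data containing both valid and invalid transactions (the invalid account number and suspended account the Test Data slide mentions, plus a negative amount and a boundary case), and an auditor's independent re-implementation of the documented posting rules is run on the same inputs. The account master, the rules, the transactions and the deliberate discrepancy planted in the "production" routine are all assumptions made for this illustration.

```python
"""Added example (not from the AUDCIS slides): test data plus parallel
simulation. The production routine, the auditor's simulation, the accounts
and the transactions are constructed for this illustration."""
from decimal import Decimal

# Constructed master file: account number -> (status, credit limit, balance)
ACCOUNTS = {
    "4111-0001": ("ACTIVE", Decimal("1000"), Decimal("200")),
    "4111-0002": ("SUSPENDED", Decimal("500"), Decimal("0")),
    "4111-0003": ("ACTIVE", Decimal("300"), Decimal("250")),
}

# Constructed test data: valid and invalid transactions, including an
# extreme (boundary) condition a test-data generator might not think of.
TEST_DATA = [
    ("T1", "4111-0001", Decimal("150.00")),   # valid purchase
    ("T2", "9999-0000", Decimal("10.00")),    # invalid account number
    ("T3", "4111-0002", Decimal("20.00")),    # suspended account
    ("T4", "4111-0003", Decimal("60.00")),    # would exceed the credit limit
    ("T5", "4111-0003", Decimal("50.00")),    # lands exactly on the limit
    ("T6", "4111-0001", Decimal("-5.00")),    # negative amount
]


def production_post(txn_id, account, amount):
    """Stand-in for the client's production program. It carries a constructed
    defect: a purchase that only reaches the limit is rejected, although the
    documented rule rejects only purchases that exceed it."""
    if account not in ACCOUNTS:
        return "REJECT_NO_ACCOUNT"
    status, limit, balance = ACCOUNTS[account]
    if status != "ACTIVE":
        return "REJECT_STATUS"
    if amount <= 0:
        return "REJECT_AMOUNT"
    if balance + amount >= limit:      # defect: should be '>'
        return "REJECT_LIMIT"
    return "POSTED"


def auditor_simulation(txn_id, account, amount):
    """Auditor's independent program written from the base documentation:
    post when the account exists, is ACTIVE, the amount is positive, and
    balance + amount does not exceed the credit limit."""
    if account not in ACCOUNTS:
        return "REJECT_NO_ACCOUNT"
    status, limit, balance = ACCOUNTS[account]
    if status != "ACTIVE":
        return "REJECT_STATUS"
    if amount <= 0:
        return "REJECT_AMOUNT"
    if balance + amount > limit:
        return "REJECT_LIMIT"
    return "POSTED"


def parallel_simulation(transactions):
    """Run the same inputs through both programs and return the transactions
    whose results differ as (id, production result, simulated result).
    An empty list means the two sets of programs agree on this test data."""
    exceptions = []
    for txn_id, account, amount in transactions:
        prod = production_post(txn_id, account, amount)
        sim = auditor_simulation(txn_id, account, amount)
        if prod != sim:
            exceptions.append((txn_id, prod, sim))
    return exceptions


if __name__ == "__main__":
    for exc in parallel_simulation(TEST_DATA):
        print("exception:", exc)
```

Only the boundary transaction T5 surfaces the discrepancy; the five other test transactions, valid and invalid alike, agree between the two programs, which is why the slide warns against relying on generated test data alone for extreme-condition testing.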
Embedded Audit Module

• Programmed audit module that is added to the application under review.
Systems Control Audit Review File (SCARF)

• Systems Control Audit Review File (SCARF) is another real-time technique that can collect specific transactions or processes that violate certain predetermined conditions or patterns. This may be enhanced by decision support software that alerts designated personnel (audit, security, etc.) of unusual activity or items out of the ordinary. Computer forensic specialists can collect data to log files for further review and examination.
Transaction Tagging

• Follows a selected transaction through the application from input, transmission, processing, and storage to its output to verify the integrity, validity, and reliability of the application. Some applications have a trace or debug function, which can allow one to follow the transaction through the application. This may be a way to ensure that the process for handling unusual transactions is followed within the application modules and code.
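The Embedded Audit Module, SCARF and Transaction Tagging slides, combined into one added Python example that is not part of the AUDCIS slides. A small constructed application with input, processing and storage modules calls an embedded audit module at each stage; the module writes every transaction that violates a predetermined condition to a SCARF-style review file, and records the stages a tagged transaction passed through so its path can be traced. The modules, the conditions, the thresholds and the sample transactions are all assumptions made for this illustration.

```python
"""Added example (not from the AUDCIS slides): an embedded audit module that
feeds a SCARF review file and traces tagged transactions. Modules, conditions
and transactions are constructed for this illustration."""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    user: str
    amount: float
    hour: int                  # hour of day the transaction was entered
    audit_tag: bool = False    # set by the auditor on selected transactions
    trace: list = field(default_factory=list)


# Predetermined conditions written to the SCARF file (constructed thresholds;
# "self_approval" stands for entries made under a shared privileged account).
SCARF_CONDITIONS = {
    "amount_over_limit": lambda t: t.amount > 10000,
    "after_hours_entry": lambda t: t.hour < 7 or t.hour > 19,
    "self_approval": lambda t: t.user == "admin",
}


class EmbeddedAuditModule:
    def __init__(self):
        self.scarf_file = []   # rows of (txn_id, stage, condition)

    def review(self, txn, stage):
        """Called by each application module: append violations to the SCARF
        file and, for a tagged transaction, record the stage it passed."""
        if txn.audit_tag:
            txn.trace.append(stage)
        for name, condition in SCARF_CONDITIONS.items():
            if condition(txn):
                self.scarf_file.append((txn.txn_id, stage, name))


# Constructed application modules; each hands the transaction to the audit
# module before passing it on.
def input_module(txn, audit):
    audit.review(txn, "input")
    return txn


def processing_module(txn, audit):
    txn.amount = round(txn.amount, 2)
    audit.review(txn, "processing")
    return txn


def storage_module(txn, audit, store):
    store.append(txn)
    audit.review(txn, "storage")
    return txn


def run_application(transactions):
    """Push every transaction through the three modules; return the audit
    module (holding the SCARF file) and the stored transactions."""
    audit = EmbeddedAuditModule()
    store = []
    for txn in transactions:
        storage_module(processing_module(input_module(txn, audit), audit), audit, store)
    return audit, store


def scarf_summary(audit):
    """Distinct (transaction, condition) pairs to alert designated personnel."""
    return sorted({(txn_id, name) for txn_id, _stage, name in audit.scarf_file})


# Constructed sample: T2 is tagged by the auditor and is also over the limit;
# T3 is an after-hours entry under the privileged account.
SAMPLE = [
    Transaction("T1", "alice", 120.0, 10),
    Transaction("T2", "bob", 25000.0, 11, audit_tag=True),
    Transaction("T3", "admin", 40.0, 22),
]

if __name__ == "__main__":
    audit, store = run_application(SAMPLE)
    print("SCARF summary:", scarf_summary(audit))
    print("trace of tagged T2:", store[1].trace)
```

The raw `scarf_file` keeps one row per stage so an auditor can see where in the application a condition first held, while `scarf_summary` is the de-duplicated view that decision-support software would alert on.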
Computer Forensics Tools

• Computer forensics is the examination, analysis, testing, and evaluation of computer-based material conducted to provide relevant and valid information to a court of law.
• Computer forensics tools are increasingly used to support law enforcement, computer security, and computer audit investigations.
Questions?
End