Module 6

AUDITING WITH TECHNOLOGY

A. Basic Audit Sampling Concepts


1. Definition of Sampling

a. Audit Sampling

To obtain evidence that user identification and password controls are functioning as designed, an auditor would
most likely examine a sample of assigned passwords and access authority, which allows the auditor to test the
effectiveness of the controls.

To strengthen internal control by making it difficult for one to create a valid customer account number,
a check digit can be included. The check digit, which is normally at the end of an account number, may be
placed consistently in any position in the account number when adequate computer programming exists.

An auditor wishes to test this file to determine whether credit limits are being exceeded. The best procedure
for the auditor is to develop a program that compares actual account balances with the predetermined credit
limit and prepares a report on whether any actual credit limits are being exceeded.

Major reasons for maintaining an audit trail for a computer system:

1. Deterrent to irregularities
2. Monitoring purposes
3. Query answering

Auditors usually begin by considering general control procedures. Since the effectiveness of specific
application controls is often dependent on the existence of effective general controls over all computer
activities, this is usually an efficient approach.

Parallel simulation and controlled reprocessing are likely to be more effective in an environment that
does not involve continuous auditing.

Embedded audit modules are programmed routines incorporated directly into an application program
that help auditors perform audit functions, such as calculations, and allow continuous
monitoring.

The database administrator ordinarily controls access to the database and is the individual with whom
an auditor would most likely discuss specific access controls.

The term "join" is well established in information technology as the combination of various
tables, or parts of tables.

Data control language is composed of commands used to control a database, including controlling
which users have various privileges (e.g., who is able to read from and write to various portions of the
database).

Data manipulation language is composed of commands used to maintain and query a database,
including updating, inserting in, modifying and querying (asking for data).

Data definition language is used to define a database, including creating, altering, and deleting tables
and establishing various constraints.

Destructive updating in an on-line computer system is destructive of transaction files. Accordingly,
auditing of the balances in accounts where transactions are periodically destroyed requires a
well-documented audit trail for the auditor.

If controls related to the computer appear adequate, the auditor should test them unless:
1. It is determined that the costs of testing are expected to exceed the possible savings in
substantive tests.
2. The review of the system indicates that there are conditions which would preclude reliance on
the system.
3. The controls are redundant to other internal control activities.

The advantage of using a value-added network for EDI transactions is reviewing transactions submitted
for processing and comparing them to related outputs.

The auditor's study and evaluation of a client's computer system includes tests of controls. An
examination of the machine room log book to verify that control information is properly
recorded would be such a test.

Auditing around the system is possible if the system performs uncomplicated processes and produces
detailed output.

Auditing by testing the input and output of a computer system instead of the computer program itself will not
detect program errors which don’t show up in the output sampled.
