Slide 1ObjectivesBenefits of Audit AutomationUse of software toolsAudit productivity toolsCAATsApplication TestingSamplingData AnalysisOther CATTSComputer ForensicsComputer Forensics: ChallengesCase: Holt Valley Hospital ServicesCHAPTER 4: AUDITING INFORMATION TECHNOLOGY USING COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUESMBAD 7090Fall, 20081IS Security, Audit, and Control (Dr. Zhao)OBJECTIVESAudit Productivity ToolsComputer-Assisted Audit Techniques (CAATs)Computer Forensics Methods and TechniquesFall, 20082IS Security, Audit, and Control (Dr. Zhao)BENEFITS OF AUDIT AUTOMATIONIncrease audit productivity and coverageProvide responsiveness to the changeEnhance service quality by having a standard set of audit tools and proceduresBetter knowledge managementFall, 20083IS Security, Audit, and Control (Dr. Zhao)Risk AssessmentAudit ScheduleAudit ProgramAudit TestsAnalysisAudit ResultsReportingBudgetUSE OF SOFTWARE TOOLSTwo categoriesAudit productivity tools: automate the audit function and integrate information gatheredComputer-assisted audit tools (CAATs): tools for substantive audit tests such as data and control evaluationAppropriate use and application of CAATTs relies on appropriate training, sharing of experiences, and supervision.Fall, 20084IS Security, Audit, and Control (Dr. Zhao)AUDIT PRODUCTIVITY TOOLSPlanning and tracking audit activitiesSpreadsheets or project management toolsDocumentation and presentationsWord, PowerPoint, flowcharting, etc.CommunicationsData managementA central knowledge base, a central repository of historical dataGroupwareFor distributed workforcesInformation sharing & individual customizationDocument-oriented databasesExample: Lotus NotesFall, 20085IS Security, Audit, and Control (Dr. Zhao)CAATSValidate the processTest for the existence and execution of computer controls at all levelsGather information and data from production cyclesSupport audit findingsGather evidenceExamples:Audit Command Language (ACL)Interactive Data Extraction and Analysis (IDEA)Fall, 20086IS Security, Audit, and Control (Dr. Zhao)APPLICATION TESTINGSubmit a set of test data that will produce known resultsBoth valid and invalid transactionsParallel simulationA copy of original programReperform the logic of the applicationCould partially duplicate the application logic to test key functionsContinuous monitoringExtract anomalies in real timeFall, 20087IS Security, Audit, and Control (Dr. Zhao)SAMPLINGJudgmental samplingSelect the sample based on the auditor’s experienceItem of audit interestsSpecify criteria based on amount, time, region, etc.Statistical samplingRandom selectionRepresentative of the populationVarious methodsRandom number samplingsCluster samplingFall, 20088IS Security, Audit, and Control (Dr. Zhao)DATA ANALYSISGoal: using computers to compare and summarize dataHistogramGraphical representationIdentify relationships among dataModelingIdentify trends or patterns for evaluating reasonablenessComparative analysisCompare same data at different time periodsFall, 20089IS Security, Audit, and Control (Dr. Zhao)OTHER CATTSTransaction tagging:Follow a selected transaction through the entire application (e.g., Trace function)SnapshotExamine selected variablesCheck the value before and after a certain processIntegrated test facilityCreate a fictitious entity, such as a customer, within the context of the regular applicationProcess test transaction together with live inputsFall, 200810IS Security, Audit, and Control (Dr. Zhao)COMPUTER FORENSICSComputer criminals become more advanced right along with the technologyFast developing fieldA few rules:Never work on the original evidenceEstablish and maintain a continuing chain of custodyDocument everythingFall, 200811IS Security, Audit, and Control (Dr. Zhao)COMPUTER FORENSICS: CHALLENGESAdvancement of encryptionMaintaining credible certifications and industry standardsMore standards need to be developedHiding dataVarious data storage mediaChange file extensionRequires high degree of patience and perseveranceA videoFall, 200812IS Security, Audit, and Control (Dr. Zhao)CASE: HOLT VALLEY HOSPITAL SERVICESHolt Valley Hospital Services, Inc., is a large health care services company that acquired W. Wilson Hospital, an acute-acre hospital, this past year. This is a large facility with a typically long collection cycle for its patients’ accounts receivable. During the annual audit, the “Big Four” auditors supplied a year-end aged accounts receivable trial balance to the internal audit staff. Now, three month later, the internal audit team needs to determine subsequent collections on 22,567 patient accounts.Q1: What is the audit objective?Q2: Discuss functions in which use of a computer would be helpful to the auditors in meeting that objectives.Fall, 200813IS Security, Audit, and Control (Dr.