Chapter 3

DQ

1. The reasons for the start of IT Auditing are:

(a) Auditing around the computer was becoming unsatisfactory for the purpose of data
reliance.
(b) Reliance on controls was becoming highly questionable.
(c) Financial institutions were losing money due to creative programming.
2. Some skills that are needed in order for an auditor to be effective in their field:

Team player - Has the ability to work as a team, whether it is working with the government,
management or training new employees. This person must have the system/business in mind
whenever making decisions and can't be a individual contractor for lack of a better term.

Attention to detail - An auditor has to look at what some people may think is dry information. This
means that an auditor must be able to stay focused and pay great attention to the smallest of
details.

Communication - In pretty much any field now-a-days you have to have good communications skills.
You must be able to communicate via writing or verbally so that upper management knows what's
going on. This will make the company work a lot smoother and make the company perform better.
Also an auditor needs to know when to notify upper management of problems that require their
attention.

3. The examples of auditor’s standard of practice are Yellow Book, Government Accepted Auditing
Standards (GAAS), Red Book (International Professional Practices Framework). Some of the
organizations that produce such standards of practice are the AICPA, IIA, IFAC, CICA, and ISACA.
4. SAS 1 “References in Auditors’ Reports to the Standards of the Public Company Accounting
Oversight Board” This section describes the responsibilities and functions of the independent
auditor. The section also includes distinction between the responsibilities of the auditor and
management and the professional qualifications required by the independent auditor.
5. The incidents that happened with Enron and Equity Funding were extremely important because
they are great high profile examples of auditing failure. These are companies that were making
fraudulent deals and weren’t getting audited and were able to get away with their bad behavior
for a while until it finally came to a head and Enron crashed.
6. The biggest difference is time. An audit using a computer can be quicker making it more
efficient. Where the old way of doing things, on paper, might be preferred by some auditors it is
slower and can be a hassle to make sure you hold onto the audit and not lose it.
7. SAS 48 “The Effects of Computer Processing on the Examination of Financial Statements.” SAS
48 requires auditors to consider the effects of computer processing throughout the whole audit
process, and not just during the evaluation of internal control.
SAS 55 “Consideration of the Internal Control Structure in a Financial Statement”
SAS 78, “Amendment to SAS 55”
SAS 94 “The Effect of Information Technology on the Auditor’s Consideration of Internal Control
in a Financial Statement Audit,”
SAS 99 “Consideration of Fraud in a Financial Statement”
 These are important to external and internal auditors because these standards address the
changes in technology that impact the audit process and the financial statements.
8. The Institute of Internal Auditors (IIA) is an international professional association. It is the
internal audit profession's global voice, recognized authority, acknowledged leader, chief
advocate, and principal educator.
ISACA, previously known as the Information Systems Audit and Control Association is an
independent, nonprofit, global association, engages in the development, adoption and use of
globally accepted, industry-leading knowledge and practices for information systems.
The Government Accountability Office (GAO) is a legislative branch government agency that
provides auditing, evaluation, and investigative services for the United States Congress. It is the
supreme audit institution of the federal government of the United States.
AICPA (American Institute of Certified Public Accountants) represents the CPA profession
nationally regarding rule-making and standard-setting, and serves as an advocate before
legislative bodies, public interest groups and other professional organizations.
IFAC (International Federation of Accountants) is the global organization for the accountancy
profession dedicated to serving the public interest by strengthening the profession and
contributing to the development of strong international economies.
They are important in to internal/external auditors and IT auditors because they set the
standards of practice for auditing function.
9. GAAP is important to IT Auditor because it establishes consistent guidelines for financial
reporting by corporate managers. An auditor, rendering an opinion indicating that financial
statements are presented fairly, stipulates that the financial statements conform to GAAP.
GAAS is important to IT Auditor because it provides broad guidelines and guidance to the
different aspects of auditing.
10. Resources available to train IT auditors are:
(a) Mixture of on-the-job training and in-house programs
(b) Seminars presented by professional organizations or vendor
(c) Traditional university academic environment
11. The basic skills needed to perform in the area IT Auditing are:
a. IT and its application
b. Systems analysis, design, development, and implementation
c. Internal controls and documentation of IS
d. Data structures, database concepts, and management
e. IS applications and processing cycles
f. Management of IS and technology
g. Computer programming languages and procedures
h. Computer communications a nd net works
i. Model-based systems (decision support and expert systems)
j. Systems security and disaster recovery planning
k. Auditing of IT and its role in business
12. For education in IT auditing beyond the bachelor’s degree, the technical proficiency areas
suggested are:
a. Proficiency as an auditor
 b. Ability to review and evaluate IT internal controls and recommend the extent of
audit procedures required
c. Understanding of IT system design and operations
d. Knowledge of programming languages and techniques and the ability to apply
computer-assisted audit techniques and assess their results
e. General familiarity with computer operating systems and soft ware
f. Ability to identify and reconcile problems with client datafile format and
structure
g. Ability to bridge the communications gap between the auditor and the I T
professional, providing support and advice to management
h. Knowledge of when to seek the assistance of an IT professional
13. Some supplemental skill development areas for auditors are communication and negotiation.
14. External auditor evaluates the reliability and the validity of systems controls in all forms. The
principal objective in their evaluation is to minimize the amount of substantial auditing or
testing of transactions required to render an opinion on a financial statement. External auditors
are provided by public accounting firms and also exist in government as well. For example, the
GAO is considered an external reviewer because they can examine the work of both federal and
private organizations where federal funds are provided. From a public accounting firm
standpoint, firms such as Deloitte, Ernst & Young, PriceWaterhouseCoopers (formerly Price
Waterhouse and Coopers & Lybrand), and KPMG have provided these types of external audit
services worldwide.
15. The internal audit function is a control function within a company or organization. The primary
purpose of the internal audit function is to assure that management authorized controls are
being applied effectively.
16. Computer forensics is the practice of collecting, analysing and reporting on digital data in a way
that is legally admissible. It can be used in the detection and prevention of crime and in any
dispute where evidence is stored digitally.

MCQ

1. C
2. D
3. B
4. D
5. C
6. A
7. B
8. D
9. B
10. D