1. Chapter 12 The Impact of Information Technology on the Audit Process
Dr. Mohamed A. Hamada

2. 1. What Are Differences Between Manual & Computerized Accounting?
Manual accounting requires that all journal entries, invoices and other financial documents be created by hand.
Computerized accounting allows users to input information into accounting software programs.

3. Speed
Computerized accounting produces information much faster than manual accounting.
Accounting software packages, such as QuickBooks and Peachtree, come with built-in databases that allow users to input data.
Accuracy
Manual accounting systems are prone to mathematical errors and misplaced numbers. With a computerized accounting system, your company data is automatically calculated based on numbers you input.

4. Financial Statements
Computerized accounting systems allow financial statements to be created from information stored in the database.
Cost
The cost of computerized accounting systems can range from hundreds to thousands of dollars for large businesses.
A computerized accounting system may save on man hours used for creating financial statements and other reports. For this reason, many small and mid-sized businesses use computerized accounting software.

5. Reports
Reports are created in a timely manner when using a computerized accounting system.
Reports generated from computerized accounting software allow managers to run the company in a more efficient manner.

6. Safety
Accounting records kept on the manual system can be lost or damaged easily, such as by coffee spills. On the other hand, records kept by a computer are likely to be safer because many systems are backed up often.
If you lose pages in a paper pad, you may have to recreate the transactions by conducting research and writing them in again.
In a computerized system, you simply restore the latest backup and add a few transactions that were not saved.

7. Organization
Data processed through software is organized and easy to find.
Accounting programs organize the information in one place, classified by type. For instance, if you want to find certain data about a vendor, you can go to the accounts payable section of the software, usually by clicking a link or tab, and conduct a search for the vendor.
If you conduct the same process on a manual system, you may have to go through several pages and take your time to find what you're looking for.

8. Main feature of Computerized Auditing Environment
All tasks are performed electronically. In other words, the transactions and events are recorded in electronic records with electronic evidence
Electronic data interchange and online transaction are expanded
The auditing process is carried out during the year in continuously form not at the end of the year.
Technological techniques such as neural networks to detect fraud and errors in financial statements, and expert systems
Furthermore, software agent could be used to collect the electronic audit evidence

9. Main differences between traditional and computerized auditing
The way in which transactions are recorded
The way in which such recording must be controlled and authenticated
The training, skills needed and attitudes of responsible staff, on both the management and technical levels
The way in which the process and its results must be audited.

10. Learning Objective 1
Describe how IT improves internal control.

11. How Information Technologies Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available

12. Internal Control - Economy, efficiency and effectiveness of operations
Is a process affected by the company’s board of directors , management and other personnel.
It provides reasonable assurance regarding the achievement of the following objectives:
- Economy, efficiency and effectiveness of operations
Internal financial control
Compliance with applicable lows and regulations

13. Main objectives of the Internal Control
Safeguard assets of the organization
Ensure the accuracy and reliability of accounting records and information
Promote the efficiency in the firm’s operations
Measure compliance with management’s prescribed policies and procedures

14. Classifications of system controls in Computerized systems
General controls
Application controls

15. General controls Application controls Input controls
Organizational and operating controls
Business continuity and disaster recovery planning
Program development and documentation controls
Hardware controls
Access controls
Application controls
Input controls
Processing controls
Output controls

16. General controls
Concern all computer activities. They relate to all many computerized accounting activities
They include control over the development, modification and maintenance of computer programs

17. Application controls
are controls involved inside the system to ensure that all data that be entered into the system are valid and will not cause the system failure, controls that ensure proper processing of transactions and controls that include reports, checks, documents, and other printed or displayed information

18. Learning Objective 2
Identify risks that arise from using an IT-based accounting system.

19. Assessing Risks of Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and
separation of IT duties

20. Risks to Hardware and Data
Reliance on the functioning capabilities
of hardware and software
Systematic versus random errors
Unauthorized access
Loss of data

21. Reduced Audit Trail Visibility of audit trail
Reduced human involvement
Lack of traditional authorization

22. Need for IT Experience and Separation of Duties
Reduced separation of duties
Need for IT experience

23. Learning Objective 3
Explain how general controls and application controls can reduce IT risks.

24. General Controls Administration of IT function Separation of IT duties
Systems development
Physical and online security
Backup and planning
Hardware controls

25. Administration of the IT Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.

26. Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator
Systems
Development
Operations
Data
Control

27. Systems Development Typical test strategies Pilot testing
Parallel testing

28. Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on
security software

29. Backup and Contingency Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.

30. Hardware Controls These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.

31. Application Controls Input controls Processing controls
Output controls

32. Input Controls These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.

33. Batch Input Controls
Financial total
Hash total
Record count

34. Processing Controls Validation test Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test

35. Output Controls These controls focus on detecting errors
after processing is completed rather
than on preventing errors.

36. Learning Objective 4
Describe how general controls affect the auditor’s testing of application controls.

37. Impact of Information Technology on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and
substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments

38. A. Phases of the Information Systems Audit
1. Initial review and evaluation of the area to be audited, and the audit plan preparation
2. Detailed review and evaluation of controls
3. Compliance testing
4. Analysis and reporting of results

39. B. Structure of the Financial Statement Audit
Transactions
Accounting
System
Financial
Reports
Financial Statement Audit Substantive Testing
Interim Audit
Compliance Testing

40. B1. Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

41. Please confirm that the balance of your account
B2. Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.
Audit Confirmation
To ABC Co. Customer:
Please confirm that the balance of your account
on Dec. 31 is _____ .

42. C. Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.
Processing

43. D. Auditing With The Computer
The utilization of the computer by an auditor to perform some audit work that would otherwise have to be done manually.

44. E. Auditing Through the Computer
The process of reviewing and evaluating the internal controls in an electronic data processing system.
Audit

45. Audit Software Techniques
Information technology gives auditors a new set of techniques for examining the automated business environment,
Audit software provides auditors with the ability to extract information from several files, with different database management systems, in order to search for underlying patterns or relationships among data.
Audit software is computer programs that help auditors achieve the various tasks of auditing process.

46. Computer Assisted Audit Techniques (CAATs),
Consist of package of programs; purpose written programs, utility programs or system management programs
• Generalized Audit Software (GAS)
• Test data
• Integrated Test Facilities (ITF)
• Parallel Simulation
• Snapshot
• Mapping
• Embedded audit module EAM

47. A. Review of Systems Documentation
The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes test or real data through the program logic.

48. B. Test Data
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

49. Illustration of Test Data Approach
Computer Operations
Auditors
Prepare Test
Transactions
And Results
Transaction
Test Data
Computer
Application
System
Manually
Processed
Results
Computer
Output
Auditor Compares

50. Test Data Approach 1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors’ test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
client’s records.

51. Test Data Approach Input test transactions to test key control
procedures
Master files
Application programs
(assume batch system)
Transaction files
(contaminated?)
Contaminated
master files
Control test
results

52. Test Data Approach Control test results Auditor makes comparisons
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Differences between
actual outcome and
predicted result

53. C. Integrated Test Facility (ITF) Approach
A common form of an ITF is as follows:
A dummy ITF center is created for the auditors.
Auditors create transactions for controls they want to test.
Working papers are created to show expected results from manually processed information.
Auditor transactions are run with actual transactions.
Auditors compare ITF results to working papers.

54. Illustration of ITF Approach
Computer Operations
Auditors
Actual
Transactions
ITF
Transactions
Prepare ITF
Transactions
And Results
Computer
Application
System
Data Files
ITF Data
Reports
With Only
Actual Data
Reports
With Only
ITF Data
Manually
Processed
Results
Auditor
Compares

55. Parallel Simulation The auditor uses auditor-controlled software
to perform parallel operations to the client’s
software by using the same data files.

56. Parallel Simulation Production transactions Master file
Auditor-prepared
program
Client application
system programs
Auditor
results
Client
results
Auditor makes comparisons between
client’s application system output and
the auditor-prepared program output
Exception report
noting differences

57. Illustration of Parallel Simulation
Computer Operations
Auditors
Actual
Transactions
Computer
Application
System
Auditor’s
Simulation
Program
Actual Client
Report
Auditor Compares
Auditor
Simulation
Report

58. Embedded Audit Module Approach
Auditor inserts an audit module in the
client’s application system to identify
specific types of transactions.
Embedded Audit Modules. EAMs are subroutines embedded in the client’s information system that perform control and audit procedures at the same time as the normal application processing

59. Example of EAMs : (Debreceny et, al., 2005)
JOIN INVENTORY to SUPPLIER, PURCHASES
SELECT supplier ID, [(purchase Price- standard Price) purchase Volume]
FROM INVENTORY-SUPPLIER-PURCHASES
IF purchase Price/standard Price > 1.05 OR purchase Price/standard Price < 0.95
RUN trigger

60. End of Chapter 12