©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Impact of Information Technology on the Audit Process Chapter 12

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 1 Describe how IT improves internal control.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder How Information Technologies Enhance Internal Control  Computer controls replace manual controls  Higher-quality information is available

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 2 Identify risks that arise from using an IT-based accounting system.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Assessing Risks of Information Technologies  Risks to hardware and data  Reduced audit trail  Need for IT experience and separation of IT duties

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Risks to Hardware and Data  Reliance on the functioning capabilities of hardware and software  Systematic versus random errors  Unauthorized access  Loss of data

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Reduced Audit Trail  Visibility of audit trail  Reduced human involvement  Lack of traditional authorization

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Need for IT Experience and Separation of Duties  Reduced separation of duties  Need for IT experience

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 3 Explain how general controls and application controls reduce IT risks.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Internal Controls Specific to Information Technology  General controls  Application controls

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Relationship Between General and Application Controls Cash receipts application controls Sales application controls Payroll application controls Other cycle application controls GENERAL CONTROLS Risk of unauthorized change to application software Risk of system crash Risk of unauthorized master file update Risk of unauthorized processing

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder General Controls  Administration of the IT function  Separation of IT duties  Systems development  Physical and online security  Backup and contingency planning  Hardware controls

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Administration of the IT Function The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Segregation of IT Duties Chief Information Officer or IT Manager Systems Development Operations Data Control Security Administrator

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Systems Development Typical test strategies Pilot testingParallel testing

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Physical and Online Security Physical Controls:  Keypad entrances  Badge-entry systems  Security cameras  Security personnel Online Controls:  User ID control  Password control  Separate add-on security software

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Backup and Contingency Planning One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Hardware Controls These controls are built into computer equipment by the manufacturer to detect and report equipment failures.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Application Controls  Input controls  Processing controls  Output controls

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Input Controls These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Batch Input Controls  Financial total  Hash total  Record count

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Processing Controls  Validation test  Sequence test  Arithmetic accuracy test  Data reasonableness test  Completeness test

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Output Controls These controls focus on detecting errors after processing is completed rather than on preventing errors.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 4 Describe how general controls affect the auditor’s testing of application controls.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Impact of Information Technology on the Audit Process  Effects of general controls on control risk  Effects of IT controls on control risk and substantive tests  Auditing in less complex IT environments  Auditing in more complex IT environments

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 5 Use test data, parallel simulation, and embedded audit module approaches when auditing through the computer.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Test Data Approach 1. Test data should include all relevant conditions that the auditor wants tested. 2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year. 3. Test data must be eliminated from the client’s records.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Test Data Approach Application programs (assume batch system) Control test results Master files Contaminated master files Transaction files (contaminated?) Input test transactions to test key control procedures

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Test Data Approach Auditor-predicted results of key control procedures based on an understanding of internal control Control test results Auditor makes comparisons Differences between actual outcome and predicted result

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Parallel Simulation The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Parallel Simulation Auditor makes comparisons between client’s application system output and the auditor-prepared program output Exception report noting differences Productiontransactions Auditor-preparedprogram Auditorresults Masterfile Client application system programs Clientresults

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Embedded Audit Module Approach Auditor inserts an audit module in the client’s application system to identify specific types of transactions.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Learning Objective 6 Identify issues for e-commerce systems and other specialized IT environments.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Issues for Different IT Environments  Issues for network environments  Issues for database management systems  Issues for e-commerce systems  Issues when clients outsource IT

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder End of Chapter 12