Implications of Information Technology for the Audit Process Chapter 12 Implications of Information Technology for the Audit Process 1
Learning Objectives Describe how IT improves internal control. Identify risks to accounting systems specific to IT. Explain how general controls and application controls reduce IT risks. Describe how general controls affect the auditor’s testing of application controls.
Learning Objectives Use test data, parallel simulation, and embedded audit module approaches to test automated controls. Identify issues for e-commerce systems and other specialized IT systems.
Describe how IT improves internal control. 1 Describe how IT improves internal control.
How Information Technologies Enhance Internal Control Computer controls replace manual controls Higher-quality information is available
Identify risks to accounting systems specific to IT. 2 Identify risks to accounting systems specific to IT.
Assessing Risks of Information Technologies Risks to hardware and data Reduced audit trail Need for IT experience and separation of IT duties IT can improve a company’s internal controls; however, it can also affect the company's overall control risk. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors. Specific risks to IT systems include the aforementioned.
Risks to Hardware and Data Reliance on hardware and software Unauthorized access Without proper physical protection, hardware or software may not function or may function improperly. When organizations replace manual procedures with technology-based procedures, the risk of random error from human involvement decreases. However, the risk of systematic error increases because once procedures are programmed into computer software, the computer processes information consistently for all transactions. IT cased accounting systems often allow online access to electronic data in master files software and other records. Because online access can occur from remote access points, there is potential for illegitimate access. Since much of the data is stored in centralized electronic files, this increases the risk of loss or destruction of entire data files. Systematic vs. random errors Data loss
Reduced Audit Trail Visibility of audit trail Lack of traditional authorization Detection risk With the use of computers, IT often reduces or even eliminates source documents and records that allow the organization to trace accounting information. In many IT systems, employees who deal with the initial processing of transactions never see the final results. Therefore, they are less able to identify mistakes. Advanced IT systems can often initiate transactions automatically, such as calculating interest on savings accounts and ordering inventory when pre-specified order levels are reached. Reduced human involvement
Need for IT Experience and Separation of IT Duties Reduced separation of duties Need for IT experience It is important to have personnel with knowledge and experience to install, maintain, and use the system.
Explain how general controls and application controls reduce IT risks. 3 Explain how general controls and application controls reduce IT risks.
Internal Controls Specific to Information Technology Information technology controls General controls apply to all aspects of the IT function including IT admin, separation of IT duties, systems development, physical and online security over access to hardware, software and related data. Application controls apply to processing transactions. Application controls General controls
Relationship Between General and Application Controls
Categories of General and Application Controls
Administration of the IT Function The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.
Segregation of IT Duties The CIO or IT manager should be responsible for oversight of the IT function. Systems analysts are responsible for the overall design of each application system Computer operators are responsible for the day-to-day operations of the computer following the schedule established by the CIO.
Systems Development Typical test strategies Pilot testing Parallel testing Pilot testing is when a new system is implemented in one part of the organization while other locations continue to rely on the old system. Parallel testing is when the new and old systems operate simultaneously in all locations.
Physical and Online Security Online Controls: User ID control Password control Separate add-on security software Physical Controls: Keypad entrances Badge-entry systems Security cameras Security personnel Physical controls decrease the risk of unauthorized changes to programs and improper use of programs and data files. Proper user IDs and passwords control access to software and related data files this reducing the likelihood that unauthorized changes are made to software applications and data files.
Backup and Contingency Planning Offsite storage of critical files is a key element to a backup and contingency plan One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.
Hardware Controls These controls are built into computer equipment by the manufacturer to detect and report equipment failures.
Application controls are designed for each software application Input controls Output controls Processing controls
Input Controls These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.
Batch Input Controls Total for all Financial total records in a batch Total of codes from all batch records Hash total Total of records in a batch Record count
Processing Controls accuracy test Correct file, database, or program? Validation test Correct processing order? Sequence test Arithmetic accuracy test Accuracy of processed data? Data exceeds preset amounts? Data reasonableness test Completeness of record fields? Completeness test
Output Controls These controls focus on detecting errors after processing is completed rather than on preventing errors.
4 Describe how general controls affect the auditor’s testing of application controls.
Impact of Information Technology on the Audit Process Effects of general controls on system-wide applications Effects of general controls on software changes Obtaining an understanding of client general controls Ineffective general controls create the potential for material misstatements across all system applications regardless of the quality of the application controls. Client changes to application software affect the auditor’s reliance on automated controls. Auditors obtain information about general and application controls through interviews, examination of system documentation, and reviews of detailed questionnaires completed by IT staff. If general controls are ineffective, the auditor’s ability to rely on IT-related application controls to reduce control risk in all cycles is reduced. After identifying specific IT-based application controls that can be used to reduce control risk, auditors can reduce substantive testing. Relating IT controls to transaction-related audit objectives Effect of IT controls on substantive testing
Auditing in IT Environments with Varied Complexity Audit around the computer LESS Smaller companies IT controls < effective Audit through the computer MORE Parallel simulation Test data
Auditing Around and Through the Computer
5 Use test data, parallel simulation, and embedded audit module approaches to test automated controls.
Test Data Approach 1. Test data should include all relevant conditions that the auditor wants tested. 2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year. Auditor’s process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data. 3. Test data must be eliminated from the client’s records.
Test Data Approach Input test transactions to test key control procedures Master files Application programs (assume batch system) Transaction files (contaminated?) Contaminated master files Control test results
Test Data Approach Control test results Auditor makes comparisons Auditor-predicted results of key control procedures based on an understanding of internal control Differences between actual outcome and predicted result
Parallel Simulation The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.
Parallel Simulation Production transactions Master file Auditor-prepared program Client application system programs Auditor results Client results Auditor makes comparisons between client’s application system output and the auditor-prepared program output Exception report noting differences
Embedded Audit Module Approach Auditor inserts an audit module in the client’s application system to identify specific types of transactions.
Embedded Audit Module Approach
6 Identify issues for e-commerce systems and other specialized IT systems.
Issues for Different IT Environments Network Environments Database Management Systems Outsourced IT e-Commerce systems
Are there any questions?
Copyright All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.