
AUDITING IN COMPUTERIZED ENVIRONMENT

Chapter 7


LEARNING OBJECTIVES
Explain the impact of IT in enhancing internal control and the related risk that arises
Describe the types of control in an IT environment
Discuss the impact of IT on the audit process
Use the test data, parallel simulation, and embedded audit module approaches when auditing through the computer
Identify issues for e-commerce systems and other specialized IT environments

Learning Objective 1 Identify the impact of IT in enhancing internal control and related risk that arises


How Information Technologies Enhance Internal Control


Computer controls replace manual controls.
Higher-quality information is available.


Assessing Risks of Information Technologies


RISK TO HARDWARE AND DATA
Reliance on the capabilities of hardware and software
Systematic vs. random errors
Unauthorized access
Loss of data

Assessing Risks of Information Technologies


REDUCED AUDIT TRAIL & TRADITIONAL AUTHORIZATION
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization



Assessing Risks of Information Technologies


NEED FOR IT EXPERIENCE AND SEPARATION OF IT DUTIES
Reduced separation of duties
Need for IT experience


Learning Objective 2 Explain how general controls and application controls reduce IT risks.


Internal Controls Specific to Information Technology General Controls


General Controls
Administration of the IT function
Physical and online security
Backup and contingency planning
Hardware controls
Segregation of IT duties
Systems development

Application Controls

Input controls
Processing controls
Output controls

Relationship Between General and Administrative Controls


[Figure, labels only: GENERAL CONTROLS]
Application controls shown: Cash Receipts Application Controls; Sales Application Controls; Payroll Application Controls; Other Cycle Application Controls
Risks shown: Risk of unauthorized change to application software; Risk of unauthorized master file update; Risk of unauthorized processing; Risk of system crash

GENERAL CONTROL
Relate to all aspects of the IT function
Designed to protect all application controls to ensure their effectiveness
Have an overriding effect on all IT functions
Auditors evaluate general controls early in the audit because of their impact on application controls


Administration of the IT Function


The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.


Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator

Systems Development

Operations

Data Control

Systems Development
Typical test strategies:
Pilot testing
Parallel testing


Physical and Online Security


Physical Controls:
Keypad entrances
Badge-entry systems
Biometric systems
Security cameras
Security personnel
Humidity/temperature control

Online Controls:
User ID control
Password control
Separate add-on security software

Backup and Contingency Planning


One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.


Hardware Controls
These controls are built into computer equipment by the manufacturer to detect and report equipment failures.


APPLICATION CONTROL
Designed to satisfy transaction-related audit objectives. May be done by:
Client personnel, manual controls - depends on competence of the personnel & due care exercised
Computer, automated controls - if properly designed, lead to consistent operation of the controls


Input Controls
These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.


Input Controls
Manual control:
Management's authorization of transactions
Adequate preparation of input source docs
Competent personnel

IT controls:
Prompts for transaction information
Computer-performed validation tests
Immediate error correction procedures
Accumulation of errors in error file for follow-up

Processing Controls
Prevent, detect and correct processing errors when transactions are processed. Often embedded into software.


Processing Controls
Validation test - ensures the use of the correct master file, database, and program
Sequence test - determines that data for processing are in the correct order
Arithmetic accuracy test - checks the accuracy of processed data
Data reasonableness test - determines whether data exceed pre-specified amounts
Completeness test - determines that every field has been completed
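
The five processing controls listed above, run over one batch, as an added example that is not part of the original slides. The master file, the batch, the field names and the 10,000 limit are constructed assumptions.

```python
from decimal import Decimal

# Constructed master file and batch; field names and the limit are assumptions.
MASTER_FILE = {"C001", "C002", "C003"}
REASONABLENESS_LIMIT = Decimal("10000.00")
REQUIRED_FIELDS = ("seq", "customer", "qty", "unit_price", "amount")

BATCH = [
    {"seq": 1, "customer": "C001", "qty": 2, "unit_price": "50.00", "amount": "100.00"},
    {"seq": 2, "customer": "C999", "qty": 1, "unit_price": "20.00", "amount": "20.00"},
    {"seq": 4, "customer": "C002", "qty": 3, "unit_price": "10.00", "amount": "35.00"},
    {"seq": 3, "customer": "C003", "qty": 500, "unit_price": "40.00", "amount": "20000.00"},
    {"seq": 5, "customer": "C002", "qty": 1, "unit_price": "", "amount": "15.00"},
]


def run_processing_controls(batch):
    """Return an error file: a list of (seq, failed_test) kept for follow-up."""
    errors = []
    last_seq = None
    for txn in batch:
        seq = txn.get("seq")
        # Completeness test: every field has been completed.
        if any(txn.get(f) in (None, "") for f in REQUIRED_FIELDS):
            errors.append((seq, "completeness"))
            continue  # the remaining tests need all fields
        # Validation test: the record refers to the correct master file.
        if txn["customer"] not in MASTER_FILE:
            errors.append((seq, "validation"))
        # Sequence test: data for processing are in the correct order.
        if last_seq is not None and seq <= last_seq:
            errors.append((seq, "sequence"))
        last_seq = seq
        # Arithmetic accuracy test: recompute the extended amount.
        amount = Decimal(txn["amount"])
        if Decimal(txn["qty"]) * Decimal(txn["unit_price"]) != amount:
            errors.append((seq, "arithmetic"))
        # Data reasonableness test: amount exceeds the pre-specified limit.
        if amount > REASONABLENESS_LIMIT:
            errors.append((seq, "reasonableness"))
    return errors


if __name__ == "__main__":
    for seq, test in run_processing_controls(BATCH):
        print(f"txn {seq}: failed {test} test")
```
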


Output Controls
These controls focus on detecting errors after processing is completed rather than on preventing errors. E.g.:
Reconcile computer output to manual ctrl total
Compare no. of units processed to submitted
Compare sample to input source docs
Verify dates and times


Learning Objective 3 Describe how general controls affect the auditor's testing of application controls.


Impact of Information Technology on the Audit Process


Effects of general controls on control risk
Effects of IT controls on control risk and substantive tests
Auditing in less complex IT environments
Auditing around the computer
Auditing in more complex IT environments
Auditing through the computer

Learning Objective 4 Use the test data, parallel simulation, and embedded audit module approaches when auditing through the computer.

Test Data Approach


1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by the auditor's test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client's records.

Test Data Approach


[Figure, flowchart labels only: Input Test Transactions to Test Key Control Procedures; Master Files; Application Programs (Assume Batch System); Transaction Files (Contaminated?); Contaminated Master Files; Control Test Results]

Test Data Approach


[Figure, flowchart labels only: Control Test Results; Auditor-predicted Results of Key Control Procedures Based on an Understanding of Internal Control; Auditor Makes Comparisons; Differences Between Actual Outcome and Predicted Result]


Parallel Simulation

The auditor uses auditor-controlled software to perform parallel operations to the client's software by using the same data files.


Parallel Simulation
[Figure, flowchart labels only: Production Transactions; Master File; Auditor-Prepared Program; Client Application System Programs; Auditor Results; Client Results; Auditor Makes Comparisons Between Client's Application System Output and Understanding of the Client Systems Via the Parallel Simulation; Exception Report Noting Differences]
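
A parallel simulation in miniature, as an added example that is not part of the original slides: an auditor-prepared program reprocesses the same production transactions and master file, and an exception report notes every difference from the client's output. The invoice data, the discount rule and all names are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed data: master file (customer discount rates), production
# transactions, and the client system's output for the same transactions.
MASTER_FILE = {"C001": Decimal("0.00"), "C002": Decimal("0.10")}
PRODUCTION_TXNS = [
    {"invoice": "INV-1", "customer": "C001", "gross": Decimal("200.00")},
    {"invoice": "INV-2", "customer": "C002", "gross": Decimal("150.00")},
    {"invoice": "INV-3", "customer": "C002", "gross": Decimal("80.00")},
    {"invoice": "INV-4", "customer": "C001", "gross": Decimal("60.00")},
]
CLIENT_RESULTS = {
    "INV-1": Decimal("200.00"),
    "INV-2": Decimal("135.00"),
    "INV-3": Decimal("64.00"),   # client applied 20% instead of 10%
    # INV-4 is missing from the client output
    "INV-9": Decimal("500.00"),  # not supported by any production transaction
}


def auditor_program(txns, master):
    """Auditor-prepared program: net amount per the auditor's understanding."""
    results = {}
    for t in txns:
        net = t["gross"] * (1 - master[t["customer"]])
        results[t["invoice"]] = net.quantize(Decimal("0.01"), ROUND_HALF_UP)
    return results


def exception_report(auditor, client):
    """Compare auditor results with client results and note differences."""
    report = []
    for key in sorted(auditor.keys() | client.keys()):
        a, c = auditor.get(key), client.get(key)
        if a is None:
            report.append((key, "in client output only", None, c))
        elif c is None:
            report.append((key, "missing from client output", a, None))
        elif a != c:
            report.append((key, "amount differs", a, c))
    return report


if __name__ == "__main__":
    auditor_results = auditor_program(PRODUCTION_TXNS, MASTER_FILE)
    for row in exception_report(auditor_results, CLIENT_RESULTS):
        print(row)
```
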

Embedded Audit Module Approach

Auditor inserts an audit module in the client's application system to capture transactions with characteristics that are of specific interest to the auditor.


Learning Objective 5 Identify issues for e-commerce systems and other specialized IT environments.


Issues for Different IT Environments


Issues for microcomputer environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT

