Learning Objective 1. The Impact of Information Technology on the Audit Process. Describe how IT improves internal control.

(1)

12 - 1 ©

The Impact of

Information

Technology on the

Audit Process

Chapter 12

12 - 2 ©

Learning Objective 1

Describe how IT improves

internal control.

12 - 3 ©

How Information Technologies

Enhance Internal Control

Computer controls

replace manual controls.

Higher

Higher--qualityquality

information is available.

12 - 4 ©

Learning Objective 2

Identify risks that arise from using

an IT

-

based accounting system.

Assessing Risks of

Information Technologies

Risks to hardware and data

Reduced audit trail

Need for IT experience and separation

of IT duties

Learning Objective 3

Explain how general controls

and application controls

reduce IT risks.

(2)

12 - 7 ©

Internal Controls Specific to

Information Technology

General controls General controls Application controls Application controls 12 - 8 ©

Relationship Between General

and Administrative Controls

Cash receipts Cash receipts application application controls controls Sales Sales applications applications controls controls Payroll Payroll application application controls controls Other cycle Other cycle application application controls controls GENERAL CONTROLS GENERAL CONTROLS Risk of unauthorized change

Risk of unauthorized change to application software

to application software Risk of system crashRisk of system crash

Risk of unauthorized Risk of unauthorized master file update

master file update Risk of unauthorizedRisk of unauthorizedprocessingprocessing

12 - 9 ©

General Controls

Administration of the IT function

Segregation of IT duties

Systems development

Physical and online security

Backup and contingency planning

Hardware controls

12 - 10 ©

Administration of the IT Function

The perceived importance of IT within an

organization is often dictated by the attitude of

the board of directors and senior management.

Segregation of IT Duties

Chief Information Officer or IT Manager

Systems

Development

Development OperationsOperations Data Data Control Control Security Administrator Security Administrator

Systems Development

Typical test Typical test strategies strategies Pilot testing

(3)

12 - 13 ©

Physical and Online Security

Physical Controls:

Keypad entrancesKeypad entrances

BadgeBadge--entry systemsentry systems

Security camerasSecurity cameras

Security personnelSecurity personnel

Online Controls:

User ID controlUser ID control

Password controlPassword control

Separate addSeparate add--onon security software

security software

12 - 14 ©

Backup and Contingency Planning

One key to a backup

and contingency plan

is to make sure that

all critical copies of

software and data files

are backed up and

stored off the premises.

12 - 15 ©

Hardware Controls

These controls are built into computer

equipment by the manufacturer to

detect and report equipment failures.

12 - 16 ©

Application Controls

Input controls Input controls Processing Processing controls controls Output controls Output controls

Input Controls

These controls are designed by an

organization to ensure that the

information being processed is

authorized, accurate, and complete.

Batch Input Controls

Financial total Financial total Hash total Hash total Record count Record count

(4)

12 - 19 ©

Processing Controls

Validation test Validation test Sequence test Sequence test

Arithmetic accuracy test

Data reasonableness test

Completeness test

12 - 20 ©

Output Controls

These controls focus on detecting errors

after processing is completed rather

than on preventing errors.

12 - 21 ©

Learning Objective 4

Describe how general controls

affect the auditor

’

s testing

of application controls.

12 - 22 ©

Impact of Information Technology

on the Audit Process

Effects of general controls on control risk

Effects of IT controls on control

risk and substantive tests

Auditing in less complex IT environments

Auditing in more complex IT environments

Learning Objective 5

Use test data, parallel simulation,

and embedded audit module

approaches when auditing

through the computer.

Test Data Approach

1

1 Test data should include all relevantTest data should include all relevant

conditions that the auditor wants tested.

2

Application programs tested by the

auditor

auditor’’s test data must be the same ass test data must be the same as those the client used throughout the year.

those the client used throughout the year.

3

(5)

12 - 25 ©

Test Data Approach

Application Programs Application Programs (Assume Batch System) (Assume Batch System)

Control test Control test results results Master files Master files Contaminated Contaminated master files master files Transaction files Transaction files (contaminated?) (contaminated?) Input test Input test Transactions to test Transactions to test Key control Key control Procedures Procedures 12 - 26 ©

Test Data Approach

Auditor-predicted results of key control procedures based on an understanding of internal control

Auditor

Auditor--predicted resultspredicted results of key control procedures of key control procedures based on an understanding based on an understanding of internal control of internal control Control test results Control test Control test results results Auditor makes comparisons Auditor makes Auditor makes comparisons comparisons Differences between actual outcome and predicted result

Differences between Differences between actual outcome and actual outcome and predicted result predicted result

12 - 27 ©

Parallel Simulation

The auditor uses auditor

The auditor uses auditor--controlled softwarecontrolled software to perform parallel operations to the client

to perform parallel operations to the client’’ss

software by using the same data files.

12 - 28 ©

Parallel Simulation

Auditor makes comparisons between Auditor makes comparisons between client

client’’s application system output ands application system output and the auditor

the auditor--prepared program outputprepared program output

Exception report Exception report noting differences noting differences Production Production transactions transactions Auditor Auditor--preparedprepared

program program Auditor Auditor results results Master Master file file Client application Client application system programs system programs Client Client results results

Embedded Audit Module

Approach

Auditor inserts an audit module in the

client

client’’s application system to captures application system to capture transactions with characteristics that

transactions with characteristics that

are of specific interest to the auditor.

Learning Objective 6

Identify issues for e

-

commerce

systems and other specialized

IT environments.

(6)

12 - 31 ©

Issues for Different IT

Environments

Issues for microcomputer environments

Issues for network environments

Issues for database management systems

Issues for e

Issues for e--commerce systemscommerce systems

Issues when clients outsource IT

12 - 32 ©