The Impact of Information
Technology on the Audit
Process
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 2
Learning Objective 1
Describe how IT improves
internal control.
How Information Technologies
Enhance Internal Control
Computer controls replace manual controls
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 4
Learning Objective 2
Identify risks that arise from using
an IT-based accounting system.
Assessing Risks of
Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and
separation of IT duties
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 6
Risks to Hardware and Data
Reliance on the functioning capabilities
of hardware and software
Systematic versus random errors
Unauthorized access
Reduced Audit Trail
Visibility of audit trail
Reduced human involvement
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 8
Need for IT Experience and
Separation of Duties
Reduced separation of duties
Learning Objective 3
Explain how general controls
and application controls
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 10
Internal Controls Specific to
Information Technology
General controls
Relationship Between General
and Application Controls
Cash receipts
application
controls
Sales
application
controls
Payroll
application
controls
Other cycle
application
controls
GENERAL CONTROLS
Risk of unauthorized change
to application software
Risk of system crash
Risk of unauthorized
master file update
Risk of unauthorized
processing
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 12
General Controls
Administration of the IT function
Separation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Administration of the IT
Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management
.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 14
Segregation of IT Duties
Chief Information Officer or IT Manager
Systems
Development
Operations
Data
Control
Systems Development
Typical test
strategies
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 16
Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on
security software
Backup and Contingency
Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 18
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
Application Controls
Input controls
Processing controls
Output controls
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 20
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
Batch Input Controls
Financial total
Hash total
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 22
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
Output Controls
These controls focus on detecting errors
after processing is completed rather
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 24
Learning Objective 4
Describe how general controls
affect the auditor’s testing
Impact of Information Technology
on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and
substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 26
Learning Objective 5
Use test data, parallel simulation,
and embedded audit module
approaches when auditing
through the computer.
Test Data Approach
1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors’ test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
client’s records.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 28
Test Data Approach
Application programs
(assume batch system)
Control test
results
Master files
Contaminated
master files
Transaction files
(contaminated?)
Input test
transactions to test
key control
procedures
Test Data Approach
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Control test
results
Auditor makes
comparisons
Differences between
actual outcome and
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 30
Parallel Simulation
The auditor uses auditor-controlled software
to perform parallel operations to the client’s
software by using the same data files.
Parallel Simulation
Auditor makes comparisons between
client’s application system output and
the auditor-prepared program output
Exception report
noting differences
Production
transactions
Auditor-prepared
program
Auditor
results
Master
file
Client application
system programs
Client
results
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 32
Embedded Audit Module
Approach
Auditor inserts an audit module in the
client’s application system to identify
specific types of transactions.
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 34