Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implications of Information Technology for the Audit Process

Similar presentations


Presentation on theme: "Implications of Information Technology for the Audit Process"— Presentation transcript:

1 Implications of Information Technology for the Audit Process
Chapter 12 Implications of Information Technology for the Audit Process 1

2 Learning Objectives Describe how IT improves internal control.
Identify risks to accounting systems specific to IT. Explain how general controls and application controls reduce IT risks. Describe how general controls affect the auditor’s testing of application controls.

3 Learning Objectives Use test data, parallel simulation, and embedded audit module approaches to test automated controls. Identify issues for e-commerce systems and other specialized IT systems.

4 Describe how IT improves internal control.
1 Describe how IT improves internal control.

5 How Information Technologies Enhance Internal Control
Computer controls replace manual controls Higher-quality information is available

6 Identify risks to accounting systems specific to IT.
2 Identify risks to accounting systems specific to IT.

7 Assessing Risks of Information Technologies
Risks to hardware and data Reduced audit trail Need for IT experience and separation of IT duties IT can improve a company’s internal controls; however, it can also affect the company's overall control risk. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors. Specific risks to IT systems include the aforementioned.

8 Risks to Hardware and Data
Reliance on hardware and software Unauthorized access Without proper physical protection, hardware or software may not function or may function improperly. When organizations replace manual procedures with technology-based procedures, the risk of random error from human involvement decreases. However, the risk of systematic error increases because once procedures are programmed into computer software, the computer processes information consistently for all transactions. IT cased accounting systems often allow online access to electronic data in master files software and other records. Because online access can occur from remote access points, there is potential for illegitimate access. Since much of the data is stored in centralized electronic files, this increases the risk of loss or destruction of entire data files. Systematic vs. random errors Data loss

9 Reduced Audit Trail Visibility of audit trail Lack of traditional
authorization Detection risk With the use of computers, IT often reduces or even eliminates source documents and records that allow the organization to trace accounting information. In many IT systems, employees who deal with the initial processing of transactions never see the final results. Therefore, they are less able to identify mistakes. Advanced IT systems can often initiate transactions automatically, such as calculating interest on savings accounts and ordering inventory when pre-specified order levels are reached. Reduced human involvement

10 Need for IT Experience and Separation of IT Duties
Reduced separation of duties Need for IT experience It is important to have personnel with knowledge and experience to install, maintain, and use the system.

11 Explain how general controls and application controls reduce IT risks.
3 Explain how general controls and application controls reduce IT risks.

12 Internal Controls Specific to Information Technology
Information technology controls General controls apply to all aspects of the IT function including IT admin, separation of IT duties, systems development, physical and online security over access to hardware, software and related data. Application controls apply to processing transactions. Application controls General controls

13 Relationship Between General and Application Controls

14 Categories of General and Application Controls

15 Administration of the IT Function
The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

16 Segregation of IT Duties
The CIO or IT manager should be responsible for oversight of the IT function. Systems analysts are responsible for the overall design of each application system Computer operators are responsible for the day-to-day operations of the computer following the schedule established by the CIO.

17 Systems Development Typical test strategies Pilot testing
Parallel testing Pilot testing is when a new system is implemented in one part of the organization while other locations continue to rely on the old system. Parallel testing is when the new and old systems operate simultaneously in all locations.

18 Physical and Online Security
Online Controls: User ID control Password control Separate add-on security software Physical Controls: Keypad entrances Badge-entry systems Security cameras Security personnel Physical controls decrease the risk of unauthorized changes to programs and improper use of programs and data files. Proper user IDs and passwords control access to software and related data files this reducing the likelihood that unauthorized changes are made to software applications and data files.

19 Backup and Contingency Planning
Offsite storage of critical files is a key element to a backup and contingency plan One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.

20 Hardware Controls These controls are built into computer
equipment by the manufacturer to detect and report equipment failures.

21 Application controls are designed for each
software application Input controls Output controls Processing controls

22 Input Controls These controls are designed by an
organization to ensure that the information being processed is authorized, accurate, and complete.

23 Batch Input Controls Total for all Financial total records in a batch
Total of codes from all batch records Hash total Total of records in a batch Record count

24 Processing Controls accuracy test Correct file, database, or program?
Validation test Correct processing order? Sequence test Arithmetic accuracy test Accuracy of processed data? Data exceeds preset amounts? Data reasonableness test Completeness of record fields? Completeness test

25 Output Controls These controls focus on detecting errors
after processing is completed rather than on preventing errors.

26 4 Describe how general controls affect the auditor’s testing of application controls.

27 Impact of Information Technology on the Audit Process
Effects of general controls on system-wide applications Effects of general controls on software changes Obtaining an understanding of client general controls Ineffective general controls create the potential for material misstatements across all system applications regardless of the quality of the application controls. Client changes to application software affect the auditor’s reliance on automated controls. Auditors obtain information about general and application controls through interviews, examination of system documentation, and reviews of detailed questionnaires completed by IT staff. If general controls are ineffective, the auditor’s ability to rely on IT-related application controls to reduce control risk in all cycles is reduced. After identifying specific IT-based application controls that can be used to reduce control risk, auditors can reduce substantive testing. Relating IT controls to transaction-related audit objectives Effect of IT controls on substantive testing

28 Auditing in IT Environments with Varied Complexity
Audit around the computer LESS Smaller companies IT controls < effective Audit through the computer MORE Parallel simulation Test data

29 Auditing Around and Through the Computer

30 5 Use test data, parallel simulation, and embedded audit module approaches to test automated controls.

31 Test Data Approach 1. Test data should include all relevant
conditions that the auditor wants tested. 2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year. Auditor’s process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data. 3. Test data must be eliminated from the client’s records.

32 Test Data Approach Input test transactions to test key control
procedures Master files Application programs (assume batch system) Transaction files (contaminated?) Contaminated master files Control test results

33 Test Data Approach Control test results Auditor makes comparisons
Auditor-predicted results of key control procedures based on an understanding of internal control Differences between actual outcome and predicted result

34 Parallel Simulation The auditor uses auditor-controlled software
to perform parallel operations to the client’s software by using the same data files.

35 Parallel Simulation Production transactions Master file
Auditor-prepared program Client application system programs Auditor results Client results Auditor makes comparisons between client’s application system output and the auditor-prepared program output Exception report noting differences

36 Embedded Audit Module Approach
Auditor inserts an audit module in the client’s application system to identify specific types of transactions.

37 Embedded Audit Module Approach

38 6 Identify issues for e-commerce systems and other specialized IT systems.

39 Issues for Different IT Environments
Network Environments Database Management Systems Outsourced IT e-Commerce systems

40 Are there any questions?

41 Copyright All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.


Download ppt "Implications of Information Technology for the Audit Process"

Similar presentations


Ads by Google