
IT & AUDIT

Benefits of IT
Consistency
Timeliness
Analysis - data can be accessed for analytical procedures (AP) more conveniently.
Monitoring - electronic controls can be monitored by the computer system itself.
Circumvention - controls are difficult to circumvent.
Segregation of duties - enhanced segregation of duties through effective
implementation of security controls.

Risks of IT
Segregation of duties - may be undermined through unauthorized access.
Audit trail may be lacking - there is no paper trail of the kind auditors are accustomed
to following. The audit trail is the means by which an accounting transaction can be
traced through an accounting information system. In an EDI system, the audit trail
would include activity logs that indicate failed transactions, as they identify the
disposition of those transactions.
Overreliance
Access - destruction and alteration of large amounts of data are possible
if unauthorized access occurs. In general, data files are compact and in a
single location. It is more difficult to secure microcomputers.
Changes in programs - unauthorized program changes could cause severe
consequences without being detected.
Failure to change - sometimes programs are not updated for new laws.
Manual intervention
Loss of data
The internet is a large and growing communications medium. The recording of
sales via the internet is subject to internal and external system failures, virus and
hacker attacks, and power fluctuations.
The specific evidence-gathering procedures might differ.

GENERAL CONTROLS
General controls are critical to any EDI system. If the general controls are not
functioning properly, the application controls will not be secure. General IT controls are
policies and procedures that relate to different applications and support the effective
functioning of application controls. Assessing control risk at a low level requires that
application controls function effectively, and because application controls depend on
general controls, the auditor would initially focus on the general controls.
Encryption performed by physically secure hardware devices is more secure than
encryption performed by software, because software encryption could be broken if a
hacker or other outside party were able to get into the software via access to the
hardware.
TOCs (tests of controls) initially focus on general controls.

There are 5 categories of general controls (in a well-designed system of internal
control (I/C), the IT duties listed under category 3 must be segregated):
1. Physical safeguards to protect data files:
File labels
File protection rings
File protection plans

2. Hardware and software systems controls
Parity check - a bit added to each character so that the loss of any portion of
the data might be detected. This relates to information transmissions between
system hardware components.
Echo check - a signal that what was sent was in fact received. This is
usually used for information transmissions over phone lines. It is a verification
check which involves sending data back to the terminal for comparison with the
data originally sent.
Diagnostic routines - check internal operations of hardware components
(usually when booting up the system).
Boundary protection - for running multiple jobs concurrently. Boundary
protection is necessary because most large computers have more than
one job running simultaneously. To ensure that these simultaneous jobs
cannot destroy or change the allocated memory of another job, the
systems software contains boundary protection controls.
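As an added illustration (not part of the original notes), the following Python models an even-parity bit on 7-bit characters together with an echo check; the transmitted text and the injected bit errors are constructed inline, and the scenario shows the case the parity check misses:

```python
"""Parity check and echo check on a constructed 7-bit character transmission.

Even parity: bit 7 is set so that every transmitted byte carries an even number
of 1 bits. A single flipped bit is caught by the parity test; two flipped bits in
the same byte are not, which is where the echo check (the receiver sends the
data back to the sender for comparison) still catches the corruption.
"""


def even_parity_bit(value7: int) -> int:
    """Return the bit that makes the 8-bit frame hold an even number of 1s."""
    return bin(value7 & 0x7F).count("1") % 2


def encode_char(ch: str) -> int:
    """Append the parity bit (bit 7) to a 7-bit ASCII character."""
    value = ord(ch)
    if value > 0x7F:
        raise ValueError("only 7-bit ASCII characters carry a parity bit here")
    return value | (even_parity_bit(value) << 7)


def parity_ok(frame: int) -> bool:
    """Parity test on a received 8-bit frame."""
    return bin(frame & 0xFF).count("1") % 2 == 0


def flip_bits(frame: int, positions) -> int:
    """Simulate line noise by flipping the given bit positions (0..7)."""
    for pos in positions:
        frame ^= 1 << pos
    return frame


def transmit(text: str) -> list:
    """Frames as the sending hardware component puts them on the line."""
    return [encode_char(c) for c in text]


def receive(frames: list) -> tuple:
    """Decode frames; return (text, indexes of frames that fail the parity check)."""
    failed = [i for i, f in enumerate(frames) if not parity_ok(f)]
    text = "".join(chr(f & 0x7F) for f in frames)
    return text, failed


def echo_check(sent: list, echoed: list) -> list:
    """Compare what the sender transmitted with what the receiver echoed back."""
    return [i for i, (s, e) in enumerate(zip(sent, echoed)) if s != e]


def demo() -> dict:
    """Constructed scenario: one single-bit error and one double-bit error."""
    sent = transmit("PAY")
    received = list(sent)
    received[0] = flip_bits(received[0], [0])     # single-bit error in 'P'
    received[2] = flip_bits(received[2], [0, 1])  # double-bit error in 'Y'
    text, parity_failures = receive(received)
    return {
        "decoded": text,
        "parity_failures": parity_failures,           # only the single-bit error
        "echo_failures": echo_check(sent, received),  # both errors
    }


if __name__ == "__main__":
    print(demo())
```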

3. Organization and Operation - IT duties that must be segregated
Systems analyst - responsible for designing the system. He may:
o Recommend specific changes
o Recommend the purchase of a new system
o Design a new information system (IS)
o The analyst is in constant contact with user departments and
programming staff to ensure the users' actual and ongoing needs
are being met. A system flowchart is a tool used by the analyst to
define the system's requirements.
Programmer - responsible for writing the code that makes up the programs.
Operator - responsible for running the system.
Librarian - responsible for keeping track of the programs and files and
verifying that access is limited to authorized personnel. He/she is responsible
for the custody of the removable media (i.e. magnetic tapes or disks) and
for the maintenance of program and system documentation.
Security - responsible for protecting the programs and data files and
implementing procedures to safeguard the system.
Database administrator - responsible for maintaining the database and
restricting access to the database to authorized personnel.
4. Access
The access to data, software, and the hardware should be limited to
authorized personnel. The database administrator ordinarily controls
access to the database. Access controls are particularly important to
a distributed system in which remote computers are linked to the main
system. These controls are designed to limit the use of the system and
the entry to files of authorized persons. To test that online access
controls are properly functioning, an auditor would directly test them by
entering invalid id numbers or passwords to ascertain whether the
system rejects them.
Systems documentation is a general control that would assist an entity whose
systems analyst left in the middle of a major project. Such documentation would
be prepared for each application system and would include narratives and
flowcharts. It would document the work completed to date on the project and
enable an analyst to take over.
Examples of general controls are program change controls, controls that
restrict access to programs or data, controls over the implementation of new
releases of packaged software applications, and controls over system software
that restrict access to or monitor the use of system utilities that could change
financial data or records without leaving an audit trail.

Ineffective general controls by themselves do not cause misstatements.
However, they can permit application controls to operate improperly and
allow misstatements to occur.
APPLICATION CONTROLS
Application controls are designed to achieve specific control objectives related to
specific accounting tasks. They pertain to the processing of individual
applications.
Application controls are manual or automated procedures that operate at a
business process level. Application controls refer to the transactions and data
relating to each computer-based application system and are, therefore, specific
to each such application.
The objectives of application controls, which may be manual or programmed, are
to ensure the completeness and accuracy of the records and the validity of the
entries made therein. Application controls consist of input controls, processing
controls, and output controls.
Application controls can be performed by IT (automated) or by individuals. When
application controls are performed by people interacting with IT, they may be
referred to as user controls.

IT EVIDENCE-GATHERING PROCEDURES

Audit software (focus is on substantive test work) - especially used to access the
client's files.

Generalized audit software - canned audit programs to access and test clients'
files; initially expensive to develop, but can be efficient as they can be used on
numerous engagements.
o They can be used to access information stored on computer files while
having a limited understanding of the client's hardware and software
features.
o Such software programs perform common audit tasks, such as footing a
file, sorting, checking for gaps and duplicates, extracting and
summarizing.
o It does not check for accuracy through self-checking digits and hash totals.
Such controls are present only in the client's software.
o Can be used for audits of clients that use different computer equipment
and file formats. They are simply a very generalized input-output program.
o Convert machine-readable data into auditor-readable form with added data
manipulation routines and so utilize the speed and accuracy of the
computer. They do not store data in a machine-readable form.
o Parallel simulation uses a generalized audit software package prepared by
auditors.

Customized software - programs specifically written to access the files of a
particular client; in the short run cheaper but in the long run more expensive if such
costs are incurred for many clients.

Data mining software - commercially available software (such as ACL or IDEA)
can be easily used to access clients' electronic data and perform a broad range
of substantive audit tasks (such as performing analytical procedures and sampling
for confirmation work).

1. Procedures related to TOCs when those IT-related controls are internal
and unobservable:

TEST DATA

Test data are dummy/hypothetical transactions input into the client's
programs to be processed by the client's computer programs under the auditor's
supervision.
Only one transaction of each type need be tested.
Need consist only of those valid and invalid conditions that interest the auditor.
The client's programs should ideally accept the valid data and reject the invalid
data.
The program with which the test data are processed may differ from the one
used in actual operations.
Test data usually contain common errors (invalid data) as well as good (valid) data.
The auditor wants to see that the program detects the errors and processes the
good data correctly.

Here, testing an entity's controls by using the entity's system (under the auditor's
supervision) to process a set of transactions containing known errors of interest
is known as the test data approach. The auditor need not include every
possible type of error; include only those kinds of errors that are of interest
to the auditor. Only one transaction of each type need be tested. But be careful
not to contaminate the client's database. In auditing through a computer, the test
data method is used by auditors to test the procedures contained within the
program.
When trying to detect whether data was altered, the auditor needs to test the
computer system. By using test data to verify the performance of edit routines,
the auditor will be able to determine if the data was edited.
A problem not associated with test data is that auditing through the computer is
more difficult than auditing around the computer. In fact, with test data it is even
impossible to audit through the computer.

INTEGRATED TEST FACILITY (ITF)

Integrated test facility (ITF) - a concurrent technique that processes data through
simulated files by creating a dummy company, division, branch, supplier, etc.;
fictitious transactions are processed along with live transactions. It enables the auditor
to test fictitious data in the client's system. Testing can occur at the same time that real
data are being processed and can be performed without the knowledge of company
employees, as dummy and actual records are processed concurrently.

PARALLEL SIMULATION

Parallel simulation - processing the client's actual data on the auditor's
software and then comparing the auditor's output to the client's output for agreement.
It is a computer-assisted auditing technique in which an auditor-written or
auditor-controlled program is used to process client data. The results are then
compared to those obtained using the client's program and differences are
investigated. Parallel simulation uses a generalized audit software package
prepared by auditors.
The electronic nature of the transactions processed with parallel simulation and
the speed of the computer allow the auditor to greatly expand the sample at little
cost.
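The technique as an added worked example (not from the original notes): an auditor-written Python program recomputes gross pay from a constructed client input file and compares it record by record with a constructed client output file. The payroll rule (overtime above 40 hours at 1.5 times the rate) and the employee data are assumptions:

```python
"""Parallel simulation over a constructed payroll file.

The auditor's own program reprocesses the client's input data (hours, rate)
and compares its output with the client's output file. Every disagreement is
returned for investigation. Assumed payroll rule: hours above 40 are paid at
1.5 times the hourly rate.
"""
from decimal import Decimal, ROUND_HALF_UP

REGULAR_HOURS = 40
OVERTIME_MULTIPLIER = Decimal("1.5")


def auditor_gross_pay(hours: Decimal, rate: Decimal) -> Decimal:
    """Auditor-written reperformance of the client's gross pay calculation."""
    regular = min(hours, REGULAR_HOURS)
    overtime = max(hours - REGULAR_HOURS, 0)
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# Constructed client input file: (employee, hours worked, hourly rate)
CLIENT_INPUT = [
    ("E100", "40", "20.00"),
    ("E101", "45", "20.00"),
    ("E102", "38.5", "31.10"),
    ("E103", "50", "18.00"),
]

# Constructed client output file. E101's overtime was paid at straight time,
# the kind of processing difference parallel simulation is meant to surface.
CLIENT_OUTPUT = {
    "E100": "800.00",
    "E101": "900.00",
    "E102": "1197.35",
    "E103": "990.00",
}


def parallel_simulation(client_input: list, client_output: dict) -> list:
    """Return (employee, client amount, auditor amount) for every disagreement.

    A record present in the input but missing from the client's output is
    reported with a client amount of None.
    """
    differences = []
    for emp, hours, rate in client_input:
        expected = auditor_gross_pay(Decimal(hours), Decimal(rate))
        actual = client_output.get(emp)
        if actual is None or Decimal(actual) != expected:
            differences.append((emp, actual, str(expected)))
    return differences


if __name__ == "__main__":
    for emp, client_amt, auditor_amt in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(f"investigate {emp}: client {client_amt}, auditor {auditor_amt}")
```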

Note: Test data, ITF and parallel simulation test how well the client's systems
work (after the fact), especially in detecting errors.

TECHNIQUES FOR CONTINUOUS (OR CONCURRENT) TESTING

1. Transaction tagging - a technique in which an identifier providing a
transaction with a special designation is added to the transaction record. The tag
is often used to allow logging of transactions or snapshot activities. Such tagging
is analogous to an electronic tag attached to an animal in the wilderness so that
researchers can follow the animal's movement.
2. Embedded audit modules and audit hooks - routines built into the
application program to perform an ongoing audit function. A module is inserted into
the client's system to capture designated transactions, such as large or unusual
transactions, for later review by the auditor.

Systems that don't have a permanent audit trail require that any auditing occurs
while processing takes place.
Embedded audit modules - enable the auditor to continuously test and monitor
the client's computerized information system.
However, auditors may hesitate to use embedded audit modules because they
are required to be involved in the system design of the application to be
monitored.
Audit hooks - an exit point built into the application program where an
audit module can be added subsequently.

Note: tagging, embedded audit modules, and audit hooks test the working
of the system while processing takes place.

3. SYSTEM CONTROL AUDIT REVIEW FILE (SCARF) - a log, usually
created by an embedded audit module, used to collect information for subsequent
review and analysis. The auditor determines the appropriate criteria for review and the
SCARF selects the type of transaction, dollar limit, or other characteristic.
4. Extended records - this technique attaches additional audit data which would
not otherwise be saved to regular historic records and thereby helps to provide a
more complete audit trail. The extended record information may subsequently be
analyzed.

Controlled reprocessing is not a technique that continuously tests
controls. It is a variation of parallel simulation, which processes actual
client data through a copy of the client's application program.

To access a client's electronic files for substantive purposes, the auditor will
either use generalized audit software or write customized client-specific
programs.
Logic checks refers to certain computer edit routines that flag/signal
erroneous data input.

Limit test - the computer ensures that a numerical amount in a record
does not exceed some predetermined amount, e.g. not above 40 hours
per week if there is no overtime. A limit test is a control that sets an upper
or lower limit. After input or a processing step, the result can be compared
to the limit set. A program that restricts weekly payroll checks to $10,000
or less is a limit test.
Edit checks - ensure that only valid transactions are processed. A direct
report of an edit check would be an exception report.
A validity check is a check to see if the data carry valid values. The
computer matches a control field value to an existing file record and
highlights/flags those which do not match. Gender: M or F; all others are
invalid.
Missing data check - are there any omissions from any fields in which
data should have been present?
Check digit - a check digit is an extra digit added to an identification
number to detect certain types of data transmission or transposition errors.
It is used to verify that the number was entered into the computer system
correctly. It is a digit that enables verification of other digits in the item. It is
calculated based on the other digits and is used to detect errors. For
example, a student identification number could consist of 7 digits with the
7th digit computed based on the first 6 digits. If the number is input
incorrectly or inappropriately changed during processing, the check digit
won't compute properly and the number will be rejected as invalid. This
digit, while normally at the end of an account number, may be placed
consistently in any position in the account number when adequate computer
programming exists.
Automated error correction - a printout of the causes of errors
corrected by the system. Whenever the control procedures flag a data
input/application/output problem, there should be procedures to pull out
the item, fix the problem, and then put the item back in line for proper
output.

Completeness check - verification that all data required to process a
given type of transaction has been entered in the required data fields. If
missing data is detected, the operator is generally prompted to enter or
complete the submission before it will be accepted for processing. E.g. an
omitted purchase order number. Missing data check - a control that will detect
blanks existing in input data where they should not (e.g. an employee's
division number). When the data is missing, an error message is output.
Limit tests and validity check tests are both input and processing controls
designed to ensure the reliability and accuracy of data processing.
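As an added example (not from the original notes), the following Python runs the edit routines listed above over a constructed batch of payroll time records and produces the exception report. The check digit uses the Luhn mod-10 scheme, which the notes do not specify, and the 40-hour limit, the gender values and the division master file are assumptions:

```python
"""Input edit routines (limit test, validity check, missing-data check, check
digit) run over a constructed batch of payroll time records.

Every failure lands on an exception report, the direct output of an edit check.
The employee number is 6 digits plus a 7th check digit computed from the first
6 with the Luhn mod-10 scheme (an assumption; the notes do not fix the scheme).
"""

MAX_WEEKLY_HOURS = 40                  # limit test: no overtime, so 40 is the ceiling
VALID_GENDERS = {"M", "F"}             # validity check: all other values are invalid
VALID_DIVISIONS = {"07", "12", "31"}   # validity check: constructed division master file

# Constructed batch. Record 0 is clean; the others each carry a known error.
SAMPLE_BATCH = [
    {"emp_no": "1234566", "division": "07", "gender": "M", "hours": "38"},
    {"emp_no": "1243566", "division": "07", "gender": "F", "hours": "40"},   # digits 3 and 4 transposed
    {"emp_no": "1234566", "division": "",   "gender": "M", "hours": "45"},   # division missing, hours over limit
    {"emp_no": "1234566", "division": "12", "gender": "X", "hours": "abc"},  # invalid gender, non-numeric hours
]


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit to append to an identification number (Luhn mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """Check-digit test: recompute the last digit from the leading six digits."""
    if not (number.isdigit() and len(number) == 7):
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def edit_record(rec: dict) -> list:
    """Return the edit-check failures for one record; an empty list means accepted."""
    errors = []
    if not check_digit_ok(rec["emp_no"]):
        errors.append(("emp_no", "check digit failure"))
    if not rec["division"]:                              # missing-data check
        errors.append(("division", "missing data"))
    elif rec["division"] not in VALID_DIVISIONS:         # validity check against master file
        errors.append(("division", "validity check failure"))
    if rec["gender"] not in VALID_GENDERS:               # validity check on a coded field
        errors.append(("gender", "validity check failure"))
    if not rec["hours"].isdigit():                       # field must be numeric before the limit test
        errors.append(("hours", "non-numeric field"))
    elif int(rec["hours"]) > MAX_WEEKLY_HOURS:           # limit test
        errors.append(("hours", f"limit test failure (> {MAX_WEEKLY_HOURS})"))
    return errors


def run_edit_checks(batch: list) -> tuple:
    """Split a batch into accepted records and an exception report of (index, field, reason)."""
    accepted, exception_report = [], []
    for idx, rec in enumerate(batch):
        failures = edit_record(rec)
        if failures:
            exception_report.extend((idx, field, reason) for field, reason in failures)
        else:
            accepted.append(rec)
    return accepted, exception_report


if __name__ == "__main__":
    ok, report = run_edit_checks(SAMPLE_BATCH)
    print(f"{len(ok)} record(s) accepted")
    for idx, field, reason in report:
        print(f"EXCEPTION record {idx} field {field:<8} {reason}")
```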
Code review - This technique involves actual analysis of the logic of the
program's processing routines. The primary advantage is that the auditor
obtains a detailed understanding of the program. Difficulties with the
approach include the fact that it is extremely time-consuming, it requires a
very high level of computer expertise, and difficulties involved with making
certain that the program being verified is in fact the program in use
throughout the accounting period.

IMPORTANT TERMS

Trojan horse - involves the inclusion of unauthorized programming/illicit activity
that runs when an otherwise legitimate program is run. They are frequently included in
free software downloadable from internet sites.
EDI - involves an electronic transaction between companies (one is selling, one is
buying). It involves point-to-point transactions, i.e. direct computer-to-computer
communication between parties. EDI is different from other forms of e-commerce
in that EDI uses standardized formats for electronically transferring information. In
building an EDI system, a standard format uniform worldwide is adopted for
electronically transferring information. By adopting EDI, a company can electronically
transfer information from one system into another. The elimination of manual re-entry
of data and paperwork reduces costs and increases accuracy. An EDI environment
enables the business cycle to be reduced (or compressed). For example, sales may be
invoiced immediately, with the resultant speed-up of cash collections and reductions
of receivable balances.

ONLINE EDP - Segregation of duties within EDP is critical; separation of
computer programming from computer operations is the most effective control for
preventing personnel from modifying programs to bypass programmed controls.
Physical security of EDP facilities (limiting access to EDP equipment) will
only prevent personnel who are not authorized to access the system, but will
not prevent authorized personnel, who can still modify programs. Inquiry,
observation and inspection can be used to gather evidence about
external, observable EDP-related controls that are not otherwise
documented.
Programmed controls are controls built into programs to prevent
unauthorized manipulation of data. Since programmers write the programs
(and, consequently, the built-in controls), a programmer could modify a
program to bypass programmed controls and manipulate data. The best
way to prevent this is not to allow programmers to have access to
programs during actual processing. This is accomplished by segregation
of duties within EDP for computer programming and computer operations.
Destructive updating in an online EDP system is destructive of transaction
files. Accordingly, auditing of the balances in accounts where transactions are
periodically destroyed requires a well-documented audit trail for the
auditor.

A worm is a program (like a virus, but a program instead of a segment of code)
that copies itself automatically and actively sends itself to other systems.
A hash total is a meaningless total that serves a control function. It totals a field
that would not normally be totaled, such as customer account numbers. By
creating a hash total at the beginning of processing, subsequent totals can be
compared to the original after each processing step to ensure that the data in the
field were not erroneously changed.
A batch total is calculated as a control total. It helps ensure that the data being
input for a batch, e.g., total hours worked for a payroll period, are input accurately
and completely. There are three different types of batch totals - financial totals,
hash totals, and record counts. A total of the day's sales transactions is a
financial total.
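The three batch totals in action, as an added example that is not from the original notes: control totals are taken on a constructed day's sales batch, recomputed after each processing step, and any total that no longer agrees names the kind of change that step introduced. The transactions and the three simulated steps are constructed for the example:

```python
"""Batch control totals: financial total, hash total and record count.

Totals are taken when the batch enters processing and recomputed after each
step. The hash total of the account-number field is meaningless as a number,
but it is the only total that moves when an account number is changed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SaleTxn:
    account_no: int    # customer account number: not meaningful to add, so a hash total
    amount_cents: int  # financial field: meaningful to add, so a financial total


def batch_totals(batch: list) -> dict:
    """The three control totals for a batch of transactions."""
    return {
        "record_count": len(batch),
        "financial_total": sum(t.amount_cents for t in batch),
        "hash_total": sum(t.account_no for t in batch),
    }


def totals_out_of_balance(control: dict, recomputed: dict) -> list:
    """Names of the control totals that changed between two processing points."""
    return [name for name in control if control[name] != recomputed[name]]


# Constructed day's sales batch
SALES_BATCH = [
    SaleTxn(account_no=10234, amount_cents=125_00),
    SaleTxn(account_no=10877, amount_cents=89_50),
    SaleTxn(account_no=11002, amount_cents=310_25),
]


def step_sort(batch: list) -> list:
    """A correct processing step: reordering changes nothing."""
    return sorted(batch, key=lambda t: t.account_no)


def step_mistyped_account(batch: list) -> list:
    """A faulty step: one account number has two digits transposed (10877 -> 10787)."""
    return [replace(t, account_no=10787) if t.account_no == 10877 else t for t in batch]


def step_dropped_record(batch: list) -> list:
    """A faulty step: the last record is lost."""
    return batch[:-1]


def run_controlled_steps() -> dict:
    """Map each step to the control totals it throws out of balance."""
    control = batch_totals(SALES_BATCH)
    steps = [
        ("sort", step_sort),
        ("mistyped_account", step_mistyped_account),
        ("dropped_record", step_dropped_record),
    ]
    return {name: totals_out_of_balance(control, batch_totals(step(SALES_BATCH)))
            for name, step in steps}


if __name__ == "__main__":
    for name, broken in run_controlled_steps().items():
        print(f"{name}: {'in balance' if not broken else 'out of balance on ' + ', '.join(broken)}")
```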
Value-added network (VAN) is a network that facilitates EDI transactions between buying
and selling companies, but the VAN is maintained by an independent company.
Compiler - a program that converts instructions written in a particular
computer language (the source program) into machine-readable instructions
(the object program). A source program is not in machine-readable form.
Source program - written in a specific programming language, e.g. FORTRAN.
Source code comparison program - a comparison of the compiled object
program code with the original program; it would reveal unauthorized program
changes.
Object program - the instructions in machine-readable form.
Database system - a set of interconnected files that eliminates the
redundancy associated with maintaining separate files for different subsets of the
organization. A key concern is limiting unauthorized access.

Hierarchical DB systems - outdated. Relates to elements constructed
like a company's organization chart. Level 2 is more than level 1.
Relational DB systems - an integrated DB, like a spreadsheet.

Networks:
LAN is a network of hardware and software interconnected throughout a
building or campus (limited to a few miles).
WAN is a larger version of a LAN that might span a whole city or country.
Internet - worldwide network of privately controlled computers.
Intranet - LAN that uses internet technology to facilitate communications throughout
an organization, using a firewall to insulate against outside entry.
Extranet - like an intranet but also connects important external constituents,
e.g. major customers or suppliers.
Computer-assisted auditing techniques:
Parallel simulation processes client input data on a controlled
program (auditor-written or auditor-controlled) to produce output that
can be compared to the same data processed by the client's program;
both outputs are compared and differences are investigated. This technique
enables the auditor to test controls in, and processing performed by, a
client program.
WebTrust is the AICPA's assurance service that facilitates e-commerce.

EXAM NOTES

When the documentation of details of transactions of an entity will be retained
only for a short period of time, then the auditor must perform tests several times
during the year, rather than only at the year end.
Auditing around the computer involves examining inputs into and outputs from
the computer while ignoring processing, i.e. auditing by manually testing the input
and output of a computer system.
Personal identification codes require individuals to in some manner identify
themselves to determine that only authorized users access programs or files.
A database can be described as a set of interconnected files which efficiently
avoids the redundancy associated with maintaining separate files for different
subsets of the organization.
Network and sender/recipient acknowledgements document the trail of accounting
data (and transactions) through the system. In doing so, they serve as essential
elements of the audit trail in an EDI system.
Message directories and header segments identify file contents.
Trading partner security and mailbox codes help to ensure that messages and
data are viewed only by authorized parties.
A hoax virus is a message warning of a virus that doesn't really exist.
A web crawler is a software program that automatically searches the web. It is
also known as a spider, robot or wanderer. A web crawler is used by a search
engine to identify web contents related to a particular topic.
Preventive controls are generally more important than detective controls in EDI
systems, as waiting to discover problems could result in losses of millions of dollars.
Mapping is the process used to determine which elements in the entity's
computer system correspond to the standard data elements. It monitors the
execution of the program.
To obtain an understanding of the relationships among the records and processing
steps within a transaction processing system, the auditor would utilize flowcharts.

Grandfather-father-son (GF-F-SON) record retention would provide backup in the form
of the last 3 updates, which allows reconstruction of damaged or lost data files.
However, for new systems being developed, system documentation would be more
helpful to a new analyst if the old systems analyst left the entity in the middle of the
project.
The recording of sales via the internet is subject to internal and external system
failures, virus and hacker attacks, power fluctuations, etc.
When the I/C system is highly computerized, the basic control objectives are the
same, but the specific evidence-gathering procedures may differ.
Embedded audit module is a computer program inserted by the auditor into the
client's application system. The audit module selects transactions, e.g. large or
unusual transactions, for further review and testing by the auditor.
A utility program is a standard routine for performing commonly required processing
such as sorting, merging, editing, and mathematical routines.
Testing numeric characters in alphanumeric fields will not represent error conditions,
as alphanumeric fields will accept numeric characters.
To test whether credit limits are being exceeded, the auditor would develop a
program to compare credit limits with account balances and print out the details of any
account with a balance exceeding its credit limit. Developing test data would only
indicate that account balances can be exceeded and not the ones that are actually
being exceeded.
Online inquiry is an interactive procedure that allows an auditor or other
authorized personnel to select and view individual records or transactions. It
would be used to confirm whether operating personnel had corrected errors in
transaction files discovered during a recent audit.
Tracing provides an audit trail of the instructions that are executed when a
program is run.

Building access security is not a part of IT general controls. Security of access to the
computers or the network would pertain to IT.

General controls are policies and procedures that relate to many applications and
support the effective functioning of application controls by helping to ensure the
continued proper operation of information systems. These controls often include
controls over:
data center and network operations,
system software acquisition, change, and maintenance,
access security, and
application system acquisition, development, and maintenance.
Specific I/C in a database environment may differ from controls in a non-database
environment, e.g. controls should exist to ensure that users have access to and can
update only the data elements that they have been authorized to access.

IT is both an added benefit and an increased risk to internal controls, depending on the
organization.

Generally, IT provides potential benefits of effectiveness and efficiency for an entity's
internal control because it enables an entity to:
consistently apply predefined business rules and perform complex calculations in
processing large volumes of transactions or data.
enhance the timeliness, availability, and accuracy of information.
facilitate the additional analysis of information.
enhance the ability to monitor the performance of the entity's activities and its
policies and procedures.
reduce the risk that controls will be circumvented.
enhance the ability to achieve effective segregation of duties by implementing
security controls in applications, databases, and operating systems.

IT also poses specific risks to an entity's internal control, including:
reliance on systems or programs that are processing data inaccurately, processing
inaccurate data, or both.
unauthorized access to data that may result in destruction of data or improper
changes to data, including the recording of unauthorized or nonexistent transactions
or inaccurate recording of transactions.
unauthorized changes to data in master files.
unauthorized changes to systems or programs.
failure to make necessary changes to systems or programs.
inappropriate manual intervention.
potential loss of data or inability to access data as required.
Electronic data interchange (EDI) is the exchange of documents in standardized
electronic form between different entities in an automated manner directly from a
computer application in one entity to an application in another. Advantages of an EDI
system include reduced errors, costs, and processing time. It was developed in
conjunction with the just-in-time (JIT) inventory system.

The greatest risk regarding an entity's use of EDI is improper distribution of EDI
transactions. An EDI system must include controls to make certain that EDI transactions
are processed by the proper entity, using the proper accounts. Authorization of EDI
transactions, duplication of EDI transmissions and elimination of paper documents are
not considered sources of greatest risk by auditors.
The extent and nature of the risks to internal control associated with IT vary depending
on the nature and characteristics of the entity's information system. The auditor should
consider whether the entity has responded adequately to the risks arising from IT by
establishing effective controls, including effective general controls upon which
application controls depend. From the auditor's perspective, controls over IT systems
are effective when they maintain the integrity of information and the security of the data
such systems process.
Feedback, feedforward, and preventive control systems are all controls and procedures
implemented in an attempt to keep actions within certain desired parameters. Feedback
is information provided about an action that has already occurred and may be used to
help adjust future actions. Feedforward is information provided that attempts to predict
future outcomes and may be used to adjust future actions. Preventive control systems
are systems that prevent certain actions from occurring. The question provides many
examples of each of these. The question asks you to identify which set can be matched
to the order of feedback, feedforward, and preventive control systems. Only one
alternative provides three examples in the order of feedback (cost accounting
variances), feedforward (cash budgeting), and organizational independence (preventive
control system).
The auditor should test the design effectiveness of IT controls by determining
whether the controls, if they are operated as prescribed, satisfy the company's control
objectives and can effectively prevent or detect errors or fraud that could result in
material misstatements in the financial statements.
The auditor cannot verify the reliable operation of programmed controls by manually re-
performing, as of a point in time, the processing of input data and comparing the
simulated results with the actual results of the computer processed data. This is
because the auditor does not ordinarily have complete knowledge of the programmed
instructions for programmed controls. Similarly, at no point in time could the auditor
match the processing of the input data.
User identification and password controls are designed to address this concern by
limiting the access to program documentation, program and data files, and to other
assets of the company (e.g., computer hardware, inventory, and cash). An effective test
of these controls is to examine a sample of assigned passwords and access authority to
determine whether password holders have access authority incompatible with their
other responsibilities.

The test data approach (sometimes called the test deck approach) is a way to audit
through the computer. Test data is introduced into the client's computer system using
the same program to operate the application being tested. The output is compared to
the auditor's predetermined results. The test data approach does not involve a separate
program.

An integrated test facility introduces a fictitious entity (such as a dummy subsidiary) with
real entries in the master files of the client's computer system. The auditor then
compares the processing of data through the fictitious entity with what should be there
in order to test that the data processing is reliable. Like the test data (or test deck)
approach, an integrated test facility uses the client's system.

Data extraction programs have the following advantages:
They allow the CPA a high degree of independence.
They reduce the CPA's required level of EDP expertise and training.
They access a wide variety of client records interchangeably without special
programming and with only a limited knowledge of the client's hardware and software
features.
They allow the CPA to totally control program execution.
They use the speed and accuracy of the computer.

The audit of an entity that processes most of its financial data only in electronic form
may require continual monitoring throughout the year, including testing of controls and
analysis of transaction processing at the time it occurs. Such testing may only be
effectively accomplished through the use of auditing software embedded in the
program. While the other strategies are important in testing aspects of the internal
control system, the testing of such attributes as completeness, authorization, and
accuracy in a paperless system can only be achieved at the time the transaction takes
place.
