IT & Audit
Benefits of IT
Consistency
Timeliness
Analysis: data can be accessed for analytical procedures (AP) more conveniently.
Monitoring: electronic controls can be monitored by the computer system
itself.
Circumvention: controls are difficult to circumvent.
Segregation of duties: enhanced segregation of duties through effective
implementation of security controls.
Risks of IT
Segregation of duties: may be undermined through unauthorized access.
Audit trail may be lacking: there is no paper trail of the kind auditors are
accustomed to following. The audit trail is the means by which an accounting
transaction can be traced through an accounting information system. In an EDI
system, the audit trail would include activity logs that indicate failed
transactions, as they identify the disposition of those transactions.
Overreliance
Access: destruction and alteration of large amounts of data are possible if
unauthorized access occurs. In general, data files are compact and in a single
location. It is more difficult to secure microcomputers.
Changes in programs: unauthorized program changes could cause severe
consequences without being detected.
Failure to change: sometimes programs are not updated for new laws.
Manual intervention
Loss of data
The internet is a large and growing communications medium. The recording of
sales via the internet is subject to internal and external system failures, virus
and hacker attacks, and power fluctuations.
The specific evidence-gathering procedures might differ.
GENERAL CONTROLS
General controls are critical to any EDI system. If the general controls are not
functioning properly, the application controls will not be secure. General IT controls are
policies and procedures that relate to different applications and support the effective
functions of application controls. Assessing control risk at a low level
presupposes effectively functioning application controls, which in turn depend
on the general controls, and thus the auditor would initially focus on the
general controls.
Thus, encryption performed by physically secure hardware devices is more
secure than encryption performed by software, since software encryption could
be broken if a hacker or other outside party were able to get into the software
via access to the hardware.
Tests of controls (TOCs) initially focus on general controls.
for the custody of the removable media (i.e. magnetic tapes or disks) and
for the maintenance of program and system documentation.
Security: responsible for protecting the programs and data files and
implementing procedures to safeguard the system.
Database administrator: responsible for maintaining the database and
restricting access to the database to authorized personnel.
4. Access
The access to data, software, and the hardware should be limited to
authorized personnel. The database administrator ordinarily controls
access to the database. Access controls are particularly important to
a distributed system in which remote computers are linked to the main
system. These controls are designed to limit use of the system, and entry to
files, to authorized persons. To test that online access controls are properly
functioning, an auditor would directly test them by entering invalid ID numbers
or passwords to ascertain whether the system rejects them.
Systems documentation is a general control that would assist an entity whose
systems analyst left in the middle of a major project. Such documentation would
be prepared for each application system and would include narratives and
flowcharts. It would document the work completed to date on the project and
enable an analyst to take over.
Examples of general controls are program change controls, controls that
restrict access to programs or data, controls over the implementation of new
releases of packaged software applications, and controls over system software
that restrict access to or monitor the use of system utilities that could change
financial data or records without leaving an audit trail.
Application controls can be performed by IT (automated) or by individuals. When
application controls are performed by people interacting with IT, they may be
referred to as user controls.
IT EVIDENCE-GATHERING PROCEDURES
Audit software (the focus is on substantive test work) is especially used to
access the client's files.
Generalized audit software: canned audit programs to access and test clients'
files; initially expensive to develop, but can be efficient as they can be used
on numerous engagements.
o Convert machine-readable data into auditor-readable form with added data
manipulation routines, and so utilize the speed and accuracy of the
computer. They do not store data in a machine-readable form.
o Parallel simulation uses a generalized audit software package prepared by
auditors.
TEST DATA
Here, testing an entity's controls by using the entity's system (under the auditor's
supervision) to process a set of transactions containing known errors of interest
is known as the test data approach. The auditor need not include every
possible type of error; include only those kinds of errors that are of interest
to the auditor. Only one transaction of each type need be tested. But be careful
not to contaminate the client's database. In auditing through a computer, the
test data method is used by auditors to test the procedures contained within
the program.
When trying to detect whether data was altered, the auditor needs to test the
computer system. By using test data to verify the performance of edit routines,
the auditor will be able to determine whether the data was edited.
A problem not associated with test data is that auditing through the computer is
more difficult than auditing around the computer. In fact, the test data approach
is itself a way of auditing through the computer.
Integrated Test Facility (ITF) is a concurrent technique that processes data
through simulated files by creating a dummy company, division, branch, supplier,
etc.; fictitious transactions are processed along with live transactions. It
enables the auditor to test fictitious data in the client's system. Testing can
occur at the same time that real data are being processed and can be performed
without the knowledge of company employees, as dummy and actual records are
processed concurrently.
PARALLEL SIMULATION
An auditor-controlled program is used to process client data. The results are
then compared to those obtained using the client's program and differences are
investigated. Parallel simulation uses a generalized audit software package
prepared by auditors.
The electronic nature of the transactions processed with parallel simulation and
the speed of the computer allows the auditor to greatly expand the sample at little
cost.
Note: Test data, ITF and parallel simulation test how well the client's systems
work (after the fact), especially in detecting errors.
Systems that don't have a permanent audit trail require that any auditing occur
while processing takes place.
Embedded audit modules: enable the auditor to continuously test and monitor
the client's computerized information system.
However, auditors may hesitate to use embedded audit modules because they
are required to be involved in the system design of the application to be
monitored.
Audit hooks: an exit point that is built into the application program where an
audit module can be added subsequently.
Note: tagging, embedding audit modules, and audit hooks test the working
of the system while processing takes place.
Controlled reprocessing is not a technique that continuously tests
controls. It is a variation of parallel simulation, which processes actual
client data through a copy of the client's application program.
To access a client's electronic files for substantive purposes, the auditor will
either use generalized audit software or write customized client-specific
programs.
Logic checks refer to certain computer edit routines that flag/signal
erroneous data input.
IMPORTANT TERMS
(and, consequently, the built-in controls), a programmer could modify a
program to bypass programmed controls and manipulate data. The best
way to prevent this is not to allow programmers to have access to
programs during actual processing. This is accomplished by segregation
of duties within EDP for computer programming and computer operations.
Destructive updating in an online EDP system is destructive of transaction
files. Accordingly, auditing of the balances in a/cs where transactions are
periodically destroyed requires a well-documented audit trail for the
auditor.
Networks:
LAN: a network of hardware and software interconnected throughout a
building or campus (limited to a few miles).
WAN: a larger version of a LAN that might span a whole city or country.
Internet: worldwide network of privately controlled computers.
Intranet: a LAN that uses internet technology to facilitate communications
throughout an organization, using a firewall to insulate it from outside entry.
Extranet: like an intranet but also connects important external constituents,
e.g. major customers or suppliers.
Computer assisted auditing techniques:
Parallel simulation: processes client input data on a controlled program
(auditor-written or auditor-controlled) so that the results can be compared to
the same data processed by the client's program; differences are investigated.
This technique enables the auditor to test controls in, and processing
performed by, a client program.
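A worked parallel simulation, added here as an example and not part of the original notes; it illustrates both this item and the PARALLEL SIMULATION section above. The client's invoice program is a constructed stand-in seeded with one hypothetical defect (it grants the volume discount only above 100 units instead of at 100 or more, as the documented policy requires); the auditor's independently written program implements the documented policy, both process the same client input, and every invoice where the two totals differ is listed for investigation. Rates, thresholds and invoices are constructed sample values. Controlled reprocessing would differ only in running a copy of the client's own program in place of the auditor's.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
TAX_RATE = Decimal("0.08")        # constructed policy values
DISCOUNT_RATE = Decimal("0.10")
DISCOUNT_QTY = 100                # documented policy: discount at 100 units or more


def client_invoice_total(qty, unit_price):
    """Stand-in for the client's program, constructed with one defect: the
    volume discount is granted only strictly above 100 units."""
    gross = qty * unit_price
    if qty > DISCOUNT_QTY:        # defect: the documented rule is >=
        gross -= gross * DISCOUNT_RATE
    return (gross * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def auditor_invoice_total(qty, unit_price):
    """Auditor-written program implementing the documented policy independently."""
    gross = qty * unit_price
    if qty >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return (gross * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_output, inputs, simulate=auditor_invoice_total):
    """Reprocess the same input through the auditor's program and list every
    invoice whose recorded client total differs from the simulated total:
    (invoice, client total, simulated total, difference)."""
    differences = []
    for inv in inputs:
        expected = simulate(inv["qty"], inv["unit_price"])
        actual = client_output[inv["invoice"]]
        if actual != expected:
            differences.append((inv["invoice"], actual, expected, actual - expected))
    return differences


SAMPLE_INPUT = [  # constructed client input data
    {"invoice": "INV-1001", "qty": 12, "unit_price": Decimal("19.99")},
    {"invoice": "INV-1002", "qty": 100, "unit_price": Decimal("4.50")},
    {"invoice": "INV-1003", "qty": 250, "unit_price": Decimal("4.50")},
    {"invoice": "INV-1004", "qty": 99, "unit_price": Decimal("10.00")},
]


def run_simulation(inputs=SAMPLE_INPUT):
    # The client's recorded totals, as they would be read from the client's files
    client_output = {i["invoice"]: client_invoice_total(i["qty"], i["unit_price"])
                     for i in inputs}
    return parallel_simulation(client_output, inputs)


if __name__ == "__main__":
    for diff in run_simulation():
        print("investigate:", diff)
```

Only the boundary case (exactly 100 units) differs, which is why the sample deliberately includes it: a parallel simulation over a sample that happens to avoid the boundary would agree with the client's program and give no indication of the defect.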
WebTrust is the AICPA's assurance service that facilitates e-commerce.
EXAM NOTES
Mapping is the process used to determine which elements in the entity's
computer system correspond to the standard data elements. It monitors the
execution of the program.
To obtain understanding of the relationships among the records and processing
steps within a transaction processing system the auditor would utilize flowcharts.
Grandfather-father-son (GF-F-SON) record retention would provide backup in the
form of the last 3 updates, which allows reconstruction of damaged or lost data
files. However, for new systems being developed, system documentation would be
more helpful to a new analyst if the old systems analyst left the entity in the
middle of the project.
The recording of sales via internet is subject to internal and external system
failures, virus and hacker attacks, power fluctuations etc.
When the I/C system is highly computerized, the basic control objectives are the
same, but the specific evidence-gathering procedures may differ.
An embedded audit module is a computer program inserted by the auditor into the
client's application system. The audit module selects transactions, e.g. large or
unusual transactions, for further review and testing by the auditor.
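An added example, not from the original notes, of the embedded audit module described here and of the embedded audit modules and audit hooks described earlier: a constructed posting application exposes an exit point after each posting (the audit hook); the auditor's module is registered at that point and, while live transactions are being processed, selects large, round-amount, out-of-period or unusually coded transactions into an auditor-controlled file. The threshold, account codes, period end and transactions are constructed sample values.

```python
from datetime import date
from decimal import Decimal


class PostingApplication:
    """Constructed stand-in for the client's application program. The audit
    hook is an exit point: after each posting, every registered module is
    called with a copy of the transaction, so the module cannot alter it."""

    def __init__(self):
        self.ledger = []
        self._audit_hooks = []          # the exit point built into the program

    def add_audit_hook(self, module):
        self._audit_hooks.append(module)

    def post(self, txn):
        self.ledger.append(txn)         # normal processing
        for module in self._audit_hooks:
            module(dict(txn))           # audit hook: runs concurrently with posting


class EmbeddedAuditModule:
    """Auditor's module: selects large or unusual transactions as they are
    processed and writes them to an auditor-controlled file (here a list)."""

    def __init__(self, large_threshold, normal_accounts, period_end):
        self.large_threshold = large_threshold
        self.normal_accounts = normal_accounts
        self.period_end = period_end
        self.selected = []              # (transaction id, reasons)

    def __call__(self, txn):
        reasons = []
        if txn["amount"] >= self.large_threshold:
            reasons.append("large")
        if txn["account"] not in self.normal_accounts:
            reasons.append("unusual account")
        if txn["posted"] > self.period_end:
            reasons.append("posted after period end")
        if txn["amount"] > 0 and txn["amount"] % 1000 == 0:
            reasons.append("round amount")
        if reasons:
            self.selected.append((txn["id"], reasons))


SAMPLE_TRANSACTIONS = [  # constructed live transactions
    {"id": "T1", "account": "4000", "amount": Decimal("1250.75"), "posted": date(2024, 12, 3)},
    {"id": "T2", "account": "4000", "amount": Decimal("60000.00"), "posted": date(2024, 12, 10)},
    {"id": "T3", "account": "9999", "amount": Decimal("300.00"), "posted": date(2024, 12, 12)},
    {"id": "T4", "account": "4100", "amount": Decimal("5000.00"), "posted": date(2024, 12, 20)},
    {"id": "T5", "account": "4000", "amount": Decimal("410.10"), "posted": date(2025, 1, 4)},
]


def run_monitored_processing(transactions=SAMPLE_TRANSACTIONS):
    """Post the live stream with the auditor's module attached; return the
    auditor's selections and the number of transactions the client posted."""
    app = PostingApplication()
    eam = EmbeddedAuditModule(large_threshold=Decimal("50000"),
                              normal_accounts={"4000", "4100"},
                              period_end=date(2024, 12, 31))
    app.add_audit_hook(eam)             # requires the hook to exist in the design
    for txn in transactions:
        app.post(txn)
    return eam.selected, len(app.ledger)


if __name__ == "__main__":
    selected, posted = run_monitored_processing()
    print(posted, "posted;", len(selected), "selected for review")
    for item in selected:
        print(item)
```

The module only works because the exit point was designed into the application, which is the reason given above for auditors' hesitation: without involvement at design time there is nowhere to attach it.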
A utility program is a standard routine for performing commonly required
processing such as sorting, merging, editing, and mathematical routines.
Testing numeric characters in alphanumeric fields will not represent error
conditions, as alphanumeric fields accept numeric characters.
To test whether credit limits are being exceeded, the auditor would develop a
program to compare credit limits with account balances and print out the details
of any account with a balance exceeding its credit limit. Developing test data
would only indicate that account balances can be exceeded, not which ones are
actually being exceeded.
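As an added example (not from the original notes) of the credit limit comparison program described here and of the generalized audit software step, described under IT evidence-gathering procedures, of converting machine-readable data into auditor-readable form: a constructed fixed-width receivables extract, with amounts held as nine digits carrying two implied decimals and a separate sign byte for the balance, is parsed into readable records, footed so the extract can be agreed to the ledger, and compared account by account against its credit limit. The record layout, account numbers and amounts are hypothetical.

```python
from decimal import Decimal

# Hypothetical fixed-width layout of the client's receivables master extract:
# (start, end) column positions of each field.
LAYOUT = {
    "account": (0, 6),
    "name": (6, 18),
    "credit_limit": (18, 27),   # 9 digits, 2 implied decimals, always positive
    "balance": (27, 36),        # 9 digits, 2 implied decimals
    "balance_sign": (36, 37),   # '+' debit balance, '-' credit balance
}


def implied_decimal(digits, scale=2):
    """Convert '000062500' with two implied decimals to Decimal('625.00')."""
    if not digits.isdigit():
        raise ValueError(f"non-numeric amount field: {digits!r}")
    return Decimal(digits).scaleb(-scale)


def parse_record(line):
    """Convert one machine-readable record into an auditor-readable dict."""
    f = {k: line[a:b] for k, (a, b) in LAYOUT.items()}
    balance = implied_decimal(f["balance"])
    if f["balance_sign"] == "-":
        balance = -balance
    elif f["balance_sign"] != "+":
        raise ValueError(f"bad sign byte in record {f['account']}: {f['balance_sign']!r}")
    return {
        "account": f["account"],
        "name": f["name"].rstrip(),
        "credit_limit": implied_decimal(f["credit_limit"]),
        "balance": balance,
    }


def credit_limit_exceptions(records):
    """The comparison the auditor programs: every account whose balance exceeds
    its credit limit, as (account, name, balance, limit, excess)."""
    out = []
    for r in records:
        excess = r["balance"] - r["credit_limit"]
        if excess > 0:
            out.append((r["account"], r["name"], r["balance"], r["credit_limit"], excess))
    return out


def footing(records):
    """Foot the balances so the extract can be agreed to the general ledger."""
    return sum((r["balance"] for r in records), Decimal("0.00"))


SAMPLE_EXTRACT = [  # constructed sample records in the layout above
    "A00101Acme Ltd    000500000000062500+",
    "A00102Baker & Co  000250000000275040+",
    "A00103Carlow Inc  000100000000015000-",   # credit balance
    "A00104Delta Foods 000000000000008999+",   # zero limit: any debit exceeds it
    "A00105Echo Stores 000750000000750000+",   # exactly at limit: not an exception
]


def run_report(lines=SAMPLE_EXTRACT):
    records = [parse_record(line) for line in lines]
    return credit_limit_exceptions(records), footing(records)


if __name__ == "__main__":
    exceptions, total = run_report()
    print("total receivables per extract:", total)
    for e in exceptions:
        print("over limit:", e)
```

Two boundary cases are deliberately in the sample: a zero credit limit (any debit balance is an exception) and a balance exactly equal to its limit (not an exception), because those are the cases a hand-written comparison most often gets wrong.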
Online inquiry is an interactive procedure that allows an auditor or other
authorized personnel to select and view individual records or transactions. It
would be used to confirm whether operating personnel had corrected errors in
transaction files discovered during a recent audit.
Tracing provides an audit trail of the instructions that are executed when a
program is run.
Building access security is not a part of IT general controls. Security of access to the
computers or the network would pertain to IT.
General controls are policies and procedures that relate to many applications and
support the effective functioning of application controls by helping to ensure the
continued proper operation of information systems. These controls often include
controls over:
application system acquisition, development, and maintenance.
Specific I/C in a database environment may differ from controls in a non-database
environment e.g. controls should exist to ensure that users have access to and can
update only the data elements that they have been authorized to access.
IT is both an added benefit and an increased risk to internal controls, depending on the
organization.
The greatest risk regarding an entity's use of EDI is improper distribution of EDI
transactions. An EDI system must include controls to make certain that EDI
transactions are processed by the proper entity, using the proper accounts.
Authorization of EDI transactions, duplication of EDI transmissions and
elimination of paper documents are not considered sources of greatest risk by
auditors.
The extent and nature of the risks to internal control associated with IT vary depending
on the nature and characteristics of the entity's information system. The auditor should
consider whether the entity has responded adequately to the risks arising from IT by
establishing effective controls, including effective general controls upon which
application controls depend. From the auditor's perspective, controls over IT systems
are effective when they maintain the integrity of information and the security of the data
such systems process.
Feedback, feedforward, and preventive control systems are all controls and procedures
implemented in an attempt to keep actions within certain desired parameters. Feedback
is information provided about an action that has already occurred and may be used to
help adjust future actions. Feedforward is information provided that attempts to predict
future outcomes and may be used to adjust future actions. Preventive control systems
are systems that prevent certain actions from occurring. The question provides many
examples of each of these. The question asks you to identify which set can be matched
to the order of feedback, feedforward, and preventive control systems. Only one
alternative provides three examples in the order of feedback (cost accounting
variances), feedforward (cash budgeting), and organizational independence (preventive
control system).
The auditor should test the design effectiveness of IT controls by determining
whether the controls, if they are operated as prescribed, satisfy the company's control
objectives and can effectively prevent or detect errors or fraud that could result in
material misstatements in the financial statements.
The auditor cannot verify the reliable operation of programmed controls by manually re-
performing, as of a point in time, the processing of input data and comparing the
simulated results with the actual results of the computer processed data. This is
because the auditor does not ordinarily have complete knowledge of the programmed
instructions for programmed controls. Similarly, at no point in time could the auditor
match the processing of the input data.
User identification and password controls are designed to address this concern by
limiting the access to program documentation, program and data files, and to other
assets of the company (e.g., computer hardware, inventory, and cash). An effective test
of these controls is to examine a sample of assigned passwords and access authority to
determine whether password holders have access authority incompatible with their
other responsibilities.
The test data approach (sometimes called the test deck approach) is a way to audit
through the computer. Test data is introduced into the client's computer system using
the same program to operate the application being tested. The output is compared to
the auditor's predetermined results. The test data approach does not involve a separate
program.
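The test data approach, as an added example that is not part of the original notes and that illustrates both this passage and the TEST DATA section above: a constructed stand-in for the client's input edit routine is run, under the auditor's control, against a copy of the master file so that the live database is not contaminated; the test deck holds one transaction per error type of interest, each paired with the auditor's predetermined result, and the routine's actual dispositions are compared with those predetermined results. The deck also carries numeric characters in an alphanumeric memo field, which, as noted under EXAM NOTES, is not an error condition. Customer IDs, limits and amounts are constructed.

```python
import copy
import re
from decimal import Decimal, InvalidOperation


def client_edit_routine(txn, customer_master):
    """Constructed stand-in for the client's own input edit routine (the program
    under test; the auditor does not write it). Returns the disposition of one
    sales transaction and posts it to the master if accepted."""
    if not re.fullmatch(r"C\d{5}", txn.get("customer", "")):
        return "REJECTED: customer id format"
    if txn["customer"] not in customer_master:
        return "REJECTED: unknown customer"
    try:
        amount = Decimal(str(txn["amount"]))
    except InvalidOperation:
        return "REJECTED: non-numeric amount"
    if amount <= 0:
        return "REJECTED: amount not positive"
    cust = customer_master[txn["customer"]]
    if cust["balance"] + amount > cust["credit_limit"]:
        return "REJECTED: credit limit"
    cust["balance"] += amount          # posting updates the master file
    return "ACCEPTED"


# Test deck: one transaction per error type of interest, with the auditor's
# predetermined result. Only the edits of interest are represented.
TEST_DECK = [
    ({"customer": "C00001", "amount": "100.00", "memo": "12345"}, "ACCEPTED"),
    ({"customer": "00001", "amount": "100.00", "memo": ""}, "REJECTED: customer id format"),
    ({"customer": "C99999", "amount": "100.00", "memo": ""}, "REJECTED: unknown customer"),
    ({"customer": "C00001", "amount": "1O0.00", "memo": ""}, "REJECTED: non-numeric amount"),
    ({"customer": "C00001", "amount": "-5.00", "memo": ""}, "REJECTED: amount not positive"),
    ({"customer": "C00002", "amount": "600.00", "memo": ""}, "REJECTED: credit limit"),
]

LIVE_MASTER = {  # constructed client master file
    "C00001": {"credit_limit": Decimal("5000.00"), "balance": Decimal("0.00")},
    "C00002": {"credit_limit": Decimal("500.00"), "balance": Decimal("0.00")},
}


def run_test_data(deck=TEST_DECK, master=LIVE_MASTER):
    """Process the deck through the client's routine against a COPY of the
    master so the live database is not contaminated. Returns the deviations
    (transaction, predetermined, actual) and the scratch master; an empty
    deviation list means every edit behaved as the auditor predetermined."""
    scratch = copy.deepcopy(master)
    deviations = []
    for txn, expected in deck:
        actual = client_edit_routine(txn, scratch)
        if actual != expected:
            deviations.append((txn, expected, actual))
    return deviations, scratch


if __name__ == "__main__":
    devs, _ = run_test_data()
    print("deviations from predetermined results:", devs or "none")
```

The first deck item is the one that must be accepted: the memo "12345" is numeric data in an alphanumeric field, and an edit that rejected it would be the finding, not the acceptance.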
An integrated test facility introduces a fictitious entity (such as a dummy subsidiary) with
real entries in the master files of the client's computer system. The auditor then
compares the processing of data through the fictitious entity with what should be there
in order to test that the data processing is reliable. Like the test data (or test deck)
approach, an integrated test facility uses the client's system.
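An integrated test facility, added as an example that is not part of the original notes and illustrating this passage and the ITF section above: the auditor inserts a dummy customer into a constructed master file, fictitious transactions are interleaved with live ones and posted by the client's (stand-in) posting program in the same run, the dummy's resulting balance is compared with what should be there, and the dummy entity is removed before the control total is taken so that fictitious entries never reach the real figures. Customer IDs and amounts are constructed.

```python
from decimal import Decimal


def client_posting_program(transactions, master):
    """Constructed stand-in for the client's live posting run: posts each
    transaction to its customer's balance and cannot tell dummy from real."""
    for txn in transactions:
        master[txn["customer"]]["balance"] += txn["amount"]


DUMMY = "C99900"  # fictitious customer the auditor inserts into the master file


def interleave(live, fictitious):
    """Mix the fictitious transactions into the live stream so both are
    processed in the same run, concurrently with real data."""
    run = []
    for i, txn in enumerate(live):
        run.append(txn)
        if i < len(fictitious):
            run.append(fictitious[i])
    run.extend(fictitious[len(live):])
    return run


def control_total(master):
    return sum((c["balance"] for c in master.values()), Decimal("0.00"))


def integrated_test_facility(live_txns, fictitious_txns, master):
    """Run the ITF. Returns (test passed, dummy balance, control total after the
    dummy entity has been removed)."""
    master[DUMMY] = {"balance": Decimal("0.00"), "itf": True}
    # What should be there: the auditor's own total of the fictitious entries
    expected = sum((t["amount"] for t in fictitious_txns), Decimal("0.00"))
    client_posting_program(interleave(live_txns, fictitious_txns), master)
    actual = master[DUMMY]["balance"]
    # Reverse the fictitious entity out before any real reporting uses the file
    del master[DUMMY]
    return actual == expected, actual, control_total(master)


LIVE_MASTER = {  # constructed
    "C00001": {"balance": Decimal("0.00")},
    "C00002": {"balance": Decimal("0.00")},
}
LIVE_TXNS = [  # constructed live transactions
    {"customer": "C00001", "amount": Decimal("100.00")},
    {"customer": "C00002", "amount": Decimal("250.00")},
    {"customer": "C00001", "amount": Decimal("75.00")},
]
FICTITIOUS_TXNS = [  # the auditor's transactions against the dummy customer
    {"customer": DUMMY, "amount": Decimal("40.00")},
    {"customer": DUMMY, "amount": Decimal("-10.00")},
]


def run_itf():
    return integrated_test_facility(LIVE_TXNS, FICTITIOUS_TXNS, LIVE_MASTER)


if __name__ == "__main__":
    passed, dummy_balance, total = run_itf()
    print("ITF passed:", passed, "dummy balance:", dummy_balance, "real total:", total)
```

The removal step is what distinguishes a safe ITF from contamination of the client's records: the control total of 425.00 contains only the real customers' postings even though the fictitious entries went through the same live run.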
The audit of an entity that processes most of its financial data only in electronic form
may require continual monitoring throughout the year, including testing of controls and
analysis of transaction processing at the time it occurs. Such testing may only be
effectively accomplished through the use of auditing software embedded in the
program. While the other strategies are important in testing aspects of the internal
control system, the testing of such attributes as completeness, authorization, and
accuracy in a paperless system can only be achieved at the time the transaction takes
place.