
UDE 2005 – AUDITING II

06 - E-COMMERCE (E-COM) AND ELECTRONIC DATA PROCESSING AUDIT (EDP)

MUSTAFFA BUKHARI
INTRODUCTION
• The auditing profession is one of the professions
tied to particular human needs. It has developed
through the ages alongside the
development of economic life in communities
and institutions, and alongside the developments that
have accompanied globalization and
economies, such as the emergence of the
concept of E-commerce.
BENEFIT OF E-COM AND EDP
• Computer controls replace manual controls.
– Cost effective
– Electronic backup
– Security and control
– Better management
• Higher-quality information is available
– Smooth vendor business collaboration
– Better timelines
– Reliable content
RISKS RELATED TO E-COM AND EDP
• IT can improve a company’s internal controls; however,
it can also affect the company's overall control risk.
• If IT systems fail, organizations can be paralyzed by the
inability to retrieve information or by the use of
unreliable information caused by processing errors.
• The following are the specific risks relating to E-COM and EDP:
1. Risks to hardware and data
2. Reduced audit trail
3. Need for Information Technology (IT) experience and
separation of IT duties
1- RISKS TO HARDWARE AND DATA
• Reliance on hardware and software
– Without proper physical protection, hardware or software may not function or
may function improperly.
• Systematic versus random error
– When organizations replace manual procedures with technology-based
procedures, the risk of random error from human involvement decreases.
However, the risk of systematic error increases because once procedures are
programmed into computer software, the computer processes information
consistently for all transactions.
• Unauthorized access
– IT-based accounting systems often allow online access to electronic data in
master files, software, and other records. Because online access can occur
from remote access points, there is potential for illegitimate access.
• Data loss
– Since much of the data is stored in centralized electronic files, this increases
the risk of loss or destruction of entire data files.
2- REDUCED AUDIT TRAIL
• Visibility of audit trail
– With the use of computers, IT often reduces or even eliminates
source documents and records that allow the organization to
trace accounting information.
• Reduced human involvement
– In many IT systems, employees who deal with the initial
processing of transactions never see the final results.
Therefore, they are less able to identify mistakes.
• Lack of traditional authorization
– Advanced IT systems can often initiate transactions
automatically, such as calculating interest on savings accounts
and ordering inventory when pre-specified order levels are
reached.
Hence, DETECTION RISK increases.
AUDIT RISK MODEL
RISK      AUDIT RISK  =  INHERENT RISK   CONTROL RISK   DETECTION RISK
IMPACT    VERY LOW       HIGH            HIGH           LOW

HENCE

RISK      AUDIT RISK  =  INHERENT RISK   CONTROL RISK   DETECTION RISK
IMPACT    LOW            LOW             HIGH           MODERATE
          MODERATE       HIGH            LOW            MODERATE

3- NEED FOR IT EXPERIENCE AND
SEPARATION OF DUTIES
• Reduced separation of duties
– The IT environment may reduce the separation of
duties or segregation of duties due to the lack of
human involvement and traditional authorization.
• Need for IT experience
– It is important to have personnel with knowledge
and experience to install, maintain, and use the
system since the environment may be new to
certain other personnel.
INTERNAL CONTROLS SPECIFIC TO
INFORMATION TECHNOLOGY
• In order to deal with the specific risks relating to E-COM
and EDP, specific internal controls need to be
maintained in place.
• Internal controls specific to information
technology include:
– General controls
• Controls that apply to all aspects of the IT function,
including IT administration, separation of IT duties, systems
development, and physical and online security over access to
hardware, software and related data.
– Application controls
• Controls that apply to the processing of transactions.
RELATIONSHIP BETWEEN GENERAL
AND APPLICATION CONTROLS
CATEGORIES OF GENERAL AND
APPLICATION CONTROLS
CATEGORIES OF GENERAL CONTROL
• Administration of the IT Function
– The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
• Systems Development
– Typical test strategies
• Pilot testing
– Pilot testing is when a new system is implemented in one part of
the organization while other locations continue to rely on the old
system
• Parallel testing
– Parallel testing is when the new and old systems operate
simultaneously in all locations.
CATEGORIES OF GENERAL CONTROL
CONT.
• Segregation of IT Duties
CATEGORIES OF GENERAL CONTROL
CONT.
• Physical and Online Security
– Online Controls:
• Proper user IDs and passwords control access to software and related
data files, thus reducing the likelihood that unauthorized changes are
made to software applications and data files.
– User ID control
– Password control
– Separate add-on security software
– Physical Controls:
• Physical controls decrease the risk of unauthorized changes to
programs and improper use of programs and data files.
– Keypad entrances
– Badge-entry systems
– Security cameras
– Security personnel
CATEGORIES OF GENERAL CONTROL
CONT.
• Backup and Contingency Planning
– Offsite storage of critical files is a key element to a
backup and contingency plan
– One key to a backup and contingency plan is to make
sure that all critical copies of software and data files
are backed up and stored off the premises.
• Hardware Controls
– These controls are built into computer equipment by
the manufacturer to detect and report equipment
failures.
CATEGORIES OF APPLICATION
CONTROL
• Application controls are designed for each
software application including:
– Input control
• These controls are designed by an organization to
ensure that the information being processed is
authorized, accurate, and complete.
• Input controls also include batch input controls.
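
An added example, not part of the original slides: one way a batch input control can test that a batch is authorized, accurate, and complete before processing. The record layout, approver names and the use of record count, financial total and hash total as the control totals are assumptions chosen for illustration, and the data is constructed.

```python
from decimal import Decimal

AUTHORIZED_APPROVERS = {"clerk_a", "clerk_b"}  # constructed approver list

def control_totals(batch):
    """Compute the batch totals from the records actually received."""
    return {
        "record_count": len(batch),
        "financial_total": sum((r["amount"] for r in batch), Decimal("0")),
        # Hash total: sum of a non-financial field, meaningful only as a check
        "hash_total": sum(r["customer_id"] for r in batch),
    }

def check_batch(batch, header):
    """Return a list of exceptions; an empty list means the batch is accepted."""
    exceptions = []
    computed = control_totals(batch)
    # Completeness and accuracy: totals on the batch header must match
    for name, expected in header.items():
        if computed[name] != expected:
            exceptions.append(f"{name}: header {expected}, computed {computed[name]}")
    for r in batch:
        # Authorization: every record must carry a known approver
        if r["approved_by"] not in AUTHORIZED_APPROVERS:
            exceptions.append(f"{r['invoice']}: unauthorized approver {r['approved_by']}")
        # Accuracy: reject amounts that cannot be valid sales
        if r["amount"] <= 0:
            exceptions.append(f"{r['invoice']}: non-positive amount {r['amount']}")
    return exceptions

# Constructed sample batch and the header totals prepared by the submitter
BATCH = [
    {"invoice": "INV-1001", "customer_id": 4012, "amount": Decimal("250.00"), "approved_by": "clerk_a"},
    {"invoice": "INV-1002", "customer_id": 4377, "amount": Decimal("980.50"), "approved_by": "clerk_b"},
    {"invoice": "INV-1003", "customer_id": 3890, "amount": Decimal("600.00"), "approved_by": "clerk_a"},
]
HEADER = {"record_count": 3, "financial_total": Decimal("1830.50"), "hash_total": 12279}

if __name__ == "__main__":
    print(check_batch(BATCH, HEADER) or "batch accepted")
```

A record keyed to the wrong customer leaves the count and financial total unchanged, so only the hash total exposes it.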
CATEGORIES OF APPLICATION
CONTROL CONT.
– Processing Controls
CATEGORIES OF APPLICATION
CONTROL CONT.
– Output Controls
• These controls focus on detecting errors after
processing is completed rather than on preventing
errors.
HOW GENERAL CONTROLS AFFECT THE AUDITOR’S
TESTING OF APPLICATION CONTROLS.
• Ineffective general controls create the potential for material
misstatements across all system applications regardless of the
quality of the application controls.
• Client changes to application software affect the auditor’s reliance
on automated controls.
• Auditors obtain information about general and application controls
through interviews, examination of system documentation, and
reviews of detailed questionnaires completed by IT staff.
• If general controls are ineffective, the auditor’s ability to rely on IT-
related application controls to reduce control risk in all cycles is
reduced.
• After identifying specific IT-based application controls that can be
used to reduce control risk, auditors can reduce substantive testing.
AUDITING IN IT ENVIRONMENTS (E-COM & EDP)
WITH VARIED COMPLEXITY
AUDITING AROUND AND THROUGH
THE COMPUTER
AUDITING THROUGH THE COMPUTER USING TEST
DATA, PARALLEL SIMULATION, AND EMBEDDED AUDIT
MODULE APPROACHES
• Test Data Approach
AUDITING THROUGH THE COMPUTER USING TEST DATA,
PARALLEL SIMULATION, AND EMBEDDED AUDIT MODULE
APPROACHES CONT.
• Parallel Simulation
– The auditor uses auditor-controlled software to perform
parallel operations to the client’s software by using the
same data files.
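
An added example, not part of the original slides: a parallel simulation of the savings-interest calculation mentioned earlier, in which auditor-controlled code recomputes interest from the same data file and lists every difference from what the client's program posted. The interest rule, tier boundary, account numbers and posted amounts are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

def auditor_interest(balance):
    """Auditor's independent version of the documented rule (assumed):
    3% p.a. for balances of 10,000 or more, otherwise 2% p.a., posted monthly."""
    rate = Decimal("0.03") if balance >= Decimal("10000") else Decimal("0.02")
    return (balance * rate / 12).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(accounts, client_posted, tolerance=Decimal("0.00")):
    """Compare auditor-computed interest with the client's posted interest.
    Returns (account, auditor_amount, client_amount) for every difference."""
    differences = []
    for acct, balance in accounts:
        expected = auditor_interest(balance)
        posted = client_posted.get(acct)
        if posted is None or abs(posted - expected) > tolerance:
            differences.append((acct, expected, posted))
    # Output with no matching record in the data file is also an exception
    known = {acct for acct, _ in accounts}
    for acct in sorted(client_posted.keys() - known):
        differences.append((acct, None, client_posted[acct]))
    return differences

# Constructed client data file: (account, month-end balance)
ACCOUNTS = [
    ("SA-001", Decimal("1200.00")),
    ("SA-002", Decimal("10000.00")),
    ("SA-003", Decimal("25000.00")),
    ("SA-004", Decimal("875.50")),
]
# Constructed client output. SA-002 reflects a systematic error at the tier
# boundary; SA-999 has no source record in the data file.
CLIENT_POSTED = {
    "SA-001": Decimal("2.00"),
    "SA-002": Decimal("16.67"),
    "SA-003": Decimal("62.50"),
    "SA-004": Decimal("1.46"),
    "SA-999": Decimal("5.00"),
}

if __name__ == "__main__":
    for row in parallel_simulation(ACCOUNTS, CLIENT_POSTED):
        print(row)
```

Because the client's error is programmed, it repeats for every account at the boundary, which is why reprocessing the full file is more informative than sampling a few transactions.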
AUDITING THROUGH THE COMPUTER USING TEST DATA,
PARALLEL SIMULATION, AND EMBEDDED AUDIT MODULE
APPROACHES CONT.
• Embedded Audit Module Approach
– Auditor inserts an audit module in the client’s application system to identify
specific types of transactions.
COMMON USE OF GENERALIZED AUDIT SOFTWARE:
