
TOPIC 8: AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT

Internal Control in an IT environment

1. General Controls – control policies and procedures that relate to the overall computer information system.
a. Organization Controls
Designed to define the strategic direction and establish an organizational framework over IT activities, including:
• Strategic information and technology plan
• Policies and procedures
• Segregation of incompatible functions
  • Between the IT department and user departments
  • Segregation of duties within the IT department
• Monitoring of IT activities performed by third-party consultants
b. Systems Development, Maintenance and Documentation Controls
• The user department must participate in the system design
• Written system specifications must be prepared and approved by management and the user department
• Both user and IT personnel must test new systems
• Management, user and IT personnel must approve new systems before implementation
• Control of all master and transaction files to avoid unauthorized changes
• All program changes should be approved
• Adequate documentation should be prepared to facilitate the use of programs
c. Access Controls
1) Physical access control
a) Limited physical access
b) Visitor entry log
2) Electronic access control
a) Requiring user identification (especially on online systems) and regular changes of passwords
b) Defining each user's data access privileges
c) Call back – the user dials up for access to the IT system; the system disconnects the call and then re-establishes the communication link by calling the user back once the user's identification has been verified
3) Hardware controls
a) Diagnostic routines – hardware or software supplied by manufacturers to check the internal operations and devices within the computer system
b) Boundary protection – to ensure the integrity of the memory allocated to a job currently running alongside other jobs in a multiprogramming environment
c) Periodic maintenance
4) Data transmission controls
a) Parity check – data are processed and transmitted by computers in arrays of bits. A redundant (parity) bit may be added to each array so that the receiver can verify the integrity of the information processed or transmitted
b) Data encryption – data are encoded so that unauthorized individuals who intercept the transmission cannot read the information
c) Message acknowledgement technique (e.g., echo check) – the receiving device sends a message that verifies the transmission back to the sending device
d) Private lines – using telephone lines owned or leased by the organization rather than the public network; these are considered more secure
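The parity check in 4)(a) above, as an added example (not part of the original notes): the sender appends one redundant bit to each 7-bit character so that the count of one bits is even, and the receiver recounts. The text "AUDIT", the 7-bit framing and the two corruptions are constructed for the example. It also shows the control's limit: an even number of flipped bits leaves the parity unchanged.

```python
# Added example (not from the original notes): even parity as a data transmission
# control. The sender appends one redundant bit per 7-bit character; the receiver
# recounts the ones. Framing and character set here are chosen for the example.

def add_parity(data: int) -> int:
    """Return the 7-bit value with an even-parity bit placed in bit 7."""
    if not 0 <= data < 128:
        raise ValueError("expects a 7-bit value")
    parity_bit = bin(data).count("1") & 1      # 1 when the data has an odd number of ones
    return data | (parity_bit << 7)

def parity_ok(frame: int) -> bool:
    """Receiver's check: a frame with an odd number of ones was altered in transit."""
    return bin(frame & 0xFF).count("1") % 2 == 0

def failed_frames(received: list[int]) -> list[int]:
    """Indices of the received frames that fail the parity check."""
    return [i for i, frame in enumerate(received) if not parity_ok(frame)]

def corrupt(frames: list[int], index: int, mask: int) -> list[int]:
    """Simulate line noise by flipping the bits in `mask` of one frame."""
    out = list(frames)
    out[index] ^= mask
    return out

# Constructed sample transmission: the text "AUDIT", framed by the sender.
SENT = [add_parity(ord(c)) for c in "AUDIT"]
ONE_BIT_ERROR = corrupt(SENT, 2, 0b0000_0100)    # a single flipped bit: detected
TWO_BIT_ERROR = corrupt(SENT, 3, 0b0001_1000)    # two flipped bits: parity unchanged, undetected
```

Parity is an error-detection control against accidental corruption only: anyone who deliberately alters the data can recompute the bit, so it gives no assurance about who sent the message or whether it was tampered with. That is the gap the encryption control in 4)(b) and, in practice, message authentication address.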

Other Access Controls

(a) Programming the operating system to generate a log of failed access attempts and to generate warnings for repeated access failures
(b) Programmers should not have access to input data or to application programs that are currently in use
(c) Computer operators should be restricted to the application programs currently being run
(d) Computer operators should have access only to the operations manual (instructions for running programs) and not to detailed program documentation.
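Control (a) above, as an added example (not part of the original notes): a log of failed access attempts and a warning when one user/source pair accumulates repeated failures inside a time window. The log format, host names, addresses and thresholds are constructed for the example; a real system's log layout will differ. The example also escalates when a success follows a streak of failures, since that is the case a password-guessing attacker actually produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an access log (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2024-03-04T08:00:01 host=erp01 user=jdoe src=10.0.5.22 result=OK
2024-03-04T08:02:10 host=erp01 user=admin src=203.0.113.9 result=FAIL
2024-03-04T08:02:14 host=erp01 user=admin src=203.0.113.9 result=FAIL
2024-03-04T08:02:19 host=erp01 user=admin src=203.0.113.9 result=FAIL
2024-03-04T08:02:25 host=erp01 user=admin src=203.0.113.9 result=FAIL
2024-03-04T08:02:31 host=erp01 user=admin src=203.0.113.9 result=FAIL
2024-03-04T08:02:40 host=erp01 user=admin src=203.0.113.9 result=OK
2024-03-04T08:30:00 host=erp01 user=msmith src=10.0.5.40 result=FAIL
2024-03-04T09:45:00 host=erp01 user=msmith src=10.0.5.40 result=FAIL
2024-03-04T09:45:20 host=erp01 user=msmith src=10.0.5.40 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_events(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped here."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def failed_access_log(events: list) -> list:
    """The 'computer log of failed access attempts': every FAIL event, in order."""
    return [ev for ev in events if ev["result"] == "FAIL"]

def repeated_failure_warnings(events: list, threshold: int = 5,
                              window: timedelta = timedelta(minutes=10)) -> list:
    """Warn once per (user, source) that reaches `threshold` failures inside `window`,
    and escalate when a success follows such a streak (a possibly guessed password)."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still in window
    alerted = set()
    warnings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:     # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                warnings.append(("WARNING", ev["ts"], key,
                                 f"{len(q)} failed logons within {window}"))
                alerted.add(key)
        else:
            if key in alerted:
                warnings.append(("CRITICAL", ev["ts"], key,
                                 f"successful logon after {len(q)} failures"))
            q.clear()                 # a success ends the streak
            alerted.discard(key)
    return warnings

def analyze(log_text: str, **kw):
    """Return (failed-attempt log, warnings) for a log text."""
    events = list(parse_events(log_text))
    return failed_access_log(events), repeated_failure_warnings(events, **kw)
```

On the sample, `admin` from 203.0.113.9 triggers a WARNING on the fifth failure and a CRITICAL on the success that follows, while `msmith`'s two failures fall outside the window and produce nothing. The threshold and window are tuning decisions for the entity; the auditor's interest is that the log exists, is reviewed, and that the warnings are acted upon.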
d. Data and Procedural Controls
1) Data control group – receives all data for processing, ensures complete recording, follows up errors, determines that data are corrected and resubmitted by the user department, and verifies output distribution
2) Processing Controls
a) Written manual of systems and procedures for all computer operations
b) Back-up and recovery
i. Grandfather-father-son principle of retention – a back-up system employed in batch processing that enables reproduction of destroyed or lost master files from multiple (three) generations of master files
ii. Snapshots – a daily copy of the data files is taken and retained until the weekly copy is prepared; weekly copies are in turn retained until the annual copy is created
c) Contingency processing
i. Reciprocal agreement/mutual aid pact
ii. Internal site
iii. Hot site – back-up center already installed with equipment
iv. Cold site – back-up center ready for equipment to be brought in
d) File protection rings – writing to a magnetic tape is possible only when the ring is mounted on the reel. This guards against operator error, i.e., accidentally writing over tapes containing critical information.
e) Internal and external labels – identify files so that the wrong file is not processed or overwritten
e. Monitoring controls
• Monitoring of key IT performance indicators
• Internal/external IT audits

2. IT Application Controls – control policies and procedures that relate to specific use of the system in order to
provide reasonable assurance that all transactions are authorized, recorded, and are processed completely,
accurately and on a timely basis.
1) Controls over inputs
a) Limit test – test of the reasonableness of a field of data using predetermined upper and lower limits
b) Validity test – a comparison of data against a master file or table for accuracy
c) Self-checking digit – a redundant digit computed from the other digits of an identifier, permitting an accuracy check
d) Completeness check – processing will not continue unless all required data are supplied
e) Control total – the total of one field of information for all items in a batch, compared with a total computed independently
• Item (record) count – a count of the number of items or transactions being input in a given batch
• Financial total – the total of the amounts of all items in a batch
• Hash total – a total of one field of information for all items in a batch that has no intrinsic meaning (e.g., the sum of account numbers)
f) Menu-driven input – a set of menus or questions and answers that guides the user through completing all the required data
g) Field check – ensures that the proper type of character (e.g., numeric) is supplied in a given field
h) Field size check – ensures that the data supplied are within the number of digits or characters required for the field.
i) Logic tests – reject encoded data that are illogical or inconsistent with other data entered
2) Controls over processing
3) Controls over output
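The input controls listed under 1) above, as an added example (not part of the original notes): a batch edit routine that applies the completeness, field, field size, self-checking digit, validity, limit and logic tests to each record, then recomputes the record count, financial total and hash total for comparison with the batch header. The master file, limits, the eight-digit employee number, the mod-10 (Luhn) check-digit scheme and the five records with planted keying errors are all constructed for the example.

```python
from datetime import date

# Constructed master file and limit (hypothetical values for the example).
VALID_ACCOUNTS = {"1001", "1002", "2001", "4001"}
AMOUNT_LIMIT = 50_000.00
EMP_ID_LEN = 8

def check_digit_ok(number: str) -> bool:
    """Self-checking digit using the mod-10 (Luhn) scheme: the last digit is
    redundant and is verified against the others."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def validate_record(rec: dict) -> list[str]:
    """Apply the input controls to one transaction; return the exceptions found."""
    errors = []
    for f in ("emp_id", "account", "amount", "date", "due_date"):   # completeness check
        if not rec.get(f):
            errors.append(f"completeness: {f} missing")
    if errors:
        return errors
    emp = rec["emp_id"]
    if not emp.isdigit():                                   # field check
        errors.append("field: emp_id must be numeric")
    elif len(emp) != EMP_ID_LEN:                            # field size check
        errors.append(f"field size: emp_id must be {EMP_ID_LEN} digits")
    elif not check_digit_ok(emp):                           # self-checking digit
        errors.append("check digit: emp_id failed mod-10 check")
    if rec["account"] not in VALID_ACCOUNTS:                # validity test
        errors.append("validity: account not on master file")
    try:
        amount = float(rec["amount"])
    except ValueError:
        errors.append("field: amount not numeric")
    else:
        if not 0 < amount <= AMOUNT_LIMIT:                  # limit test
            errors.append(f"limit: amount outside 0..{AMOUNT_LIMIT:.2f}")
    try:
        d, due = date.fromisoformat(rec["date"]), date.fromisoformat(rec["due_date"])
    except ValueError:
        errors.append("field: dates must be YYYY-MM-DD")
    else:
        if due < d:                                         # logic test
            errors.append("logic: due_date precedes transaction date")
    return errors

def control_totals(records: list[dict]) -> dict:
    """Batch totals recomputed by the system for comparison with the batch header.
    The hash total (sum of account numbers) means nothing as a figure, but a
    transposed or dropped account number changes it."""
    amounts = [float(r["amount"]) for r in records if r.get("amount")]
    return {
        "record_count": len(records),
        "financial_total": round(sum(amounts), 2),
        "hash_total": sum(int(r["account"]) for r in records if r.get("account", "").isdigit()),
    }

def process_batch(header: dict, records: list[dict]):
    """Return (exceptions by record index, names of control totals that disagree)."""
    exceptions = {i: errs for i, r in enumerate(records) if (errs := validate_record(r))}
    totals = control_totals(records)
    mismatches = [k for k in header if totals[k] != header[k]]
    return exceptions, mismatches

# Constructed batch: one clean record and four with planted keying errors.
BATCH = [
    {"emp_id": "12345674", "account": "1001", "amount": "1250.00", "date": "2024-03-04", "due_date": "2024-03-31"},
    {"emp_id": "10000017", "account": "1002", "amount": "300.00", "date": "2024-03-04", "due_date": "2024-03-31"},
    {"emp_id": "10000016", "account": "9999", "amount": "75000.00", "date": "2024-03-04", "due_date": "2024-03-31"},
    {"emp_id": "10000016", "account": "2001", "amount": "", "date": "2024-03-04", "due_date": "2024-03-31"},
    {"emp_id": "12345674", "account": "4001", "amount": "5000.00", "date": "2024-03-04", "due_date": "2024-02-28"},
]
# Header totals prepared by the user department from the source documents
# (intended amounts 1250 + 300 + 75000 + 200 + 500; the last was keyed as 5000).
HEADER = {"record_count": 5, "financial_total": 77250.00, "hash_total": 18004}
```

Running `process_batch(HEADER, BATCH)` rejects records 1 to 4 (bad check digit; invalid account and amount over limit; missing amount; due date before transaction date) and reports that only the financial total disagrees with the header, which is how the 500-to-5000 keying error on an otherwise valid record is caught. The check digit catches a single mis-keyed digit in an identifier that no master-file lookup would see if the wrong number happened to exist.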

Auditing in an IT Environment

1. The overall objective and scope of an audit, including the auditor's responsibilities, do not change in an IT environment.
2. An IT environment may affect:
a. The auditor's consideration of internal control, which includes an assessment of computerized as well as manual controls
b. The auditor's assessment of control risk
c. The procedures to be performed in considering internal control and performing substantive tests

A. Risk Assessment Procedures

1. The auditor should obtain an understanding of the significance and complexity of the IT environment to be able to design further audit procedures.
2. When obtaining an understanding of the significance and complexity of the IT environment, the auditor may use automated tools and techniques.
3. The auditor shall obtain an understanding of the risks arising from the use of IT and of the general IT controls the entity has implemented to address them.
4. The auditor shall also consider the risks arising from the use of IT when identifying and assessing risks of material misstatement (examples follow).

Specific examples of risks arising from the use of IT

• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties
• Unauthorized changes to data in master files
• Unauthorized changes to IT applications or other aspects of the IT environment
• Failure to make necessary changes to IT applications or other aspects of the IT environment
• Inappropriate manual intervention
• Potential loss of data or inability to access data as required

IT Characteristics and Considerations

1) Organizational structure
a. Concentration of functions and knowledge
b. Concentration of programs and data
2) Nature of processing
a. Lack of visible transaction trails
b. Ease of access to data and computer programs
3) Design and procedural aspects
a. Consistency of performance
b. System-generated transactions
c. Programmed control procedures
d. Single-transaction update of multiple files or database files

B. Test of Controls

It is more efficient to review the design of general controls before reviewing the application controls.

Black Box Approach (Auditing around the computer)

• It involves procedures generally performed in testing a manual control structure
• Focuses solely on the input documents and the IT output
• The auditor ignores the client's data processing procedures

White Box Approach

a) Auditing with the computer – the auditor uses the computer as an audit tool
b) Auditing through the computer – the auditor enters the client's system and directly examines the computer, its system software and its application software using CAATs

Computer-Assisted Auditing Techniques (CAATs) for Test of Controls

1) Factors to consider
a) Degree of technical competence in IT
b) Availability of CAATs and appropriate computer facilities
c) Impracticability of manual tests
d) Effectiveness and efficiency
e) Timing of tests
2) Tests of controls using CAATs may be divided into the following categories of techniques:
a) Program analysis
b) Program testing
c) Continuous testing
d) Review of operating systems

(A) Program Analysis

1. These techniques allow the auditor to gain an understanding of the client's programs
a. Code review – actual analysis of the logic of the program's processing routines
b. Comparison programs – allow the auditor to compare computerized files (e.g., the production copy of a program with an authorized copy)
c. Flowcharting software – used to produce a flowchart of a program's logic; may be used in both mainframe and microcomputer environments
d. Program tracing and mapping – program tracing is a technique in which each instruction executed is listed along with control information affecting the instruction. Program mapping identifies sections of code that can be "entered" and thus are executable. These techniques allow the auditor to recognize the logic sequence or dormant sections of code that may be a potential source of abuse.
e. Snapshot – this technique in essence "takes a picture" of the status of program execution, intermediate results, or transaction data at specified processing points in the program.

(B) Program Testing

2. Program testing involves the use of auditor-controlled actual or simulated data. The approach provides direct evidence about the operation of programs and programmed controls.
a. Test Data
• A set of dummy transactions is developed by the auditor and processed by the client's computer programs to determine whether the controls which the auditor intends to test are operating effectively.
• Test data shift control over the processing to the auditor by utilizing the client's software to process both valid and invalid transactions
• If the embedded controls are functioning effectively, the client's software should detect all the exceptions planted in the auditor's test data.
• When this technique is used, the auditor should run the test data on a surprise basis and ensure the dummy transactions are removed from the client's files afterwards.
b. Integrated Test Facility (ITF) or Integrated Test Data or Minicompany Approach
• This method introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design
• Integrates fictitious and actual data without management's knowledge, allowing the auditor to compare the client's output with the results expected by the auditor.
• One way to accomplish this is to incorporate a simulated division or subsidiary (the "minicompany") into the accounting system with the sole purpose of running test data through it.
c. Base Case System Evaluation (BCSE)
• A special type of test data
• Can provide an auditor with much more assurance than test data alone
• Develops test data that purport to test every possible condition that an auditor expects a client's software will confront
• Time-consuming and expensive to develop, and therefore cost-effective only in large computer systems for which the auditor can rely on internal auditors to develop the base case.
d. Parallel Simulation
• Shifts control over the processing software to the auditor
• This technique processes actual client data through the auditor's generalized audit software program and frequently, although not necessarily, on the auditor's computer.
• After processing the data, the auditor compares the output with that obtained from the client's processing.
• If the client's software is operating effectively, it should generate the same results and the same exceptions as the auditor's software.
• Should be performed on a surprise basis, if possible

Limitations:

• The time it takes to build an exact duplicate of the client's program
• Incompatibility between the auditor's and the client's software
• Tracing differences between the two sets of outputs to differences in the programs may be difficult
• The time involved in processing large quantities of data
e. Controlled Reprocessing
• A variation of parallel simulation. Instead of using a generalized audit software program to process actual client data, the auditor uses a copy of the client's application program that is kept under the auditor's control.

(C) Continuous/Concurrent Testing

3. Advanced computer systems, particularly those using EDI (electronic data interchange), sometimes do not retain permanent audit trails, thus requiring capture of audit data as transactions are processed. Such systems may require audit procedures that are able to identify and capture data as transactions occur.
a. Embedded Audit Module
• Programmed routines incorporated into an application program that are designed to perform an audit function such as a calculation or the logging of activity
• Used to select client data for subsequent testing and analysis
b. System Control Audit Review File (SCARF)
• A log, usually created by an embedded audit module, used to collect information for subsequent review and analysis
• The auditor determines the appropriate criteria and the SCARF collects the transactions that meet them.
c. Audit Hooks
• An audit hook is an exit point in an application program that allows an auditor to subsequently add an audit module by activating the hook to transfer control to the audit module.
• Auditors sometimes use audit hooks to accomplish transaction tagging
d. Transaction Tagging
e. Extended Records
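Items a. to d. above together, as an added example that is not part of the original notes: a constructed client posting routine carries an audit hook (an exit point); the auditor installs an embedded audit module on it; the module applies auditor-defined criteria, tags the matching transactions as they flow through, and writes them to a SCARF for later review. The transaction layout, criteria and sample data are all constructed for the example.

```python
# Added example (not from the original notes): an audit hook in a constructed
# client application, an embedded audit module installed on that hook, and the
# SCARF it writes. Criteria, transaction layout and names are chosen for the example.
from dataclasses import dataclass, field

@dataclass
class Txn:
    id: str
    account: str
    amount: float
    user: str
    tags: list = field(default_factory=list)   # filled in by transaction tagging

# --- client application: the hook is an exit point left in the posting routine ---
AUDIT_HOOKS: list = []       # the auditor activates the hook by installing a module here

def post_transaction(txn: Txn, ledger: dict) -> None:
    ledger[txn.account] = round(ledger.get(txn.account, 0.0) + txn.amount, 2)
    for module in AUDIT_HOOKS:          # control passes to the audit module(s) here
        module(txn)

# --- auditor's embedded audit module and its SCARF ---
class Scarf:
    """Collects transactions meeting auditor-defined criteria as they are processed."""
    def __init__(self, criteria: dict):
        self.criteria = criteria        # name -> predicate chosen by the auditor
        self.records: list = []
    def __call__(self, txn: Txn) -> None:
        hits = [name for name, test in self.criteria.items() if test(txn)]
        if hits:
            txn.tags.extend(hits)       # transaction tagging: mark it as it flows through
            self.records.append({"id": txn.id, "user": txn.user,
                                 "amount": txn.amount, "criteria": hits})

def run_with_audit(txns: list, criteria: dict):
    """Install the module, process the batch, remove the module; return ledger and SCARF."""
    scarf = Scarf(criteria)
    AUDIT_HOOKS.append(scarf)
    ledger: dict = {}
    try:
        for t in txns:
            post_transaction(t, ledger)
    finally:
        AUDIT_HOOKS.remove(scarf)
    return ledger, scarf.records

# Auditor's selection criteria for this example.
CRITERIA = {
    "large_amount": lambda t: abs(t.amount) >= 10_000,
    "posted_by_it_staff": lambda t: t.user.startswith("it_"),   # segregation-of-duties concern
    "round_thousands": lambda t: t.amount != 0 and t.amount % 1000 == 0,
}
# Constructed live transactions.
LIVE = [
    Txn("T1", "4001", 250.75, "clerk1"),
    Txn("T2", "4001", 12000.00, "clerk2"),
    Txn("T3", "2001", 5000.00, "it_ops"),
    Txn("T4", "1001", -99.00, "clerk1"),
]
```

The SCARF keeps only the transactions that met a criterion, with the criteria they met, so the auditor can review a small file after the fact even though the application itself retains no trail. The module runs inside the client's processing, so its own integrity matters: who can install or change a hook, and whether the SCARF can be altered before review, are themselves general controls the auditor has to test.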
(D) Review of Operating Systems and Other System Software
4. System software may perform controls for computer systems. Related audit techniques range from user-written programs to the use of purchased operating-system monitoring software.
