AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT

INFORMATION TECHNOLOGY (IT) ENVIRONMENT
- it exists when a computer is involved in processing financial information (whether operated by the entity or by a third party)
- = "Electronic Data Processing (EDP) environment" and "Computer Information Systems (CIS) environment"

Components:
- IT infrastructure - network, operating system, and databases, and related hardware and software
- IT applications - used in initiation, processing, recording, and reporting of transactions or information
    - include data warehouse and report writers
    - Small and medium-sized business (ex. Quickbooks, Xero) -> payroll, invoicing, bills payments, basic financial reporting system
    - Enterprise (ex. Economic Resource Planning (ERP) System) -> risk management, procurement, inventory management, supply chain management
    - Cloud or online (ex. Oracle, SAP S/4HANA)
- IT processes - to manage access to the IT environment, manage program changes or changes to the IT environment, and manage IT operations
    - General controls
    - Application controls

IT INFRASTRUCTURE COMPONENTS:
- Database system - enables data synchronization by maintaining one copy of important records locked in an organized file system while it is shared by various users without the necessity of maintaining a copy of the file for themselves
    - eliminates data redundancy
    - current systems entrust the responsibility of database maintenance and control over a database administrator
- Operating system - group of computer programs that monitor and control all the input, output, processing and storage devices and operations of a computer
    - controls the functioning of the CPU and other peripheral equipment
    - e.g. DOS, Windows, Linux, Mac, Android
- Network - interconnected computers and terminals
    - allows users to share computer equipment, application software, data, and voice and video transmissions
    - Types, classified by area:
        - Local Area Network (LAN) - building
        - Metropolitan Area Network (MAN) - city/municipality
        - National Area Network (NAN) - country
        - Wide Area Network (WAN) - wider than NAN; continent
        - Internet - entire globe
    - Network-related terms:
        - Distributed data processing - sharing of information and programs by large numbers of users
            - intracompany (within the organization)
        - Electronic data interchange - use of telecommunication links to exchange business data
            - intercompany
- Computer (hardware and software)
    - Hardware - physical devices/equipment used to accomplish data processing functions
        - Central Processing Unit
            - Control unit
            - Storage unit
            - Arithmetic and Logic Unit (ALU)
        - Input devices
            a) Keying data
                - keyboard
            b) Online entry
                - touch-sensitive screens
                - mouse, joysticks, light pens
                - visual display terminals
                - input interface
                    - graphical interface
                    - command line interface - text-type commands
            c) Turnaround documents
                - utility bills
            d) Automated source data
                - Magnetic tape reader
                - Automated Teller Machine
                - Magnetic ink character reader
                - Point-of-Sale recorders
                - Optical character recognition
                - Voice recognition
                - Cathode Ray Tube
            e) Electronic commerce and electronic data interchange
                - business to consumer (ex. Amazon)
                - consumer to consumer (ex. e-bay - 2nd hand)
                - business to business (ex. wholesaler to retailer, producer to wholesaler and/or retailer)
        - Output devices
            - monitors and printers
            - Plotter
            - Computer Output to Microfilm / Microfiche
        - Data storage
            - Magnetic tape
            - Disks - two types of access
                - random access
                - sequential access
            - Redundant array of independent disks (RAID)
            - Compact, floppy, and zip disks
            - Optical disks
    - Software - set of instructions (program) that direct, control and coordinate the operation of the hardware components
        - Systems
        - Compiler
        - Interpreter
        - Virtual memory
        - Communication
        - Applications
        - Database Management System (DBMS)
        - Source and object program

INTERNAL CONTROL IN AN IT ENVIRONMENT
The entity's use of the IT environment may give rise to risks arising from the use of IT (RAIT).
RAIT - susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information in the entity's information system, due to ineffective design or operation of controls in the entity's IT processes

IT CONTROLS

General controls

IT entity-wide (entity-level IT controls)
- embedded in its control environment
- designed to reduce IT risk to an acceptably low level
- designed to define the strategic direction and establish an organizational framework for IT activities, including: (S²PARTA)
    - Strategies and plans
    - Segregation of incompatible duties
    - Policies and procedures
    - Quality assurance
    - Risk assessment activities
    - Training
    - Internal audit and monitoring

General controls
- controls over the entity's IT processes that support the continuous and proper operation of the IT environment, including the continued effective functioning of information processing controls and integrity of information in the entity's information system
- these include: (COA)
    - Controls over IT changes
    - IT operations controls
    - Access controls

IT ROLES AND RESPONSIBILITIES WITHIN AN INFORMATION SYSTEM DEPARTMENT
1) Information System Management (Chief Information Officer)
2) System Analysis
3) Application Programming
4) Database Administration
5) Data Entry
6) Computer Operation
7) Program and File Library
8) Data Control
9) Telecommunication
10) Systems Programming
11) Quality Assurance

SEGREGATION OF DUTIES
[Organizational chart. Boxes: User department; IT Department; System development; Database administration; Information security; Computer operations; Development of new applications; Maintenance of existing applications]

AUDIT PROCEDURES
- Inspection
    - information security policy and procedures
    - IT policies and procedures document
    - IT function organizational chart
    - sample of application development documentation and maintenance records to identify segregation of duties
    - security access to ensure that original application design programmers do not have access to code for maintenance
- Inquiry - of key IT personnel for segregation of duties
- Observation - of personnel for segregation of duties

SYSTEM DEVELOPMENT, MAINTENANCE AND DOCUMENTATION CONTROLS
- User department must participate in system design
- Written system specification must be required and approved by management and user department
- Both user and IT personnel must test new systems
- Management, user and IT personnel must approve new system before implementation
- Control of all master and transaction files to avoid unauthorized changes
- All program changes should be approved
- Adequate documentation should be made to facilitate the use of programs

ACCESS CONTROLS
- provide reasonable assurance that access to equipment, files, and programs is limited only to authorized personnel
- (EPHD)
    - Electronic access control
    - Physical access control
    - Hardware control
    - Data transmission control

OTHER ACCESS CONTROLS
- Programming the operating system to generate a computer log of failed access attempts and generate warnings for repeated access failures
- Programmers should not have access to input data or application programs that are currently used
- Computer operators should be restricted only to the application programs currently being used
- Computer operators should be limited access only to operations manual (instruction for processing programs) and not detailed program documentation

DATA AND PROCEDURAL CONTROLS
- Receives all data for processing, ensures complete recording, follows up errors, determines that data are corrected and resubmitted by user departments, and verifies output distribution
- Processing controls
    - written manual of systems and procedures for all computer operations
    - Back-up and recovery
        1) Grandfather-father-son principle on file retention
        2) [illegible]
        3) Reciprocal agreement or mutual aid pact
        4) Internal site
        5) Hot site
        6) Cold site
- File protection rings
- Internal and external labels

MONITORING OF CONTROLS
- designed to ensure that IT controls are working effectively
- may include
    - Monitoring of key IT performance indicators
    - Internal/external IT audits

Application controls
- form part of the business process applications that help the entity achieve its financial reporting objectives as to the completeness, accuracy, existence/authorization, and presentation
- activity level
- may include
    a) Controls over input
        - key verification
        - menu driven input
        - limit test
        - field check
        - validity test
        - field size check
        - self-checking digit
        - logic tests
        - completeness check
        - control total (item/record count, financial total, hash total)

AUDITING IN AN IT ENVIRONMENT
- Overall objective and scope of an audit does not differ whether an entity operates in a mainly manual environment and/or an environment with automated elements
- An IT environment may affect:
    - Auditor's consideration of internal controls
    - Auditor's assessment of control risk
    - Procedures to be performed

RISK ASSESSMENT PROCEDURES
- Obtain understanding of the IT environment including entity-level IT controls
- Identify relevant IT applications and other aspects of the IT environment
- Identify risks arising from the use of IT (RAIT)
- Identify general controls
- Evaluate the design and implementation of [illegible] controls

IT CHARACTERISTICS AND CONSIDERATIONS
- Organizational structure
    - concentration of functions and knowledge
    - concentration of programs and data
- Nature of processing
    - Lack of visible transaction trails
    - Ease of access to data and computer programs
- Design and procedural aspects
    - Consistency of performance
    - System generated transactions
    - Programmed control procedures
    - Single transaction update of multiple or database computer files

TEST OF CONTROLS
- Effectiveness of application controls is greatly affected by the effectiveness of general controls
- Application controls which the auditor may wish to test include manual controls exercised by the user, controls over system output, and programmed control procedures

AUDIT APPROACHES
- Auditor's tests of controls vary depending on whether audit evidence generated by the computer is:
    1) External to the computer and therefore directly observable (Black-box)
    2) Internal to the computer and therefore not directly observable (White-box)
- Auditing around the computer
- Auditing through the computer
- Auditing with the computer

Consideration of computer: The full potential of computers as an audit tool is not utilized | Computers are considered essential tools that aid in the execution of audit procedures
Focus area: Input and output of controls | Input and processing of controls
Use of CAATs: Not applicable | Applicable
Knowledge required: No specific expertise | Knowledge and skills in the software, programs and techniques used

COMPUTER-ASSISTED AUDITING TECHNIQUES (CAATs)
- Factors considered in using CAATs:
    - Degree of technical competence in IT
    - Availability of CAATs and appropriate computer facilities
    - Impracticability of manual tests
    - Effectiveness and efficiency
    - Timing of tests

CATEGORIES OF TECHNIQUES
- Program analysis
- Program testing
- Continuous testing
- Review of operating systems

[Diagram: techniques grouped under Test Data and Actual Data, including Simulation and Reprocessing. Each branch shows who runs it (client personnel or auditor), the data used (test data or live data), the system used (client's system), and the comparison made (output vs. output, or output vs. predetermined output/result).]
