Information Technology Auditing
A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy
To err is human, but to really foul things up you need a computer.
Attributed to Paul R. Ehrlich, American biologist, author, and technology commentator
H-1
©McGraw-Hill Education
1
Module H Learning Objectives
Identify how the use of an automated transaction processing system affects the audit examination.
Understand the steps that are taken to determine whether an audit team can rely on IT controls.
Provide examples of general controls and understand how these controls relate to transaction processing in an accounting information system.
Provide examples of automated application controls and understand how these controls relate to transaction processing in an accounting information system.
Describe how the audit team assesses control risk in an IT environment.
Illustration of Automated Processing of Sales Transactions
Issues Introduced In IT Environments
Input errors
Systematic vs. random processing errors
Lack of an audit trail
Inappropriate access to computer files and programs
Reduced human involvement in processing transactions
Reliance on IT Controls
Three major phases to determine reliability of controls
Determining the scope of the IT testing plan by carefully identifying each of the IT dependencies
Understanding the IT controls and processes that need to be tested for each IT dependency
Testing the IT controls
Types of IT Control Activities
General Controls
Apply to all applications of an automated accounting information system
Seen as pervasive across the entire technological infrastructure at an audit client
Automated Application Controls
Applied to specific business activities within an accounting information system
Address relevant assertions about significant accounts in the financial statements
Categories of General Controls
Access to programs and data controls
Program change controls
Computer operations controls
Program development controls
Access to Programs and Data Controls
Provide reasonable assurance that access to programs and data is granted only to authorized users
Examples
Passwords
Automatic terminal logoff
Review access rights and compare to usage (through logs)
Report and communicate security breaches
Timeline of the massive Equifax breach
Program Change Controls
Implemented by the entity to provide reasonable assurance that requests for modifications to existing programs
Are properly authorized and conducted in accordance with policies
Involve appropriate users in the process
Are tested and validated prior to use
Have appropriate documentation
Two additional controls: related to “emergency” change requests and the migration of new programs into operations
Computer Operations Controls
Concerned with providing reasonable assurance that
The processing of transactions is in accordance with the entity’s objectives
Processing failures are resolved on a timely basis
Actions are taken to facilitate the backup and recovery of important data
Examples of Computer Operations Controls
Important roles in an IT environment
Systems analysts, programmers, computer operators, data conversion operators, librarians, control group
Important general control: separation of the duties performed by the
Systems analysts
Programmers
Computer operators
Computer Operations Controls: Files and Data
Three major objectives for files and data used in processing
The files used in automated processing are appropriate
The files are appropriately secured and protected from loss
Files can be reconstructed from earlier versions of information used in processing
Program Development Controls
Provide reasonable assurance that
Acquisition and development of new programs is properly authorized and conducted in accordance with policies
Appropriate users participate in process
Programs and software are tested and validated prior to use
Programs and software have appropriate documentation
Testing General IT Controls
General Controls and Assertions
General Controls: Category, Examples, and Objectives
Automated Application Controls
Controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement
Specific to each cycle (revenue and collection, acquisition and expenditure)
Organized into 3 Categories
Input controls
Processing controls
Output controls
Input Controls
Designed to provide reasonable assurance that data received for processing by the computer department have been
Properly authorized
Accurately entered or converted for processing
Processing Controls
Provide reasonable assurance that
Data processing has been performed accurately without any omission or duplicate processing of transactions
Examples
Test processing accuracy of programs
File and operator controls
Run-to-run totals
Control total reports
Limit and reasonableness tests
Error correction and resubmission procedures
Output Controls
Provide reasonable assurance that
Output reflects accurate processing
Only authorized persons receive output or have access to files generated from processing
Examples
Review of output for reasonableness
Control total reports
Master file changes
Output distribution limited to appropriate person(s)
Automated Application Controls
Assessing Control Risk in an IT Environment
Identify specific types of misstatement that could occur
Identify points in the flow of transactions where misstatements could occur
Identify control procedures designed to prevent or detect misstatements
General controls and automated application controls
Evaluate design of control procedures
Are tests of controls cost-effective?
Does the design suggest a low control risk?
Points of Potential Misstatement in an IT Environment
Examples of Controls to Mitigate Risk of Material Misstatement
Testing Controls in an IT Environment
Testing controls
Inquiry
Observation
Inspection of documentation
Reperformance
Characteristics auditors must consider when evaluating
Possibility of temporary transaction trails
Uniform processing of transactions
Potential for errors and frauds
Potential for increased management supervision
Initiation or subsequent execution of transactions by computer
Use of cloud computing applications
Methods of Testing General Controls
Methods of Testing Automated Application Controls
Test Data Approach
Test data: Simulated transactions containing known errors to test the client’s controls
The Test of One
Only one type of each kind of transaction error needs to be tested
Because a client’s IT system processes transactions in the same manner every time, once the audit team is satisfied based on testing performed that an automated internal control activity operates effectively, there is no need to test the control activity again
[Diagram: auditors' manual processing of the test data and the client system's processing of the same data, with the two results compared]
Test Data Approach – Test of One
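A small model of the input and processing controls listed earlier (authorization check, limit and reasonableness tests, duplicate detection, control totals reconciled to a batch header, run-to-run total, and an error file for correction and resubmission), exercised with the test data approach and the test of one: one simulated transaction per error kind, with the auditor's predetermined result compared to the system's output. This is an added example, not code from the textbook; the credit limit, clerk list, record layout and amounts are constructed.

```python
CREDIT_LIMIT = 10_000.00                    # assumed limit for the reasonableness test
AUTHORIZED_CLERKS = {"clerk01", "clerk02"}  # constructed list of authorized data-entry users


def input_controls(txn):
    """Input controls on a (txn_id, amount, entered_by) record; returns the exceptions found."""
    _, amount, entered_by = txn
    errors = []
    if entered_by not in AUTHORIZED_CLERKS:
        errors.append("unauthorized user")
    if amount <= 0:
        errors.append("non-positive amount")
    elif amount > CREDIT_LIMIT:
        errors.append("exceeds limit")
    return errors


def process_batch(batch, header, opening_balance):
    """Processing controls: duplicate check, control totals vs. batch header, run-to-run total, error file."""
    posted, error_file, seen = [], [], set()
    for txn in batch:
        txn_id, amount, _ = txn
        errors = input_controls(txn)
        if txn_id in seen:
            errors.append("duplicate transaction")
        seen.add(txn_id)
        if errors:
            error_file.append((txn_id, errors))   # held for correction and resubmission
        else:
            posted.append(amount)
    posted_amount = round(sum(posted), 2)
    # Control total report: input record count and amount must agree with the batch header
    reconciles = (len(batch), round(sum(t[1] for t in batch), 2)) == (header["count"], header["amount"])
    return {"posted": len(posted), "posted_amount": posted_amount,
            "run_to_run": round(opening_balance + posted_amount, 2),
            "reconciles": reconciles, "error_file": error_file}


def test_data_approach():
    """Test of one: one simulated transaction per error kind, auditor's expected result vs. system output."""
    test_data = [
        (1, 500.00, "clerk01"),     # clean, should post
        (2, 25_000.00, "clerk01"),  # known error: exceeds limit
        (3, 100.00, "intern9"),     # known error: not an authorized user
        (1, 500.00, "clerk01"),     # known error: duplicate of txn 1
        (4, -50.00, "clerk02"),     # known error: negative amount
    ]
    header = {"count": 5, "amount": 26_050.00}  # batch header totals prepared for the test data
    expected = {"posted": 1, "posted_amount": 500.00, "run_to_run": 1_500.00, "reconciles": True,
                "error_file": [(2, ["exceeds limit"]), (3, ["unauthorized user"]),
                               (1, ["duplicate transaction"]), (4, ["non-positive amount"])]}
    return process_batch(test_data, header, opening_balance=1_000.00) == expected
```

If the comparison returns false, the control activity did not behave as the auditor determined manually, and the test data approach has surfaced a control deficiency to follow up.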
End-User Computing and other Environments
Control issues
Lack of separation of duties
Lack of physical security
Lack of program documentation and testing
Limited computer knowledge of personnel
End-User Computing Control Considerations
Computer Operations Controls
Data Entry Controls
restricted access, standard screens and computer prompting, online editing and sight verification
Processing Controls
transaction logs, control totals, data comparisons, audit trail
System Development and Modification Controls
End-User Computing in Service Organizations
Service Organizations
Limit concentration of functions and increase supervision
Access to program and data controls are critical
Computer Abuse and Computer Fraud
The use of computer technology by a perpetrator to achieve gains at the expense of a victim
Controls
Preventative: Stop fraud from entering system
Detective: Identify fraud when it enters system
Damage-limiting: Designed to limit the damage if a fraud does occur
Levels of Controls
Administrative controls
Physical controls
Technical controls
Protecting the Computer from Fraud (Selected Controls)