Security
Verification of processing
Personnel
Certain controls should be maintained at both the user and the service bureau locations
Contract
Processing verification
Backup and recovery
Time sharing systems
The auditor's responsibilities with respect to internal control over EDP systems remain
the same as with manual systems, that is, to obtain an understanding adequate:
To aid planning the remainder of the audit
To assess control risk
Internal controls over EDP activities often are classified as:
General controls
Application controls
General controls relate to all EDP applications and include such considerations as:
The organization of the EDP department
Procedures for documenting, testing and approving the original system and any
subsequent changes
Controls built into the hardware
Security of files and equipment
General controls - are controls that affect multiple application systems.
Five categories of general controls are presented in the AICPA audit guide:
Organization and operations control
Systems development and documentation controls
Hardware and systems software controls
Access controls
Data and procedural controls
Controls in organization and operations controls
Segregate functions between the EDP department and user departments
Do not allow the EDP department to initiate or authorize transactions
Segregate functions within the EDP department
Systems analyst - responsible for analyzing the present user environment and requirements, and for:
Recommending the specific changes which can be made
Recommending the purchase of a new system
Designing a new EDP system
System flowchart – is one tool used by the analyst to define the system requirement.
Application programmer - is responsible for writing, testing and debugging the
application programs from the specifications.
Program flowchart- is one tool used by the application programmer to define the program
logic.
Systems programmer - is responsible for implementing, modifying, and debugging the
software necessary for making the hardware work.
Operator- is responsible for the daily computer operations of both the hardware and
software.
Data librarian- is responsible for the custody of the removable media and for the
maintenance of program and system documentation.
Quality assurance- is a relatively new function established primarily to ensure that new
systems under development and old systems being changed are adequately controlled.
Control group- acts as a liaison between users and processing center and records the input
data in a control log.
Data security - is responsible for maintaining the integrity of the on-line access control
security software.
Database administrator - is responsible for maintaining the database and restricting access to
the database to authorized personnel.
Network technician - is fast becoming the most powerful position in an MIS environment.
Controls in systems development and documentation controls
User departments must participate in system design.
Both users and EDP personnel must test new systems.
Proper documentation standards should exist to assure continuity of the system.
Design methodology - all new systems being developed should flow through a
documented process that has specific control points.
Change control process - for changes to a system that is presently operating, a formal change
process should exist that requires formal approval before any change is implemented.
Controls in hardware and system software controls
The auditor should be aware of control features inherent in the computer hardware,
operating system and other supporting software.
System software should be subjected to the same control procedures as those applied
to installation of and changes to application programs.
Parity check- a special bit is added to each character stored in memory that can detect if
the hardware loses a bit.
Echo check- primarily used in telecommunications transmissions.
Diagnostic routines- hardware or software supplied by the manufacturer to check the
internal operation and devices within the computer system.
Boundary protection - ensures that simultaneously running jobs cannot destroy or change the
memory allocated to another job.
Periodic maintenance – the system should be examined periodically by a qualified service
technician.
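The parity check described above can be shown in a few lines. The following is an added example, not code from the original notes: it models a 9-bit memory word (8 data bits plus an even-parity bit), checks a word the way the hardware would, and shows the control's limit: a single lost or flipped bit is detected, but two flipped bits in the same word cancel out and pass the check. The bit layout and function names are assumptions for the illustration.

```python
# Added example: even parity on stored bytes (not from the original notes).
# Layout assumed here: bits 0-7 hold the character, bit 8 holds the parity bit.


def parity_bit(byte: int) -> int:
    """Even parity: 1 if the eight data bits hold an odd number of ones, else 0."""
    return bin(byte & 0xFF).count("1") & 1


def store_byte(byte: int) -> int:
    """Return the 9-bit memory word written for one character: data plus parity."""
    return (parity_bit(byte) << 8) | (byte & 0xFF)


def parity_ok(word: int) -> bool:
    """The hardware check: recompute parity over the data bits and compare with bit 8."""
    return parity_bit(word & 0xFF) == (word >> 8) & 1


def flip_bits(word: int, *positions: int) -> int:
    """Simulate the hardware losing or flipping the given bit positions (0-8)."""
    for p in positions:
        word ^= 1 << p
    return word


def scan_memory(words) -> list:
    """Return the addresses whose stored word fails the parity check."""
    return [addr for addr, w in enumerate(words) if not parity_ok(w)]


if __name__ == "__main__":
    # Constructed sample memory of four stored characters.
    memory = [store_byte(b) for b in (0x41, 0x42, 0x43, 0x44)]
    memory[2] = flip_bits(memory[2], 0)          # one bit lost: detected
    print("bad addresses:", scan_memory(memory))  # [2]
    word = store_byte(0xB2)
    print("two bits flipped detected?", not parity_ok(flip_bits(word, 3, 5)))  # False
```

The last line is the caveat an auditor should know: parity detects any odd number of bit errors in a word and nothing else, so it is an error-detection control, not an error-correction or integrity control.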
Controls in Access Controls
Access to programs documentation should be limited to those persons who require it
in the performance of their duties.
Access to data files and programs should be limited to those individuals authorized to
process data.
Access to computer hardware should be limited to authorized individuals.
Physical access controls
Limited physical access - the physical facility that houses EDP equipment, files and
documentation should have controls that limit access to authorized individuals only.
Visitor entry logs- any individual entering a secure area must be either pre-approved
by management and wearing an ID badge or authorized by an appropriate individual.
Electronic access controls
Access control software- the most used electronic access control is a combination of a
unique identification code and a confidential password.
Call back - is a specialized form of user identification that is used in highly sensitive
systems.
Encryption boards - are new devices that are installed in the back of a microcomputer,
or as standalone devices for larger systems.
Controls in Data and procedural controls
A control group should
Receive all data to be processed
Ensure that all data are recorded
Verify the proper distribution of output
A written manual of systems and procedures should be prepared for all computer
operations.
Internal auditors should review and evaluate proposed systems at critical stages.
Operations run manual - the operations manual specifies in detail the procedures for each application,
enabling the computer operator to respond to any errors that may occur.
Backup and recovery – to ensure the preservation of historical records and the ability to
recover from an unexpected error, files created within the EDP are backed up in a
systematic manner.
Contingency processing - a plan should be developed to prepare for natural disasters, man-made
disasters or general hardware failures that disable the data center.
Processing control- should be monitored by the control group to ensure that processing is
completed in a timely manner.
File protection ring - is a processing control to ensure that an operator does not use a
magnetic tape that holds critical information as a tape to write on.
Internal and external labels- are paper labels attached to a reel of tape or other storage
medium which identify the file.
Trailer labels - are often used at the end of a magnetic tape file to maintain information
on the number of records processed.
Application controls – are controls that relate to a specific application instead of multiple
applications.
Each accounting application that is processed in an EDP system is controlled during three
steps within EDP:
Input step – converts human readable information into computer readable
information.
Processing step- ensuring the integrity of the information in the computer is critical.
Output step- presentation of the results of processing to the user and retention of data
for future use.
Controls in Input Controls
Input data should be properly authorized and approved.
The system should verify all significant data fields used to record information.
Conversion of data into machine-readable form should be controlled and verified for
accuracy.
Preprinted form - information is pre-assigned a place and a format on the input form used.
Check digit - an extra digit is added to an identification number to detect certain types of
data transmission or transposition errors.
Control, batch, or proof total - a total of one numerical field, for all the records of a batch,
that would normally be added.
Hash totals- a total of one field for all the records of a batch where the total is a
meaningless total for financial purposes.
Record count - a control total used for accountability, to ensure that all the records received
were processed.
Reasonableness and limit tests - tests that determine whether amounts are too high, too low or
unreasonable.
Menu-driven input - used when input is being entered at a CRT terminal.
Field checks - checks that make certain that only numbers, alphabetic characters, special
characters and proper positive and negative signs are accepted into a specific data field
where they are required.
Validity checks - a check which allows only "valid" transactions or data to be entered into
the system.
Missing data check - checks whether blanks exist in input data where they should not.
Field size check - checks that the exact number of characters required has been input.
Logic check - ensures that illogical combinations of inputs are not accepted into the
computer.
Controls in Processing controls
Control totals should be produced and reconciled with input control totals (proof of
batch totals).
Controls should prevent processing the wrong file and detect errors in file
manipulation (label checks).
Limit and reasonableness checks should be incorporated into programs to prevent
illogical results.
Checkpoint/restart capability - for applications that take a significant amount of time to process, it is desirable to have
software within the application that allows the operator to restart the
application at the last checkpoint passed, as opposed to restarting the entire application.
Error resolution procedure - individual transactions may be rejected during processing
as a result of the error detection controls in place.
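The input edit checks listed under input controls (check digit, field, validity, missing data, field size, limit and logic checks), the three control totals (record count, batch total, hash total) and the processing-step reconciliation with error resolution fit together in one small batch run. The following is an added example written for these notes, not code from the original; the batch records, the field names, the mod-10 (Luhn) check digit scheme and the edit parameters (valid transaction types, amount limit, account length) are all constructed assumptions. It shows why rejected records must be logged with their own totals: accepted plus rejected totals must reconcile to the input totals the control group recorded, and a record lost between the control group and processing breaks that reconciliation.

```python
# Added example (not from the original notes). Records and parameters are constructed.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

VALID_TYPES = {"SAL", "PUR", "ADJ"}      # hypothetical transaction codes (validity check)
AMOUNT_LIMIT = Decimal("100000.00")      # hypothetical limit for the limit test
ACCOUNT_LEN = 11                         # hypothetical account number size (field size check)


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for an all-digit identification number."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost base digit is doubled; it sits next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit equals the check digit of the digits before it."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def edit_record(rec: dict) -> list:
    """Input edit checks for one record; an empty list means the record is accepted."""
    errors = []
    for f in ("account", "type", "amount"):           # missing data check
        if not str(rec.get(f, "")).strip():
            errors.append(f"missing data: {f}")
    acct = rec.get("account", "")
    if len(acct) != ACCOUNT_LEN:                      # field size check
        errors.append("field size: account")
    elif not acct.isdigit():                          # field check: numeric only
        errors.append("field check: account not numeric")
    elif not luhn_valid(acct):                        # check digit
        errors.append("check digit: account")
    if rec.get("type") not in VALID_TYPES:            # validity check
        errors.append("validity: type")
    try:
        amount = Decimal(rec.get("amount", ""))
    except InvalidOperation:                          # field check: numeric only
        errors.append("field check: amount not numeric")
    else:
        if abs(amount) > AMOUNT_LIMIT:                # limit / reasonableness test
            errors.append("limit: amount")
        if rec.get("type") == "PUR" and amount < 0:   # logic check: illogical combination
            errors.append("logic: negative purchase")
    return errors


def _dec(s: str) -> Decimal:
    """Amount as the control group would add it; a non-numeric field adds nothing."""
    try:
        return Decimal(s)
    except InvalidOperation:
        return Decimal("0")


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # record count
    batch_total: Decimal   # batch (proof) total of the amount field
    hash_total: int        # hash total of the account field: meaningless financially

    def __add__(self, other: "ControlTotals") -> "ControlTotals":
        return ControlTotals(self.record_count + other.record_count,
                             self.batch_total + other.batch_total,
                             self.hash_total + other.hash_total)


def control_totals(records) -> ControlTotals:
    """The three totals the control group logs for a batch, before or after processing."""
    return ControlTotals(
        len(records),
        sum((_dec(r.get("amount", "")) for r in records), Decimal("0")),
        sum(int(r["account"]) for r in records if r.get("account", "").isdigit()),
    )


def process_batch(records, input_totals: ControlTotals):
    """Processing step: apply edit checks, then reconcile accepted + rejected to input totals."""
    accepted = [r for r in records if not edit_record(r)]
    rejected = [r for r in records if edit_record(r)]   # goes to the error resolution log
    accepted_totals = control_totals(accepted)
    rejected_totals = control_totals(rejected)
    reconciled = accepted_totals + rejected_totals == input_totals
    return accepted_totals, rejected_totals, reconciled


# Constructed sample batch: records 2, 4 and 5 each fail exactly one edit check.
SAMPLE_BATCH = [
    {"account": "79927398713", "type": "SAL", "amount": "1250.00"},    # accepted
    {"account": "79297398713", "type": "SAL", "amount": "300.00"},     # two digits transposed
    {"account": "12345678903", "type": "PUR", "amount": "980.50"},     # accepted
    {"account": "12345678903", "type": "ADJ", "amount": "250000.00"},  # over the limit
    {"account": "79927398713", "type": "XYZ", "amount": "10.00"},      # invalid type code
]

if __name__ == "__main__":
    input_totals = control_totals(SAMPLE_BATCH)          # logged by the control group on receipt
    print(process_batch(SAMPLE_BATCH, input_totals))     # reconciled: True
    print(process_batch(SAMPLE_BATCH[:4], input_totals))  # one record lost: reconciled False
```

Two things the run makes visible that the list above only states: a transposition of two adjacent digits in an account number is caught by the check digit alone, without any master-file lookup, and the hash total of account numbers, though meaningless as a figure, is what proves that the same records (not merely the same count and the same money) reached processing.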
Controls in Output controls
Output control totals should be reconciled with input and processing control totals.
Output should be scanned and tested by comparison to original source documents.
Systems output should be distributed only to authorized users.
Control total - the user of the application will frequently give the operator the expected
result of processing ahead of time to allow the operator to verify that processing was
completed.
Limiting the quantity of output and total processing time - time constraints and output page
generation constraints are often automated within the job being run.
Error message resolution- following each job the system provides technical codes
indicating the perceived success of the job run.
Audit Theory Chapter 28 (Auditing in a Computer Information Systems (CIS) Environment)
An auditor focuses upon all EDP functions, particularly the controls over input,
processing and output. This means that the auditor investigates the data processing system
by feeding the computer with hypothetical transactions covering all types of situations
and ascertaining that the answers produced are correct and that wrong data are
rejected.
A CIS environment may affect:
The procedures followed by the auditor in obtaining a sufficient understanding of the
accounting and internal control system.
The consideration of inherent risk, and control risk through which the auditor arrives
at the risk assessment.
The auditor's design and performance of tests of controls and substantive procedures
appropriate to meet the audit objectives.
The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and
review the work performed. This knowledge may be needed to:
Obtain a sufficient understanding of the accounting and internal control systems
affected by the CIS environment.
Determine the effect of the CIS environment on the assessment of overall risk and
of risk at the account balance and class of transaction level.
Design and perform appropriate tests of controls and substantive procedures.
In planning the portions of the audit which may be affected by the client's CIS environment,
the auditor should obtain an understanding of the significance and complexity of the CIS
environment and the availability of data for use in the audit.
This understanding would include such matters as:
The significance and complexity of computer processing in each significant
accounting application.
The organizational structure of the client’s CIS activities and the extent of
concentration or distribution of computer processing throughout the entity.
The availability of data.
The nature of the risks and the internal control characteristics in a CIS environment
include:
Lack of transaction trails.
Uniform processing of transactions.
Lack of segregation of functions.
Potential for errors and irregularities.
The decreased human involvement in handling transactions processed by CIS can reduce
the potential for observing errors and irregularities. Errors or irregularities occurring
during the design or modification of application programs or systems software can
remain undetected for long periods of time.
The inherent risk and control risk in a CIS environment may have both a pervasive effect
and an account specific effect on the likelihood of material misstatements, as follows:
The risks may result from deficiencies in pervasive CIS activities.
The risks may increase the potential for errors or fraudulent activities in specific
applications, in specific data bases or master files, or in specific processing activities.
The audit procedures applicable to evaluating the internal controls in CIS systems are:
Review of the system
Tests of compliance
Evaluation to determine the extent of the substantive tests.
If a client uses CIS, the auditor must be capable of understanding the entire system to
evaluate the client's internal control and to determine whether the system provides
reasonable assurance that errors and irregularities have been and will be prevented or
detected on a timely basis.
Depending on the adequacy of the audit trail and the audit objectives, the auditor chooses to either:
Audit around the computer - the auditor does not use the computer to perform tests or
select samples. If there is an adequate audit trail, the auditor can do the following:
Examine for evidence of controls
Trace transactions using printouts to follow input documents through to final
report.
Process sample transactions manually, process a batch of transactions and
compare with printouts.
Auditing through the computer - the auditor can use a computer program to examine data
files and perform many of the clerical tasks previously performed by a junior auditor.
Substantive testing, like compliance testing, can be performed:
Substantive testing without using the computer
Substantive testing with the use of a computer
The sources of the programs are:
Auditor-written programs - specifically written for the client's files.
Auditee programs - coded by the company's own programmers to meet the
auditor's needs.
Utility programs - provided by software vendors and used to obtain data.
Generalized computer audit programs – these programs offer audit-oriented
functions for use in accessing and testing records.
Audit techniques using computers
Audit Software
Three types of software may be used on either a microcomputer or a mainframe computer:
Generalized audit software - is used most frequently because it allows the auditor
to access various clients' computer files.
Audit procedures that may be performed by generalized audit software:
Testing client calculations
Making additional calculations
Extracting data from the client's files
System utility software
Customized audit program
Test Data- a set of dummy transactions is developed by the auditor and processed by
the client’s computer programs to determine whether the controls which the auditor
intends to rely on are functioning as expected.
Possible problems associated with test data are that the auditor must:
Make certain the test data is not included in the client's accounting records.
Determine that the program tested is actually used by the client to process
data.
Devote the necessary time to develop adequate data to test key controls.
Concurrent audit techniques - these techniques collect evidence as transactions are
processed, immediately reporting information requested by the auditor or storing it
for later access.
Three concurrent techniques are:
Integrated test facility (ITF)- this method introduces dummy transactions into
a system in the midst of live transactions and is usually built into the system
during the original design.
Snapshots - auditors embed software routines at different points within an
application to capture and report images of selected transactions as they are
processed at preselected points in a program.
System control audit review file (SCARF) – uses audit software embedded in
the client’s system to gather information at predetermined points in a system.
Parallel simulation (controlled processing/reprocessing) - this method processes
actual client data through an auditor's software program.
The limitations of this method:
The time it takes the auditor to build an exact duplicate of the client's system.
Incompatibility between auditor and client software.
The time involved in reprocessing large quantities of data.
Code comparison - an auditor examines two versions of a program to determine
whether they are identical. The two versions are:
Blueprint
The one in current use by the client
Audit workstation - using a microcomputer and the necessary software, the auditor
extracts the necessary data form the client’s file and performs the desired test directly
on the microcomputer.
The seven steps in using an audit workstation
Determine data needed
Write extract routine
Run extract program
Download extracted file
Perform analysis
Prepare report
Workpapers
Data manager - what the auditor uses to download client data to the auditor's
microcomputer.
Commercially available software and software developed by public accounting firms
can assist the auditor in:
Preparing working papers
Executing audit procedures
Research
Engagement management
Time budgeting
Other types of commercially available software can assist in engagement
management, such as:
Audit program generators that assist in developing audit programs
Preparation of flowcharts
Performance of analytical procedures
Preparation of working papers
Expert systems - programs designed to mimic the decision-making processes of
an expert in the field.
Tagging and tracing transactions - this process involves tagging, or specifically marking
or highlighting, certain transactions by the auditor at the time of their input.
Internet - refers to the worldwide network of computer networks; it is a shared public network
that enables communication with other entities and individuals around the world.
When e-commerce has a significant effect on the entity’s business, appropriate levels of
both information technology and internet business knowledge may be required to:
Understand how they may affect the financial statements
Determine the nature, timing and extent of audit procedures and evaluate audit
evidence.
Consider the effect of the entity's dependence on e-commerce activities on its ability
to continue as a going concern.
In obtaining or updating knowledge of the entity's business, the auditor considers, insofar
as they affect the financial statements:
The entity’s business activities and industry
The entity’s e-commerce strategy
The extent of the entity’s e-commerce activities
The entity’s outsourcing arrangements
The entity's e-commerce strategy, including the way it uses IT for e-commerce and its
assessment of acceptable risk levels, may affect the security of the financial records and
the completeness and reliability of the financial information produced.
As an entity becomes more involved with e-commerce, and as its internal systems become
more integrated and complex, it becomes more likely that new ways of transacting
business will differ from traditional forms of business activities and will introduce new
types of risks.
Management faces many business risks relating to the entity’s e-commerce activities
including:
Loss of transaction integrity, the effects of which may be compounded by the lack of an
adequate audit trail in either paper or electronic form.
Pervasive e-commerce security risks
Improper accounting policies
Noncompliance with taxation and other legal and regulatory requirements
Failure to ensure that contracts evidenced only by electronic means are binding
Over-reliance on e-commerce when placing significant business systems or other
business transactions on the internet.
Systems and infrastructure failures or "crashes"
Factors that may give rise to taxes on e-commerce transactions include the place where:
The entity is legally registered
Its physical operations are based
Its web server is located
Goods and services are supplied from
Its customers are located or goods and services are delivered
When electronic commerce systems are highly automated, when transaction volumes are
high, or when electronic evidence comprising the audit trail is not retained, the auditor
may determine that it is not possible to reduce audit risk to an acceptably low level
using only substantive procedures.
The following aspects of internal control are particularly relevant when the entity engages
in e-commerce:
Maintaining the integrity of control procedures in the quickly changing e-commerce
environment.
Ensuring access to relevant records for the entity's own needs and for audit purposes.
The entity's security infrastructure and related controls are a particularly important feature
of its internal control system when external parties are able to access the entity's
information system using a public network.
Audit procedures regarding the integrity of information in the accounting system relating
to e-commerce transactions are largely concerned with evaluating the reliability of the
systems in use for capturing and processing such information.
Process alignment - refers to the way the various IT systems are integrated with one another
and thus operate, in effect, as one system.
In an e-commerce environment, it is important that transactions generated from an entity's
web site are processed properly by the entity's internal systems.
The auditor considers whether the entity's information security policies and security
controls as implemented are adequate to prevent unauthorized changes to the accounting
system or records, or to systems that provide data to the accounting system.