Computerised Information System (CIS)
Learning outcomes
Describe the impact of IT on the audit process
Discuss the use of IT in audit management
Describe and illustrate the audit procedures in an IT audit environment
Understand the impact of IT on the audit process
INTRODUCTION
An entity may use automated systems that may share data and that are used to support all aspects of the entity's financial reporting, operations and compliance objectives. An entity with such information systems is likely to use automated procedures to initiate, record, process and report routine business transactions in electronic form.
IT environment
Use of IT enhances internal controls by adding new control procedures.
Use of IT also increases risk.
We will study the risks associated with an IT environment, identify controls that minimise such risks, and see how IT controls affect audit practice.
Types of control in an IT environment
Environmental controls
Internal controls in an IT environment
Internal controls in an IT environment include both manual and computerised controls, classified under two categories:
General controls: apply to the overall IT processing environment
Application controls: apply to specific computer applications
[Diagram: general controls surround the application controls (sales application controls, payroll application controls, other cycle application controls); the diagram labels the risk of unauthorized master file update and the risk of unauthorized processing.]
TYPES OF CONTROLS IN AN IT ENVIRONMENT
There are two broad categories of information systems control procedures: general controls and application controls.
(A) General Controls
General controls relate to the overall information processing environment and have a pervasive effect on the entity's information systems and operations.
(B) Application Controls
Application controls are manual or automated procedures that typically operate at a business process level.
General controls
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
They commonly include controls over data centre and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development and maintenance.
General controls include controls over the following:
Password controls
Audit Procedures
Data centre and network operations controls
1. Review and test whether authorisation to gain access to the system is consistent with the segregation of duties in IT
2. Review controls over work flow and error correction procedures
3. Review backup and recovery procedures
Audit Procedures
Systems software acquisition, change and maintenance controls
1) Review the equipment manufacturer's documentation to determine what software controls and hardware controls are available
2) Review equipment failure logs or other operating reports on equipment reliability
3) Review the maintenance contract with the computer equipment manufacturer
4) Inquire of IT personnel about the types of systems software in use and whether any modifications have been made to the programs
Hardware Controls
Hardware controls are built into computer equipment by the manufacturer to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with the adequacy of those controls. Regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.
Examples:
Segregation of duties
Full records of program changes
Password protection of programs so that access is limited to computer operations staff
Restricted access to the central computer by locked doors and keypads
Maintenance of program logs
Auditor's concern
Segregation of duties between system programming and application programming: system programmers may amend application programs to create fictitious transactions or make unauthorised changes to application programs
Application controls
Apply to the processing of individual accounting applications to ensure:
Completeness and accuracy of processed transactions
Authorisation
Validity
Application controls
Application controls are manual or automated procedures that typically operate at a business process level.
They can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
Accordingly, they relate to procedures used to initiate, record, process and report transactions or other financial data.
The categories of Application Control include:
Output controls
Ensure that the results finally reported as a consequence of inputting and processing the data are valid, accurate and complete.
Address the concern that confidential information may be accessible to unauthorised personnel:
Define who should be able to read what information in the system
Define who should receive a copy of each hard copy report
Ensure proper control over the sending of hard copy reports (reports, cheques, documents, bank statements, ATM mailers) and their subsequent receipt
Error controls
[Flowchart: on-line input and batch input pass through a validation program; accepted data continues to processing while rejected items go to an error file and an error report; an error program produces an unclear/outstanding error report for review.]
Source: William F. and Margaret B. (2004), Auditing and Assurance Services in Malaysia, McGraw Hill, p. 213
Audit Process in an IT environment
Auditor's concern
May need more time to understand the client's IT environment in order to conduct tests of controls and substantive procedures
May need computer audit specialists to use CAATs as a cost-effective auditing approach
Also needs specialist skills in the evaluation of IT-related controls
CAATs
What should auditors consider when applying CAATs?
CAATs
In a computer information (IT) environment, the application of auditing procedures may require the auditor to consider techniques known as Computer Assisted Audit Techniques (CAATs), which use the computer as an audit tool.
The purpose of the statement is to assist auditors by providing guidance on the use of CAATs as an audit tool.
The statement provides practical assistance to the auditor by describing:
What CAATs are
Considerations in the use of CAATs
Usage of CAATs
Usage of CAATs in a small entity IT environment
Computer-assisted audit techniques
Types of CAATs
Test Data
Test data prepared by the auditor is processed on
the current production version of the client's
software, but separately from the client's normal
input data. The test data that is processed
updates the auditor's copies of the client's data
files. The updated files are examined to ensure
that the transactions were processed in the
manner expected. This procedure is typically
used to gather evidence as to the effectiveness
of design of programmed control procedures, as
well as aspects of the effectiveness of operation.
Test Data
The auditor uses test data for testing the application controls in the entity's computer programs. In using this method, the auditor first creates a set of simulated transaction data (test data) for testing.
The data should include both valid (correct) and invalid (incorrect) data.
The auditor manually calculates what the processing results should be and runs the test data through the entity's application program.
Parallel Simulation
In parallel simulation, actual client data is processed using a copy of the client's software that has undergone program code analysis by the auditor and is under the control of the auditor. The data processed on the auditor's copy of the software is compared to the data previously processed by the client to ensure that the processing is identical. This procedure provides evidence as to the effectiveness of design of programmed control procedures as well as aspects of the effectiveness of operation.
Parallel Simulation
The use of parallel simulation requires that the auditor construct a simulation program that mimics the entity's application program.
With this method the auditor processes the actual data of the entity through the simulated program and compares the results with the data processed by the entity's program.
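The test-data approach and the parallel simulation described above, as an added worked example that is not part of the lecture: a constructed stand-in for a client's sales-posting program (with one planted defect in its quantity edit check), the auditor's test data with manually calculated expected results, and the auditor's own simulation program run over the same data. The program, its controls, the customer codes and the amounts are all assumptions.

```python
# Added example (not the lecture's own): a constructed stand-in for a client's sales-posting
# program, an auditor test-data run and a parallel simulation; all names and amounts are assumptions.
from decimal import Decimal, ROUND_HALF_UP

CREDIT_LIMIT = Decimal("5000.00")    # assumed programmed control
CUSTOMER_MASTER = {"C001", "C002"}   # assumed customer master file

def extend(txn):
    """Invoice amount = quantity x unit price, rounded to cents."""
    return (Decimal(txn["qty"]) * Decimal(txn["price"])).quantize(Decimal("0.01"), ROUND_HALF_UP)

def client_program(txn):
    """Stand-in for the entity's production program, with one deliberate
    defect: the quantity edit uses '< 0', so a zero quantity is accepted."""
    if txn["customer"] not in CUSTOMER_MASTER:
        return ("rejected", "unknown customer")
    if txn["qty"] < 0:               # defect: should be '<= 0'
        return ("rejected", "invalid quantity")
    amount = extend(txn)
    if amount > CREDIT_LIMIT:
        return ("rejected", "credit limit exceeded")
    return ("accepted", amount)

def auditor_simulation(txn):
    """Parallel simulation: the auditor's own program, written from the
    documented processing rules and kept under the auditor's control."""
    if txn["customer"] not in CUSTOMER_MASTER:
        return ("rejected", "unknown customer")
    if txn["qty"] <= 0:
        return ("rejected", "invalid quantity")
    amount = extend(txn)
    return ("accepted", amount) if amount <= CREDIT_LIMIT else ("rejected", "credit limit exceeded")

# Test data: auditor-prepared valid and invalid transactions, each paired
# with the manually calculated expected result (constructed values).
TEST_DATA = [
    ({"id": "T1", "customer": "C001", "qty": 3, "price": "19.99"}, ("accepted", Decimal("59.97"))),
    ({"id": "T2", "customer": "C999", "qty": 1, "price": "10.00"}, ("rejected", "unknown customer")),
    ({"id": "T3", "customer": "C002", "qty": 0, "price": "10.00"}, ("rejected", "invalid quantity")),
    ({"id": "T4", "customer": "C001", "qty": 600, "price": "9.00"}, ("rejected", "credit limit exceeded")),
]

def run_test_data(program, cases=TEST_DATA):
    """Exceptions (id, expected, actual): test transactions not processed as expected."""
    return [(t["id"], exp, program(t)) for t, exp in cases if program(t) != exp]

def parallel_simulation(program, actual_data):
    """Ids of actual transactions whose results differ between the two programs."""
    return [t["id"] for t in actual_data if program(t) != auditor_simulation(t)]
```

Running the test data through the client program lists T3 as an exception (a zero quantity accepted instead of rejected), and running the entity's actual data through both programs flags exactly the transactions where the defective control changed the outcome.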
E-Commerce
Control measures (page 257 of Margaret Boh)
Control measures
An entity engaging in e-commerce activities should have a proper security infrastructure and related controls to address such business risks and to ensure the security and integrity of transactions. Controls to address security risks are important to ensure that information is secure to the extent that the requirements for its authorization, confidentiality, integrity and availability are satisfied.
If the entity does not have adequate controls, electronic transactions can be changed, lost, duplicated or processed incorrectly.
Audit Implications
The e-commerce or e-business environment presents new risks that must be considered by the auditors when planning and performing the audit of financial statements.
To assist the auditors in identifying and assessing these risks, IFAC has issued a practice statement, Electronic Commerce: Effect on the Audit of Financial Statements.
Audit Procedures
The auditor's concern in the audit of financial statements is the completeness, accuracy, timeliness and authorization of information processed in the entity's financial records.
Internal controls can be used to mitigate many of the risks associated with e-commerce activities. Accordingly, the auditor is likely to focus audit procedures in an e-commerce environment largely on the evaluation of the entity's security infrastructure and related controls established for ensuring the integrity of transactions.
E-commerce
Management's responsibilities
Management is responsible for establishing and maintaining adequate internal controls over financial reporting; this is accompanied by management's assessment, and the auditor's attestation/review, of the effectiveness of the internal control structure and procedures.
E-commerce
Providing assurance to stakeholders
To provide investors and others with reasonable assurance that companies have designed processes to help ensure that transactions are properly authorized, recorded and reported, and that assets are safeguarded against unauthorized or improper use.
E-Commerce
Audit implication
Auditors need adequate skills and knowledge to understand:
The client's e-commerce strategy and activities
The technology that enables the e-commerce operations
The IT skills and knowledge of the client's personnel
The risks associated with e-commerce and the client's approach to managing these risks
The security infrastructure and related controls that have an impact on the financial statements
Auditors may need to engage an expert, as per ISA 620 Using the Work of an Expert
[Diagram: central computer and Internet gateway. Distributed processing organises and coordinates data processing by decentralising computer function and power.]
The other level of networking provides communication outside the organization. An entity can send data to various groups (such as suppliers or customers) outside the organization directly by computer via a connection to Wide Area Networks (WANs). This includes the initiation and execution of transactions.
Another innovation is the use of Electronic Data Interchange (EDI), which allows organizations to transmit business transactions over telecommunications networks. The benefits of EDI include a reduction in paperwork and faster turnaround times for transactions.
Audit Implications:
The auditor's main concerns with distributed data processing are the controls that limit access to the system and the controls over the telecommunication links that transmit data to and from the central computer.
If unauthorized individuals can access the system at either the division or corporate level, assets and records may be misappropriated.
The auditor must also be concerned about the completeness and accuracy of the data sent back and forth between the central (server) and divisional (client) computers.
Audit Procedures:
Review formal partner and third-party agreements
Review important components of the EDI system
Review the automated control structure and authorized electronic signatures
EDI Benefits
Businesses can concentrate on sales and manufacturing, knowing that the retail fulfillment, shipping and billing aspects are taken care of.
Reduced paperwork
Faster turnaround time for each transaction
Cost reduction
Integrity
How can the recipient know that the contents of the
data have not been changed?
Availability
How can the systems be made to operate without any
disruption or outage?
Audit Implications:
Such systems are likely to have fewer source documents in hard copy form, and there may also be no batch-type controls to ensure completeness, so the concern over controls over access to the system is increased.
In an online, real-time system the auditor must rely more on the entity's controls, and auditing needs to be conducted more continuously.
Other considerations in an IT environment
IT Environment - Database Systems
IT Environment - On-line Computer Systems
IT Environment - Stand Alone Personal Computers
IT Environment - Database Systems
The statement gives practical assistance to auditors when database systems are used in the production of information that is material to the financial statements.
Specifically the statement focuses on:
Description of database systems and characteristics of such systems
Internal control in a database environment
The effect of database systems on the accounting system and related internal controls
The effect of database systems on audit procedures
IT Environment - On-line Computer Systems
The statement gives practical assistance to auditors when on-line computer systems are used in the production of information that is material to the financial statements.
Specifically the statement focuses on:
IT Environment - Distributed Systems
Communication controls to preserve the integrity of data from unauthorized access
High standard for physical access controls
Prompt corrective recovery
End of Lecture