
©McGraw-Hill Education. All rights reserved. Authorized only for instructor use in the classroom. No reproduction or further distribution permitted without the prior written consent of McGraw-Hill Education.

Types
• Small businesses
  • Off-the-shelf software packages
  • Electronic checkbooks (e.g., Quicken), basic general ledger systems (e.g., QuickBooks)
• Large businesses
  • Client/server
  • ERP
  • Cloud computing



• Hardware
• Software
  • System
  • Application
• Data
• People
• Procedures
• Networks



• Two types:
  • System software
    • Programs that control and coordinate hardware components and provide support to application software
    • Operating system (Examples: Unix, Windows)
  • Application software
    • Programs designed to perform a specific data processing task
    • Written in programming language (Example: Java)



• Companies use various types of computer systems, such as office automation systems, transaction processing systems, management information systems, decision support systems, expert systems, and enterprise-wide systems.
• In auditing and accounting we focus on transaction processing systems
  • Support routine business activities, such as sales and purchasing
  • Range in size from simple general ledger packages to company-wide enterprise resource planning systems
  • Regardless of the size, systems possess one or more of the following characteristics
    • Batch vs. real-time processing
      • Batch—all of one type run at a point.
      • Online transaction processing
      • Online analytical processing
    • Database storage
    • End user computing
    • Client/Server environments
    • Cloud computing
    • Electronic commerce



• Input data gathered and processed periodically in groups
• Example: Accumulate all of a day’s sales transactions and process them as a batch at end of day
• Often more efficient than other types of systems but does not provide up-to-minute information



• Online systems allow users direct access to data stored in the system
• Two types (a company may use both)
  • Online transaction processing (OLTP)
    • Individual transactions entered from remote locations
    • Online real time (Example: Processing transactions at ATM)
  • Online analytical processing (OLAP)
    • Enables user to query a system for analysis
    • Example: Use of a decision support system to make decisions



• In traditional IT systems, each computer application maintains separate master files
  • Redundant information stored in several files
• Database system allows users to access same integrated database file
  • Eliminates data redundancy
  • Creates need for data administrator to provide security against improper access



• User departments are responsible for the development and execution of certain IT applications
• Involves a decentralized processing system
• IT department generally not directly involved
• Controls needed to prevent unauthorized access and ensure applications do not have programming errors



• Networks
  • Computers linked together through telecommunication links that enable computers to communicate information back and forth
  • WAN, LAN
  • Internet, intranet, extranet
• Electronic commerce
  • Involves electronic processing and transmission of data between customer and client
  • Example: Electronic Data Interchange (EDI)



• The term client/server architecture involves a logical separation of an information system’s tasks into client and server tiers or layers.
• The three-tier configuration that separates the presentation, application processing, and data management functions was the primary client/server arrangement for most in-house enterprise business systems until virtualized IT environments were introduced.
• A virtualized client/server configuration requires the system software to partition a single physical computer server into multiple virtual machines, each capable of running a different operating system and different applications, simultaneously and independently.



• System may be on-premises or off-premises
• Illustration of manual vs. automated initiation of transactions
  • Manual—May manually record sales orders on paper forms, authorize credit, prepare shipping reports and invoices, record sales and maintain accounts receivable records.
  • Automated—Records may all be electronic. IT may be able to create, update, and delete data without evidence of change.



• Importance of internal control is not diminished in computerized environment
  • Separation of duties
  • Clearly defined responsibilities
  • Physical controls
  • Access controls
• Augmented by controls written into computer programs



• Information systems management
  • Supervise the operation of the department and report to vice president of finance
• Systems analysis
  • Responsible for designing the system
• Application programming
  • Design flowcharts and write programming code
• Database administration
  • Responsible for planning and administering the company database
• Data entry
  • Prepare and verify input data for processing



• IT operations
  • Run and monitor central computers
• Data control
  • Reviews and tests all input procedures, monitors processes, and reviews IT logs
• Systems programming
  • Responsible for troubleshooting the operating system



• History shows the person responsible for frauds in many situations set up the system and controlled its modifications
• Segregation of duties
  • Programming separate from controlling data entry
  • Computer operator from custody or detailed knowledge of programs
  • If segregation not possible need compensating controls like batch totals
• Organizational controls not effective in mitigating collusion



• Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company.
• Should participate in design of IT-based system.
• Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning, and data group performing duties.



General Control Activities
• System acquisition, development and maintenance
• Changes to existing programs and systems
• Access security
• IT operations controls



• Programmed Control Activities
  • Input validation checks
    • Limit test
    • Validity test
    • Allowed character test
    • Missing data test
    • Self-checking number
  • Batch controls
    • Item count
    • Control total
    • Hash total
  • Processing controls
  • Input controls
• Manual Follow-up Activities
  • Exception reports follow-up



• Designed to test the completeness and accuracy of IT-processed transactions
• Designed to ensure reliability of processing
• Reconciliation of control totals generated by system to totals developed at input phase, or manually testing computer processing
  • Example: Sales invoices generated by the computer may be selectively tested for clerical accuracy and pricing by an accounting clerk
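
An added example (not from the original slides) of the batch controls named earlier (item count, control total, hash total) and of the reconciliation described above: totals developed at the input phase are compared with totals recomputed from the processed output. The record layout, function names and sample batch are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch of sales transactions: (invoice, account_no, amount).
INPUT_BATCH = [
    ("INV-1001", 40017, Decimal("250.00")),
    ("INV-1002", 40342, Decimal("1199.95")),
    ("INV-1003", 40125, Decimal("75.50")),
]

def batch_totals(records):
    """Compute the three batch controls for a list of records."""
    return {
        # Item count: number of records in the batch.
        "item_count": len(records),
        # Control total: sum of a meaningful field (here, the amounts).
        "control_total": sum((amt for _, _, amt in records), Decimal("0")),
        # Hash total: sum of a field with no meaning as a sum (account numbers).
        "hash_total": sum(acct for _, acct, _ in records),
    }

def reconcile(input_totals, processed):
    """Return the names of controls whose output total differs from the input total."""
    output_totals = batch_totals(processed)
    return sorted(k for k in input_totals if input_totals[k] != output_totals[k])

def scenarios():
    """Constructed processing outcomes for the same batch."""
    a, b, c = INPUT_BATCH
    return {
        "clean": [a, b, c],
        "dropped": [a, b],                                          # record lost
        "repriced": [a, (b[0], b[1], Decimal("199.95")), c],        # amount altered
        "misposted": [a, (b[0], 40999, b[2]), c],                   # wrong account
    }

if __name__ == "__main__":
    totals_at_input = batch_totals(INPUT_BATCH)
    for name, processed in scenarios().items():
        exceptions = reconcile(totals_at_input, processed)
        print(f"{name:10s} -> {exceptions or 'reconciled'}")
```

Each total catches a different failure: the hash total is the only one that flags a transaction posted to the wrong account with the amount intact. None of the three detects offsetting changes inside one batch, which is why the exception report still needs manual follow-up.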



• Recall that monitoring is the process of assessing internal control performance over time
• A major advantage of technology is that it can be used to automatically identify transactions or items that meet defined criteria
• As an example, technology may be used to identify fraudulent and/or unauthorized transactions



• Management must take responsibility for controls regardless of whether they are applied by the Cloud provider
• Client controls must be coordinated and integrated with Cloud provider



• Involves use of one or more user operated workstations to process data
• Needed controls
  • Train users
  • Document computer processing procedures
  • Files backed-up at a secure location
  • Authorization controls
  • Prohibit use of unauthorized programs
  • Use antivirus and malware software



• Step 1 – Consider IT system in planning
• Step 2 – Obtain an understanding of the client and its environment
  • Documentation of client’s IT-based system depends on complexity of system
    • Narrative
    • Systems flowchart
    • Program flowchart
    • Internal control questionnaires



• Identify risks
• Relate the identified risks to what can go wrong at the relevant assertion level
• Consider whether the risks are of a magnitude that could result in a material misstatement
• Consider the likelihood that the risks could result in a material misstatement
• Evaluate effectiveness of related controls in mitigating risks
• Test of controls over IT-based systems



• Auditing Around the Computer--Manually processing selected transactions and comparing results to computer output
• Manual Tests of Computer Controls--Inspection of computer control reports and evidence of manual follow-up on exceptions
• Computer assisted techniques to test controls
  • Test Data
  • Integrated Test Facility
  • Controlled Programs
  • Program Analysis Techniques
  • Tagging and Tracing Transactions



• Obtain a Service Auditors Report
  • Type 1—Provides information about the design of the provider’s systems
  • Type 2—Provides information about the design of the provider’s systems and the results of certain tests of controls
• Perform tests of the provider’s controls



In general, using client data and generalized audit software
• Examine client’s records for overall quality, completeness, and valid conditions
• Rearrange data and perform analyses
• Select audit samples
• Compare data on separate files
• Perform data analytics
• Compare results of audit procedures with client’s records



