Sie sind auf Seite 1von 33

INFORMATION

TECHNOLOGY IN
BUSINESS
AND
ITS IMPACT ON AUDIT
PROCESS

1
LEARNING OBJECTIVES

• Disruptive Technologies
• IT and business
• Impact of IT on Internal Control
• Impact of IT on Audit Process
• Audit Documentation
• Audit Evidence

2
Catalyst of Change – Internet of Things (IoT)

3
DISRUPTIVE TECHNOLOGIES
• BIG DATA
• Definition: large and complex datasets
• Characteristics: 4Vs [Volume (qty), Velocity (speed), Variety
(complexity: structured and unstructured), **Veracity
(inconsistencies)
• Example: Instagram, Facebook, Google
• Evolution: Database Management System (storage), Data
Warehousing (analytics), Stream Computing (real time analytics) –
significantly used for Business Intelligence
• Problems: Capture, storage, analysis, visualisation
• Benefits: real time, spot trends, correlations,
informed decisions
4
DISRUPTIVE TECHNOLOGIES
• Definition: process of collecting, organising
and analysing large data sets in seeking
patterns and useful information
DATA • Examples: Predictive analysis, Data Mining,
ANALYTICS Business Intelligence
• Usage: Customer analytics, Operational
analytics, Fraud & Compliance
(Infrastructure & Apps)

ARTIFICIAL • Definition: Machine are programmed to


‘think’ like human
INTELLIGENCE • Siri IoS, speech / image recognition 5
DISRUPTIVE TECHNOLOGIES

• Ability to learn with data without explicitly


being programmed (machine progressively
MACHINE improve performance over specific task)
• Unsupervised Learning – Clustering (grouping)
LEARNING • Supervised Learning – Classification,
Regression (predictive)

• Distributed database, decentralised ledger


(secure, permanent, unrestricted / restricted,
smart contracts, disrupting middleman – self
BLOCKCHAIN auditing & fully traceable)
• Issues: Data sharing, Transparency, Trust
• Impacts: no reconciliation, easy to audit
(lesser time & cost)

6
https://www.youtube.com/watch?v=_Xcmh1LQB9I
DISRUPTIVE
TECHNOLOGIES

WHAT IS MOST
NEEDED????

DATA
SCIENCE

7
BUSINESS MAJOR CONCERNS
• Business survival & competitiveness
• Cost of investment
• Data & Information – an emerging crucial assets
• Cognitive technology (artificial intelligence /
machine learning) – better decision making
• Robotics automation – HUMAN ???

8
TECHNOLOGY IN BUSINESS

9
IT SYSTEM & ENVIRONMENT
• Stand alone, online, database, mobile computing
• Online real-time systems – embedded audit facilities,
snapshots, extended records (log)
• Distributed data processing

10
IT INFRASTRUCTURE

• IT infrastructure
• Network – LANs, WANs, EDI
• Database Management System – Intelligence System (DSS,
CRM)
• ERP systems – Knowledge Sharing (KMS)
• Firewall
• Encryption
• Digital signatures
• Outsource (Offshoring) i.e. cloud computing, application
service providers, shared services 11
DISCUSS THE
IMPACTS OF
TECHNOLOGY
TOWARDS
INTERNAL
CONTROL?
12
BENEFITS OF IT TO
BUSINESS
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realise business benefits through
effective and innovative use of IT – databases
• Achieve operational excellence through reliable and efficient
application of technology
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology – ROI

13
INTERNAL CONTROL IN IT
• Importance of internal control not diminished in
computerized environment
• Separation of duties
• Defined responsibilities
• Controls specific to IT
• General controls
• Application controls
GENERAL CONTROLS
Physical control
• Policies and procedures that support effective
functioning of application controls
• Controls over computer equipment & documents
• Organizational controls.
• Systems development and modification controls.
• Hardware and systems software controls.
• Security and access controls.
• Operations and data controls.
15
APPLICATION CONTROLS
Technical control
• Controls within the systems
• Electronic based (data encryption), authorisation or approval
Input Process Output
 Accuracy  Readable  Accurate &
 Completeness  Errors complete
identification  Restricted
 Batch / online access
 Timely basis
 Data capture  Processing  Output
 Data validation controls controls
 Error controls 16
IT & AUDIT

IT GOVERNANCE AUDITORS’ AUDIT COMPUTER


& IT AUDIT CONCERN DOCUMENTATION AUDITING

17
IT GOVERNANCE
• Leadership, organizational structures and processes in relation
to IT initiatives and systems that ensure that the organization’s
IT sustains and extends the organization’s strategy and
objectives.
• Directors should govern IT through three main tasks:
• Evaluate the current and future use of IT.
• Direct preparation and implementation of plans and
policies to ensure that use of IT meets business
objectives.
• Monitor conformance to policies, and performance 18
against the plans.
AUDITING IT GOVERNANCE
Steps:
• Asking management to collect program documentation in
preparation for the audit.
• Evaluating the IT governance's design adequacy and the
effectiveness of IT and risk management controls.
• Assessing information security processes, procedures, and
performance metrics.
• Defining tests to confirm the operational effectiveness of
information security activities.
• Identifying and recommending opportunities for improving 19
information security activities.
IT AUDIT
TYPES OF IT AUDIT
• IT audit in financial audit
• Scope –IT portfolio, entity-level controls, information
security, backup and recovery, and third-party IT
providers, compliance audit
• IT audit / IS audit
• Scope – application, database, OS, networking and
infrastructure, physical controls and entity-level
controls.
• Main objective of IT audit - to enable integrity,
reliability, timely communication and security of the
data through checking data life cycle management
20
AUDITOR’S CONCERNS
• Degree of dependency of business process on the system.
• Extent of complexity of the system & audit trail (i.e.
accessibility and evidences)
• Safeguarding of assets (controls) and data integrity
• Cost of error in computer or system.

21
A) DEGREE OF DEPENDENCY
Shared Services / Outsourcing / Offshoring Services
• The auditor should consider:
• The inherent risk and significance of the audit objectives
affected by the controls.
• The extent of the interaction between the client's controls and
the service organization's controls.
• Controls applied by the client to transactions processed by the
service organization.
• The auditor's prior experience with the service organization.
• The extent of audit trail within the client's internal control.
22
B) COMPLEXITY, TRAIL &
ASSETS
• Complexity – Infrastructure
• Trail – Networking, Security, Backup
• Safeguarding Assets – hardware, software, data files, manuals
(SOPs)

23
C) DATA INTEGRITY

• Complete - Complete transaction at source (i.e.


documents) and input (i.e. system) levels.

• Reliable - Input data is accurate and authorised


data.

24
EFFECT OF IT ON
AUDIT APPROACH &
AUDIT PROCESS
• Risk based approach
• Understand nature of business, business & technology risks
• Understand AIS, security system, general and application
controls
• Scope of audit
• Fair & true view, going concern, proper accounting records.
• Audit strategy
• Auditing ‘around’ computer
• Auditing ‘through’ computer
25
AUDITING ‘AROUND’
COMPUTER
SUBSTANTIVE STRATEGY

• Adequate source documents and accounting


reports in non-machine-readable form (i.e.
hard copy).

• Transactions can be traced from the source


documents to the accounting reports AND
from the reports back to the source
documents (vice versa).

26
AUDITING ‘THROUGH’
COMPUTER
RELIANCE STRATEGY
How to audit in IT environment:
• Control Risk Assessment
• General and application controls are reviewed and tested.
• CAAT in gathering audit evidence
• Computer-Audit Assisted Techniques (CAAT).
• Modelling – predictive audit tests, statistical
• Tools – risk assessment procedures (AR)
• Audit Automation – IT in audit documentation
• Expert systems – customized audit software
27
• WP – electronic working paper
TEST OF CONTROLS IN
AUDITING ‘THROUGH’
COMPUTER
Input Process Output
 Paper  Online vs batch  Files
document processing  Reports
 Database  Time stamp  Control totals /
 Application doc  Storage device hash totals
 Sign on
procedures
 Time stamp
 ACL

28
COMPUTER-ASSISTED
AUDIT TECHNIQUES
(CAAT)
• Integrated test facility – test data
• Generalized audit software – ACL / IDEA
• Analyse data (large data i.e. 100%) & gather
evidence (i.e. computerised records)
• Data analysis software prog (not documenting
audit work)
• Routines: read computer files, select desired info
(i.e. exception reports on specified criteria),
perform repetitive calculations (i.e. arithmetic)
and print reports in auditor- specified format
• Custom audit software
29

• Parallel simulation – Continuous auditing


AUDIT DOCUMENTATION

• Electronic working paper


• Standardise audit work, more productive and consistent
results & reporting styles
• Facilitate review and sharing of audit files among peers
• Centralised storage for ease of access
• Ease of audit tracking, follow up assignments, cut down
planning time and staff workload

30
AUDIT PROGRAM

31
WORKING PAPER – EXCEL

32
GROUP PROJECT BRIEFING
• Objective: To examine extent of use of IT in different audit stages
• Audit planning – AR, RA
• Audit fieldwork -
• Use of CAAT in data collection and analysis
• Use of IT in audit documentation
• Use of Excel / Word
• Use of standard or customized audit software
• Audit completion – audited FS, AR, Memorandum etc.
• Specific task(s)
• Challenges / obstacles & enablers

33