12 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder The Impact of...

12 - 1©2006 Prentice Hall Business Publishing, ©2006 Prentice Hall Business Publishing, Auditing 11/e,Auditing 11/e, Arens/Beasley/Elder Arens/Beasley/Elder

The Impact of The Impact of InformationInformationTechnology on theTechnology on theAudit ProcessAudit Process

Chapter 12Chapter 12


Learning Objective 1Learning Objective 1

Describe how IT improvesDescribe how IT improves

internal control.internal control.


How Information Technologies How Information Technologies Enhance Internal ControlEnhance Internal Control

Computer controlsComputer controlsreplace manual controls.replace manual controls.

Computer controlsComputer controlsreplace manual controls.replace manual controls.

Higher-qualityHigher-qualityinformation is available.information is available.

Higher-qualityHigher-qualityinformation is available.information is available.



Identify risks that arise from usingIdentify risks that arise from using

an IT-based accounting system.an IT-based accounting system.


Assessing Risks ofAssessing Risks ofInformation TechnologiesInformation Technologies

Reliance on the capabilities of hardwareReliance on the capabilities of hardwareand softwareand software

Reliance on the capabilities of hardwareReliance on the capabilities of hardwareand softwareand software

Visibility of audit trailVisibility of audit trailVisibility of audit trailVisibility of audit trail

Reduced human involvementReduced human involvementReduced human involvementReduced human involvement

Systematic versus random errorsSystematic versus random errorsSystematic versus random errorsSystematic versus random errors


Assessing Risks ofAssessing Risks ofInformation TechnologiesInformation Technologies

Unauthorized accessUnauthorized access Unauthorized accessUnauthorized access

Loss of dataLoss of dataLoss of dataLoss of data

Reduced segregation of dutiesReduced segregation of duties Reduced segregation of dutiesReduced segregation of duties

Lack of traditional authorizationLack of traditional authorizationLack of traditional authorizationLack of traditional authorization

Need for IT experienceNeed for IT experienceNeed for IT experienceNeed for IT experience



Explain how general controlsExplain how general controls

and application controlsand application controls

reduce IT risks.reduce IT risks.


Internal Controls Specific to Internal Controls Specific to Information TechnologyInformation Technology

General controlsGeneral controlsGeneral controlsGeneral controls

Application controlsApplication controlsApplication controlsApplication controls


Relationship Between GeneralRelationship Between Generaland Administrative Controlsand Administrative Controls

Cash receiptsCash receiptsapplicationapplication

controlscontrols

Cash receiptsCash receiptsapplicationapplication

controlscontrols

SalesSalesapplicationsapplications

controlscontrols

SalesSalesapplicationsapplications

controlscontrols

PayrollPayrollapplicationapplication

controlscontrols

PayrollPayrollapplicationapplication

controlscontrols

Other cycleOther cycleapplicationapplication

controlscontrols

Other cycleOther cycleapplicationapplication

controlscontrols

GENERAL CONTROLSGENERAL CONTROLS

Risk of unauthorized changeRisk of unauthorized changeto application softwareto application software

Risk of unauthorized changeRisk of unauthorized changeto application softwareto application software Risk of system crashRisk of system crashRisk of system crashRisk of system crash

Risk of unauthorizedRisk of unauthorizedmaster file updatemaster file update

Risk of unauthorizedRisk of unauthorizedmaster file updatemaster file update Risk of unauthorizedRisk of unauthorized

processingprocessing

Risk of unauthorizedRisk of unauthorizedprocessingprocessing


General ControlsGeneral Controls

Administration of the IT functionAdministration of the IT functionAdministration of the IT functionAdministration of the IT function

Segregation of IT dutiesSegregation of IT dutiesSegregation of IT dutiesSegregation of IT duties

Systems developmentSystems developmentSystems developmentSystems development

Physical and online securityPhysical and online securityPhysical and online securityPhysical and online security

Backup and contingency planningBackup and contingency planningBackup and contingency planningBackup and contingency planning

Hardware controlsHardware controlsHardware controlsHardware controls


Administration of the IT FunctionAdministration of the IT Function

The perceived importance of IT within anThe perceived importance of IT within anorganization is often dictated by the attitude oforganization is often dictated by the attitude ofthe board of directors and senior management.the board of directors and senior management.

The perceived importance of IT within anThe perceived importance of IT within anorganization is often dictated by the attitude oforganization is often dictated by the attitude ofthe board of directors and senior management.the board of directors and senior management.


Segregation of IT DutiesSegregation of IT Duties

Chief Information Officer or IT ManagerChief Information Officer or IT ManagerChief Information Officer or IT ManagerChief Information Officer or IT Manager

SystemsSystemsDevelopmentDevelopment

SystemsSystemsDevelopmentDevelopment OperationsOperationsOperationsOperations DataData

ControlControlDataData

ControlControl

Security AdministratorSecurity AdministratorSecurity AdministratorSecurity Administrator


Systems DevelopmentSystems Development

Typical testTypical teststrategiesstrategies

Typical testTypical teststrategiesstrategies

Pilot testingPilot testingPilot testingPilot testing Parallel testingParallel testingParallel testingParallel testing


Physical and Online SecurityPhysical and Online Security

Physical Controls:Physical Controls: Keypad entrancesKeypad entrances Badge-entry systemsBadge-entry systems Security camerasSecurity cameras Security personnelSecurity personnel

Physical Controls:Physical Controls: Keypad entrancesKeypad entrances Badge-entry systemsBadge-entry systems Security camerasSecurity cameras Security personnelSecurity personnel

Online Controls:Online Controls: User ID controlUser ID control Password controlPassword control Separate add-onSeparate add-on

security softwaresecurity software

Online Controls:Online Controls: User ID controlUser ID control Password controlPassword control Separate add-onSeparate add-on

security softwaresecurity software


Backup and Contingency PlanningBackup and Contingency Planning

One key to a backupOne key to a backupand contingency planand contingency planis to make sure thatis to make sure thatall critical copies ofall critical copies ofsoftware and data filessoftware and data filesare backed up andare backed up andstored off the premises.stored off the premises.

One key to a backupOne key to a backupand contingency planand contingency planis to make sure thatis to make sure thatall critical copies ofall critical copies ofsoftware and data filessoftware and data filesare backed up andare backed up andstored off the premises.stored off the premises.


Hardware ControlsHardware Controls

These controls are built into computerThese controls are built into computerequipment by the manufacturer toequipment by the manufacturer todetect and report equipment failures.detect and report equipment failures.

These controls are built into computerThese controls are built into computerequipment by the manufacturer toequipment by the manufacturer todetect and report equipment failures.detect and report equipment failures.


Application ControlsApplication Controls

Input controlsInput controlsInput controlsInput controls

ProcessingProcessingcontrolscontrols

ProcessingProcessingcontrolscontrols

Output controlsOutput controlsOutput controlsOutput controls


Input ControlsInput Controls

These controls are designed by anThese controls are designed by anorganization to ensure that theorganization to ensure that theinformation being processed isinformation being processed isauthorized, accurate, and complete.authorized, accurate, and complete.

These controls are designed by anThese controls are designed by anorganization to ensure that theorganization to ensure that theinformation being processed isinformation being processed isauthorized, accurate, and complete.authorized, accurate, and complete.


Batch Input ControlsBatch Input Controls

Financial totalFinancial totalFinancial totalFinancial total

Hash totalHash totalHash totalHash total

Record countRecord countRecord countRecord count


Processing ControlsProcessing Controls

Validation testValidation testValidation testValidation test

Sequence testSequence testSequence testSequence test

Arithmetic accuracy testArithmetic accuracy testArithmetic accuracy testArithmetic accuracy test

Data reasonableness testData reasonableness testData reasonableness testData reasonableness test

Completeness testCompleteness testCompleteness testCompleteness test


Output ControlsOutput Controls

These controls focus on detecting errorsThese controls focus on detecting errorsafter processing is completed ratherafter processing is completed ratherthan on preventing errors.than on preventing errors.

These controls focus on detecting errorsThese controls focus on detecting errorsafter processing is completed ratherafter processing is completed ratherthan on preventing errors.than on preventing errors.



Describe how general controlsDescribe how general controls

affect the auditor’s testingaffect the auditor’s testing

of application controls.of application controls.


Impact of Information Technology Impact of Information Technology on the Audit Processon the Audit Process

Effects of general controls on control riskEffects of general controls on control riskEffects of general controls on control riskEffects of general controls on control risk

Effects of IT controls on controlEffects of IT controls on controlrisk and substantive testsrisk and substantive tests

Effects of IT controls on controlEffects of IT controls on controlrisk and substantive testsrisk and substantive tests

Auditing in less complex IT environmentsAuditing in less complex IT environmentsAuditing in less complex IT environmentsAuditing in less complex IT environments

Auditing in more complex IT environmentsAuditing in more complex IT environmentsAuditing in more complex IT environmentsAuditing in more complex IT environments



Use test data, parallel simulation,Use test data, parallel simulation,

and embedded audit moduleand embedded audit module

approaches when auditingapproaches when auditing

through the computer.through the computer.


Test Data ApproachTest Data Approach

1111Test data should include all relevantTest data should include all relevantconditions that the auditor wants tested.conditions that the auditor wants tested.

Test data should include all relevantTest data should include all relevantconditions that the auditor wants tested.conditions that the auditor wants tested.

2222Application programs tested by theApplication programs tested by theauditor’s test data must be the same asauditor’s test data must be the same asthose the client used throughout the year.those the client used throughout the year.

Application programs tested by theApplication programs tested by theauditor’s test data must be the same asauditor’s test data must be the same asthose the client used throughout the year.those the client used throughout the year.

3333Test data must be eliminated from theTest data must be eliminated from theclient’s records.client’s records.

Test data must be eliminated from theTest data must be eliminated from theclient’s records.client’s records.



Application ProgramsApplication Programs(Assume Batch System)(Assume Batch System)

Application ProgramsApplication Programs(Assume Batch System)(Assume Batch System)

Control testControl testresultsresults


Master filesMaster files

ContaminatedContaminatedmaster filesmaster files

Transaction filesTransaction files(contaminated?)(contaminated?)

Input testInput testTransactions to testTransactions to test

Key controlKey controlProceduresProcedures

Input testInput testTransactions to testTransactions to test

Key controlKey controlProceduresProcedures



Auditor-predicted resultsAuditor-predicted resultsof key control proceduresof key control proceduresbased on an understandingbased on an understandingof internal controlof internal control

Auditor-predicted resultsAuditor-predicted resultsof key control proceduresof key control proceduresbased on an understandingbased on an understandingof internal controlof internal control



Auditor makesAuditor makescomparisonscomparisons

Auditor makesAuditor makescomparisonscomparisons

Differences betweenDifferences betweenactual outcome andactual outcome and

predicted resultpredicted result

Differences betweenDifferences betweenactual outcome andactual outcome and

predicted resultpredicted result


Parallel SimulationParallel Simulation

The auditor uses auditor-controlled softwareThe auditor uses auditor-controlled softwareto perform parallel operations to the client’sto perform parallel operations to the client’ssoftware by using the same data files.software by using the same data files.

The auditor uses auditor-controlled softwareThe auditor uses auditor-controlled softwareto perform parallel operations to the client’sto perform parallel operations to the client’ssoftware by using the same data files.software by using the same data files.


Parallel SimulationParallel Simulation

Auditor makes comparisons betweenAuditor makes comparisons betweenclient’s application system output andclient’s application system output andthe auditor-prepared program outputthe auditor-prepared program output

Auditor makes comparisons betweenAuditor makes comparisons betweenclient’s application system output andclient’s application system output andthe auditor-prepared program outputthe auditor-prepared program output

Exception reportException reportnoting differencesnoting differences

Exception reportException reportnoting differencesnoting differences

ProductionProductiontransactionstransactions

Auditor-preparedAuditor-preparedprogramprogram

Auditor-preparedAuditor-preparedprogramprogram

AuditorAuditorresultsresults

MasterMasterfilefile

Client applicationClient applicationsystem programssystem programs

Client applicationClient applicationsystem programssystem programs

ClientClientresultsresults


Embedded Audit Module Embedded Audit Module ApproachApproach

Auditor inserts an audit module in theAuditor inserts an audit module in theclient’s application system to captureclient’s application system to capturetransactions with characteristics thattransactions with characteristics thatare of specific interest to the auditor.are of specific interest to the auditor.

Auditor inserts an audit module in theAuditor inserts an audit module in theclient’s application system to captureclient’s application system to capturetransactions with characteristics thattransactions with characteristics thatare of specific interest to the auditor.are of specific interest to the auditor.



Identify issues for e-commerceIdentify issues for e-commerce

systems and other specializedsystems and other specialized

IT environments.IT environments.


Issues for Different IT Issues for Different IT EnvironmentsEnvironments

Issues for microcomputer environmentsIssues for microcomputer environmentsIssues for microcomputer environmentsIssues for microcomputer environments

Issues for network environmentsIssues for network environmentsIssues for network environmentsIssues for network environments

Issues for database management systemsIssues for database management systemsIssues for database management systemsIssues for database management systems

Issues for e-commerce systemsIssues for e-commerce systemsIssues for e-commerce systemsIssues for e-commerce systems

Issues when clients outsource ITIssues when clients outsource ITIssues when clients outsource ITIssues when clients outsource IT


End of Chapter 12End of Chapter 12

12 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder The Impact of...

Documents

Transcript of 12 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder The Impact of...