Consideration of Internal Control in an Information Technology Environment Chapter 08 McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.


8-2

Nature of IT Based Systems

Many systems have developed away from centralized systems with one mainframe computer using user-developed software to a combination of smaller computers using commercially available software.

Less expensive software
• Electronic checkbooks (e.g., Quicken)
Moderate system
• Basic general ledger system (e.g., QuickBooks)
Expensive
• ERP systems (e.g., SAP)

8-3

Nature of IT Systems

Usually consists of:
Hardware
• Digital computer and peripheral equipment
Software
• Various programs and routines for operating the system

8-4

Computer Hardware

Input/Output Devices        Central Processing Unit   Auxiliary Storage
Card readers                Arithmetic unit           Magnetic disks
Terminals                   Control unit              Magnetic drums
Electronic cash registers   Primary storage           Magnetic tapes
Optical scanners                                      Optical compact disks
Magnetic tape drives
Magnetic disk drives
Optical compact disks

8-5

Software

Two types:
Systems software
• Programs that control and coordinate hardware components and provide support to application software
• Operating system (Examples: Unix, Windows)
Application software
• Programs designed to perform a specific data processing task
• Written in a programming language (Example: Java)

8-6

System Characteristics

Regardless of size, a system possesses one or more of the following elements:
Batch processing
On-line capabilities
Database storage
IT networks
End user computing

8-7

Batch Processing

Input data gathered and processed periodically in groups
Example: Accumulate all of a day’s sales transactions and process them as a batch at end of day
Often more efficient than other types of systems, but does not provide up-to-the-minute information

8-8

Online Capabilities

Online systems allow users direct access to data stored in the system
Two types (a company may use both)
Online transaction processing (OLTP)
• Individual transactions entered from remote locations
• Online real time (Example: Bank balance at ATM)
Online analytical processing (OLAP)
• Enables user to query a system for analysis
• Example: Data warehouse, decision support systems, expert systems

8-9

Database Storage

In traditional IT systems, each computer application maintains separate master files
Redundant information is stored in several files
A database system allows users to access the same integrated database file
Eliminates data redundancy
Creates the need for a data administrator for security against improper access

8-10

IT Networks

Networks
Computers linked together through telecommunication links that enable computers to communicate information back and forth
WAN, LAN
Internet, intranet, extranet
Electronic commerce
Involves electronic processing and transmission of data between customer and client
Electronic Data Interchange (EDI)

8-11

End User Computing

User departments are responsible for the development and execution of certain IT applications
Involves a decentralized processing system
IT department generally not involved
Controls needed to prevent unauthorized access

8-12

Internal Control in IT

Importance of internal control not diminished in a computerized environment
Separation of duties
Clearly defined responsibilities
Augmented by controls written into computer programs

8-13

Audit Trail Impact

In a traditional manual system, hard-copy documentation is available for the accounting cycle
In a computerized environment, the audit trail ordinarily still exists, but often not in printed form
Can affect audit procedures
Consulting auditors during the design stage of an IT-based system helps ultimate auditability

8-14

8-15

Responsibilities (1 of 2)

Information systems management
Supervise the operation of the department and report to the vice president of finance
Systems analysis
Responsible for designing the system
Application programming
Design flowcharts and write programming code
Database administration
Responsible for planning and administering the company database
Data entry
Prepare and verify input data for processing

8-16

Responsibilities (2 of 2)

IT operations
Run and monitor central computers
Program and file library
Protect computer programs, master files and other records from loss, damage and unauthorized use
Data control
Reviews and tests all input procedures, monitors processes and reviews IT logs
Telecommunications specialists
Responsible for maintaining and enhancing IT networks
Systems programming
Responsible for troubleshooting the operating system

8-17

Computer-Based Fraud

History shows that the person responsible for fraud has in many situations set up the system and controlled its modifications
Segregation of duties:
Programming separate from controlling data entry
Computer operator separate from custody or detailed knowledge of programs
If segregation is not possible, need compensating controls like batch totals
Organizational controls are not effective in mitigating collusion

8-18

Internal Auditing in IT

Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
Should participate in design of IT-based system
Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning and data group performing duties

8-19

8-20

IT Control Activities

General Control Activities
Developing new programs and systems
Changing existing programs and systems
Access to programs and data
IT operations controls

8-21

Application Control Activities

Programmed Control Activities
Input validation checks
• Limit test
• Validity test
• Self-checking number
Batch controls
• Item count
• Control total
• Hash total
Processing controls
• Input controls plus file labels
Manual Follow-up Activities
Exception reports follow-up

8-22

User Control Activities

Designed to test the completeness and accuracy of IT-processed transactions
Designed to ensure reliability
Reconciliation of control totals generated by the system to totals developed at the input phase
Example: Sales invoices generated by an IT-based system tested for clerical accuracy and pricing by the accounting clerk

8-23

Control in Decentralized and Single Workstation Systems

Involves use of one or more user-operated workstations to process data
Needed controls
Train users
Document computer processing procedures
Backup files stored away from originals
Authorization controls
Prohibit use of unauthorized programs
Use antivirus software

8-24

Steps 1 and 2 of Audit--Plan Audit and Obtain an Understanding

Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the client and its environment
Documentation of client’s IT-based system depends on complexity of system
• Narrative
• Systems flowchart
• Program flowchart
• Internal control questionnaires

8-25

Step 3 of Audit: Assess the Risks of Material Misstatement

Identify risks
Relate the identified risks to what can go wrong at the relevant assertion level
Consider whether the risks are of a magnitude that could result in a material misstatement
Consider the likelihood that the risks could result in a material misstatement
Evaluate effectiveness of related controls in mitigating risks
Test of controls over IT-based systems

8-26

Techniques for Testing Application Controls

Auditing Around the Computer--Manually processing selected transactions and comparing results to computer output
Manual Tests of Computer Controls--Inspection of computer control reports and evidence of manual follow-up on exceptions
Auditing Through the Computer--Computer-assisted techniques:
• Test data
• Integrated test facility
• Controlled programs
• Program analysis techniques
• Tagging and tracing transactions
• Generalized audit software – parallel simulation

8-27

Using Generalized Audit Software to Perform Substantive Procedures

In general, using client data and generalized audit software:
Examine client’s records for overall quality, completeness and valid conditions
Rearrange data and perform analyses
Select audit samples
Compare data on separate files
Compare results of audit procedures with client’s records

8-28

Typical Inventory Audit Procedures Using Generalized Audit Software
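The five generalized-audit-software procedures on slide 8-27, applied to an inventory file as slide 8-28 is titled. This is an added example, not the chapter's own material and not a real audit-software product; the perpetual inventory master, the physical count file, the client's reported balance, the key-item threshold and the sampling interval are all constructed. Recomputing the extended cost independently of the client's program is the parallel-simulation idea from slide 8-26.

```python
"""Generalized audit software style substantive procedures on an inventory file.

Added example (not from the chapter). The perpetual inventory master, the
physical count file, the client's reported balance, the key-item threshold
and the sampling interval are all constructed for illustration.
"""
from collections import Counter

# Constructed perpetual inventory master file (item number, description, quantity, unit cost).
INVENTORY_MASTER = [
    {"item": "P-1001", "desc": "Bearing", "qty": 400, "unit_cost": 12.50},
    {"item": "P-1002", "desc": "Gasket",  "qty": -15, "unit_cost": 1.10},    # negative quantity
    {"item": "P-1003", "desc": "Motor",   "qty": 25,  "unit_cost": 840.00},
    {"item": "P-1003", "desc": "Motor",   "qty": 25,  "unit_cost": 840.00},  # duplicate record
    {"item": "P-1004", "desc": "Pump",    "qty": 8,   "unit_cost": None},    # missing cost
    {"item": "P-1005", "desc": "Valve",   "qty": 120, "unit_cost": 35.00},
    {"item": "P-1006", "desc": "Hose",    "qty": 300, "unit_cost": 4.25},
]
# Constructed physical count file from the inventory observation.
PHYSICAL_COUNT = {"P-1001": 400, "P-1003": 24, "P-1005": 120, "P-1006": 300, "P-1007": 10}
# Inventory balance the client reports in its records (constructed).
CLIENT_REPORTED_TOTAL = 31_475.00


def examine_quality(master):
    """Examine the file for invalid conditions: negative quantity, missing cost, duplicate keys."""
    findings = []
    for r in master:
        if r["qty"] < 0:
            findings.append((r["item"], "negative quantity"))
        if r["unit_cost"] is None:
            findings.append((r["item"], "missing unit cost"))
    counts = Counter(r["item"] for r in master)
    findings.extend((k, "duplicate item number") for k in sorted(counts) if counts[k] > 1)
    return findings


def extend_and_rank(master):
    """Recompute extended cost (qty x unit cost) independently and rearrange by value, largest first."""
    rows = []
    for r in master:
        if r["unit_cost"] is None or r["qty"] < 0:
            continue  # already on the exception list; cannot be extended sensibly
        rows.append({**r, "extended": round(r["qty"] * r["unit_cost"], 2)})
    return sorted(rows, key=lambda x: x["extended"], reverse=True)


def select_sample(ranked, key_item_threshold, interval, start=0):
    """Select every item at or above the value threshold, plus a systematic sample of the rest."""
    key_items = [r["item"] for r in ranked if r["extended"] >= key_item_threshold]
    remainder = [r["item"] for r in ranked if r["extended"] < key_item_threshold]
    return key_items, remainder[start::interval]


def compare_to_count(master, counted):
    """Compare the master file to the physical count file, item by item."""
    book = {}
    for r in master:
        book[r["item"]] = book.get(r["item"], 0) + r["qty"]  # a duplicate record doubles the book quantity
    differences = []
    for item in sorted(set(book) | set(counted)):
        if item not in counted:
            differences.append((item, book[item], None))        # on books, not counted
        elif item not in book:
            differences.append((item, None, counted[item]))     # counted, not on books
        elif book[item] != counted[item]:
            differences.append((item, book[item], counted[item]))
    return differences


def recomputed_vs_reported(ranked, reported_total):
    """Compare the independently recomputed total with the balance in the client's records."""
    recomputed = round(sum(r["extended"] for r in ranked), 2)
    return recomputed, reported_total, round(recomputed - reported_total, 2)


if __name__ == "__main__":
    print(examine_quality(INVENTORY_MASTER))
    ranked = extend_and_rank(INVENTORY_MASTER)
    print(select_sample(ranked, key_item_threshold=5_000.00, interval=2))
    print(compare_to_count(INVENTORY_MASTER, PHYSICAL_COUNT))
    print(recomputed_vs_reported(ranked, CLIENT_REPORTED_TOTAL))
```

On the constructed data the duplicate P-1003 record shows up three times, which is the point of running the procedures together: it is flagged by the quality examination, it doubles the book quantity in the count comparison, and it accounts for the whole difference between the recomputed total and the client's reported balance. The key-item plus systematic selection is one common sampling design, chosen here for illustration; a practitioner would substitute whatever the engagement's sampling plan calls for.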

8-29

Service Organizations

Computer service centers provide processing services to customers who decide not to invest in their own processing of particular data
Outsourcing companies run computer centers and provide a range of computer processing services to companies

8-30

Service Organizations

The auditor is concerned if the services provided are part of the client’s information system. They are part of the system if the service organization affects:
How the client’s transactions are initiated
The accounting records and supporting information
The accounting processes from initiation to inclusion in financial statements
The financial reporting process
The auditor can obtain a service auditors’ report

8-31

Service Organizations

Types of Service Auditor Reports
Type 1—Management’s description of the system and the suitability of the design of controls
Type 2—Attributes of Type 1, plus assurance on the operating effectiveness of controls
• A Type 2 report may provide the user auditor with a basis for assessing control risk below the maximum.