Consideration of Internal Control in an Information Technology Environment
Chapter 08
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
8-2
Nature of IT-Based Systems
Many systems have developed away from centralized systems with one mainframe computer using user-developed software to a combination of smaller computers using commercially available software
Less expensive software
• Electronic checkbooks (e.g., Quicken)
Moderate system
• Basic general ledger system (e.g., QuickBooks)
Expensive
• ERP systems (e.g., SAP)
8-3
Nature of IT Systems
Usually consists of:
Hardware
• Digital computer and peripheral
equipment
Software
• Various programs and routines for
operating the system
8-4
Computer Hardware
Input/Output Devices
• Card Readers
• Terminals
• Electronic Cash Registers
• Optical Scanners
• Magnetic Tape Drives
• Magnetic Disk Drives
• Optical Compact Disks
Central Processing Unit
• Arithmetic Unit
• Control Unit
• Primary Storage
Auxiliary Storage
• Magnetic Disks
• Magnetic Drums
• Magnetic Tapes
• Optical Compact Disks
8-5
Software
Two Types:
Systems software
• Programs that control and coordinate hardware
components and provide support to application
software
• Operating system (Examples: Unix, Windows)
Application software
• Programs designed to perform a specific data
processing task
• Written in programming language (Example: Java)
8-6
System Characteristics
Regardless of size, system possesses
one or more of the following elements
Batch processing
On-line capabilities
Database storage
IT networks
End user computing
8-7
Batch Processing
Input data gathered and processed
periodically in groups
Example: Accumulate all of a day’s sales
transactions and process them as a batch
at end of day
Often more efficient than other types of systems, but does not provide up-to-the-minute information
8-8
Online Capabilities
Online systems allow users direct access to data
stored in the system
Two types (a company may use both)
Online transaction processing (OLTP)
• Individual transactions entered from remote
locations
• Online real time (Example: Bank balance at ATM)
Online analytical processing (OLAP)
• Enables user to query a system for analysis
• Example: Data warehouse, decision support
systems, expert systems
8-9
Database Storage
In traditional IT systems, each computer application maintains separate master files
Redundant information stored in several files
Database system allows users to access
same integrated database file
Eliminates data redundancy
Creates need for data administrator for
security against improper access
8-10
IT Networks
Networks
Computers linked together through
telecommunication links that enable computers to
communicate information back and forth
WAN, LAN
Internet, intranet, extranet
Electronic commerce
Involves electronic processing and transmission of
data between customer and client
Electronic Data Interchange (EDI)
8-11
End User Computing
User departments are responsible for the
development and execution of certain IT
applications
Involves a decentralized processing
system
IT department generally not involved
Controls needed to prevent unauthorized
access
8-12
Internal Control in IT
Importance of internal control not
diminished in computerized environment
Separation of duties
Clearly defined responsibilities
Augmented by controls written into computer
programs
8-13
Audit Trail Impact
In a traditional manual system, hard-copy
documentation available for accounting
cycle
In computerized environment, audit trail
ordinarily still exists, but often not in
printed form
Can affect audit procedures
Consulting auditors during design stage of IT-based system helps ultimate auditability
8-15
Responsibilities (1 of 2)
Information systems management
Supervise the operation of the department and report to vice
president of finance
Systems analysis
Responsible for designing the system
Application programming
Design flowcharts and write programming code
Database administration
Responsible for planning and administering the company
database
Data Entry
Prepare and verify input data for processing
8-16
Responsibilities (2 of 2)
IT Operations
Run and monitor central computers
Program and file library
Protect computer programs, master files and other records from
loss, damage and unauthorized use
Data Control
Reviews and tests all input procedures, monitors processes and
reviews IT logs
Telecommunications Specialists
Responsible for maintaining and enhancing IT networks
Systems Programming
Responsible for troubleshooting the operating system
8-17
Computer-Based Fraud
History shows the person responsible for frauds in many
situations set up the system and controlled its
modifications
Segregation of duties
Programming separate from controlling data entry
Computer operator separate from custody or detailed knowledge of programs
If segregation not possible need:
Compensating controls like batch totals
Organizational controls not effective in mitigating
collusion
8-18
Internal Auditing in IT
Interested in evaluating the overall efficiency
and effectiveness of information systems
operations and related controls throughout the
company
Should participate in design of IT-based system
Perform tests to ensure no unauthorized
changes, adequate documentation, control
activities functioning and data group performing
duties.
8-20
IT Control Activities
General Control Activities
Developing new programs and systems
Changing existing programs and systems
Access to programs and data
IT operations controls
8-21
Application Control Activities
Programmed Control Activities
Input validation checks
• Limit test
• Validity test
• Self-checking number
Batch controls
• Item count
• Control total
• Hash total
Processing controls
• Input controls plus file labels
Manual Follow-up Activities
• Exception reports follow-up
8-22
User Control Activities
Designed to test the completeness and
accuracy of IT-processed transactions
Designed to ensure reliability
Reconciliation of control totals generated
by system to totals developed at input
phase
Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
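The programmed control activities on slide 8-21 (limit test, validity test, self-checking number, item count, control total, hash total, exception reporting) and the user control on slide 8-22 (reconciling system-generated batch totals to totals developed at the input phase) can be shown together on one batch. The following is an added example, not code from the textbook or its publisher; it assumes a mod-10 (Luhn-style) check digit on customer numbers, a credit limit of 10,000 for the limit test, and a constructed product master list and batch of transactions.

```python
# Added illustration (not from the textbook): programmed application controls
# over one constructed batch of sales transactions, plus the user-control
# reconciliation of system-generated batch totals to input-phase totals.
# Assumptions: customer numbers carry a mod-10 (Luhn-style) check digit, the
# credit limit for the limit test is 10,000, and the valid product codes come
# from a constructed master list.
from dataclasses import dataclass

CREDIT_LIMIT = 10_000.00                        # assumed limit for the limit test
VALID_PRODUCT_CODES = {"A100", "B200", "C300"}  # constructed product master


@dataclass(frozen=True)
class SalesTxn:
    customer_no: str      # numeric; last digit is a check digit (assumption)
    product_code: str
    amount: float


def check_digit_ok(number: str) -> bool:
    """Self-checking number: mod-10 check, doubling every second digit from the right."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_txn(txn: SalesTxn) -> list:
    """Input validation checks from the slide; returns the exception codes raised (empty = clean)."""
    errors = []
    if not 0 < txn.amount <= CREDIT_LIMIT:            # limit test
        errors.append("LIMIT")
    if txn.product_code not in VALID_PRODUCT_CODES:   # validity test
        errors.append("VALIDITY")
    if not check_digit_ok(txn.customer_no):           # self-checking number
        errors.append("CHECK_DIGIT")
    return errors


def batch_controls(txns: list) -> dict:
    """Batch controls: item count, control total (financial field), hash total (non-financial field)."""
    return {
        "item_count": len(txns),
        "control_total": round(sum(t.amount for t in txns), 2),
        "hash_total": sum(int(t.customer_no) for t in txns if t.customer_no.isdigit()),
    }


def process_batch(txns: list, input_phase_controls: dict) -> dict:
    """Run the checks, build the exception report, and reconcile system totals to input-phase totals."""
    exceptions = {}
    accepted = []
    for idx, txn in enumerate(txns):
        errors = validate_txn(txn)
        if errors:
            exceptions[idx] = errors          # goes to the exception report for manual follow-up
        else:
            accepted.append(txn)
    system_totals = batch_controls(txns)      # totals over everything the system received
    differences = {
        name: system_totals[name] - expected
        for name, expected in input_phase_controls.items()
        if system_totals[name] != expected
    }
    return {"exceptions": exceptions, "accepted": accepted,
            "system_totals": system_totals, "differences": differences}


# Constructed batch: one clean record and one record per exception type.
BATCH = [
    SalesTxn("12344", "A100", 2500.00),   # clean
    SalesTxn("56788", "B200", 12000.00),  # exceeds credit limit
    SalesTxn("90126", "Z999", 300.00),    # product code not on master
    SalesTxn("12345", "C300", 150.00),    # keyed as 12345; the source document read 12344
]
# Totals the data-control group developed from the source documents before keying (constructed).
INPUT_PHASE_CONTROLS = {"item_count": 4, "control_total": 14950.00, "hash_total": 171602}

if __name__ == "__main__":
    result = process_batch(BATCH, INPUT_PHASE_CONTROLS)
    for idx, errors in result["exceptions"].items():
        print(f"exception report: record {idx} ({BATCH[idx].customer_no}): {', '.join(errors)}")
    print("system totals:", result["system_totals"])
    print("differences vs input phase:", result["differences"])
```

The keying error in the last record is caught twice: the check digit rejects the individual record, and the hash total reconciliation reports a difference of 1 for the batch even though the item count and the control total (which only sums the financial field) both agree. That is the reason the slide lists a hash total separately from the control total.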
8-23
Control in Decentralized and Single Workstation Systems
Involves use of one or more user-operated workstations to process data
Needed controls
Train users
Document computer processing procedures
Backup files stored away from originals
Authorization controls
Prohibit use of unauthorized programs
Use antivirus software
8-24
Steps 1 and 2 of Audit: Plan Audit and Obtain an Understanding
Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the
client and its environment
Documentation of client’s IT-based system
depends on complexity of system
• Narrative
• Systems flowchart
• Program flowchart
• Internal control questionnaires
8-25
Step 3 of Audit: Assess the Risks
of Material Misstatement
Identify risks
Relate the identified risks to what can go wrong
at the relevant assertion level
Consider whether the risks are of a magnitude
that could result in a material misstatement
Consider the likelihood that the risks could result
in a material misstatement
Evaluate effectiveness of related controls in mitigating
risks
Test of controls over IT-based systems
8-26
Techniques for Testing Application Controls
Auditing Around the Computer
• Manually processing selected transactions and comparing results to computer output
Manual Tests of Computer Controls
• Inspection of computer control reports and evidence of manual follow-up on exceptions
Auditing Through the Computer (computer-assisted techniques)
• Test data
• Integrated test facility
• Controlled programs
• Program analysis techniques
• Tagging and tracing transactions
• Generalized audit software – parallel simulation
8-27
Using Generalized Audit Software to
Perform Substantive Procedures
In general, using client data and generalized
audit software
Examine client’s records for overall quality,
completeness and valid conditions
Rearrange data and perform analyses
Select audit samples
Compare data on separate files
Compare results of audit procedures with
client’s records
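Parallel simulation (slide 8-26) and the generalized audit software procedures on slide 8-27 (examining records for valid conditions, comparing data on separate files, selecting samples, comparing results with the client's records) are easiest to see as auditor-written routines run over client files. The block below is an added example and is not code from the textbook or from any audit software product; the invoice file, price list and shipping file are constructed, and the sampling seed is an assumption chosen so the selection can be reproduced.

```python
# Added illustration (not from the textbook or any audit software product):
# auditor-written routines of the kind generalized audit software provides,
# run over constructed client files. Parallel simulation recomputes each
# invoice with the auditor's own logic and compares it with the client's
# output; the file comparison matches shipments to invoices; sample selection
# uses a fixed seed so the selection can be reproduced in the working papers.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    ship_no: str         # shipping document the invoice bills
    product: str
    qty: int
    client_total: float  # amount printed by the client's system


# Constructed client data.
PRICE_LIST = {"A100": 12.50, "B200": 40.00, "C300": 7.25}
INVOICES = [
    Invoice("INV-1", "SHP-1", "A100", 10, 125.00),
    Invoice("INV-2", "SHP-2", "B200", 3, 120.00),
    Invoice("INV-3", "SHP-3", "C300", 100, 752.00),  # client extension is wrong (100 x 7.25 = 725.00)
    Invoice("INV-4", "SHP-4", "A100", 4, 50.00),
    Invoice("INV-5", "SHP-6", "B200", -2, -80.00),   # negative quantity: invalid condition
]
SHIPPING_FILE = {"SHP-1", "SHP-2", "SHP-3", "SHP-4", "SHP-5", "SHP-6"}  # SHP-5 shipped, never invoiced


def parallel_simulation(invoices, price_list, tolerance=0.005):
    """Reprocess each invoice independently; return (invoice_no, client_total, auditor_total) where they differ."""
    differences = []
    for inv in invoices:
        if inv.product not in price_list:   # reported by invalid_conditions(), cannot be recomputed here
            continue
        auditor_total = round(inv.qty * price_list[inv.product], 2)
        if abs(auditor_total - inv.client_total) > tolerance:
            differences.append((inv.invoice_no, inv.client_total, auditor_total))
    return differences


def invalid_conditions(invoices, price_list):
    """Examine records for valid conditions: non-positive quantities or products not on the price list."""
    return sorted(inv.invoice_no for inv in invoices
                  if inv.qty <= 0 or inv.product not in price_list)


def shipments_not_invoiced(invoices, shipping_file):
    """Compare data on separate files: shipments with no matching invoice (completeness of sales)."""
    invoiced = {inv.ship_no for inv in invoices}
    return sorted(shipping_file - invoiced)


def select_sample(invoices, size, seed=2012):
    """Random sample of invoice numbers; the fixed seed (an assumption) makes the selection reproducible."""
    rng = random.Random(seed)
    return sorted(inv.invoice_no for inv in rng.sample(invoices, size))


if __name__ == "__main__":
    print("parallel simulation differences:", parallel_simulation(INVOICES, PRICE_LIST))
    print("invalid conditions:", invalid_conditions(INVOICES, PRICE_LIST))
    print("shipments not invoiced:", shipments_not_invoiced(INVOICES, SHIPPING_FILE))
    print("sample for vouching:", select_sample(INVOICES, 2))
```

The point of parallel simulation is that the auditor's program is written independently of the client's, so an error in the client's pricing or extension logic (INV-3 here) shows up as a difference rather than being reproduced. The shipping-to-invoice comparison tests completeness from the opposite direction: a shipment with no invoice is revenue the client's own output would never show.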
8-29
Service Organizations
Computer service centers provide
processing services to customers who
decide not to invest in their own
processing of particular data
Outsourcing companies run computer
centers and provide a range of computer
processing services to companies
8-30
Service Organizations
Auditor is concerned if the services provided are part of the client's information system. They are part of the system if the service organization affects:
How client’s transactions are initiated
The accounting records, supporting information
The accounting processes from initiation to inclusion
in financial statements
The financial reporting process
Can obtain service auditors’ report
8-31
Service Organizations
Types of Service Auditor Reports
Type 1—Management’s description of the
system and the suitability of the design of
controls
Type 2—Attributes of 1, plus assurance on
the operating effectiveness of controls
• A Type 2 report may provide the user auditor with
a basis for assessing control risk below the
maximum.