Questions and Answers
In an IT environment, what determines whether a computer's involvement is significant to the audit?
- The significance of the financial information processed by the computer. (correct)
- Whether the computer is operated by the entity or a third party.
- The brand or model of the computer system.
- The physical size of the computer.
How might an IT environment impact an audit?
- By altering the auditor's responsibility to detect fraud.
- By eliminating the need to assess inherent and control risks.
- By changing the overall objective of the audit.
- By affecting the procedures for understanding accounting and internal control systems. (correct)
What should an auditor do if specialized IT skills are required for an audit?
- Seek assistance from a professional with the necessary skills, either internal or external. (correct)
- Proceed without specialized knowledge, adjusting the audit scope accordingly.
- Use generalized audit software to compensate for the lack of specific IT expertise.
- Rely solely on the client's IT staff for expertise.
What aspect of a client's IT environment should an auditor understand when planning an audit?
Which of the following is a potential consequence of the concentration of functions and knowledge within an IT organizational structure?
How might the nature of IT processing affect the availability of evidence compared to manual systems?
In an online transaction system, what might replace written evidence of individual data entry authorization?
What is a key consideration regarding the audit trail in an IT environment?
Which of the following is a design and procedural aspect that is unique to IT systems compared to manual systems?
What is a general IT control designed to achieve?
Which of the following is an example of an 'organization and management control' in an IT environment?
What is the purpose of 'development and maintenance controls' in an IT environment?
Which of the following controls fall under the category of 'delivery and support controls'?
What is the primary objective of 'IT application controls'?
Which control ensures that 'transactions are properly authorized before being processed by the computer'?
Flashcards
IT Environment Definition
Exists when a computer processes financial information that is significant to the audit.
Organization and management controls
Strategic direction and framework over IT, including policies, procedures, and segregation of duties.
Development and maintenance controls
Assurance that systems are developed, acquired, and maintained in an authorized and efficient manner.
Delivery and support controls
Monitoring controls
IT Application Controls
Controls Over Input
Controls Over Processing/Data Files
Controls Over Output
On-Line Computer System
On-Line/Real Time Processing
On-Line/Batch Processing
Network Environment
Electronic Data Interchange (EDI)
Auditing Through the Computer
Study Notes
- An IT environment exists when a computer processes financial information significant to an audit, regardless of whether the entity or a third party operates the computer.
- The overall objective and scope of an audit remain the same in an IT environment.
- An IT environment can impact procedures for understanding accounting/internal control systems, consideration of inherent/control risk, and the design/performance of tests/substantive procedures.
- Auditors should possess adequate IT knowledge to plan, direct, and review performed work.
- Specialized skills can be sought from professionals within or outside the auditor's staff when needed.
- Auditors should understand the significance/complexity of IT activities and data availability when planning audits affected by a client's IT environment.
- When IT activities are significant, auditors should understand the IT environment and its influence on inherent/control risks.
- Auditors should consider the IT environment when designing audit procedures to reduce audit risk, using manual procedures, computer-assisted techniques, or a combination.
Risk Assessments and Internal Control: IT Characteristics
- IT organizational structures often feature concentrated functions and knowledge. Fewer people are involved in processing financial information compared to manual systems.
- Transaction and master file data are often concentrated in machine-readable form, either centrally located or distributed.
Nature of Processing
- Computer use can lead to systems with less visible evidence than manual systems, and they can be accessed by more people.
- Absence of input documents: Data may be entered directly without supporting documents. Online systems may replace written authorization with program-based controls.
- Lack of visible audit trail: The transaction trail is partly in machine-readable form and exists for a limited time, such as audit logs set to overwrite after a period.
- Lack of visible output: Some transactions/processing results may not be printed, or only summary data is printed.
- Ease of access: Data and programs can be accessed/altered at the computer or remotely, raising the risk of unauthorized access or modification without controls.
Design and Procedural Aspects
- IT development leads to different design and procedural characteristics compared to manual systems.
- Consistency of performance: IT systems perform functions as programmed and are potentially more reliable than manual systems. However, incorrectly programmed systems can consistently process data erroneously.
- Programmed control procedures: Computer processing enables internal control procedures within programs.
- Single transaction update: Input to the accounting system can automatically update all associated records.
- System-generated transactions: The IT system can initiate certain transactions without needing an input document.
- Vulnerability of data and storage media: Large data volumes/programs are stored on portable media, which are susceptible to theft, loss, or destruction.
Internal Controls in an IT Environment
- General IT Controls: Establish overall control framework to ensure internal control objectives are achieved.
General IT Controls Include
- Organization and management controls: Define strategic direction/framework over IT activities, like IT plan, policies, segregation of duties, and monitoring of third-party consultants.
- Development and maintenance controls: Provide assurance that systems are properly developed, implemented, and maintained. Includes control over project initiation, system design, testing, conversion, documentation, and software acquisition.
- Delivery and support controls: Designed to control the delivery of IT services: service level agreements, performance management, problem management, disaster recovery, computer operations, system security.
- Monitoring controls: Ensure IT controls are working effectively, including monitoring performance indicators and conducting IT audits.
IT Application Controls
- Establish specific control procedures for application systems to provide assurance that transactions are authorized, recorded, and processed accurately and timely.
- Controls over input: Ensure transactions are authorized, accurately converted into machine-readable form, not lost/duplicated or improperly changed, and incorrect transactions are rejected/corrected.
- Controls over processing and computer data files: Assurance that transactions are processed properly and not lost/duplicated or improperly changed.
- Controls over output: Ensure processing results are accurate, access to output restricted, and output is provided to authorized personnel on a timely basis.
Reviewing General IT Controls
- General IT controls are often essential to the effectiveness of IT application controls, making it more efficient to review their design first.
Reviewing IT Application Controls
- IT application controls that the auditor may wish to test include manual controls exercised by the user, controls over system output, and programmed control procedures.
IT Environments
- Stand-Alone Personal Computers
- PCs can be used as stand-alone workstations, or part of a Local Area Network (LAN), or connected to a server.
- In a stand-alone PC environment, implementing sufficient risk-reducing controls may not be practical or cost-effective.
- Auditors may find it more cost-effective to focus on substantive procedures rather than reviewing general/application controls.
- On-Line Computer systems: Computer systems that enable users to access data/programs directly through terminal devices.
- They enable users to initiate functions such as entering transactions, making inquiries, updating master files, requesting reports, and engaging in e-commerce activities.
- Types of Terminals: General-purpose terminals (basic keyboard/screen, intelligent terminals, PCs) and Special purpose terminals (point-of-sale, ATMs).
- Types of Online computer systems:
- On-line/Real Time: Transactions entered, validated, and used to update computer files immediately.
- On-line/Batch: Transactions entered, validated, and added to a transaction file for later processing.
- On-line/Memo Update: Transactions update a memo file immediately, while a transaction file is updated on a batch basis.
- On-line/Inquiry: Terminal devices are used to make inquiries of master files, which are updated by other systems.
- On-line Downloading/Uploading: The transfer of data from a master file to an intelligent terminal for further user processing.
- Network Environment: A means of communicating that allows computer users to share computer equipment, application software, data, voice, and video transmissions.
- A file server is a computer that allows multiple users to access software applications and data files.
- LAN (Local Area Network), WAN (Wide Area Network), and MAN (Metropolitan Area Network) are basic network types.
IT Environments - Database Systems
- A database is a collection of data that is shared and used by many different users for different purposes.
- It includes the Database Management System (DBMS), which is the software that creates, maintains, and operates the database.
- The database has characteristics of data sharing and data independence.
- EDI facilitates electronic transactions between entities through electronic networks. EFT illustrates this by replacing checks with electronic transactions.
EDI Controls
- Authentication: Controls on the origin, submission, and delivery to ensure EDI messages are accurately sent/received from authorized entities.
- Encryption: Converts plain text to cipher text to protect EDI messages from unauthorized access.
- VAN controls: Utilizes a value added network (VAN) for network, storage, and forwarding (mailbox) services for EDI messages.
Audit Approaches
- Auditing around the computer: The auditor ignores or bypasses the computer's processing function in an entity's EDP system.
- Auditing with the computer: The computer is leveraged as an audit tool.
- Auditing through the computer: The auditor directly accesses a client's system, scrutinizing the computer, its system, and application software.
Computer Assisted Audit Techniques for Tests of Controls
- Program analysis helps the auditor understand the client's program.
- It can be done through code review involving analysis of program logic.
- Comparison programs allow the auditor to compare computerized files.
- Flowcharting software produces workflow diagrams of program logic in mainframe/microcomputer environments.
- Program tracing and mapping list data to identify code sections which pose a potential source of abuse.
- Snapshots take "pictures" of program execution or transaction data at specified points in program processing.
- Program testing: Auditor-controlled data is tested, either actual or simulated.
- Historical audit techniques test computer controls at a point in time.
- Test data allows the auditor to use client software to process test data, which can identify whether embedded controls work properly.
- Base Case System Evaluation (BCSE) tests all possible conditions for the software.
- Integrated Test Facility (ITF) simulates data that run simultaneously to compare computer results with the auditor's predetermined results for financial reports.
- Parallel Simulation processes client data with the auditor's software to see if any exceptions arise and should be performed on a surprise basis if possible.
- Controlled reprocessing processes client data copy through its application program.
- Continuous audit techniques test computer controls throughout a period.
- Audit modules program audit routines into an application program to perform audit functions.
- Systems Control Audit Review Files collect transaction data to perform a review and analysis.
- Audit hooks allow an auditor to insert commands for audit processing.
- Transaction Tagging tags a transaction record and traces control points.
- Extended records add audit data that helps provide a more complete audit trail.
- Reviewing operating systems and other systems software
- Job accounting data/operating system logs track particular functions for processed applications.
- Library Management Software logs programming changes and activities.
- Access Control and Security restrict computer access unless authorized.
Computerized Audit Tools
- Audit software: Programs that process significant audit data.
- Package programs can be used for multiple clients to perform audit tasks such as:
- reading computer files.
- creating data files.
- selecting samples.
- creating reports.
- Purpose Written Programs are programs designed for specific audit tasks.
- Utility Programs perform routine CIS tasks that are not for auditing purposes.
- Electronic spreadsheets are used with predefined mathematical equations that can be applied to cell data.
- Automated workpaper software helps to generate a trial balance, lead schedules, and other reports.
- Text Retrieval helps a user find all available text.
- Database management systems manage processing and information of records.
- Public databases can be used to obtain information for particular companies.
- Word Processing Software
Factors to consider in using CAAT
- Technical competence in IT
- Availability of CAAT and facilities
- Impracticability of manual tests
- Effectiveness and efficiency
- Timing of tests with arrangements between the auditor and client for data retention
- Procedures to control the use of Audit/Test software, which include:
- Participating/checking in the test data
- Having IT personnel review procedures
- Ensuring correct files were used
- Obtaining evidence that the software functioned as planned
- Establishing security to safeguard manipulated file data.