IT Audit: Methods and Controls

Questions and Answers

______ audit is designed to evaluate a computer-based accounting system's internal control, effectiveness and efficiency of the system, security protocols, processes and oversight.

Information Technology

The five testing methods used during audit procedures are inquiry, observations, examination, inspection of evidence, ______ and computer assisted audit techniques (CAATs).

re-performance

______ controls are those controls in the environment in which systems and programs are developed and used on a day-to-day basis.

General or organizational

______ controls are those controls in the environment in which systems and programs are used on a day-to-day basis and can be further classified into segregation of duties controls.

Administrative

______ controls ensure standard procedures and documentation, system and programs testing, file conversion, acceptance and authorization procedures, systems programs amendments are properly documented, controlled, monitored and approved by suitable levels of authority.

Systems development

______ or procedural controls are those controls over the input, processing and output; the updating and maintenance of the master file of each application processed within the computer system.

Application

______ over input conversion is the process by which analog or external signals are concerted into digital form for processing and interpretation by a control system.

Controls

______ audit approach occurs when the auditor verifies the completeness, accuracy and validity of the computer processing by recreating the computer input data, manually calculating the output and reconciling this with the computer-generated output.

Round the computer

The ______ audit approach involves auditing systems and programs used in the entity where the auditor verifies the completeness, accuracy and validity of the computer processing by directly examining the program processing procedures that occur within the computer.

through the computer

______ audit techniques (CAATs) are those audit procedures or techniques which make use of the computer data or the computer program as a means of obtaining audit evidence in a computer-based accounting environment.

Computer assisted

To determine the ______ of program proceeding procedures is a use of CAATs.

correctness

______ testing allows analysis of the functions of a program without access to the processing code and allows imputing of commands of no data, valid data, invalid data and illegal data formats.

Black-box

______ audit programs are computer programs used by the auditor to extract information from a client's computer-based information system for use in the audit.

Computer

______ audit programs are designed to offer a standard reference for use in a particular area and are developed by corporate institutions (e.g., standard program for Fintech industry).

Standardized

Embedded audit facilities also called ‘resident audit software' or an ______ allow the auditor to carry out tests at the time that transactions are being processed in real time.

integrated audit module

Flashcards

IT Audit

Evaluates a computer-based accounting system's internal control, effectiveness, efficiency, security, and integrity, ensuring minimal risks.

Main Controls in Computerized Accounting

General and application controls ensuring the reliability and integrity of data processing.

CAATs (Computer Assisted Audit Techniques)

Audit procedures using computer data or programs to obtain evidence.

Round the Computer

An audit approach where the auditor recreates input data and compares the manually calculated output to the system's output.

Through the Computer

Verifying the completeness, accuracy, and validity of processing procedures in a computerized system.

Computer Assisted Audit Techniques (CAATs)

Audit techniques that use the computer itself as an audit tool.

Test Data Packs

A sample of transactions processed through the client's system to compare outputs with predetermined results.

Computer Audit Program

Computer programs used to extract information for audit purposes from a client's system.

Embedded Audit Facilities

Audit software built into a client's system to monitor transactions in real-time.

Tracing Software

Special audit programs identifying the sequence of program instructions during transaction processing.

Snapshots (in Auditing)

Pictures of computer memory during program execution to reconstruct the processing cycle.

Audit Trail

Facilities and evidence enabling the tracing of transactions from origin to conclusion.

Causes of Loss of Audit Trail

Non-preparation of documentary evidence and inadequate printed output.

Mitigating Loss of Audit Trail

Involve the auditor early, retain relevant reports, and manually check input against output.

Integrated Test Facilities (ITF)

Integrating dummy records within the client's application files.

Study Notes

• Information Technology (IT) audit is the evaluation of a computer-based accounting system's internal control, effectiveness, efficiency, security protocols, processes, and oversight.

Testing Methods During Audits

• Inquiry involves asking questions to gather information.
• Observations involve watching processes and procedures.
• Examination involves reviewing documents and records.
• Inspection of evidence involves verifying the existence and authenticity of evidence.
• Re-performance involves independently executing procedures or controls.
• Computer Assisted Audit Techniques (CAATs) involve using computer software and data to perform audit procedures.

Main Controls in a Computer-Based Accounting Environment

• Divided into two categories: general/organizational controls and application/procedural controls
• General/organizational controls operate in the environment where systems and programs are developed and used daily.
• General/organizational controls are subdivided into administrative controls and systems development controls.
• Administrative controls are used in an environment in which systems and programs are used daily.
• Segregation of duties controls make sure that the user department personnel in charge of starting and approving input data are separate from the computer department staff in charge of data processing.
• Controls over computer operations use written manuals to guide operators; a senior officer should regularly review the computer log register. Any unauthorized computer operations should be promptly investigated.
• File controls restrict access to the file library to authorized personnel; computer files should be stored in a fireproof cabinet, and a file movement register should be kept.
• Security and standby arrangements controls restrict access to the computer room and provide regular maintenance of the computer system.
• Systems development controls are used in an enviornment in which systems and programs are developed to ensure standard procedures and documentation, system and programs testing, file conversion, acceptance and authorization procedures, and system programs amendments are properly documented, controlled, monitored and approved by suitable levels of authority.

Application or Procedural Controls

• Controls oversee input, processing, and output, as well as the updating and maintenance of the master file of each application processed within the computer system.
• Application or procedural controls include input controls, input conversion controls, processing controls, output controls, file maintenance, and updating controls.
• Input controls ensure the completeness, accuracy, and authorization of inputs.
• Input conversion controls ensure that analog or external signals are converted into digital form for processing.
• Processing controls maintains processing completeness and accuracy
• Master file controls maintains master files and standing data, e.g., batch total, document check, periodic print out of master file and standing data etc.
• Output controls controls the distribution of output, and checks output against input.

Approaches to IT Accounting Environment Audit

• Round the computer (black box approach): verifies completeness, accuracy, and validity of computer processing; auditor recreates computer input data, manually calculates the output, and reconciles with the computer-generated output.
• This approach was common when auditors had low computer literacy.
• This is feasible when there is documented evidence of the computer input data, detailed computer printed output, a direct co-relation between the input data and the computer output, and the volume of transactions is not too large.
• Within the computer audit approach: involves using embedded audit facilities (integrated test facilities (ITF) and System controls and review file (SCARF)).
• Through the computer: auditor verifies processing completeness, accuracy, and validity by directly examining program processing procedures. It also uses computer assisted audit techniques (CAAT).
• Increase in transaction volume, loss of audit trail, and complexity of internal processing are factors for applying the through the computer audit approach.

Computer Assisted Audit Techniques (CAATs)

• CAATs use computer data or programs to obtain audit evidence in a computer-based accounting environment
• CAATs can verify program controls, determine accuracy of proceeding procedures, confirm reports, review transactions/balances, stratify items, sample transactions, match computer files, copy/download balances, print file content, sort transactions, and perform calculations.
• CAATs test completeness/accuracy, overcome loss/change, test programmed controls, offer repetitive use, have low costs, and enable large-volume testing.

Disadvantages of CAATs

• Require special skills and client knowledge
• CAATs demands greater knowledge of the client's accounting application.
• *CAATs is generally expensive and difficult to develop and set up.
• It may be difficult to obtain computer time when carrying out audit test using CAATS

CAATs: Factors to Consider

• Auditor's computer knowledge/expertise
• CAAT availability and suitable computer facilities
• Time availability, as CAATs may shorten audit work
• Usage extent of CAATs

Two Types of CAATs

• Test data packs
• Computer audit program (audit software)

Test Data Packs

• Test data: an auditor processes a sample of transactions through the client's system and compares the results with pre-determined output.
• Test data is primarily for test of control.
• Test data verifies program controls, determines correctness of programs, and confirms reports.
• Test data is easy/cheap to develop and implement, can be reused, results in savings, and allows error conditions.

Demerits of Test Data

• Requires computer knowledge and client accounting proficiency
• May be difficult to obtain computer time, and audit conclusions apply to the period covered.
• Test data may erroneously update the client's files and records.

Examples of Test Data

• Performance testing measures data handling speed to identify bottlenecks.
• Security testing measures ability to protect data
• Black-box testing analyzes program functions without accessing the code.
• White-box testing measures program structure and responsiveness.

Computer Audit Program (Audit Software)

• These computer programs extracts clients information from a computer-based information system for use in the audit.
• Audit program enables reviewing transactions, stratifying data, sampling items, printing content, sorting data, and performing calculations.
• There are standardized, tailored, and compliance audit programs.
• Standardized audit programs offer a standard for use in a particular area
• Tailored audit programs are designed to consider company specifics
• Compliance audit programs determine whether a current regulation has been followed.
• There are fixed and flexible audit programs
• Fixed audit programs are rigid and do not allow for changes.
• Flexible audit programs allow auditor freedom to determine how the work will be done; determines any modification of parts of the program

Merits of Audit Program

• Enable to overcome problems caused by loss of or change in audit trail
• Enabling an examination of large volume of transactions and balances on a hundred percent basis without random error
• Once set up, it can be used from one audit period to another until there is significant change in the client's accounting application
• They have low annual running cost

Demerits of Audit Program

• Requires special skills and computer knowledge
• A greater knowledge of client's accounting is required than that normally required under conventional audit
• Computer audit programs are generally expensive and are difficult to develop and set up
• It may be difficult to obtain computer time when carrying out audit test using computer audit programs

Embedded Audit Facilities

• They allow the auditor to carry out tests at the processing time (real time).
• Procedures are included in the entity's system, generating data for audit purposes every time the system runs.
• Embedded audit: audit software built into the client's computer system is either temporary or permanent.
• Embedded audit facilities are called ‘resident audit software' or an integrated audit module'.
• Auditors use Integrated test facilities (ITF) and System controls and review file (SCARF).

Integrated Test Facilities (ITF)

• Simulates “mini company”/“dummy company," integrating dummy records into the client's files.
• The computer posts test data into the dummy records.
• Enables auditor to process test data with actual data, known as ‘live data test data processing,' without corrupting client data
• There is surprise test processing, no new computer time is required and simulated transactions can be input at any time.

Disadvantages of ITF

• They are generally expensive to develop as dummy files are often integrated with the client system
• Fictitious information may be included in accounting record, thereby reduce data base integrity for users

System Controls and Review File (SCARF)

• It involves the integration of audit program within the client's accounting application so the audit program simultaneously reviews any transaction processed by the client's staff. The integrated audit helps monitor and analyze processing.
• Any exceptional data is captured by the program and recorded in a special file for the auditor's subsequent review. It provides the auditor with the capability to monitor and analyse the processing of client's transactions continuously as part of the enterprise everyday processing.

Tracing Software

• Special audit programs identify the sequences in which program instructions are executed during processing for auditing processing sequences are logical and correct

Snapshots

• Snapshots are Computer memory pictures taken during execution of program instructions
• Auditors can reconstruct the program cycle and confirms correctness.

System Software Data Analysis

• This technique examines computer logs produced by systems programs and the data base management system. Examination reveals audit matters like unauthorized access. The information provides advice on added audit procedures

Audit Trail

• Audit trails are facilities and evidence generated within an accounting system, it enables tracing individual transactions to their conclusion.
• Following the audit trail allows the auditor to know which documents, and records were updated, which controls were executed, and the activity of the sequence.
• The absence of audit trail may impede vouching and frustrate the audit.

Factors Causing Loss of Audit Trail

• Non-preparation of documentary evidence before input
• Non-retention of source documents
• Filling of dissimilar source documents
• Non-production of documentary evidence, non-retention of printed computer output. and inadequate printed output.
• Screen use as output devices

Overcoming Change or Loss of Audit Trail

• Involve the auditor in system development. Seek advisor on controls
• Retain reports with audit relevance.
• Recognize computer data data manually, calculate the output and compare it to computer output.
• Perform alternative procedures for audit evidence (third party confirmation/physical verification).
• Perform reasonableness tests on total balances.
• Ensure the entity’s auditor regularly reviews systems/transactions.
• Increase frequency of audit visits.
• Employ CAATs such as computer audit programs and test data packs.