IT AUDIT

Questions and Answers

What is a consequence of reducing human involvement in IT-based processes?

  • Increased recognition of misstatements
  • Improved audit trail visibility
  • Loss of opportunity to detect unusual transactions (correct)
  • Enhanced manual approval protocols

How can IT-based systems impact traditional authorization processes?

  • They eliminate the need for any authorization
  • They increase the complexity of approval processes
  • They automate some transactions without manual approvals (correct)
  • They require more manual interventions

What issue arises from the reduced separation of duties in IT environments?

  • More thorough oversight of IT operations
  • Increased need for manual audits
  • Consolidation of multiple roles into one individual (correct)
  • Better compliance with IT regulations

    Why is it important to have knowledgeable personnel for IT systems?

    • To ensure proper installation and maintenance of the system (correct)

    Which component is essential for the governance and management of enterprise IT according to COBIT?

    • Connection between control requirements and business risks (correct)

    What does reduced audit trail visibility imply for an organization?

    • Increased likelihood of undetected fraud (correct)

    What key separation is often needed within IT duties?

    • Functions like systems development should be separate from day-to-day operations (correct)

    What characteristic of COBIT 5 enhances its effectiveness in IT governance?

    • Integration of governance and management aspects (correct)

    What is a potential risk associated with reliance on IT systems?

    • Systematic versus random errors (correct)

    How does information technology impact the audit trail?

    • It converts the paper trail to an electronic format (correct)

    What is a common risk regarding unauthorized access in information technology?

    • Increased potential for remote access (correct)

    What does the need for separation of IT duties primarily address?

    • Preventing fraud and ensuring checks and balances (correct)

    Which of the following is considered a type of IT General Control?

    • Controls over data centre and network operations (correct)

    How does a reduced audit trail affect internal controls?

    • It diminishes the capacity to trace actions related to transactions (correct)

    What is the primary purpose of IT Application Controls?

    • To ensure input data is complete, accurate, and valid (correct)

    Which of the following is a risk associated with loss of data?

    • Complete data loss if files are altered (correct)

    What is a major concern when implementing IT systems without proper experience?

    • Increased vulnerability to errors (correct)

    What does the term 'Auditing Through the Computer' refer to?

    • Auditing where the auditor directly interfaces with the application software (correct)

    What aspect of IT systems increases the risk of systematic errors?

    • Automation of tasks (correct)

    In the Test Data Approach, which consideration is essential for auditors?

    • Test data should include all relevant conditions that the auditor wants tested (correct)

    Which of the following is a risk associated with reliance on IT?

    • Unauthorized access to systems and data (correct)

    What is a crucial aspect of Separation of IT Duties?

    • Dividing responsibilities among different individuals to reduce risk (correct)

    Why is IT experience considered essential in auditing IT environments?

    • To properly evaluate application performance and compliance (correct)

    What is the role of policies and procedures in IT General Controls?

    • To support the effective functioning of application controls (correct)

    Study Notes

    Audit Practice & Procedures II: Information Technology and the Audit Process

    • Information Technology (IT) has improved internal control by enabling access to high-quality business transactions and larger volumes of information.

    Information Technology (IT) & Internal Control

    • IT has improved internal control.
    • How? Access to high-quality business transactions.
    • How? Access to larger volumes of information.
    • Question: Do improvements experienced as a result of IT present any risks?

    IT Systems and Risks

    • Risks to hardware and data.
    • Reduced audit trail.
    • Need for IT experience and separation of IT duties.

    Risks of Information Technology

    Risks to Hardware and Data

    • Reliance on the functioning capabilities of hardware and software.
    • Evaluation of the risk of system crashes.
    • Systematic versus random errors.
    • Errors in computer software can result in incorrect processing for all transactions processed.
    • Unauthorized access.
    • Potential for unauthorized on-line access from remote locations is increased.
    • Loss of data. Increased risk of total data loss in the event the data file is altered or destroyed.

    Reduced Audit Trail

    • Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail.
    • Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
    • Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.

    Need for IT Experience & Separation of IT Duties

    • Reduced separation of duties. As organizations convert from manual to computer processes, computers do many duties that were traditionally segregated, such as authorization and record keeping.
    • Need for IT experience. Even when companies purchase simple off-the-shelf accounting software packages, it is important to have personnel with knowledge and experience to install, maintain, and use the system.
    • Separation of Duties in IT Function/Dept.:
      • IT management (Oversight)
      • Systems development (Application Design).
      • Operations (day-to-day operations).
      • Data control (input/output control personnel).

    IT Governance

    • COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
    • COBIT 5 is a business framework for the governance and management of enterprise IT.
    • Developed by ISACA (Information Systems Audit and Control Association).
    • Used globally by those who have the primary responsibility for business processes and technology.

    Auditing Standards IT Controls

    • Types of controls. General Controls; Application Controls.
    • Used to address many of the risks associated with reliance on IT.

    IT General Controls

    • Policies and procedures that relate to many applications.
    • Support the effective functioning of application controls.
    • Controls over data centre and network operations.
    • System software acquisition, change and maintenance.
    • Access security. Includes: Application system acquisition, development, and maintenance.
    • Physical security of assets
    • Authorization for access to computer programs and data files

    IT Application Controls

    • Controls that relate to specific computer software applications and the individual transactions, for example, the general ledger. Includes: Controls over the input, processing, and output functions.
    • Necessary conditions for data inputs: Complete, accurate and valid.
    • Internal processing should produce correct outputs.

    Auditing Around the Computer Versus Auditing Through the Computer

    • Internal Controls

      • Credit is approved for sales on account.
      • Payroll is processed only for individuals currently employed.
      • Column totals for the cash disbursements journal are subtotaled automatically by the computer.
    • Auditing Around the Computer Approach

      • Select a sample of sales transactions from the sales journal and obtain the related customer sales order to determine that the credit manager’s initials are present, indicating approval of sales on account.
      • Select a sample of payroll disbursements from the payroll journal and verify by reviewing human resource department files that the payee is currently employed.
      • Obtain a printout of the cash disbursements journal and manually foot each column to verify the accuracy of the printed column totals.
    • Auditing Through the Computer Approach

      • Obtain a copy of the client's sales application program and related credit limit master file and process a test data sample of sales transactions to determine whether the application software properly rejects those test sales transactions that exceed the customer’s credit limit amount and accepts all other transactions.
      • Create a test data file of valid and invalid employee ID numbers and process that file using a controlled copy of the client’s payroll application program to determine that all invalid employee ID numbers are rejected and that all valid employee ID numbers are accepted.
      • Obtain an electronic copy of the cash disbursements journal transactions and use generalized audit software to verify the accuracy of the column totals.

    Information Technology (IT) Auditing: Generalized Audit Software (GAS)

    • Use: Verify extensions and footings.
      • Description: Verify the accuracy of the client's computations by calculating information independently.
      • Example: Foot accounts receivable trial balance.
    • Use: Examine records for quality, completeness, consistency, and correctness.
      • Description: Scan all records using specified criteria.
      • Example: Review payroll files for terminated employees.
    • Use: Compare data on separate files.
      • Description: Determine that information in two or more data files agrees.
      • Example: Compare changes in accounts receivable balances between two dates using sales and cash receipts in transaction files.
    • Use: Summarize or resequence data and do analyses.
      • Description: Change or aggregate data.
      • Example: Resequence inventory items by location to facilitate physical observation.
    • Use: Select audit samples.
      • Description: Select samples from machine-readable data.
      • Example: Randomly select accounts receivable for confirmation.
    • Use: Print confirmation requests.
      • Description: Print data for sample items selected for confirmation testing.
      • Example: Print customer name, address, and account balance information from master files.
    • Use: Compare data obtained through other audit procedures with company records.
      • Description: Compare machine-readable data with audit evidence gathered manually, which is converted to machine-readable form.
      • Example: Compare confirmation responses with accounts receivable master files.

    Auditing Through the Computer; Testing Categories

    • Test data approach
    • Parallel simulation
    • Embedded audit module approach

    Auditing in Complex IT Environments (Categories of Testing): Test Data Approach

    • Auditors process their own test data using the client's computer system and application program to determine whether the automated controls correctly process the test data.
    • Test data considerations:
      • Test data should include all relevant conditions that the auditor wants tested.
      • Application programs tested by auditors' test data must be the same as those the client used throughout the year.
      • Test data must be eliminated from the client's records.

    Auditing in Complex IT Environments (Categories of Testing): Parallel Simulation

    • To determine the effectiveness of automated controls.
    • To obtain evidence about electronic account balances.
    • Parallel simulation is a process of simulating data processing with a set of data (from the client) and comparing the simulation results with the results from the client's system.

    Auditing in Complex IT Environments (Categories of Testing): Embedded Audit Module Approach

    • Auditors insert an audit module in the client's application system to identify specific types of transactions.
