IT AUDIT

Questions and Answers

What is a consequence of reducing human involvement in IT-based processes?

• Increased recognition of misstatements
• Improved audit trail visibility
• Loss of opportunity to detect unusual transactions (correct)
• Enhanced manual approval protocols

How can IT-based systems impact traditional authorization processes?

• They eliminate the need for any authorization
• They increase the complexity of approval processes
• They automate some transactions without manual approvals (correct)
• They require more manual interventions

What issue arises from the reduced separation of duties in IT environments?

• More thorough oversight of IT operations
• Increased need for manual audits
• Consolidation of multiple roles into one individual (correct)
• Better compliance with IT regulations

Why is it important to have knowledgeable personnel for IT systems?

To ensure proper installation and maintenance of the system (D)

Which component is essential for the governance and management of enterprise IT according to COBIT?

Connection between control requirements and business risks (C)

What does reduced audit trail visibility imply for an organization?

Increased likelihood of undetected fraud (D)

What key separation is often needed within IT duties?

Functions like systems development should be separate from day-to-day operations (A)

What characteristic of COBIT 5 enhances its effectiveness in IT governance?

Integration of governance and management aspects (D)

What is a potential risk associated with reliance on IT systems?

Systematic versus random errors (B)

How does information technology impact the audit trail?

It converts the paper trail to an electronic format (C)

What is a common risk regarding unauthorized access in information technology?

Increased potential for remote access (A)

What does the need for separation of IT duties primarily address?

Preventing fraud and ensuring checks and balances (C)

Which of the following is considered a type of IT General Control?

Controls over data centre and network operations (B)

How does a reduced audit trail affect internal controls?

It diminishes the capacity to trace actions related to transactions (C)

What is the primary purpose of IT Application Controls?

To ensure input data is complete, accurate, and valid (A)

Which of the following is a risk associated with loss of data?

Complete data loss if files are altered (B)

What is a major concern when implementing IT systems without proper experience?

Increased vulnerability to errors (B)

What does the term 'Auditing Through the Computer' refer to?

Auditing where the auditor directly interfaces with the application software (B)

What aspect of IT systems increases the risk of systematic errors?

Automation of tasks (D)

In the Test Data Approach, which consideration is essential for auditors?

Test data should include all relevant conditions that the auditor wants tested (C)

Which of the following is a risk associated with reliance on IT?

Unauthorized access to systems and data (C)

What is a crucial aspect of Separation of IT Duties?

Dividing responsibilities among different individuals to reduce risk (C)

Why is IT experience considered essential in auditing IT environments?

To properly evaluate application performance and compliance (D)

What is the role of policies and procedures in IT General Controls?

To support the effective functioning of application controls (A)

Flashcards

Reduced audit trail

Computerized processes reduce opportunities for recognizing misstatements because employees can't easily spot unusual transactions.

Lack of traditional authorization

Computer systems can automatically initiate transactions without traditional manual approvals.

Reduced separation of duties

Conversion to computer processes merges duties that were previously separated (like authorization and record-keeping).

Need for IT experience

Even simple software needs personnel with knowledge to install, maintain, and use the system effectively.

COBIT

A framework for managing enterprise IT that connects controls, technology, and business risks.

Separation of Duties in IT

Dividing IT tasks into separate roles (management, development, operations, data control) to mitigate risk.

IT Governance Framework

A structured approach for managing IT, connecting it with business objectives and risk management.

COBIT 5

A specific business framework for IT governance and management, developed by ISACA.

IT's Impact on Internal Control

Information Technology (IT) has improved internal control by providing access to high-quality business transactions and larger volumes of information.

IT Risks: Hardware & Data

IT systems face risks to hardware and data due to reliance on software and hardware functionality, potential for systematic or random errors, unauthorized access, and data loss.

Systematic Errors in IT

Errors in computer software can lead to incorrect processing of all transactions, impacting data accuracy and reliability.

Unauthorized Access in IT

IT systems increase the risk of unauthorized access to sensitive information, especially from remote locations.

Data Loss in IT Systems

Data loss becomes a greater risk with IT systems as alteration or destruction of data files can lead to significant losses.

Reduced Audit Trail in IT

The use of IT converts traditional paper trails to electronic ones, making it harder to trace transactions and identify irregularities.

Human Involvement in IT Audits

Automated processes in IT systems often reduce human involvement, making it harder to identify unusual transactions or potential errors.

Traditional Authorization in IT

IT systems can automatically initiate transactions without traditional manual approvals, potentially bypassing authorization controls.

IT General Controls

Policies and procedures that apply to many applications, ensuring the effective functioning of application controls.

Application Controls

Controls that relate specifically to computer software applications and individual transactions, ensuring data integrity and accuracy.

Auditing Through the Computer

An audit approach that involves directly testing the client's computer system and applications to verify data and processes.

Test Data Approach

Involves using pre-designed test data to assess how the client's application system handles different scenarios and controls.

Parallel Simulation

Involves running a separate, parallel system with simulated data to compare results with the client's system, identifying any discrepancies.

Embedded Audit Module (EAM)

Programmed routines integrated into the client's application system, capturing data for audit purposes during normal operations.

What is the test data approach?

The test data approach involves using pre-designed test data processed through the client's system to assess the effectiveness of IT controls and the accuracy of results.

What are the three main considerations for the test data approach?

The three main considerations for the test data approach are: (1) test data must include all relevant conditions to be tested, (2) data should be processed independently from the client's production data, and (3) test data should be carefully removed from the client's production data after processing to avoid disrupting the client's operations.

Study Notes

Audit Practice & Procedures II: Information Technology and the Audit Process

• Information Technology (IT) has improved internal control by enabling access to high-quality business transactions and larger volumes of information.

Information Technology (IT) & Internal Control

• IT has improved internal control.
• How? Access to high-quality business transactions.
• How? Access to larger volumes of information.
• Question: Do improvements experienced as a result of IT present any risks?

IT Systems and Risks

• Risks to hardware and data.
• Reduced audit trail.
• Need for IT experience and separation of IT duties.

Risks of Information Technology

Risks to Hardware and Data

• Reliance on the functioning capabilities of hardware and software.
• Evaluation of the risk of system crashes.
• Systematic versus random errors.
• Errors in computer software can result in incorrect processing for all transactions processed.
• Unauthorized access.
• Potential for unauthorized on-line access from remote locations is increased.
• Loss of data. Increased risk of total data loss in the event the data file is altered or destroyed.

Reduced Audit Trail

• Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail.
• Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
• Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.

Need for IT Experience & Separation of IT Duties

• Reduced separation of duties. As organizations convert from manual to computer processes, computers do many duties that were traditionally segregated, such as authorization and record keeping.
• Need for IT experience. Even when companies purchase simple off-the-shelf accounting software packages, it is important to have personnel with knowledge and experience to install, maintain, and use the system.
• Separation of Duties in IT Function/Dept.:
  • IT management (Oversight)
  • Systems development (Application Design).
  • Operations (day-to-day operations).
  • Data control (input/output control personnel).

IT Governance

• COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• COBIT 5 is a business framework for the governance and management of enterprise IT.
• Developed by ISACA (Information Systems Audit and Control Association).
• Used globally by those who have the primary responsibility for business processes and technology.

Auditing Standards IT Controls

• Types of controls. General Controls; Application Controls.
• Used to address many of the risks associated with reliance on IT.

IT General Controls

• Policies and procedures that relate to many applications.
• Support the effective functioning of application controls.
• Controls over data centre and network operations.
• System software acquisition, change and maintenance.
• Access security. Includes: Application system acquisition, development, and maintenance.
• Physical security of assets
• Authorization for access to computer programs and data files

IT Application Controls

• Controls that relate to specific computer software applications and the individual transactions, for example, the general ledger. Includes: Controls over the input, processing, and output functions.
• Necessary conditions for data inputs: Complete, accurate and valid.
• Internal processing should produce correct outputs.

Auditing Around the Computer Versus Auditing Through the Computer

• Internal Controls

  • Credit is approved for sales on account.
  • Payroll is processed only for individuals currently employed.
  • Column totals for the cash disbursements journal are subtotaled automatically by the computer.

• Auditing Around the Computer Approach

  • Select a sample of sales transactions from the sales journal and obtain the related customer sales order to determine that the credit manager’s initials are present, indicating approval of sales on account.
  • Select a sample of payroll disbursements from the payroll journal and verify by reviewing human resource department files that the payee is currently employed.
  • Obtain a printout of the cash disbursements journal and manually foot each column to verify the accuracy of the printed column totals.

• Auditing Through the Computer Approach

  • Obtain a copy of the client's sales application program and related credit limit master file and process a test data sample of sales transactions to determine whether the application software properly rejects those test sales transaction that exceed the customer’s credit limit amount and accepts all other transactions.
  • Create a test data file of valid and invalid employee ID numbers and process that file using a controlled copy of the client’s payroll application program to determine that all invalid employee ID numbers are rejected and that all valid employee ID numbers are accepted.
  • Obtain an electronic copy of the cash disbursements journal transactions and use generalized audit software to verify the accuracy of the column totals.

Information Technology (IT) Auditing: Generalized Audit Software (GAS)

• Uses: Verify extensions and footings; Examine records for quality, completeness, consistency, and correctness; Compare data on separate files; Summarize or resequence data and do analyses; Select audit samples; Print confirmation requests; Compare data obtained through other audit procedures with company records.
• Description: Verify the accuracy of the client's computations by calculating information independently; Scan all records using specified criteria; Determine that information in two or more data files agrees; Change or aggregate data; Select samples from machine-readable data; Print data for sample items selected for confirmation testing; Compare machine-readable data with audit evidence gathered manually, which is converted to machine-readable form.
• Examples: Foot accounts receivable trial balance; Review payroll files for terminated employees; Compare changes in accounts receivable balances between two dates using sales and cash receipts in transaction files; Resequence inventory items by location to facilitate physical observation; Randomly select accounts receivable for confirmation; Print customer name, address, and account balance information from master files; Compare confirmation responses with accounts receivable master files.

Auditing Through the Computer; Testing Categories

• Test data approach
• Parallel simulation
• Embedded audit module approach

Auditing in Complex IT Environments (Categories of Testing): Test Data Approach

• Auditors process their own test data using the client's computer system and application program to determine whether the automated controls correctly process the test data.
• Test data considerations:
  • Test data should include all relevant conditions that the auditor wants tested.
  • Application programs tested by auditors' test data must be the same as those the client used throughout the year.
  • Test data must be eliminated from the client's records.

Auditing in Complex IT Environments (Categories of Testing): Parallel Simulation

• To determine the effectiveness of automated controls.
• To obtain evidence about electronic account balances.
• Parallel simulation is a process of simulating data processing with a set of data (from client) and comparing the results of simulation with that of client's system results.

Auditing in Complex IT Environments (Categories of Testing): Embedded Audit Module Approach

• Auditors insert an audit module in the client's application system to identify specific types of transactions.