Document Details

Uploaded by PowerfulLimeTree865

Robert E. Regala

Tags

information systems audit, IT audit, business systems, information technology

Summary

This document presents a lecture on Chapter 1 of Information Systems Audit (IS Audit). It begins by defining IS audit and the importance of information systems in today’s business environment. It also discusses the critical components of an IS audit, such as safeguarding assets and maintaining data integrity, and different types of audits.

Full Transcript

PR108 INFORMATION SYSTEMS AUDIT
Ch01 The Nature of IT Audit
By: Robert E. Regala
Link to YouTube video: https://youtu.be/O_uwWX2Yrp8

OPENING SLIDE
Hi! It’s Sir Rob! Today I am going to discuss Chapter 01 of the course IS Audit. Our topic is “The Nature of Information Systems Audit.” We begin by defining what an IS Audit is. To make things clear, information systems audit and information technology audit are interchangeable; they refer to the same discipline and you cannot separate one from the other. For classroom purposes we will use “IS Audit” throughout the course. As always in the practice of Accountancy, remember to be professional, perform effectively and efficiently, follow standards, and document our work adequately and properly.

SLIDE 02
What is IS Audit? The concept of IS Audit was formed in the mid-1960s, when computers were finding their way into the business world through programs with business applications. Since then, IS Audit has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business. Today many companies are IT-dependent and cannot operate their business without information technology, e.g. a telecommunications or banking company. For other types of business, IT still plays a big part in the company’s activities: using an application workflow instead of a paper request form, using application controls instead of manual controls (which is more reliable), or implementing an ERP application so that the organization runs on a single central application. Accordingly, the importance of IS Audit is constantly increasing. One of the most important roles of IS Audit, dispensed primarily by the Internal Audit unit of an entity, is the audit of the critical systems in support of the financial audit or of specific regulations, e.g. the Sarbanes-Oxley Act of 2002.
The law, specifically in Section 404 “Management Assessment of Internal Controls,” requires management to produce an “internal control report” that contains an “assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting” (which includes the IT components). To do this, managers generally adopt an internal control framework such as the one described by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, which is built on five components, one of which, “Information and Communication,” is focused on information systems.

SLIDE 03
Within the scope of assurance services, IS Audit is usually part of a more general financial audit that verifies an organization’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced. In other words, an audit trail must exist that can establish where each transaction originated and how it was processed. Aside from financial audits, operational audits evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented. While financial and technological audits may be rendered by the auditor as components of a single FS audit engagement, the latter may also be offered separately to entities that need a Type 2 independent opinion on the description, design, and operating effectiveness of their information systems controls, such as service organizations that provide third-party services.

SLIDE 04
Having considered all the foregoing, we can now offer a definition of IT Audit. IT Audit is an internal or independent external examination of the management controls within an information technology (IT) infrastructure and business applications.
The evaluation of the evidence obtained determines whether the information systems are:

1. Safeguarding assets. IT assets generally include hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and confidential information. Assets should be protected from illicit access, use, disclosure, alteration, destruction and/or theft, any of which results in loss to the organization.

2. Maintaining data integrity. This covers the maintenance of, and the assurance of, data accuracy and consistency over its entire life cycle. Data integrity is a critical aspect of the design, implementation and usage of any system that stores, processes or retrieves data. The term is broad in scope and may have widely different meanings depending on the specific context, even under the same general umbrella of computing. Any unintended change to data as the result of a storage, retrieval or processing operation, whether from malicious intent, unexpected hardware failure or human error, is a failure of data integrity.

3. Using resources efficiently. IT resource management is acquiring, allocating and managing the resources required for a project: individuals and their skills, finances, technology, hardware, software and network components. It ensures that internal as well as external resources (as when the entity outsources IT) are used effectively, on time and to budget.

4. Operating effectively to achieve the organization’s goals or objectives. Any specific information system aims to support operations, management and decision-making. Poor operation of an information system can therefore hamper operations, causing delays and backlogs, and stifle management’s efforts to improve operations. Ineffective operations also affect the timeliness of decision-making and the quality of the decisions; and decisions made on delayed or inaccurate data may do more harm than good to the enterprise.
These examinations or reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement, such as those described above.

SLIDE 05
IT audits are also known as automated data processing audits (ADP audits) and computer audits. They were formerly called electronic data processing audits (EDP audits).

SLIDE 06
The threefold objective of IT Audit, in relation to a risk-based audit, is as follows:

1. Evaluate the information system and business processes in place that secure company data. Information systems and business processes go hand in hand. Obtaining an understanding of the entity’s business processes, including how transactions are originated, helps the auditor understand the entity’s information system in a manner appropriate to the entity’s circumstances. An entity’s business processes include the activities designed to: develop, purchase, produce, sell and distribute the entity’s products and services; ensure compliance with laws and regulations; and record information, including accounting and financial reporting information. Business processes result in the transactions that are recorded, processed and reported by the information system. It is important to document these processes to see where manual controls interact with computer-based controls, which helps the auditor determine where gaps and lapses exist throughout the process.

2. Determine risks to a company’s information assets. This is done by the entity under IS Audit, as we learned in the Assurance and Auditing subjects: management has the responsibility to assess the risks and to design and implement controls that address them. During the IS Audit, the auditor also performs a risk assessment, in conjunction with setting materiality during audit planning.
The auditor’s risk assessment and the resulting audit report will uncover areas where the entity needs to improve its controls to mitigate or eliminate the risks to information assets.

3. Help identify methods to minimize those risks. IS auditors may identify control weaknesses in the enterprise; conclusions and recommendations about those weaknesses are communicated to management and those charged with governance (TCWG). Some third parties may not be willing, or able, to implement recommendations. In these situations the IS auditor should recommend compensating controls that the enterprise can implement to address control weaknesses at the third-party organization. In some cases the enterprise may have to refer back to the contract language to determine, with management, the appropriate course of action if significant issues continue to exist.

SLIDE 07
An IT audit is different from a financial statement audit. The purpose of a financial audit is to evaluate whether the financial statements present fairly, in all material respects, an entity’s financial position, results of operations and cash flows in conformity with standard accounting practices; the purpose of an IT audit is to evaluate the design and effectiveness of the system’s internal controls. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. It is therefore appropriate to consider the peculiar characteristics of IT that are significant to IS Audit. The first of these characteristics is:

Lack of visible audit trail
An audit trail (also called an audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provides documentary or electronic evidence of the sequence of activities that have affected, at any time, a specific operation, procedure, event or device.
It is also defined as “a sequence of recorded computer events that involves any activity around the operating system, applications or user actions. One computer can have several audit trails that each serve a different purpose.” While audit trails are used in finance and software, they are ultimately tools for analyzing and reporting on managerial and operational processes. An audit trail is important because it is used to verify and validate financial, software and business transactions by tracking selected user activities, or financial statement amounts, back to the transaction, the event source, and the data access used to create or modify a record. An audit trail helps businesses detect unauthorized use, errors and fraud.

The use of computers has led to the disappearance of many elements of the visible audit trail needed to keep track of financial operations, from the original documents to the account balances and back again. This has made it easier to manipulate information using computers, and the prevalence of this type of crime has been caused mostly by inadequate internal controls and inadequate design of the information system. Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case no hard-copy purchase order exists. The internal accounting, preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and related credit to inventory, and reduction of the inventory records for the quantities sold can all be accomplished without generating hard-copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.
SLIDE 08
For the IS auditor, if the information system’s audit trail has not been designed properly, or has not been activated during implementation, the auditor will be unable to trace individual transactions from source to completion or from completion back to source, and would therefore not be able to perform conventional audit tests. Fortunately, most information systems today incorporate audit trails into their products, along with the functionality to activate or deactivate them, or to turn individual features on or off. For example, the audit trail function in the accounting software QuickBooks allows the enterprise to:

1. retain a history of the changes made to the data file,
2. track user login details and activities, and
3. find deleted or lost transactions.

Because the trail can be switched off, the auditor should also confirm that it was active for the whole period under review and that the rights to disable or edit it are restricted; an audit trail that users can silently turn off is not reliable evidence.

SLIDE 09
The following is an example of how an audit trail might be designed by the enterprise and used by the auditor in auditing the accounts receivable balance:

1. Starting with the financial statements, the auditor compares the accounts receivable balance in the balance sheet with the master-file AR control account.
2. He then reconciles the AR control figure with the total of the AR subsidiary accounts, another master file, which may be owned by a different user who has no access to the AR control master file.
3. He selects a sample of update entries made to accounts in the AR subsidiary ledger and traces them to transactions in the sales journal, an archive file of sales transactions, which contains the unique serial numbers that identify each individual transaction.
4. From these journal entries he identifies specific hard-copy or printed source documents that can be pulled from their files and verified. If necessary, the auditor can confirm the accuracy and propriety of these source documents by contacting the customers in question.

The same procedure may be performed when tracing user login details and activities, or finding deleted or lost transactions.
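The four-step walk above can be run as a computer-assisted audit procedure. The following is an added example written for this page, not the lecturer’s code and not taken from QuickBooks or any other package; it walks the trail over constructed ledgers and journal records, adds the serial-sequence gap check that surfaces deleted or lost transactions, and reports each break in the trail. Field names, serials, document numbers and balances are assumptions.

```python
"""Accounts receivable audit-trail walk (SLIDE 09), step by step.

Added example, written for this page; it is not the lecturer's code and models
no particular accounting package. All balances, serials and document numbers are
constructed, and the record layout (dicts keyed by 'customer', 'amount',
'serial', 'source_doc') is an assumption."""
from decimal import Decimal
from typing import Dict, List, Set

# Constructed data. The subsidiary total (700 + 500 + 300) agrees with the control
# account, so steps 1 and 2 pass; the trail then breaks in three places, marked below.
BALANCE_SHEET_AR = Decimal("1500.00")      # figure on the balance sheet
AR_CONTROL_MASTER = Decimal("1500.00")     # AR control account master file
AR_SUBSIDIARY = {"C001": Decimal("700.00"), "C002": Decimal("500.00"),
                 "C003": Decimal("300.00")}  # subsidiary master file, per customer
SUBSIDIARY_UPDATES = [                      # postings sampled from the subsidiary ledger
    {"customer": "C001", "amount": Decimal("700.00"), "serial": "SJ-1001"},
    {"customer": "C002", "amount": Decimal("500.00"), "serial": "SJ-1002"},
    {"customer": "C003", "amount": Decimal("200.00"), "serial": "SJ-1004"},
    {"customer": "C003", "amount": Decimal("100.00"), "serial": "SJ-1005"},  # no journal entry
]
SALES_JOURNAL = {                           # archive file keyed by unique serial number
    "SJ-1001": {"customer": "C001", "amount": Decimal("700.00"), "source_doc": "INV-9001"},
    "SJ-1002": {"customer": "C002", "amount": Decimal("500.00"), "source_doc": "INV-9002"},
    # SJ-1003 is absent: a hole in the serial sequence
    "SJ-1004": {"customer": "C003", "amount": Decimal("200.00"), "source_doc": "INV-9004"},
}
SOURCE_DOCUMENTS: Set[str] = {"INV-9001", "INV-9004"}  # INV-9002 is not in the files


def _serial_number(serial: str) -> int:
    """'SJ-1004' -> 1004; assumes the serial format is PREFIX-INTEGER."""
    return int(serial.rsplit("-", 1)[1])


def trace_ar_audit_trail(fs_balance: Decimal, control_balance: Decimal,
                         subsidiary: Dict[str, Decimal], updates: List[dict],
                         journal: Dict[str, dict], source_docs: Set[str]) -> List[str]:
    """Walk the four steps from the financial statements back to source documents.

    Returns one string per exception; an empty list means every balance reconciled
    and every sampled posting was vouched to a document that exists."""
    findings: List[str] = []

    # Step 1: balance sheet vs. AR control account master file.
    if fs_balance != control_balance:
        findings.append(f"step1: balance sheet AR {fs_balance} != control account {control_balance}")

    # Step 2: control account vs. total of the subsidiary master file.
    subsidiary_total = sum(subsidiary.values(), Decimal("0"))
    if subsidiary_total != control_balance:
        findings.append(f"step2: subsidiary total {subsidiary_total} != control account {control_balance}")

    # Step 3: trace each sampled posting to its sales journal entry by serial number.
    for posting in updates:
        entry = journal.get(posting["serial"])
        if entry is None:
            findings.append(f"step3: posting to {posting['customer']} cites {posting['serial']}, "
                            "which is not in the sales journal")
            continue
        if entry["customer"] != posting["customer"] or entry["amount"] != posting["amount"]:
            findings.append(f"step3: journal entry {posting['serial']} disagrees with the posting "
                            f"to {posting['customer']}")
            continue
        # Step 4: pull the source document the journal entry points to.
        if entry["source_doc"] not in source_docs:
            findings.append(f"step4: {posting['serial']} points to {entry['source_doc']}, "
                            "which cannot be pulled from the files")

    # Serials are unique and sequential, so a hole in the sequence is the signature
    # of a deleted or lost transaction, the last use case named above.
    numbers = sorted(_serial_number(s) for s in journal)
    if numbers:
        for n in sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)):
            findings.append(f"step3: journal serial gap at {n}: possible deleted or lost transaction")
    return findings


if __name__ == "__main__":
    for line in trace_ar_audit_trail(BALANCE_SHEET_AR, AR_CONTROL_MASTER, AR_SUBSIDIARY,
                                     SUBSIDIARY_UPDATES, SALES_JOURNAL, SOURCE_DOCUMENTS):
        print(line)
```

Run as-is it reports three breaks: the posting citing SJ-1005 cannot be traced to the journal, INV-9002 cannot be pulled from the files, and serial 1003 is missing from the journal. Steps 1 and 2 pass on the same data, which is the point of the walk: agreeing balances say nothing about whether the individual transactions behind them exist.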
SLIDE 10
Consistency of performance
Consistency of performance in a computer-based information system refers to the requirement that any given database transaction must change affected data only in allowed ways. Any data written to the database must be valid according to all defined rules, including constraints, cascades, triggers, and any combination thereof. The business rules and constraints built into the system parameters ensure that all similar transactions are processed uniformly. This means that, as long as the rules and constraints have not been changed, the auditor has a guarantee that the result of one transaction will be consistent with all similar transactions.

SLIDE 11
However, this does not guarantee that the transactions are correct. If the business rules and constraints have not been properly defined in the system, the error is carried by all the transactions. Thus an error that the auditor uncovers in one transaction can be projected to all similar transactions in that database, and if undetected it can easily escalate beyond the materiality level set during planning. Fortunately, consistency in processing also brings consistency, and therefore simplicity, in correcting errors: all the erroneous transactions can be corrected in one go with an update to the business rules and constraints, or a back-end correction of the data.

SLIDE 12
Ease of access to data and programs
This characteristic is a double-edged sword for IS Audit: it carries equally weighty benefits and risks. First, let’s talk about the benefits.

SLIDE 13
Benefits
Employees or users of an information system do not just want instant access to the exact information they need; they expect it. They expect business-critical information to be quickly and easily accessible. In many cases, however, the consumer-grade technology experience employees expect at work is impeded by critical information being hard to access and nearly impossible to process.
This is due in part to factors such as information silos, restricted permissions, and a lack of centralized and updated content. Yet providing employees with the ability to access and process data is well worth the effort. In fact, it can create competitive advantages for businesses in these four ways:

1. Improve customer service. Giving employees ready access to relevant information enables better customer service. When customers have an issue with a product or service, they do not contact the entity hoping to be put on hold for a while or to wait a couple of days for a response to their email. They want answers, and fast, and businesses need to empower their teams to provide them. Informed, engaged employees with immediate access to critical data can get to work helping customers resolve their issue; those working in organizations where information is siloed cannot.

2. Build trust. In 2017 the annual Edelman Trust Barometer report found that regular rank-and-file company employees have considerable credibility. That is one of many reasons it is important that employees feel integrated with the organization, whether that means understanding the company mission or knowing how to access the data they need for superior customer service. Employees who feel connected are not only more engaged when they interact with customers and partners; they become valuable brand ambassadors when the work day, or night, is over. Whether they are vacationing on the other side of the world or taking classes across town, your employees are bound to be asked the one question that translates effortlessly across cultures: What do you do? Simply put, employees who feel set up for success by leadership are more likely to say nice things.

3. Drive profitability. Employees who are connected to centralized sources of information make more informed decisions.
If a customer spends time on the phone with an employee to resolve an issue, then has to start over from the very beginning with another employee to resolve the next issue, the company loses twice. First, a favorable impression in the service category is sacrificed. Second, by having employees perform redundant tasks, the company also takes a hit on profitability (never mind productivity). On the other hand, according to a study by Gallup, companies that scored higher on employee engagement realized many benefits, including higher earnings per share.

4. Empower business leaders. Business leaders need quick and easy access to business data to identify trends, visualize bottlenecks, focus on the most pressing issues, and quickly obtain the insight they need to make informed business decisions. This instant access to critical information can mean the difference between a fully aligned, well-oiled organization and one that is overwhelmed by data, riddled with inefficient processes, and lacking the visibility needed to stay competitive.

SLIDE 14
Now let’s look at the dark side of ease of access, the one that carries the risks the IS auditor is interested in, namely digital security risks and confidentiality breaches.

1. Digital security risk. Enhanced access and sharing typically require opening information systems so that data can be accessed and shared. This may further expose parts of an organization to digital security threats, such as hacking, that can lead to incidents disrupting the availability, integrity or confidentiality of the data and information systems on which economic and social activities rely. Consequently, organizations’ assets, reputation and even physical activities can be affected to the point where their competitiveness and ability to innovate are undermined. More importantly, where data is shared among suppliers and customers, these incidents may have a negative impact along an entire supply chain.
Where critical information systems are concerned, they could undermine the functioning of essential services. The risk of digital security incidents is growing with the intensity of data use (OECD, 2017). The actual impact varies significantly depending on the motivation and form of the incident. Organized crime groups may target valuable assets that they can sell on illegal markets; as innovation becomes more digital, industrial digital espionage is also likely to rise further; and in some cases the motive may be political, or the attacks may be designed to damage an organization or an economy.

2. Increasing impact of (personal) data breaches. Where data can be accessed and is shared, personal data breaches are more likely to occur. They cause harm not only through the privacy violation of the individuals whose personal data have been breached; they can also cause significant economic losses to the business affected, including loss of competitiveness and reputation. Further consumer detriment may result from a data breach, such as the harm caused by identity theft. Personal data breaches are experienced less frequently than other types of digital security incidents, such as malware, phishing and social engineering, or denial-of-service (DoS) attacks. However, evidence from the Privacy Rights Clearinghouse suggests that although the total number of identified incidents may be relatively small compared to other incident types, their impact is increasing drastically as large-scale data breaches, i.e. breaches involving more than 10 million records, become more frequent. This is confirmed by available evidence suggesting that data breaches have increased with the collection, processing and sharing of large volumes of personal data (OECD, 2017). In 2005, for example, ChoicePoint, a consumer data aggregation company, was the target of one of the first high-profile data breaches, involving over 150,000 personal records.
The company paid more than USD 26 million in fees and fines. Data breaches have since become almost commonplace. In October 2018, Facebook was fined GBP 500,000, the maximum fine possible, by the Information Commissioner’s Office (ICO) of the United Kingdom for “unfairly process[ing] personal data” and “fail[ing] to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data” (Information Commissioner's Office, 2018). This incident involved more than 87 million personal records that were used by Cambridge Analytica (Granville, 2018; Cadwalladr and Graham-Harrison, 2018; Hern and Pegg, 2018). Data breaches are not limited to the private sector, as evidenced by the theft in 2015 of over 21 million records stored by the US Office of Personnel Management, including 5.6 million fingerprints, and by the Japan Pension Service breach that affected 1.25 million people (Otaka, 2015).

3. Violation of privacy, intellectual property rights and other interests. The risks of enhanced access and sharing go beyond digital security and personal data breaches. Most notably, they include the risk of violating contractual and socially agreed terms of data re-use, and thus of acting against the reasonable expectations of users. This is true with respect to individuals (data subjects), their consent and their privacy expectations, but also with respect to organizations, their contractual agreements with third parties and the protection of their commercial interests. For organizations, these risks can reduce the incentive to invest and innovate, even where they are the unintended consequences of business decisions. For small and medium-sized enterprises (SMEs), identifying which data to share and defining the scope and conditions for access and re-use is perceived as a major challenge.
Inappropriate sharing of data can lead to significant costs for the organization, including fines for privacy violations and opportunity costs from a reduced ability to innovate. For example, it has been noted that sharing data prematurely can undermine the ability to obtain IPR (e.g. patent and trade secret) protection.

SLIDE 15
Consolidation of duties without weakening control
Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two: certain differences may result in improved controls, while others may result in reduced controls. Some differences, for example the centralization of processing, may be a mixed blessing. In a manual environment, the traditional control is the segregation of the general categories of duties and responsibilities: authorization, processing, recording, custody, record keeping and reconciliation. In an ideal manual system, a different employee would perform each of these major functions.

SLIDE 16
One of the most important issues in a computer processing system is the potential control risk associated with the concentration of functions. For example, in an advanced ERP implementation, the functions of authorization, processing, recording and reconciliation may all be vested in a single computer program. In IS Audit, the consolidation of functions therefore requires auditing the automated process using other, non-traditional techniques. In general, implementing computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. The audit implication is to ensure that appropriate controls are in place, which may include segregating the following IT-related functions:

data control: the policies and processes for governing and managing data; these are internal controls related to data management and data governance.
data entry: the process of transcribing information into an electronic medium such as a computer or other electronic device. It can be performed manually or automatically by a machine or computer. Most data entry tasks are time-consuming, but data entry is a basic, necessary task for most organizations.

computer operation: a major IT function responsible for monitoring the operation of hardware and software and ensuring that they are operating normally, troubleshooting or escalating alarms and errors, performing IT housekeeping tasks such as data backup and restore, and serving the computer output needs of users.

data and program custody: includes the function of the database administrator, who manages and maintains the database management system and the logical and physical components of the databases.

SLIDE 17
System-generated transactions based on business rules
System-generated transactions are transactions created automatically by a computer-based information system. For example, a credit card statement and invoice is system-generated every month, as are certain internal reserve requirement transfers, depreciation entries, allowances for losses, and so on. They can be generated periodically, on a specific schedule, using business rules (or policies) that are integrated as parameters in the information system itself, and the programs perform these functions automatically time after time.

SLIDE 18
The business rules integrated into the system are, of course, management-approved through a blanket approval document, such as a sign-off on the initial system parameters at the start of a system’s implementation. Revisions to these rules are made in the system through a parameter update process, one that requires an approved request and a second approval for the update of the system.
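The following is an added example written for this page (not the lecturer’s code, and modelled on no particular ERP) that does the tracing this parameter update process calls for, over a constructed system change log and a constructed set of approved requests: every system change must match an approved request, the effectivity in the system must match the effectivity on the document, approvals must actually have been applied, and, picking up the segregation-of-duties point from SLIDE 16, the requester, the approver and the person who keyed the change must be three different people. Ticket numbers, user ids, parameter names and field names are assumptions.

```python
"""Parameter-change verification for system-generated transactions (SLIDE 18),
including the segregation-of-duties point from SLIDE 16.

Added example written for this page; it is not the lecturer's code and models no
particular ERP. Both data sets are constructed, and the record layout (ticket ids,
'requested_by' / 'approved_by' / 'changed_by', 'effective') is an assumption."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed: the system's own log of parameter changes, with the date each new
# value took effect in the system and who keyed it in.
SYSTEM_PARAMETER_LOG = [
    {"ticket": "PCR-101", "param": "LATE_FEE_PCT", "new": "2.5",
     "changed_by": "ops.ana", "effective": date(2024, 1, 1)},
    {"ticket": "PCR-102", "param": "RESERVE_RATIO", "new": "0.12",
     "changed_by": "ops.ben", "effective": date(2024, 3, 5)},   # four days late
    {"ticket": "PCR-103", "param": "DEPR_RATE_IT", "new": "0.33",
     "changed_by": "fin.cara", "effective": date(2024, 4, 1)},  # keyed by the requester
    {"ticket": None, "param": "MIN_BALANCE", "new": "500",
     "changed_by": "ops.dan", "effective": date(2024, 5, 1)},   # no request at all
]
# Constructed: the approved parameter update requests (the sign-off documents).
APPROVED_REQUESTS = {
    "PCR-101": {"param": "LATE_FEE_PCT", "new": "2.5", "requested_by": "fin.cara",
                "approved_by": "cfo.eve", "effective": date(2024, 1, 1)},
    "PCR-102": {"param": "RESERVE_RATIO", "new": "0.12", "requested_by": "fin.cara",
                "approved_by": "cfo.eve", "effective": date(2024, 3, 1)},
    "PCR-103": {"param": "DEPR_RATE_IT", "new": "0.33", "requested_by": "fin.cara",
                "approved_by": "cfo.eve", "effective": date(2024, 4, 1)},
    "PCR-104": {"param": "GRACE_DAYS", "new": "10", "requested_by": "fin.cara",
                "approved_by": "cfo.eve", "effective": date(2024, 6, 1)},   # never applied
}

Finding = Tuple[str, str, str]  # (kind, parameter, detail)


def audit_parameter_changes(log: List[dict], approvals: Dict[str, dict]) -> List[Finding]:
    """Trace every system change to an approved request and back again.

    Four tests, per the lecture: the change is approved, the approved value is the
    value in force, the system effectivity matches the document's effectivity, and
    the requester, approver and implementer are three different people."""
    findings: List[Finding] = []
    applied_tickets = set()

    for change in log:
        param = change["param"]
        request = approvals.get(change["ticket"]) if change["ticket"] else None
        if request is None or request["param"] != param or request["new"] != change["new"]:
            findings.append(("unapproved_change", param,
                             f"no approved request matches value {change['new']}"))
            continue
        applied_tickets.add(change["ticket"])

        # Effectivity in the system vs. effectivity stated on the document. A
        # positive delay means transactions generated in between used the old value.
        if change["effective"] != request["effective"]:
            delay = (change["effective"] - request["effective"]).days
            findings.append(("effectivity_mismatch", param,
                             f"approved for {request['effective']}, in force from "
                             f"{change['effective']} ({delay:+d} days)"))

        # Segregation of duties: request, approval and keying the change are three roles.
        roles = {request["requested_by"], request["approved_by"], change["changed_by"]}
        if len(roles) < 3:
            findings.append(("segregation_of_duties", param,
                             f"{change['ticket']}: one person holds more than one role"))

    # Approvals with no corresponding system change: the rule management signed off
    # on is not the rule the system is using.
    for ticket, request in approvals.items():
        if ticket not in applied_tickets:
            findings.append(("approved_not_applied", request["param"],
                             f"{ticket} effective {request['effective']} has no system change"))
    return findings


if __name__ == "__main__":
    for kind, param, detail in audit_parameter_changes(SYSTEM_PARAMETER_LOG, APPROVED_REQUESTS):
        print(f"{kind:<22} {param:<14} {detail}")
```

On the constructed data the script returns four findings, one of each kind: RESERVE_RATIO took effect four days after its approved date (the situation described in the next paragraph), DEPR_RATE_IT was keyed in by the same person who requested it, MIN_BALANCE was changed with no approved request, and the approved GRACE_DAYS change was never applied. The effectivity comparison is the one that matters most for system-generated transactions, because every transaction the system generated in the gap was computed with the superseded value.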
For example, in my previous corporate job, the parameter for one business rule was not immediately updated (it took several days before the update) and our company lost hundreds of millions in revenue because of the outdated parameter. In the context of IS Audit, system-generated transactions require auditors to verify the business rules, or parameters, that are set in the system and to trace the updates to approved documents, noting the effectivity of the update in the system and the effectivity of the parameter as stated in the parameter update document.

SLIDE 19
Vulnerability of data and program storage media
Digital files are great because they take up less space, can be retrieved and copied easily, and can be mined for content far more efficiently than paper records, but preservation is not their strong point, not yet anyway. Cloud-based preservation helps, but it does not completely solve the problem because you have to keep funding the storage and migration over very long periods. Funding gaps and lapses in maintenance will happen, especially if you are thinking on the scale of centuries.

SLIDE 20
If you are curious about which lasts longer, paper or electronic records, the answer is: paper can last centuries, provided the proper type is used and the proper storage conditions are met, whereas electronic records currently last about 10 to 20 years unless they are migrated to new formats or media. Data stored on electronic media is thus more vulnerable to damage than data on paper. Electronic records seem as if they should be less vulnerable than paper, because you can copy them millions of times with very little loss of data. However, if you have ever tried to open a Word document you made on a PC in 1991, you will have some idea of the problems that can occur.
The software that originally read the file format may no longer exist; the medium the file is stored on could be lost or destroyed; the data might have become corrupted; you may not have the hardware needed to read the data; and so on. Someone tried to save a batch of old documentation from the early 1990s that was stored on floppy disks, for example, and succeeded in salvaging only about a third of it. Digital archivists recommend scheduled backups, migration of files to new formats, saving files in multiple physical locations, and so on. But imagine a situation common to archives: someone cuts funding and no one does the maintenance for 20 years. A gap of a decade or two in backups and migrations could result in losing all the files saved up to that point.

What happens if there is a fire? Computer systems tend to centralize programs and data. In a fire, files and computers may be destroyed, and if the information files cannot be reconstructed from another source, the company could be in serious difficulty. From an audit standpoint there may even be a disclaimer of opinion, because nothing can be verified without proper access to records. Internal controls must be in place to ensure that data can be recovered after an accident. The auditor has to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.

SLIDE 21
The auditor’s responsibility related to IS controls
The overall objective and scope of an audit do not differ whether an entity operates in a mainly manual environment, a completely automated environment, or an environment involving some combination of manual and automated elements (i.e., manual and automated controls and other resources used in the entity’s system of internal control).
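Returning to the backup and recovery controls under SLIDE 20: the following is an added example written for this page, editor-supplied and tied to no particular backup product, showing the checks an auditor can script over a backup set, namely that every file in the backup manifest is present and has the recorded hash, that the copy is not older than policy allows, that there is more than one physical location, and that a trial restore succeeds. The files, hashes, dates, location names and policy numbers are constructed.

```python
"""Backup integrity and recoverability check for the storage-media risk (SLIDE 20).

Added example written for this page; editor-supplied, modelling no particular
backup product. The live files, manifest layout (path -> (sha256, size)), policy
numbers, location names and dates are all constructed for the example."""
import hashlib
from datetime import date
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[str, int]]
Finding = Tuple[str, str]  # (kind, detail)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: Dict[str, bytes]) -> Manifest:
    """Record the digest and size of every file at backup time."""
    return {path: (sha256_hex(blob), len(blob)) for path, blob in files.items()}


# Constructed "live" data that was supposed to be backed up.
LIVE_FILES = {
    "ledger/ar_control.dat": b"AR-CONTROL:1500.00\n",
    "ledger/ar_subsidiary.dat": b"C001:700.00\nC002:500.00\nC003:300.00\n",
    "params/business_rules.cfg": b"LATE_FEE_PCT=2.5\nRESERVE_RATIO=0.12\n",
}
BACKUP_MANIFEST = make_manifest(LIVE_FILES)
# What is actually readable from the only backup medium today: one file has rotted
# in the middle (same length, different bytes), one was never written at all.
DEGRADED_COPY = {
    "ledger/ar_control.dat": LIVE_FILES["ledger/ar_control.dat"],
    "ledger/ar_subsidiary.dat": b"C001:700.00\nC002:500.00\nC003:3\x00\x00.00\n",
}
POLICY = {"max_age_days": 7, "min_locations": 2}
REVIEW_DATE = date(2024, 6, 1)
# Each copy: (location name, files readable from that copy, date the copy was taken).
DEGRADED_COPIES = [("onsite-nas", DEGRADED_COPY, date(2024, 5, 20))]
HEALTHY_COPIES = [("onsite-nas", dict(LIVE_FILES), date(2024, 5, 30)),
                  ("offsite-vault", dict(LIVE_FILES), date(2024, 5, 30))]


def can_restore(manifest: Manifest, blobs: Dict[str, bytes]) -> bool:
    """Trial restore: every manifest entry must come back with the recorded digest."""
    return all(path in blobs and sha256_hex(blobs[path]) == digest
               for path, (digest, _) in manifest.items())


def verify_backups(manifest: Manifest, copies: List[Tuple[str, Dict[str, bytes], date]],
                   today: date, policy: dict) -> List[Finding]:
    """Check each copy against the manifest, and the set of copies against policy."""
    findings: List[Finding] = []
    for location, blobs, taken in copies:
        for path, (digest, size) in manifest.items():
            blob = blobs.get(path)
            if blob is None:
                findings.append(("missing", f"{location}: {path}"))
            elif len(blob) != size or sha256_hex(blob) != digest:
                findings.append(("corrupt", f"{location}: {path}"))
        age = (today - taken).days
        if age > policy["max_age_days"]:
            findings.append(("stale", f"{location}: {age} days old, "
                                      f"policy allows {policy['max_age_days']}"))
    locations = {location for location, _, _ in copies}
    if len(locations) < policy["min_locations"]:
        findings.append(("single_location", f"{len(locations)} location(s), "
                                            f"policy requires {policy['min_locations']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in verify_backups(BACKUP_MANIFEST, DEGRADED_COPIES, REVIEW_DATE, POLICY):
        print(f"{kind:<16} {detail}")
    print("restorable:", can_restore(BACKUP_MANIFEST, DEGRADED_COPY))
```

The hash comparison is what catches silent media rot: the corrupted subsidiary ledger has the same length as the original, so a size or file-count check alone would pass it. The trial restore is the evidence the auditor actually wants, since a backup that has never been restored is only a presumption of recoverability.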
SLIDE 22
ISA 315 lays down the responsibility of the auditor as regards internal controls in general. In the Requirements section, under the heading “The Required Understanding of the Entity and its Environment, Including the Entity’s Internal Control” and the subheading “The Entity’s Internal Control,” paragraph 18 of PSA 315 requires the auditor to obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:

Item (b): the procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;

Item (c): the related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger.
The records may be in either manual or electronic form;
Item d) How the information system captures events and conditions, other than transactions, that are significant to the financial statements.

SLIDE 23
Appendix 3, paragraph 15 of PSA 315 describes the object of that understanding, i.e., the information system relevant to the preparation of the financial statements, which consists of activities and policies, and accounting and supporting records, designed and established to:
Initiate, record and process entity transactions (as well as capture, process and disclose information about events and conditions other than transactions) and maintain accountability for the related assets, liabilities and equity;
Resolve incorrect processing of transactions, for example through automated suspense files and procedures followed to clear suspense items on a timely basis;
Process and account for system overrides or bypasses of controls;
Incorporate information from transaction processing in the general ledger (e.g., transfer of accumulated transactions from a subsidiary ledger);
Capture and process information relevant to the preparation of the financial statements for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of assets; and
Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the financial statements.

SLIDE 24 Entity-level Controls
PSA 315 also describes the auditor's responsibility as regards understanding the different levels of controls in an IT environment.
In evaluating the effectiveness of the design of controls and whether they have been implemented (see paragraphs A175 to A181), the auditor's understanding of each of the components of the entity's system of internal control provides a preliminary understanding of how the entity identifies business risks and how it responds to them. It may also influence the auditor's identification and assessment of the risks of material misstatement in different ways (see paragraph A86). This assists the auditor in designing and performing further audit procedures, including any plans to test the operating effectiveness of controls. For example:
The auditor's understanding of the control environment, the entity's risk assessment process, and the entity's process to monitor the system of internal control is more likely to affect the identification and assessment of risks of material misstatement at the financial statement level.
The auditor's understanding of the entity's information system and communication, and the entity's control activities component, is more likely to affect the identification and assessment of risks of material misstatement at the assertion level.
The first level is therefore the entity-level controls, which include (1) the control environment, (2) the entity's risk assessment process and (3) the entity's process to monitor the system of internal control.

SLIDE 25
Why is the auditor required to understand the control environment, the entity's risk assessment process and the entity's process to monitor the system of internal control?
The control environment provides an overall foundation for the operation of the other components of the system of internal control. The control environment does not directly prevent, or detect and correct, misstatements. It may, however, influence the effectiveness of controls in the other components of the system of internal control.
Similarly, the entity's risk assessment process and its process for monitoring the system of internal control are designed to operate in a manner that also supports the entire system of internal control. Because these components are foundational to the entity's system of internal control, any deficiencies in their operation could have pervasive effects on the preparation of the financial statements. Therefore, the auditor's understanding and evaluation of these components affect the auditor's identification and assessment of risks of material misstatement at the financial statement level, and may also affect the identification and assessment of risks of material misstatement at the assertion level. Risks of material misstatement at the financial statement level affect the auditor's design of overall responses, including, as explained in ISA 330, an influence on the nature, timing and extent of the auditor's further procedures.

SLIDE 26
In addition to understanding the control environment, why does the auditor EVALUATE the control environment?
The auditor's evaluation of how the entity demonstrates behavior consistent with its commitment to integrity and ethical values, whether the control environment provides an appropriate foundation for the other components of the entity's system of internal control, and whether any identified control deficiencies undermine the other components of the system of internal control assists the auditor in identifying potential issues in those other components. This is because the control environment is foundational to the other components of the entity's system of internal control. This evaluation may also assist the auditor in understanding risks faced by the entity and therefore in identifying and assessing the risks of material misstatement at the financial statement and assertion levels.
The auditor's evaluation of the control environment as it relates to the entity's use of IT may include such matters as:
Whether IT governance initiatives are commensurate with the nature and complexity of the entity and its business operations enabled by IT, including the complexity or maturity of the entity's technology platform or architecture and the extent to which the entity relies on IT applications to support its financial reporting.
The IT organizational structure and the resources allocated (for example, whether the entity has invested in an appropriate IT environment and necessary enhancements, or whether a sufficient number of appropriately skilled individuals have been employed, including when the entity uses commercial software with no or limited modifications).

SLIDE 27
Why does the auditor evaluate whether the entity's risk assessment process is appropriate?
The auditor's evaluation of the entity's risk assessment process may assist the auditor in understanding where the entity has identified risks that may occur, and how the entity has responded to those risks. The auditor's evaluation of how the entity identifies its business risks, and how it assesses and addresses those risks, assists the auditor in understanding whether the risks faced by the entity have been identified, assessed and addressed as appropriate to the nature and complexity of the entity. The former concerns the THEORETICAL risks the entity may encounter, while the latter looks at the ACTUAL risks the entity has encountered. This evaluation may also assist the auditor in identifying and assessing financial statement level and assertion level risks of material misstatement. Whether the entity's risk assessment process is appropriate to the entity's circumstances, considering the nature and complexity of the entity, is a matter of the auditor's professional judgment.
For example, in some less complex entities, and particularly owner-managed entities, an appropriate risk assessment may be performed through the direct involvement of management or the owner-manager (e.g., the manager or owner-manager may routinely devote time to monitoring the activities of competitors and other developments in the marketplace to identify emerging business risks). The evidence of this risk assessment occurring in these types of entities is often not formally documented, but it may be evident from the auditor's discussions with management that management is in fact performing risk assessment procedures.

SLIDE 28
Matters that may be relevant for the auditor to consider when understanding how the entity monitors its system of internal control include:
The design of the monitoring activities, for example whether monitoring is periodic or ongoing;
The performance and frequency of the monitoring activities;
The evaluation of the results of the monitoring activities, on a timely basis, to determine whether the controls have been effective; and
How identified deficiencies have been addressed through appropriate remedial actions, including timely communication of such deficiencies to those responsible for taking remedial action.
The auditor may also consider how the entity's process to monitor the system of internal control addresses the monitoring of information processing controls that involve the use of IT. This may include, for example:
Controls to monitor complex IT environments that:
o Evaluate the continuing design effectiveness of information processing controls and modify them, as appropriate, for changes in conditions; or
o Evaluate the operating effectiveness of information processing controls.
Controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties.
Controls that monitor how errors or control deficiencies related to the automation of financial reporting are identified and addressed.

SLIDE 29
Why is the auditor required to understand the sources of information used for the entity's monitoring of the system of internal control?
The auditor's understanding of the sources of information used by the entity in monitoring its system of internal control, including whether the information used is relevant and reliable, assists the auditor in evaluating whether the entity's process to monitor the system of internal control is appropriate. If management assumes that the information used for monitoring is relevant and reliable without having a basis for that assumption, errors in that information could lead management to draw incorrect conclusions from its monitoring activities.

SLIDE 30 General IT and Application-Level Controls
General IT controls are implemented to address risks arising from the use of IT. Accordingly, the auditor uses the understanding obtained about the identified IT applications and other aspects of the IT environment, and the applicable risks arising from the use of IT, in determining which general IT controls to identify. In some cases, an entity may use common IT processes across its IT environment or across certain IT applications, in which case common risks arising from the use of IT and common general IT controls may be identified. General IT controls operate over each layer of the IT environment: (1) the applications, (2) the database, (3) the operating system, and (4) the network. These will be discussed in detail in Unit II. In general, a greater number of general IT controls related to IT applications and databases are likely to be identified than for the other layers, because these are the most closely involved in the processing and storage of information in the entity's information system.
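The permission-monitoring control listed under SLIDE 28 (permissions applied in automated controls that enforce segregation of duties) and the access-related general IT controls just described can be exercised with a small script. The following is an added example, not code from the lecture: it computes each user's effective permissions from a constructed role map, reports conflicting permission pairs, filters out exceptions that management has accepted with a compensating control, and shows which permissions a user gained between two snapshots. Role names, permission names, the conflict pairs and the user assignments are assumptions.

```python
"""Monitoring permissions for segregation-of-duties conflicts.

Added example for the monitoring control described under SLIDE 28; it is not
code from the lecture. The role names, permission names, conflict pairs and
user assignments are assumptions constructed for illustration.
"""

# Constructed role-to-permission map, as an ERP's security module might expose it.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve"},
    "it_admin": {"user.manage"},
}

# Pairs of permissions that no single person may hold at once (assumed conflict matrix).
CONFLICTS = [
    ("vendor.create", "payment.approve"),   # create a vendor, then pay it
    ("journal.post", "journal.approve"),    # post and approve the same entry
    ("user.manage", "payment.approve"),     # grant oneself roles, then approve payments
]

# Constructed user-to-role assignments at the time of the review.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant"},
    "dave": {"gl_accountant", "controller"},
    "erin": {"it_admin", "ap_manager"},
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted through every role the user holds.
    Roles that are assigned but not defined are returned separately rather than
    ignored, since an unknown role is itself a finding."""
    perms, unknown = set(), set()
    for role in assignments.get(user, ()):
        if role in roles:
            perms |= roles[role]
        else:
            unknown.add(role)
    return perms, unknown


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS,
                   approved_exceptions=frozenset()):
    """(user, perm_a, perm_b) for each conflicting pair a user holds, sorted by user.

    approved_exceptions holds (user, perm_a, perm_b) tuples that management has
    accepted with a compensating control (e.g. a monthly review of that user's
    approvals); those are filtered out so the report shows only open items.
    """
    findings = []
    for user in sorted(assignments):
        perms, _ = effective_permissions(user, assignments, roles)
        for a, b in conflicts:
            if a in perms and b in perms and (user, a, b) not in approved_exceptions:
                findings.append((user, a, b))
    return findings


def permission_changes(previous, current, roles=ROLES):
    """Permissions each user gained between two snapshots of the assignments.
    Monitoring the delta catches a conflict introduced by a role change that a
    point-in-time review would only see at the next cycle."""
    gained = {}
    for user in sorted(set(previous) | set(current)):
        before, _ = effective_permissions(user, previous, roles)
        after, _ = effective_permissions(user, current, roles)
        if after - before:
            gained[user] = sorted(after - before)
    return gained


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD conflict:", finding)
    last_month = {**ASSIGNMENTS, "erin": {"it_admin"}}
    print("gained since last month:", permission_changes(last_month, ASSIGNMENTS))
```

In practice the role map and assignments come from the application's user export; the auditor's own contribution is the conflict matrix, and the exceptions list is the evidence that management knowingly accepted a conflict and documented the compensating control.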
In identifying general IT controls, the auditor may consider controls over the actions of both end users and the entity's IT personnel or IT service providers.

SLIDE 31
Application controls, as the name specifies, are safeguards related to specific computer applications. In a company these may consist of both automated and manual procedures. The software ensures that only authorized data gets processed by the application. Application controls relate to the accuracy and completeness of the data that enters the technology systems, and they use several methods to ensure that the data entered is complete and accurate. For some systems these controls are more crucial than for others. For example, application controls may check whether the data entered into a system is reasonable and meets the required format. There are three primary categories of application controls: input, processing and output controls. For example, a company may require employees to fill in a form for every order. Application controls then check whether the entered information meets the required format, for example ensuring that employees can only enter numbers in the units field. Similarly, they may check whether an order with the same information already exists, to identify duplication.

SLIDE 32 What Are The Key Differences Between General And Application Controls?
There are several key differences between general and application controls. For companies that employ information technology systems, both kinds of controls are critical and it is crucial to have both. However, it is still necessary to understand how they differ from each other. Some of the aspects in which general and application controls vary are as follows:
1 Definition. General controls apply to all computerized systems or applications. They include a mixture of software, hardware, and manual procedures that shape an overall control environment.
In contrast, application controls are specific controls that differ with each computerized application. For example, the application controls for a payroll system differ from those for a sales system.
2 Types. As mentioned, general controls include software, hardware, and manual procedures. Therefore, these controls may consist of software controls, computer operations controls, data security controls, administrative controls, physical hardware controls, and much more. On the other hand, application controls are more specific. As mentioned above, there are only three types of application controls: input, processing, and output controls. Each of these may have further subtypes, which all fall under application controls.
3 Scope. General controls affect the operations of a company's whole information technology system, so their scope is broad. On the other hand, application controls apply to only one application, so they have a narrower and more defined scope. That does not suggest that these controls are any less important.
4 Example. As mentioned, general controls may include all controls related to information technology systems. Controls over data center and network operations are therefore an example of general controls; they cover any information that traverses the network. Antivirus software or a firewall is a typical general control that applies to all information technology systems. On the other hand, application controls are application-specific, so input controls are a prime example. With these controls it is possible to validate any information that enters the systems, so that companies can ensure only valid data gets in. A control that makes sure every employee is paid exactly once per pay period by the payroll software is an application control.
We will learn a lot more about these general IT and application controls when we come to Unit III.

END SLIDE
There it is!
Chapter 01 The Nature of IS Audit. In summary, IS Audit is one of the assurance services that may be offered by an audit firm. It may be offered as part of an FS audit engagement or as a separate attestation service. The primary goals of IS Audit are safeguarding assets, maintaining data integrity, ensuring efficient use of IT resources, and ensuring that the controls integrated in the organization at the entity level, general IT level, and application level are operating effectively.
For comments and questions, please visit our FB group and post a comment on the post related to this video presentation, or you can send me a personal message. I discourage commenting on the YouTube post as I don't normally look at the comments on my videos. Also, be sure to check out and watch the supplementary learning materials, including the supplemental videos, accessible from the FB post. Thanks for listening and stay safe always!
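The input controls and duplicate checks described under SLIDE 31, and the "paid once" payroll control in SLIDE 32, can be made concrete. The following is an added example, not code from the lecture: it applies format and reasonableness checks to constructed order-entry records, finds duplicate orders, and lists employees paid more than once in a pay period. The field names, the validation patterns, the 1..1000 unit limit and the sample records are assumptions.

```python
"""Input controls and duplicate detection for an order form and a payroll run.

Added example for the application-control discussion in SLIDES 31 and 32; it is
not code from the lecture. Field names, validation rules, limits and the sample
records are assumptions constructed for illustration.
"""
import re
from collections import Counter

ORDER_ID = re.compile(r"ORD-\d{6}")     # assumed document-number format
MONEY = re.compile(r"\d+\.\d{2}")       # assumed price format: digits with two decimals
MAX_UNITS = 1000                        # assumed reasonableness limit per order line
DUP_KEY = ("customer", "item", "units", "unit_price", "date")


def validate_order(order):
    """Format and reasonableness checks on one keyed-in order; returns the list
    of rejection reasons (an empty list means the record may be processed)."""
    errors = []
    if not ORDER_ID.fullmatch(order.get("order_id", "")):
        errors.append("order_id: expected ORD-nnnnnn")
    units = order.get("units", "")
    if not units.isdigit():
        errors.append("units: digits only")               # 'ten' is rejected at input
    elif not 1 <= int(units) <= MAX_UNITS:
        errors.append(f"units: outside 1..{MAX_UNITS}")   # 50000 passes the format check but not the limit
    if not MONEY.fullmatch(order.get("unit_price", "")):
        errors.append("unit_price: expected d.dd")
    if not order.get("customer", "").strip():
        errors.append("customer: required")
    return errors


def find_duplicates(records, key_fields=DUP_KEY):
    """Groups of order_ids whose key fields are identical; a second order with
    the same customer, item, quantity, price and date is a likely re-keying."""
    groups = {}
    for record in records:
        key = tuple(record.get(field, "") for field in key_fields)
        groups.setdefault(key, []).append(record["order_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def paid_more_than_once(payments):
    """(employee_id, period, count) for every employee with more than one
    payment in the same pay period."""
    counts = Counter((p["employee_id"], p["period"]) for p in payments)
    return sorted((emp, period, n) for (emp, period), n in counts.items() if n > 1)


# Constructed order-entry records, as typed by employees (all values are strings).
ORDERS = [
    {"order_id": "ORD-000101", "customer": "ACME", "item": "widget", "units": "10", "unit_price": "4.50", "date": "2024-05-02"},
    {"order_id": "ORD-000102", "customer": "ACME", "item": "widget", "units": "10", "unit_price": "4.50", "date": "2024-05-02"},
    {"order_id": "ORD-000103", "customer": "Globex", "item": "gadget", "units": "ten", "unit_price": "12.00", "date": "2024-05-03"},
    {"order_id": "ORD-104", "customer": "Initech", "item": "widget", "units": "50000", "unit_price": "4.5", "date": "2024-05-03"},
    {"order_id": "ORD-000105", "customer": "", "item": "gadget", "units": "3", "unit_price": "9.99", "date": "2024-05-04"},
]

# Constructed payroll payments: E001 appears twice in the same period.
PAYMENTS = [
    {"employee_id": "E001", "period": "2024-05", "amount": "3000.00"},
    {"employee_id": "E002", "period": "2024-05", "amount": "2800.00"},
    {"employee_id": "E001", "period": "2024-05", "amount": "3000.00"},
    {"employee_id": "E002", "period": "2024-06", "amount": "2800.00"},
]

if __name__ == "__main__":
    for order in ORDERS:
        print(order["order_id"], validate_order(order) or "accepted")
    print("duplicate orders:", find_duplicates(ORDERS))
    print("paid more than once:", paid_more_than_once(PAYMENTS))
```

The format check and the reasonableness check are deliberately separate: "ten" fails the first, "50000" passes it and fails the second, which is why an input control needs both. The duplicate-order and duplicate-payment checks are the same technique (group by the fields that identify a transaction and flag groups of more than one); when auditing a live system, rerun them over the application's transaction export for the period rather than over the sample here.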
