Consideration of Internal Control in a Computer Environment

Chapter 8: Consideration of Internal Control in an Information Technology Environment
McGraw-Hill/Irwin
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
Nature of IT-Based Systems
 Many systems have moved away from centralized systems (one mainframe computer running user-developed software) toward combinations of smaller computers running commercially available software
 Less expensive software
• Electronic checkbooks (e.g., Quicken)
 Moderate systems
• Basic general ledger systems (e.g., QuickBooks)
 Expensive systems
• ERP systems (e.g., SAP)
8-2
Nature of IT Systems
 Usually consists of:
 Hardware
• Digital computer and peripheral equipment
 Software
• Various programs and routines for operating the system
8-3
Computer Hardware
 Input/Output Devices
• Card readers
• Terminals
• Electronic cash registers
• Optical scanners
• Magnetic tape drives
• Magnetic disk drives
• Optical compact disks
 Central Processing Unit
• Arithmetic unit
• Control unit
• Primary storage
 Auxiliary Storage
• Magnetic disks
• Magnetic drums
• Magnetic tapes
• Optical compact disks
8-4
Software
 Two types:
 Systems software
• Programs that control and coordinate hardware components and provide support to application software
• Operating system (examples: Unix, Windows)
 Application software
• Programs designed to perform a specific data processing task
• Written in a programming language (example: Java)
8-5
System Characteristics
 Regardless of size, a system possesses one or more of the following elements:
• Batch processing
• On-line capabilities
• Database storage
• IT networks
• End user computing
8-6
Batch Processing
 Input data gathered and processed periodically in groups
 Example: accumulate all of a day's sales transactions and process them as a batch at end of day
 Often more efficient than other types of systems, but does not provide up-to-the-minute information
8-7
Online Capabilities
 Online systems allow users direct access to data stored in the system
 Two types (a company may use both):
 Online transaction processing (OLTP)
• Individual transactions entered from remote locations
• Online real time (example: bank balance at ATM)
 Online analytical processing (OLAP)
• Enables user to query a system for analysis
• Examples: data warehouse, decision support systems, expert systems
8-8
Database Storage
 In traditional IT systems, each computer application maintains separate master files
• Redundant information stored in several files
 Database system allows users to access the same integrated database file
• Eliminates data redundancy
• Creates need for a database administrator responsible for security against improper access
8-9
IT Networks
 Networks
• Computers linked together through telecommunication links that enable them to communicate information back and forth
• WAN, LAN
• Internet, intranet, extranet
 Electronic commerce
• Involves electronic processing and transmission of data between the client and its customers
• Electronic Data Interchange (EDI)
8-10
End User Computing
 User departments are responsible for the development and execution of certain IT applications
 Involves a decentralized processing system
 IT department generally not involved
 Controls needed to prevent unauthorized access
8-11
Internal Control in IT
 Importance of internal control not diminished in a computerized environment
• Separation of duties
• Clearly defined responsibilities
• Augmented by controls written into computer programs
8-12
Audit Trail Impact
 In a traditional manual system, hard-copy documentation is available for the accounting cycle
 In a computerized environment, the audit trail ordinarily still exists, but often not in printed form
• Can affect audit procedures
• Consulting auditors during the design stage of an IT-based system helps ultimate auditability
8-13
8-14
Responsibilities (1 of 2)
 Information systems management
• Supervise the operation of the department and report to the vice president of finance
 Systems analysis
• Responsible for designing the system
 Application programming
• Design flowcharts and write programming code
 Database administration
• Responsible for planning and administering the company database
 Data entry
• Prepare and verify input data for processing
8-15
Responsibilities (2 of 2)
 IT operations
• Run and monitor central computers
 Program and file library
• Protect computer programs, master files and other records from loss, damage and unauthorized use
 Data control
• Reviews and tests all input procedures, monitors processing and reviews IT logs
 Telecommunications specialists
• Responsible for maintaining and enhancing IT networks
 Systems programming
• Responsible for troubleshooting the operating system
8-16
Computer-Based Fraud
 History shows that in many situations the person responsible for the fraud set up the system and controlled its modifications
 Segregation of duties
• Programming separate from controlling data entry
• Computer operator separated from custody or detailed knowledge of programs
 If segregation not possible, need:
• Compensating controls such as batch totals
 Organizational controls not effective in mitigating collusion
8-17
Internal Auditing in IT
 Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
 Should participate in design of IT-based system
 Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning, and data control group performing its duties
8-18
8-19
IT Control Activities
 General control activities
• Developing new programs and systems
• Changing existing programs and systems
• Access to programs and data
• IT operations controls
8-20
Application Control Activities
 Programmed control activities
 Input validation checks
• Limit test
• Validity test
• Self-checking number
 Batch controls
• Item count
• Control total
• Hash total
 Processing controls
• Input controls plus file labels
 Manual follow-up activities
 Exception reports follow-up
8-21
User Control Activities
 Designed to test the completeness and accuracy of IT-processed transactions
 Designed to ensure reliability
 Reconciliation of control totals generated by the system to totals developed at the input phase
• Example: sales invoices generated by the IT-based system tested for clerical accuracy and pricing by the accounting clerk
8-22
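The programmed application controls (limit test, validity test, self-checking number, item count, control total, hash total) and the user reconciliation of system totals to input-phase totals from the two slides above, as an added worked example that is not part of the original chapter. The customer master, product codes, limits and the day's sales batch are constructed for the example; the check digit uses the Luhn (mod-10) algorithm, one common self-checking-number scheme, which the chapter does not specify.

```python
from dataclasses import dataclass, replace
from decimal import Decimal

# Constructed master data for the example: customer numbers carry a Luhn check digit.
CUSTOMER_MASTER = {"100172", "204560", "309815"}
VALID_PRODUCTS = {"A10", "B20", "C30"}
QTY_LIMIT = (1, 500)                    # limit test bounds for quantity
AMOUNT_LIMIT = Decimal("10000.00")      # limit test bound for a single sale


@dataclass(frozen=True)
class SalesTxn:
    txn_id: str
    customer: str
    product: str
    qty: int
    amount: Decimal


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a numeric string that lacks its check digit."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # digits in odd positions from the right are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Self-checking number test: last digit must equal the check digit of the rest."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def validate(txn: SalesTxn) -> list[str]:
    """Programmed input validation; returns exception messages (empty list = clean)."""
    errors = []
    if not luhn_valid(txn.customer):            # self-checking number
        errors.append("self-check: customer number fails check digit")
    elif txn.customer not in CUSTOMER_MASTER:   # validity test against the master file
        errors.append("validity: customer not on master file")
    if txn.product not in VALID_PRODUCTS:       # validity test against a code table
        errors.append("validity: unknown product code")
    lo, hi = QTY_LIMIT                          # limit (reasonableness) tests
    if not lo <= txn.qty <= hi:
        errors.append(f"limit: quantity {txn.qty} outside {lo}-{hi}")
    if not Decimal("0") < txn.amount <= AMOUNT_LIMIT:
        errors.append(f"limit: amount {txn.amount} outside 0-{AMOUNT_LIMIT}")
    return errors


def batch_totals(txns) -> dict:
    """Item count, control total (sum of amounts) and hash total (sum of customer numbers)."""
    return {
        "item_count": len(txns),
        "control_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(int(t.customer) for t in txns),
    }


def process_batch(txns, header: dict) -> dict:
    """Apply the edits to each transaction, then reconcile the system-generated totals
    to the batch header the user department prepared at the input phase."""
    accepted, exceptions = [], {}
    for t in txns:
        errs = validate(t)
        if errs:
            exceptions[t.txn_id] = errs     # exception report for manual follow-up
        else:
            accepted.append(t)
    system = batch_totals(txns)             # totals over everything received, before rejection
    mismatches = {k: (header[k], system[k]) for k in header if header[k] != system[k]}
    return {"accepted": accepted, "exceptions": exceptions, "mismatches": mismatches}


# Constructed day's sales as shown on the source documents (basis for the batch header) ...
SOURCE_DOCS = [
    SalesTxn("T001", "100172", "A10", 10, Decimal("250.00")),
    SalesTxn("T002", "204560", "B20", 3, Decimal("89.95")),
    SalesTxn("T003", "309815", "C30", 600, Decimal("1200.00")),   # quantity exceeds limit
    SalesTxn("T004", "100172", "A10", 2, Decimal("50.00")),
]
# ... and as keyed by data entry, with the digits "17" of T004's customer number transposed.
AS_KEYED = SOURCE_DOCS[:3] + [replace(SOURCE_DOCS[3], customer="100712")]

if __name__ == "__main__":
    header = batch_totals(SOURCE_DOCS)
    result = process_batch(AS_KEYED, header)
    print("batch header:", header)
    print("exceptions:", result["exceptions"])
    print("total mismatches:", result["mismatches"])
```

Two controls catch the same keying error independently: the self-checking number rejects T004 on its own, and the hash total computed by the system (715259) disagrees with the one on the batch header (714719) even though the item count and control total still agree, which is exactly why a hash total over a non-financial field is kept alongside the control total.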
Control in Decentralized and Single Workstation Systems
 Involves use of one or more user-operated workstations to process data
 Needed controls
• Train users
• Document computer processing procedures
• Backup files stored away from originals
• Authorization controls
• Prohibit use of unauthorized programs
• Use antivirus software
8-23
Steps 1 and 2 of Audit: Plan Audit and Obtain an Understanding
 Step 1 – Consider IT system in planning
 Step 2 – Obtain an understanding of the client and its environment
• Documentation of client's IT-based system depends on complexity of system:
  • Narrative
  • Systems flowchart
  • Program flowchart
  • Internal control questionnaires
8-24
Step 3 of Audit: Assess the Risks of Material Misstatement
 Identify risks
• Relate the identified risks to what can go wrong at the relevant assertion level
• Consider whether the risks are of a magnitude that could result in a material misstatement
• Consider the likelihood that the risks could result in a material misstatement
 Evaluate effectiveness of related controls in mitigating risks
 Test of controls over IT-based systems
8-25
Techniques for Testing Application Controls
 Auditing around the computer: manually processing selected transactions and comparing results to computer output
 Manual tests of computer controls: inspection of computer control reports and evidence of manual follow-up on exceptions
 Auditing through the computer: computer-assisted techniques
• Test data
• Integrated test facility
• Controlled programs
• Program analysis techniques
• Tagging and tracing transactions
• Generalized audit software – parallel simulation
8-26
Using Generalized Audit Software to Perform Substantive Procedures
 In general, using client data and generalized audit software:
• Examine client's records for overall quality, completeness and valid conditions
• Rearrange data and perform analyses
• Select audit samples
• Compare data on separate files
• Compare results of audit procedures with client's records
8-27
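The five generalized-audit-software procedures listed above, run over a constructed inventory master file and a constructed physical count file, as an added example that is not part of the original chapter. The item numbers, quantities, costs and the planted defects are all made up for the example; the recomputation of each extension (quantity times cost) is the parallel-simulation idea from the testing-techniques slide, and the systematic sample uses a fixed start and interval so the run is reproducible (an engagement would use a random start).

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class InvItem:
    item_no: str
    qty: int
    unit_cost: Decimal
    extension: Decimal      # qty x cost as carried on the client's file


# Constructed client inventory master with planted defects: a negative quantity,
# a zero cost, a wrong extension, a duplicate record and a gap in the item sequence.
MASTER = [
    InvItem("A001", 100, Decimal("12.50"), Decimal("1250.00")),
    InvItem("A002", 40, Decimal("3.20"), Decimal("128.00")),
    InvItem("A003", -5, Decimal("7.00"), Decimal("-35.00")),
    InvItem("A004", 250, Decimal("41.00"), Decimal("10205.00")),   # 250 x 41.00 = 10250.00
    InvItem("A006", 60, Decimal("0.00"), Decimal("0.00")),        # A005 is missing
    InvItem("A007", 12, Decimal("900.00"), Decimal("10800.00")),
    InvItem("A007", 12, Decimal("900.00"), Decimal("10800.00")),  # duplicate record
]
# Constructed physical count file (quantities observed at the auditor-attended count).
COUNTS = {"A001": 100, "A002": 38, "A004": 250, "A006": 60, "A007": 12, "A008": 5}


def extension(item: InvItem) -> Decimal:
    """Auditor's own recomputation of qty x cost (parallel simulation of the client's step)."""
    return item.qty * item.unit_cost


def unique_items(master):
    """Collapse duplicate item numbers so later analyses do not double count."""
    return list({it.item_no: it for it in master}.values())


def record_quality(master) -> dict:
    """Examine the file for overall quality, completeness and valid conditions."""
    seen, dups = set(), []
    for it in master:
        if it.item_no in seen and it.item_no not in dups:
            dups.append(it.item_no)
        seen.add(it.item_no)
    nums = sorted(int(n[1:]) for n in seen)     # assumes item numbers like A001 (constructed)
    gaps = [f"A{n:03d}" for n in range(nums[0], nums[-1] + 1) if n not in nums]
    items = unique_items(master)
    return {
        "negative_qty": [it.item_no for it in items if it.qty < 0],
        "zero_cost": [it.item_no for it in items if it.unit_cost == 0],
        "duplicates": dups,
        "sequence_gaps": gaps,
        # client's extension compared with the auditor's recomputation
        "extension_errors": {it.item_no: (it.extension, extension(it))
                             for it in items if it.extension != extension(it)},
    }


def stratify(master, high=Decimal("10000"), mid=Decimal("1000")) -> dict:
    """Rearrange the file into value bands: band -> (item count, total recomputed value)."""
    out = {"high": [0, Decimal("0")], "mid": [0, Decimal("0")], "low": [0, Decimal("0")]}
    for it in unique_items(master):
        ext = extension(it)
        band = "high" if ext >= high else "mid" if ext >= mid else "low"
        out[band][0] += 1
        out[band][1] += ext
    return {band: (count, total) for band, (count, total) in out.items()}


def select_sample(master, key_threshold=Decimal("10000"), interval=2, start=1) -> list:
    """Select every key item at or above the threshold plus a systematic sample of the rest."""
    items = sorted(unique_items(master), key=lambda it: it.item_no)
    key = [it.item_no for it in items if extension(it) >= key_threshold]
    rest = [it.item_no for it in items if extension(it) < key_threshold]
    return sorted(key + rest[start::interval])


def compare_to_count(master, counts) -> dict:
    """Compare data on separate files: book quantities against the physical count file."""
    book = {it.item_no: it.qty for it in unique_items(master)}
    return {
        "not_counted": sorted(set(book) - set(counts)),
        "not_on_master": sorted(set(counts) - set(book)),
        "qty_differences": {n: (book[n], counts[n])
                            for n in sorted(book) if n in counts and book[n] != counts[n]},
    }


if __name__ == "__main__":
    print(record_quality(MASTER))
    print(stratify(MASTER))
    print(select_sample(MASTER))
    print(compare_to_count(MASTER, COUNTS))
```

Each finding maps to a follow-up the auditor would actually perform: the extension error on A004 is a direct misstatement of the client's file, the quantity difference on A002 and the uncounted A003 go to the count reconciliation, and A008 (counted but not on the master) is a completeness exception for the client's records.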
Typical Inventory Audit Procedures Using Generalized Audit Software
8-28
Service Organizations
 Computer service centers provide processing services to customers who decide not to invest in their own processing of particular data
 Outsourcing companies run computer centers and provide a range of computer processing services to companies
8-29
Service Organizations
 Auditor is concerned if the services provided are part of the client's information system. The services are part of that system if the service organization affects:
• How the client's transactions are initiated
• The accounting records and supporting information
• The accounting processes from initiation to inclusion in the financial statements
• The financial reporting process
 Can obtain a service auditors' report
• SAS 70 report (SAS 70 has since been superseded; the current equivalent for controls relevant to financial reporting is a SOC 1 report under SSAE 18)
8-30