The Impact of Information
Technology on the Audit
Process
Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 1
Learning Objective 1
Describe how IT improves
internal control.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 2
How Information Technologies
Enhance Internal Control
 Computer controls replace manual controls
 Higher-quality information is available
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 3
Learning Objective 2
Identify risks that arise from using
an IT-based accounting system.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 4
Assessing Risks of
Information Technologies
 Risks to hardware and data
 Reduced audit trail
 Need for IT experience and
separation of IT duties
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 5
Risks to Hardware and Data
 Reliance on the functioning capabilities
of hardware and software
 Systematic versus random errors
 Unauthorized access
 Loss of data
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 6
Reduced Audit Trail
 Visibility of audit trail
 Reduced human involvement
 Lack of traditional authorization
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 7
Need for IT Experience and
Separation of Duties
 Reduced separation of duties
 Need for IT experience
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 8
Learning Objective 3
Explain how general controls
and application controls
reduce IT risks.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 9
Internal Controls Specific to
Information Technology
 General controls
 Application controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 10
Relationship Between General
and Application Controls
Risk of unauthorized change
to application software
Risk of system crash
Cash receipts
application
controls
Sales
application
controls
Payroll
application
controls
Other cycle
application
controls
Risk of unauthorized
master file update
GENERAL CONTROLS
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Risk of unauthorized
processing
12 - 11
General Controls
 Administration of the IT function
 Separation of IT duties
 Systems development
 Physical and online security
 Backup and contingency planning
 Hardware controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 12
Administration of the IT Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 13
Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator
Systems
Development
Operations
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Data
Control
12 - 14
Systems Development
Typical test
strategies
Pilot testing
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Parallel testing
12 - 15
Physical and Online Security
Physical Controls:
 Keypad entrances
 Badge-entry systems
 Security cameras
 Security personnel
Online Controls:
 User ID control
 Password control
 Separate add-on
security software
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 16
Backup and Contingency
Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 17
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 18
Application Controls
 Input controls
 Processing controls
 Output controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 19
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 20
Batch Input Controls
 Financial total
 Hash total
 Record count
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 21
Processing Controls
 Validation test
 Sequence test
 Arithmetic accuracy test
 Data reasonableness test
 Completeness test
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 22
Output Controls
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 23
Learning Objective 4
Describe how general controls
affect the auditor’s testing
of application controls.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 24
Impact of Information Technology on
the Audit Process
 Effects of general controls on control risk
 Effects of IT controls on control risk and
substantive tests
 Auditing in less complex IT environments
 Auditing in more complex IT environments
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 25
Learning Objective 5
Use test data, parallel simulation,
and embedded audit module
approaches when auditing
through the computer.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 26
Test Data Approach
1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors’ test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
client’s records.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 27
Test Data Approach
Input test
transactions to test
key control
procedures
Master files
Contaminated
master files
Application programs
(assume batch system)
Transaction files
(contaminated?)
Control test
results
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 28
Test Data Approach
Control test
results
Auditor makes
comparisons
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Differences between
actual outcome and
predicted result
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 29
Parallel Simulation
The auditor uses auditor-controlled software
to perform parallel operations to the client’s
software by using the same data files.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 30
Parallel Simulation
Production
transactions
Master
file
Auditor-prepared
program
Client application
system programs
Auditor
results
Client
results
Auditor makes comparisons between
client’s application system output and
the auditor-prepared program output
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Exception report
noting differences
12 - 31
Embedded Audit Module
Approach
Auditor inserts an audit module in the
client’s application system to identify
specific types of transactions.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 32
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 33
Issues for Different IT
Environments
 Issues for network environments
 Issues for database management systems
 Issues for e-commerce systems
 Issues when clients outsource IT
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 34
End of Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 35