The Impact of Information Technology on the Audit Process

advertisement
The Impact of Information
Technology on the
Audit Process
Chapter 11
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 1
Learning Objective 1
Describe how IT improves
internal control.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 2
How Information Technologies
Enhance Internal Control
Computer controls replace manual controls.
Higher-quality information is available.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 3
Learning Objective 2
Identify risks that arise
from using an IT-based
accounting system.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 4
Assessing Risks of
Information Technologies
Reliance on the capabilities
of hardware and software
Visibility of audit trail
Reduced human involvement
Systematic versus random errors
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 5
Assessing Risks of
Information Technologies
Unauthorized access
Loss of data
Reduced segregation of duties
Lack of traditional authorization
Need for IT experience
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 6
Learning Objective 3
Explain how general controls
and application controls
reduce IT risks.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 7
Internal Controls Specific to
Information Technology
General Controls
Application Controls
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 8
General Controls
Administration of the
IT function
Physical and
online security
Segregation of
IT duties
Backup and
contingency planning
Systems
development
Hardware
controls
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
11 - 9
Application Controls
Input controls
Processing
controls
Output controls
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 10
Relationship Between General
and Administrative Controls
Risk of unauthorized change
to application software
Risk of system crash
Cash Receipts
Application
Controls
Sales
Applications
Controls
Payroll
Application
Controls
Other Cycle
Application
Controls
Risk of unauthorized
master file update
GENERAL CONTROLS
Risk of unauthorized
processing
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 11
Administration of the
IT Function
The perceived importance of IT
within an organization is often
dictated by the attitude of the
board of directors and
senior management.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 12
Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator
Systems
Development
Operations
Data
Control
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 13
Systems Development
Pilot testing
Typical test
strategies
Parallel testing
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 14
Physical and Online Security
Physical Controls:
 Keypad entrances
 Badge-entry systems
 Security cameras
 Security personnel
Online Controls:
 User ID control
 Password control
 Separate add-on
security software
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 15
Backup and
Contingency Planning
One key to a backup and contingency
plan is to make sure that all critical
copies of software and data files are
backed up and stored off the premises.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 16
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 17
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 18
Batch Input Controls
Financial total
Hash total
Record count
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 19
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 20
Output Controls
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 21
Learning Objective 4
Describe how general controls
affect the auditor’s testing
of application controls.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 22
Impact of Information Technology
on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk
and substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 23
Learning Objective 5
Use the test data, parallel
simulation, and embedded
audit module approaches
when auditing through
the computer.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 24
Test Data Approach
Test data should include all relevant
1
conditions that the auditor wants tested.
Application programs tested by the
2
auditor’s test data must be the same as
those the client used throughout the year.
Test data must be eliminated
3
from the client’s records.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 25
Test Data Approach
Input Test
Transactions to Test
Key Control
Procedures
Master Files
Contaminated
Master Files
Application Programs
(Assume Batch System)
Transaction Files
(Contaminated?)
Control Test
Results
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 26
Test Data Approach
Control Test
Results
Auditor Makes
Comparisons
Auditor-predicted
Results of Key
Control Procedures
Based on an
Understanding of
Internal Control
Differences Between
Actual Outcome
and Predicted Result
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 27
Parallel Simulation
The auditor uses auditor-controlled
software to perform parallel operations to
the client’s software by using the same data files.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 28
Parallel Simulation
Production
Transactions
AuditorPrepared
Program
Auditor
Results
Auditor Makes
Comparisons Between
Client’s Application
System Output and
Understanding of the
Client Systems Via the
Parallel Simulation
Exception Report
Noting Differences
Master File
Client
Application
System
Programs
Client
Results
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 29
Embedded Audit
Module Approach
Auditor inserts an audit module in the
client’s application system to capture
transactions with characteristics that
are of specific interest to the auditor.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 30
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 31
Issues for Different
IT Environments
Issues for microcomputer environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 32
End of Chapter 11
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 33
Download