2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 1

The Impact of Information

Technology on the Audit
Process
Chapter 12
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 2
Learning Objective 1
Describe how IT improves
internal control.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 3
How Information Technologies
Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 4
Learning Objective 2
Identify risks that arise from using
an IT-based accounting system.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 5
Assessing Risks of
Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and
separation of IT duties
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 6
Risks to Hardware and Data
Reliance on the functioning capabilities
of hardware and software
Systematic versus random errors
Unauthorized access
Loss of data
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 7
Reduced Audit Trail
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 8
Need for IT Experience and
Separation of Duties
Reduced separation of duties
Need for IT experience
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 9
Learning Objective 3
Explain how general controls
and application controls
reduce IT risks.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 10
Internal Controls Specific to
Information Technology
General controls
Application controls
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 11
Relationship Between General
and Application Controls
Cash receipts
application
controls
Sales
application
controls
Payroll
application
controls
Other cycle
application
controls
GENERAL CONTROLS
Risk of unauthorized change
to application software
Risk of system crash
Risk of unauthorized
master file update
Risk of unauthorized
processing
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 12
General Controls
Administration of the IT function
Separation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 13
Administration of the IT
Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 14
Segregation of IT Duties
Chief Information Officer or IT Manager
Systems
Development
Operations
Data
Control
Security Administrator
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 15
Systems Development
Typical test
strategies
Pilot testing Parallel testing
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 16
Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on
security software
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 17
Backup and Contingency
Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 18
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 19
Application Controls
Input controls
Processing controls
Output controls
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 20
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 21
Batch Input Controls
Financial total
Hash total
Record count
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 22
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 23
Output Controls
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 24
Learning Objective 4
Describe how general controls
affect the auditors testing
of application controls.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 25
Impact of Information Technology
on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and
substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 26
Learning Objective 5
Use test data, parallel simulation,
and embedded audit module
approaches when auditing
through the computer.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 27
Test Data Approach
1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
clients records.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 28
Test Data Approach
Application programs
(assume batch system)
Control test
results
Master files
Contaminated
master files
Transaction files
(contaminated?)
Input test
transactions to test
key control
procedures
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 29
Test Data Approach
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Control test
results
Auditor makes
comparisons
Differences between
actual outcome and
predicted result
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 30
Parallel Simulation
The auditor uses auditor-controlled software
to perform parallel operations to the clients
software by using the same data files.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 31
Parallel Simulation
Auditor makes comparisons between
clients application system output and
the auditor-prepared program output
Exception report
noting differences
Production
transactions
Auditor-prepared
program
Auditor
results
Master
file
Client application
system programs
Client
results
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 32
Embedded Audit Module
Approach
Auditor inserts an audit module in the
clients application system to identify
specific types of transactions.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 33
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 34
Issues for Different IT
Environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT
2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 35
End of Chapter 12