
6

THE IMPACT OF INFORMATION TECHNOLOGY (IT) ON THE AUDIT PROCESS
Learning Outcomes

After studying this chapter, you should be able to:


• Discuss the aspects of computerized systems which affect the auditors’ approach to risk.
• Explain the audit approaches of auditing around the computer and auditing the system.
• Explain the use of computer-assisted auditing techniques (CAATs) in the audit environment.
• Discuss how auditors can use information technology (IT) to replace paper-based files.

FUNDAMENTALS OF AUDITING All Rights Reserved


© Oxford Fajar Sdn. Bhd. (008974-T), 2017 1– 3
Audit Objective and Scope of Work in a Computerized Environment
• An information system in an IT environment includes computer hardware, software, automated controls and procedures, and data in electronic format.
• IT affects the way transactions are recorded, processed and reported.
• Controls in most IT systems consist of a combination of manual controls and automated controls.
• This will depend on the nature and complexity of the entity’s use of IT.
Audit Objective and Scope of Work in a Computerized Environment (cont.)
• Among the potential benefits of IT on internal controls:
(a) Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data;
(b) Enhancement of the timeliness, availability and accuracy of information;
(c) Facilitation of additional analysis of information;
(d) Enhancement of the ability to monitor the performance of the entity’s activities and its policies and procedures;
(e) Reduction in the risk that controls will be circumvented;
(f) Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases and operating systems.
Audit Objective and Scope of Work in a Computerized Environment (cont.)
• Potential risks in the use of IT for internal controls include:
(a) Reliance on systems or programmes that inaccurately process data, process inaccurate data or both;
(b) Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions or inaccurate recording of transactions;
(c) Unauthorised changes to data in master files;
(d) Unauthorised changes to systems or programmes;
(e) Failures to make necessary changes to systems or programmes;
(f) Inappropriate manual intervention;
(g) Potential loss of data.
Audit Objective and Scope of Work in a Computerized Environment (cont.)
• ISA 315 requires that the auditor obtain a knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that may have a significant effect on the financial statements or on the audit report.
• This knowledge is fundamental in assessing the significance of IT to the entity’s business activities and any effect it has on audit risk.

Audit Objective and Scope of Work in a Computerized Environment (cont.)
• In obtaining or updating knowledge of the entity’s business, the auditor may consider the following:
(a) The entity’s business activities and industry;
(b) The entity’s IT strategy;
(c) The extent of the entity’s IT activities, and
(d) The entity’s outsourcing arrangements.

Assessing Risks of IT

• If the IT systems were to fail, the entire organization may face the risk of being paralyzed by the inability to retrieve any information needed or by the use of unreliable information due to processing errors (which increases the likelihood of material misstatements in the financial statements).
• Specific risks to IT systems:
(a) Loss of transaction integrity
(b) Pervasive e-commerce security risks
(c) Improper accounting policies.
Assessing Risks of IT (cont.)

(h) Reliance on the functioning capabilities of hardware & software
It is critical to physically protect hardware, software & related data from physical damage that might be the result of inappropriate use, sabotage or environmental damage (e.g. fire, heat, etc.).
(i) Systematic vs. random errors
Replacing manual procedures with technology-based procedures decreases the risk of random error from human involvement.
This increases the risk of systematic error (once a procedure is programmed into the computer, it will be processed consistently until changed).
Assessing Risks of IT (cont.)

Unauthorized access
Without proper online restrictions such as passwords and user IDs, unauthorized access may be initiated, resulting in improper changes in software programs and master files.
Loss of data
(j) Visibility of audit trail
Use of IT often reduces or even eliminates source documents & records that allow an organization to trace accounting information (much information is entered directly into the computer).
Other controls must be put in place to replace the traditional ability to compare output information with hard-copy data.
Assessing Risks of IT (cont.)

(k) Reduced human involvement
Employees who deal with the initial processing of transactions never see the final results (and so are less able to identify processing misstatements), and if they do, the results are often highly summarized (it is often difficult by then to recognize misstatements).
Employees also tend to regard output generated through the use of IT as ‘correct’ because the computer produced it.
(l) Lack of traditional authorization
Advanced IT systems can often initiate certain types of transactions automatically.
Assessing Risks of IT (cont.)

(m) Need for IT experience
When the use of IT systems increases, the need for qualified IT specialists also increases.
(n) Reduced separation of duties
Computers do many duties that were traditionally segregated (authorization and book-keeping).
Combining activities from different parts of the organization into one IT function centralizes responsibilities.
IT personnel with access to software and master files may be able to steal assets unless key duties are segregated within the IT function.
Auditor’s Preparation in IT

• The necessary skills and a high level of competence are essential.
• If the necessary skills are absent,
– the opinion and expertise of a third party should be obtained (to assist the auditor in planning, monitoring and reviewing the job performed).
• Areas that should be focused on by the auditor:
– the entity’s business activities and industry
– the entity’s e-commerce strategy
– the extent of the entity’s e-commerce activities
– the entity’s outsourcing arrangements.
Internal Control In An IT Environment

• Auditing standards describe two broad control groupings for IT systems: general controls and application controls.
• General controls relate to the overall information-processing environment, and include controls over:
(a) Data centre and network operations;
(b) System software acquisition, change and maintenance;
(c) Access security, and
(d) Application system acquisition, development and maintenance.

Internal Control In An IT Environment (cont.)

• Application controls relate to the processing of individual transactions (e.g. sales or payroll).
• The controls are specific to certain software applications and typically do not affect all IT functions.
• They include:
(a) Data capture controls;
(b) Data validation controls;
(c) Processing controls;
(d) Output controls, and
(e) Error controls.

Internal Control In An IT Environment (cont.)

• Auditors normally evaluate general controls very early in the audit because of the impact of general controls on application controls.
• The overall objectives of both controls are (i) to maintain the integrity of the information and (ii) to maintain security of the data.

Internal Control In An IT Environment (cont.)

• Knowledge of general controls increases the auditor’s ability to assess risks and rely on effective application controls to reduce control risk for related audit objectives.
• Auditors must also evaluate the effectiveness of general controls first, before evaluating application controls (general controls have a pervasive effect on the effectiveness of application controls).

Internal Control In An IT Environment (cont.)

Effect of General Controls on Control Risk: Effects of general controls on system-wide applications
• Ineffective general controls create the potential for material misstatements across all system applications, regardless of the quality of individual application controls.
• On the other hand, if general controls are effective, auditors may be able to place greater reliance on application controls (test application controls for operating effectiveness and rely on the results to reduce substantive testing).
Internal Control In An IT Environment (cont.)

Effect of general controls on software changes
• When the client changes software, the auditor must evaluate whether additional testing is needed.
• If general controls are effective, the auditor can easily identify when software changes are made.
• But if general controls are weak, it may be difficult to identify software changes, and the auditor must consider doing tests of application controls throughout the current year audit.

Internal Control In An IT Environment (cont.)

Understanding Client General Controls
• Ways the auditor typically obtains information about general and application controls may include:
(a) Interviewing IT personnel and key users;
(b) Examining system documentation (flowcharts, user manuals, program change requests and testing results); or
(c) Reviewing detailed questionnaires completed by IT staff.
• Auditors should use several of these approaches because each offers different information.

Internal Control In An IT Environment (cont.)

Relating IT controls to transaction-related audit objectives
• Auditors do not normally link controls and deficiencies in general controls to specific transaction-related audit objectives (general controls affect audit objectives in several cycles).
• If general controls are ineffective, this reduces the auditor’s ability to rely on the application controls for all cycles.
• Auditors normally use a control risk matrix to help identify both manual and automated application controls and control deficiencies for each related audit objective.

Internal Control In An IT Environment (cont.)

Effect of IT Controls on Substantive Testing
• After identifying specific application controls that can be used to reduce control risk, auditors can reduce substantive testing.
• The systematic nature of automated application controls may allow auditors to reduce sample sizes used to test those controls in both the audit of the financial statements and the audit of internal controls.
• Auditors may also be able to rely on prior year testing of automated controls when general controls are effective and have not been changed.
Auditing Around and Through the Computer

Auditing around the computer
• Used when auditors are faced with auditing smaller organizations (which use industry standard, off-the-shelf software packages).
• Also used if the client’s system is based on a single PC or a small PC network.
• The computer simply replaces manual records, with few, if any, automated routines.
• The standard software is well-tested and error-free.

Auditing Around and Through the Computer (cont.)

• The auditor shall:
(a) Examine the controls around data input to ensure the flow of day-to-day input of transaction information;
(b) Examine the standing or master file data;
(c) Examine the output and relate it to the input, and
(d) Examine the output with external verification.

Auditing Around and Through the Computer (cont.)

Understanding and interrogating the management information system (MIS)
• Computerized systems are more complex and the computer generates information internally through automated routines.
• Problems faced by auditors:
(a) In complex situations, it may be possible that even the organization’s IT staff do not understand all the details, and
(b) Management may feel that they do not understand the computer system(s) and may actively avoid becoming involved with its day-to-day operations.
Computer Assisted Auditing Techniques (CAATs)

• Computer-assisted audit techniques (CAATs) may be used by auditors to execute substantive procedures or in testing application controls.
• CAATs are necessary in advanced IT systems when the validation and processing controls for routine transactions are embedded in the application programmes.
• They may also be efficient for substantive procedures when the entity’s files are maintained in machine-readable form.
Computer Assisted Auditing Techniques (CAATs) (cont.)

• Types of CAATs are generalized audit software, custom audit software, test data, parallel simulation, integrated test facility and concurrent auditing techniques.
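
An added example (not part of the original slides) of one CAAT from the list above, parallel simulation: the auditor re-processes the client's machine-readable input with an independent program and compares the results, which also shows how a systematic error differs from random ones. The payroll records, field names and the 1.5x overtime rule are constructed assumptions.

```python
"""Parallel simulation (a CAAT): re-process the client's input with the
auditor's own program and compare with what the client system produced.
All records and the pay rule below are constructed for illustration."""
from decimal import Decimal

# Constructed sample: input fields plus the gross pay the client system reported.
CLIENT_RECORDS = [
    {"emp": "E001", "hours": "40", "rate": "20.00", "client_gross": "800.00"},
    {"emp": "E002", "hours": "45", "rate": "20.00", "client_gross": "1000.00"},
    {"emp": "E003", "hours": "38", "rate": "25.00", "client_gross": "950.00"},
    {"emp": "E004", "hours": "50", "rate": "30.00", "client_gross": "1800.00"},
    {"emp": "E005", "hours": "42", "rate": "15.00", "client_gross": "660.00"},
]
STANDARD_HOURS = Decimal("40")
OVERTIME_FACTOR = Decimal("1.5")  # assumed approved business rule

def auditor_gross(hours, rate):
    """Auditor's independent re-implementation of the approved pay rule."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    return (regular * rate + overtime * rate * OVERTIME_FACTOR).quantize(Decimal("0.01"))

def parallel_simulation(records):
    """Return one exception per record where client output != auditor output."""
    exceptions = []
    for r in records:
        hours, rate = Decimal(r["hours"]), Decimal(r["rate"])
        expected = auditor_gross(hours, rate)
        reported = Decimal(r["client_gross"])
        if expected != reported:
            exceptions.append({"emp": r["emp"], "expected": expected,
                               "reported": reported})
    return exceptions

def looks_systematic(records, exceptions):
    """True when every overtime record, and no other record, is misstated:
    the pattern a programmed rule error produces, unlike random keying errors."""
    overtime_emps = {r["emp"] for r in records
                     if Decimal(r["hours"]) > STANDARD_HOURS}
    return bool(exceptions) and {e["emp"] for e in exceptions} == overtime_emps

if __name__ == "__main__":
    found = parallel_simulation(CLIENT_RECORDS)
    for e in found:
        print(e["emp"], "reported", e["reported"], "expected", e["expected"])
    print("systematic:", looks_systematic(CLIENT_RECORDS, found))
```

Here every overtime record is overstated and no other record is, which points to a rule programmed into the application rather than isolated input mistakes.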

Issues

(1) Issues for audit in era of cloud computing
(2) Issues for e-commerce system
(3) Issues when clients outsource IT
