
Advantages and Disadvantages of Technology

Computer controls replace manual controls
Higher quality information available faster
Hardware and software, and therefore all the company's information, are at risk when the computer malfunctions
Loss of hard copy audit trail
Systematic vs random errors (make the same error every time)

Advantages and Disadvantages of Technology


Reduced human involvement
Unauthorized access exposes confidential information and changes programming
Loss of data (all centralized)
Reduced segregation of duties
Lack of traditional authorization
Need for IT experience

General Internal Controls over Information Technology


General Controls
relate to all aspects of the IT function
administration of the IT function
segregation of IT duties
systems development
physical and online security
backup and contingency planning
hardware controls

General Controls
Administration of the IT Function
Must be given importance in organization
Chief Information Officer
IT steering Committees

General Controls
Segregation of IT duties
Separate custody, authorization, recordkeeping in traditional controls
Separate IT Management, Systems Development, Operations, Data Control

IT Functions
IT Management
CIO
Security Administrator

System Development
Systems Analysts
Programmers
cannot have access to input data or operations
(use test copies of programs and data)

IT Functions
Operations
Computer Operators - Day to day operations
execute jobs according to schedule
monitoring computer consoles for messages on efficiency and malfunctions

Librarian
Maintains programs and transaction files

Network administrator
planning, implementing and maintaining network

IT Functions
Data Control
Data input/output control
verify quality of input and reasonableness of output
Database administrator
controls operation and access security of shared databases

General Controls
Systems Development
Controls = system development methodology procedures
Involve IT and non IT personnel in development testing of software
Pilot testing - one part of organization
Parallel testing - both systems operate

General Controls
Physical and Online Security
Physical control over computer equipment restricts access to hardware, software, backup files, hard drives, CDs, thumb drives, laptops etc.
keypad entry
badge-entry systems
security cameras
security personnel

General Controls
Physical and Online Security (cont.)
Online access controls
User IDs
passwords
key cards
bio-id

General Controls
Backup and Contingency Planning
Several copies of backup, some stored off premises
battery backups for temporary power outages

General Controls
Hardware Controls
Built into computer equipment to detect and report equipment failures
Someone must review and act on these reports

Application Controls
Exist to satisfy the 6 transaction related audit objectives
Existence
Completeness
Accuracy
Classifications
Timing
Posting/Summarization

Application Controls
Performed by people
Performed by computers

Application Controls
Input Controls- Entering Data
Design of screens
Pull-down lists
Valid combinations
Batch totals
Record counts

Application Controls
Processing Controls
Validation Sequence Test Math Reasonableness Completeness
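
The input controls (batch totals, record counts) and processing controls (validation, sequence, math, reasonableness, completeness) listed above, as an added example that is not part of the original slides. The record layout, the customer master list and the max_qty threshold are assumptions, and the batch is constructed sample data.

```python
from decimal import Decimal

# Constructed batch header: control totals prepared before data entry.
HEADER = {"record_count": 5, "amount_total": Decimal("1825.50")}
VALID_CUSTOMERS = {"C01", "C02", "C03"}  # constructed master file

# Constructed keyed batch: (sequence no., customer, quantity, unit price, amount)
BATCH = [
    (1001, "C01", 10, Decimal("12.50"), Decimal("125.00")),
    (1002, "C09", 4, Decimal("100.00"), Decimal("400.00")),   # unknown customer
    (1004, "C03", 2, Decimal("150.25"), Decimal("300.50")),   # 1003 missing
    (1005, "C01", 900, Decimal("1.00"), Decimal("900.00")),   # unusual quantity
    (1006, "", 1, Decimal("100.00"), Decimal("110.00")),      # blank field, bad math
]

def input_controls(header, batch):
    """Input controls: compare the keyed batch with the header's control totals."""
    exceptions = []
    if len(batch) != header["record_count"]:
        exceptions.append(f"record count {len(batch)} != {header['record_count']}")
    total = sum(row[4] for row in batch)
    if total != header["amount_total"]:
        exceptions.append(f"batch total {total} != {header['amount_total']}")
    return exceptions

def processing_controls(batch, max_qty=500):
    """Processing controls: return (sequence no., failed test) pairs."""
    exceptions, prev = [], None
    for seq, customer, qty, price, amount in batch:
        if prev is not None and seq != prev + 1:
            exceptions.append((seq, "sequence"))        # gap or duplicate number
        prev = seq
        if not customer:
            exceptions.append((seq, "completeness"))    # required field is blank
        elif customer not in VALID_CUSTOMERS:
            exceptions.append((seq, "validation"))      # not on the master file
        if qty * price != amount:
            exceptions.append((seq, "math"))            # extension does not foot
        if not 0 < qty <= max_qty:
            exceptions.append((seq, "reasonableness"))  # outside expected range
    return exceptions

if __name__ == "__main__":
    for finding in input_controls(HEADER, BATCH) + processing_controls(BATCH):
        print(finding)
```

The record count agrees with the header here, so only the batch total exposes the keying error on 1006; the two input controls catch different mistakes.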

Application Controls
Output Controls
Review by human eyes for reasonableness

Audit Process and IT


General Controls are the most important
auditors evaluate General Controls first
Use Flow charts, manuals, interviews, change request forms, testing results to understand systems

Audit Process and IT Controls


Application controls may reduce control risk and need for evidence
reduce sample size
use software to test controls

Audit Process and IT


For less complex systems we can audit around the computer
test documents before input and reports after output as if it was done manually

Audit Process and IT


For more Complex systems we Audit through the computer
Test Data Approach - Auditor's data, client's system
All relevant conditions
Programs must be the same all year
Eliminate test data when done

Parallel simulation - Auditor software, client data using Generalized Audit software (ACL or IDEA)

Audit Process and IT


For more Complex systems we Audit through the computer (continued)
Embedded Audit Module - Auditor software and client data (software embedded all year in client system) real time parallel simulation.

PC Environments
General Controls less effective in smaller companies
Auditors audit around the computer
Access is a greater risk
Loss of data (viruses)

Network Environments
LAN - Local area networks
single or small cluster of buildings

WAN - wide area networks
larger regions including global

Network risks
lack of security

Network Environments
Internal Controls over Financial Reporting
network configuration
network software
Access controls
Change controls

Database Management Systems


Database Management System = storage of data for multiple uses
reduce data redundancy
control data
integrated information (cost reduction)

Risks
Improper Access
loss of data

E-Commerce Systems
Linking your network to outside networks for business purposes increases risk
firewall (filters data) hardware and software
encryption techniques - change message into code
use decryption program to decode
Public key to code, private key to decode

Digital signatures - verify source of public key

Outsourcing IT
Application Service Providers (ASPs) and Computer service centers
Difficulty in obtaining understanding of internal controls of the service center
Rely on report done on Service Center by other auditors
report on controls placed in operation
report on controls placed in operations and tests of operating effectiveness
