MODUL 13

THE IMPACT OF INFORMATION TECHNOLOGY ON THE AUDIT

PROCESS

1. How Information Technologies Improve Internal Control

 Several changes in internal control resulting from the integration of IT into accounting

systems:

1) Computer controls replace manual controls. The obvious benefit of IT is the

ability to handle large amounts of complex business transactions cost-effectively.

Because computers process information consistently, IT systems can potentially

reduce misstatements by replacing manual procedures with automated controls

that apply checks and balances to each processed transaction. This reduces the

human errors that often occur in manually processed transactions. Computers now

do many internal control activities that once were done by employees, including

comparing customer and product numbers with master files and comparing sales

transaction amounts with preprogrammed credit limits. Online security controls in

applications, databases, and operating systems can improve separation of duties,

which reduces opportunities for fraud.

2) Higher-quality information is available. Complex IT activities are usually

administered effectively because the complexity requires effective organization,

procedures, and documentation. This typically results in providing management

with more and higher-quality information, faster than most manual systems. Once

management is confident that information produced by IT is reliable, management

is likely to use the information for better management decisions.

1
2. Assessing Risks Of Information Technology

Although IT can improve a company’s internal control, it can also affect the company’s

overall control risk. Many risks in manual systems are reduced and in some cases

eliminated. However, there are risks specific to IT systems that can lead to substantial losses

if ignored. If IT systems fail, organizations can be paralyzed by the inability to retrieve

information or by the use of unreliable information caused by processing errors. These risks

increase the likelihood of material misstatements in financial statements.

 Specific risks to IT systems:

1) Risks to hardware and data

Although IT provides significant processing benefits, it also creates unique risks

in protecting hardware and data, as well as introducing potential for new types of

errors. Specific risks include the following:

o Reliance on the functioning capabilities of hardware and software.

Without proper physical protection, hardware or software may not

function or may function improperly. Therefore, it is critical to physically

protect hardware, software, and related data from physical damage that

might result from inappropriate use, sabotage, or environmental damage

(such as fire, heat, humidity, or water).

o Systematic versus random errors. When organizations replace manual

procedures with technology based procedures, the risk of random error

from human involvement decreases. However, the risk of systematic

error increases because once procedures are programmed into computer

software, the computer processes information consistently for all

2
 transactions until the programmed procedures are changed.

Unfortunately, flaws in software programming and changes to that

software affect the reliability of computer processing, often resulting in

many significant misstatements. This risk is increased if the system is not

programmed to recognize and flag unusual transactions or when trans

action audit trails are inadequate.

o Unauthorized access. IT-based accounting systems often allow online

access to electronic data in master files, software, and other records.

Because online access can occur from remote access points, including by

external parties with remote access through the Internet, there is potential

for illegitimate access. Without proper online restrictions such as

passwords and user IDs, unauthorized activity may be initiated through

the computer, resulting in improper changes in software programs and

master files.

o Loss of data. Much of the data in an IT system are stored in centralized

electronic files. This increases the risk of loss or destruction of entire data

files. This has severe ramifications, with the potential for misstated

financial statements and, in certain cases, serious interruptions of the

entity’s operations.

2) Reduced audit trail

Misstatements may not be detected with the increased use of IT due to the loss

of a visible audit trail, as well as reduced human involvement. In addition, the

computer replaces traditional types of authorizations in many IT systems.

3
 o Visibility of audit trail. Because much of the information is entered

directly into the computer, the use of IT often reduces or even eliminates

source documents and records that allow the organization to trace

accounting information. These documents and records are called the audit

trail. Because of the loss of the audit trail, other controls must be put into

place to replace the traditional ability to compare output information with

hard-copy data.

o Reduced human involvement. In many IT systems, employees who deal

with the initial processing of transactions never see the final results.

Therefore, they are less able to identify processing misstatements. Even if

they see the final output, it is often difficult to recognize misstatements

because underlying calculations are not visible and the results are often

highly summarized. Also, employees tend to regard output generated

through the use of technology as “correct” because a computer produced

it.

o Lack of traditional authorization. Advanced IT systems can often initiate

transactions automatically, such as calculating interest on savings

accounts and ordering inventory when pre-specified order levels are

reached. Therefore, proper authorization depends on software procedures

and accurate master files used to make the authorization decision.

3) Need for IT experience and separation of IT duties

IT systems reduce the traditional separation of duties (authorization, record

keeping, and custody) and create a need for additional IT experience.

4
 o Reduced separation of duties. Computers do many duties that were

traditionally segregated, such as authorization and record keeping.

Combining activities from different parts of the organization into one IT

function centralizes responsibilities that were traditionally divided. IT

personnel with access to software and master files may be able to steal

assets unless key duties are segregated within the IT function.

o Need for IT experience. Even when companies purchase simple off-the-

shelf accounting software packages, it is important to have personnel

with knowledge and experience to install, maintain, and use the system.

As the use of IT systems increases, the need for qualified IT specialists

increases. Many companies create an entire function of IT personnel,

while other companies outsource the management of IT operations. The

reliability of an IT system and the information it generates often depends

on the ability of the organization to employ personnel or hire consultants

with appropriate technology knowledge and experience.

3. Internal Controls Specific to Information Technology

Auditing standards describe two categories of controls for IT systems: general controls and

application controls.

1) General controls

General controls apply to all aspects of the IT function, including IT administration;

separation of IT duties; systems development; physical and online security over access

to hardware, software, and related data; backup and contingency planning in the event

of unexpected emergencies; and hardware controls. Because general controls often

5
 apply on an entity wide basis, auditors evaluate general controls for the company as a

whole.

2) Application controls

Application controls apply to processing transactions, such as controls over the

processing of sales or cash receipts. Auditors must evaluate application controls for

every class of transactions or account in which the auditor plans to reduce assessed

control risk because IT controls will be different across classes of transactions and

accounts. Application controls are likely to be effective only when general controls are

effective.

Categories of General and Application Controls

Control Type Category of Control
Administration of the IT
Function
Separation of IT duties
Systems development
General controls
Physical and online security
. passwords and user IDs limit access
Backup and contingency
planning
Hardware controls
Input controls
Application controls Processing controls
Output controls
Example of Control
Chief information officer or IT
manager reports to senior
management and board
Responsibilities for programming,
operations, and data control are
separated.
Teams of users, systems analysts,
and programmers develop and
thoroughly test software.
Access to hardware is restricted,
to software and data files, and
encryption and firewalls protect data
and programs from external parties.
Written backup plans are prepared
and tested regularly throughout the
year.
Memory failure or hard drive failure
causes error messages on the monitor
Preformatted screens prompt data
input personnel for information to be
entered.
Reasonableness tests review unit-
selling prices used to process a sale.
The sales department does post
processing review of sales
transactions.

6
4. Impact of Information Technology On The Audit Process

Because auditors are responsible for obtaining an understanding of internal control, they

must be knowledgeable about general and application controls, whether the client’s use of IT

is simple or complex. Knowledge of general controls increases the auditor’s ability to assess

and rely on effective application controls to reduce control risk for related audit objectives.