AUDITING IN THE IT

ENVIRONMENT
DA: CH9
ISA 315

ISA 330

ISA 402

ISRE 3402

INTRO

6 broad IT systems

- Transaction processing system (TPS)  process daily routine business transactions at an operational
level
- Management reporting systems (MRS)  provide management with exception reports, summaries
and routine reports to allow managers to control their area of responsibility
- Decision support system (DSS)  contain more analytical power and may use information from
external sources
- Executive information systems (EIS)  provide more summarised data that focuses on long term
strategic views used by senior executive management
- Professional support systems (PSS) more specific to individual professional disciplines such as
engineering, medicine or law
- Office information systems (OIS)  support work in an office environment such as email, work
scheduling, word processing and calculative functions

Focus of ch9 is on TPS AND MRS

IT environment influences the nature, scope and timing of audit procedures to be performed, specifically:

- Procedures to gain an understanding of the IT and internal control environment

- Evaluation of inherent and control risks
- The effect of IT on audit procedures, including the availability of data and the use of audit software
- The design and performance of TOCs and SPs

STRATEGIC MANAGEMENT OF THE COMPUTER ENVIRONMENT

IT

- Is aligned with the overall strategy of the business

- Must be integrated into the entire organisation
- Must be designed to improve business processes

DIFFERENT IT ENVIRONMENTS

- Online systems
 - Real-time systems
- Distributed processing (networks)
- Mobile applications
- Database systems
- Internet/intranet
- Batch processing
- Personal computer systems
- Other subsets
o Electronic business transactions
o Enterprise software applications
o Could systems
o Virtualisation
o Virtual office
o Open source software
o Data warehousing
o Analytics
o Thin applications

ONLINE COMPUTER SYSTEMS

Data is captured via a terminal and immediately edited, processed and written to a computer file

Advantages

- Files are up to date

- Accuracy of entry
- Risk of non-recording of transactions is small
- The system is fast

Disadvantages

- Absence of visible entry and audit trails

- Higher risk of unauthorised
o Access to the system and data
o Processing on the system
o Changes to data

Operating system is necessary to control access to the system and to monitor processing on all input devices

Types of online systems

- Online entry with real-time processing

- Online entry with batch processing
- Shadow processing
- Online entry with memory update
- Online enquiry facilities
- Online downloading/uploading processing

REAL TIME SYSTEMS

Online systems where transactions are processed immediately

DISTRIBUTED PROCESSING (NETWORKS)

Essentially online processing with sharing of hardware, software and data

LAN

WAN

Middleware

- Server-aware software, layered between applications, the operating system and the underlying
network
- Facilitates cooperative processing

MOBILE APPLICATIONS

Input devices

DATABASE SYSTEMS

Database – a collection of data used and shared by a number of different users for a number of different
purposes

Components: database: data, & database management system (DBMS)

Characteristics:

- Data sharing
- Data independence

Flat file – single record holding all data concerned

Relational – multiple tables containing relationships

THE INTERNET

Internet vs internet vs intranet

Internet - Shared worldwide public network

internet – connection of computers without the Internet

intranet – private network restricted to a particular organisation or group (for internal use)

extranet – extension of intranet allowing for communication with customers and suppliers

VPN – private encrypted network through the internet

VANS – value added network service – service provider responsible for the maintenance of a data
communication network. Receives, stores and transmits information. Similar to switch but quicker.

BATCH PROCESSING

Transactions collected in batches before being processed

Control totals of batch calculated (batch total = financial information ; hash total = non-financial information)
 - By user and computer systems -> comparison is done

Advantages

- Visible audit trails

- Accuracy

Disadvantages

- Slow
- Files not continuously updated

PERSONAL COMPUTER (PC) BASED SYSTEMS

1. Stand-alone workstations
2. Network of PCs (distributed processing)
3. Links to central computer

ELECTRONIC BUSINESS TRANSACTIONS (ELECTRONIC COMMERCE OR E-COMMERCE)

Use of IT to conduct business between buyers and sellers

Electronic data interchange (EDI)

Electronic funds transfer (EFT)

Business-to-business (B2B)

Business-to-customer (B2C)

SA legislation -> only advanced electronic signature will be accepted (authorised by an accrediting authority
established i.t.o legislation

ENTERPRISE SOFTWARE APPLICATIONS

Purpose designed applications for the organisation

CLOUD SYSTEMS

Enable businesses to use computer services over a network without client having to install an application.

Data is centrally stored

Concerns: abuse, security, legal compliance, confidentiality, privacy

VIRTULISATION

Software as a service (SaaS) -> applications

Infrastructure as a service (IaaS) -> equipment

Platform as a Service (PaaS) -> software development framework

THE VIRTUAL OFFICE

EEs working from home using remote networks

OPEN SOURCE SOFTWARE

No charge or no contractual expectation

Concerns: security, support, maintenance

DATAWAREHOUSING

Storage database separate from transaction processing applications

ANALYTICS

Identify and interpret patterns within data

Convert raw data into meaningful information

THIN APPLICATIONS

Device users software which remains on the server

OUTSOURCING AND THE USE OF SERVICE ORGANISATIONS AND SERVICE PROVIDERS

COMPUTER SERVICE ORGANISATIONS

Attend to all information processing needs

SERVICE PROVIDERS

E-commerce applications

- VANS and switches

o VANS = online service
o Switch = store and forward techniques

Internet service providers

Data storage facilities

- Incl. data storage facilities

Management of facilities

- Development and maintenance of application software

- Website applications
- Disaster recovery services
- Data network operations

Cloud computing

RISKS IN AN IT ENVIRONEMENT

Governance of IT = responsibility of the board

Responsibility should be delegated to the CIO, appointed by the CEO

1. Risks relating to the integrity of financial information (management and auditor)

 2. Risks relating principally to managements requirements

Detailed discussion on risks pg 9-22

CONTROLS IN AN IT ENVIRONMENT

Specific risks of an IT system

- Programs processing data inaccurately

- Inaccurate data
- Failure to make necessary changes to systems
- Unauthorised access to data
- Inappropriate manual intervention
- Breakdown in segregation of duties
- Unauthorised changes to data in master files
- Unauthorised changes to systems or programs
- Loss of data or inability to access data as required

AUDITING IN AN IT ENVIRONMENT
IMPACT OF IT ENVIRONMENT ON THE AUDIT PROCESS

- Prior to accepting engagements

- When obtaining an understanding of the business, accounting systems and related controls
- Planning the nature, timing and extent of audit procedures
- When performing audit procedures