
Akash Mukesh Kumar, ACA

Information Technology (IT) System


Why?

Before IT Systems:
- Manual invoice
- Manual journal entry
- Manual preparation of financial statements

After IT Systems:
- Automatic invoice
- Automatic journal entry
- Automatic preparation of financial statements


Computer Assisted Audit Techniques (CAAT)

Advantages:
- Accuracy and completeness of IT transaction
- Testing of large volume of data is possible

Disadvantages:
- Cost of hardware, software and updating
- Cost of training

Approaches to Audit:
- Audit Around The Computer: just verify the transactions, not the IT system.
- Audit Through The Computer: understand (evaluate) the IT system as well. If they use an IT system, then we should use the IT system too.

Input (Transaction) → IT System (Internal Controls) → Financial Statements

Overview of IT System

IT System = Hardware + Software (Program Application) + Data

Physical Access Control:
- All the parts are kept locked away, otherwise someone will run off with them.
- Items are tagged so that if one goes missing it is noticed immediately.

Logical Access Control:
- Passwords are set on the software and so on, so that not everyone can access it.
- All files are encrypted and backups are made.

Overview of IT System

Used By Client:
- Types of System: Micro Computer System, Online
- Types of Control: Preventive, Detective, Corrective; General Controls, Application Controls; Control over Transmission of Data

Used By Auditor:
- Risk Assessment Procedures: System Flow Charts
- Test of Control: Test Data
- Substantive Procedures: Audit Software

Types of System

Micro Computer System

Definition: Many desktop computers are used (located throughout the organization) instead of a large centralized computer based information system.

Benefits:
- Operated by users without much training
- More efficient

Risks:
- Physical security
- Logical security
- Compatibility issues
- Weak backup and virus protection
- No documentation for off-the-shelf software
- Lack of segregation of duties

Online

Definition: System that allows users direct access to centralized data and programs through terminals linked in a network.

Benefits:
- Immediate entry
- Immediate update of files
- Immediate response

Controls:
- General Controls: Firewall, System logs, Programming controls, Logical access controls
- Application Controls: Input authorization, Input validation, Balancing controls

Controls

General Controls

Firewall → Preventive Control
Just as in films a fire is lit in front of the hero, daring him to get through it if he wants to reach the girl, a firewall is put up in front of a virus: if it wants to reach the data, it has to get through this first.

System logs → Detective Control
There is no option to delete the history. This is a big deal.

Programming controls → Preventive Control
Not everyone should be able to make changes to the software.

Logical access controls → Preventive Control
Passwords and the like are in place at the workplace.

Application Controls

Input authorization
The person entering the input must be authorized. Not just anyone should be able to enter data.

Input validation
The data itself must also be completely correct.

Balancing controls
When an entry is made, check that debit and credit tally, with a suspense account having been created.

Important
- General controls are more important as compared to application controls.
- Because if an application control is overridden, one branch is lost; if the general controls go, all the data is gone.

Types of Control

Preventive: stops errors from happening in the system.
↓
Passwords

Detective: finds errors in the system.
↓
There is a record of who is making changes in the system (System Log).

Corrective: corrects errors after they have happened.
↓
Antivirus was installed, a better firewall was put in place.

Preventive

Access Control:
- Physical Controls: security guard, card swipe system
- Logical Controls: passwords, thumb impression

Input Authorization Control:
Only an authorized person can enter data, by means of passwords.

Training & Testing:
Training of people and testing of the system. The human element cannot be eliminated.
Shabbar sahib said the computer will do the whole audit: you just enter the data, it gives you the sample size itself and does the assessment itself, you only tell it the deviation rate.
↓
But it is still a person who has to tell it that.
Training is there so that entries are made correctly.

Control to Prevent Unauthorized Program Changes:
Someone gets into the system. He does not change the hours or the wage rate, so that the hours look right; he just sets the system up so that the total gets multiplied by 1.5.

Example: Segregation of Duties, Firewall

Types of Control

Preventive: stops errors from happening in the system.
↓
A location check is put on attendance, so attendance is not marked until the person has actually arrived.

Detective: finds errors in the system.
↓
There is a record of who is making changes in the system (System Log).

Corrective: corrects errors after they have happened.
↓
Antivirus was installed, a better firewall was put in place.

Detective

Controls To Detect Unauthorized Program Changes
System log → Whenever something is changed in the main program, or there are unauthorized attempts, a log is maintained and a popup message appears.

Input Validation Controls
Range Test / Limit Test → As soon as a salary is recorded wrongly, a popup message appears: "No, babu".

Control Over Processing
Review → A person checks at random, before processing, whether things are right or not, so mistakes get caught.
Exception Report → Just as we report deficiencies in the ML, the IT system itself generates its own shortcomings and sends them to the IT Head automatically in report form.

Corrective

Controls To Ensure Continuity of Operations
Backups → If a fire breaks out, the data is gone. Should there be a disaster continuity plan? One such that the company can be running again immediately.

Service Level Agreements
An agreement with a third party: whenever our computer breaks down, you will come and fix it immediately.

General Controls
Are Implemented To Support Specific Controls

Development & Acquisition of IT System
System is developed / acquired in consistency with entity's objective.
Whatever system you are acquiring, check whether or not it fits our organization's processes (this goes for the purchase system, sales system, payroll, all of them).
Experts say that sometimes, when you buy something from the market, it does not necessarily fit the organization's needs. For example, a system was bought that had an option for cash sales but none for credit sales.
Example:
- IT standards are to be used
- Segregation of duties
- There should also be training
- Test before live operation as well
- Approved by system user
- Full documentation

Documentation & Testing of Program Changes
To ensure proper development, documentation, testing, training and approval of program changes.
Example:
- Fully documented
- Training before live operations
- Tested before operations
- Changes approved by management

General Controls
Are Implemented To Support Specific Controls

Prevention & Detection of Unauthorized Changes to Program & Data Files
To ensure programs are not installed without proper authorization.
This too is a change in the program, but it is not management making it: people will make it themselves in order to commit fraud, meaning employees or hackers.
Example:
- Segregation of duties
- Physical access control
- Virus protection
- Program log
Access to program files should be restricted.

Using Correct Version of Programs & Data Files
To ensure correct version of program is used.
If a pizza is ordered at night under the midnight deals, the billing system should be the midnight one, the discounted one. If you use a super card on your phone, the revenue for that usage should be recorded under a different system, and separately for those who have no package.
Example:
- Training
- Job scheduling
- Supervision
- Review by mgmt.

General Controls
Are Implemented To Support Specific Controls

Access Controls to Prevent Unauthorized Access/Amendments
To prevent unauthorized access to data files.
Example:
- Physical access controls
- Logical access control

Ensure Continuity of Operations
Ensure continuity of operations in event of disaster.
Example:
- Appropriate measures for protection of equipment: fire extinguisher, automatic water sprays
- Disaster continuity plan:
  → Backup copies
  → Insurance
  → Maintenance and service agreements
  → Agreement with another entity to make use of its computer equipment and infrastructure

Application Controls
Controls implemented on a specific application/process.
That is, if a control is for the whole system it is called a General Control, and if it is applied to just one process it is called an Application Control.

Whenever an application is used there are 4 phases.

Example: IT System For Payroll

1 Input: the manager enters the hours.
2 Processing: the system automatically processes salary, deductions and so on.
3 Output: the pay slip is printed.
4 Master Data: the employee's name, salary, rate, contact and so on are saved in the database.

A password set on the mobile phone is a General Control. A password set on a specific app is an Application Control.

Input

Authorization:
- Login requirements
- Digital signatures for approval

Validation:
- On screen prompt
- Limit test
- Range test
- Existence test
- Sequence test
- Bar codes
- Batch total
- Check digit

Processing
- Exception report
- Manual review
- Check point and recovery procedures
- Check input/output

Output
- Restricted access to output
- Restriction on printing
- Log of distribution
- Acknowledgement of recipient
- Check visually for reasonableness
- E-report should be pswd protected

Master Data
- Regular update
- Access right
- Record count & compare with previous record
- Management review

Control over Transmission of Data
Electronic Data Interchange (EDI) System

Definition: Electronic transmission of business document. May be internal or external.

Before EDI:
If a message had to reach someone, it was written down and a peon was told to go and deliver it. Or if something had to be done, it was given in writing for documentation. Now there are emails and other means of communication.

After EDI:
For example, to order goods, link your inventory system to the supplier's system so that when the inventory level is low an order gets placed.

Electronic Data Interchange (EDI) System

Security risk:
- Lack of proper audit trail. Audit trail: ability of users to trace transaction through all of processing stages. Money trail → explaining where the money came from: whether dad earned it or granddad brought it in as inheritance.
- Increased dependency on computer system. The link has gone down, now what do we do? The work will stop.
- Possible loss or corruption of data. If Windows gets corrupted, the data is gone.

What To Do? (in our words: Controls)
- Controls over transmission of data
- Electronic audit trail
- Virus protection system
- Contingency plans and backup arrangements

Control over Transmission of Data

Objective: Ensure that data is transmitted accurately, completely and confidentially.

Data Encryption
Converting the data, before sending it, into a form that nobody else can understand.

Coding schedules or data translation tables are prepared:
A → 1
B → 2
C → 3
D → 4
E → 5

Example
Those relatives who only turn up at result time come to the house.
↓
The moment they arrive they ask what you are doing.
↓
You say you are sitting CAF 3.
Now, whoever shares your pain in CAF 3 knows what CAF 3 is. But the relatives may well think: imagine that, he is sitting 3 papers at once.

Control over Transmission of Data

Data Encryption
- Symmetric: single key used for encryption & decryption.
- Asymmetric: separate keys for encryption and decryption.
- Encryption level: Bit/Byte (00 11)
  - Stream Cypher: each word is converted separately.
  - Block Cypher: 3 words are converted together.

Using Secured WIFI With Password Protection
The Wi-Fi system must be secured. Otherwise every device attached to it can be accessed.

Using check digit to ensure data received is intact

Firewalls
To protect against hackers.

Programmed controls that ensure data is transmitted in the correct format
The format must not change. For example, you send something and at the other end it does not open properly because of some bug.

Authentication codes
When you transfer money to someone through Easy Paisa, a code is shared. Or, for example, when you change a password a code arrives.

Restricting access to source data
Even the data you have created yourself should not have unrestricted access.

Acknowledgement Codes
The person at the receiving end confirms.

Overview of IT System

Used By Auditor:
- System Flow Charts: in the planning phase.
- Test Data: when CAATs are used for test of control.
- Audit Software: when CAATs are used for substantive procedures.

100,000 transactions are coming in and their total has to be traced to the FS total. On a calculator that would take our whole life, but put it into a computer and the total comes out in one second.

Test Data

Definition: Dummy transactions developed by auditor, processed by client's IT System. Actual results are compared with expected.

Problem: Mr. B's credit limit is 400,000 and 300,000 is already receivable.
Solution: So now we enter a dummy transaction of 150,000 and see. If it is accepted, the controls are weak.

Problem: Inventory minimum level is 30, and 35 are in stock.
Solution: Enter 6 and see. An exception report should come; if it does not, the controls are weak.

Problems: Provides evidence as at the time of use. The earlier transactions have already gone through; it may be that everything was put right just for that moment.
Solution: Embedded audit facilities. Plug something like a USB into the client's system; as soon as they switch the system on, your software switches on and records violations.

Embedded audit facilities:
- Data is processed in real time. Examples: credit limit check, inventory balance check.
- When paper audit trail is not available. Examples: credit limit check, dispatch note without invoice.

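
The two test-data problems above, worked through as an added example (not part of the original slides). The "sound" and "weak" systems, the item code and the boundary rules are hypothetical; only the figures for Mr. B and the inventory level come from the slide.

```python
import copy
# Constructed master data, using the figures from the slide.
MASTER = {
    "customers": {"Mr. B": {"credit_limit": 400_000, "receivable": 300_000}},
    "inventory": {"ITEM-1": {"on_hand": 35, "min_level": 30}},
}

def sound_system(state, txn):
    """Hypothetical client system whose controls work as designed."""
    if txn["type"] == "credit_sale":
        cust = state["customers"][txn["customer"]]
        # Assumption: a sale that lands exactly on the limit is still allowed.
        if cust["receivable"] + txn["amount"] > cust["credit_limit"]:
            return "REJECTED"
        cust["receivable"] += txn["amount"]
        return "ACCEPTED"
    if txn["type"] == "issue":
        item = state["inventory"][txn["item"]]
        item["on_hand"] -= txn["qty"]
        # Assumption: the exception report fires only below the minimum level.
        return "EXCEPTION_REPORT" if item["on_hand"] < item["min_level"] else "ACCEPTED"
    raise ValueError(f"unknown transaction type: {txn['type']}")

def weak_system(state, txn):
    """Same system with a defect: the credit check ignores the open receivable."""
    if txn["type"] == "credit_sale":
        cust = state["customers"][txn["customer"]]
        if txn["amount"] > cust["credit_limit"]:
            return "REJECTED"
        cust["receivable"] += txn["amount"]
        return "ACCEPTED"
    return sound_system(state, txn)

# Auditor's test data: each dummy transaction with the result a working control gives.
TEST_DATA = [
    ({"type": "credit_sale", "customer": "Mr. B", "amount": 150_000}, "REJECTED"),
    ({"type": "credit_sale", "customer": "Mr. B", "amount": 100_000}, "ACCEPTED"),
    ({"type": "issue", "item": "ITEM-1", "qty": 6}, "EXCEPTION_REPORT"),
    ({"type": "issue", "item": "ITEM-1", "qty": 5}, "ACCEPTED"),
]

def run_test_data(system, master=MASTER, test_data=TEST_DATA):
    """Return the deviations as (transaction, expected, actual) tuples."""
    deviations = []
    for txn, expected in test_data:
        state = copy.deepcopy(master)  # dummy data never touches the real records
        actual = system(state, txn)
        if actual != expected:
            deviations.append((txn, expected, actual))
    return deviations

if __name__ == "__main__":
    for name, system in (("sound", sound_system), ("weak", weak_system)):
        print(name, run_test_data(system) or "no deviations")
```

The boundary cases (100,000 and 5) matter as much as the violations: test data that only contains invalid transactions cannot tell a working control from one that rejects everything.
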
Audit Software

Definition: Programs used by auditor to extract and interrogate financial information from client's IT system.

Problems:
- High cost on initial setup
- Compatibility issues (we have Windows 10, the client has 7: a file transfer problem)
- Client files at risk if checked live (you plugged in your USB, the client's system got corrupted, and now you will get cursed at)

Types:
- Interrogative Program (in practice this is the one used more)
  - Package (bought from the market)
  - Purpose Written (built to your own requirements)
- Interactive Software: used in online system

Examples:
- Identify large or unusual items
- To recalculate
- Stratification and sample selection
- Analytical procedures

Sales System
- Cast list of debtors (to match with FS)
- Compare balance with last year (unusual variation)
- Preparation of aging report (for bad debts)
- Calculation of debtors turnover ratio
- Stratification and sampling of data

Inventory System
- Cast inventory list and compare with FS
- Check calculation
- Calculate inventory turnover ratio
- Aging report of inventory
- Stratification and sampling of inventory

The End

Course finished!!!
