
Research Questions:

1. How do automated authorization procedures differ from manual authorization procedures? (Bano, Bastona)
2. Explain why certain duties that are deemed incompatible in a manual system may be combined in an IT environment. Give an example. (Bernardo, Bondoc)
3. Explain how the IT environment affects the segregation of functions. (Chuidian, Datu)
4. Explain how the IT environment affects supervision. (Gozun, Gravoso)
5. Explain how the IT environment affects the firm's obligation to maintain adequate accounting records. (Mendez, Nuevo)
6. Explain how the IT environment affects access control. (Quinones)
7. Explain how the IT environment affects independent verification procedures. (Rodriquez)

Transaction Authorization
− Purpose: to ensure that all material transactions processed by the information
system are valid and in accordance with management’s objectives
− Authorization may be general or specific.
● An example of general authorization is the procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. Such a procedure is called a programmed procedure.
● An example of specific authorization is the decision to extend a particular customer's credit limit beyond the normal amount. It is usually a management responsibility.
− In an IT environment, transaction authorization may consist of coded rules
embedded within computer programs. Within this setting, it may be difficult for
auditors to assess whether these transactions are in compliance with
management’s objectives.
− In an IT environment, the responsibility for achieving the control objectives of
transaction authorization rests directly on the accuracy and consistency
(Integrity) of the computer programs that perform these tasks.

Segregation Of Duties
− One of the most important control activities is the segregation of employee duties to minimize incompatible functions.
− Three objectives provide general guidelines applicable to most organizations:
1. The segregation of duties should be such that the authorization for a
transaction is separate from the processing of the transaction
2. Responsibility for the custody of assets should be separate from the
record–keeping responsibility
3. The organization should be structured so that a successful fraud requires
collusion between two or more individuals with incompatible responsibilities
− In an IT environment, segregation of duties is not identical to that of the manual environment. Computer programs typically perform tasks that are deemed incompatible in a manual system.
− There are several reasons why duties that are separated in a manual system need
not be separated in an IT environment. It would be inefficient, contrary to the
objectives of automation, and operationally futile to separate incompatible tasks
among several different programs simply to emulate traditional manual
procedures. The reason for segregating duties in a manual environment is to
control against some negative aspects of human behavior. Humans make
mistakes and occasionally perpetrate frauds.
− Computers do not make mistakes and do not perpetrate frauds. Most so-called
computer errors are actually programming errors that are, in fact, human
errors.
− Segregation of duties still plays a role in the IT environment. However, the IT auditor's attention must be redirected to those activities that threaten application integrity. The activities of program development, program operations, and program maintenance are critical IT functions that must be adequately separated.
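The coded authorization rules described under Transaction Authorization and the first segregation objective above (authorization separate from processing) can be shown together in one small program. The following Python is an added example, not material from the original notes: the SKUs, reorder points, vendor codes, user names and role names are constructed, and the decision log illustrates one way to make the rule that fired visible to an auditor, which the notes point out is otherwise hard to assess when rules are embedded in program code.

```python
"""Coded authorization rules plus a segregation check (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed master data: reorder points and designated vendors per SKU.
REORDER_POINTS = {"SKU-100": 20, "SKU-200": 50}
DESIGNATED_VENDORS = {"SKU-100": "VENDOR-A", "SKU-200": "VENDOR-B"}
NORMAL_CREDIT_LIMIT = 10_000.00

# Constructed user directory; the role names are assumptions for the example.
ROLES = {"alice": "manager", "bob": "clerk", "carol": "clerk"}

# Every decision is written here so an auditor can later see which rule
# fired and why, instead of having to read the program to find out.
DECISION_LOG: list[dict] = []


@dataclass
class PurchaseRequest:
    sku: str
    vendor: str
    on_hand: int                        # current inventory level


@dataclass
class CreditLimitRequest:
    customer: str
    new_limit: float
    approved_by: Optional[str] = None   # user who approved the increase, if anyone


def _record(rule: str, ok: bool, reason: str) -> tuple[bool, str]:
    DECISION_LOG.append({"rule": rule, "authorized": ok, "reason": reason})
    return ok, reason


def general_authorization(req: PurchaseRequest) -> tuple[bool, str]:
    """Programmed procedure: the purchase is authorized automatically only when
    inventory has fallen to its reorder point and the vendor is the designated one."""
    rule = "general:reorder"
    if req.sku not in REORDER_POINTS:
        return _record(rule, False, "unknown SKU")
    if req.on_hand > REORDER_POINTS[req.sku]:
        return _record(rule, False, "inventory above reorder point")
    if req.vendor != DESIGNATED_VENDORS[req.sku]:
        return _record(rule, False, "vendor is not the designated vendor")
    return _record(rule, True, "authorized by programmed rule")


def specific_authorization(req: CreditLimitRequest) -> tuple[bool, str]:
    """Specific authorization: exceeding the normal credit limit is a management
    decision, so the program only checks that a manager actually made it."""
    rule = "specific:credit-limit"
    if req.new_limit <= NORMAL_CREDIT_LIMIT:
        return _record(rule, True, "within normal limit")
    if ROLES.get(req.approved_by or "") != "manager":
        return _record(rule, False, "exceeds normal limit; management approval required")
    return _record(rule, True, f"approved by manager {req.approved_by}")


def process_transaction(authorized_by: str, processed_by: str) -> tuple[bool, str]:
    """Segregation of duties, objective 1: authorization and processing of the
    same transaction must be performed by different people."""
    rule = "segregation:authorize-vs-process"
    if authorized_by == processed_by:
        return _record(rule, False, "authorizer may not also process the transaction")
    return _record(rule, True, "processed")


if __name__ == "__main__":
    print(general_authorization(PurchaseRequest("SKU-100", "VENDOR-A", 18)))
    print(specific_authorization(CreditLimitRequest("C-1", 15_000.0, approved_by="alice")))
    print(process_transaction("alice", "alice"))
    for entry in DECISION_LOG:
        print(entry)
```

The general rule needs no human at all, which is the point of a programmed procedure; the specific rule still needs a person, and the program's job is only to check that the right person made the decision and to leave a record of it.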

Supervision
− Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations. Therefore, in a small organization or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is often called a compensating control. Supervision can take the form of physical supervision, reports, or other means.
− In an IT environment, supervisory control must be more elaborate than in manual
systems for three reasons:
1. It relates to the problem of attracting competent employees. Those who
design, program, maintain, and operate the firm’s computer system must
possess highly specialized skills. These individuals operate in a dynamic
setting characterized by a high rate of staff turnover.
2. It reflects management's concern over the trustworthiness of data processing personnel in high-risk areas. Some systems professionals serve in positions of authority that permit direct and unrestricted access to the organization's programs and data. The combination of technical skill and opportunity in the hands of an individual who may be mischievous or corrupt represents a significant risk to the organization.
3. The management’s inability to adequately observe employees in an IT
environment. The activities of employees engaged in data processing are
frequently hidden from management’s direct observation. Supervisory
controls must, therefore, be designed into the computer system to
compensate for the lack of direct supervision.
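One form the third point takes in practice is a supervisory control built into the system itself: every action by data processing personnel is logged, and an exception report brings the cases management cannot observe directly to its attention. The following Python is an added example, not from the original notes; the log entries, object names, role names and the supervised-hours window are all constructed assumptions for the illustration.

```python
"""Supervisory control designed into the system: a privileged-activity exception
report for management review (constructed example)."""
from __future__ import annotations

from collections import Counter

# Assumed role names for systems personnel and an assumed supervised window.
SYSTEMS_ROLES = {"programmer", "operator", "dba"}
SUPERVISED_HOURS = range(8, 18)          # 08:00 to 17:59, an assumption
# Constructed production objects: a program library member and a master file.
PRODUCTION_OBJECTS = {"PROD_PAYROLL_PGM", "PROD_AR_MASTER"}

# Constructed activity log: (timestamp, user, role, action, object).
ACTIVITY_LOG = [
    ("2024-03-01T09:02", "dana", "programmer", "read",  "TEST_PAYROLL_PGM"),
    ("2024-03-01T09:40", "dana", "programmer", "write", "PROD_PAYROLL_PGM"),
    ("2024-03-01T10:15", "erin", "operator",   "run",   "PROD_PAYROLL_PGM"),
    ("2024-03-01T11:30", "erin", "operator",   "write", "PROD_AR_MASTER"),
    ("2024-03-01T12:05", "bob",  "clerk",      "write", "PROD_AR_MASTER"),
    ("2024-03-01T23:50", "dana", "programmer", "read",  "PROD_AR_MASTER"),
]


def exception_reasons(entry: tuple) -> list[str]:
    """Return the reasons an entry needs a supervisor's attention (empty if none)."""
    timestamp, user, role, action, obj = entry
    reasons: list[str] = []
    if role not in SYSTEMS_ROLES or obj not in PRODUCTION_OBJECTS:
        return reasons      # ordinary user activity is covered by application controls
    if action in {"write", "delete"}:
        reasons.append("systems personnel changed a production program or data file")
    if int(timestamp[11:13]) not in SUPERVISED_HOURS:
        reasons.append("production access outside supervised hours")
    return reasons


def exception_report(log=ACTIVITY_LOG) -> list[dict]:
    """The report a supervisor would review instead of watching the staff directly."""
    report = []
    for entry in log:
        reasons = exception_reasons(entry)
        if reasons:
            report.append({"when": entry[0], "user": entry[1], "action": entry[3],
                           "object": entry[4], "reasons": reasons})
    return report


def exceptions_per_user(log=ACTIVITY_LOG) -> Counter:
    """Count of flagged actions per person, useful for spotting a pattern over time."""
    return Counter(item["user"] for item in exception_report(log))


if __name__ == "__main__":
    for item in exception_report():
        print(item)
    print(exceptions_per_user())
```

Note that an operator running a production program is normal work and is not flagged; the rule only singles out changes to production objects and access outside the hours when someone could have been watching.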

Accounting Records
− The records capture the economic essence of transactions and provide an audit
trail of economic events. The audit trail enables the auditor to trace any
transaction through all phases of its processing from the initiation of the event to
the financial statements.
− The obligation to maintain an audit trail exists in an IT environment just as it does in a manual setting. However, automated accounting records and audit trails are very different from those in manual systems. Some computer systems maintain no physical source documents. Instead, records of transactions and other economic events are fragmented across several normalized database tables.
− Auditors must understand the operational principles of the database management systems in use and the effects of alternative file structures on accounting records and audit trails.
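To see what "fragmented across several normalized database tables" means for the audit trail, the following Python uses an in-memory SQLite database in which one sale is spread over five tables, then traces it forward from the order to its ledger postings and backward from a posting to the order, and finally lists postings the trail cannot support. This is an added example, not from the original notes; the schema, table names and sample rows are constructed for the illustration.

```python
"""Reconstructing an audit trail from normalized tables (constructed example)."""
import sqlite3

# Constructed schema: one sale is spread over five tables, so there is no
# single source document to pick up; the trail is the chain of foreign keys.
SCHEMA = """
CREATE TABLE customers   (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE sales_orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                          order_date TEXT, entered_by TEXT);
CREATE TABLE order_lines (order_id INTEGER, sku TEXT, qty INTEGER, unit_price REAL);
CREATE TABLE invoices    (id INTEGER PRIMARY KEY, order_id INTEGER, invoice_date TEXT);
CREATE TABLE gl_entries  (id INTEGER PRIMARY KEY, invoice_id INTEGER,
                          account TEXT, debit REAL, credit REAL);
"""

# Constructed sample data for a single sale of 4 x 25.00 + 2 x 50.00 = 200.00.
SAMPLE_DATA = """
INSERT INTO customers    VALUES (1, 'Acme Ltd');
INSERT INTO sales_orders VALUES (501, 1, '2024-03-01', 'bob');
INSERT INTO order_lines  VALUES (501, 'SKU-100', 4, 25.00), (501, 'SKU-200', 2, 50.00);
INSERT INTO invoices     VALUES (9001, 501, '2024-03-02');
INSERT INTO gl_entries   VALUES (1, 9001, 'Accounts Receivable', 200.00, 0.00),
                                (2, 9001, 'Sales Revenue',       0.00, 200.00);
"""


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE_DATA)
    return conn


def trace_forward(conn, order_id):
    """Follow one transaction from initiation (the order) to its ledger postings."""
    header = conn.execute(
        "SELECT so.id, c.name, so.order_date, so.entered_by "
        "FROM sales_orders so JOIN customers c ON c.id = so.customer_id "
        "WHERE so.id = ?", (order_id,)).fetchone()
    if header is None:
        return None
    lines = conn.execute(
        "SELECT sku, qty, unit_price FROM order_lines WHERE order_id = ?",
        (order_id,)).fetchall()
    postings = conn.execute(
        "SELECT g.id, g.account, g.debit, g.credit "
        "FROM invoices i JOIN gl_entries g ON g.invoice_id = i.id "
        "WHERE i.order_id = ? ORDER BY g.id", (order_id,)).fetchall()
    return {"order_id": header[0], "customer": header[1], "entered_by": header[3],
            "lines": lines, "order_total": sum(qty * price for _, qty, price in lines),
            "gl_entries": postings}


def trace_backward(conn, gl_entry_id):
    """Walk from a ledger posting back to the originating order and customer."""
    return conn.execute(
        "SELECT so.id, c.name FROM gl_entries g "
        "JOIN invoices i ON i.id = g.invoice_id "
        "JOIN sales_orders so ON so.id = i.order_id "
        "JOIN customers c ON c.id = so.customer_id "
        "WHERE g.id = ?", (gl_entry_id,)).fetchone()


def unsupported_postings(conn) -> dict:
    """Ledger entries whose chain back to an order is broken, and invoices whose
    debit postings do not equal the order total; both mean the trail is incomplete."""
    orphans = conn.execute(
        "SELECT g.id FROM gl_entries g "
        "LEFT JOIN invoices i ON i.id = g.invoice_id "
        "LEFT JOIN sales_orders so ON so.id = i.order_id "
        "WHERE so.id IS NULL ORDER BY g.id").fetchall()
    mismatches = conn.execute(
        "SELECT i.id FROM invoices i "
        "JOIN (SELECT order_id, SUM(qty * unit_price) AS total "
        "      FROM order_lines GROUP BY order_id) ol ON ol.order_id = i.order_id "
        "JOIN (SELECT invoice_id, SUM(debit) AS debits "
        "      FROM gl_entries GROUP BY invoice_id) g ON g.invoice_id = i.id "
        "WHERE ABS(ol.total - g.debits) > 0.005 ORDER BY i.id").fetchall()
    return {"orphan_gl_entries": [r[0] for r in orphans],
            "invoice_total_mismatches": [r[0] for r in mismatches]}


if __name__ == "__main__":
    db = build_sample_db()
    print(trace_forward(db, 501))
    print(trace_backward(db, 2))
    print(unsupported_postings(db))
```

The auditor's trail here is nothing but a set of joins, which is why the notes say the auditor has to understand the file structure in use: a posting with no invoice behind it, or an invoice whose postings do not add up to its order, is invisible unless someone queries for it.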

Access Controls
− Purpose: to ensure that only authorized personnel have access to the firm’s
assets.
− Unauthorized access exposes assets to misappropriation, damage, and theft.
− Physical security devices, such as locks, safes, fences, and electronic and infrared
alarm systems, control against direct access.
− Indirect access to assets is achieved by gaining access to the records and
documents that control their use, ownership, and disposition.
− Data consolidation exposes the organization to two forms of threats: (1)
computer and (2) losses from disasters
− Another problem unique to the IT environment is controlling access to computer
programs.

− Access control in an IT environment covers many levels of risk. Controls that address these risks include techniques designed to:
● limit personnel access authority
● restrict access to computer programs
● provide physical security for the data processing center
● ensure adequate backup for data files, and
● provide disaster recovery capability

Independent Verification
− Verification procedures are independent checks of the accounting system to
identify errors and misrepresentations.
− Through independent verification procedures, management can assess: (1) the
performance of individuals, (2) the integrity of the transaction processing system,
and (3) the correctness of data contained in accounting records.
− Examples of independent verifications include:
● Reconciling batch totals at points during transaction processing
● Comparing physical assets with accounting records
● Reconciling subsidiary accounts with control accounts
● Reviewing management reports (both computer and manually generated)
that summarize business activity
− In the IT environment, IT auditors perform an independent verification function by
evaluating controls over systems development and maintenance activities and
occasionally by reviewing the internal logic of programs.
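The first and third examples in the list above, reconciling batch totals at points during processing and reconciling subsidiary accounts with a control account, can be demonstrated with a few lines of Python. This is an added example, not from the original notes; the batch records, balances and the choice of customer id as the hash-total field are constructed for the illustration.

```python
"""Independent verification: batch control totals and a subsidiary-to-control
reconciliation (constructed example)."""
from __future__ import annotations

from decimal import Decimal


def money(text: str) -> Decimal:
    """Exact two-decimal amounts; floats would let totals drift."""
    return Decimal(text).quantize(Decimal("0.01"))


# Constructed batch of cash receipts as keyed at input.
INPUT_BATCH = [
    {"customer_id": 1001, "amount": money("250.00")},
    {"customer_id": 1002, "amount": money("75.50")},
    {"customer_id": 1003, "amount": money("120.00")},
]

# Constructed balances: the receivables control account and its subsidiary accounts.
CONTROL_BALANCE = money("445.50")
SUBSIDIARY_BALANCES = {1001: money("250.00"), 1002: money("75.50"), 1003: money("120.00")}


def batch_totals(records) -> dict:
    """Control totals carried with a batch: a record count, a financial total,
    and a hash total over a field with no arithmetic meaning (customer ids),
    which catches a record that is dropped or swapped even when the money agrees."""
    return {
        "count": len(records),
        "financial_total": sum((r["amount"] for r in records), money("0")),
        "hash_total": sum(r["customer_id"] for r in records),
    }


def reconcile_batch(expected: dict, records) -> list[str]:
    """Recompute the totals at a later processing point and list every disagreement."""
    actual = batch_totals(records)
    return [f"{name}: expected {expected[name]}, got {actual[name]}"
            for name in expected if expected[name] != actual[name]]


def reconcile_subsidiary(control_balance: Decimal, subsidiary: dict) -> Decimal:
    """Control account minus the sum of its subsidiary accounts; zero when they agree."""
    return control_balance - sum(subsidiary.values(), money("0"))


if __name__ == "__main__":
    expected = batch_totals(INPUT_BATCH)
    print(expected)
    altered = [dict(r) for r in INPUT_BATCH]
    altered[2]["amount"] = money("125.00")      # one amount changed during processing
    print(reconcile_batch(expected, altered))
    print(reconcile_subsidiary(CONTROL_BALANCE, SUBSIDIARY_BALANCES))
```

The three totals fail in different ways, which is why all three are carried: an altered amount moves only the financial total, a swapped customer moves only the hash total, and a dropped record moves all of them.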
