WOLLEGA UNIVERSITY

COLLAGE OF BUSINESS AND ECONOMICS

POSTGRADUATE PROGRAM IN ACCOUNTING AND FINANCE
MSC IN ACCOUNTING AND FINANCE
COURSE: AUDITING PRACTICES AND CONTROL
WEEKEND PROGRAM
INDIVIDUAL ASSIGNMENT: BOOK REVIEW
Individual Assignment III on Advanced Auditing and Control

BY:- Abebe kumela

ID NO : WU1208485

Submitted to Instructor:Dr. Adamu Terfa(PhD).

JUNE, 2020

NEKEMTE ,ETHIPIA

I
 Table content

Content page

1. Information technology auditing …………………………………………………………..1

1.1. Introduction to information technology auditing……………………..................................1
1.2. Role and responsibilities of information technology auditing ………………………….....1
1.3. The impact of information technology on internal control ………………………………..1
1.4. Internal controls specific to information …………………………………………………..2
1.5. The impact of information technology on the audit process……………………….............4
1.5.1. Effects of general controls on system-wide applications ………………………...4
1.5.2. Effect of general controls on software changes……………………….……….....5
1.5.3. Obtaining an understanding of client general controls…………………………....5
1.5.4. Relating it controls to transaction-related audit objectives ……………………....5
1.5.5. Effect of it controls on substantive testing……………………………………….6
1.6 The use of computers creates the following unique audit considerations:………………...6
1.7. Advantages and disadvantages of information technology on auditing compared to
the manual auditing process………………………………………………………………..9
1.7.1. It auditing -vs- manual auditing process………………………………………….9
1.7.2. Computer controls replace manual controls………………………………………9
1.7.3. Higher-quality information is available…………………………………………..10
1.7.4. Advantages of manual record audit process ……………………………………. 10
1.7.5. Disadvantages of manual records audit process…………………………………10
1.7.6. Advantages of information technology on the audit process ……………………10
1.7.7. Disadvantages of information technology on the audit process …………………………11
2. Summary…………………………………………………………………………………..11
3. Reference………………..…………………………………………………………………13

II
 1. Information Technology Auditing

1.1. Introduction to Information Technology Auditing

Information technology (IT) auditing involves evaluating the computer’s role in achieving
audit and control objectives. The assurance aspect of IT auditing means proving that data and
information are reliable, confidential, secure, and available as needed. Traditional financial audit
objectives are also present in information technology auditing. These include attest objectives
such as the safeguarding of assets and data integrity, and management objectives such as
operational effectiveness.
Information technology Auditing or information system auditing is an examination of the
management control within an information technology (IT) infrastructure .the evaluation of
Obtained evidence determine, if the information system are safe guarding assets, maintaining
data integrity and operating effectively to achieve the organization goals or objectives.
The use of IT improves internal control by adding new control procedures done by the computer
and by replacing manual controls subject to human error. At the same time, IT introduces risks,
which the client can manage by using controls specific to IT systems.
1.2. Role and responsibilities of information technology auditing
An information technology auditors is responsible for the internal controls and risks within a company’s
technology system .he actively monitors the system to ensure it follows policies best practice by
designing and executing internal audit strategies.
1.3. The impact of information technology on internal control
Internal audits are designed to evaluate the effectiveness of an operation's internal controls by
first gathering information about how a unit operates, identifying points at which errors or
inefficiencies are possible, and identifying system controls designed to prevent or detect such
occurrences. Then, they test the application and performance of those controls to assess how well
they work. Managers ought to routinely evaluate controls in their department's operations by
following the same process. Computers and networks provide most of the information needed for
auditing. In order to be effective, auditors must use the computer as an auditing tool, audit
automated systems and data, understand the business. Purposes for the systems, and understand
the environment in which the systems operate. The other important uses for computers and
networks by auditors are in audit administration. By seeking new uses for computers and
1
communications, auditors improve their ability to review systems and information and manage
their activities more effectively. Automated tools allow auditors to increase individual
productivity and that of the audit function. By recognizing the importance of emerging
environment and requirement to perform audit task effectively, auditors must recognize the key
reasons to use audit tools and software, which will be further explored, in later section.
The key reasons include:
 On a personal level, learn a new skill.
 Improve company decision-making using improved data.
 Increase the efficiency of an audit.
 Reduce routine tasks to provide more time for creative and business analysis.
 Provide improved transparency governance of the organization.
 Identify quantitative root causes for issues.
 Reduce fraud and abuse.
Identify savings in supplier, customer, human resource, computer, and enterprise management
1.4. Internal controls specific to information
To address many of the risks associated with reliance on IT, organizations often implement specific IT
controls. Auditing standards describe two categories of controls for IT systems: general controls and
application controls.
General controls: apply to all aspects of the IT function, including IT administration; separation of IT
duties; systems development; physical and online security over access to hardware, software, and related
data; backup and contingency planning in the event of unexpected emergencies; and hardware controls.
Because general controls often apply on an entity-wide basis, auditors evaluate general controls for the
company as a whole.
Application controls: apply to processing transactions, such as controls over the processing of sales or
cash receipts. Auditors must evaluate application controls for every class of transactions or account in
which the auditor plans to reduce assessed control risk because IT controls will be different across classes
of transactions and accounts. Application controls are likely to be effective only when general controls
are effective.
Administration of the IT Function:
The board of directors’ and senior management’s attitude about IT affect the perceived importance of IT
within an organization. Their oversight, resource allocation, and involvement in key IT decisions each
signal the importance of IT. In complex environments, management may establish IT steering committees

2
to help monitor the organization’s technology needs. In less complex organizations, the board may rely on
regular reporting by a chief information officer (CIO) or other senior IT manager to keep management
informed. Responsibilities for IT management, systems development, operations, and data control should
be separated as follows:
Physical and Online Security
Physical controls over computers and restrictions to on line software and related data files decrease the
risk of unauthorized changes to programs and improper use of programs and data files. Security plans
should be in writing and monitored. Security controls include both physical controls and online access
controls.
I. Physical controls. Proper physical controls over computer equipment restrict access to
hardware, software, and backup data files on magnetic tapes or disks, hard drives, CDs, and
external disks.
II. Online access controls. Proper user IDs and passwords control access to software and
related data files, reducing the likelihood that unauthorized changes are made to software
applications and data files. Separate add-on security software packages, such as firewall and
encryption programs, can be installed to improve a system’s security
Backup and Contingency Planning. Power failures, fire, excessive heat or humidity, water damage,
or even sabotage can have serious consequences to businesses using IT. To prevent data loss during
power outages, many companies rely on battery backups or on-site generators. For more serious disasters,
organizations need detailed backup and contingency plans such as off-site storage of critical software and
data files or out - sourcing to firms that specialize in secure data storage.
Hardware Controls: is built into computer equipment by manufacturers to detect and report
equipment failures. Auditors are more concerned with how the client handles errors identified by the
hardware controls than with their adequacy. Regardless of the quality of hardware controls, output will be
corrected only if the client has provided for handling machine errors.
Application controls may be done by computers or client personnel. When they are done by client
personnel, they are called manual controls. The effectiveness of manual controls depends on both the
competence of the people performing the controls and the care they exercise when doing them.
When controls are done by computers, they are called automated controls. Because of the nature of
computer processing, automated controls, if properly designed, lead to consistent operation of the
controls.
Application controls fall into three categories: input, processing, and output. Although the objectives for
each category are the same, the procedures for meeting the objectives vary considerably. Let’s examine
each more closely.

3
 I. Input Controls Input controls are designed to ensure that the information entered into the
computer is authorized, accurate, and complete.
II. Processing Controls is prevented and detect errors while transaction data are processed.
III. Output Controls is focus on detecting errors after processing is completed, rather than on
preventing errors.
e.g. Link between internal control and IT Control

1.5. The impact of information technology on the audit process.

Because auditors are responsible for obtaining an understanding of internal control, they must be
knowledgeable about general and application controls, whether the client’s use of IT is simple or
complex. Knowledge of general controls increases the auditor’s ability to assess and rely on
effective application controls to reduce control risk for related audit objectives. For public
company auditors who must issue an opinion on internal control over financial reporting,
knowledge of both general and application IT controls is essential.
Auditors should evaluate the effectiveness of general controls before evaluating application
controls. General controls have a pervasive effect on the effectiveness of application controls, so
auditors should first evaluate those controls before concluding whether application controls are
effective.
1.5.1. Effects of General Controls on System-wide Applications
Ineffective general controls create the potential for material misstatements across all system
applications, regardless of the quality of individual application controls. For example, if IT duties
are inadequately separated such that computer operators also work as programmers and have
access to computer programs and files, the auditor should be concerned about the potential for
unauthorized software program or data file changes that might lead to fictitious transactions or

4
unauthorized data and omissions in accounts such as sales, purchases, and salaries. Similarly, if
the auditor observes that data files are inadequately safeguarded, the auditor may conclude that
there is a significant risk of loss of data for every class of transaction that relies on that data to
conduct application controls. In this situation, the auditor may need to expand audit testing in
several areas such as cash receipts, cash disbursements, and sales to satisfy the completeness
objective.
1.5.1. Effect of General Controls on Software Changes
Client changes to application software affect the auditor’s reliance on automated controls. When
the client changes the software, the auditor must evaluate whether additional testing is needed. If
general controls are effective, the auditor can easily identify when software changes are made.
But in companies where general controls are deficient, it may be difficult to identify soft ware
changes. As a result, auditors must consider doing tests of application controls that depend on IT
throughout the current year audit.
1.5.2. Obtaining an Understanding of Client General Controls
Auditors typically obtain information about general and application controls through the
following ways:
 Interviews with IT personnel and key users
 Examination of system documentation such as flowcharts, user manuals, program change
requests, and system testing results
 Reviews of detailed questionnaires completed by IT staff
In most cases, auditors should use several of these approaches because each offers different
information. For example, interviews with the chief information officer and systems analysts
provide useful information about the operation of the entire IT function and the extent of
software development and hardware changes made to accounting application software.
1.5.3. Relating IT Controls to Transaction-Related Audit Objectives
Auditors do not normally link controls and deficiencies in general controls to specific transaction
related audit objectives. Because general controls affect audit objectives in several cycles, if the
general controls are ineffective, the auditor’s ability to rely on IT-related application controls to
reduce control risk in all cycles is reduced. Conversely, if general controls are effective, it
increases the auditor’s ability to rely on IT-based application controls for all cycles.

5
Auditors can identify manual and automated Controls at the same time or separately, but they
should not identify deficiencies or assess control risk until both types of controls have been
identified. For example, to prevent payments to fictitious employees, a computer comparison of
inputted employee identification numbers with the employee master file might reduce control
risk for the occurrence objective for payroll transactions.
1.5.4. Effect of IT Controls on Substantive Testing.
After identifying specific IT-based application controls that can be used to reduce control risk,
auditors can reduce substantive testing. The systematic nature of automated application controls
may allow auditors to reduce sample sizes used to test those controls in both an audit of financial
statements and an audit of internal control over financial reporting.
Auditors may also be able to rely on prior year testing of automated controls, when general
controls are effective and the automated control has not been changed since testing by the
auditor. Auditors often use their own software to test the controls. These factors, when
combined, often lead to extremely effective and efficient audits.
Many organizations design and use accounting software to process business transactions so that
source documents are retrievable in a readable form and can be traced easily through the
accounting system to output. Such systems retain many of the traditional source documents such
as customer purchase orders, shipping and receiving records, and sales and vendor invoices. The
software also produces printed journals and ledgers that allow the auditor to trace transactions
through the accounting records. Internal controls in these systems often include client personnel
comparing computer-produced records with source documents.
This approach to auditing is often called auditing around the computer because the auditor is
not using automated controls to reduce assessed control risk. Instead, the auditor uses manual
controls to support a reduced control risk assessment.
1.6. The use of computers creates the following unique audit considerations:
I. Limited reliance on automated controls. Even in less sophisticated IT environments,
automated controls can often be relied on. For example, software programs can be loaded
on the computer’s hard drive in a format that does not permit changes by client personnel,
making the risk of unauthorized changes in the software low. Before relying on controls
built into that software, auditors must be confident that the software vendor has a
reputation for quality.

6
 II. Access to master files. When clients use desktop computers and servers, auditors should
be concerned about access to master files by unauthorized people. Appropriate separation
of duties between personnel with access to master files and responsibilities for processing
is critical. Regular owner-manager review of transaction output improves internal control.
III. Risk of computer viruses. Computer viruses can lead to the loss of data and programs.
Certain viruses can damage electronic files or shut down an entire network of computers.
Regularly updated virus protection software that screens for virus infections improves
controls.
As organizations expand their use of IT, internal controls are often embedded in applications that
are available only electronically. When traditional source documents such as invoices, purchase
orders, billing records, and accounting records such as sales journals, inventory listings, and
accounts receivable subsidiary records exist only electronically, auditors must change their
approach to auditing. This approach is often called auditing through the computer.
Auditors use three categories of testing approaches when auditing through.
a. the computer test data approach,
b. parallel simulation,
c. Embedded audit module approach.
A). Test Data Approach
In the test data approach, auditors process their own test data using the client’s computer
system and application program to determine whether the automated controls correctly process
the test data. Auditors design the test data to include transactions that the client’s system should
either accept or reject. After the test data are processed on the client’s system, auditors compare
the actual output to the expected output to assess the effectiveness of the application program’s
automated controls.
When using the test data approach, auditors have three main considerations:
1. Test data should include all relevant conditions that the auditor wants tested.
Auditors should design test data to test all key computer-based controls and include realistic data
that are likely to be a part of the client’s normal processing, including both valid and invalid
transactions.
2. Application programs tested by auditors’ test data must be the same as those the client
used throughout the year.

7
One approach is to run the test data on a surprise basis, possibly at random times throughout the
year, even though doing so is costly and time consuming. Another method is to rely on the client.
General controls in the librarian and systems development functions to ensure that the program
tested is the one used in normal processing.
3. Test data must be eliminated from the client’s records. If auditors process test data
while the client is processing its own transactions, auditors must eliminate the test data in the
client’s master files after the tests are completed to prevent master files and transaction files
from being permanently contaminated by the auditor’s testing.
Auditors can do this by developing and processing data that reverses the effect of the test data.
Because of the complexities of many clients’ application software programs, auditors who use
the test data approach often obtain assistance from a computer audit specialist.
B). Parallel Simulation
Auditors often use auditor-controlled software to do the same operations that the client’s
software does, using the same data files. The purpose is to determine the effectiveness of
automated controls and to obtain evidence about electronic account balances. This testing
approach is called parallel simulation testing.
1. Generalized audit software is used to test automated controls. An auditor obtains copies of a
client’s customer credit limit master file and a customer order file, and then instructs the
auditor’s computer to list transactions that exceed the customer’s authorized credit limit. The
auditor then compares the audit output to the client’s list of customer orders that were rejected
for exceeding authorized credit limits.
2. Generalized audit software is used to verify the client’s account balances. An auditor can use
the software to sum the master file of customer accounts receivable to determine whether the
total agrees with the general ledger balance.
C). Embedded Audit Module Approach
When using the embedded audit module approach, auditors insert an audit module in the
client’s application system to identify specific types of transactions. For example, auditors might
use an embedded module to identify all purchases exceeding $25,000 for follow-up with more
detailed examination for the occurrence and accuracy transaction-related audit objectives. In
some cases, auditors later copy the identified transactions to a separate data file and then process

8
those transactions using parallel simulation to duplicate the function done by the client’s system.
The auditor then compares the client’s output with the auditor’s output.
 Discrepancies are printed on an exception report for auditor follow-up.
 The embedded audit module approach allows auditors to continuously audit transactions
by identifying actual transactions processed by the client as compared to test data and
parallel simulation approaches, which only allow intermittent testing.
 Internal audit may also find this technique useful.
1.7. Advantages and disadvantages of information technology on auditing
compared to the manual auditing process
1.7.1. IT auditing -VS- Manual Auditing process
Most entities, including small, family-owned businesses, rely on IT to record and process
business transactions. As a result of explosive advancements in IT, even relatively small
businesses use personal computers with commercial accounting software for their accounting. As
businesses grow and have increased information needs, they typically upgrade their IT systems.
The accounting function’s use of complex IT networks, the Internet, and centralized IT functions
is now commonplace.
Let’s examine several changes in internal control resulting from the integration of IT into
accounting systems:
1.7.2. Computer controls replace manual controls.
The obvious benefit of IT is the ability to handle large amounts of complex business transactions
cost-effectively. Because computers process information consistently, IT systems can potentially
reduce misstatements by replacing manual procedures with automated controls that apply checks
and balances to each processed transaction.
This reduces the human errors that often occur in manually processed transactions. Computers
now do many internal control activities that once were done by employees, including comparing
customer and product numbers with master files and comparing sales transaction amounts with
preprogrammed credit limits. Online security controls in applications, databases, and operating
systems can improve separation of duties, which reduces opportunities for fraud.

9
1.7.3. Higher-quality information is available.
Complex IT activities are usually ad - ministered effectively because the complexity requires
effective organization, procedures, and documentation. This typically results in providing
management with more and higher-quality information, faster than most manual systems. Once
management is confident that information produced by IT is reliable, management is likely to
use the information for better management decisions.
1.7.4. Advantages of manual auditing process
The advantage of manual recording an auditing process as:
 Less expensive to set up
 The risk of corrupted data is much less
 Data loss is less of a risk .particularly if records are stored in a fire proof records
 Problems with duplicated copies of the same records are generally avoided
 The process is simplified as you don’t need to familiar with how accounting soft ware
calculates and treats your information.
1.7.5. Disadvantages
 It needs to much time when searching files
 It needs store house or board and easily damaged and lost if there is no fire protect room
 If damaged and their copy of information it have high risk to back up information
 Take much time to recording and processing information
1.7.6. Advantages of Information Technology on the Audit Process
Information technology is perceived to bring advantages to auditors in the audit process
Information technology assist auditors getting their work done more efficient and effective, can
shorten the time of substantive test during an audit process, and can enhance their productivity.
Several auditing standards suggest that usage of information technology in auditing improves
audit efficiency and effectiveness. Computerized assisted auditing includes any use of
technology to assist in the completion of audits. Auditing standards also encourage auditors to
use the computerized assisted auditing to check the accuracy of electronic files and re-perform
selected procedures such as aging of accounts receivable.
Information technology can help auditors to shorten the time of substantive test in terms of
samples selection process. Both statistical and non-statistical sampling methods are allowed for
substantive tests in auditing.

10
In other words, information technology can improve the productivity of the firm and reduce its
operating costs, while at the same time increase revenue of the firm. In such situation, electronic
presentation of audit working paper can led to high quality of audit decision making and gets
more new client, which can boost up the audit firm’s revenue.
1.7.7. Disadvantages of Information Technology on the Audit Process
However, it is also claimed that using information technology has a few disadvantages too. It is
claimed that computerized assisted auditing lack a common interface with information
technology systems, such as file formats, operating systems, and application programs. The
problem is, auditors have to design one specialized audit software for each auditee’s electronic
data processing system if the electronic data processing system uses proprietary file formats or
different operating systems.
Applying an advanced computerized assisted auditing is usually very costly even if it is possible
because for some audit software, it requires special audit software modules be embedded in the
electronic data processing system in the designing stage.
As the auditees’ electronic data processing systems become more complex, it is essential for the
auditors to audit through the computers. Most computerized assisted auditing currently in use
cannot directly access the clients’ data on-line. Auditors usually gather the historical data file
from the auditee’s personnel. This situation creates the possibility that the auditors may be given
manipulated data.
2. SUMMARY of the chapter
This chapter studied how IT influences the audit process. Even when a client’s use of IT leads to
improved internal control, the use of IT-based accounting systems introduces new risks typically
not associated with traditional manual systems. Well-managed companies recognize these risks
and respond by implementing effective general and application controls in the IT system to
reduce the impact of these risks on financial reporting. The auditor must be knowledgeable about
these risks and obtain an understanding of the client’s general and application controls to
effectively plan an audit. Knowledge about general controls provides a basis for the auditor to
rely on automated application controls and may reduce the extent of tests of key automated
controls in audits of financial statements and internal controls. Some of the auditor’s tests of
controls can be done by the computer, often as a way to achieve more effective and efficient
audits. Reliance on general and application controls to reduce control risk is likely to change

11
when clients use desktop computers, networks, database management systems, e-commerce
systems, and out sourced computer service centers instead of centralized IT systems.

12
3. Reference
1. Audit and assurance service 14th edition ( chapter 12)
2. ebooksclub.org__Core_Concepts_of_Accounting_Information_Systems.pdf( chapter 14)
3. Banker, R.D., Chang, H., Kao, Y. (2002), Impact of information technology on public
accounting firm productivity. Journal of Information System, 16(2), 209-222.
4. Davis Robert E.(2005) ,Advanced system ,network and IT Auditing an adaptive
process ,ISBN 978-0974302997.
5. IT audit manual (ITAM) 1st edition November 2017 African Organization of English-Speaking
Supreme Audit Institutions
6. Higgins, H.N., Nandram, B. (2009), Monetary unit sampling: Improving estimation of the
total audit error. Advances in Accounting, 25(2), 174-182.
7. Shaikh, J.M. (2005), E-commerce impact: Emerging technology – Electronic auditing.
Managerial Auditing Journal, 20(4), 408-421
8. Zhao, N., Yen, D.C., Chang, I. (2004), Auditing in the e-commerce era. Information
Management and Computer Security, 12(5), 389-400.

13