
AUDITING IN COMPUTERIZED ENVIRONMENT

7-1
How Information Technologies Enhance
Internal Control

Computer controls replace manual controls.


Higher-quality information is available.

7-2
Assessing Risks of
Information Technologies
RISK TO HARDWARE AND DATA

• Reliance on the capabilities of hardware and software
• Systematic vs. random errors
• Unauthorized access
• Loss of data

7-3
Assessing Risks of
Information Technologies

REDUCED AUDIT TRAIL & TRADITIONAL AUTHORIZATION

• Visibility of audit trail
• Reduced human involvement
• Lack of traditional authorization

7-4
Assessing Risks of
Information Technologies

NEED FOR IT EXPERIENCE AND SEPARATION OF IT DUTIES

• Reduced separation of duties
• Need for IT experience

7-5
Learning Objective 2

Explain how general controls and application controls reduce IT risks.

7-6
Internal Controls Specific to Information
Technology

General Controls

Application Controls

7-7
General Controls

• Administration of the IT function
• Physical and online security
• Segregation of IT duties
• Backup and contingency planning
• Systems development
• Hardware controls

7-8
Application Controls

Input controls

Processing controls

Output controls

7-9
Relationship Between General and
Administrative Controls
[Figure: GENERAL CONTROLS surround the application controls of each cycle (Cash Receipts Application Controls, Sales Application Controls, Payroll Application Controls, Other Cycle Application Controls) and guard against four risks:]

• Risk of unauthorized change to application software
• Risk of system crash
• Risk of unauthorized master file update
• Risk of unauthorized processing

7 - 10
GENERAL CONTROL
• Relate to all aspects of the IT function
• Designed to protect all application controls to
ensure their effectiveness
• Have an overriding effect on all IT functions
• Auditors evaluate general controls early in the
audit because of their impact on application
controls

7 - 11
Administration of the
IT Function

The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

7 - 12
Segregation of IT Duties

Chief Information Officer or IT Manager
• Security Administrator
• Systems Development
• Operations
• Data Control

7 - 13
Systems Development

Typical test strategies:
• Pilot testing
• Parallel testing

7 - 14
Physical and Online Security

Physical Controls:
• Keypad entrances
• Badge-entry systems
• Biometric systems
• Security cameras
• Security personnel
• Humidity/temperature control

Online Controls:
• User ID control
• Password control
• Separate add-on security software

7 - 15
Backup and
Contingency Planning

One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.

7 - 16
Hardware Controls

These controls are built into computer equipment by the manufacturer to detect and report equipment failures.

7 - 17
APPLICATION CONTROL
• Designed to satisfy transaction-related audit
objectives.
• May be done by:
– Client personnel – manual controls
- depends on competence of the personnel & due
care exercised
– Computer – automated controls
- if properly designed, lead to consistent operation
of the controls

7 - 18
Input Controls

These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.

7 - 19
Input Controls
• Manual control:
– Management’s authorization of transactions
– Adequate preparation of input source docs
– Competent personnel
• IT controls:
– Prompts for transaction information
– Computer-performed validation tests
– Immediate error correction procedures
– Accumulation of errors in error file for follow-up.

7 - 20
Processing Controls
• Prevent, detect and correct processing errors
when transactions are processed.
• Often embedded in software.

7 - 21
Processing Controls

Validation test – ensures the use of correct master file, database, prog

Sequence test – determines data for processing are in correct order

Arithmetic accuracy test – checks the accuracy of processed data

Data reasonableness test – whether data exceed prespecified amounts

Completeness test – determines every field has been completed
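
The sketch below is an added example, not part of the original slides. It shows four of the processing controls listed above (completeness, sequence, arithmetic accuracy, data reasonableness) running over a batch and accumulating failures in an error file for follow-up. The record layout, the sample batch and the 10,000.00 limit are constructed assumptions.

```python
from decimal import Decimal

REQUIRED = ("seq", "customer", "qty", "unit_price", "total")
LIMIT = Decimal("10000.00")  # assumed prespecified amount for the reasonableness test

# Constructed sample batch; every value is invented for illustration.
BATCH = [
    {"seq": 1001, "customer": "C-17", "qty": 3, "unit_price": "19.99", "total": "59.97"},
    {"seq": 1002, "customer": "C-04", "qty": 2, "unit_price": "250.00", "total": "520.00"},
    {"seq": 1004, "customer": "", "qty": 1, "unit_price": "75.00", "total": "75.00"},
    {"seq": 1003, "customer": "C-09", "qty": 900, "unit_price": "75.00", "total": "67500.00"},
]

def run_processing_controls(batch, limit=LIMIT):
    """Apply four processing controls; return the error file as (seq, test, detail)."""
    error_file = []
    prev_seq = None
    for rec in batch:
        seq = rec.get("seq")
        # Completeness test: every required field has been completed.
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            error_file.append((seq, "completeness", "missing: " + ", ".join(missing)))
        # Sequence test: records must arrive in ascending order.
        if seq is not None:
            if prev_seq is not None and seq <= prev_seq:
                error_file.append((seq, "sequence", f"follows {prev_seq}"))
            prev_seq = seq
        if any(f in missing for f in ("qty", "unit_price", "total")):
            continue  # amounts cannot be checked on an incomplete record
        total = Decimal(rec["total"])
        expected = Decimal(rec["unit_price"]) * rec["qty"]
        # Arithmetic accuracy test: quantity times unit price must equal the total.
        if expected != total:
            error_file.append((seq, "arithmetic", f"expected {expected}, got {total}"))
        # Data reasonableness test: the total must not exceed the prespecified amount.
        if total > limit:
            error_file.append((seq, "reasonableness", f"{total} exceeds {limit}"))
    return error_file

if __name__ == "__main__":
    for entry in run_processing_controls(BATCH):
        print(entry)
```

Decimal arithmetic is used so that currency comparisons are exact; with binary floats the arithmetic accuracy test would raise false exceptions.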

7 - 22
Output Controls

These controls focus on detecting errors after processing is completed rather than on preventing errors. E.g.:

• Reconcile computer output to manual ctrl total
• Compare no. of units processed to submitted
• Compare sample to input source docs.
• Verify dates and times

7 - 23
Learning Objective 3

Describe how general controls affect the auditor’s testing of application controls.

7 - 24
Impact of Information Technology on the
Audit Process

• Effects of general controls on control risk
• Effects of IT controls on control risk and substantive tests
• Auditing in less complex IT environments
  – Auditing around the computer
• Auditing in more complex IT environments
  – Auditing through the computer

7 - 25
Learning Objective 4

Use the test data, parallel simulation, and embedded audit module approaches when auditing through the computer.

7 - 26
Test Data Approach

1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by the auditor’s test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client’s records.

7 - 27
Test Data Approach
[Flowchart: Input test transactions to test key control procedures → application programs (assume batch system), which also read the master files → outputs: transaction files (contaminated?), contaminated master files, and control test results.]

7 - 28
Test Data Approach
[Flowchart: The auditor compares the control test results with the auditor-predicted results of key control procedures, based on an understanding of internal control, and notes differences between actual outcome and predicted result.]

7 - 29
Parallel Simulation

The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.

7 - 30
Parallel Simulation
[Flowchart: Production transactions and the master file are processed both by the client’s application system programs and by the auditor-prepared program (parallel simulation). The auditor makes comparisons between the client’s application system output and the auditor’s understanding of the client systems via the parallel simulation, comparing client results with auditor results and producing an exception report noting differences.]
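
A minimal parallel simulation, added here as an example and not taken from the original slides: an auditor-prepared program recomputes gross pay from the same transaction file and compares it with the client system's output to produce the exception report. The timecards, the client results and the overtime rule (1.5 times the rate beyond 40 hours) are constructed assumptions standing in for the auditor's understanding of the client system.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed data files; all values are invented for illustration.
TIMECARDS = [
    {"emp": "E100", "hours": "40.0", "rate": "22.50"},
    {"emp": "E101", "hours": "46.5", "rate": "18.00"},
    {"emp": "E102", "hours": "38.0", "rate": "31.25"},
    {"emp": "E103", "hours": "52.0", "rate": "20.00"},
]
# Constructed client system output: gross pay per employee.
CLIENT_RESULTS = {"E100": "900.00", "E101": "837.00", "E102": "1187.50", "E104": "640.00"}

STD_HOURS = Decimal("40")   # assumed rule from the auditor's understanding
OT_FACTOR = Decimal("1.5")  # assumed overtime premium

def simulate_gross(card):
    """Auditor-prepared recomputation of gross pay for one timecard."""
    hours, rate = Decimal(card["hours"]), Decimal(card["rate"])
    regular = min(hours, STD_HOURS)
    overtime = max(hours - STD_HOURS, Decimal("0"))
    pay = regular * rate + overtime * rate * OT_FACTOR
    return pay.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def exception_report(timecards, client_results):
    """Compare auditor results with client results; return only the differences."""
    auditor = {card["emp"]: simulate_gross(card) for card in timecards}
    report = []
    for emp in sorted(set(auditor) | set(client_results)):
        mine, theirs = auditor.get(emp), client_results.get(emp)
        if theirs is None:
            # Transaction exists but the client system produced no result.
            report.append((emp, str(mine), None, "missing from client output"))
        elif mine is None:
            # Client result has no supporting transaction in the data file.
            report.append((emp, None, theirs, "no source transaction"))
        elif mine != Decimal(theirs):
            report.append((emp, str(mine), theirs, "amount differs"))
    return report

if __name__ == "__main__":
    for row in exception_report(TIMECARDS, CLIENT_RESULTS):
        print(row)
```

Comparing in both directions matters: a result with no source transaction points at unauthorized processing, while a transaction with no result points at incomplete processing.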

7 - 31
Embedded Audit
Module Approach

Auditor inserts an audit module in the client’s application system to capture transactions with characteristics that are of specific interest to the auditor.

7 - 32
Learning Objective 5

Identify issues for e-commerce systems and other specialized IT environments.

7 - 33
Issues for Different
IT Environments

• Issues for microcomputer environments
• Issues for network environments
• Issues for database management systems
• Issues for e-commerce systems
• Issues when clients outsource IT

7 - 34
