chapter 12 – the impact of information technology on the audit …vcact02q/460 arens'...
TRANSCRIPT
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens/Elder/Beasley Arens/Elder/Beasley 12 - 1
The Impact of Information The Impact of Information Technology on the Audit Technology on the Audit
ProcessProcess
Chapter 12Chapter 12
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 22
Learning Objective 1Learning Objective 1
Describe how IT improvesDescribe how IT improvesinternal control.internal control.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 33
How Information Technologies How Information Technologies Enhance Internal ControlEnhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 44
Learning Objective 2Learning Objective 2
Identify risks that arise from usingIdentify risks that arise from usingan IT-based accounting system.an IT-based accounting system.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 55
Assessing Risks ofAssessing Risks ofInformation TechnologiesInformation Technologies Risks to hardware and data
Reduced audit trail
Need for IT experience andseparation of IT duties
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 66
Risks to Hardware and Data Risks to Hardware and Data
Reliance on the functioning capabilitiesof hardware and software
Systematic versus random errors
Unauthorized access
Loss of data
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 77
Reduced Audit TrailReduced Audit Trail
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 88
Need for IT Experience and Need for IT Experience and Separation of DutiesSeparation of Duties
Reduced separation of duties
Need for IT experience
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 99
Learning Objective 3Learning Objective 3
Explain how general controlsExplain how general controlsand application controlsand application controlsreduce IT risks.reduce IT risks.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1010
Internal Controls Specific to Internal Controls Specific to Information TechnologyInformation Technology General controls
Application controls
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1111
Relationship Between GeneralRelationship Between Generaland Application Controlsand Application Controls
Cash receiptsapplication
controls
Salesapplication
controls
Payrollapplication
controls
Other cycleapplication
controls
GENERAL CONTROLS
Risk of unauthorized changeto application software Risk of system crash
Risk of unauthorizedmaster file update
Risk of unauthorizedprocessing
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1212
General ControlsGeneral Controls
Administration of the IT function
Separation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1313
Administration of the IT Administration of the IT FunctionFunction
The perceived importance of IT within anorganization is often dictated by the attitude ofthe board of directors and senior management.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1414
Segregation of IT DutiesSegregation of IT Duties
Chief Information Officer or IT Manager
SystemsDevelopment Operations Data
Control
Security Administrator
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1515
Systems DevelopmentSystems Development
Typical teststrategies
Pilot testing Parallel testing
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1616
Physical and Online SecurityPhysical and Online Security
Physical Controls:Physical Controls: Keypad entrancesKeypad entrances Badge-entry systemsBadge-entry systems Security camerasSecurity cameras Security personnelSecurity personnel
Online Controls:Online Controls: User ID controlUser ID control Password controlPassword control Separate add-onSeparate add-on
security softwaresecurity software
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1717
Backup and Contingency Backup and Contingency PlanningPlanning
One key to a backup and contingency planis to make sure that all critical copies ofsoftware and data files are backed upand stored off the premises.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1818
Hardware ControlsHardware Controls
These controls are built into computerequipment by the manufacturer todetect and report equipment failures.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 1919
Application ControlsApplication Controls
Input controls
Processing controls
Output controls
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2020
Input ControlsInput Controls
These controls are designed by anorganization to ensure that theinformation being processed isauthorized, accurate, and complete.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2121
Batch Input ControlsBatch Input Controls
Financial total
Hash total
Record count
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2222
Processing ControlsProcessing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2323
Output ControlsOutput Controls
These controls focus on detecting errorsafter processing is completed ratherthan on preventing errors.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2424
Learning Objective 4Learning Objective 4
Describe how general controlsDescribe how general controlsaffect the auditor’s testingaffect the auditor’s testingof application controls.of application controls.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2525
Impact of Information Technology on Impact of Information Technology on the Audit Processthe Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk andsubstantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2626
Learning Objective 5Learning Objective 5
Use test data, parallel simulation,Use test data, parallel simulation,and embedded audit moduleand embedded audit moduleapproaches when auditingapproaches when auditingthrough the computer.through the computer.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2727
Test Data ApproachTest Data Approach
1. Test data should include all relevantconditions that the auditor wants tested.
2. Application programs tested by theauditors’ test data must be the same asthose the client used throughout the year.
3. Test data must be eliminated from theclient’s records.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2828
Test Data ApproachTest Data Approach
Application programsApplication programs(assume batch system)(assume batch system)
Control testControl testresultsresults
Master filesMaster files
ContaminatedContaminatedmaster filesmaster files
Transaction filesTransaction files(contaminated?)(contaminated?)
Input testInput testtransactions to testtransactions to test
key controlkey controlproceduresprocedures
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 2929
Test Data ApproachTest Data Approach
Auditor-predicted resultsAuditor-predicted resultsof key control proceduresof key control proceduresbased on an understandingbased on an understandingof internal controlof internal control
Control testControl testresultsresults
Auditor makesAuditor makescomparisonscomparisons
Differences betweenDifferences betweenactual outcome andactual outcome and
predicted resultpredicted result
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 3030
Parallel SimulationParallel Simulation
The auditor uses auditor-controlled softwareto perform parallel operations to the client’ssoftware by using the same data files.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 3131
Parallel SimulationParallel Simulation
Auditor makes comparisons betweenAuditor makes comparisons betweenclient’s application system output andclient’s application system output andthe auditor-prepared program outputthe auditor-prepared program output
Exception reportException reportnoting differencesnoting differences
ProductionProductiontransactionstransactions
Auditor-preparedAuditor-preparedprogramprogram
AuditorAuditorresultsresults
MasterMasterfilefile
Client applicationClient applicationsystem programssystem programs
ClientClientresultsresults
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 3232
Embedded Audit Module Embedded Audit Module ApproachApproach
Auditor inserts an audit module in theclient’s application system to identifyspecific types of transactions.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 3333
Learning Objective 6Learning Objective 6
Identify issues for e-commerceIdentify issues for e-commercesystems and other specializedsystems and other specializedIT environments.IT environments.
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens//Elder/Beasley Arens//Elder/Beasley 12 - 12 - 3434
Issues for Different IT Issues for Different IT EnvironmentsEnvironments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT
©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens/Elder/Beasley Arens/Elder/Beasley 12 - 35
End of Chapter 12End of Chapter 12