
The University of Sydney Business School

ACCT3014 - Auditing and Assurance


Semester 1, 2013 Eric Clubb Week 9 Lecture

Business School Auditing and Assurance

Auditing in an IT Environment: audit risk only increases; General Controls vs Application Controls; Testing Internal Controls

IT Audit Environment
Lecture Outline
- Critical nature of IT systems to a business enterprise of any size
- Increased reliance on IT systems, both business and personal, brings new risks for the auditor
- Understanding the difference between business-implemented IT controls:
  - General Controls (IT system wide)
  - Application Controls (detailed focus on a specific application: payroll, sales, etc.)
- Working examples of these controls
- Introduction: how does the auditor evaluate and test the control environment?

e-Commerce Considerations
- Relationships with e-partners: issues of reliability and ongoing support?
- Recording & processing of transactions
- Fraud
- Privacy
- Transaction integrity
- Competition & transparency
- Terms of trade
- Reputation
- Security
- System failures
- Reliance on 3rd parties

Examples of IT Risks Relevant to the Auditor

Planning and Organisation
- IT strategy not aligned with the business strategy: unable to support business information needs / accounting processes, increasing the risk of errors

Acquisition, Implementation and Maintenance
- implementation of a new accounting application under time pressure (e.g. inadequate testing) may lead to operational problems and processing errors
- unauthorised changes to programs: increased risk of processing and reporting errors
- interface problems: loss, duplication or corruption of data

Examples of IT Risks Relevant to the Auditor (cont.)

Delivery and Support
- unauthorised access to applications, operating systems and data: improper initiation, approval or execution of transactions
- inadequate backup and recovery procedures: loss of data

Monitoring
- access violations not monitored: difficult to enforce responsibility and accountability

IT and Non-IT Audit Environments

(Flow diagram, flattened.) Two parallel sets of risks feed the auditor's work:
- IT risks: loss of data, hacking, business interruption & legal claims
- Non-IT business risks and the presence of fraud

In both cases the auditor evaluates internal controls (using IT tools during evaluation & testing) and then determines the type & volume of substantive tests.

IT - General Controls
- Are manual and computer controls surrounding the environment in which computer systems operate, and relate to all or many computerised accounting applications; and
- Provide a reasonable level of assurance that the overall objectives of internal control are achieved (i.e. proper recording, prevention and detection of errors)
- Provide a control framework (i.e. address technology, people and processes)

Categories of General Controls

General controls address:
- segregation of duties
- control over hardware
- control over software
- control over data

Segregation of Duties
Auditor interested in:
- separation between IT and user department functions (e.g. users are not programmers); and
- separation of incompatible functions within the IT department, especially separating those with an understanding of the system from those with access to the system (e.g. operators are not programmers)

Control Over Software: System Wide Processes

Includes control over:
- development or acquisition of new programs:
  - must be authorised and linked to a business case
  - the higher the degree of specialisation, the greater the RISK
  - documentation is a must
- access to the source code (third party providers, the use of ESCROW)
- level of testing:
  - the data flow
  - integration with other systems
  - security

Control Over Software (cont.)

- changes to existing programs:
  - authorisation and documentation
  - testing (offline and parallel)
- access to programs (e.g. via passwords or physical access restriction to software):
  - administrator vs user
  - administrators should not also act as a user of a system or at application level!
  - Why? Breach of segregation of duties: as an administrator the person is in a position to over-ride internal controls and manipulate data

Other General Controls

These controls back up hardware, software and files and ensure recovery when the computer installation or particular files or programs are damaged. General IT expectations: unless it is backed up in three separate ways, it is not backed up! Also, a backup located next to the computer or server is of little protection. These controls do not normally have an effect on the control risk assessment, although don't underestimate the significance of secure backup and disaster recovery / business interruption plans: they may be critical to the auditor's evaluation of going concern.

Testing of General Controls

There is no change in the auditor's approach to testing, as these are mainly manual:
- inquiry
- inspection
- observation
- physical testing (playing the part of a staff member)
- re-performance

IT - Application Controls
- Relate to individual computerised accounting applications
- May be programmed or manual, and located in either the user departments or the IT department
- Can be preventative or detective in nature, and ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed

Have the application controls been correctly amended to reflect software modifications?
Consider staff relevance to:
- reluctance to change
- over-ride of controls to maintain productivity
- non-reporting of software faults

IT Application Controls

Usually classified under the following categories:
- input
- file
- processing
- output

Input Application Controls

Ensure all authorised data is completely and accurately converted into machine-readable form, e.g.:
- pre-numbering of documents / sequence and/or duplication check
- control totals (e.g. batch controls/totals)
- key verification: links to data in master files
- key entry verification: duplication of the input, not widely used

Automated/Programmed Input Application Controls
We shall work through some practical examples of each of:
- Self-checking digits (e.g. only transactions with valid employee numbers will be processed)
- Limit / reasonableness / range check (e.g. all hourly rates or number of hours worked for payroll transactions are within authorised limits)
- Field checks (e.g. all relevant information for a purchase transaction has been input, i.e. check for missing fields/data; alphanumeric check)
- Valid code test / validity checks (e.g. supplier details confirmed from the master file when the customer number is input into the system; data takes on valid values; valid combination of items)
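The four programmed input checks listed above, applied to a constructed payroll batch together with the batch control totals from the previous slide; this is an added example, not part of the lecture. The weighted mod-10 check-digit scheme, the authorised limits and the employee master file are assumptions made for illustration.

```python
# Added example, not from the lecture. Assumed for illustration: employee numbers are
# 4 digits plus a weighted mod-10 check digit; the limits and master file are constructed.
REQUIRED_FIELDS = ("employee_no", "hourly_rate", "hours")
AUTHORISED_LIMITS = {"hourly_rate": (18.0, 95.0), "hours": (0, 60)}
MASTER_EMPLOYEES = {"10039", "10047", "10055"}

def check_digit_ok(emp_no):
    """Self-checking digit: digit 5 must equal the weighted mod-10 check of digits 1-4."""
    emp_no = str(emp_no)
    if not (len(emp_no) == 5 and emp_no.isdecimal()):
        return False
    total = sum(int(d) * w for d, w in zip(emp_no[:4], (5, 4, 3, 2)))
    return int(emp_no[4]) == (10 - total % 10) % 10

def validate_transaction(txn, master=MASTER_EMPLOYEES):
    """Return the input-control exceptions for one payroll line; an empty list means accepted."""
    errors = [f"missing field {f}" for f in REQUIRED_FIELDS if txn.get(f) in ("", None)]  # field check
    if errors:
        return errors  # the remaining checks are meaningless on an incomplete record
    emp = str(txn["employee_no"])
    if not check_digit_ok(emp):
        errors.append("employee number fails check digit")
    elif emp not in master:  # validity check: the number must exist on the master file
        errors.append("employee number not on master file")
    for field, (lo, hi) in AUTHORISED_LIMITS.items():  # limit / reasonableness / range check
        value = txn[field]
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            errors.append(f"{field}={value!r} outside authorised range {lo}-{hi}")
    return errors

def process_batch(batch, header, master=MASTER_EMPLOYEES):
    """Line checks, then batch controls: record count and hash total of hours must agree with the header."""
    checked = [(t, validate_transaction(t, master)) for t in batch]
    hours_total = sum(t["hours"] for t in batch if isinstance(t.get("hours"), (int, float)))
    return {
        "accepted": [t for t, e in checked if not e],
        "rejected": [(t, e) for t, e in checked if e],
        "control_totals_ok": len(batch) == header["record_count"] and hours_total == header["hours_total"],
    }

# Constructed sample batch and the batch header keyed by the preparer (count, hash total of hours)
BATCH = [
    {"employee_no": "10039", "hourly_rate": 32.5, "hours": 38},  # clean
    {"employee_no": "10038", "hourly_rate": 32.5, "hours": 38},  # check digit wrong
    {"employee_no": "10047", "hourly_rate": 32.5, "hours": 72},  # hours above authorised limit
    {"employee_no": "10055", "hourly_rate": 32.5},               # hours field missing
    {"employee_no": "10063", "hourly_rate": 32.5, "hours": 40},  # valid check digit, not on master
]
BATCH_HEADER = {"record_count": 5, "hours_total": 188}
```

Only the first line survives all four checks, while the header totals still agree because the hash total is computed over everything keyed, rejected lines included.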

File and Processing Application Controls

Ensure all input data is completely and accurately processed onto master files, e.g.:
- internal file labels: computer-readable data that identifies the content of the file
- external file labels: printed or handwritten labels attached to disk or tape
- programmed control procedures:
  - checking numerical sequence of records
  - comparing related fields
  - run-to-run control totals
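The three programmed control procedures above, as an added example that is not the lecture's material: a numerical sequence check, a related-fields comparison and a run-to-run control total over a constructed receivables posting run. Amounts are held in integer cents; the master balances and invoices are constructed.

```python
# Added example, not from the lecture: programmed processing controls over a
# constructed run that posts sales invoices to a receivables master file.
# Money is held in integer cents so control totals reconcile exactly.

def sequence_check(records):
    """Numerical sequence check on invoice numbers: return (missing, duplicated)."""
    nums = [r["invoice_no"] for r in records]
    missing = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    duplicated = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicated

def related_fields_ok(record):
    """Comparing related fields: extended amount must equal quantity x unit price."""
    return record["quantity"] * record["unit_price"] == record["amount"]

def post_run(master, records, control_in):
    """Run-to-run control total: the opening total of this run must equal the closing
    total carried forward from the previous run, and closing must equal opening plus
    everything posted. Returns the closing total to carry into the next run."""
    opening = sum(master.values())
    if opening != control_in:
        raise ValueError(f"opening total {opening} != carried-forward control {control_in}")
    posted = 0
    for r in records:
        if not related_fields_ok(r):
            raise ValueError(f"invoice {r['invoice_no']}: amount does not agree to qty x price")
        master[r["customer"]] = master.get(r["customer"], 0) + r["amount"]
        posted += r["amount"]
    closing = sum(master.values())
    if closing != opening + posted:
        raise ValueError("closing total does not reconcile to opening + posted")
    return closing

# Constructed master balances and one run of invoices (1003 is missing, 1005 appears twice)
MASTER = {"C01": 50000, "C02": 25000}
RUN = [
    {"invoice_no": 1001, "customer": "C01", "quantity": 2, "unit_price": 4000, "amount": 8000},
    {"invoice_no": 1002, "customer": "C02", "quantity": 1, "unit_price": 1950, "amount": 1950},
    {"invoice_no": 1004, "customer": "C03", "quantity": 3, "unit_price": 1000, "amount": 3000},
    {"invoice_no": 1005, "customer": "C01", "quantity": 1, "unit_price": 500, "amount": 500},
    {"invoice_no": 1005, "customer": "C01", "quantity": 1, "unit_price": 500, "amount": 500},
]

if __name__ == "__main__":
    missing, duplicated = sequence_check(RUN)
    print("sequence exceptions - missing:", missing, "duplicated:", duplicated)
    carried_forward = sum(MASTER.values())  # closing control total of the previous run
    print("closing control total:", post_run(dict(MASTER), RUN, carried_forward))
```

The sequence check reports the gap and the duplicate as exceptions for follow-up; the run-to-run total alone would not catch either, which is why the lecture lists the procedures together.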

Output Application Controls

Ensure complete and accurate output is distributed only to authorised persons, e.g.:
- restricted distribution
- restricted print access (screen only)
- automatic dating of reports
- page numbering
- end-of-report messages

Relationship Between IT General Controls and Application Controls

The auditor should start the internal control evaluation by looking at general controls. If these controls are unreliable, the auditor can have little confidence in programmed application controls and reduced confidence in manual application controls, and must take a more substantive approach to the audit. If general controls are reliable, the auditor makes a preliminary evaluation of application controls and, if appropriate, a more detailed evaluation of application controls. The auditor then determines the appropriate degree of tests of controls and substantive testing.

Auditing IT Systems
Planning:
- level of IT dependence / IT business-related risks
- IT-related IC strengths and weaknesses

Audit Evidence:
- use of CAATs for:
  - tests of controls
  - substantive testing

CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special; normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing.

Lecture Discussion Question 1

When reviewing an IT environment, the auditor distinguishes between general controls (i.e. the overall control environment) and application controls (input, processing, output at an account assertion level). For each of the following separate situations, identify whether it is a general or an application control.
(a) A trade receivables listing is produced and distributed to the Finance Manager, Sales Manager, Accountant and Account Managers.
(b) A new accounts receivable system has been developed by employee programmers and is currently being tested to ensure that it is compatible with the rest of the IT system.
(c) A significant number of sales invoices contained in a batch are not properly authorised.
(d) When a desktop PC is inactive for 5 minutes the computer will go into auto logoff mode.
(e) When processing a customer order for goods, the inventory system rejects the quantity if the remaining balance would be negative.
(f) Only the Senior Accountant can amend the table of depreciation rates contained in the Fixed Asset System.
(g) A payroll transaction is rejected as the number of overtime hours for the pay period exceeds 15 hours.
(h) Staff are required to wear their staff ID badge while working in the Server Room.
(i) The firewall log is reviewed each morning by a senior program analyst.
