Auditing in an IT Environment
- Auditing risks only increase
- General Controls vs Application Controls
- Testing Internal Controls
IT Audit Environment
Lecture Outline
- Critical nature of IT systems to the business enterprise of any size
- Increased reliance on IT systems, both business and personal, brings new risks for the auditor
- Understanding the difference between business-implemented IT controls:
  - General Controls (IT system wide)
e-Commerce Considerations
- Relationships with e-partners: issues of reliability and ongoing support?
- Recording & processing of transactions
- Fraud
- Privacy
- Transaction integrity
- Competition & transparency
- Terms of trade
- Reputation
- Security: system failures, reliance on 3rd parties, loss of data
- Monitoring: access violations that are not monitored make it difficult to enforce responsibility and accountability
IT - General Controls
General controls are manual and computer controls surrounding the environment in which computer systems operate. They relate to all or many computerised accounting applications, and:
- provide a reasonable level of assurance that the overall objectives of internal control are achieved (i.e. proper recording, preventing and detecting errors); and
- provide a control framework (i.e. address technology, people and processes).
Segregation of Duties
Auditor interested in:
- separation between IT and user department functions (e.g. users are not programmers); and
- separation of incompatible functions within the IT department, especially separating those with an understanding of the system from those with access to the system (e.g. operators are not programmers)
- Access to the source code (third party providers, the use of ESCROW)
- Level of testing: the data flow
- Access to programs (e.g. via passwords or physical access restriction to software)
- Administrator vs user: administrators should not also act as a user of a system or at application level! Why? Breach of segregation of duties: as an administrator the person is in a position to override internal controls and manipulate data
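The segregation-of-duties points above can be tested with a computer-assisted check over an access listing extracted from the system. The script below is an added example, not part of the lecture: the CSV extract, the role names (programmer, operator, app_user, sysadmin, dba) and the incompatible pairs are all constructed assumptions that follow the slide's examples (users are not programmers, operators are not programmers, administrators are not application users).

```python
"""Segregation-of-duties test over an extracted access listing.

Added example, not from the lecture. The CSV extract below is constructed; in
practice the auditor would obtain it from the system's user/role administration
table and run a check like this as a test of controls."""

# Incompatible role pairs taken from the slide's examples. The role labels are
# assumptions about how a given system's extract names them.
INCOMPATIBLE = [
    ({"programmer"}, {"operator"}, "programmer also has operator access"),
    ({"programmer"}, {"app_user"}, "programmer also holds a user-department role"),
    ({"sysadmin", "dba"}, {"app_user"}, "administrator also acts as an application user"),
]

# Constructed extract: one row per user/role grant.
ACCESS_EXTRACT = """user,role
alice,programmer
alice,operator
bob,app_user
carol,sysadmin
carol,app_user
dave,programmer
erin,dba
"""


def parse_extract(text: str) -> dict[str, set[str]]:
    """Collapse the user/role rows into user -> set of roles; header row skipped."""
    roles_by_user: dict[str, set[str]] = {}
    for line in text.strip().splitlines()[1:]:
        user, role = (part.strip() for part in line.split(",", 1))
        roles_by_user.setdefault(user, set()).add(role)
    return roles_by_user


def sod_violations(roles_by_user: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (user, description) for every incompatible combination a user holds."""
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for left, right, description in INCOMPATIBLE:
            if roles & left and roles & right:
                findings.append((user, description))
    return findings


if __name__ == "__main__":
    for user, why in sod_violations(parse_extract(ACCESS_EXTRACT)):
        print(f"SoD exception: {user}: {why}")
```

Each exception is a case where one person could both change the system and use or operate it, so the output is a list for inquiry and inspection, not a conclusion: a mitigating control (such as a logged emergency-access procedure) may exist outside the role table.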
There is no change in the auditor's approach to testing, as these are mainly manual:
- inquiry
- inspection
- observation
- physical testing (playing the part of a staff member)
- re-performance
IT - Application Controls
- Relate to individual computerised accounting applications
- May be programmed or manual, and located in either the user departments or the IT department
- Can be preventative or detective in nature, and ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed
Have the application controls been correctly amended to reflect software modifications?
Consider staff relevance to:
- reluctance to change,
IT Application Controls
- processing
- output
Ensure all authorised data is completely and accurately converted into machine readable form, e.g:
- Pre-numbering of documents / sequence and/or duplication check
- Control totals (e.g. batch controls/totals)
- Key verification: links to data in master files
- Key entry verification: duplication of the input; not widely used
Automated/Programmed Input Application Controls
We shall work through some practical examples of each of:
- Self-checking digits (e.g. only transactions with valid employee numbers will be processed)
- Field checks (e.g. all relevant information for a purchase transaction has been input, i.e. check for missing fields/data; alphanumeric check)
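The input controls from the two slides above (pre-numbering with a sequence/duplication check, batch control totals, self-checking digits and field checks) are shown together in the added example below. It is not code from the lecture: the weighted modulus-11 check-digit scheme, the payroll field names and the sample batch are all constructed assumptions chosen so that each control rejects one transaction.

```python
"""Automated input application controls over a constructed payroll batch.

Added example, not from the lecture. Implements the controls the slides list:
a self-checking digit on employee numbers, field checks (missing fields,
alphanumeric and numeric checks), a pre-numbered document sequence/duplicate
check, and batch control totals (record count and hash total of hours).
The check-digit scheme, field names and sample data are assumptions."""
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("doc_no", "emp_no", "hours", "cost_centre")


def compute_check_digit(body: str) -> str:
    """Weighted modulus-11 check character over the data digits (assumed scheme):
    weights n+1 .. 2 from left to right, remainder 10 written as 'X'."""
    total = sum(int(d) * w for d, w in zip(body, range(len(body) + 1, 1, -1)))
    rem = (11 - total % 11) % 11
    return "X" if rem == 10 else str(rem)


def valid_employee_number(emp_no: str) -> bool:
    """Self-checking digit: six data digits followed by one check character."""
    if len(emp_no) != 7 or not emp_no[:6].isdigit():
        return False
    return compute_check_digit(emp_no[:6]) == emp_no[6].upper()


def field_errors(txn: dict) -> list[str]:
    """Field checks on a single transaction; an empty list means it passes."""
    errors = [f"missing field: {name}" for name in REQUIRED_FIELDS
              if txn.get(name) in (None, "")]
    cost_centre = txn.get("cost_centre") or ""
    if cost_centre and not cost_centre.isalnum():
        errors.append("cost_centre must be alphanumeric")
    hours = txn.get("hours")
    if hours not in (None, "") and not isinstance(hours, (int, float)):
        errors.append("hours must be numeric")
    emp_no = txn.get("emp_no") or ""
    if emp_no and not valid_employee_number(emp_no):
        errors.append(f"employee number fails check digit: {emp_no}")
    return errors


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # doc_no -> list of reasons
    gaps: list = field(default_factory=list)       # missing document numbers
    totals_agree: bool = False


def process_batch(txns: list[dict], expected_count: int, expected_hours: float) -> BatchResult:
    """Apply the input controls to a batch; expected totals come from the batch header."""
    result = BatchResult()
    seen: set[str] = set()
    for txn in txns:
        doc_no = str(txn.get("doc_no", ""))
        reasons = field_errors(txn)
        if doc_no in seen:
            reasons.append(f"duplicate document number: {doc_no}")
        seen.add(doc_no)
        if reasons:
            result.rejected[doc_no] = reasons
        else:
            result.accepted.append(txn)
    # Sequence check: pre-numbered documents should form a gapless run.
    numbers = sorted(int(n) for n in seen if n.isdigit())
    if numbers:
        present = set(numbers)
        result.gaps = [n for n in range(numbers[0], numbers[-1]) if n not in present]
    # Batch control totals: record count and hash total of hours versus the header.
    actual_hours = sum(t["hours"] for t in txns if isinstance(t.get("hours"), (int, float)))
    result.totals_agree = len(txns) == expected_count and actual_hours == expected_hours
    return result


# Constructed batch: valid check characters are "1234560", "6543219" and "1111116".
SAMPLE_BATCH = [
    {"doc_no": "1001", "emp_no": "1234560", "hours": 8, "cost_centre": "CC10"},
    {"doc_no": "1002", "emp_no": "6543219", "hours": 7.5, "cost_centre": "CC10"},
    {"doc_no": "1003", "emp_no": "1234561", "hours": 8, "cost_centre": "CC20"},   # bad check digit
    {"doc_no": "1004", "emp_no": "1111116", "cost_centre": "CC20"},               # hours missing
    {"doc_no": "1002", "emp_no": "1111116", "hours": 4, "cost_centre": "CC30"},   # duplicate doc no
    {"doc_no": "1007", "emp_no": "1111116", "hours": 2, "cost_centre": "CC-40"},  # non-alphanumeric
]

if __name__ == "__main__":
    # Header totals transcribed with the batch: 6 records, 29.5 hours.
    res = process_batch(SAMPLE_BATCH, expected_count=6, expected_hours=29.5)
    print("accepted:", [t["doc_no"] for t in res.accepted])
    for doc_no, reasons in res.rejected.items():
        print("rejected", doc_no, reasons)
    print("sequence gaps:", res.gaps, "control totals agree:", res.totals_agree)
```

The sequence check reports the missing numbers 1005 and 1006 even though every present document passed or failed on its own merits, which is the point of pre-numbering: completeness is tested across the batch, not per record. The control totals are computed over the whole input batch, so a header total that disagrees points at a transcription or data-entry problem before any record is posted.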
Auditing IT Systems
Planning:
- level of IT dependence / IT business-related risks
Audit Evidence:
- use of CAATs for
  - tests of controls
  - substantive testing

CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special: normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing.
- When processing a customer order for goods, the inventory system rejects the quantity if the remaining balance would be negative
- Only the senior accountant can amend the table of depreciation rates contained in the Fixed Asset System
- A payroll transaction is rejected as the number of overtime hours for the pay period exceeds 15 hours
- Staff are required to wear their staff ID badge while working in the server room
- The firewall log is reviewed each morning by a senior programmer analyst