-
Overview of IT
- ERP (SAP, Oracle, Dynamics), small (QuickBooks)
- Batch, on-line batch, real-time
- Core of all systems is databases
- Hardware
- SW applications
- Networks
- Electronic Commerce: EDI, FEDI, EFT, web
-
Internal Control in IT
- Segregation of duties; IT operations
- User access to data/applications
- Clearly defined responsibilities
- Augmented by controls written into computer programs
- Software Development Life Cycle
-
Audit Trail Impact
- In computerized environment, audit trail ordinarily still exists, but often not in printed form
- Can affect audit procedures
- Consulting auditors during design stage of IT-based system helps ultimate auditability
-
Organization Information System Department-PIC
-
Responsibilities In IT
- Information systems management
- Systems analysis
- Application Programming
- Database Administration
- Data Entry
- IT Operations
- Program and file library
- Data Controls
- Telecommunications Specialists
- System Programming
-
Information System Management
Supervise the operation of the department and report to the vice president of finance
-
Systems Analysis
Responsible for designing the system
-
Application Programming
Design flowcharts and write programming code
-
Database Administration
Responsible for planning and administering the company database
-
Data Entry
Prepare and verify input data for processing
-
IT Operations
Run and monitor central computers
-
Program and file library
Protect computer programs, master files and other records from loss, damage and unauthorized use
-
Data Control
Reviews and tests all input procedures, monitors processes and reviews IT logs
-
Telecommunications Specialists
Responsible for maintaining and enhancing IT networks
-
System Programming
Responsible for troubleshooting the operating system
-
IT Control Activities - General
- Developing new programs and systems
- Changing existing programs and systems
- Access to programs and data
- IT operations controls
-
Computer-Based Fraud
- History shows that developer is mostly the culprit
- Segregation of duties
- Programming separate from controlling data entry
- Computer operator separate from custody or detailed knowledge of programs
- If segregation is not possible, need:
- Compensating controls like batch totals
- Organizational controls not effective in mitigating collusion
-
IT Control Activities - Pic
-
Elements of System Reliability
- Security:
- Authentication: who gets in
- Authorization: what the user can do
- Encryption
-
Application Control Activities- Programmed Control Activities
- Input validation checks
- Batch controls
- Processing Controls
-
Step 1 of Plan Audit and Obtain an Understanding
Consider IT system in planning
-
Step 2- Obtain an understanding of the client and its environment
- Documentation of client's IT-based system depends on complexity of system
- Narrative
- Systems flowchart
- Program flowchart
- Internal Control questionnaires
-
Step 3- Assess the Risks of Material Misstatement
- ID risks
- Relate the ID risks to what can go wrong at the relevant assertion level
- Consider whether the risks are of a magnitude that could result in a material misstatement
- Consider the likelihood that the risks could result in a material misstatement
-
IT Controls Assessment
- Hire IT control expert if auditor not experienced
- Use COBIT or AICPA trust services
- General Control assessment- applies to all IT operations and applications
- Application Control- embedded in process control evaluation
- Must test controls at both levels
- Same assessment outcomes as manual process controls
- Operational Effectiveness
- Material Weakness and significant deficiencies.
-
Techniques for Testing Application Controls- Auditing Around the Computer
Manually processing selected transactions and comparing results to computer output
-
Techniques for Testing Application Controls-Manual Tests of Computer Controls
Inspection of computer control reports and evidence of manual follow-up on exceptions
-
Techniques for Testing Application Controls-Auditing through the computer
- Test data
- Integrated Test Facility
- Controlled programs
- Program Analysis Techniques
- Tagging and Tracing transactions
- Generalized audit software: parallel simulation
-
Using Generalized Audit Software to perform Substantive Procedures
- Examine client's records for overall quality, completeness and valid conditions
- Rearrange data and perform analyses
- Select audit samples
- Compare data on separate files
- Compare results of audit procedures with client's records
-
Inventory Audit Procedures Using Generalized Audit Software-Pic
-
Service Organizations (SAS 70)
- Computer service centers provide processing services (payroll, benefits, accounting)
- Outsourcing companies (IBM, EDS) run computer centers and provide IT personnel
- Cloud Computing
- Internet Services (ASP-Application service providers)
-
Audit Concerns When Services Are Part of the Client's Information System (SAS 70)
- How client's transactions are initiated
- The accounting records, supporting information
- The accounting process from initiation to inclusion in FS
- The financial reporting process
-
SAS 70- Gives Auditor Guidance
If no SAS 70 report, audit must include service organization in audit scope