ACCT3014_lecture IT Part 1 s1 2013
8/22/2019 ACCT3014_lecture IT Part 1 s1 2013
Business School
The University of Sydney
ACCT3014 - Auditing and Assurance
Semester 1, 2013
Eric Clubb
Week 9 Lecture
Auditing in an IT Environment
Audit risks only increase
General Controls vs Application Controls
Testing Internal Controls
-
IT Audit Environment
Lecture Outline
- Critical Nature of IT Systems to the Business enterprise of any size
- Increased Reliance on IT Systems, both Business and Personal, brings New Risks for the Auditor
- Understanding the difference with Business implemented IT Controls:
  - General Controls (IT System Wide)
  - Application Controls (Detailed Focus on a specific application, e.g. Payroll, Sales etc)
- Working examples of these controls
- Introduction: How does the Auditor evaluate and test the control environment
-
e-Commerce Considerations
Relationships with e-partners - issues of reliability and ongoing support?
Recording & processing of transactions
Fraud
Privacy
Transaction integrity
Competition & transparency
Terms of trade
Reputation
Security
System failures / reliance on 3rd parties
-
Examples of IT Risks Relevant to the Auditor
Planning and Organisation
- IT strategy not aligned with the business strategy
  unable to support business information needs / accounting processes and increasing risk of errors
Acquisition, Implementation and Maintenance
- implementation of new accounting application under time pressure
  e.g. inadequate testing may lead to operation problems and processing errors
- unauthorised changes to programs
  increase risk of processing and reporting errors
- interface problems
  loss, duplication or corruption of data
-
Examples of IT Risks Relevant to the Auditor (cont.)
Delivery and Support
- unauthorised access to application, operating systems and data
improper initiation, approval or execution of transactions
- inadequate backup and recovery procedures
loss of data
Monitoring
- access violations not monitored
difficult to enforce responsibility and accountability
-
IT And Non IT Audit Environments
[Diagram: IT Risks (Loss of Data, Hacking, Business Interruption & Legal Claims) and Non IT Business Risks (and presence of Fraud) both flow to The Auditor, who: Evaluates Internal Controls; uses IT Tools during Evaluation & testing; and Determines the type & volume of Substantive Tests]
-
IT - General Controls
Are manual and computer controls surrounding the environment in which computer systems operate, and relate to all or many computerised accounting applications; and
Provide a reasonable level of assurance that overall objectives of internal control are achieved (i.e. proper recording, prevent and detect errors)
Provide a control framework (i.e. address technology, people and processes)
-
Categories of General Controls
General controls address:
- segregation of duties
- control over hardware
- control over software
- control over data
-
Segregation of Duties
Auditor interested in:
- separation between IT and user department functions (e.g. users are not programmers); and
- separation of incompatible functions within the IT department, especially separating those with an understanding of the system from those with access to the system (e.g. operators are not programmers)
-
Control Over Software System Wide Processes
Includes control over:
- development or acquisition of new programs
- Must be authorised and linked to a business case
- The higher the degree of specialisation the greater the RISK
- Documentation a must
- Access to the Source Code (third party providers, the use of ESCROW)
- Level of testing:
- The data flow
- Integration with other systems
- Security
-
Control Over Software
- changes to existing programs
  - Authorisation and documentation
  - Testing (off line and Parallel)
- access to programs (e.g. via passwords or physical access restriction to software)
  - Administrator vs user
  - Administrators should not also act as a user of a system or at application level!
  - Why? Breach of segregation of duties: as an administrator the person is in a position to over-ride internal controls and manipulate data
-
Other General Controls
These controls back up hardware, software and files and ensure recovery when the computer installation or particular files or programs are damaged
General IT expectation: unless it is backed up in three separate ways it is not backed up!
Also, a backup is of little protection if it is located next to the computer or server.
These do not normally have an effect on control risk assessment
Although don't underestimate the significance of secure back up and disaster recovery / business interruption plans; they may be critical to the Auditor's evaluation of Going Concern
-
Testing of General Controls
There is no change in the Auditor's approach to testing, as these are mainly manual:
inquiry
inspection
observation
physical testing (playing the part of a staff member)
re-performance
-
IT - Application Controls
Relate to individual computerised accounting applications
May be programmed or manual, and located in either the user departments or the IT department
Can be preventative or detective in nature, and ensure that transactions occurred, are authorised and are completely and accurately recorded and processed
Have the application controls been correctly amended to reflect software modifications?
Consider staff behaviour relevant to the controls:
reluctance to change,
over-ride of controls to maintain productivity,
non-reporting of software faults
-
IT Application Controls
Usually classified under the following
categories:
- input
- file
- processing
- output
-
Input Application Controls
Ensure all authorised data is completely and accurately converted into machine readable form, e.g.:
- pre-numbering of documents / sequence and/or duplication check
- control totals (e.g. batch controls/totals)
- key verification (links to data in master files)
- key entry verification (duplication of the input; not widely used)
-
Automated/Programmed Input Application Controls
We shall work through some practical examples of each of:
Self-checking digits (e.g. only transactions with valid employee numbers will be processed)
Limit / reasonableness / range check (e.g. all hourly rates or number of hours worked for payroll transactions are within authorised limits)
Field checks (e.g. all relevant information for a purchase transaction has been input, i.e. check for missing fields/data; alphanumeric check)
Valid code test / validity checks (e.g. supplier details confirmed from master file when customer number is input into the system; data takes on valid values; valid combination of items)
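The following Python code is an added worked example, not part of the lecture slides, showing how the four programmed input controls on this slide might be implemented for a payroll transaction. The Luhn (mod-10) check-digit algorithm, the authorised hours and rate limits, the pay-code table and the employee master file are all assumptions constructed for the example; the slide itself does not specify them.

```python
"""Programmed input controls for a payroll transaction (added example).

Implements the four automated input controls on the slide: a self-checking
digit on the employee number, limit/range checks on hours and rate, a field
check for missing or non-numeric data, and validity checks against a master
file and a code table. Algorithm, limits and master file are constructed.
"""

# Authorised limits for the limit / reasonableness / range check (constructed).
MAX_HOURS_PER_PERIOD = 80.0
MIN_HOURLY_RATE = 18.00
MAX_HOURLY_RATE = 95.00

# Code table for the valid code test (constructed).
VALID_PAY_CODES = {"ORD", "OT1", "OT2", "LVE"}

# Constructed employee master file, keyed by employee number including its check digit.
EMPLOYEE_MASTER = {
    "100453": {"name": "A. Example", "status": "ACTIVE"},
    "100461": {"name": "B. Example", "status": "ACTIVE"},
    "200170": {"name": "C. Example", "status": "TERMINATED"},
}

REQUIRED_FIELDS = ("employee_no", "pay_code", "hours", "rate")


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn (mod-10) check digit for a string of digits.

    The slide only says 'self-checking digits'; Luhn is the algorithm assumed
    here. It catches any single mistyped digit and most adjacent transpositions.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # the digit nearest the check-digit position is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def has_valid_check_digit(number: str) -> bool:
    """Self-checking digit control: the final digit must agree with the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def validate_payroll_input(txn: dict) -> list:
    """Apply the programmed input controls to one transaction.

    Returns the list of control exceptions; an empty list means the
    transaction passes every input control and may be processed.
    """
    errors = []

    # Field check: every required field present and not blank.
    for name in REQUIRED_FIELDS:
        if name not in txn or str(txn[name]).strip() == "":
            errors.append(f"field check: missing {name}")
    if errors:
        return errors            # further checks are meaningless on incomplete input

    emp_no = str(txn["employee_no"]).strip()
    if not emp_no.isdigit():     # alphanumeric check on a numeric-only field
        return [f"field check: employee_no '{emp_no}' is not numeric"]

    # Self-checking digit on the employee number.
    if not has_valid_check_digit(emp_no):
        errors.append(f"check digit: employee_no {emp_no} fails mod-10 check")

    # Limit / reasonableness / range checks on hours worked and hourly rate.
    try:
        hours = float(txn["hours"])
        rate = float(txn["rate"])
    except (TypeError, ValueError):
        errors.append("field check: hours and rate must be numeric")
        return errors
    if not 0 < hours <= MAX_HOURS_PER_PERIOD:
        errors.append(f"range check: hours {hours} outside 0-{MAX_HOURS_PER_PERIOD}")
    if not MIN_HOURLY_RATE <= rate <= MAX_HOURLY_RATE:
        errors.append(f"range check: rate {rate} outside authorised limits")

    # Validity checks: employee on the master file and active; pay code in the code table.
    master = EMPLOYEE_MASTER.get(emp_no)
    if master is None:
        errors.append(f"validity check: employee_no {emp_no} not on master file")
    elif master["status"] != "ACTIVE":
        errors.append(f"validity check: employee {emp_no} is not active")
    if txn["pay_code"] not in VALID_PAY_CODES:
        errors.append(f"validity check: pay code '{txn['pay_code']}' not valid")
    return errors


if __name__ == "__main__":
    good = {"employee_no": "100453", "pay_code": "ORD", "hours": 38, "rate": 32.50}
    print(validate_payroll_input(good) or "accepted")
    # Transposed employee number, unknown pay code, hours over the authorised limit.
    bad = {"employee_no": "100435", "pay_code": "OTX", "hours": 95, "rate": 32.50}
    for exception in validate_payroll_input(bad):
        print(exception)
```

Note that the checks are layered in the order a keying operator would experience them: the field check runs first because a missing employee number makes the check-digit and master-file tests meaningless, and a transposed employee number is caught by the check digit before the system spends a master-file lookup on it.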
-
File and Processing Application Controls
Ensure all input data is completely and accurately processed onto master files, e.g.:
- internal file labels (computer-readable data that identifies the content of the file)
- external file labels (printed or handwritten labels attached to disk or tape)
- programmed control procedures:
  - checking numerical sequence of records
  - comparing related fields
  - run-to-run control totals
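As an added worked example (not from the lecture slides), the Python code below models a batch of payroll records with a header record acting as the internal file label, the data records, and a trailer carrying the control totals recorded when the batch was prepared. The processing run checks the label, the numerical sequence of records and the batch totals before posting anything, then proves the posting with a run-to-run control total (opening balance + input = closing balance). The file layout, field names and figures are constructed for the example.

```python
"""File and processing application controls over a batch (added example).

A batch is a header (internal file label), data records and a trailer of
control totals. The run rejects a wrong or stale file, a broken record
sequence or totals that do not agree, and proves a clean posting with a
run-to-run total. Layout and figures are constructed for the example.
"""
from dataclasses import dataclass

EXPECTED_FILE_ID = "PAYTXN"      # the only file this run is allowed to process
EXPECTED_PERIOD = "2013-W09"


@dataclass
class BatchHeader:               # internal file label: machine-readable identification
    file_id: str
    period: str
    generation: int              # increments each time the file is produced


@dataclass
class PayRecord:
    seq: int                     # sequence number assigned when the batch was keyed
    employee_no: str
    hours: float


@dataclass
class BatchTrailer:              # control totals recorded by the originating department
    record_count: int
    hash_total: int              # sum of employee numbers: meaningless, exists only to detect changes
    hours_total: float


def check_file_label(header, expected_generation):
    """Reject the wrong file, the wrong period, or a stale / re-run generation."""
    errors = []
    if header.file_id != EXPECTED_FILE_ID:
        errors.append(f"file label: got {header.file_id}, expected {EXPECTED_FILE_ID}")
    if header.period != EXPECTED_PERIOD:
        errors.append(f"file label: period {header.period} is not {EXPECTED_PERIOD}")
    if header.generation != expected_generation:
        errors.append(f"file label: generation {header.generation}, expected {expected_generation}")
    return errors


def check_sequence(records):
    """Numerical sequence check: detect duplicated, out-of-order or missing records."""
    errors = []
    seqs = [r.seq for r in records]
    if seqs and seqs[0] != 1:
        errors.append(f"sequence check: batch starts at record {seqs[0]}, expected 1")
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            errors.append(f"sequence check: duplicate record {cur}")
        elif cur < prev:
            errors.append(f"sequence check: record {cur} out of order after {prev}")
        elif cur > prev + 1:
            errors.append(f"sequence check: records {prev + 1}-{cur - 1} missing")
    return errors


def check_batch_totals(records, trailer):
    """Recompute the batch control totals and compare them with the trailer."""
    errors = []
    if len(records) != trailer.record_count:
        errors.append(f"batch total: {len(records)} records, trailer says {trailer.record_count}")
    if sum(int(r.employee_no) for r in records) != trailer.hash_total:
        errors.append("batch total: hash total of employee numbers does not agree")
    if round(sum(r.hours for r in records), 2) != round(trailer.hours_total, 2):
        errors.append("batch total: hours total does not agree")
    return errors


def process_batch(header, records, trailer, opening, expected_generation):
    """Run the file and processing controls and post only a clean batch.

    Returns (errors, closing_balances, run_totals). On any exception the
    batch is rejected and the master file (opening balances) is unchanged.
    """
    errors = check_file_label(header, expected_generation)
    errors += check_sequence(records)
    errors += check_batch_totals(records, trailer)
    if errors:
        return errors, dict(opening), None

    closing = dict(opening)
    for r in records:
        closing[r.employee_no] = closing.get(r.employee_no, 0.0) + r.hours

    # Run-to-run control total: what was there plus what went in must equal what is there now.
    run_totals = {
        "opening": round(sum(opening.values()), 2),
        "input": round(sum(r.hours for r in records), 2),
        "closing": round(sum(closing.values()), 2),
    }
    if abs(run_totals["opening"] + run_totals["input"] - run_totals["closing"]) > 0.005:
        errors.append("run-to-run: opening + input does not equal closing")
    return errors, closing, run_totals


# Constructed sample batch and opening year-to-date hours held on the master file.
HEADER = BatchHeader("PAYTXN", "2013-W09", 12)
RECORDS = [PayRecord(1, "100453", 38.0), PayRecord(2, "100461", 40.5), PayRecord(3, "200170", 12.0)]
TRAILER = BatchTrailer(record_count=3, hash_total=401084, hours_total=90.5)
OPENING_HOURS_YTD = {"100453": 304.0, "100461": 320.0, "200170": 96.0}
```

A hash total is deliberately a sum of a non-financial field (employee numbers here): the figure has no business meaning, but any record that is added, dropped or re-keyed to a different employee between keying and processing changes it, which is exactly what the control is there to detect.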
-
Output Application Controls
Ensure complete and accurate output is distributed only to authorised persons, e.g.:
- restricted distribution
- restricted print access (screen only)
- automatic dating of reports
- page numbering
- end-of-report messages
-
Relationship Between IT General Controls and Application Controls
Should start internal control evaluation by looking at general controls.
If these controls are unreliable, the auditor can have little confidence in programmed application controls and reduced confidence in manual application controls.
The auditor must take a more substantive approach to the audit.
If general controls are reliable, the auditor makes a preliminary evaluation of application controls and, if appropriate, a more detailed evaluation of application controls is made.
The auditor determines the appropriate degree of tests of controls and substantive testing.
-
Auditing IT Systems
Planning:
- level of IT dependence / IT business related risks
- IT related IC strengths and weaknesses
Audit Evidence:
- use of CAATs for
  - tests of controls
  - substantive testing
CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special - normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing.
-
Lecture Discussion Question 1
When reviewing an IT environment, the auditor distinguishes between general controls (i.e. the overall control environment) and application controls (input, processing, output at an account assertion level).
For the following separate situations identify whether it is a general or an application control.
(a) A trade receivables listing is produced and distributed to the Finance Manager, Sales Manager, Accountant and Account Managers.
(b) A new accounts receivable system has been developed by employee programmers and is currently being tested to ensure that it is compatible with the rest of the IT system.
(c) A significant number of sales invoices that are contained in a batch are not properly authorised.
(d) When a desktop PC is inactive for 5 minutes the computer will go into auto logoff mode.
-
Lecture Discussion Question 1 (cont.)
(e) When processing a customer order for goods the inventory system rejects the quantity if the remaining balance would be negative.
(f) Only the Senior Accountant can amend the table of depreciation rates contained in the Fixed Asset System.
(g) A payroll transaction is rejected as the number of overtime hours for the pay period exceeds 15 hours.
(h) Staff are required to wear their staff ID badge while working in the Server Room.
(i) The Firewall log is reviewed each morning by a senior program analyst.