ACCT3014_lecture IT Part 1 s1 2013


  • 8/22/2019 ACCT3014_lecture IT Part 1 s1 2013

    1/23

The University of Sydney Business School

    ACCT3014 - Auditing and Assurance

    Semester 1, 2013

    Eric Clubb

    Week 9 Lecture: Auditing in an IT Environment

    - Auditing risks only increase
    - General Controls vs Application Controls
    - Testing Internal Controls

  • 2/23

    IT Audit Environment

Lecture Outline

    - Critical nature of IT systems to the business enterprise of any size
    - Increased reliance on IT systems, both business and personal, brings new risks for the auditor
    - Understanding the difference between the two kinds of business-implemented IT controls:
      - General controls (IT system wide)
      - Application controls (detailed focus on a specific application, e.g. payroll, sales)
    - Working examples of these controls
    - Introduction: how does the auditor evaluate and test the control environment?

  • 3/23

e-Commerce Considerations

    - Relationships with e-partners: issues of reliability and ongoing support?
    - Recording and processing of transactions
    - Fraud
    - Privacy
    - Transaction integrity
    - Competition and transparency
    - Terms of trade
    - Reputation
    - Security
    - System failures and reliance on third parties

  • 4/23

Examples of IT Risks Relevant to the Auditor

    Planning and Organisation
    - IT strategy not aligned with the business strategy: unable to support business information needs / accounting processes, increasing the risk of errors

    Acquisition, Implementation and Maintenance
    - implementation of a new accounting application under time pressure, e.g. inadequate testing may lead to operational problems and processing errors
    - unauthorised changes to programs: increased risk of processing and reporting errors
    - interface problems: loss, duplication or corruption of data

  • 5/23

Examples of IT Risks Relevant to the Auditor (cont.)

    Delivery and Support
    - unauthorised access to applications, operating systems and data: improper initiation, approval or execution of transactions
    - inadequate backup and recovery procedures: loss of data

    Monitoring
    - access violations not monitored: difficult to enforce responsibility and accountability

  • 6/23

IT And Non IT Audit Environments

    [Diagram: two parallel risk streams leading to the auditor's response]

    - IT risks: loss of data, hacking, business interruption and legal claims
    - Non-IT business risks and the presence of fraud
    - The auditor: evaluate internal controls (in the IT environment, using IT tools during evaluation and testing)
    - Determine the type and volume of substantive tests

  • 7/23

IT - General Controls

    - Are manual and computer controls surrounding the environment in which computer systems operate, and relate to all or many computerised accounting applications; and
    - Provide a reasonable level of assurance that the overall objectives of internal control are achieved (i.e. proper recording, prevent and detect errors)
    - Provide a control framework (i.e. address technology, people and processes)

  • 8/23

    Categories of General Controls

    General controls address:

    - segregation of duties

    - control over hardware

    - control over software

    - control over data

  • 9/23

Segregation of Duties

    Auditor interested in:

    - separation between IT and user department functions (e.g. users are not programmers); and
    - separation of incompatible functions within the IT department, especially separating those with an understanding of the system from those with access to the system (e.g. operators are not programmers)

  • 10/23

Control Over Software: System-Wide Processes

    Includes control over:

    - development or acquisition of new programs
      - Must be authorised and linked to a business case
      - The higher the degree of specialisation, the greater the RISK
      - Documentation is a must
      - Access to the source code (third-party providers, the use of ESCROW)
      - Level of testing:
        - The data flow
        - Integration with other systems
        - Security

  • 11/23

Control Over Software

    - changes to existing programs
      - Authorisation and documentation
      - Testing (offline and parallel)
    - access to programs (e.g. via passwords or physical access restriction to software)
      - Administrator vs user
      - Administrators should not also act as a user of a system or at application level!
      - Why? Breach of segregation of duties: as an administrator, the person is in a position to override internal controls and manipulate data
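The two segregation rules on these slides (no one should both understand and operate the system, and administrators should not also act as application users) can be checked mechanically against an access listing. The following is an added Python example, not code from the lecture; the user names, role names and the set of incompatible role pairs are constructed for illustration.

```python
"""Segregation-of-duties check over a constructed user/role listing (added example)."""
from itertools import combinations

# Constructed sample listing: user -> roles held. Names and roles are illustrative only.
USER_ROLES = {
    "alice": {"programmer"},
    "bob":   {"operator"},
    "carol": {"sysadmin", "ap_clerk"},    # administrator who also acts as an application user
    "dave":  {"programmer", "operator"},  # understands the system and can also access it
    "erin":  {"ap_clerk"},
}

# Role pairs the auditor treats as incompatible (assumed, following the lecture):
# IT versus user-department functions, and within IT, those who understand the
# system versus those with access to it.
INCOMPATIBLE_PAIRS = {
    frozenset({"programmer", "operator"}),
    frozenset({"programmer", "ap_clerk"}),
    frozenset({"sysadmin", "ap_clerk"}),
}

# Roles with the power to override controls at system level (assumed).
ADMIN_ROLES = {"sysadmin"}


def find_sod_violations(user_roles, incompatible_pairs):
    """Return (user, role_a, role_b) for every incompatible pair held by one user, sorted."""
    violations = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible_pairs:
                violations.append((user, a, b))
    return violations


def admins_with_user_roles(user_roles, admin_roles):
    """Administrator-versus-user rule: administrators must not also hold application-level roles."""
    return sorted(user for user, roles in user_roles.items()
                  if roles & admin_roles and roles - admin_roles)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(USER_ROLES, INCOMPATIBLE_PAIRS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user in admins_with_user_roles(USER_ROLES, ADMIN_ROLES):
        print(f"administrator acting as user: {user}")
```

Run against a real listing, the incompatible-pair table is the auditor's judgement about this client's IT and user functions; the code only makes that judgement repeatable across every user in the listing.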

  • 12/23

Other General Controls

    These controls back up hardware, software and files and ensure recovery when the computer installation, or particular files or programs, are damaged.

    General IT expectation: unless it is backed up in three separate ways, it is not backed up!

    Also, a backup located next to the computer or server offers little protection.

    These do not normally have an effect on the control risk assessment, although do not underestimate the significance of secure backup and disaster recovery / business interruption plans: they may be critical to the auditor's evaluation of going concern.

  • 13/23

Testing of General Controls

    There is no change in the auditor's approach to testing, as these are mainly manual:

    - Inquiry
    - Inspection
    - Observation
    - Physical testing (playing the part of a staff member)
    - Re-performance

  • 14/23

IT - Application Controls

    - Relate to individual computerised accounting applications. May be programmed or manual, and located in either the user departments or the IT department
    - Can be preventative or detective in nature, and ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed
    - Have the application controls been correctly amended to reflect software modifications?
    - Consider staff factors such as:
      - reluctance to change
      - override of controls to maintain productivity
      - non-reporting of software faults

  • 15/23

IT Application Controls

    Usually classified under the following categories:

    - input

    - file

    - processing

    - output

  • 16/23

Input Application Controls

    Ensure all authorised data is completely and accurately converted into machine-readable form, e.g.:

    - pre-numbering of documents / sequence and/or duplication check
    - control totals (e.g. batch controls/totals)
    - key verification: links to data in master files
    - key entry verification: duplicate keying of the input (not widely used)

  • 17/23

Automated/Programmed Input Application Controls

    We shall work through some practical examples of each of:

    - Self-checking digits (e.g. only transactions with valid employee numbers will be processed)
    - Limit / reasonableness / range check (e.g. all hourly rates or number of hours worked for payroll transactions are within authorised limits)
    - Field checks (e.g. all relevant information for a purchase transaction has been input, i.e. check for missing fields/data; alphanumeric check)
    - Valid code test / validity checks (e.g. supplier details confirmed from master file when customer number is input into the system; data takes on valid values; valid combination of items)
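The batch controls on the previous slide and the four programmed edit checks on this one, applied to a constructed payroll input batch. This is an added Python example and not the lecture's own material: the employee numbers (Luhn mod-10 check digit on the last digit), the authorised rate and hours limits, the cost-centre format, the master file and the batch itself are all assumptions made for illustration.

```python
"""Programmed input edit checks and batch controls for a constructed payroll batch (added example)."""
import re
from decimal import Decimal, InvalidOperation

# Constructed master file of valid employee numbers (the trailing digit is a Luhn check digit).
EMPLOYEE_MASTER = {"123455": "A. Smith", "200006": "B. Jones"}

# Constructed authorised limits for the limit / reasonableness check (inclusive).
RATE_LIMITS = (Decimal("15.00"), Decimal("80.00"))    # hourly rate
HOURS_LIMITS = (Decimal("0"), Decimal("60"))           # hours per pay period

REQUIRED_FIELDS = ("employee_no", "hours", "rate", "cost_centre")
COST_CENTRE_FORMAT = re.compile(r"^[A-Z]{2}\d{3}$")    # assumed alphanumeric format for the field check


def luhn_valid(number: str) -> bool:
    """Self-checking digit: True when the trailing digit is a correct Luhn (mod-10) check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _to_decimal(value):
    try:
        return Decimal(value)
    except (InvalidOperation, TypeError):
        return None


def validate_record(rec: dict) -> list:
    """Field, self-checking digit, validity and limit checks; returns the list of errors found."""
    errors = []
    # Field check: every required field present and non-blank.
    for f in REQUIRED_FIELDS:
        if not str(rec.get(f, "")).strip():
            errors.append(f"missing field: {f}")
    # Field (format) check: cost centre must match the assumed alphanumeric pattern.
    cc = rec.get("cost_centre", "")
    if cc and not COST_CENTRE_FORMAT.match(cc):
        errors.append(f"cost_centre format invalid: {cc}")
    # Self-checking digit first, then the validity check against the master file.
    emp = rec.get("employee_no", "")
    if emp and not luhn_valid(emp):
        errors.append(f"employee_no check digit invalid: {emp}")
    elif emp and emp not in EMPLOYEE_MASTER:
        errors.append(f"employee_no not in master file: {emp}")
    # Limit / range checks on hours and rate.
    for field, (lo, hi) in (("hours", HOURS_LIMITS), ("rate", RATE_LIMITS)):
        raw = rec.get(field, "")
        if not str(raw).strip():
            continue                # already reported as a missing field
        val = _to_decimal(raw)
        if val is None:
            errors.append(f"{field} not numeric: {raw}")
        elif not (lo <= val <= hi):
            errors.append(f"{field} outside authorised limits [{lo}, {hi}]: {val}")
    return errors


def validate_batch(header: dict, records: list) -> dict:
    """Batch controls (record count and hours control total) plus per-record edit checks."""
    batch_errors = []
    if header["record_count"] != len(records):
        batch_errors.append(f"record count {len(records)} != header {header['record_count']}")
    hours_total = sum((_to_decimal(r.get("hours", "0")) or Decimal(0)) for r in records)
    if hours_total != Decimal(header["hours_total"]):
        batch_errors.append(f"hours total {hours_total} != header {header['hours_total']}")
    record_errors = {i: errs for i, r in enumerate(records) if (errs := validate_record(r))}
    return {"batch_errors": batch_errors, "record_errors": record_errors}


# Constructed batch: one clean record and three that each trip a different control.
SAMPLE_HEADER = {"record_count": 4, "hours_total": "191.0"}
SAMPLE_RECORDS = [
    {"employee_no": "123455", "hours": "38.0", "rate": "42.50", "cost_centre": "AU123"},
    {"employee_no": "123456", "hours": "38.0", "rate": "42.50", "cost_centre": "AU123"},  # bad check digit
    {"employee_no": "200006", "hours": "75",   "rate": "42.50", "cost_centre": ""},       # hours too high, field missing
    {"employee_no": "999995", "hours": "40",   "rate": "42.50", "cost_centre": "AU123"},  # valid digit, not in master
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS))
```

The order of checks matters for the auditor reading the exception report: a record that fails the check digit is never looked up in the master file, so the report names the input error rather than a misleading "not found". The batch header totals are the manual control prepared by the user department; the programmed checks operate record by record inside the application.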

  • 18/23

File and Processing Application Controls

    Ensure all input data is completely and accurately processed onto master files, e.g.:

    - internal file labels: computer-readable data that identifies the content of the file
    - external file labels: printed or handwritten labels attached to the disk or tape
    - programmed control procedures:
      - checking the numerical sequence of records
      - comparing related fields
      - run-to-run control totals
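The internal file label and the three programmed procedures on this slide, applied to a constructed payroll transaction file before it is posted to the master file. This is an added Python example, not the lecture's own; the file layout, the label fields, the "gross = hours x rate" relationship used for the related-field comparison and the totals carried forward from the previous run are all assumptions.

```python
"""File and processing controls over a constructed payroll posting run (added example)."""
from decimal import Decimal

# Constructed transaction file: an internal header label followed by sequenced records.
TXN_FILE = {
    "label": {"file_id": "PAYTXN", "period": "2013-03", "record_count": 3},
    "records": [
        {"seq": 1, "employee_no": "123455", "hours": "38.0", "rate": "42.50", "gross": "1615.00"},
        {"seq": 2, "employee_no": "200006", "hours": "40.0", "rate": "30.00", "gross": "1200.00"},
        {"seq": 3, "employee_no": "123455", "hours": "2.0",  "rate": "42.50", "gross": "90.00"},  # 2.0 x 42.50 is 85.00
    ],
}

# Constructed totals reported by the previous (input validation) run of the same file.
CARRIED_TOTALS = {"record_count": 3, "hours": "80.0", "gross": "2905.00"}


def check_file_label(label, expected_id, expected_period):
    """Internal file label check: refuse to process the wrong file or the wrong period."""
    errors = []
    if label.get("file_id") != expected_id:
        errors.append(f"wrong file: {label.get('file_id')} != {expected_id}")
    if label.get("period") != expected_period:
        errors.append(f"wrong period: {label.get('period')} != {expected_period}")
    return errors


def check_sequence(records):
    """Numerical sequence check: records must run 1..n with no gaps, duplicates or reordering."""
    errors = []
    expected = 1
    for rec in records:
        if rec["seq"] != expected:
            errors.append(f"sequence break: expected {expected}, got {rec['seq']}")
            expected = rec["seq"]        # resynchronise so one break is reported once
        expected += 1
    return errors


def check_related_fields(records):
    """Comparing related fields: gross pay must equal hours x rate on every record."""
    errors = []
    for rec in records:
        expected = Decimal(rec["hours"]) * Decimal(rec["rate"])
        if Decimal(rec["gross"]) != expected:
            errors.append(f"seq {rec['seq']}: gross {rec['gross']} != hours*rate {expected}")
    return errors


def control_totals(records):
    """Totals this run reports, to be carried forward to the next run."""
    return {
        "record_count": len(records),
        "hours": sum(Decimal(r["hours"]) for r in records),
        "gross": sum(Decimal(r["gross"]) for r in records),
    }


def check_run_to_run(records, carried):
    """Run-to-run control totals: this run's totals must agree with those the previous run reported."""
    now = control_totals(records)
    return [f"{k}: this run {now[k]} != carried {carried[k]}"
            for k in carried if now[k] != Decimal(carried[k])]


def process_run(txn_file, expected_id, expected_period, carried_totals):
    """Run every control; posting to the master file is only allowed when all of them pass."""
    recs = txn_file["records"]
    label = txn_file["label"]
    errors = {
        "file_label": check_file_label(label, expected_id, expected_period),
        "record_count": [] if label["record_count"] == len(recs) else
                        [f"label record_count {label['record_count']} != {len(recs)}"],
        "sequence": check_sequence(recs),
        "related_fields": check_related_fields(recs),
        "run_to_run": check_run_to_run(recs, carried_totals),
    }
    errors = {k: v for k, v in errors.items() if v}
    return {"ok": not errors, "errors": errors, "totals": control_totals(recs)}


if __name__ == "__main__":
    print(process_run(TXN_FILE, "PAYTXN", "2013-03", CARRIED_TOTALS))
```

In the constructed file the control totals and sequence all agree, so the only exception is the related-field mismatch on record 3; a corrupted or duplicated record would normally disturb the sequence check and the run-to-run totals as well, which is why the procedures are used together rather than relying on any one of them.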

  • 19/23

Output Application Controls

    Ensure complete and accurate output is distributed only to authorised persons, e.g.:

    - restricted distribution
    - restricted print access (screen only)
    - automatic dating of reports
    - page numbering
    - end-of-report messages

  • 20/23

Relationship Between IT General Controls and Application Controls

    Should start internal control evaluation by looking at general controls.

    If these controls are unreliable, the auditor can have little confidence in programmed application controls and reduced confidence in manual application controls. The auditor must take a more substantive approach to the audit.

    If general controls are reliable, the auditor makes a preliminary evaluation of application controls and, if appropriate, a more detailed evaluation of application controls is made. The auditor then determines the appropriate degree of tests of controls and substantive testing.

  • 21/23

Auditing IT Systems

    Planning:
    - level of IT dependence / IT business-related risks
    - IT-related internal control strengths and weaknesses

    Audit Evidence:
    - use of CAATs for
      - tests of controls
      - substantive testing

    CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special: normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing.

  • 22/23

Lecture Discussion Question 1

    When reviewing an IT environment, the auditor distinguishes between general controls (i.e. the overall control environment) and application controls (input, processing, output at an account assertion level).

    For the following separate situations, identify whether each is a general or an application control.

    (a) A trade receivables listing is produced and distributed to the Finance Manager, Sales Manager, Accountant and Account Managers.

    (b) A new accounts receivable system has been developed by employee programmers and is currently being tested to ensure that it is compatible with the rest of the IT system.

    (c) A significant number of sales invoices contained in a batch are not properly authorised.

    (d) When a desktop PC is inactive for 5 minutes, the computer goes into auto-logoff mode.

  • 23/23

Lecture Discussion Question 1 (cont.)

    (e) When processing a customer order for goods, the inventory system rejects the quantity if the remaining balance would be negative.

    (f) Only the Senior Accountant can amend the table of depreciation rates contained in the Fixed Asset System.

    (g) A payroll transaction is rejected as the number of overtime hours for the pay period exceeds 15 hours.

    (h) Staff are required to wear their staff ID badge while working in the Server Room.

    (i) The firewall log is reviewed each morning by a senior program analyst.