Addthis Arens Chapter12
The Impact of Information
Technology on the Audit
Process
Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 1
Learning Objective 1
Describe how IT improves
internal control.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 2
How Information Technologies
Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 3
Learning Objective 2
Identify risks that arise from using
an IT-based accounting system.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 4
Assessing Risks of
Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and
separation of IT duties
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 5
Risks to Hardware and Data
Reliance
Relianceon
onthe
thefunctioning
functioningcapabilities
capabilities
of
ofhardware
hardwareand
andsoftware
software
Systematic
Systematicversus
versusrandom
randomerrors
errors
Unauthorized
Unauthorizedaccess
access
Loss
Lossof
ofdata
data
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 6
Reduced Audit Trail
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 7
Need for IT Experience and
Separation of Duties
Reduced separation of duties
Need for IT experience
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 8
Learning Objective 3
Explain how general controls
and application controls
reduce IT risks.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 9
Internal Controls Specific to
Information Technology
General controls
Application controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 10
Relationship Between General
and Application Controls
Risk of unauthorized change
to application software
Risk of system crash
Cash receipts
application
controls
Sales
application
controls
Payroll
application
controls
Other cycle
application
controls
Risk of unauthorized
master file update
GENERAL CONTROLS
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Risk of unauthorized
processing
12 - 11
General Controls
Administration of the IT function
Separation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 12
Administration of the IT Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 13
Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator
Systems
Development
Operations
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Data
Control
12 - 14
Systems Development
Typical test
strategies
Pilot testing
Parallel testing
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 15
Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on
security software
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 16
Backup and Contingency
Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 17
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 18
Application Controls
Input controls
Processing controls
Output controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 19
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 20
Batch Input Controls
Financial total
Hash total
Record count
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 21
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 22
Output Controls
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 23
Learning Objective 4
Describe how general controls
affect the auditor’s testing
of application controls.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 24
Impact of Information Technology on
the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and
substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 25
Learning Objective 5
Use test data, parallel simulation,
and embedded audit module
approaches when auditing
through the computer.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 26
Test Data Approach
1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors’ test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
client’s records.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 27
Test Data Approach
Input test
transactions to test
key control
procedures
Master files
Contaminated
master files
Application programs
(assume batch system)
Transaction files
(contaminated?)
Control test
results
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 28
Test Data Approach
Control test
results
Auditor makes
comparisons
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Differences between
actual outcome and
predicted result
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 29
Parallel Simulation
The auditor uses auditor-controlled software
to perform parallel operations to the client’s
software by using the same data files.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 30
Parallel Simulation
Production
transactions
Master
file
Auditor-prepared
program
Client application
system programs
Auditor
results
Client
results
Auditor makes comparisons between
client’s application system output and
the auditor-prepared program output
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Exception report
noting differences
12 - 31
Embedded Audit Module
Approach
Auditor inserts an audit module in the
client’s application system to identify
specific types of transactions.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 32
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 33
Issues for Different IT
Environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 34
End of Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 35
Technology on the Audit
Process
Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 1
Learning Objective 1
Describe how IT improves
internal control.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 2
How Information Technologies
Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 3
Learning Objective 2
Identify risks that arise from using
an IT-based accounting system.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 4
Assessing Risks of
Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and
separation of IT duties
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 5
Risks to Hardware and Data
Reliance
Relianceon
onthe
thefunctioning
functioningcapabilities
capabilities
of
ofhardware
hardwareand
andsoftware
software
Systematic
Systematicversus
versusrandom
randomerrors
errors
Unauthorized
Unauthorizedaccess
access
Loss
Lossof
ofdata
data
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 6
Reduced Audit Trail
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 7
Need for IT Experience and
Separation of Duties
Reduced separation of duties
Need for IT experience
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 8
Learning Objective 3
Explain how general controls
and application controls
reduce IT risks.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 9
Internal Controls Specific to
Information Technology
General controls
Application controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 10
Relationship Between General
and Application Controls
Risk of unauthorized change
to application software
Risk of system crash
Cash receipts
application
controls
Sales
application
controls
Payroll
application
controls
Other cycle
application
controls
Risk of unauthorized
master file update
GENERAL CONTROLS
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Risk of unauthorized
processing
12 - 11
General Controls
Administration of the IT function
Separation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 12
Administration of the IT Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 13
Segregation of IT Duties
Chief Information Officer or IT Manager
Security Administrator
Systems
Development
Operations
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Data
Control
12 - 14
Systems Development
Typical test
strategies
Pilot testing
Parallel testing
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 15
Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on
security software
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 16
Backup and Contingency
Planning
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up
and stored off the premises.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 17
Hardware Controls
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 18
Application Controls
Input controls
Processing controls
Output controls
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 19
Input Controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 20
Batch Input Controls
Financial total
Hash total
Record count
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 21
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 22
Output Controls
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 23
Learning Objective 4
Describe how general controls
affect the auditor’s testing
of application controls.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 24
Impact of Information Technology on
the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and
substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 25
Learning Objective 5
Use test data, parallel simulation,
and embedded audit module
approaches when auditing
through the computer.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 26
Test Data Approach
1. Test data should include all relevant
conditions that the auditor wants tested.
2. Application programs tested by the
auditors’ test data must be the same as
those the client used throughout the year.
3. Test data must be eliminated from the
client’s records.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 27
Test Data Approach
Input test
transactions to test
key control
procedures
Master files
Contaminated
master files
Application programs
(assume batch system)
Transaction files
(contaminated?)
Control test
results
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 28
Test Data Approach
Control test
results
Auditor makes
comparisons
Auditor-predicted results
of key control procedures
based on an understanding
of internal control
Differences between
actual outcome and
predicted result
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 29
Parallel Simulation
The auditor uses auditor-controlled software
to perform parallel operations to the client’s
software by using the same data files.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 30
Parallel Simulation
Production
transactions
Master
file
Auditor-prepared
program
Client application
system programs
Auditor
results
Client
results
Auditor makes comparisons between
client’s application system output and
the auditor-prepared program output
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
Exception report
noting differences
12 - 31
Embedded Audit Module
Approach
Auditor inserts an audit module in the
client’s application system to identify
specific types of transactions.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 32
Learning Objective 6
Identify issues for e-commerce
systems and other specialized
IT environments.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 33
Issues for Different IT
Environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens//Elder/Beasley
12 - 34
End of Chapter 12
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley
12 - 35