Chapter 08: Consideration of Internal Control in an Information Technology Environment

Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.


Nature of IT Based Systems

Many systems have developed away from centralized systems with one mainframe computer using user-developed software to a combination of smaller computers using commercially available software

- Less expensive software
  - Electronic checkbooks (e.g., Quicken)
- Moderate system
  - Basic general ledger system (e.g., QuickBooks)
- Expensive
  - ERP systems (e.g., SAP)


Nature of IT Systems

Usually consists of:

- Hardware
  - Digital computer and peripheral equipment
- Software
  - Various programs and routines for operating the system


Computer Hardware

- Input/Output Devices: Card Readers, Terminals, Electronic Cash Registers, Optical Scanners, Magnetic Tape Drives, Magnetic Disk Drives, Optical Compact Disks
- Central Processing Unit: Arithmetic Unit, Control Unit
- Auxiliary Storage: Magnetic Disks, Magnetic Drums, Magnetic Tapes, Optical Compact Disks


Software

Two types:

- Systems software
  - Programs that control and coordinate hardware components and provide support to application software
  - Operating system (Examples: Unix, Windows)
- Application software
  - Programs designed to perform a specific data processing task
  - Written in programming language (Example: Java)


System Characteristics

Regardless of size, a system possesses one or more of the following elements:

- Batch processing
- Online capabilities
- Database storage
- IT networks
- End user computing


Batch Processing

Input data gathered and processed periodically in groups

Example: Accumulate all of a day’s sales transactions and process them as a batch at end of day

Often more efficient than other types of systems but does not provide up-to-minute information


Online Capabilities

Online systems allow users direct access to data stored in the system

Two types (a company may use both):

- Online transaction processing (OLTP)
  - Individual transactions entered from remote locations
  - Online real time (Example: Bank balance at ATM)
- Online analytical processing (OLAP)
  - Enables user to query a system for analysis
  - Example: Data warehouse, decision support systems, expert systems


Database Storage

- In traditional-IT systems, each computer application maintains separate master files
  - Redundant information stored in several files
- Database system allows users to access same integrated database file
  - Eliminates data redundancy
  - Creates need for data administrator for security against improper access


IT Networks

- Networks
  - Computers linked together through telecommunication links that enable computers to communicate information back and forth
  - WAN, LAN
  - Internet, intranet, extranet
- Electronic commerce
  - Involves electronic processing and transmission of data between customer and client
  - Electronic Data Interchange (EDI)


End User Computing

User departments are responsible for the development and execution of certain IT applications

Involves a decentralized processing system

IT department generally not involved

Controls needed to prevent unauthorized access


Internal Control in IT

Importance of internal control not diminished in computerized environment

- Separation of duties
- Clearly defined responsibilities
- Augmented by controls written into computer programs


Audit Trail Impact

In a traditional manual system, hard-copy documentation available for accounting cycle

In computerized environment, audit trail ordinarily still exists, but often not in printed form

- Can affect audit procedures
- Consulting auditors during design stage of IT-based system helps ultimate auditability


Figure 8.1: Organization of Information Systems Department


Responsibilities (1 of 2)

- Information systems management
  - Supervise the operation of the department and report to vice president of finance
- Systems analysis
  - Responsible for designing the system
- Application programming
  - Design flowcharts and write programming code
- Database administration
  - Responsible for planning and administering the company database
- Data Entry
  - Prepare and verify input data for processing


Responsibilities (2 of 2)

- IT Operations
  - Run and monitor central computers
- Program and file library
  - Protect computer programs, master files and other records from loss, damage and unauthorized use
- Data Control
  - Reviews and tests all input procedures, monitors processes and reviews IT logs
- Telecommunications Specialists
  - Responsible for maintaining and enhancing IT networks
- Systems Programming
  - Responsible for troubleshooting the operating system


Computer-Based Fraud

History shows the person responsible for frauds in many situations set up the system and controlled its modifications

- Segregation of duties
  - Programming separate from controlling data entry
  - Computer operator from custody or detailed knowledge of programs
- If segregation not possible need:
  - Compensating controls like batch totals
- Organizational controls not effective in mitigating collusion


Internal Auditing in IT

Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company

Should participate in design of IT-based system

Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning and data group performing duties.


Figure 8.2: IT Control Activities


IT Control Activities

General Control Activities

Developing new programs and systems

Changing existing programs and systems

Access to programs and data

IT operations controls


Application Control Activities

Programmed Control Activities

- Input validation checks
  - Limit test
  - Validity test
  - Self-checking number
- Batch controls
  - Item count
  - Control total
  - Hash total
- Processing controls
  - Input controls plus file labels

Manual Follow-up Activities

- Exception reports follow-up


User Control Activities

Designed to test the completeness and accuracy of IT-processed transactions

Designed to ensure reliability

- Reconciliation of control totals generated by system to totals developed at input phase
- Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
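The programmed application controls (limit test, validity test, self-checking number, batch totals) and the user reconciliation of control totals described above, as an added example that is not part of the original slides. The account master file, the amount limit, the field names and the choice of the Luhn mod-10 scheme for the self-checking number are all assumptions made for illustration.

```python
from decimal import Decimal

# Constructed master file and limit; all names and values here are assumptions.
VALID_ACCOUNTS = {"400127", "500348"}
AMOUNT_LIMIT = Decimal("10000.00")

def check_digit_ok(account: str) -> bool:
    """Self-checking number, using the Luhn mod-10 scheme as an assumed choice."""
    if not account.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(account)):
        d = int(ch)
        if pos % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(txn: dict) -> list:
    """Programmed input validation; returns the reasons a record is rejected."""
    reasons = []
    if not check_digit_ok(txn["account"]):
        reasons.append("self-checking number")
    elif txn["account"] not in VALID_ACCOUNTS:
        reasons.append("validity test")
    if not Decimal("0") < txn["amount"] <= AMOUNT_LIMIT:
        reasons.append("limit test")
    return reasons

def batch_totals(txns: list) -> dict:
    """Batch controls: item count, control total, and hash total."""
    return {
        "item_count": len(txns),
        "control_total": sum((t["amount"] for t in txns), Decimal("0")),
        "hash_total": sum(t["invoice"] for t in txns),  # sum has no business meaning
    }

def reconcile(input_totals: dict, txns: list) -> list:
    """User control: names of totals that differ from those set at input."""
    system = batch_totals(txns)
    return [name for name in input_totals if system[name] != input_totals[name]]

def exception_report(txns: list) -> dict:
    """Invoice number -> rejection reasons, for manual follow-up."""
    return {t["invoice"]: r for t in txns if (r := validate(t))}

# Constructed sample batch (not real data).
BATCH = [
    {"invoice": 1001, "account": "400127", "amount": Decimal("250.00")},
    {"invoice": 1002, "account": "400217", "amount": Decimal("75.50")},    # transposed digits
    {"invoice": 1003, "account": "600510", "amount": Decimal("120.00")},   # not on master file
    {"invoice": 1004, "account": "500348", "amount": Decimal("25000.00")}, # over limit
]
INPUT_TOTALS = batch_totals(BATCH)  # as recorded by the data control group at input
```

A record swapped for another with the same amount leaves the item count and control total unchanged, so only the hash total exposes the substitution.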


Control in Decentralized and Single Workstation Systems

Involves use of one or more user operated workstations to process data

Needed controls

- Train users
- Document computer processing procedures
- Backup files stored away from originals
- Authorization controls
- Prohibit use of unauthorized programs
- Use antivirus software


Steps 1 and 2 of audit—Plan audit and Obtain an Understanding

- Step 1 – Consider IT system in planning
- Step 2 – Obtain an understanding of the client and its environment
  - Documentation of client’s IT-based system depends on complexity of system
    - Narrative
    - Systems flowchart
    - Program flowchart
    - Internal control questionnaires


Step 3 of Audit: Assess the Risks of Material Misstatement

- Identify risks
- Relate the identified risks to what can go wrong at the relevant assertion level
- Consider whether the risks are of a magnitude that could result in a material misstatement
- Consider the likelihood that the risks could result in a material misstatement
- Evaluate effectiveness of related controls in mitigating risks
- Test of controls over IT-based systems


Techniques for Testing Application Controls

Auditing Around the Computer--Manually processing selected transactions and comparing results to computer output

Manual Tests of Computer Controls--Inspection of computer control reports and evidence of manual follow-up on exceptions

Auditing Through the Computer--Computer assisted techniques

- Test Data
- Integrated Test Facility
- Controlled Programs
- Program Analysis Techniques
- Tagging and Tracing Transactions
- Generalized audit software – parallel simulation


Using Generalized Audit Software to Perform Substantive Procedures

In general, using client data and generalized audit software

- Examine client’s records for overall quality, completeness and valid conditions
- Rearrange data and perform analyses
- Select audit samples
- Compare data on separate files
- Compare results of audit procedures with client’s records


Figure 8.6: Typical Inventory Audit Procedures Using Generalized Audit Software
