Chapter 08
Consideration of Internal Control in an Information Technology Environment
Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Nature of IT Based Systems
Many systems have moved away from centralized systems with one mainframe computer using user-developed software to a combination of smaller computers using commercially available software
  Less expensive software
    Electronic checkbooks (e.g., Quicken)
  Moderate system
    Basic general ledger system (e.g., QuickBooks)
  Expensive
    ERP systems (e.g., SAP)
Nature of IT Systems
Usually consists of:
  Hardware
    Digital computer and peripheral equipment
  Software
    Various programs and routines for operating the system
Computer Hardware
Input/Output Devices
  Card Readers
  Terminals
  Electronic Cash Registers
  Optical Scanners
  Magnetic Tape Drives
  Magnetic Disk Drives
  Optical Compact Disks
Central Processing Unit
  Arithmetic Unit
  Control Unit
Auxiliary Storage
  Magnetic Disks
  Magnetic Drums
  Magnetic Tapes
  Optical Compact Disks
Software
Two Types:
  Systems software
    Programs that control and coordinate hardware components and provide support to application software
    Operating system (Examples: Unix, Windows)
  Application software
    Programs designed to perform a specific data processing task
    Written in programming language (Example: Java)
System Characteristics
Regardless of size, a system possesses one or more of the following elements:
  Batch processing
  Online capabilities
  Database storage
  IT networks
  End user computing
Batch Processing
Input data gathered and processed periodically in groups
Example: Accumulate all of a day’s sales transactions and process them as a batch at end of day
Often more efficient than other types of systems but does not provide up-to-the-minute information
Online Capabilities
Online systems allow users direct access to data stored in the system
Two types (a company may use both)
  Online transaction processing (OLTP)
    Individual transactions entered from remote locations
    Online real time (Example: Bank balance at ATM)
  Online analytical processing (OLAP)
    Enables user to query a system for analysis
    Example: Data warehouse, decision support systems, expert systems
Database Storage
In traditional IT systems, each computer application maintains separate master files
  Redundant information stored in several files
Database system allows users to access same integrated database file
  Eliminates data redundancy
  Creates need for data administrator for security against improper access
IT Networks
Networks
  Computers linked together through telecommunication links that enable computers to communicate information back and forth
  WAN, LAN
  Internet, intranet, extranet
Electronic commerce
  Involves electronic processing and transmission of data between customer and client
  Electronic Data Interchange (EDI)
End User Computing
User departments are responsible for the development and execution of certain IT applications
Involves a decentralized processing system
  IT department generally not involved
  Controls needed to prevent unauthorized access
Internal Control in IT
Importance of internal control not diminished in computerized environment
  Separation of duties
  Clearly defined responsibilities
  Augmented by controls written into computer programs
Audit Trail Impact
In a traditional manual system, hard-copy documentation available for accounting cycle
In computerized environment, audit trail ordinarily still exists, but often not in printed form
  Can affect audit procedures
  Consulting auditors during design stage of IT-based system helps ultimate auditability
Organization of Information Systems Department Figure 8.1
Responsibilities (1 of 2)
Information systems management
  Supervise the operation of the department and report to vice president of finance
Systems analysis
  Responsible for designing the system
Application programming
  Design flowcharts and write programming code
Database administration
  Responsible for planning and administering the company database
Data Entry
  Prepare and verify input data for processing
Responsibilities (2 of 2)
IT Operations
  Run and monitor central computers
Program and file library
  Protect computer programs, master files and other records from loss, damage and unauthorized use
Data Control
  Reviews and tests all input procedures, monitors processes and reviews IT logs
Telecommunications Specialists
  Responsible for maintaining and enhancing IT networks
Systems Programming
  Responsible for troubleshooting the operating system
Computer-Based Fraud
History shows the person responsible for frauds in many situations set up the system and controlled its modifications
Segregation of duties
  Programming separate from controlling data entry
  Computer operator from custody or detailed knowledge of programs
If segregation not possible need:
  Compensating controls like batch totals
Organizational controls not effective in mitigating collusion
Internal Auditing in IT
Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
Should participate in design of IT-based system
Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning and data group performing duties.
IT Control Activities Figure 8.2
IT Control Activities
General Control Activities
Developing new programs and systems
Changing existing programs and systems
Access to programs and data
IT operations controls
Application Control Activities
Programmed Control Activities
  Input validation checks
    Limit test
    Validity test
    Self-checking number
  Batch controls
    Item count
    Control total
    Hash total
  Processing controls
    Input controls plus file labels
Manual Follow-up Activities
  Exception reports follow-up
User Control Activities
Designed to test the completeness and accuracy of IT-processed transactions
Designed to ensure reliability
  Reconciliation of control totals generated by system to totals developed at input phase
  Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
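The programmed input validation checks and batch controls listed under Application Control Activities, together with the reconciliation of control totals described under User Control Activities, as an added example that is not part of the original slides. The Luhn check digit, the credit limit, the account numbers and all function names are assumptions constructed for illustration; the slides name no specific scheme.

```python
from decimal import Decimal

VALID_CUSTOMERS = {"79927398713", "12345674"}  # constructed customer master file
CREDIT_LIMIT = Decimal("5000.00")              # assumed ceiling for the limit test

def luhn_ok(number: str) -> bool:
    """Self-checking number: Luhn check digit (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(txn: dict) -> list:
    """Return the names of the input validation checks a transaction fails."""
    failures = []
    if not luhn_ok(txn["customer"]):
        failures.append("self-checking number")   # keying or transposition error
    elif txn["customer"] not in VALID_CUSTOMERS:
        failures.append("validity test")          # well-formed but not on file
    if not Decimal("0") < txn["amount"] <= CREDIT_LIMIT:
        failures.append("limit test")
    return failures

def batch_totals(batch: list) -> dict:
    """Item count, control total (amounts) and hash total (account numbers)."""
    return {
        "item_count": len(batch),
        "control_total": sum((t["amount"] for t in batch), Decimal("0")),
        "hash_total": sum(int(t["customer"]) for t in batch),
    }

def reconcile(input_totals: dict, system_totals: dict) -> list:
    """User control: name every total that differs between input and output."""
    return [k for k in input_totals if input_totals[k] != system_totals[k]]

# Constructed sample batch as keyed at the input phase.
BATCH = [
    {"customer": "79927398713", "amount": Decimal("120.50")},
    {"customer": "12345674", "amount": Decimal("980.00")},
    {"customer": "79927398713", "amount": Decimal("45.25")},
]

if __name__ == "__main__":
    print(batch_totals(BATCH))
```

The hash total has no accounting meaning of its own; it exists so that a record posted to the wrong account still breaks reconciliation when the item count and control total agree.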
Control in Decentralized and Single Workstation Systems
Involves use of one or more user operated workstations to process data
Needed controls
  Train users
  Document computer processing procedures
  Backup files stored away from originals
  Authorization controls
  Prohibit use of unauthorized programs
  Use antivirus software
Steps 1 and 2 of audit—Plan audit and Obtain an Understanding
Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the client and its environment
  Documentation of client’s IT-based system depends on complexity of system
    Narrative
    Systems flowchart
    Program flowchart
    Internal control questionnaires
Step 3 of Audit: Assess the Risks of Material Misstatement
Identify risks
Relate the identified risks to what can go wrong at the relevant assertion level
Consider whether the risks are of a magnitude that could result in a material misstatement
Consider the likelihood that the risks could result in a material misstatement
Evaluate effectiveness of related controls in mitigating risks
Test of controls over IT-based systems
Techniques for Testing Application Controls
Auditing Around the Computer--Manually processing selected transactions and comparing results to computer output
Manual Tests of Computer Controls--Inspection of computer control reports and evidence of manual follow-up on exceptions
Auditing Through the Computer--Computer assisted techniques
  Test Data
  Integrated Test Facility
  Controlled Programs
  Program Analysis Techniques
  Tagging and Tracing Transactions
  Generalized audit software – parallel simulation
Using Generalized Audit Software to Perform Substantive Procedures
In general, using client data and generalized audit software
  Examine client’s records for overall quality, completeness and valid conditions
  Rearrange data and perform analyses
  Select audit samples
  Compare data on separate files
  Compare results of audit procedures with client’s records
Typical Inventory Audit Procedures Using Generalized Audit Software Figure 8.6