
Consideration of Internal Control in an IT Environment


jerrod

Presentation Transcript


  1. Consideration of Internal Control in an IT Environment
  Why?
  • Assess Control Risk
  • Plan the Audit (nature, timing & extent of further audit procedures)

  2. Computer-Based Fraud
  History shows that the person responsible for the fraud, in many situations, set up the system and controlled its modifications.
  Segregation of duties:
  • Programming kept separate from control over data entry
  • Computer operator kept separate from custody of, or detailed knowledge of, the programs
  If segregation is not possible:
  • Compensating controls such as batch totals are needed
  • Organizational controls are not effective in mitigating collusion
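The two incompatible pairings the slide names (programming versus control over data entry; operations versus custody of programs) are the kind of rule an access review automates. The following Python block is an added example, not part of the slide deck: the duty names, the users and their assignments are constructed. It flags any single user holding both halves of an incompatible pair, and separately lists which pairs of users would have to act together to defeat the segregation, which is the collusion exposure the slide says organizational controls cannot remove.

```python
# Added example (not from the slides): segregation-of-duties check over role
# assignments. Duty names, users and assignments below are constructed.

# The incompatible pairings from the slide, as a list so iteration order is fixed.
INCOMPATIBLE_DUTIES = [
    frozenset({"programming", "data_entry_control"}),
    frozenset({"computer_operations", "program_custody"}),
]

# Constructed assignments: which duties each user currently holds.
ASSIGNMENTS = {
    "alice": {"programming"},
    "bob": {"data_entry_control", "computer_operations"},
    "carol": {"programming", "data_entry_control"},      # holds both halves of a pair
    "dave": {"computer_operations", "program_custody"},  # holds both halves of a pair
}


def sod_conflicts(assignments):
    """Return (user, duty pair) for every user who alone holds an incompatible pair.
    These are the cases that need a compensating control (e.g. batch totals
    checked by someone else) if the duties cannot be split."""
    conflicts = []
    for user, duties in sorted(assignments.items()):
        for pair in INCOMPATIBLE_DUTIES:
            if pair <= duties:
                conflicts.append((user, tuple(sorted(pair))))
    return conflicts


def collusion_exposure(assignments):
    """Unordered pairs of distinct users who between them hold both halves of an
    incompatible pair. Segregation stops one person acting alone; it does not
    stop these two from colluding, which is why the slide calls organizational
    controls ineffective against collusion."""
    exposures = set()
    for pair in INCOMPATIBLE_DUTIES:
        duty_a, duty_b = sorted(pair)
        holders_a = [u for u, d in assignments.items() if duty_a in d]
        holders_b = [u for u, d in assignments.items() if duty_b in d]
        for u1 in holders_a:
            for u2 in holders_b:
                if u1 != u2:
                    exposures.add(tuple(sorted((u1, u2))))
    return sorted(exposures)


if __name__ == "__main__":
    for user, pair in sod_conflicts(ASSIGNMENTS):
        print("conflict: %s holds %s and %s" % (user, pair[0], pair[1]))
    for u1, u2 in collusion_exposure(ASSIGNMENTS):
        print("collusion exposure: %s + %s" % (u1, u2))
```

In practice the assignment map is exported from the directory or ERP role tables; the conflict list is what the auditor asks management to explain, and the exposure list tells both sides where detective controls (review of changes, batch reconciliation by a third person) have to carry the weight.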

  3. Nature of IT Systems for Accounting
  Smaller organizations: standalone systems for accounting and financial reporting, with some outsourcing (e.g., ADP for payroll):
  • Electronic checkbooks (e.g., Quicken)
  • Basic general ledger system (e.g., QuickBooks)
  Larger organizations: centralized integrated systems encompassing more than accounting:
  • ERP systems (e.g., SAP, Oracle/PeopleSoft)

  4. Processing Locations
  • Internal
    • Centralized Processing
    • Distributed Processing
    • End User Computing
  • External
    • Outside Service Bureau
    • Time Sharing/Block Time
  • Combination
    • Value Added Networks (EDI, E-Commerce)

  5. End User Computing
  • User departments are responsible for the development and execution of certain IT applications
  • Involves a decentralized processing system
  • IT department generally not involved
  • Controls needed to prevent unauthorized access

  6. Processing Methods
  • Batch Processing
  • On-line (Real-Time) (OLRT) Processing

  7. Batch Processing
  • Records are updated for a group or “batch” of transactions at one time, e.g., weekly or monthly.
  • Examples:
    • Payroll
    • Legacy General Ledger

  8. OLRT Processing
  • Records are updated immediately after data input for each individual transaction.
  • Examples:
    • ATM Transactions
    • “Point of Sale” Sales & Inventory Transactions
    • Airline Ticket Sales
    • Many ERP Transactions

  9. On-Line, Real-Time Processing (8-4)
  Diagram elements: Terminal, Communication, Central Processing Unit, Master Files, Transaction. The exchange between user and computer reads:
  User: Enters identification number and/or password
  Computer: Validates that user is authorized to enter this type of transaction.
  User: Enters transaction
  Computer: Validates transaction and sends error/validation message to user.
  User: Corrects transaction if necessary
  Computer: Processes transaction and sends results to user.
  User: Takes any necessary action based on results

  10. IT Internal Controls
  Importance of internal control is not diminished in a computerized environment:
  • Separation of duties still important
  • Clearly defined responsibilities
  • Augmented by controls written into computer programs

  11. Audit Trail Impact
  • In a traditional manual system, hard-copy documentation is available for the accounting cycle.
  • In a computerized environment, the audit trail ordinarily still exists, but often not in printed form, which can affect the nature of tests of controls and substantive audit procedures.

  12. IT Control Activities
  General Control Activities
  • Developing new programs and systems
  • Changing existing programs and systems
  • Access to programs and data
  • Computer operations
  Application Control Activities
  • Programmed application control activities
  • Manual application control activities
  User Control Activities
  • Manual testing of output
  • Reconciliation to input documents

  13. Application Controls
  • Input Controls
    • Ensure that all, but only, valid transactions are accepted for processing.
  • Processing Controls
    • Ensure that all transactions are processed or reported as suspended.
  • Output Controls
    • Ensure that output is complete and sent only to authorized users.

  14. Application Control Activities
  Programmed Control Activities
  • Input validation checks (input authorization, limit test, code validity test)
  • Batch controls (item count, control totals, hash totals, i.e. totals of a field whose sum has no meaning in itself)
  • Processing controls (input controls plus file labels)
  Manual Follow-up Activities
  • Exception report follow-up

  15. User Control Activities
  • Designed to test the completeness and accuracy of IT-processed transactions
  • Designed to ensure reliability
  • Reconciliation of control totals generated by the system to totals developed at the input phase
  • Example: system-generated totals for sales invoices are reconciled by the accounting clerk to the input control totals.

  16. Output Controls - Examples
  • Control Totals - Comparison by Control Group or User Department
  • Scanning Output
  • Testing Output to Source Documents
  • Output to Only Authorized Users

  17. Programmed vs Manual Application Controls
  • Programmed - Various edit checks to test for validity, completeness, accuracy and reasonableness, embedded in the application software.
  • Manual - Library (file loading), in-process approvals, and error reporting AND correction.

  18. Techniques for Testing Application Controls
  • Auditing Around or Without the Computer
    • Manually processing selected transactions and comparing results to computer output
    • Relying on exception reports/error listings
    • Possibly includes review of source code
  • Auditing Through or With the Computer
    • Testing existence of programmed controls
    • Testing to ensure we know the programs which are actually used for processing transactions

  19. Testing Existence of Programmed Controls
  • Test Decks/Test Data - Use fictitious data to test whether controls are working at one or more points in time.
  • Integrated Test Facility - Use fictitious data for a fictitious division or product line to test whether controls are working continuously.
  • Tracing - Obtain a listing of the program instructions which were actually executed.
  • Tagging - Selected transactions are marked or tagged so that additional details are provided, allowing the processing controls performed on them to be seen.
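Slides 13 through 16 describe the programmed edit checks, the batch controls and the user's reconciliation of system totals back to input totals, and slide 19 describes running fictitious data through those controls as a test deck. The Python block below is an added example, not code from the slide deck: the account codes, authorized users, invoice limit and the five invoice records are all constructed. The deck deliberately contains one record for each edit check that should fail, so the expected outcome of each record is known in advance, which is what makes it a test deck rather than just sample data. The same batch, with one record dropped and one amount altered after the control group took its totals, shows the batch-level control refusing the whole batch.

```python
# Added example (not from the slides): programmed edit checks, batch controls
# and the user-side reconciliation of system totals to input control totals.
# Reference data, limits and invoice records below are constructed.
from dataclasses import dataclass, field

VALID_ACCOUNT_CODES = {"4000", "4100", "4200"}   # code validity test
AUTHORIZED_ENTRY_USERS = {"clerk01", "clerk02"}  # input authorization
INVOICE_LIMIT = 10_000.00                        # limit test


@dataclass
class Invoice:
    invoice_no: int
    customer_id: int      # summed for the hash total; the sum itself has no meaning
    account_code: str
    amount: float
    entered_by: str


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)   # invoices posted
    suspended: list = field(default_factory=list)  # (invoice, reason) for the exception report
    batch_rejected: str = ""                       # non-empty if the whole batch was refused


def validate(inv):
    """Programmed input validation checks; returns the failing checks (empty = passes)."""
    reasons = []
    if inv.entered_by not in AUTHORIZED_ENTRY_USERS:
        reasons.append("input authorization: %s may not enter invoices" % inv.entered_by)
    if inv.account_code not in VALID_ACCOUNT_CODES:
        reasons.append("code validity: unknown account code %s" % inv.account_code)
    if inv.amount <= 0:
        reasons.append("reasonableness: amount must be positive")
    elif inv.amount > INVOICE_LIMIT:
        reasons.append("limit test: amount exceeds %.2f" % INVOICE_LIMIT)
    return reasons


def batch_totals(invoices):
    """Item count, control total (sum of amounts) and hash total (sum of customer ids)."""
    return {
        "item_count": len(invoices),
        "control_total": round(sum(i.amount for i in invoices), 2),
        "hash_total": sum(i.customer_id for i in invoices),
    }


def process_batch(invoices, input_totals):
    """Batch control first, then record-level edit checks. input_totals are the totals
    the control group took from the source documents before data entry."""
    result = BatchResult()
    received = batch_totals(invoices)
    if received != input_totals:
        # Something was lost, duplicated or altered between input and the system: post nothing.
        result.batch_rejected = "batch totals do not reconcile: received %s, input %s" % (received, input_totals)
        return result
    for inv in invoices:
        reasons = validate(inv)
        if reasons:
            result.suspended.append((inv, "; ".join(reasons)))  # reported as suspended, not lost
        else:
            result.accepted.append(inv)
    return result


def reconcile_output(result, input_totals):
    """User control activity: system totals for accepted plus suspended items must
    account for every item and every dollar in the input control totals."""
    posted = batch_totals(result.accepted)
    held = batch_totals([inv for inv, _ in result.suspended])
    return (posted["item_count"] + held["item_count"] == input_totals["item_count"]
            and round(posted["control_total"] + held["control_total"], 2) == input_totals["control_total"]
            and posted["hash_total"] + held["hash_total"] == input_totals["hash_total"])


# Constructed test deck: two clean invoices and one record per edit check that should fail.
TEST_DECK = [
    Invoice(1, 101, "4000", 250.00, "clerk01"),
    Invoice(2, 102, "9999", 80.00, "clerk01"),      # invalid account code
    Invoice(3, 103, "4100", 12_500.00, "clerk02"),  # over the limit
    Invoice(4, 104, "4200", 60.50, "intern"),       # not authorized to enter invoices
    Invoice(5, 105, "4000", 400.00, "clerk02"),
]


def run_test_deck():
    """Totals taken at input, batch processed, output reconciled; then the same batch
    tampered with after the totals were taken. Returns the figures an auditor inspects."""
    input_totals = batch_totals(TEST_DECK)
    result = process_batch(TEST_DECK, input_totals)
    tampered = [TEST_DECK[0], Invoice(2, 102, "9999", 90.00, "clerk01")] + TEST_DECK[2:4]
    tampered_result = process_batch(tampered, input_totals)
    return {
        "input_totals": input_totals,
        "accepted": [i.invoice_no for i in result.accepted],
        "suspended": [(i.invoice_no, why) for i, why in result.suspended],
        "reconciles": reconcile_output(result, input_totals),
        "tampered_batch_rejected": bool(tampered_result.batch_rejected),
    }


if __name__ == "__main__":
    for key, value in run_test_deck().items():
        print(key, "->", value)
```

The suspended list is the exception report that slide 14's manual follow-up activity works from; the point of the reconciliation function is that a record which fails an edit check is still counted, so the user can tell "rejected and waiting for correction" apart from "silently dropped".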

  20. Testing Application Program Authenticity
  • Parallel Simulation - Uses an auditor-controlled copy of the application program to re-process “live” data or transactions and compare the results with the production run.
  • Program Comparison - The auditor compares an auditor-controlled copy of the application program with the one the client is actually using, on a surprise basis.
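Both techniques on this slide come down to a comparison: of the program itself, or of its results. The Python block below is an added example and not from the slide deck; the program text, the pay rule, the timecards and the production output are all constructed. Program comparison is done by hashing the auditor-controlled copy and the copy found in production, so that any changed byte shows up; parallel simulation re-processes the live timecards with the auditor's own implementation of the documented pay rule and reports every employee whose production figure differs.

```python
# Added example (not from the slides): program comparison by digest, and parallel
# simulation of a constructed payroll rule over constructed live data.
import hashlib
import hmac

# Program comparison inputs (constructed): the copy the auditor reviewed and controls,
# the copy found in production, and a copy that has been quietly altered.
AUDITOR_COPY = b"def gross_pay(hours, rate):\n    return hours * rate\n"
PRODUCTION_COPY = b"def gross_pay(hours, rate):\n    return hours * rate\n"
ALTERED_COPY = b"def gross_pay(hours, rate):\n    return hours * rate + 5\n"


def fingerprint(program_bytes):
    """SHA-256 of the program as stored; a single changed byte changes the digest."""
    return hashlib.sha256(program_bytes).hexdigest()


def programs_match(auditor_copy, production_copy):
    """Program comparison: True only if production is byte-for-byte the reviewed copy."""
    return hmac.compare_digest(fingerprint(auditor_copy), fingerprint(production_copy))


def reference_gross_pay(hours, rate):
    """The auditor's own implementation of the client's documented pay rule
    (constructed rule: straight time up to 40 hours, time-and-a-half above 40)."""
    regular = min(hours, 40)
    overtime = max(hours - 40, 0)
    return round(regular * rate + overtime * rate * 1.5, 2)


# Constructed "live" timecards (employee, hours, hourly rate) and the production run's
# output for the same period; E002's figure was computed without the overtime premium.
LIVE_TIMECARDS = [("E001", 40, 20.0), ("E002", 45, 20.0), ("E003", 38, 30.0)]
PRODUCTION_OUTPUT = {"E001": 800.0, "E002": 900.0, "E003": 1140.0}


def parallel_simulation(timecards, production_output):
    """Re-process the live data with the reference routine and list every employee
    whose production figure differs from the auditor's figure."""
    differences = []
    for emp, hours, rate in timecards:
        expected = reference_gross_pay(hours, rate)
        actual = production_output.get(emp)
        if actual != expected:
            differences.append((emp, expected, actual))
    return differences


if __name__ == "__main__":
    print("production copy matches reviewed copy:", programs_match(AUDITOR_COPY, PRODUCTION_COPY))
    print("altered copy matches reviewed copy:", programs_match(AUDITOR_COPY, ALTERED_COPY))
    for emp, expected, actual in parallel_simulation(LIVE_TIMECARDS, PRODUCTION_OUTPUT):
        print("%s: auditor %.2f vs production %s" % (emp, expected, actual))
```

The reference routine is deliberately simpler than a real payroll program: parallel simulation only has to re-perform the computations the auditor relies on, not reproduce the whole application. The digest comparison is only as good as its timing, which is why the slide says the program comparison is done on a surprise basis.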

  21. Client Use of an Outside Service Organization
  Example: ADP for payroll processing
  • Usually some input and output controls are performed by the client.
  • But most general and application controls are performed at the service organization.
  • Therefore, we usually need assistance from the service organization’s external auditors to assess control risk (CR) below maximum, or even to gain a sufficient understanding.

  22. Service Auditor’s Reports
  • Suitability of the Design of Controls (type 1): only allows “user auditors” to document their understanding of internal controls, not to reduce control risk.
  • Suitability of the Design AND Effectiveness of Controls (type 2): allows “user auditors” to document their understanding of internal controls and to reduce control risk.

  23. User Auditor’s Responsibilities
  • Confirm with the service auditor that user entity management responded to the question as to whether the entity did or did not report any fraud or noncompliance with laws & regulations, or had any uncorrected misstatements.
  • Assess the adequacy of the standards used by the service auditor [generally SSAE 16 (AT)].

  24. Processing on a PC
  • Generally, there is little or no segregation of duties, since the programmer, operator and user are considered the same person, and the operator can possibly modify the program or destroy error detection output.
  • Therefore, we usually cannot reduce control risk without compensating manual controls.

  25. EDP/IT Impact on the Audit
  • Audit objectives are the same.
  • Techniques to test controls, and even transactions or balances, may be different.
  • Some of the audit trail may only be in electronic or machine-readable form (esp. EDI, E-Commerce, but more now than ever before).
  • Some of the audit trail may only be available for a short period of time.
  • Harder to detect data alterations.

  26. Generalized Audit Software
  General characteristic: can be used at a variety of clients
  Can be used to:
  • Perform analytical procedures
  • Test computations
  • Compare data in separate files
  • Sort & analyze details of individual accounts
  • Select & analyze samples
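Three of the tasks listed on this slide, comparing data in separate files, sorting and analyzing details by account, and selecting a sample, are shown in the Python block below. It is an added example, not part of the slide deck or any audit software product; the two CSV files (a payroll register and an HR master file) are constructed and embedded as text so the block runs offline. The file comparison lists payees who are missing from the HR master and payees who are present but not active; both are exceptions for follow-up, which is the same idea as the exception reports earlier in the deck.

```python
# Added example (not from the slides): generalized-audit-software style tasks
# over two constructed files: compare files, summarize by department, select a sample.
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed client files as CSV text: the payroll register and the HR master file.
PAYROLL_REGISTER = """emp_id,name,dept,net_pay
E001,A. Adams,Sales,2100.00
E002,B. Bell,Sales,1950.00
E003,C. Cruz,Ops,2300.00
E004,D. Diaz,Ops,1800.00
E009,Z. Zed,Ops,2300.00
"""
HR_MASTER = """emp_id,name,status
E001,A. Adams,active
E002,B. Bell,active
E003,C. Cruz,active
E004,D. Diaz,terminated
"""


def load_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def compare_files(payroll, hr_master):
    """Compare data in separate files: payees not in the HR master, and payees
    present in it but not active. Exceptions to follow up, not conclusions."""
    status = {row["emp_id"]: row["status"] for row in hr_master}
    not_in_master = [r["emp_id"] for r in payroll if r["emp_id"] not in status]
    not_active = [r["emp_id"] for r in payroll
                  if r["emp_id"] in status and status[r["emp_id"]] != "active"]
    return {"not_in_master": not_in_master, "not_active": not_active}


def totals_by_dept(payroll):
    """Sort & analyze details: net pay by department, in Decimal so cents add exactly."""
    totals = defaultdict(Decimal)
    for row in payroll:
        totals[row["dept"]] += Decimal(row["net_pay"])
    return dict(sorted(totals.items()))


def select_sample(payroll, size, seed):
    """Select a sample of payees; the fixed seed makes the selection reproducible
    from the workpapers, so a reviewer can regenerate exactly the same sample."""
    ids = [row["emp_id"] for row in payroll]
    return sorted(random.Random(seed).sample(ids, size))


if __name__ == "__main__":
    payroll, hr = load_csv(PAYROLL_REGISTER), load_csv(HR_MASTER)
    print(compare_files(payroll, hr))
    print(totals_by_dept(payroll))
    print(select_sample(payroll, 2, seed=2024))
```

With real files the only change is reading them from disk instead of from the embedded strings; the comparison key (here the employee id) and the field being totalled are the parameters an auditor adjusts per engagement.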

  27. Auditing With Computers (CAATs)
  (Diagram of audit phases and the computer tools applied to each; the labels read, in order:)
  • Engagement Planning
  • Analytical Procedures
  • Client & Industry Research
  • Understand/Consider ICS
  • Word Processing
  • Flowcharting
  • ICQ Forms
  • Testing Controls
  • Developing A/Ps
  • Audit Program Generator
  • CAATs = Computer Assisted Substantive Testing
  • Sampling
  • Data Retrieval (Sample or Specific Criteria)
  • Spreadsheets (Depr., Interest, Inventory)
  • Electronic W/Ps
  • Deferred Taxes Computation
  • Reporting
  • Engagement Admin
  • AICPA Engagement Mgr
  • Audit Techniques
