
The Auditor's Consideration of the IT System

Per the old PSA 401, an IT environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.

Skills and Competence

The auditor should obtain an understanding of how the entity has responded to risks arising from IT (PSA 315 par. 93).
The auditor should consider whether specialized IT skills are needed in an audit. PSA 620, Using the Work of an Expert, provides additional guidance.
The overall objective and scope of an audit do not change in an IT environment. The procedures,

COSO (Control Activities)



Physical Controls

Transaction authorization
  Examples:
    Sales only to authorized customers
    Sales only if within the available credit limit

Segregation of duties
  Examples of incompatible duties:
    Authorization vs. processing [e.g., sales vs. authorizing customers]
    Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
    Fraud requires collusion [e.g., separate the various steps in a process]

Supervision
  Serves as a compensating control when a lack of segregation of duties exists by necessity

Physical Controls

Accounting records (audit trails; examples)

Access controls
  Direct (the assets)
  Indirect (documents that control the assets)
  Fraud
  Disaster recovery

Independent verification
  Management can assess:
    The performance of individuals
    The integrity of the AIS
    The integrity of the data in the records

IT General Controls

These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of the information system. These include controls over:
  IT governance
  IT infrastructure
  Security and access to operating systems and databases
  Application acquisition and development

Application Controls

These are procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure the validity, completeness, and accuracy of financial transactions.

Internal Control Study and Evaluation Process

1. Obtain an understanding
2. Make a preliminary assessment of the risk of material misstatement
3. Determine the procedures to perform in response to assessed risk
4. Revise the preliminary risk assessment as necessary
5. Finalize the audit strategy, audit plan and audit program

Step one: Obtain an Understanding

Design
  IT General Controls
  Application Controls
Operation (if implemented)

Significance relates to the materiality of the FS assertions affected by the computer processing.
  Significant areas (fraud)
  Complexity
    Voluminous data
    Auto-generated transactions
    Complex systems

Step two: Make a Preliminary Assessment of the Risk of Material Misstatement

Consider whether the IT controls give the entity:
  Consistency in application
  Accuracy of financial data
  Timeliness of information
  Analysis of information
  Monitoring of performance

Identify and assess risks of material misstatement at the FS level and at the assertion level.

Step two: Make a Preliminary Assessment of the Risk of Material Misstatement

Evaluate the design and determine the implementation of controls over risks for which, in the auditor's judgment, substantive procedures alone do not provide sufficient appropriate audit evidence.

Summary of Responses to the Preliminary Risk Assessment

If the preliminary control risk assessment is:
  High = no test of controls; proceed to Step 5 (Finalize the audit strategy, audit plan and audit program)
  Less than high = perform tests of controls to determine whether the PRA is appropriate

PAPS 1008 Risk Considerations

Dependence of other controls over computer processing
Uniform processing of transactions
Segregation of duties is lacking
Transaction trail being foregone
Management supervision
Initiation or execution of transactions
CAATs testing
Errors and irregularities

Step three: Determine the procedures to perform in response to assessed risk

External to the CPU = observable
  Inspection of documents (with trail)
  Inquiries + observation (if there is no audit trail)

Internal to the CPU = not observable
  CAATs

Common Types of CAATs Approaches

Test data method
  Client software is provided to the auditor
  Auditor test data
  Includes valid and invalid transactions

Integrated test facility
  Live operations
  Auditor test data (mixed with actual data)

Parallel simulation
  Auditor-written program that simulates features
  Actual data used

Common test procedures

Authenticity tests
Accuracy tests
Completeness tests
Redundancy tests
Access tests
Audit trail tests
Rounding error tests
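A worked illustration of parallel simulation combined with an accuracy test and a rounding-error test, added here as an example and not part of the original slides: the auditor's own program recomputes monthly interest from the client's actual data and compares it with the figures the client application produced. The interest formula, the half-up rounding policy, the record layout and the sample records are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import NamedTuple

CENT = Decimal("0.01")


class AccountRecord(NamedTuple):
    account: str
    balance: Decimal          # opening balance for the month
    annual_rate: Decimal      # contractual annual interest rate
    client_interest: Decimal  # interest as computed by the client's application


def simulate_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Auditor's re-computation of one month of simple interest, rounded to the cent.
    Monthly simple interest and half-up rounding are assumed to be the documented policy."""
    return (balance * annual_rate / Decimal(12)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records):
    """Run the auditor-written program over the client's actual data and compare outputs.
    Returns (mismatches, rounding_residue, rounding_count):
      mismatches        every record whose client figure differs from the simulation
      rounding_residue  net amount by which the client's figures fall short across the
                        one-cent differences (what a rounding-error test examines)
      rounding_count    number of records showing such a one-cent difference"""
    mismatches = []
    rounding_residue = Decimal("0.00")
    rounding_count = 0
    for r in records:
        expected = simulate_interest(r.balance, r.annual_rate)
        diff = expected - r.client_interest
        if diff == 0:
            continue
        if abs(diff) <= CENT:  # rounding-level difference: accumulate for the rounding test
            rounding_residue += diff
            rounding_count += 1
        mismatches.append((r.account, expected, r.client_interest, diff))
    return mismatches, rounding_residue, rounding_count


# Constructed sample of the client's interest file (not real client data).
SAMPLE_RECORDS = [
    AccountRecord("A-1001", Decimal("1250.00"), Decimal("0.036"), Decimal("3.75")),
    AccountRecord("A-1002", Decimal("987.65"), Decimal("0.036"), Decimal("2.96")),
    AccountRecord("A-1003", Decimal("4321.10"), Decimal("0.042"), Decimal("15.12")),
    AccountRecord("A-1004", Decimal("333.33"), Decimal("0.042"), Decimal("1.16")),    # simulation gives 1.17
    AccountRecord("A-1005", Decimal("5000.00"), Decimal("0.036"), Decimal("14.00")),  # simulation gives 15.00
    AccountRecord("A-1006", Decimal("2222.22"), Decimal("0.036"), Decimal("6.66")),   # simulation gives 6.67
]

if __name__ == "__main__":
    mismatches, residue, count = parallel_simulation(SAMPLE_RECORDS)
    for account, expected, reported, diff in mismatches:
        print(f"{account}: simulated {expected}, reported {reported}, difference {diff}")
    print(f"one-cent shortfalls: {count}, net rounding residue: {residue}")
```

A large single difference (A-1005) is an accuracy exception to follow up individually, while a run of one-cent shortfalls that always favour the same side is what the rounding-error test is designed to surface.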

Documentation

Tests of controls may include:
  Inspection of documents
  Inquiries + observation (if there is no audit trail)
  Reperformance of internal controls

Common documentation techniques include:
  Narrative descriptions
  Questionnaires
  Checklists
  Flowcharts

Step four: Revise the PRA, as necessary

Situation 1:
  PRA = less than high
  TOC confirm that the controls are working effectively
  No revision of the PRA

Situation 2:
  PRA = less than high
  TOC reveal that the controls are not working effectively
  Revise the risk assessment from less than high to high.

Step five: Finalize the audit strategy, audit plan and audit program

Factors to consider in using CAATs:
  Degree of technical competence in IT
  Availability of CAATs and appropriate computer facilities
  Impracticability of manual tests
  Effectiveness and efficiency
  Timing of tests

What is the Focus of IT Audit?

Audit of IT Environment (Audit of IT General Controls)
  Audit of IT Governance Controls
  Audit of Operating Systems and Networks
  Audit of Database Systems
  Audit of the System Development and Program Change Activities
Audit of the Information Processing (Audit of Application Controls)

Focus of IT Audit: ITGC

ITGCs do not directly prevent or detect material misstatements in the FS, but the proper and consistent operation of automated application controls usually depends on effective ITGCs.
ITGCs do not generally provide direct evidence in respect of a specific assertion for an FSLI. Rather, they generally contribute indirectly by supporting the reliability of

Documenting ITGCs

When ITGCs are evaluated in an audit, document a clear link between those ITGCs and:
  Key automated application controls and interfaces
  Key automated accounting procedures
  System-generated data and reports used in key manual controls or in the generation of manual journal entries

Corporate Governance

Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
It helps ensure organizations operate within certain regulatory and ethical standards, manage resources optimally, and mitigate business risks.
It is focused primarily on leadership, management, ethics and reporting.

IT Governance Defined

Per the International Professional Practices Framework (IPPF), IT governance consists of leadership, organizational structures, and processes that ensure that the enterprise's IT supports the organization's strategies and objectives.
Proper alignment between IT and the entity means:
  The entity understands the potential and limitations of IT
  The IT function understands the objectives and needs of the organization
  This understanding is applied and monitored

Importance of IT Governance

While IT supports the financial and human capital governance areas, it plays a much more significant role with respect to organizational information.
The information and technological components of an organization are among its important assets.
A lack of appropriate governance over information stored, processed, or produced by IT systems can have a significant negative impact on an organization, ranging from fines and penalties to damaged reputation that can take time, energy and money to rebuild.

Importance of IT Governance

In many organizations, there is a disconnect between senior management and IT due to the view that IT solely exists to deliver day-to-day services.
Research shows that proper alignment of organizational objectives and IT results in as much as 20% higher ROI.
Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures that alternatives are evaluated, execution is appropriately directed, and performance is monitored, and these same concepts apply to IT governance.

IT Governance Roles, Standards and Frameworks

IT Governance Objectives

IT Resource Management
  Deals with monitoring the inventory and effective use of IT resources.

Performance Measurement
  Focuses on measuring the performance of IT resources and helps gauge whether the resources are adding the expected level of value to the business. This process also helps to identify and mitigate risks.

Compliance Management
  Institutionalizing legal and regulatory compliance processes.

IT Governance Components

1. Executive Leadership and Support Issues
2. Strategic and Operational Planning Issues
3. Service Delivery and Measurement Issues
4. IT Organization and Risk Management
5. Organization and Governance Structures Issues
   Organization Operating Model (CDP vs DDP)
   Computer Controls Center
   Disaster Recovery Planning / Business Continuity Management
   Outsourcing IT Services
   Governance Accountability
   Operations vs Projects

a. Organization Operating Model (CDP vs DDP)

Centralized vs Distributed

Centralized:
  Data processing is performed by one or more large computers housed at a central site that provides services throughout the organization.
  IT services activities are consolidated and managed as a shared organization resource.
  End users compete for these resources on the basis of need.
  DBA

Distributed:
  Small IT units.
  IT services activities are distributed locally.
  Placed under the control of the users.

Control Objectives: CDP

Segregation of incompatible IT functions
  Segregate transaction authorization from transaction processing
  Segregate record keeping from asset custody
  Divide transaction processing steps among individuals to force collusion to perpetrate fraud

Control Objectives: CDP

Segregation of incompatible IT functions
  Separating systems development from computer operations [see Figure 2-2]

Control Objectives: CDP

Segregation of incompatible IT functions
  Separating DBA from other functions
  DBA is responsible for several critical tasks:
    Database security
    Creating database schema and user views
    Assigning database access authority to users
    Monitoring database usage

Control Objectives: CDP

Segregation of incompatible IT functions in systems development
  Alternative 1: segregate systems analysis from programming [see Figure 2-3]
  Two types of control problems from this approach:
    Inadequate documentation
      Is a chronic problem. Why?
        Not interesting
        Lack of documentation provides job security
      Assistance: use of CASE tools
    Potential for fraud
      Example: salami slicing, trap doors

Control Objectives: CDP

Segregation of incompatible IT functions
  Alternative 2: segregate systems development from maintenance [see Figure 2-2]
  Two types of improvements from this approach:
    Better documentation standards
      Necessary for transfer of responsibility
    Deters fraud
      Possibility of being discovered

Control Objectives: CDP

Segregation of incompatible IT functions
  Segregate data library from operations
    Physical security of off-line data files
    Implications of modern systems on use of the data library:
      Real-time/online vs. batch processing
      Volume of tape files is insufficient to justify a full-time librarian
        Alternative: rotate on an ad hoc basis
      Custody of on-site data backups
      Custody of original commercial software and licenses

Audit Objectives: CDP

Audit objectives
  Risk assessment
  Verify incompatible areas are properly segregated
    How would an auditor accomplish this objective?
  Verify formal vs. informal relationships exist between incompatible tasks
    Why does it matter?

Auditing Procedures: CDP

Segregation of incompatible IT functions
Audit procedures:
  Obtain and review the security policy
  Verify the policy is communicated
  Review relevant documentation (org. chart, mission statement, key job descriptions)
  Review systems documentation and maintenance records (using a sample)
  Verify whether maintenance programmers are also original design programmers
  Observe segregation policies in practice
  Review operations room access log
  Review user rights and privileges
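Two of the procedures above, reviewing user rights and privileges and checking whether maintenance programmers are also original design programmers, can be run mechanically over extracted entitlement and maintenance records. The example below is added here and is not from the original slides; the role labels, the incompatible pairs (drawn from the CDP control objectives) and the sample users and programs are constructed assumptions.

```python
from itertools import combinations

# Incompatible IT functions drawn from the CDP control objectives; the role labels
# are constructed and must be mapped onto the entity's actual entitlement data.
INCOMPATIBLE_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_analysis", "programming"}),
    frozenset({"systems_development", "program_maintenance"}),
    frozenset({"data_library", "computer_operations"}),
    frozenset({"database_administration", "programming"}),
    frozenset({"database_administration", "computer_operations"}),
}


def sod_violations(user_roles, incompatible=INCOMPATIBLE_PAIRS):
    """Review user rights and privileges: report every user who holds two roles that the
    segregation policy treats as incompatible. user_roles maps user id -> set of role labels.
    Returns a sorted list of (user, role_a, role_b) tuples."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in incompatible:
                findings.append((user, role_a, role_b))
    return findings


def maintenance_by_designer(program_records):
    """Review maintenance records: list programs whose maintenance programmer is also one
    of the original design programmers. program_records maps program -> (designers, maintainers).
    Returns a sorted list of (program, [overlapping programmers])."""
    return sorted(
        (program, sorted(designers & maintainers))
        for program, (designers, maintainers) in program_records.items()
        if designers & maintainers
    )


# Constructed sample extracts (not from any real entity).
SAMPLE_USER_ROLES = {
    "alice": {"systems_analysis", "programming"},               # analyst who also codes
    "bob": {"computer_operations"},
    "carol": {"database_administration", "computer_operations"},
    "dave": {"systems_development", "program_maintenance"},     # develops and maintains
    "erin": {"data_library", "computer_operations"},
}
SAMPLE_PROGRAMS = {
    "AR-POST": ({"alice", "dave"}, {"dave"}),   # dave designed and now maintains it
    "GL-CLOSE": ({"alice"}, {"frank"}),         # properly segregated
}

if __name__ == "__main__":
    for user, role_a, role_b in sod_violations(SAMPLE_USER_ROLES):
        print(f"{user}: holds incompatible roles {role_a} and {role_b}")
    for program, people in maintenance_by_designer(SAMPLE_PROGRAMS):
        print(f"{program}: maintained by original designer(s) {', '.join(people)}")
```

Each finding is a starting point for inquiry and observation, not a conclusion: a flagged combination may be an accepted exception covered by supervision as a compensating control.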

The Distributed Model

Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.
Two alternatives shown in [Figure 2-4]:
  Alternative A: centralized
  Alternative B: decentralized / network

Risks Associated with DDP

Inefficient use of resources
  Mismanagement of resources by end users
  Redundant tasks
  Hardware and software incompatibility
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Increased potential for errors
  Programming errors and system failures
Lack of standards

Advantages of DDP

Cost reduction
  Development and maintenance costs reduced
  End user data entry vs. data control group
  Application complexity reduced
Improved cost control responsibility
  If IT is critical to success, then managers must control the technologies
Improved user satisfaction
  Increased morale and productivity
Backup flexibility
  Excess capacity for DRP

Controlling the DDP Environment

Need for careful analysis
Implement a corporate IT function
  Central systems development
  Acquisition, testing, and implementation of commercial software and hardware
  User services
    Help desk: technical support, FAQs, chat room, etc.
  Standard-setting body
  Personnel review
    IT staff

Audit Objectives: DDP Environment

Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:
  In accordance with the level of potential risk
  And in a manner that promotes a working environment
Verify that formal relationships exist between incompatible tasks

Audit Objectives: DDP Environment

Review the corporate policy on computer security
  Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible functions
Review systems documentation and maintenance records
  Verify that maintenance programmers are not also design programmers

b. The Computer Controls Center

The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment.
Potential exposures can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls.

b. The Computer Controls Center

Physical location
  Avoid human-made and natural hazards
  Example: Chicago Board of Trade
Construction
  Ideally: single-story, underground utilities, windowless, use of filters
  If multi-storied building, use the top floor (away from traffic flows and potential flooding in a basement)
Access
  Physical: locked doors, cameras
  Manual: access log of visitors

b. The Computer Controls Center

Air conditioning
  Especially mainframes
  Amount of heat even from a group of PCs
Fire suppression
  Automatic: usually sprinklers
    Gas, such as halon, that smothers fire by removing oxygen can also kill anybody trapped there
    Sprinklers and certain chemicals can destroy the computers and equipment
  Manual methods
Power supply
  Need for clean power, at an acceptable level
  Uninterruptible power supply

Audit Objectives: The Computer Center

Physical security IC protects the computer center from physical exposures
Insurance coverage compensates the organization for damage to the computer center
Operator documentation addresses routine operations as well as system failures

Considerations: The Computer Center Controls

Man-made threats and natural hazards
Underground utility and communications lines
Air conditioning and air filtration systems
Access limited to operators and computer center workers; others required to sign in and out
Fire suppression systems installed
Fault tolerance
  Redundant disks and other system components

Audit Procedures: The Computer Center

Review insurance coverage on hardware, software, and physical facility
Review operator documentation and run manuals for completeness and accuracy
Verify that operational details of a system's internal logic are not in the operators' documentation

c. Disaster Recovery Planning

Disaster recovery plans (DRP) identify:
  Actions before, during, and after the disaster
  Disaster recovery team
  Priorities for restoring critical applications
Audit objective: verify that the DRP is adequate and feasible for dealing with disasters

Disaster Recovery Planning

Major IC concerns:
  Second-site backups
  Critical applications and databases, including supplies and documentation
  Back-up and off-site storage procedures
  Disaster recovery team
  Testing the DRP regularly

DRP Audit Procedures

Evaluate adequacy of second-site backup arrangements
Review list of critical applications for completeness and currency
Verify that procedures are in place for storing off-site copies of applications and data
Check currency of back-ups and copies
Verify that documentation, supplies, etc., are stored off-site
Verify that the disaster recovery team knows its responsibilities
Check frequency of testing the DRP

d. Benefits of IT Outsourcing (new)

Improved core business processes
Improved IT performance
Reduced IT costs

Risks of IT Outsourcing

Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage


Audit Implications of IT Outsourcing

Management retains SOX responsibilities
SAS No. 70 report or audit of vendor will be required

IT Governance Control Points


Documentation

Particulars / Attachment:
  COBIT Control Objectives
  IT Governance Engagement Planning Checklist
  IT Governance Charter
  COBIT Case Study
  COBIT Documentation Questionnaire
  COBIT Controls Documentation Template
