
Chapter 08

Consideration of Internal Control in an Information Technology Environment

Copyright 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.


Nature of IT Based Systems


Many systems have developed away from centralized systems with one mainframe computer using user-developed software to a combination of smaller computers using commercially available software

Less expensive software
  Electronic checkbooks (e.g., Quicken)
Moderate system
  Basic general ledger system (e.g., QuickBooks)
Expensive
  ERP systems (e.g., SAP)


Nature of IT Systems

Usually consists of:
Hardware
  Digital computer and peripheral equipment
Software
  Various programs and routines for operating the system


Computer Hardware

[Diagram labels]
Input/Output Devices: Card Readers, Terminals, Electronic Cash Registers, Optical Scanners, Magnetic Tape Drives, Magnetic Disk Drives, Optical Compact Disks
Central Processing Unit: Arithmetic Unit, Control Unit
Auxiliary Storage: Magnetic Disks, Magnetic Drums, Magnetic Tapes, Optical Compact Disks


Software

Two types:
Systems software
  Programs that control and coordinate hardware components and provide support to application software
  Operating system (Examples: Unix, Windows)
Application software
  Programs designed to perform a specific data processing task
  Written in programming language (Example: Java)


System Characteristics

Regardless of size, a system possesses one or more of the following elements:
Batch processing
On-line capabilities
Database storage
IT networks
End user computing


Batch Processing

Input data gathered and processed periodically in groups
Example: Accumulate all of a day's sales transactions and process them as a batch at end of day
Often more efficient than other types of systems but does not provide up-to-the-minute information


Online Capabilities

Online systems allow users direct access to data stored in the system
Two types (a company may use both)
Online transaction processing (OLTP)
  Individual transactions entered from remote locations
  Online real time (Example: Bank balance at ATM)
Online analytical processing (OLAP)
  Enables user to query a system for analysis
  Example: Data warehouse, decision support systems, expert systems



Database Storage

In traditional IT systems, each computer application maintains separate master files
  Redundant information stored in several files
Database system allows users to access same integrated database file
  Eliminates data redundancy
  Creates need for data administrator for security against improper access


IT Networks

Networks
  Computers linked together through telecommunication links that enable computers to communicate information back and forth
  WAN, LAN
  Internet, intranet, extranet
Electronic commerce
  Involves electronic processing and transmission of data between customer and client
  Electronic Data Interchange (EDI)


End User Computing

User departments are responsible for the development and execution of certain IT applications
Involves a decentralized processing system
IT department generally not involved
Controls needed to prevent unauthorized access


Internal Control in IT

Importance of internal control not diminished in computerized environment
  Separation of duties
  Clearly defined responsibilities
  Augmented by controls written into computer programs


Audit Trail Impact

In a traditional manual system, hard-copy documentation available for accounting cycle
In computerized environment, audit trail ordinarily still exists, but often not in printed form
  Can affect audit procedures
  Consulting auditors during design stage of IT-based system helps ultimate auditability


Organization of Information Systems Department (Figure 8.1)


Responsibilities (1 of 2)

Information systems management
  Supervise the operation of the department and report to vice president of finance
Systems analysis
  Responsible for designing the system
Application programming
  Design flowcharts and write programming code
Database administration
  Responsible for planning and administering the company database
Data entry
  Prepare and verify input data for processing


Responsibilities (2 of 2)

IT operations
  Run and monitor central computers
Program and file library
  Protect computer programs, master files and other records from loss, damage and unauthorized use
Data control
  Reviews and tests all input procedures, monitors processes and reviews IT logs
Telecommunications specialists
  Responsible for maintaining and enhancing IT networks
Systems programming
  Responsible for troubleshooting the operating system


Computer-Based Fraud

History shows the person responsible for frauds in many situations set up the system and controlled its modifications
Segregation of duties
  Programming separate from controlling data entry
  Computer operator from custody or detailed knowledge of programs
If segregation not possible, need:
  Compensating controls like batch totals
Organizational controls not effective in mitigating collusion


Internal Auditing in IT

Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
Should participate in design of IT-based system
Perform tests to ensure no unauthorized changes, adequate documentation, control activities functioning and data group performing duties.


IT Control Activities (Figure 8.2)


IT Control Activities
General Control Activities

Developing new programs and systems

Changing existing programs and systems

Access to programs and data

IT operations controls


Application Control Activities

Programmed Control Activities
  Input validation checks
    Limit test
    Validity test
    Self-checking number
  Batch controls
    Item count
    Control total
    Hash total
  Processing controls
    Input controls plus file labels

Manual Follow-up Activities
  Exception reports follow-up
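
The programmed controls listed above, shown together as an added Python example (not from the slides or the textbook): input validation checks on each record, batch totals reconciled against a header prepared at input, and an exception list for manual follow-up. The field names, the 10,000.00 limit, the customer list and the use of Luhn mod-10 as the self-checking scheme are assumptions, and the sample batch is constructed.

```python
from decimal import Decimal

# Assumptions (not from the slides): field names, the 10,000.00 limit, the
# customer master list, and Luhn mod-10 as the self-checking number scheme.
VALID_CUSTOMERS = {"C100", "C200"}
AMOUNT_LIMIT = Decimal("10000.00")

def luhn_ok(number: str) -> bool:
    """Self-checking number: last digit must satisfy the Luhn mod-10 check."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def validate(txn: dict) -> list:
    """Input validation checks; returns the reasons a record is rejected."""
    errors = []
    if not (Decimal("0") < txn["amount"] <= AMOUNT_LIMIT):
        errors.append("limit test")
    if txn["customer"] not in VALID_CUSTOMERS:
        errors.append("validity test")
    if not luhn_ok(txn["account"]):
        errors.append("self-checking number")
    return errors

def batch_totals(txns: list) -> dict:
    """Batch controls recomputed by the system from the records it received."""
    return {"item_count": len(txns),
            "control_total": sum((t["amount"] for t in txns), Decimal("0")),
            # Hash total: a sum with no accounting meaning, here of account numbers.
            "hash_total": sum(int(t["account"]) for t in txns if t["account"].isdigit())}

def process_batch(header: dict, txns: list) -> dict:
    """Compare totals with the input-phase header and list record exceptions."""
    computed = batch_totals(txns)
    mismatches = sorted(k for k in header if header[k] != computed[k])
    exceptions = {i: e for i, t in enumerate(txns) if (e := validate(t))}
    return {"accepted": not mismatches and not exceptions,
            "mismatches": mismatches, "exceptions": exceptions}

# Constructed sample batch; HEADER stands for totals prepared at the input phase.
BATCH = [
    {"account": "10017", "customer": "C100", "amount": Decimal("250.00")},
    {"account": "20024", "customer": "C200", "amount": Decimal("99.50")},
]
HEADER = batch_totals(BATCH)
```

A record posted to a different but well-formed account leaves the item count and control total unchanged, so only the hash total exposes it.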


User Control Activities

Designed to test the completeness and accuracy of IT-processed transactions
Designed to ensure reliability
Reconciliation of control totals generated by system to totals developed at input phase

Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk


Control in Decentralized and Single Workstation Systems

Involves use of one or more user-operated workstations to process data
Needed controls
  Train users
  Document computer processing procedures
  Backup files stored away from originals
  Authorization controls
  Prohibit use of unauthorized programs
  Use antivirus software


Steps 1 and 2 of Audit: Plan Audit and Obtain an Understanding

Step 1: Consider IT system in planning

Step 2: Obtain an understanding of the client and its environment

Documentation of client's IT-based system depends on complexity of system
  Narrative
  Systems flowchart
  Program flowchart
  Internal control questionnaires


Step 3 of Audit: Assess the Risks of Material Misstatement

Identify risks
Relate the identified risks to what can go wrong at the relevant assertion level
Consider whether the risks are of a magnitude that could result in a material misstatement
Consider the likelihood that the risks could result in a material misstatement
Evaluate effectiveness of related controls in mitigating risks
Test of controls over IT-based systems


Techniques for Testing Application Controls

Auditing Around the Computer--Manually processing selected transactions and comparing results to computer output

Manual Tests of Computer Controls--Inspection of computer control reports and evidence of manual follow-up on exceptions

Auditing Through the Computer--Computer-assisted techniques
  Test Data
  Integrated Test Facility
  Controlled Programs
  Program Analysis Techniques
  Tagging and Tracing Transactions
  Generalized audit software parallel simulation


Using Generalized Audit Software to Perform Substantive Procedures

In general, using client data and generalized audit software
  Examine client's records for overall quality, completeness and valid conditions
  Rearrange data and perform analyses
  Select audit samples
  Compare data on separate files
  Compare results of audit procedures with client's records


Typical Inventory Audit Procedures Using Generalized Audit Software (Figure 8.6)

