Post on 19-Dec-2015
12 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder
The Impact of Information Technology on the Audit Process
Chapter 12

Learning Objective 1
Describe how IT improves internal control.

How Information Technologies Enhance Internal Control
Computer controls replace manual controls.
Higher-quality information is available.

Learning Objective 2
Identify risks that arise from using an IT-based accounting system.

Assessing Risks of Information Technologies
Reliance on the capabilities of hardware and software
Visibility of audit trail
Reduced human involvement
Systematic versus random errors

Assessing Risks of Information Technologies
Unauthorized access
Loss of data
Reduced segregation of duties
Lack of traditional authorization
Need for IT experience

Learning Objective 3
Explain how general controls and application controls reduce IT risks.

Internal Controls Specific to Information Technology
General controls
Application controls

Relationship Between General and Administrative Controls
[Diagram labels: Cash receipts application controls; Sales application controls; Payroll application controls; Other cycle application controls; GENERAL CONTROLS]
Risk of unauthorized change to application software
Risk of system crash
Risk of unauthorized master file update
Risk of unauthorized processing

General Controls
Administration of the IT function
Segregation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls

Administration of the IT Function
The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

Segregation of IT Duties
[Organization chart labels: Chief Information Officer or IT Manager; Systems Development; Operations; Data Control; Security Administrator]

Systems Development
Typical test strategies
Pilot testing
Parallel testing

Physical and Online Security
Physical Controls:
Keypad entrances
Badge-entry systems
Security cameras
Security personnel
Online Controls:
User ID control
Password control
Separate add-on security software

Backup and Contingency Planning
One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.

Hardware Controls
These controls are built into computer equipment by the manufacturer to detect and report equipment failures.

Application Controls
Input controls
Processing controls
Output controls

Input Controls
These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.

Batch Input Controls
Financial total
Hash total
Record count

Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test

Output Controls
These controls focus on detecting errors after processing is completed rather than on preventing errors.

Learning Objective 4
Describe how general controls affect the auditor’s testing of application controls.

Impact of Information Technology on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments

Learning Objective 5
Use test data, parallel simulation, and embedded audit module approaches when auditing through the computer.

Test Data Approach
1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by the auditor’s test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client’s records.

Test Data Approach
[Flowchart labels: Input test transactions to test key control procedures; Master files; Application Programs (Assume Batch System); Transaction files (contaminated?); Contaminated master files; Control test results]

Test Data Approach
[Flowchart labels: Auditor-predicted results of key control procedures based on an understanding of internal control; Control test results; Auditor makes comparisons; Differences between actual outcome and predicted result]

Parallel Simulation
The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.

Parallel Simulation
[Flowchart labels: Production transactions; Master file; Auditor-prepared program; Client application system programs; Auditor results; Client results]
Auditor makes comparisons between client’s application system output and the auditor-prepared program output
Exception report noting differences
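
The comparison described on the Parallel Simulation slides, as an added example that is not from the slides or the textbook: an auditor-prepared program recomputes invoice amounts from the same production transactions and master file, then lists every difference from the client's output. The invoice numbers, item codes, prices and the quantity-times-price rule are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data (not from the slides): price master file,
# production sales transactions, and the client system's invoice output.
MASTER_FILE = {"A100": Decimal("12.50"), "B200": Decimal("99.99"), "C300": Decimal("4.25")}
PRODUCTION_TRANSACTIONS = [
    {"invoice": "INV-001", "item": "A100", "qty": 10},
    {"invoice": "INV-002", "item": "B200", "qty": 3},
    {"invoice": "INV-003", "item": "C300", "qty": 40},
    {"invoice": "INV-004", "item": "A100", "qty": 2},
    {"invoice": "INV-005", "item": "Z999", "qty": 1},   # item not on master file
]
CLIENT_RESULTS = {
    "INV-001": Decimal("125.00"),
    "INV-002": Decimal("299.97"),
    "INV-003": Decimal("107.00"),   # differs from qty * master price
    # INV-004 is absent: the client system produced no invoice for it
    "INV-005": Decimal("50.00"),    # processed despite the unknown item
    "INV-900": Decimal("75.00"),    # output with no production transaction
}

def auditor_program(transactions, master_file):
    """Auditor-controlled recomputation: amount = qty * master-file price."""
    results, rejected = {}, {}
    for txn in transactions:
        price = master_file.get(txn["item"])
        if price is None:
            # Validation test the auditor expects: unknown items are rejected.
            rejected[txn["invoice"]] = f"item {txn['item']} not on master file"
        else:
            results[txn["invoice"]] = (price * txn["qty"]).quantize(Decimal("0.01"))
    return results, rejected

def exception_report(client_results, auditor_results, rejected):
    """Compare both outputs and list every difference, ordered by invoice."""
    report = []
    for invoice in sorted(set(client_results) | set(auditor_results) | set(rejected)):
        client = client_results.get(invoice)
        auditor = auditor_results.get(invoice)
        if invoice in rejected:
            if client is not None:
                report.append((invoice, "client processed a rejected transaction: "
                               + rejected[invoice]))
        elif auditor is None:
            report.append((invoice, "client output has no production transaction"))
        elif client is None:
            report.append((invoice, "production transaction missing from client output"))
        elif client != auditor:
            report.append((invoice, f"amount differs: client {client}, auditor {auditor}"))
    return report

def run_parallel_simulation():
    auditor_results, rejected = auditor_program(PRODUCTION_TRANSACTIONS, MASTER_FILE)
    return exception_report(CLIENT_RESULTS, auditor_results, rejected)

if __name__ == "__main__":
    for invoice, finding in run_parallel_simulation():
        print(invoice, "-", finding)
```

Matching invoices produce no line in the report; each remaining line maps to one of the risks listed earlier in the deck, such as unauthorized processing or a missing validation test.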

Embedded Audit Module Approach
Auditor inserts an audit module in the client’s application system to capture transactions with characteristics that are of specific interest to the auditor.

Learning Objective 6
Identify issues for e-commerce systems and other specialized IT environments.

Issues for Different IT Environments
Issues for microcomputer environments
Issues for network environments
Issues for database management systems
Issues for e-commerce systems
Issues when clients outsource IT

End of Chapter 12