AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT


63 Terms

1

It exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party

IT Environment

2

Other terms used to refer to the IT environment

  • Electronic Data Processing (EDP) Environment

  • Computer Information Systems (CIS) Environment

3

Components of IT Environment

  1. IT Infrastructure

  2. IT Applications

  3. IT Processes

4

It comprises the network, operating systems, and databases and their related hardware and software

IT Infrastructure

5

It is a program or set of programs used in the initiation, processing, recording, and reporting of transactions or information

IT Applications

6

Examples of IT Applications:

  • Small and medium sized business

  • Enterprise (ERP)

  • Cloud or online

7

These are the entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations

IT Processes

8

Controls of IT Processes

  • General Controls

  • Application Controls

9

Components of IT Infrastructure

  1. Database System

  2. Operating System

  3. Network

  4. Computer (hardware and software)

10

It enables data synchronization by maintaining one copy of important records locked in an organized file system which is shared by various users without the necessity of maintaining a copy of the file for themselves

Database System

11

It is a group of computer programs that monitor and control all the input, output, processing and storage devices and operations of a computer

Operating System

12

It is a group of interconnected computers and terminals.

Network

13

It is a communication system that enables users to share computer equipment, application software, data, and voice and video transmissions

Network Environment

14

Examples of Network

  • LAN (Local Area Network) - Building

  • MAN (Metropolitan Area Network) - City

  • NAN (National Area Network) - Country

  • WAN (Wide Area Network) - Continent

  • Internet - Worldwide

15

It is the interpreter of program codes that will manipulate the data

Control Unit

16

It performs arithmetic and logic functions

Arithmetic and Logic Unit (ALU)

17

It refers to the susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.

Risks Arising from the use of IT (RAIT)

18

Categories of IT Controls

  • General Control

  • Application Control

19

Categories of General Controls

  • Entity-wide

  • General IT Control

20

It is embedded in its control environment, and designed to define the strategic direction and establish an organizational framework for IT Activities

Entity-wide

21

Entity-wide controls establish the following activities:

S2PARTA

  • Strategies and plans

  • Segregation of incompatible duties

  • Policies and Procedures

  • Quality Assurance

  • Risk Assessment Activities

  • Training

  • Internal Audit and Monitoring

22

These are controls over the entity’s IT processes that support the continuous and proper operation of the IT environment, including the continued effective functioning of information processing controls and integrity of information in the entity’s information system.

General IT Controls

23

Examples of General IT Controls:

COA

  • Controls over IT Changes

  • IT Operations controls

  • Access controls

24

It is handled by a Chief Information Officer who supervises the operation of the department

Information System Management

25

They are responsible for designing the information systems. They focus on setting the goals of the information system and the means of achieving them, after considering the goals of the organization and the computer processing needs of the entity.

System Analysis

26

It codes the system specifications determined by system analysts using programming languages

Application Programming

27

It focuses on planning and administering the database by designing it and controlling its use

Database Administration

28

It prepares and verifies input data for processing

Data Entry

29

Audit procedures for segregation of duties:

Inspection

  • information security policy and procedures

  • IT policies and procedures document

30

It provides reasonable assurance that access to equipment, files, and programs is limited only to authorized personnel

Access Controls

31

Examples of Access Controls

E PHD

  • Electronic access control

  • Physical access control

  • Hardware control

  • Data transmission control

32

It receives all data for processing, ensures complete recording, follows up on errors, determines that data are corrected and resubmitted by user departments, and verifies output distribution

Data Control Group

33

Contingency Processing

  1. Reciprocal agreement or mutual aid pact - two entities with their own internal site will be allocating a portion for their counterpart

  2. Internal site - backup system internally

  3. Hot site - the back-up system is being managed by the service provider

  4. Cold site - the back-up system is being managed by the entity but it is owned by the service provider

34

These controls form part of the business process applications that help the entity achieve its financial reporting objectives as to the completeness, accuracy, existence/authorization, and presentation of data

IT Application Controls

35

Common examples of controls over input:

  • Key verification - 2 different outputs are compared

  • Limit test - ex: 0 to 1M; If entered 5M - notification to users

  • Validity test - acceptable input based on the system

  • Self-checking digit - ex: 13-digit bank number; if only 11 digits are entered, it adds 2 zeros

  • Completeness Check - information must be complete; if not, it will not proceed

  • Control Totals

  • Menu Driven Input - there are choices

  • Field Check - only numbers; if an alphanumeric value is entered, it will not proceed

  • Field Size Check - ex: password must be 8 characters

  • Logic Tests - if not acceptable based on the program’s logic, it will not proceed

36

Group of related fields

Record

37

It is designed to provide reasonable assurance that:

  • Transactions are processed accurately

  • Transactions are not lost, added, excluded, duplicated, or improperly changed

  • Processing errors are identified and corrected on a timely basis

Controls over processing

38

The overall objective and scope of an audit, including the auditor’s responsibilities, do not change in an IT environment (T/F)

True

39

An IT environment may affect:

  • Auditor’s consideration of internal control which will include an assessment of computerized as well as manual controls

  • Auditor’s assessment of control risk

  • Procedures to be performed in considering internal control and performing substantive tests.

40

Risk Assessment Procedures

  1. Obtain an understanding of the IT environment including entity-level IT controls

  2. Identify relevant IT applications and other aspects of IT environment

  3. Identify risks arising from the use of IT (RAIT)

  4. Identify general IT controls

  5. Evaluate the design and implementation of automated controls

41

The auditor's tests of controls vary depending on whether audit evidence generated by the computer is:

  1. External to the computer, and therefore directly observable

  2. Internal to the computer, and therefore not directly observable

42

Black-Box Approach (Auditing around the computer) vs. White-Box Approach (Auditing through and/or with computer)

  • Consideration of computer
    Black-Box: The full potential of computers as an audit tool is not utilized
    White-Box: Computers are considered essential tools that aid the execution of audit procedures

  • Focus area
    Black-Box: Input and output of controls
    White-Box: Input and processing of controls

  • Use of CAATs
    Black-Box: Not applicable
    White-Box: Applicable

  • IT expertise required
    Black-Box: No specific expertise required
    White-Box: Knowledge and skills in the software, programs, and techniques used

43

Factors Considered in Using CAATs:

  • Degree of technical competence in IT

  • Availability of CAATs and appropriate computer facilities

  • Impracticability of manual tests

  • Effectiveness and efficiency

  • Timing of tests

44

The auditor uses a set of dummy transactions, processed by the client’s computer programs, to determine whether the controls which the auditor intends to test are operating effectively

Test Data

45

This method introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design. It integrates fictitious and actual data without management’s knowledge, allowing the auditor to compare the client’s output with the results expected by the auditor.

Integrated Test Facility (ITF)

46

It is a special type of test data, developed to test every possible condition that an auditor expects a client’s software will confront. (Test data will be processed by the client’s personnel and by the auditor separately, then compared)

Base Case System Evaluation (BCSE)

47

This technique processes actual client data through an auditor’s generalized audit software program and compares the output with the output obtained from the client

Parallel Simulation

48

This is only a variation of parallel simulation. Instead of using a generalized audit software program to process actual client data, the auditor uses a copy of the client’s application program

Controlled Reprocessing

49

These techniques allow the auditor to gain an understanding of the client’s program

Program Analysis

50

This technique involves actual analysis of the logic of the program’s processing routines

Code review

51

These programs allow the auditor to compare computerized files

Comparison programs

52

This is used to produce a flowchart of a program’s logic and may be used in both mainframe and microcomputer environments

Flowcharting software

53

It is a technique in which each instruction executed is listed along with control information affecting that instruction.

Program Tracing

54

It identifies sections of code that can be “entered” and thus are executable

Program Mapping

55

These are programmed routines incorporated into an application program that are designed to perform an audit function such as calculations, or logging activity. It is used to select client data for subsequent testing and analysis.

Embedded Audit Modules

56

It is a log, usually created by an embedded audit module, used to collect information for subsequent review and analysis

System Control Audit Review Files (SCARF)

57

It is an exit point in an application program that allows an auditor to subsequently add an audit module by activating the hook to transfer control to an audit module. Auditors sometimes use this to accomplish transaction tagging.

Audit Hooks

58

It is a technique in which an identifier providing a transaction with a special designation is added to the transaction record. A transaction is “tagged” and then traced through critical control points in the information system.

Transaction tagging

59

This technique attaches additional data that would not otherwise be saved to regular historic records and thereby helps to provide a more complicated audit trail

Extended Records

60

These logs, created by either the operating system itself or additional software packages that track particular functions, include reports of the resources used by the computer system

Job Accounting Data/Operating System Logs

61

This software logs changes in programs, program modules, job control language, and other processing activities.

Library Management Software

62

This software supplements the physical and control measures relating to the computer and is particularly helpful in online environments or in systems with data communications because of difficulties of physically securing computers.

Access Control and Security Software

63