Unit 9 - Lecture Notes

This lecture focuses on the impact of information technology on the audit process, highlighting how IT can improve internal controls while also introducing new risks such as inaccuracies and fraud. It discusses the importance of general and application controls in mitigating these risks and outlines various computer-assisted audit techniques. Additionally, the lecture addresses issues related to electronic commerce and the need for robust internal controls to protect sensitive data.

Uploaded by keishamill1977

COURSE TITLE: Audit Practice and Procedures I

COURSE NUMBER: ACT300

UNIT: 9

Lecture: 9

LECTURE TITLE: The Impact of Information on the Audit Process

Information technology is rapidly transforming the way auditing functions are performed, while posing
new challenges to the profession. This week’s focus will be on the impact of information on the audit
process, particularly as it relates to technology. At the end of this lesson, you should be able to:

1. Describe how IT improves internal control.
2. Identify risks that arise from using an IT-based accounting system.
3. Explain how general controls and application controls reduce IT risks.
4. Describe how general controls affect the auditor’s testing of application controls.
5. Use test data, parallel simulation, and embedded audit module approaches when auditing
through the computer.
6. Identify issues for e-commerce systems and other specialized IT environments.

Read for this lecture:

Arens, Elder, Beasley: Auditing and Assurance Services, an Integrated Approach, fifteenth Edition:
Pearson: Prentice Hall. (Chapter 12)

Additional reading:

Kerr, Elder, Arens: Integrated Audit Practice Case: Third Edition: Armond Dalton Publishers, Inc. (Chapter
12)

Information technology and internal control

Due to the advances in information technology (IT), it is now much easier and cheaper to have control
systems that cover many areas and that are able to provide real-time feedback. Though this has
provided new opportunities for companies to manage their processes, it is still important that the areas
to control and the best controls are identified. In addition, the quick feedback time from computerized
controls allows management to spend its time in the areas where it already knows there is a problem.
The implementation of IT can also result in internal control improvements by replacing manually
performed controls with computer-performed controls. Computer-performed controls can reduce the
likelihood of human error by replacing manual controls with programmed controls that apply
checks and balances to each transaction processed. The orderly nature of IT offers greater potential to
minimise the risk of material misstatements resulting from random, human errors in processing. The
use of IT-based accounting systems offers the prospect of value-added management decisions by
providing more and higher-quality information on a more timely basis than traditional manual systems.
IT-based accounting systems have the capacity to manage large volumes of complex commercial
transactions efficiently.

Now that we have an appreciation of how information technology and internal control are connected, we
will look at the drawbacks of IT-based accounting systems.

Risks associated with IT-based accounting systems

The extensive use of computers in a company’s operations and accounting systems tends to increase
the company’s exposure to inaccuracies and fraud. Therefore, the information technology that is used
in a company is of particular interest to the auditors. Because computers apply the same steps to
similar transactions, if there is a mistake in the program itself, there will be an error in every
transaction that is processed using that defective program. Using a computerized accounting system
comes with another set of problems, such as the need to protect against data loss through power failure
or viruses, and the danger of hackers stealing data. Computer fraud is also a concern, and you need
to put in place a system of controls over who has access to the information, particularly customer
information. If there is a security breach and data is stolen, management can be held personally liable
for the loss of data. You also need to make sure that the data has been correctly entered into the
system, as a mistake in data entry can throw off a whole set of data.

From a business perspective, the most common abuses, misuses and failure consequences may include:

• Financial loss as a result of a fraud: someone can transfer funds in a fraudulent way from one
account to another, or destroy important financial records.

• Loss of valuable confidential information: an intrusion can reveal information to non-authorized
parties, resulting in significant damage.

• Loss of business opportunities through a service discontinuity: electronically dependent
commercial services may be interrupted for unacceptable periods of time, as a result of
intentional attacks or accidental events. The costs can be catastrophic.

• Non-authorized use of resources: an external attack can generate access to non-authorized
resources and misuse information for personal benefit.

• Loss of confidentiality or client's respect: an organization may suffer significant losses as a result
of negative publicity from an intrusion or failure.

General controls and application controls

Controls within a computer system are broken down into two types: general controls, which relate to
the environment, and application controls, which are specific to individual applications. Both types of
controls are essential because the possibility of accident, error, and loss of data exists whenever data is
stored, processed, rejected and reentered, copied from one medium to another, or transmitted from
one location to another.

General Controls

General controls relate to the general environment in which transaction processing takes place and are
designed to ensure that the company’s control environment is stable and well-managed. A stable and
well-managed control environment strengthens the effectiveness of the company’s application controls.
General controls include controls over the development, modification and maintenance of computer
programs.

General controls are broken down into the following categories:

Organization and operation of the computer facilities

• including provision for the segregation of duties within the data processing function as well as
segregation of the data processing function from other operations.

General operating procedures

• including written procedures and manuals. Operating procedures also specify the process to
follow in system development and system changes in order to provide reasonable assurance that
development of, and changes to, computer programs are authorized, tested and approved prior
to the use of the program.

Equipment and hardware controls

• including controls installed in computers that can identify incorrect data handling or improper
operation of the equipment.

Access controls to equipment and data

• such as controls over physical access to the computer system and over logical access to the data
that are adequate to protect the equipment and data files from damage or theft.

Application Controls

Application controls are controls that are specific to individual applications. They are designed to
prevent, detect and correct errors in transactions as they flow through the input, processing and output
stages of work. Thus, they are broken down into three main categories: input controls, processing
controls and output controls.

Input controls

• These should provide reasonable assurance that the data entered into the system has proper
authorization, has been converted to machine-sensible form, and has been identified.

Processing controls

• These provide some reasonable assurance that processing has been properly completed as
intended, without programming errors or clerical errors, and in a timely manner.

Output controls

• These provide some reasonable assurance that the processing result is accurate and that only
authorized personnel receive the output.

Computer-Assisted Audit Techniques (CAATs)

The auditor may use three broad categories of computer-assisted techniques to test controls:

• Auditing around the computer

• Auditing with the computer

• Auditing through the computer

Auditing Around the Computer

With this technique, auditors test the reliability of computer-generated information by first calculating
expected results from the transactions entered into the system. Then, the auditors compare these
calculations to the processing or output results. If they prove to be accurate and valid, it is assumed that
the system of controls is effective and that the system is operating properly.

Auditing With the Computer

The auditing with the computer approach embraces a variety of techniques and often is referred to as
computer-assisted audit techniques (CAATs). Although the utilization of CAATs has radically improved
the capabilities and effectiveness of auditors, they are primarily used to perform substantive tests. One
widely used CAAT, known as general audit software (GAS), is frequently employed to perform
substantive tests and may be used for limited testing of controls. For example, GAS can be used to test
the functioning of complex algorithms in computer programs, but it requires extensive experience in
using the software.

Auditing Through the Computer

These techniques focus on testing automated processing steps, programming logic, edit routines and
programmed controls. The approach assumes that, if the processing programs are soundly developed
and incorporate adequate edit routines and programmed checks, then errors and irregularities are not
likely to slip by undetected. If these programs are functioning as designed, the outputs can reasonably
be accepted as reliable. The auditing through the computer approach employs the following techniques:

Test data - this involves the auditor submitting 'dummy' data into the client's system to ensure that the
system correctly processes it and that it prevents or detects and corrects misstatements. The objective
of this is to test the operation of application controls within the system. To be successful, test data
should include both data with errors built into it and data without errors. Test data may be processed
during a normal operational cycle or during a special run at a point in time outside the normal
operational cycle.

Integrated test facilities - this involves the creation of dummy ledgers and records to which test data
can be sent. This enables more frequent and efficient test data procedures to be performed live and the
information can simply be ignored by the client when printing out their internal records; and

Embedded audit software - this requires a purpose written audit program to be embedded into the
client's accounting system. The program will be designed to perform certain tasks (similar to audit
software) with the advantage that it can be turned on and off at the auditor's wish throughout the
accounting year. This will allow the auditor to gather information on certain for later testing and will also
identify peculiarities that require attention during the final audit.

Parallel simulation – this attempts to simulate or duplicate the firm’s actual processing results. The
auditor’s objective is to use the software to input the firm’s actual data for a past period and generate
the same output as live production programs. The auditor’s simulated results and the actual processing
results are compared, and differences noted, investigated and corrected.
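
The parallel simulation technique described above, sketched as an added example (not part of the original lecture notes): the auditor's own program reprocesses the client's input for a past period and reports every difference from the live output. The payroll data, the 40-hour overtime rule and all names are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: the client's actual input for a past pay period.
TIMESHEETS = [
    {"emp": "E001", "hours": "40", "rate": "18.50"},
    {"emp": "E002", "hours": "46", "rate": "22.00"},
    {"emp": "E003", "hours": "38.5", "rate": "30.00"},
    {"emp": "E004", "hours": "44", "rate": "20.00"},
]

# Constructed sample data: gross pay reported by the client's live program.
PRODUCTION_OUTPUT = {
    "E001": "740.00",
    "E002": "1078.00",
    "E003": "1155.00",
    "E004": "880.00",   # overtime premium not applied
    "E999": "950.00",   # paid, but no timesheet in the input file
}

CENT = Decimal("0.01")

def simulate_gross_pay(hours, rate, threshold=Decimal("40"), premium=Decimal("1.5")):
    """Auditor's independent recalculation (assumed rule: 1.5x pay above 40 hours)."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, threshold)
    overtime = max(hours - threshold, Decimal("0"))
    return ((regular + overtime * premium) * rate).quantize(CENT, ROUND_HALF_UP)

def parallel_simulation(timesheets, production_output):
    """Reprocess the input and return every difference from the live output."""
    differences = []
    simulated = {t["emp"]: simulate_gross_pay(t["hours"], t["rate"]) for t in timesheets}
    for emp, expected in simulated.items():
        if emp not in production_output:
            differences.append((emp, "missing from production output", expected, None))
        elif Decimal(production_output[emp]) != expected:
            differences.append((emp, "amount differs", expected, Decimal(production_output[emp])))
    # Output records with no matching input deserve the same attention as wrong amounts.
    for emp in production_output.keys() - simulated.keys():
        differences.append((emp, "no source input", None, Decimal(production_output[emp])))
    return sorted(differences, key=lambda d: d[0])

if __name__ == "__main__":
    for emp, issue, simulated, actual in parallel_simulation(TIMESHEETS, PRODUCTION_OUTPUT):
        print(f"{emp}: {issue} (simulated={simulated}, production={actual})")
```

Each reported difference is a lead to investigate, not a conclusion: it may point to a defect in the client's program, an unauthorized record, or an error in the auditor's own simulation.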

Electronic commerce introduces a new set of concerns for companies such as designing and positioning
a site to attract customers, making sales and purchase transactions secure, and ensuring customer
privacy. We will now look at some other concerns with electronic commerce.

Issues for e-commerce

Electronic commerce (e-commerce) is more than just buying and selling online. Broadly, it includes the
entire process of developing a product, marketing and selling it, delivering the product, servicing
customers, paying for products and services purchased, and receiving payment for products and services
sold. All of this can be transacted in the global marketplace by using the Internet, intranets, extranets
and other technologies.

With e-commerce, sensitive data and information must be protected. Some of the security challenges in
the e-environment are manipulation of information, disclosure of information to unauthorized people,
theft of information and network resources, disruption of network services, and wrongful claiming of
services administered or not administered. In companies doing business electronically, there is a strong
need for Human Resource Accounting (HRA), as the investment in human resources is very high.

Summary of Lecture

Information technology has now made it more economical to have control systems that cover many
areas and that are able to provide faster feedback. With the use of information technology, companies
are exposed to the risks of inaccuracies, fraud, loss of confidential information and other issues. The
electronic systems and infrastructure that support electronic commerce are subject to abuse, misuse
and failures in many ways. Some of these consequences can be minimized through adequate and
healthy practices of information technology internal control within the organization.

Terminology:

Information Technology (IT) – is the use of any computers, storage, networking and other physical
devices, infrastructure and processes to create, process, store, secure and exchange all forms of
electronic data.

General controls – these are controls that apply to all systems components, processes, and data for an
organization or information technology (IT) environment.

Application controls – these are controls over the input, processing, and output functions.

E-commerce - is the buying and selling of goods and services, or the transmitting of funds or data, over
the Internet.

Sources:

Arens, Elder, Beasley: Auditing and Assurance Services, an Integrated Approach, fifteenth Edition:
Pearson: Prentice Hall.

Bansal, S C; Sharma, Lata: New Challenges of Account and Auditing in E-environment in India, Revista
Universo Contábil, vol. 5, no. 1, January-March 2009.

Kerr, Elder, Arens: Integrated Audit Practice Case: Third Edition: Armond Dalton Publishers, Inc.

http://wps.prenhall.com/bp_arens_audit_13/111/28515/7299955.cw/index.html

http://highered.mheducation.com/sites/0070880360/index.html

Self-Assessment Quiz

Multiple Choice

1. The use of technology can improve a company's:

a) Employer-Employee relation
b) Paper trails
c) Internal controls
d) None of the above

2. The shift from manual to computer processes has led to:

a) Reduced responsibility on management to ensure financial information is accurate.
b) More responsibility on auditors to ensure financial information is accurate.
c) A reduction in segregation of duties.
d) None of the above.

3. Specific risks associated with IT systems include:

a) Loss of data
b) Systematic errors
c) Unauthorized access
d) All of the above

4. General controls relate to all aspects of the IT function. Application controls apply to the processing
of individual transactions. Which of the following should be classified as an application control?

a) Backup and contingency planning
b) Administration of the information technology (IT) function
c) Physical and online security
d) Input control

5. Which of the following examples of control should be classified as a general control?

a) Reasonableness tests review hours worked by employees.
b) Preformatted screens prompt data input personnel for information to be entered.
c) Responsibility for programming, operations and data control are separated.
d) The sales department performs post-processing review of sales transactions.
