Auditing in An IT Environment

The document discusses auditing in a computerized environment. It outlines the auditor's responsibility to understand the entity's internal controls over information systems. It then describes characteristics of computerized systems like lack of visible trails and vulnerabilities. The document details general controls like access controls and application controls over input, processing, and output. It explains how auditors can test controls by auditing around the computer or using computer-assisted techniques such as test data and parallel simulation.

AUDITING IN AN I.T. ENVIRONMENT

AUDITING IN A COMPUTERIZED ENVIRONMENT

• With the rapid development in technology in recent years, computer information systems have become
feasible, perhaps essential, for use even in small-scale business operations.
• Regardless of the extent of computerization or the methods of data processing being used, the
responsibility for the establishment and implementation of appropriate internal controls rests with
management and those charged with governance.
• The auditor’s responsibility is to obtain an understanding of the entity’s internal control system to be
able to assess control risk and determine the nature, timing and extent of tests to be performed.
CHARACTERISTICS OF COMPUTERIZED INFORMATION SYSTEMS

• Lack of visible transaction trails
• Consistency of performance
• Ease of access to data and computer programs
• Concentration of duties
• System generated transactions
• Vulnerability of data and program storage media
INTERNAL CONTROL IN A CIS ENVIRONMENT

• General Controls
  • Control policies and procedures that relate to the overall computer information system.
• Application Controls
  • Policies and procedures that relate to specific use of the system.
GENERAL CONTROLS

• Organizational controls
  • A written plan of the organization, with clear assignment of authority and responsibility.
  • Includes segregation of duties between the CIS department and the user department, and segregation of duties within the CIS department.
• Systems development and documentation controls
  • Software development, as well as changes to software, must be approved by the appropriate level of management and the user department.
• Access controls
  • Adequate security controls to protect equipment, files and programs (e.g. using passwords).
• Data recovery controls
  • Provide for the maintenance of backup files and off-site storage procedures.
• Monitoring controls
  • Designed to ensure that CIS controls are working effectively as planned.
APPLICATION CONTROLS

• Controls over input
  • Designed to provide reasonable assurance that the data submitted for processing are complete, authorized and
    accurately translated into machine-readable form.
  • Examples include: key verification, field check, validity check, self-checking digit, limit check and control totals.
• Controls over processing
  • Designed to provide reasonable assurance that input data are processed accurately, and that data are not lost,
    added, excluded, duplicated or improperly changed.
• Controls over output
  • Designed to provide reasonable assurance that the results of processing are complete and accurate, and that these
    outputs are distributed only to authorized personnel.
TEST OF CONTROLS IN A CIS ENVIRONMENT

• Involves evaluating the client’s internal control policies and procedures to determine if they are
functioning as intended.
• The auditor may either: audit around the computer or use Computer-Assisted Audit Techniques.
AUDITING AROUND THE COMPUTER

• The auditor ignores the client’s data processing procedures, focusing solely on the input documents and
the CIS output.
• This can be used only if there are visible input documents and detailed output that will enable the
auditor to trace individual transactions back and forth.
• Also known as the black box approach.
COMPUTER ASSISTED AUDIT TECHNIQUES

• These are computer programs and data which the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity’s information systems.
• Also known as the white box approach.
• These include:
  • Test data
  • Integrated test facilities
  • Parallel simulation
TEST DATA

• Primarily designed to test the effectiveness of the internal control procedures which are incorporated in
the client’s computer programs.
• The auditor prepares test data (fictitious transactions) that consist of valid and invalid conditions. The
auditor enters the test data into the system and has the data processed by the client’s computer
programs.
• The auditor then compares the processing results with his predetermined output. If the output
generated by the client’s program is the same as the auditor’s expected output, the auditor may
conclude that the client’s program is reliable.
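
The input controls listed under APPLICATION CONTROLS and the test data technique above, combined in one added example (not part of the original slides): client_edit is a hypothetical stand-in for the client's input edit program, and the auditor's test deck carries a predetermined result for each fictitious record. The field names, department codes, hours limit and the choice of the Luhn rule for the self-checking digit are assumptions.

```python
from decimal import Decimal, InvalidOperation

VALID_DEPTS = {"FIN", "OPS", "HR"}  # assumed master-file department codes
HOURS_LIMIT = Decimal("60")         # assumed upper limit for weekly hours

def luhn_ok(number: str) -> bool:
    """Self-checking digit: the trailing digit must satisfy the Luhn mod-10 rule."""
    digits = [int(c) for c in reversed(number)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def client_edit(rec: dict) -> list:
    """Hypothetical stand-in for the client's input edit program."""
    errors = []
    if not (rec["emp_id"].isascii() and rec["emp_id"].isdigit()):
        errors.append("field check: emp_id")          # must be numeric
    elif not luhn_ok(rec["emp_id"]):
        errors.append("self-checking digit: emp_id")  # catches keying errors
    if rec["dept"] not in VALID_DEPTS:
        errors.append("validity check: dept")         # must exist on master file
    try:
        hours = Decimal(rec["hours"])
    except InvalidOperation:
        hours = None
    if hours is None or not hours.is_finite():
        errors.append("field check: hours")
    elif not Decimal(0) < hours <= HOURS_LIMIT:
        errors.append("limit check: hours")
    return errors

def run_test_data(program, deck):
    """Return (case, expected, actual) for every case where the program deviates."""
    deviations = []
    for name, rec, expected in deck:
        actual = program(rec)
        if actual != expected:
            deviations.append((name, expected, actual))
    return deviations

# Auditor's test deck (constructed): fictitious records with predetermined results.
TEST_DECK = [
    ("valid", {"emp_id": "10009", "dept": "FIN", "hours": "40"}, []),
    ("alpha id", {"emp_id": "1000A", "dept": "FIN", "hours": "40"}, ["field check: emp_id"]),
    ("bad digit", {"emp_id": "10042", "dept": "OPS", "hours": "40"}, ["self-checking digit: emp_id"]),
    ("unknown dept", {"emp_id": "10017", "dept": "XYZ", "hours": "40"}, ["validity check: dept"]),
    ("over limit", {"emp_id": "10025", "dept": "HR", "hours": "400"}, ["limit check: hours"]),
    ("at limit", {"emp_id": "10033", "dept": "HR", "hours": "60"}, []),
]
```

An empty list from run_test_data(client_edit, TEST_DECK) means every valid and invalid condition was handled as predetermined; any entry names the control that did not behave as expected.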
INTEGRATED TEST FACILITY

• When using the ITF, the auditor creates a dummy or fictitious employee or other appropriate unit for
testing within the entity’s computer system.
• The ITF integrates the processing of test data with the actual processing of ordinary transactions
without management being aware of the testing process. The resultant output, relating to the dummy
unit, is then compared with the predetermined results to evaluate the reliability of the client’s program.
• Unlike test data, ITF provides assurance that the program tested by the auditor is the same program
used by the client in the processing of transactions.
PARALLEL SIMULATION

• This requires the auditor to write a program that simulates key features or processes of the program
under review.
• The simulated program is then used to reprocess transactions that were previously processed by the
client’s programs. The auditor compares the results obtained from the simulation with the client’s
output to be able to draw a conclusion about the reliability of the client’s program.
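
A parallel simulation as an added example (not part of the original slides): the auditor re-implements one key rule, reprocesses transactions the client has already processed, and lists every disagreement with the client's output. The overtime rule, field names and sample data are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

OVERTIME_THRESHOLD = Decimal("40")  # assumed documented policy: hours above 40
OVERTIME_FACTOR = Decimal("1.5")    # are paid at 1.5 times the hourly rate

def simulate_gross_pay(hours: str, rate: str) -> Decimal:
    """Auditor's independent re-implementation of the documented pay rule."""
    h, r = Decimal(hours), Decimal(rate)
    regular = min(h, OVERTIME_THRESHOLD) * r
    overtime = max(h - OVERTIME_THRESHOLD, Decimal(0)) * r * OVERTIME_FACTOR
    return (regular + overtime).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(transactions, client_output):
    """Reprocess past transactions and list every disagreement with the client."""
    exceptions = []
    client = {row["txn_id"]: Decimal(row["gross_pay"]) for row in client_output}
    for txn in transactions:
        expected = simulate_gross_pay(txn["hours"], txn["rate"])
        actual = client.pop(txn["txn_id"], None)
        if actual is None:
            exceptions.append((txn["txn_id"], "missing from client output", expected, None))
        elif actual != expected:
            exceptions.append((txn["txn_id"], "amount differs", expected, actual))
    # Whatever remains was produced by the client without a source transaction.
    exceptions += [(tid, "no source transaction", None, amt) for tid, amt in client.items()]
    return exceptions

# Constructed sample: source transactions and the client's previously produced output.
TRANSACTIONS = [
    {"txn_id": "T1", "hours": "40", "rate": "20.00"},
    {"txn_id": "T2", "hours": "45", "rate": "20.00"},
    {"txn_id": "T3", "hours": "38.5", "rate": "18.40"},
    {"txn_id": "T4", "hours": "40", "rate": "22.00"},
]
CLIENT_OUTPUT = [
    {"txn_id": "T1", "gross_pay": "800.00"},
    {"txn_id": "T2", "gross_pay": "900.00"},  # overtime paid at straight time
    {"txn_id": "T3", "gross_pay": "708.40"},
    {"txn_id": "T9", "gross_pay": "500.00"},  # no matching source transaction
]
```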
OTHER COMPUTER ASSISTED AUDIT TECHNIQUES

• Snapshots
  • This involves the use of audit software routines to take a picture of a transaction as it flows through computer
    systems. This permits the auditor to track data and evaluate the computer processes applied to the data.
• System control audit review files (SCARF)
  • This involves embedding audit software modules within an application system to provide continuous
    monitoring of the system’s transactions. The information is collected into a special computer file that the auditor
    can examine.
