Chapter 12 The Impact of Information Technology on the Audit Process Dr. Mohamed A. Hamada
Dec 24, 2015
1. What Are Differences Between Manual & Computerized Accounting?
Manual accounting requires that all journal entries, invoices and other financial documents be created by hand.
Computerized accounting allows users to input information into accounting software programs.
• Speed: Computerized accounting produces information much faster than manual accounting. Accounting software packages, such as QuickBooks and Peachtree, come with built-in databases that allow users to input data.
• Accuracy: Manual accounting systems are prone to mathematical errors and misplaced numbers. With a computerized accounting system, your company data is automatically calculated based on numbers you input.
• Financial Statements: Computerized accounting systems allow financial statements to be created from information stored in the database.
• Cost: The cost of computerized accounting systems can range from hundreds to thousands of dollars for large businesses. A computerized accounting system may save on man hours used for creating financial statements and other reports. For this reason, many small and mid-sized businesses use computerized accounting software.
• Reports: Reports are created in a timely manner when using a computerized accounting system. Reports generated from computerized accounting software allow managers to run the company in a more efficient manner.
• Safety: Accounting records kept on the manual system can be lost or damaged easily, such as by coffee spills. On the other hand, records kept by a computer are likely to be safer because many systems are backed up often. If you lose pages in a paper pad, you may have to recreate the transactions by conducting research and writing them in again. In a computerized system, you simply restore the latest backup and add a few transactions that were not saved.
• Organization: Data processed through software is organized and easy to find. Accounting programs organize the information in one place, classified by type. For instance, if you want to find certain data about a vendor, you can go to the accounts payable section of the software, usually by clicking a link or tab, and conduct a search for the vendor. If you conduct the same process on a manual system, you may have to go through several pages and take your time to find what you're looking for.
Main Features of the Computerized Auditing Environment
• All tasks are performed electronically. In other words, transactions and events are recorded in electronic records with electronic evidence.
• Electronic data interchange and online transactions are expanded.
• The auditing process is carried out continuously during the year, not at the end of the year.
• Technological techniques are used, such as neural networks to detect fraud and errors in financial statements, and expert systems.
• Furthermore, software agents could be used to collect the electronic audit evidence.
Main differences between traditional and computerized auditing
• The way in which transactions are recorded
• The way in which such recording must be controlled and authenticated
• The training, skills needed and attitudes of responsible staff, on both the management and technical levels
• The way in which the process and its results must be audited
Learning Objective 1
• Describe how IT improves internal control.
How Information Technologies Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
Internal Control
• Is a process effected by the company’s board of directors, management and other personnel.
• It provides reasonable assurance regarding the achievement of the following objectives:
- Economy, efficiency and effectiveness of operations
- Internal financial control
- Compliance with applicable laws and regulations
Main objectives of the Internal Control
• Safeguard assets of the organization
• Ensure the accuracy and reliability of accounting records and information
• Promote the efficiency in the firm’s operations
• Measure compliance with management’s prescribed policies and procedures
Classifications of system controls in Computerized systems
• General controls
• Application controls
General controls
• Organizational and operating controls
• Business continuity and disaster recovery planning
• Program development and documentation controls
• Hardware controls
• Access controls
Application controls
• Input controls
• Processing controls
• Output controls
General controls
• Concern all computer activities. They relate to all or many computerized accounting activities.
• They include control over the development, modification and maintenance of computer programs.
Application controls
• Are controls built into the system to ensure that all data entered into the system are valid and will not cause system failure, controls that ensure proper processing of transactions, and controls covering reports, checks, documents, and other printed or displayed information.
Learning Objective 2
• Identify risks that arise from using an IT-based accounting system.
Assessing Risks of Information Technologies
Risks to hardware and data
Reduced audit trail
Need for IT experience and separation of IT duties
Risks to Hardware and Data
Reliance on the functioning capabilities of hardware and software
Systematic versus random errors
Unauthorized access
Loss of data
Reduced Audit Trail
Visibility of audit trail
Reduced human involvement
Lack of traditional authorization
Need for IT Experience and Separation of Duties
Reduced separation of duties
Need for IT experience
Learning Objective 3
• Explain how general controls and application controls can reduce IT risks.
General Controls
Administration of IT function
Separation of IT duties
Systems development
Physical and online security
Backup and planning
Hardware controls
Administration of the IT Function
The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.
Segregation of IT Duties
Chief Information Officer or IT Manager
• Systems Development
• Operations
• Data Control
• Security Administrator
Systems Development
Typical test strategies:
• Pilot testing
• Parallel testing
Physical and Online Security
Physical Controls:
• Keypad entrances
• Badge-entry systems
• Security cameras
• Security personnel
Online Controls:
• User ID control
• Password control
• Separate add-on security software
Backup and Contingency Planning
One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.
Hardware Controls
These controls are built into computer equipment by the manufacturer to detect and report equipment failures.
Application Controls
Input controls
Processing controls
Output controls
Input Controls
These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.
Batch Input Controls
Financial total
Hash total
Record count
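The three batch input controls listed above can be computed and checked as follows. This is an added example, not part of the original slides; the field names `account_no` and `amount` and the sample batch are constructed for illustration.

```python
from decimal import Decimal

CONTROLS = ("record_count", "financial_total", "hash_total")

def batch_totals(records):
    """Compute the three batch input controls for a list of transactions."""
    return {
        "record_count": len(records),
        # Financial total: sum of a monetary field.
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of a field with no accounting meaning (account
        # numbers here); it exists only to reveal altered or swapped records.
        "hash_total": sum(int(r["account_no"]) for r in records),
    }

def verify_batch(header, records):
    """Return the names of the controls that disagree with the batch header."""
    computed = batch_totals(records)
    return [name for name in CONTROLS if computed[name] != header[name]]

# Constructed sample batch and the header prepared by the submitting department.
SUBMITTED = [
    {"account_no": "10452", "amount": "250.00"},
    {"account_no": "20981", "amount": "1199.95"},
    {"account_no": "30417", "amount": "75.50"},
]
HEADER = {"record_count": 3, "financial_total": Decimal("1525.45"), "hash_total": 61850}

# Constructed keying error: two digits of one account number are transposed.
MISKEYED = [SUBMITTED[0], {"account_no": "20918", "amount": "1199.95"}, SUBMITTED[2]]
# Constructed loss: the last record never reached processing.
DROPPED = SUBMITTED[:2]

if __name__ == "__main__":
    for name, batch in (("as submitted", SUBMITTED), ("miskeyed", MISKEYED),
                        ("dropped", DROPPED)):
        print(name, verify_batch(HEADER, batch) or "all controls agree")
```

The miskeyed batch passes the record count and the financial total; only the hash total exposes it.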
Processing Controls
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
Output Controls
These controls focus on detecting errors after processing is completed rather than on preventing errors.
Learning Objective 4
• Describe how general controls affect the auditor’s testing of application controls.
Impact of Information Technology on the Audit Process
Effects of general controls on control risk
Effects of IT controls on control risk and substantive tests
Auditing in less complex IT environments
Auditing in more complex IT environments
A. Phases of the Information Systems Audit
1. Initial review and evaluation of the area to be audited, and the audit plan preparation
2. Detailed review and evaluation of controls
3. Compliance testing
4. Analysis and reporting of results
B. Structure of the Financial Statement Audit
[Figure: Transactions → Accounting System → Financial Reports. Interim Audit: Compliance Testing. Financial Statement Audit: Substantive Testing.]
B1. Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.
B2. Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would
include reconciling a bank account and confirming accounts receivable.
Audit Confirmation
To ABC Co. Customer:
Please confirm that the balance of your account
on Dec. 31 is _____ .
C. Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents
that have been input into the system and summarizes them manually to see if they match
the output of computer processing.
D. Auditing With The Computer
The utilization of the computer by an auditor to perform some audit work that would otherwise
have to be done manually.
E. Auditing Through the Computer
The process of reviewing and evaluating the internal controls in an electronic data
processing system.
Audit Software Techniques
Information technology gives auditors a new set of techniques for examining the automated business environment. Audit software provides auditors with the ability to extract information from several files, with different database management systems, in order to search for underlying patterns or relationships among data. Audit software consists of computer programs that help auditors carry out the various tasks of the auditing process.
Computer Assisted Audit Techniques (CAATs)
Consist of a package of programs; purpose-written programs, utility programs or system management programs.
• Generalized Audit Software (GAS)
• Test data
• Integrated Test Facilities (ITF)
• Parallel Simulation
• Snapshot
• Mapping
• Embedded audit module (EAM)
A. Review of Systems Documentation
The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings. In desk checking the auditor processes
test or real data through the program logic.
B. Test Data
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like.
The auditor then compares the computer-processed output with the manually processed
results.
[Figure: Illustration of Test Data Approach. Auditors prepare test transactions and manually processed results. Computer operations run the transaction test data through the computer application system to produce computer output. The auditor compares the computer output with the manually processed results.]
Test Data Approach
1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client’s records.
Test Data Approach
[Figure: Input test transactions to test key control procedures are processed by the application programs (assume batch system) against the master files and transaction files (contaminated?), producing contaminated master files and control test results. The auditor makes comparisons between the control test results and the auditor-predicted results of key control procedures, based on an understanding of internal control, and notes differences between actual outcome and predicted result.]
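The test data approach as a small harness: a deck of valid and invalid transactions, each with the auditor's predicted result, is run through the program under test and any difference is reported. This is an added example, not from the original slides; `client_accepts`, the customer list and the credit limit are hypothetical stand-ins for a client application, and the routine only validates, so no test data reaches any record.

```python
# Constructed master data for the hypothetical client application.
VALID_CUSTOMERS = {"C100", "C200"}
CREDIT_LIMIT = 5000

def client_accepts(txn):
    """Hypothetical client input-validation routine (the program under test)."""
    if txn["customer"] not in VALID_CUSTOMERS:
        return False
    if txn["qty"] * txn["unit_price"] > CREDIT_LIMIT:
        return False
    return True  # control gap: nothing rejects a non-positive quantity

# Auditor's test deck: (condition tested, transaction, predicted acceptance).
# Predictions are worked out manually before the deck is processed.
TEST_DECK = [
    ("valid sale",        {"customer": "C100", "qty": 10,  "unit_price": 20}, True),
    ("unknown customer",  {"customer": "C999", "qty": 1,   "unit_price": 20}, False),
    ("over credit limit", {"customer": "C200", "qty": 300, "unit_price": 20}, False),
    ("at credit limit",   {"customer": "C200", "qty": 250, "unit_price": 20}, True),
    ("negative quantity", {"customer": "C100", "qty": -5,  "unit_price": 20}, False),
]

def run_test_data(program, deck):
    """Return (condition, predicted, actual) for each transaction that differs."""
    differences = []
    for condition, txn, predicted in deck:
        actual = program(dict(txn))  # pass a copy so the deck stays unchanged
        if actual != predicted:
            differences.append((condition, predicted, actual))
    return differences

if __name__ == "__main__":
    for condition, predicted, actual in run_test_data(client_accepts, TEST_DECK):
        print(f"{condition}: predicted accept={predicted}, program returned {actual}")
```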
C. Integrated Test Facility (ITF) Approach
A common form of an ITF is as follows:
1. A dummy ITF center is created for the auditors.
2. Auditors create transactions for controls they want to test.
3. Working papers are created to show expected results from manually processed information.
4. Auditor transactions are run with actual transactions.
5. Auditors compare ITF results to working papers.
[Figure: Illustration of ITF Approach. Auditors prepare ITF transactions and manually processed results. Computer operations run the ITF transactions together with actual transactions through the computer application system, which updates the data files (including ITF data) and produces reports with only actual data and reports with only ITF data. The auditor compares the ITF reports with the manually processed results.]
Parallel Simulation
The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.
Parallel Simulation
[Figure: Production transactions and the master file are processed both by the client application system programs (client results) and by the auditor-prepared program (auditor results). The auditor makes comparisons between the client’s application system output and the auditor-prepared program output, producing an exception report noting differences.]
[Figure: Illustration of Parallel Simulation. Computer operations process actual transactions through the computer application system to produce the actual client report. Auditors process the same actual transactions through the auditor’s simulation program to produce the auditor simulation report. The auditor compares the two reports.]
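Parallel simulation in code: the auditor's own program recomputes each invoice from the same transactions and produces the exception report of differences from the client's output. This is an added example, not from the original slides; the invoice fields, the discount rule and the client report values are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed production transactions (the same data file the client processed).
TRANSACTIONS = [
    {"invoice": "INV-001", "qty": 3,  "unit_price": "19.99",  "discount_pct": "0"},
    {"invoice": "INV-002", "qty": 12, "unit_price": "4.25",   "discount_pct": "10"},
    {"invoice": "INV-003", "qty": 1,  "unit_price": "149.00", "discount_pct": "15"},
    {"invoice": "INV-004", "qty": 7,  "unit_price": "2.35",   "discount_pct": "5"},
    {"invoice": "INV-005", "qty": 2,  "unit_price": "10.00",  "discount_pct": "0"},
]

# Constructed client output: invoice totals as printed on the client's report.
CLIENT_REPORT = {
    "INV-001": "59.97",
    "INV-002": "45.90",
    "INV-003": "149.00",  # discount was not applied
    "INV-004": "15.63",
    # INV-005 is absent from the client's report
}

def auditor_total(txn):
    """Auditor-prepared program: net invoice total, rounded half-up to cents."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    net = gross * (Decimal("100") - Decimal(txn["discount_pct"])) / Decimal("100")
    return net.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def exception_report(transactions, client_report):
    """Return (invoice, client result, auditor result) wherever the two differ."""
    exceptions = []
    for txn in transactions:
        expected = auditor_total(txn)
        reported = client_report.get(txn["invoice"])
        client = Decimal(reported) if reported is not None else None
        if client != expected:
            exceptions.append((txn["invoice"], client, expected))
    return exceptions

if __name__ == "__main__":
    for invoice, client, expected in exception_report(TRANSACTIONS, CLIENT_REPORT):
        print(f"{invoice}: client={client} auditor={expected}")
```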
Embedded Audit Module Approach
Auditor inserts an audit module in the client’s application system to identify specific types of transactions.
Embedded Audit Modules. EAMs are subroutines embedded in the client’s information system that perform control and audit procedures at the same time as the normal application processing.
Example of EAMs (Debreceny et al., 2005):
JOIN INVENTORY to SUPPLIER, PURCHASES
SELECT supplierID, [(purchasePrice - standardPrice) * purchaseVolume]
FROM INVENTORY-SUPPLIER-PURCHASES
IF purchasePrice/standardPrice > 1.05 OR purchasePrice/standardPrice < 0.95
RUN E-mail trigger
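A runnable rendering of the pseudocode above, using an in-memory SQLite database. This is an added example, not code from the slides or from Debreceny et al.; the table and column names and the sample rows are constructed, and the `notify` callback is a stand-in for the e-mail trigger.

```python
import sqlite3

def build_sample_db():
    """Constructed sample tables standing in for the client's purchasing data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE inventory (item_id TEXT PRIMARY KEY, standard_price REAL);
        CREATE TABLE supplier  (supplier_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE purchases (po TEXT, item_id TEXT, supplier_id TEXT,
                                purchase_price REAL, purchase_volume INTEGER);
        INSERT INTO inventory VALUES ('A1', 10.00), ('B2', 4.00);
        INSERT INTO supplier  VALUES ('S1', 'Supplier One'), ('S2', 'Supplier Two');
        INSERT INTO purchases VALUES
            ('PO-1', 'A1', 'S1', 10.20, 100),  -- ratio 1.02: within tolerance
            ('PO-2', 'A1', 'S2', 11.00,  50),  -- ratio 1.10: above 1.05
            ('PO-3', 'B2', 'S1',  3.50, 200),  -- ratio 0.875: below 0.95
            ('PO-4', 'B2', 'S2',  4.00,  10);  -- ratio 1.00: within tolerance
    """)
    return db

# Join the three tables and keep purchases priced more than 5% away from standard.
EAM_QUERY = """
    SELECT p.po, s.supplier_id,
           ROUND((p.purchase_price - i.standard_price) * p.purchase_volume, 2)
    FROM purchases p
    JOIN inventory i ON i.item_id = p.item_id
    JOIN supplier  s ON s.supplier_id = p.supplier_id
    WHERE p.purchase_price / i.standard_price > 1.05
       OR p.purchase_price / i.standard_price < 0.95
    ORDER BY p.po
"""

def run_eam(db, notify):
    """Run the audit test; hand each exception row to notify (the trigger)."""
    rows = db.execute(EAM_QUERY).fetchall()
    for row in rows:
        notify(row)
    return rows

if __name__ == "__main__":
    run_eam(build_sample_db(),
            lambda r: print(f"ALERT {r[0]} supplier={r[1]} price variance={r[2]}"))
```

A production module would run inside the application as each purchase is processed; here the query runs once over stored rows to show the selection logic.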
End of Chapter 12