Information Technology (IT)
Audit
      Information System (IS)
A set of interrelated subsystems that work
together to collect, process, store, transform
and distribute information for planning,
decision-making and control.
        Components of an IS
• Inputs → Processes → Outputs
• Inputs – data from internal/external
  sources
• Processes – sort, organize, calculate
• Outputs – information for internal/external
  decision makers
      Accounting Information
          System (AIS)
The information subsystem within an
organization that accumulates financial
information from the entity’s various
subsystems and communicates it to the
organization’s information processing
system.
     Information that an AIS can
       provide the organization
•   Finance
•   Marketing
•   Human Resources
•   Production
     Think, Pair and Share
• Share a benefit and a challenge
  experienced from using information
  technology.
Changes in Auditing because of the
     developments in EDP
Use of computers for auditors:
• As a tool of the auditor in the performance
  of the audit
• As the target of the audit where data are
  submitted to the computer and the results
  are analyzed for processing reliability and
  accuracy of the computer program
                  IT Audit
• Provides audit services where processes or
  data, or both, are embedded in technologies.
• Subject to ethics, guidelines, and standards
  of the profession
• Performed with internal, external, and fraud
  audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs
• IT governance as part of corporate
  governance
           The IT Environment
• The IT environment complicates the
  paper systems of the past.
  – Concentration of data
  – Expanded access and linkages
  – Increase in malicious activities in systems vs.
    paper
  – Opportunity that can cause management fraud
    (i.e., override)
• There has always been a need for an
  effective internal control system.
• The design and oversight of that system
  has typically been the responsibility of
  accountants.
        PSA 401
AUDITING IN A COMPUTER
 INFORMATION SYSTEMS
     ENVIRONMENT
CIS environment may affect:
• The procedures followed by the auditor in
  obtaining a sufficient understanding of the
  accounting and internal control systems.
• The consideration of inherent risk and
  control risk through which the auditor arrives
  at the risk assessment.
• The auditor’s design and performance of
  tests of control and substantive procedures
  appropriate to meet the audit objectives.
CIS skills are needed to:
• Obtain a sufficient understanding of the
  accounting and internal control systems
  affected by the CIS environment.
• Determine the effect of the CIS
  environment on the assessment of overall
  risk and of risk at the account balances and
  class of transactions level.
• Design and perform appropriate tests of
  control and substantive procedures.
Knowledge required of the computer auditor:
• Systems concepts
• File structure and organization concepts
• Techniques for depicting the flow of data
  through a computer system
  Understanding of CIS Environment
• The significance and complexity of
  computer processing in each significant
  accounting application.
• The availability of data for use in the audit.
• The organizational structure of the client’s
  CIS activities and the extent of concentration
  or distribution of computer processing
  throughout the entity, particularly as they
  may affect segregation of duties.
 Considerations on the CIS environment and
 the assessment of inherent and control risk:
• Lack of transaction trails
• Uniform processing of transactions
• Lack of segregation of functions
• Potential for errors and irregularities
• Initiation or execution of transactions
• Dependence of other controls over
  computer processing
• Potential for increased management
  supervision
• Potential for the use of computer-assisted
  audit techniques
Internal Control System
     Exposures and Risk
• Exposure: absence or weakness of
  a control
• Risks: potential threat to
  compromise use or value of
  organizational assets
                Audit Risk
The probability that the auditor will render an
unqualified opinion on financial statements
that are, in fact, materially misstated.
       Audit Risk Components
• Inherent risk – is associated with the
  unique characteristics of the business or
  industry of the client.
• Control risk – is the likelihood that the
  control structure is flawed because
  controls are either absent or inadequate to
  prevent or detect misstatements in the
  accounts.
• Detection risk – is the risk that errors not
  detected or prevented by the control
  structure will also not be detected by the
  auditor.
       Internal Control System
• Comprises policies, practices, and
  procedures to achieve four broad objectives:
  – To safeguard assets of the firm
  – To ensure the accuracy and reliability of
    accounting records and information
  – To promote efficiency in the firm’s operations
  – To measure compliance with management’s
    prescribed policies and procedures.
         Modifying Principles
1. Management responsibility
2. Methods of data processing
   – Objectives same regardless of DP method
   – Specific controls vary with different
     technologies
3. Limitations
4. Reasonable assurance
Limitations:
  – Possibility of error
  – Possibility of circumvention
  – Management override
  – Changing conditions
            The PDC Model
Types of controls:
• Preventive controls – are passive
  techniques designed to reduce the
  frequency of occurrence of undesirable
  events.
• Detective controls – are devices,
  techniques, and procedures designed to
  identify and expose undesirable events that
  elude preventive controls.
• Corrective controls – are actions taken to
  reverse the effects of detected errors.