
Audit book by M. Asif, Chapter 20: IT Concepts and Controls

Auditing – Study Notes

Chapter 20 IT Concepts and Controls

CHAPTER TWENTY
IT CONCEPTS AND CONTROLS

LO #      LEARNING OBJECTIVE                                          REFERENCE

PART A – IT CONTROLS
LO 1      IT CONTROLS                                                 5.2.7, 5.2.11
LO 2      IT GENERAL CONTROLS                                         5.2.7, 5.2.11, 6.3.5
LO 3      IT APPLICATION CONTROLS                                     5.2.7, 5.2.11
LO 4      CONTROLS OVER DATA TRANSMISSION                             6.3.6

PART B – USE OF COMPUTERS IN AUDITING
LO 5      AUDITING AROUND COMPUTERS VS. AUDITING THROUGH COMPUTERS    8.1.5
LO 6      COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)                  7.1.2
LO 7      TEST DATA AND EMBEDDED AUDIT FACILITIES                     8.1.4
LO 8      AUDIT SOFTWARES                                             8.1.4

PART C – FLOWCHARTS
LO 9      TYPES OF FLOWCHARTS                                         6.2.3
LO 10     LEVELS OF FLOWCHARTS                                        6.2.2
LO 11     APPROACH TO DRAWING A SUCCESSFUL FLOWCHART                  6.2.4
LO 12     SYMBOLS USED IN FLOWCHARTS AND THEIR MEANINGS               6.2.4
APPENDIX  TIPS FOR DRAWING FLOWCHART IN EXAM                          N/A

PART D – OTHER CONCEPTS
LO 13     MICRO COMPUTER SYSTEM VS ONLINE SYSTEM
LO 14     OPEN SYSTEM INTERCONNECTION (OSI) MODEL AND COMMUNICATIONS PROTOCOL
          (references given for LO 13 and LO 14 together: 5.5.1, 6.3.4, 6.3.3)


PART A – IT CONTROLS
LO 1: IT CONTROLS:

Control Activities in an organization could be either Manual or IT/Automated/Programmed.
Manual Control:
A manual control is performed by people (e.g. Authorization, Review, Reconciliations).
IT/Automated/Programmed Control:
A programmed control is performed by computer software (e.g. validation checks).

IT Controls are further classified between two types i.e. IT General Controls (ITGC) and IT
Application controls.

LO 2: IT GENERAL CONTROLS:

IT General Controls (ITGC):
IT General Controls are those controls that operate at entity level and relate to all or many
applications. General Controls help effective functioning of application controls by ensuring
continued proper operation of IT system.
Examples of IT General Controls:
Following are main categories of IT General Controls:
1. Controls over System Acquisition (to ensure Computer based information system and
application are developed consistent with entity’s objectives.)
2. Controls over System Maintenance (to ensure system is appropriately updated and
changed)
3. Controls over Program Changes (To prevent/detect unauthorized program changes)
4. Controls over use of Programs and Data (To prevent use of incorrect program or data files)
5. Access Controls (To prevent unauthorized access/amendment to program and data files)
6. Controls over Data Center and computer Operations (To ensure continuity of operations.)

Examples of IT General Controls by category:

Category of Control: Controls over Data Center and Computer Operations
Objective of Control: To ensure continuity of operations.
Examples of Control:
a) Security measures for protection of equipment against fire, flood, power failure, theft or
other disasters.
b) Disaster Recovery Plan/Contingency Plan e.g.
   - Offsite storage of backup data.
   - Standby arrangements with third parties to provide “technical support” in the event of
   disaster.
   - Insurance coverage for IT infrastructure.

Category of Control: Access Controls (over Programs and Data)
Objective of Control: Prevention of unauthorized access/amendment to program and data files
(by employees or by hackers).
Examples of Control:
To avoid unauthorized physical access:
- Controlled single entry point with visitors’ logs.
- Door locks with log-in function (e.g. passwords, access cards, biometric).
- Identification badges.
- Alarm & CCTV system.
To avoid unauthorized logical access:
- Each user has a unique log-in ID and password (which is difficult to guess and is changed
periodically).
- There are access rights for every user which are periodically reviewed (to ensure segregation
of duties).
- Inactive accounts are disabled after a pre-defined period of non-usage (e.g. of terminated
employees).
- Audit trail and system logs are available for all important activities.
- Use of firewalls to prevent unauthorized access via internet.

Category of Control: Controls over System Acquisition
Objective of Control: Computer based information system and application are developed
consistent with entity’s objectives.
Examples of Control:
- Use of System Development Life Cycle for design, development, programming of new
computer system.
- Full documentation of new systems.
- Testing of systems before implementation.
- Training of staff before “live” operation of new system.
- New system should be formally approved by system-user.

Category of Control: Controls over System Maintenance
Objective of Control: Documentation and testing of (authorized) program changes.
Examples of Control:
- Same controls as above in system acquisition.

Category of Control: Controls over Program Changes
Objective of Control: To prevent/detect unauthorized program changes.
Examples of Control:
- Changes to program should be approved by appropriate level of management.
- There should be segregation of duties between tasks of programmer (who writes the program)
and operator (who uses the program).
- There should be full documentation of all program changes and their testing exercises.

Category of Control: Controls over Use of Programs and Data
Objective of Control: To prevent use of incorrect program or data files.
Examples of Control:
- Training of computer operators with “Standard Operating Procedures” and “Job Scheduling”
to specify which version of the program should be used.
- Supervisors should monitor activities of staff.
- Management should carry out periodic reviews to ensure that correct versions of programs
and correct data files are being used.

Audit Trail:
Audit Trail is the ability of users to trace a transaction through all of its processing stages. Audit
trail can be provided by system-logs.

System Log:
A log file is a file that records events taking place in the execution of a system. Logs provide
essential information that can assist in analyzing and improving system’s performance.
Examples of system logs include:
- When employees entered and left the building
- Which users logged-in, when and from where
- Failed log-in attempts
- Who accessed and amended data files
- Changes made to a program – what, when and by whom
- Attempted cyber intrusions
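Two of the logical access controls above (disabling inactive accounts, and keeping an audit trail and system logs) are the kind of thing an auditor tests by actually reading the logs. The following is an added example, not code from the notes: it parses a small constructed log (the line format, user names and dates are all assumptions made for the example), summarises failed log-in attempts per user, reconstructs one user's audit trail, and lists accounts that have been idle longer than an assumed 90-day limit.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample system log (not taken from the notes). One event per line:
# timestamp, event name, then key=value attributes. The last line is deliberately
# malformed to show that unparseable lines are skipped rather than guessed at.
SAMPLE_LOG = """\
2024-03-01 08:02:11 LOGIN_OK user=asif src=10.0.0.5
2024-03-01 08:03:40 LOGIN_FAIL user=bilal src=10.0.0.9
2024-03-01 08:03:52 LOGIN_FAIL user=bilal src=10.0.0.9
2024-03-01 08:04:07 LOGIN_FAIL user=bilal src=10.0.0.9
2024-03-01 08:04:20 LOGIN_FAIL user=bilal src=203.0.113.7
2024-03-01 08:05:00 LOGIN_OK user=bilal src=203.0.113.7
2024-03-01 09:15:30 FILE_AMEND user=asif file=payroll_master.dat
2024-03-01 09:20:00 PROGRAM_CHANGE user=sara program=SALES_POST
this line is not a log record
"""

# Constructed account master: user -> date of last successful log-in (ISO format).
ACCOUNTS = {"asif": "2024-03-01", "bilal": "2024-03-01",
            "sara": "2024-03-01", "tariq": "2023-10-15"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>[A-Z_]+)(?P<attrs>(?: \w+=\S+)*)$"
)


def parse_log(text: str) -> list:
    """Turn log text into a list of dicts; lines that do not match the format are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        records.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                        "event": m.group("event"), **attrs})
    return records


def failed_login_summary(records: list, threshold: int = 3) -> dict:
    """{user: failed-log-in count} for users at or above the threshold (assumed: 3)."""
    counts = {}
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


def audit_trail(records: list, user: str) -> list:
    """Every recorded action of one user in time order: (timestamp, event, details)."""
    return [(r["ts"], r["event"],
             {k: v for k, v in r.items() if k not in ("ts", "event", "user")})
            for r in sorted(records, key=lambda r: r["ts"]) if r.get("user") == user]


def accounts_to_disable(accounts: dict, as_of_iso: str, max_idle_days: int = 90) -> list:
    """Accounts whose last log-in is older than the idle limit (90 days is an assumption)."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, last in accounts.items() if date.fromisoformat(last) < cutoff)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed log-ins:", failed_login_summary(recs))
    print("trail for asif:", audit_trail(recs, "asif"))
    print("disable:", accounts_to_disable(ACCOUNTS, "2024-03-01"))
```

Run as a script it prints the four failed attempts against bilal (three from one address, then a fourth and a success from a different one, which is exactly the pattern a reviewer would want the log to make visible), asif's trail of a log-in followed by an amendment to the payroll master file, and tariq as the account to disable.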
LO 3: IT APPLICATION CONTROLS:

IT Application controls:
IT Application Controls typically operate at a business process level and apply to the processing of
transactions in individual applications (e.g. sales or purchases or expenses). Application controls
help to ensure that transactions are properly authorized, accurately processed and timely
distributed.
Examples of IT Application controls:
Following are main categories of IT Application Controls:
1. Controls over Input
2. Controls over Processing
3. Controls over Output
4. Controls over Master File/Standing Data
Examples of IT Application Controls by category:

Category of Control: Controls over Input
Objective of Control: To ensure that data to be used as input in the information system is
Authorized, Complete and Accurate.
Examples of Control:
1. Use of Log-in ID and password for operator.
2. Authorization of source documents (used for input).
3. Source Data Automation (e.g. use of bar codes).
4. Data Validation Controls.
   Following are different types of Data Validation Controls which are usually used:
   a) Limit Test/Check (a check to ensure that a numerical value does not exceed some
   predetermined value)
   b) Range/Reasonableness Test (a check to ensure that a numerical value does not fall outside
   the predetermined range of values, e.g. wages of employees fall within 10,000 to 25,000)
   c) Sequence Test (a check to ensure that all entries in a batch of input data are in proper
   numerical sequence, e.g. there is no missing purchase invoice)
   d) Existence Test (a check to ensure that a code/number exists by looking up the code in the
   valid record, e.g. whether a supplier exists)
   e) Format/Field Test (a check to ensure that the format of data in a field is either alphabetic
   or numeric or alphanumeric, e.g. that there are no alphabets in a sales invoice number field)
   f) Check-digit (a check-digit is a digit that is calculated in a mathematical way from the
   original code and then added to the end of the code as an extra digit, e.g. to detect
   transposition errors)
- Control Totals: A control total is the sum of all input transactions. It may be the sum of the
number of transactions or the value of transactions on a batch/file. A manually calculated
number/value of records is compared with the number/value of records processed by the
computer to ensure that they agree.

Category of Control: Controls over Processing
Objective of Control: To ensure there is no duplication or loss of data during processing.
Examples of Control:
- Limit Test
- Range Test
- On-Screen Prompts: On-screen prompts are used to ensure that a transaction is not left partly
processed. A prompt displays on screen and guides users what to do next.
- Marking a file as read only.
- Checkpoint and recovery procedures.

Category of Control: Controls over Output
Objective of Control: To ensure that computer output is not distributed or displayed to
unauthorized users.
Examples of Control:
- Restriction on printing of confidential reports.
- Distribution of reports restricted to relevant/authorized personnel only.
- A distribution log should be kept (i.e. when a report was prepared, list of its intended
recipients and acknowledgement of recipients).

Category of Control: Controls over Master File/Standing Data
Objective of Control: To ensure that data held on master files and standing files is correct.
Examples of Control:
- Audit trail.
- Exception reports showing data that does not conform to specified criteria.
- Record counts in master file.
- Regular update of master files.
- Review of master file by management.
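The input controls above (validation checks a) to f) and control totals) are easiest to understand when applied to a real batch. The following is an added example, not code from the notes: it runs every one of the listed checks over a small constructed batch of purchase invoices, with each record built to trip a different check. The supplier master file, the 6-digit invoice format, the 500,000 limit, the 1 to 1,000 quantity range and the choice of a weighted modulus-11 check digit are all assumptions made for the example, since the notes do not fix any of them.

```python
import re

# Constructed supplier master file (codes without their check digit) and
# validation parameters; all of these are assumptions for the example.
SUPPLIER_MASTER = {"10045", "10046", "20013"}
AMOUNT_LIMIT = 500_000            # limit test: no single invoice above this
QTY_RANGE = (1, 1_000)            # range/reasonableness test


def check_digit_mod11(code: str) -> str:
    """Weighted modulus-11 check digit (weights 2, 3, ... from the right), the ISBN-10
    scheme; it detects any single wrong digit and any adjacent transposition.
    The notes name no particular scheme, so this choice is an assumption."""
    total = sum(int(d) * w for d, w in zip(reversed(code), range(2, 2 + len(code))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(code: str) -> str:
    return code + check_digit_mod11(code)


def valid_check_digit(full_code: str) -> bool:
    return len(full_code) >= 2 and check_digit_mod11(full_code[:-1]) == full_code[-1]


def validate_record(rec: dict) -> list:
    """Field-level checks a) to f) from the notes; returns the list of failures."""
    errors = []
    if not re.fullmatch(r"\d{6}", rec["invoice_no"]):            # e) format/field test
        errors.append("format: invoice number must be 6 digits")
    if not valid_check_digit(rec["supplier"]):                   # f) check digit
        errors.append("check-digit: supplier code fails check digit")
    elif rec["supplier"][:-1] not in SUPPLIER_MASTER:            # d) existence test
        errors.append("existence: supplier not on master file")
    if rec["amount"] > AMOUNT_LIMIT:                             # a) limit test
        errors.append("limit: amount exceeds %d" % AMOUNT_LIMIT)
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:           # b) range test
        errors.append("range: quantity outside %d-%d" % QTY_RANGE)
    return errors


def validate_batch(records: list, manual_count: int, manual_value: int) -> dict:
    """Batch-level checks: c) sequence test over the invoice numbers, and control
    totals (record count and value) agreed to the manually prepared figures."""
    report = {"record_errors": {}, "sequence_errors": []}
    for rec in records:
        errors = validate_record(rec)
        if errors:
            report["record_errors"][rec["invoice_no"]] = errors
    numbers = [int(r["invoice_no"]) for r in records if r["invoice_no"].isdigit()]
    for prev, nxt in zip(numbers, numbers[1:]):
        if nxt != prev + 1:
            report["sequence_errors"].append("gap between %d and %d" % (prev, nxt))
    count, value = len(records), sum(r["amount"] for r in records)
    report["control_totals"] = {"count": count, "value": value}
    report["control_totals_ok"] = (count == manual_count and value == manual_value)
    return report


# Constructed input batch; each record is built to exercise one check.
BATCH = [
    {"invoice_no": "000101", "supplier": with_check_digit("10045"), "amount": 12_500, "qty": 50},
    {"invoice_no": "000102", "supplier": with_check_digit("10046"), "amount": 640_000, "qty": 20},
    {"invoice_no": "000104", "supplier": "104055", "amount": 8_000, "qty": 5},     # 100455 with two digits transposed
    {"invoice_no": "000105", "supplier": "30008X", "amount": 9_900, "qty": 1_500},  # check digit fine, supplier unknown
    {"invoice_no": "00010A", "supplier": with_check_digit("20013"), "amount": 1_000, "qty": 10},
]

if __name__ == "__main__":
    # Manually prepared batch header figures: 5 records, value 671,400.
    for key, val in validate_batch(BATCH, 5, 671_400).items():
        print(key, val)
```

Two points worth noticing in the output: the transposed supplier code is caught by the check digit alone, before any master-file lookup is needed, and the missing invoice 000103 shows up only at batch level, which is why the sequence test and the control totals are run over the whole batch rather than per record.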

LO 4: CONTROLS OVER DATA TRANSMISSION:

Controls over data transmission ensure that data is transmitted accurately, completely and with
confidentiality.
Controls over data transmission include:
- Data encryption.
- Using secured Wi-Fi with password protection.
- Firewalls to prevent intrusion into the programs that send and receive data.
- Restricting access to source data that is transmitted.
- Using checksums and check digits to ensure that data received is accurate and complete.
- Programmed controls that ensure data is transmitted in the correct format.

Data Encryption:
Encryption is the process of transforming information to make it unreadable to anyone except
those possessing special knowledge (called a key).

There are two methods of encryption:
1. Symmetric (in which the same key is used to encrypt and decrypt data).
2. Asymmetric (in which different keys are used to encrypt and decrypt data; this is
sometimes known as public-private key encryption).
There are two types of symmetric encryption i.e.
- Block ciphers (in which a fixed-length block is encrypted at a time).
- Stream ciphers (in which the data is encrypted one 'data unit', typically 1 byte, at a time in
the same order it was received in).
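The checksum control above is worth seeing in code next to the caveat that goes with it. The following is an added example, not code from the notes: the sender appends a CRC-32 checksum and, separately, a keyed HMAC to a constructed invoice record; the receiver checks both. A single flipped bit in transit is caught by both, but a change to the record by someone who can recompute the checksum and does not hold the key is caught only by the HMAC. The shared key, the record and the frame layout (payload, then 4 checksum bytes, then 32 tag bytes) are assumptions made for the example; encryption itself is not shown.

```python
import hashlib
import hmac
import json
import zlib

# Assumed symmetric key shared by sender and receiver, constructed for this example.
# A real system provisions it out of band and never keeps it in source code.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

CRC_LEN, MAC_LEN = 4, 32   # trailer sizes: CRC-32, then HMAC-SHA256


def frame_message(payload: bytes, key: bytes) -> bytes:
    """Sender side: append a CRC-32 (catches accidental corruption) and an
    HMAC-SHA256 over the payload (catches alteration by anyone without the key)."""
    crc = zlib.crc32(payload).to_bytes(CRC_LEN, "big")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + crc + tag


def unframe_message(frame: bytes, key: bytes):
    """Receiver side: split the frame and report (payload, crc_ok, mac_ok).
    A frame too short to carry both trailers is rejected outright."""
    if len(frame) < CRC_LEN + MAC_LEN:
        return None, False, False
    payload = frame[:-(CRC_LEN + MAC_LEN)]
    crc = frame[-(CRC_LEN + MAC_LEN):-MAC_LEN]
    tag = frame[-MAC_LEN:]
    crc_ok = zlib.crc32(payload).to_bytes(CRC_LEN, "big") == crc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(expected, tag)   # constant-time comparison
    return payload, crc_ok, mac_ok


def line_noise(frame: bytes, index: int = 5) -> bytes:
    """Simulates an accidental transmission error: one bit flipped in the payload."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def altered_with_fresh_crc(frame: bytes) -> bytes:
    """Simulates a changed amount by a party who recomputes the CRC but holds no
    key: the CRC still matches, the carried-over HMAC no longer does."""
    payload = frame[:-(CRC_LEN + MAC_LEN)]
    changed = payload.replace(b"12500", b"92500")
    crc = zlib.crc32(changed).to_bytes(CRC_LEN, "big")
    return changed + crc + frame[-MAC_LEN:]


# Constructed record being transmitted, e.g. one posted invoice.
RECORD = json.dumps({"invoice": "000101", "amount": 12500}).encode()


def demo() -> dict:
    """(crc_ok, mac_ok) for a clean frame, a frame hit by line noise, and an altered one."""
    frame = frame_message(RECORD, SHARED_KEY)
    clean = unframe_message(frame, SHARED_KEY)
    noisy = unframe_message(line_noise(frame), SHARED_KEY)
    altered = unframe_message(altered_with_fresh_crc(frame), SHARED_KEY)
    return {"clean": clean[1:], "line_noise": noisy[1:], "altered": altered[1:]}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "crc_ok=%s mac_ok=%s" % result)
```

The design point is the division of labour: the checksum answers "did the data arrive accurately and completely", which is what the notes list it for, while the keyed tag answers "is this the data the sender actually sent", which a checksum cannot answer because anyone can recompute it.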

PART B – USE OF COMPUTERS IN AUDITING
LO 5: AUDITING AROUND COMPUTERS VS. AUDITING THROUGH COMPUTERS :

Auditing Around Computers:
“Auditing Around Computers” means that client’s ‘internal’ software is not audited. Auditor agrees
inputs of the system with output and compares actual output with expected output.

This method of auditing increases audit risk because:
- The actual files and programs of the computer system are not tested; the auditor has no direct
evidence that the programs are working as documented.
- Where errors are found in reconciling inputs to outputs, it may be difficult or even
impossible to determine how those errors occurred.

Auditing Through Computers:
“Auditing Through Computers” means that the auditor uses various techniques (e.g. CAATs) to
evaluate the client’s computerized information system to determine the reliability of its operations
(along with its output).

LO 6: COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs):

Computer Assisted Audit Techniques (CAATs):
CAATs are the use of computer techniques by auditor to perform procedures and obtain audit
evidence.
There are two types of CAATs commonly used:
1. Test Data (used as Tests of Control)
2. Audit Softwares (used as Substantive Procedures)

Uses of CAATs by Auditor:
CAATs are usually performed by auditor where adequate audit trail is not available, or auditor
wants to check the accuracy and completeness of processing e.g.
1. In performing tests of controls e.g. to ensure completeness of sales/purchase invoices.
2. To ensure accuracy and completeness of schedules provided by client (e.g. wages,
depreciation)
3. In Analytical Procedures (e.g. in variance analysis, turnover ratios)
4. In Sampling (e.g. stratification, sample selection)
5. In detection of unusual items.
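Uses 2 to 5 above (checking schedules, analytical procedures, stratification and sampling, and detecting unusual items) are what an interrogation program does over an extracted file. The following is an added example, not code from the notes or any audit software product: it works over a small constructed receivables extract, stratifies it into value bands, selects a reproducible random sample, extracts the items above a materiality threshold, and flags duplicate invoice numbers, negative balances and large round amounts. The extract, the band edges, the threshold and the seed are all assumptions made for the example.

```python
import random
from bisect import bisect_right

# Constructed receivables extract (invoice number, customer, amount). Not client data.
INVOICES = [
    ("INV-001", "C001", 1200.0),
    ("INV-002", "C002", 45000.0),
    ("INV-003", "C003", 300.0),
    ("INV-004", "C004", 150000.0),
    ("INV-005", "C005", 8000.0),
    ("INV-006", "C006", -250.0),
    ("INV-002", "C007", 45000.0),   # duplicate invoice number, deliberately
    ("INV-008", "C008", 22000.0),
    ("INV-009", "C009", 100000.0),
    ("INV-010", "C010", 4999.0),
]

# Assumed value bands for stratification; labels line up with the gaps between edges.
STRATA_EDGES = [0, 1_000, 10_000, 50_000]
STRATA_LABELS = ["<0", "0-999", "1,000-9,999", "10,000-49,999", ">=50,000"]


def stratum_of(amount: float) -> str:
    return STRATA_LABELS[bisect_right(STRATA_EDGES, amount)]


def stratify(invoices: list) -> dict:
    """Count of items in each value band (stratification before sampling)."""
    counts = {label: 0 for label in STRATA_LABELS}
    for _, _, amount in invoices:
        counts[stratum_of(amount)] += 1
    return counts


def select_sample(invoices: list, size: int, seed: int = 2024) -> list:
    """Random sample selection; the fixed seed makes the selection reproducible
    so the working papers can show exactly which items were chosen."""
    rng = random.Random(seed)
    return sorted(rng.sample(invoices, size))


def extract_over(invoices: list, threshold: float) -> list:
    """Data extraction: invoice numbers at or above an assumed materiality threshold."""
    return [inv for inv, _, amt in invoices if amt >= threshold]


def unusual_items(invoices: list) -> dict:
    """Detection of unusual items: duplicate numbers, negative amounts, large round amounts."""
    seen, duplicates = set(), []
    for inv_no, _, _ in invoices:
        if inv_no in seen and inv_no not in duplicates:
            duplicates.append(inv_no)
        seen.add(inv_no)
    negatives = [inv for inv, _, amt in invoices if amt < 0]
    round_large = [inv for inv, _, amt in invoices if amt >= 50_000 and amt % 10_000 == 0]
    return {"duplicate_invoice_numbers": duplicates,
            "negative_amounts": negatives,
            "round_large_amounts": round_large}


if __name__ == "__main__":
    print("strata:", stratify(INVOICES))
    print("sample:", select_sample(INVOICES, 3))
    print("over 50,000:", extract_over(INVOICES, 50_000))
    print("unusual:", unusual_items(INVOICES))
```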
Advantages of CAAT:
1. Enables auditor to test program controls (i.e. “auditing through computers”) and not just
copies or printouts.
2. Enable auditors to test a large volume of data accurately and completely.
3. Reduce level of human errors in performing audit procedures.
4. Reduces efforts on routine work and gives opportunity to concentrate on judgmental areas.
Disadvantages of CAAT:
1. Expensive to set up (High investment needed for infrastructure and training of staff )
2. Require co-operation of the client.

3. Major changes in client systems often require major changes in CAATs, which is expensive.
4. Client’s system may not be compatible with audit softwares.
5. Checking client’s original files ‘live’ may increase the risk of files being corrupted.

LO 7: TEST DATA AND EMBEDDED AUDIT FACILITIES :

Test Data:
Definition:
Test data is a set of dummy transactions developed by the auditor and processed by the client’s IT
system; the actual results are compared with the expected results to determine whether controls
are operating effectively.
Problem with Test Data:
A problem with test data is that it provides evidence about operation of controls only at the time
when the test data is processed. (Its solution is the use of Embedded Audit Facilities.)

Embedded Audit Facilities (or “integrated audit facility” or “resident audit software”):
These are the auditor’s computer programs that are built into the client’s IT system to allow the
auditor to carry out tests at the time transactions are processed, in ‘real time’. In this approach, a
dummy department is built into the client’s accounting system (usually during its original design)
that operates every time the ‘live’ process is run. Information about processing and controls of the
client’s system is stored in a file called SCARF (System Control And Review File). Only the auditor
has access to such dummy department and its data.
These facilities are used when:
1. Database is continually processed and updated in real time by client.
2. Satisfactory Audit Trail is not available after the processing of transactions.
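The SCARF mechanism described above is easier to see as a hook inside the live posting routine. The following is an added example, not code from the notes: a client-side posting routine calls an auditor-owned audit module for every transaction, and the module copies the transactions that meet the auditor's criteria, together with the control results observed at that moment, into a SCARF (a list here; in practice a file only the auditor can read). The criteria (amount over 50,000, postings to a SUSPENSE account, rejected postings by unauthorized users), the authorized user list and the transactions are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed assumptions: who may post, and the auditor's SCARF selection criteria.
AUTHORIZED_POSTERS = {"asif", "sara"}
SCARF_CRITERIA = {"amount_over": 50_000, "watch_accounts": {"SUSPENSE"}}


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float
    user: str


@dataclass
class EmbeddedAuditModule:
    """Auditor-owned hook called by the live posting routine for every transaction.
    Transactions meeting the criteria are recorded in the SCARF with the control
    results that applied to them at the time of processing."""
    criteria: dict
    scarf: list = field(default_factory=list)

    def inspect(self, txn: Transaction, controls: dict) -> None:
        reasons = []
        if txn.amount > self.criteria["amount_over"]:
            reasons.append("amount over threshold")
        if txn.account in self.criteria["watch_accounts"]:
            reasons.append("posting to watch account")
        if not controls["authorized_user"]:
            reasons.append("rejected: unauthorized user")
        if reasons:
            self.scarf.append({"txn_id": txn.txn_id, "user": txn.user,
                               "amount": txn.amount, "controls": dict(controls),
                               "reasons": reasons})


def post_transactions(txns: list, ledger: dict, audit: EmbeddedAuditModule) -> dict:
    """Client's live posting routine with the audit hook embedded in it."""
    for txn in txns:
        controls = {"authorized_user": txn.user in AUTHORIZED_POSTERS}
        audit.inspect(txn, controls)          # runs every time the live process runs
        if controls["authorized_user"]:
            ledger[txn.account] = ledger.get(txn.account, 0.0) + txn.amount
    return ledger


# Constructed sample transactions for one posting run.
SAMPLE_TXNS = [
    Transaction("T1", "SALES", 1_000.0, "asif"),
    Transaction("T2", "SALES", 75_000.0, "asif"),
    Transaction("T3", "SUSPENSE", 500.0, "sara"),
    Transaction("T4", "SALES", 200.0, "guest"),
]


def run_demo():
    """Returns (ledger after posting, SCARF contents)."""
    audit = EmbeddedAuditModule(SCARF_CRITERIA)
    ledger = post_transactions(SAMPLE_TXNS, {}, audit)
    return ledger, audit.scarf


if __name__ == "__main__":
    ledger, scarf = run_demo()
    print("ledger:", ledger)
    for entry in scarf:
        print("SCARF:", entry)
```

Note that the rejected posting T4 never reaches the ledger yet still appears in the SCARF: that is the point of the facility when no satisfactory audit trail survives the processing, since the evidence is captured at the moment the control operated rather than reconstructed afterwards.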

LO 8: AUDIT SOFTWARES:

Audit Softwares are computer programs used by the auditor to interrogate a client’s computer files.
The principal objective is substantive testing.

Following are main types of Audit Softwares:

Interrogation programs:
These are used to access the client’s files and records and to extract data for auditing. These could
be:
- Package programs (generalised audit software), i.e. pre-prepared programs.
- Purpose-written programs, which perform specific functions of the auditor’s choosing.
Interactive software:
These are used in interrogation of on-line IT systems.

Embedded Audit Facilities (or “integrated audit facility” or “resident audit software”):
(defined above)

PART C – FLOWCHARTS
LO 9: TYPES OF FLOWCHARTS:

Linear Flowchart:
- A Linear Flowchart is a diagram that displays the sequence of activities that make up a
process.
- This tool can help identify rework and redundant or unnecessary steps within a process.
Opportunity Flowchart:
- An Opportunity Flowchart (a variation of the basic linear type) differentiates process
activities that add value from those that add cost only.
- Value-added steps are essential for producing the required product or service. Cost-added-only
steps are not essential for producing the required product or service; they are added to a
process to avoid something going wrong, e.g. an end-of-process review.

Deployment Flowchart:
- A Deployment Flowchart shows the actual process flow and identifies the people or groups
involved at each step.
- This type of chart shows where the people or groups fit into the process sequence, and how
they relate to one another throughout the process.

LO 10: LEVELS OF FLOWCHARTS:

Macro level:
- This is a “big picture” flowchart for top level management.
- Generally, a macro-level flowchart has six or fewer steps.

Micro/Ground level:
- This provides a detailed presentation of a specific portion of the process by documenting every
action and decision.
Mini/Midi level:
- This is a flowchart between Macro and Micro.
- It focuses only on part of the Macro level flowchart.

LO 11: APPROACH TO DRAWING A SUCCESSFUL FLOWCHART :

1. Observe the process to be documented (especially where to start and where to end).
2. Record steps in the process (in narrative form e.g. step 1, step 2 etc.).
3. Arrange the sequence of steps (sequence may be different for different people but it should
be logical).
4. Draw the flowchart using standardized symbols.
5. Check accuracy and completeness of the flowchart using “test data”.


LO 12: SYMBOLS USED IN FLOWCHARTS AND THEIR MEANINGS:

Shape               Function/When to use

Oval                This shows the Start Point and End Point of the flowchart.

Rectangular Box     This shows an individual activity/process/instruction in the process,
                    i.e. what to do.

Diamond             This shows a decision point. The decision is in Yes/No form (like the ‘if’
                    command in Excel).

Arrow / Flowline    This shows the direction of the flow.

Circle              A connector symbol used to show the connection between two parts of a
                    flowchart without drawing a connection line. A letter/number inside the
                    circle clarifies the continuation.

Pentagon            A connector symbol like the circle, used to show the connection between
                    two parts of a flowchart without drawing a connection line. However, it
                    connects steps on different pages. A letter/number inside the symbol
                    clarifies the continuation.

APPENDIX: TIPS FOR DRAWING FLOWCHART IN EXAM:
1. Start from the left section of the page (not from the middle).
2. Use only four symbols i.e. Oval, Box, Diamond, Flow-line (as described below).
3. Every symbol (except arrow) is to be filled with some words.
4. The flow of sequence is generally from the top of the page to the bottom of the page. This
can vary with loops which need to flow back to an entry point.
5. A flow chart should be presented and completed on one page. It should not have more than
15 symbols (including START and STOP).

Shape: Oval
Tips:
1. Every flowchart will have 2 Oval shapes; one at start and the other at end.
2. At start only one arrow comes out.
3. At end, only one arrow comes in (however other arrows may merge with the last arrow).

Shape: Rectangular Box
Tips:
1. It is always in ‘verb’ form (as it shows an activity).
2. Only one arrow should come in to a Box.
3. Only one arrow comes out from a Box, which leads to the next activity or a decision
(except when End).

Shape: Diamond
Tips:
1. Two arrows come out from a Diamond, one for Yes and one for No. (Yes arrow should go
down; No arrow should go right.)
2. These arrows can lead to a Box or another Diamond.
3. You can use symbols like “>”, “=”, “<” in a Diamond.

Shape: Arrow / Flow-line
Tips:
1. Usual direction is “Top to Down” or “Left to Right”. However, sometimes it may also be
from down to up.
2. Only one arrow enters/comes out of a shape (except a Diamond, from which 2 arrows will
come out).
3. Give the arrow a head at each turn.
4. An arrow may join another arrow.
5. An arrow may cross over another arrow (if not to be joined).



PART D – OTHER CONCEPTS
LO 13: MICRO COMPUTER SYSTEM VS ONLINE SYSTEM:
Micro-computer system:
Benefits of micro-computer system:
- More efficient and cost effective.
- System can be operated by user’s operating staff.

Audit risks in micro-computer system:
- Difficult to ensure physical security of the IT equipment, data and storage media.
- Unauthorized amendments to programs, data and files can be made.
- There may be several processing problems.

Online System:
Benefits of online system:
- Immediate entry of transactions into the system.
- Immediate updating of master file.
- Immediate response to inquiries.

Controls in online system:
Application Controls:
- Access controls (to prevent unauthorized access)
- Programming controls (to prevent unauthorized changes to programs)
- Audit trail and system logs
- Firewall
General Controls:
- Authorization before processing of transactions.
- Data validation checks.
- Balancing/checking of control totals before and after processing.

LO 14: OPEN SYSTEM INTERCONNECTION (OSI) MODEL AND COMMUNICATIONS PROTOCOL:

Open system interconnection (OSI) model:
OSI (Open Systems Interconnection) is reference model for how applications can communicate over
a network.

There are 7 layers of OSI which are as follows:
1. Physical layer – defines physical specifications for devices, e.g. copper vs. fibre optic cable.
2. Data link layer – sets up links across the physical network.
3. Network layer – handles the addressing and routing of data from a source on one network
to a destination on another network.
4. Transport layer – provides transparent transfer of data between users.
5. Session layer – sets up, coordinates and terminates conversations.
6. Presentation layer – part of an operating system; converts incoming and outgoing data from
one presentation format to another (e.g. encryption and decryption).
7. Application layer – the layer at which communication partners are identified.