
Chapter 8

Consideration of Internal Control in an Information Technology Environment

McGraw-Hill/Irwin
Copyright 2010 by The McGraw-Hill Companies, Inc. All rights reserved.

Nature of IT-Based Systems

- Many systems have moved away from centralized systems built around one mainframe computer running user-developed software, toward a combination of smaller computers running commercially available software
- Less expensive software: electronic checkbooks (e.g., Quicken)
- Moderate systems: basic general ledger systems (e.g., QuickBooks)
- Expensive systems: ERP systems (e.g., SAP)
8-2

Nature of IT Systems

- Usually consists of:
  - Hardware: the digital computer and peripheral equipment
  - Software: the various programs and routines for operating the system
8-3

Computer Hardware

- Input/output devices: card readers, terminals, electronic cash registers, optical scanners, magnetic tape drives, magnetic disk drives, optical compact disks
- Central processing unit: arithmetic unit, control unit, primary storage, registers
- Auxiliary storage: magnetic disks, magnetic drums, magnetic tapes, optical compact disks
8-4

Software

- Two types:
  - Systems software: programs that control and coordinate hardware components and provide support to application software; e.g., the operating system (examples: Unix, Windows)
  - Application software: programs designed to perform a specific data processing task, written in a programming language (example: Java)
8-5

System Characteristics

- Regardless of size, a system possesses one or more of the following elements:
  - Batch processing
  - Online capabilities
  - Database storage
  - IT networks
  - End user computing
8-6

Batch Processing

- Input data are gathered and processed periodically in groups
- Example: accumulate all of a day's sales transactions and process them as a batch at the end of the day
- Often more efficient than other types of systems, but does not provide up-to-the-minute information
8-7

Online Capabilities

- Online systems allow users direct access to data stored in the system
- Two types (a company may use both):
  - Online transaction processing (OLTP): individual transactions entered from remote locations; online real-time processing (example: bank balance at an ATM)
  - Online analytical processing (OLAP): enables the user to query the system for analysis (examples: data warehouses, decision support systems, expert systems)
8-8

Database Storage

- In traditional IT systems, each computer application maintains its own separate master files
  - Redundant information is stored in several files
- A database system allows users to access the same integrated database file
  - Eliminates data redundancy
  - Creates the need for a database administrator responsible for securing the database against improper access
8-9

IT Networks

- Networks: computers linked together through telecommunication links that enable the computers to communicate information back and forth
  - WAN, LAN
  - Internet, intranet, extranet
- Electronic commerce: involves the electronic processing and transmission of data between customer and company
  - Electronic Data Interchange (EDI)
8-10

End User Computing

- User departments are responsible for the development and execution of certain IT applications
- Involves a decentralized processing system
- The IT department is generally not involved
- Controls are needed to prevent unauthorized access
8-11

Internal Control in IT

- The importance of internal control is not diminished in a computerized environment
  - Separation of duties
  - Clearly defined responsibilities
  - Augmented by controls written into the computer programs

8-12

Audit Trail Impact

- In a traditional manual system, hard-copy documentation is available for the accounting cycle
- In a computerized environment, the audit trail ordinarily still exists, but often not in printed form
  - Can affect audit procedures
- Consulting the auditors during the design stage of an IT-based system helps ensure its ultimate auditability
8-13


Responsibilities (1 of 2)

- Information systems management: supervises the operation of the department and reports to the vice president of finance
- Systems analysis: responsible for designing the system
- Application programming: designs flowcharts and writes programming code
- Database administration: responsible for planning and administering the company database
- Data entry: prepares and verifies input data for processing
8-15

Responsibilities (2 of 2)

- IT operations: runs and monitors the central computers
- Program and file library: protects computer programs, master files and other records from loss, damage and unauthorized use
- Data control: reviews and tests all input procedures, monitors processing and reviews IT logs
- Telecommunications specialists: responsible for maintaining and enhancing IT networks
- Systems programming: responsible for troubleshooting the operating system
8-16

Computer-Based Fraud

- History shows that in many situations the person responsible for the fraud set up the system and controlled its modifications
- Segregation of duties:
  - Programming separate from control of data entry
  - Computer operators separate from custody of, or detailed knowledge of, the programs
- If segregation is not possible, compensating controls such as batch totals are needed
- Organizational controls are not effective in mitigating collusion
8-17

Internal Auditing in IT

- Interested in evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
- Should participate in the design of IT-based systems
- Performs tests to ensure that there are no unauthorized program changes, that documentation is adequate, that control activities are functioning, and that the data control group is performing its duties

8-18


IT Control Activities

- General control activities:
  - Developing new programs and systems
  - Changing existing programs and systems
  - Access to programs and data
  - IT operations controls

8-20

Application Control Activities

- Programmed control activities:
  - Input validation checks: limit test, validity test, self-checking number
  - Batch controls: item count, control total, hash total
  - Processing controls: input controls plus file labels
- Manual follow-up activities:
  - Exception report follow-up


8-21

User Control Activities

- Designed to test the completeness and accuracy of IT-processed transactions
- Designed to ensure reliability
- Reconciliation of control totals generated by the system to totals developed at the input phase
- Example: sales invoices generated by the IT-based system are tested for clerical accuracy and pricing by the accounting clerk
8-22
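The programmed application controls listed two slides back (limit test, validity test, self-checking number, item count, control total, hash total) and the user control above (reconciling system-generated batch totals to totals developed at input) are small enough to show end to end. The following is an added example, not code from the textbook or from any client system: it runs a constructed batch of keyed sales transactions through those controls and reconciles it against the totals a data control clerk would have footed from the source documents. The field names, the customer master, the amount limit and the use of a mod-10 (Luhn) check digit on account numbers are all assumptions for illustration; one keyed record carries a transposed account number and a transposed amount to show which control catches which error.

```python
"""Programmed input controls and control-total reconciliation for a batch of
sales transactions.  Added example; layouts, limits and the Luhn check-digit
scheme are assumptions, not the textbook's or any vendor's."""
from __future__ import annotations
from dataclasses import dataclass

VALID_CUSTOMERS = {"C1001", "C1002", "C1003"}   # assumed customer master (validity test)
MAX_AMOUNT_CENTS = 500_000                      # assumed per-transaction limit (limit test)


@dataclass(frozen=True)
class SalesTx:
    account: str        # account number; last digit is a check digit (assumed Luhn)
    customer: str       # customer code, checked against VALID_CUSTOMERS
    amount_cents: int   # sale amount, subject to the limit test


@dataclass(frozen=True)
class BatchTotals:
    item_count: int     # number of records in the batch
    control_total: int  # sum of a meaningful field (amount)
    hash_total: int     # sum of a field with no intrinsic meaning (account number)


def luhn_ok(number: str) -> bool:
    """Self-checking number: verify a mod-10 (Luhn) check digit.  Catches single
    keying errors and almost all adjacent transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(tx: SalesTx) -> list[str]:
    """Programmed input validation checks; returns the list of failed checks."""
    errors = []
    if not luhn_ok(tx.account):
        errors.append("check digit")
    if tx.customer not in VALID_CUSTOMERS:
        errors.append("validity: unknown customer")
    if not 0 < tx.amount_cents <= MAX_AMOUNT_CENTS:
        errors.append("limit: amount outside 0..%d" % MAX_AMOUNT_CENTS)
    return errors


def batch_totals(txs: list[SalesTx]) -> BatchTotals:
    """Item count, control total and hash total over a batch."""
    return BatchTotals(
        item_count=len(txs),
        control_total=sum(t.amount_cents for t in txs),
        hash_total=sum(int(t.account) for t in txs if t.account.isdigit()),
    )


def process_batch(keyed: list[SalesTx], source_totals: BatchTotals):
    """Run the programmed controls over a keyed batch and reconcile the
    system-generated totals to the totals developed at the input stage.
    Returns (accepted, exceptions, reconciled)."""
    reconciled = batch_totals(keyed) == source_totals
    accepted, exceptions = [], []
    for tx in keyed:
        errs = validate(tx)
        (exceptions.append((tx, errs)) if errs else accepted.append(tx))
    return accepted, exceptions, reconciled


# Constructed source documents, from which data control foots the input totals.
SOURCE_DOCS = [
    SalesTx("12345674", "C1001", 12_500),
    SalesTx("79927398713", "C1002", 250_000),
    SalesTx("24687", "C1003", 9_900),
    SalesTx("55558", "C9999", 600_000),      # bad customer code and over limit on the source itself
]
SOURCE_TOTALS = batch_totals(SOURCE_DOCS)

# Constructed keyed batch: record 3 was keyed with account 24687 -> 24867 and
# amount 9900 -> 9090 (two transposition errors at data entry).
KEYED_BATCH = [
    SalesTx("12345674", "C1001", 12_500),
    SalesTx("79927398713", "C1002", 250_000),
    SalesTx("24867", "C1003", 9_090),
    SalesTx("55558", "C9999", 600_000),
]

if __name__ == "__main__":
    accepted, exceptions, reconciled = process_batch(KEYED_BATCH, SOURCE_TOTALS)
    print("reconciled to input totals:", reconciled)
    for tx, errs in exceptions:
        print("exception", tx.account, errs)
```

The check digit flags the transposed account number and the exception report carries the bad customer code and over-limit amount for manual follow-up, but the transposed amount passes every per-record check; only the control-total reconciliation against the source documents reveals it, which is why the slides treat that reconciliation as a separate user control rather than a programmed one.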

Control in Decentralized and Single Workstation Systems

- Involves the use of one or more user-operated workstations to process data
- Needed controls:
  - Train users
  - Document computer processing procedures
  - Store backup files away from the originals
  - Authorization controls
  - Prohibit the use of unauthorized programs
  - Use antivirus software
8-23

Steps 1 and 2 of the Audit: Plan the Audit and Obtain an Understanding

- Step 1: Consider the IT system in planning
- Step 2: Obtain an understanding of the client and its environment
  - Documentation of the client's IT-based system depends on the complexity of the system:
    - Narrative
    - Systems flowchart
    - Program flowchart
    - Internal control questionnaires
8-24

Step 3 of the Audit: Assess the Risks of Material Misstatement

- Identify risks
- Relate the identified risks to what can go wrong at the relevant assertion level
- Consider whether the risks are of a magnitude that could result in a material misstatement
- Consider the likelihood that the risks could result in a material misstatement
- Evaluate the effectiveness of related controls in mitigating the risks
  - Tests of controls over IT-based systems
8-25

Techniques for Testing Application Controls

- Auditing around the computer: manually processing selected transactions and comparing the results to the computer output
- Manual tests of computer controls: inspection of computer control reports and of evidence of manual follow-up on exceptions
- Auditing through the computer: computer-assisted techniques
  - Test data
  - Integrated test facility
  - Controlled programs
  - Program analysis techniques
  - Tagging and tracing transactions
  - Generalized audit software (parallel simulation)

8-26

Using Generalized Audit Software to Perform Substantive Procedures

- In general, using client data and generalized audit software, the auditor can:
  - Examine the client's records for overall quality, completeness and valid conditions
  - Rearrange data and perform analyses
  - Select audit samples
  - Compare data on separate files
  - Compare the results of audit procedures with the client's records
8-27
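The generalized audit software procedures just listed, together with the parallel simulation technique from the preceding slide, can be illustrated on a small client file. The following is an added example, not the textbook's material and not any GAS product's code: it loads a constructed sales invoice file and a constructed shipping file, examines the invoices for valid conditions (negative quantities, duplicate invoice numbers, extensions that do not re-perform), rearranges and totals them by customer, selects a systematic sample, and compares the two files in both directions to find invoices with no supporting shipment and shipments never billed. The file layouts, field names and error records are assumptions for illustration.

```python
"""Generalized-audit-software style substantive procedures over a client's
sales invoice file.  Added example; the CSV layouts and the records in them
are constructed, not a real client's data."""
from __future__ import annotations
import csv
import io
from collections import Counter, defaultdict

# Constructed client invoice file as produced by the IT-based billing system.
INVOICE_CSV = """invoice,customer,shipment,qty,unit_price_cents,extended_cents
1001,C1001,S500,10,1250,12500
1002,C1002,S501,200,1250,250000
1003,C1003,S502,-3,3300,-9900
1004,C1001,S503,4,11250,45000
1004,C1001,S503,4,11250,45000
1005,C1002,S999,6,1000,6500
1006,C1003,S505,7,2000,14000
"""

# Constructed shipping-department file, maintained separately from billing.
SHIPMENT_CSV = """shipment,customer,qty
S500,C1001,10
S501,C1002,200
S502,C1003,3
S503,C1001,4
S504,C1002,9
S505,C1003,7
"""


def load(csv_text: str, int_fields: tuple[str, ...]) -> list[dict]:
    """Read a CSV file into dict records, converting the named fields to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for f in int_fields:
            row[f] = int(row[f])
        rows.append(row)
    return rows


def recompute_extension(inv: dict) -> int:
    """Parallel simulation of the billing program's extension step."""
    return inv["qty"] * inv["unit_price_cents"]


def exception_report(invoices: list[dict]) -> dict[str, list[str]]:
    """Examine records for valid conditions."""
    counts = Counter(inv["invoice"] for inv in invoices)
    return {
        "negative_qty": [i["invoice"] for i in invoices if i["qty"] < 0],
        "duplicate_invoice": sorted(n for n, c in counts.items() if c > 1),
        "extension_error": [i["invoice"] for i in invoices
                            if recompute_extension(i) != i["extended_cents"]],
    }


def totals_by_customer(invoices: list[dict]) -> dict[str, int]:
    """Rearrange data: billed sales per customer, ordered by customer code."""
    totals: dict[str, int] = defaultdict(int)
    for inv in invoices:
        totals[inv["customer"]] += inv["extended_cents"]
    return dict(sorted(totals.items()))


def systematic_sample(invoices: list[dict], size: int, start: int) -> list[str]:
    """Select every k-th invoice after a random start in 0..k-1 (the auditor
    supplies the start so the selection is reproducible)."""
    k = max(1, len(invoices) // size)
    return [inv["invoice"] for inv in invoices[start::k]][:size]


def compare_files(invoices: list[dict], shipments: list[dict]) -> tuple[list[str], list[str]]:
    """Compare data on separate files: invoices with no shipment record
    (occurrence) and shipments that were never billed (completeness)."""
    shipped = {s["shipment"] for s in shipments}
    billed = {i["shipment"] for i in invoices}
    unsupported = [i["invoice"] for i in invoices if i["shipment"] not in shipped]
    unbilled = [s["shipment"] for s in shipments if s["shipment"] not in billed]
    return unsupported, unbilled


def run() -> dict:
    """Run every procedure over the embedded files and collect the results."""
    invoices = load(INVOICE_CSV, ("qty", "unit_price_cents", "extended_cents"))
    shipments = load(SHIPMENT_CSV, ("qty",))
    unsupported, unbilled = compare_files(invoices, shipments)
    return {
        "exceptions": exception_report(invoices),
        "by_customer": totals_by_customer(invoices),
        "sample": systematic_sample(invoices, size=3, start=1),
        "unsupported_invoices": unsupported,
        "unbilled_shipments": unbilled,
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Each procedure maps to one slide bullet: the exception report and the re-performed extension are the "valid conditions" and parallel simulation checks, the per-customer totals are the rearranged analysis, and the two-way file comparison is where unsupported billings and unbilled shipments surface, which a test of the invoice file alone would never show.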

Typical Inventory Audit Procedures Using Generalized Audit Software
(table of procedures not reproduced in this extract)

8-28

Service Organizations

- Computer service centers provide processing services to customers who decide not to invest in their own processing of particular data
- Outsourcing companies run computer centers and provide a range of computer processing services to companies

8-29

Service Organizations

- The auditor is concerned if the services provided are part of the client's information system. They are part of the system if the service organization affects:
  - How the client's transactions are initiated
  - The accounting records and supporting information
  - The accounting processes from initiation of a transaction to its inclusion in the financial statements
  - The financial reporting process
- The auditor can obtain a service auditor's report
  - SAS 70 report (the standard in force for this edition; since superseded by SSAE 16 / SOC 1 reports)
8-30
