Audit around the computer
The use of IT in audit is a choice.
- Ignore computer processing
- Select source document (for example: purchase order) to match output
- Often used for smaller clients and private firms
Audit through the computer
Two types of controls
Two types of IT controls:
IT-general controls
ITGC apply to all the system components, processes,
and data present in an organization
Example controls:
- Logical access controls over infrastructure,
applications, and data
- Program Change Management
- System development
- Computer Operations
- Physical security controls over data centers
- Backup and recovery controls
Testing of controls is usually done on a sample basis
IT-general controls categories
o Separation of IT duties
o Physical controls
o Change management
o Back-up and contingency (recovery)
Three key aspects to separate
What are Application controls?
Application controls relate to transactions and data pertaining to
each application and are specific to each application
‘Rules’ of application controls can be
o Embedded – the application control is already part of the program/logic within the application software (e.g., 2- or 3-way match capabilities)
o Configured – the application control is performed depending on how the application is set up/configured or how the workflow is designed (e.g., accounts payable tolerance levels)
Input application control
Processing application controls
- Validation test (check digit; existence): correct file, database, or program?
- Sequence test: correct processing order?
- Arithmetic accuracy test: accuracy of processed data?
- Data reasonableness test (range/limit): data exceeds preset amounts?
- Completeness test: field test; completeness of record fields?
Output application controls
Detect errors after processing is completed
- Output controls (highlight transactions)
- Error controls (suspense accounts)
How to test application controls
Typically, they can be tested, for example, by using the
client's master file and application. The auditor
produces some transactions and pushes them through the
system. The auditor uses their own program to work out what
the results should be from the master file and a subset of
transactions, and then checks whether the auditor's results
match what the client has.
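The re-performance described above, as an added example that is not part of the original notes. The master file, test transactions and client results are constructed sample data, and the processing rule (amount = unit price x quantity) is an assumption.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data (not from any real client).
MASTER_FILE = {            # item code -> approved unit price
    "A100": Decimal("12.50"),
    "B200": Decimal("3.99"),
    "C300": Decimal("150.00"),
}
TEST_TRANSACTIONS = [      # auditor-selected subset: (txn id, item, quantity)
    ("T1", "A100", 4),
    ("T2", "B200", 10),
    ("T3", "C300", 2),
    ("T4", "Z999", 1),     # item that does not exist in the master file
]
CLIENT_RESULTS = {         # amounts the client's application produced
    "T1": Decimal("50.00"),
    "T2": Decimal("39.90"),
    "T3": Decimal("310.00"),   # differs from price x quantity
    "T4": Decimal("25.00"),    # processed although the item is unknown
}

def expected_amount(item, qty, master):
    """Auditor's own calculation; None means the item fails the existence check."""
    price = master.get(item)
    if price is None:
        return None
    return (price * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def reperform(transactions, master, client_results):
    """Return a list of (txn id, finding) for every exception found."""
    exceptions = []
    for txn_id, item, qty in transactions:
        expected = expected_amount(item, qty, master)
        actual = client_results.get(txn_id)
        if actual is None:
            exceptions.append((txn_id, "missing from client output"))
        elif expected is None:
            exceptions.append((txn_id, "client processed item not in master file"))
        elif actual != expected:
            exceptions.append((txn_id, f"client {actual} != auditor {expected}"))
    return exceptions

if __name__ == "__main__":
    for txn_id, finding in reperform(TEST_TRANSACTIONS, MASTER_FILE, CLIENT_RESULTS):
        print(txn_id, finding)
```

Each exception maps back to a processing control from the list above: T3 is an arithmetic accuracy failure and T4 is a validation (existence) failure.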
Pervasive nature of IT controls – Canada, Sutton, Kuhn, IJAT (2009)
Hypotheses
- Increase in audit fees positively associated with IT material weaknesses
- Increase in audit fees greater for firms reporting IT material weaknesses
Both true
The remote audit – Teeter, Alles, Vasarhelyi, JETA (2010)
Deterrence Effect: In the context of the screenshot, the deterrence effect is enhanced by remote auditing. Since the auditors can potentially review the client’s systems and transactions at any time, and the client is not certain when the audit will occur, there is a continuous presence of the audit threat. This constant possibility of an audit may deter the client from committing irregularities or fraud because they must always be prepared for the auditor to review their transactions. The continuous monitoring environment essentially expands the deterrence effect because the “audit risk” is present throughout the year rather than just at scheduled audit times.
Efficiency Effect: The efficiency effect here seems to be related to the reduction in latency between when transactions occur and when they are audited. Traditional audits, which may occur annually or semi-annually, can have a longer latency between the occurrence of transactions and their examination by auditors. With remote auditing, especially when continuous auditing techniques are used, this latency can be significantly reduced. The transaction can be recorded, and almost immediately, the auditor can review it, leading to more timely audits and potentially more efficient business processes and decision-making.