Auditing: Information Technology System Environment


Auditing in an Information Technology System Environment - Part II
Expected Learning Outcomes
1. Understand the effects of computers on the audit process.
2. Know the impact of computers on accounting systems.
3. Understand the basic audit procedures applied in evaluating the
internal control and substantive testing in a CIS environment.
4. Describe the major types of computer fraud.
5. Describe the effects of computers on the audit process.
6. Know how audit planning is done in an IT environment.
7. Be familiar with the previous audit techniques using computers.
8. Familiarize yourself with specialized audit programs and
additional techniques in the audit of clients using IT Systems.
Introduction
As computer systems became more complex and
integrated, auditors found it challenging to audit
around them. Consequently, they began to audit
through the computer by investigating the data
processing system and its controls. This approach
involves feeding hypothetical transactions into the
computer to check the accuracy of the system.
IMPACT OF COMPUTERS ON ACCOUNTING SYSTEM

1. Documents are not maintained in readable form.

Manual and batch systems use controls that require
employees to record their authorization or approval
of transactions on paper documents. In a manual
system, a sales invoice is prepared manually for entry
into the accounting system. In small businesses,
invoices can be prepared either manually or using an
electronic system.
2. Processing of transactions is more consistent

In a manual system, which is run by people,
transactions may not be consistently processed.
Errors may occur because employees are not
adequately trained, fail to pay attention to work, or
become ill or fatigued.
3. Duties are consolidated

Companies using manual systems separate
duties involving authorization of
transactions, recording of transactions, and
custody of assets to ensure the validity of the
financial statement assertions.
4. Reports can be generated easily.

Computerized systems provide for, or allow, users to
generate necessary reports about the status of
transactions or accounts in a minimal amount of
time.
Major types of Computer Fraud
SALAMI TECHNIQUE

- Computer programs are modified to inappropriately round off
calculations to the benefit of the fraud perpetrator. The amounts
available from rounding are then placed in an account controlled by
the perpetrator.

TROJAN HORSE

- An unauthorized program placed within an authorized one. Trojan
horses typically are designed to wait until a specific time, when
they act and then erase all evidence of their existence.
VIRUS PROGRAMS

- These are programs with unauthorized information or instructions.

TRAPDOORS

- These are unauthorized entry points into programs or databases.
Through a trapdoor, individuals can change data or instructions
without approval.
EFFECTS OF COMPUTERS ON THE AUDIT PROCESS
ACCORDINGLY, AN IT ENVIRONMENT MAY AFFECT:

THE PROCEDURES FOLLOWED BY THE AUDITOR IN
OBTAINING A SUFFICIENT UNDERSTANDING OF THE
ACCOUNTING AND INTERNAL CONTROL SYSTEMS.
THE CONSIDERATION OF INHERENT RISK AND CONTROL
RISK THROUGH WHICH THE AUDITOR ARRIVES AT THE
RISK ASSESSMENT.
THE AUDITOR'S DESIGN AND PERFORMANCE OF TESTS
OF CONTROL AND SUBSTANTIVE PROCEDURES
APPROPRIATE TO MEET THE AUDIT OBJECTIVE.
THE AUDITOR SHOULD CONSIDER WHETHER
SPECIALIZED IT SKILLS ARE NEEDED IN AN AUDIT.
THESE MAY BE NEEDED TO:

Obtain a sufficient understanding of the
accounting and internal control systems
affected by the IT environment.
Determine the effect of the IT environment on
the assessment of overall risk and of risk at
the account balance and class of transactions
level.
Design and perform appropriate tests of
control and substantive procedures.
PLANNING IN ACCORDANCE WITH PSA 315
“UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT”
In planning the portions of the audit which may be affected by the client’s IT
environment, the auditor should obtain an understanding of the significant
influence and complexity of the IT activities and the availability of data for
use in the audit.

This understanding would include such matters as:

The significance and complexity of computer processing in
each significant accounting application.

The organizational structure of the client’s IT activities and
the extent of concentration or distribution of computer
processing throughout the entity.

The availability of data.


PSA 315 “UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT”

When the IT systems are significant, the auditor should also
obtain an understanding of the IT environment
and whether it may influence the assessment of
inherent and control risk.

The nature of the risks and the internal control
characteristics in an IT environment include the
following:
Lack of transaction trails.
Uniform processing of transactions.
Lack of segregation of functions.
Potential for errors and irregularities.

In addition, decreased human involvement in handling
transactions processed by IT can reduce the potential for
observing errors and irregularities. Errors or irregularities
occurring during the design or modification of application
programs or systems software can remain undetected for long
periods of time.

Initiation or execution of transactions.
Dependence of other controls over computer processing.
Potential for increased management supervision.
Potential for the use of computer-assisted audit techniques.

Both the risks and the controls introduced as a result of these
characteristics of IT have a potential impact on the auditor's
assessment of risk and the nature, timing and extent of audit
procedures.
Assessment of Risk
The inherent risks and control risks in an IT environment may
have both a pervasive effect and an account-specific effect
on the likelihood of material misstatements, as follows:

The risks may result from deficiencies in pervasive IT
activities such as program development and maintenance,
systems software support, operations, physical IT security,
and control over access to networks, operating systems,
programs and databases.
The risks may increase the potential for errors or
fraudulent activities in specific applications, in specific
data bases or master files, or in specific processing
activities.
AUDITING CLIENTS USING
INFORMATION TECHNOLOGY (IT)
SYSTEMS

The auditor's specific audit objectives do not change
whether accounting data is processed manually or
by computer. However, the methods of applying
audit procedures to gather evidence may be
influenced by the methods of computer processing.

The audit procedures applicable to evaluating
the internal controls in IT systems are:

1. Review of the system
2. Tests of compliance
3. Evaluation to determine the extent of the
substantive tests

A. Review of the System - If a client uses IT,
the auditor must be capable of understanding
the entire system to evaluate the client's
internal control.
B. Compliance Testing of IT Controls- After
reviewing the IT controls, the auditor attempts
to gather evidence to provide reasonable
assurance that the prescribed controls are
functioning properly.
a. Audit around the computer or
b. Audit through the computer.
Auditing around (without using) the computer means the
auditor does not use the computer to perform tests, select
samples, etc. If there is an adequate audit trail, the auditor
can do the following:

a) Examine for evidence of controls, i.e., error logs, batch
control records, etc.
b) Trace transactions using printouts to follow input
documents through to final report.
c) Process sample transactions manually, process a batch of
transactions and compare with the printouts.

Auditing through (with the use of) the
computer. Computers are useful in
performing the audit. The auditor can
use a computer program (provided by
the client or prepared by the auditor) to
examine data files and perform many of
the clerical tasks previously performed
by a junior auditor.
C. Substantive Testing of Computer-based
Records
SUBSTANTIVE TESTING LIKE COMPLIANCE TESTING
CAN BE PERFORMED WITH OR WITHOUT THE USE
OF COMPUTER

1. SUBSTANTIVE TESTING WITHOUT USING THE
COMPUTER

Printouts are used to test the correctness of
accounts and as a basis from which samples
will be selected for further testing or
confirmation.

2. SUBSTANTIVE TESTING WITH THE USE OF
(THROUGH) A COMPUTER

The auditor uses a program written to gain access to the
computer-based records. Once access has been
achieved, the auditor can use the computer to perform
those procedures which are clerical in nature.

Sources of programs are:

a) Auditor-written programs
- Specifically written to client's files.

b) Auditee programs
- Coded by the company's own programmer to meet the auditor's
needs. This will require additional precautions on the part of the auditor.

c) Utility programs
- Provided by software vendors and used to obtain data.

d) Generalized computer audit programs
- These programs offer audit-oriented functions for use in accessing
and testing records.

AUDIT TECHNIQUES USING COMPUTERS

a. Audit Software - The auditor may use various types
of software on either microcomputers or mainframe
computers.

Some of the audit procedures that may be performed by
generalized audit software include:

(1) Testing client calculations
(2) Making additional calculations
(3) Extracting data from the client files
(4) Examining records which meet criteria specified by the auditor
(5) Selecting audit samples
(6) Comparing data that exist on separate files
(7) Summarizing data
(8) Comparing data obtained through other audit procedures with client
records.
(9) Identify weaknesses in internal control.
(10) Prepare flowcharts of client transaction cycles and of client programs.
(11) Prepare graphic displays of data for easier analysis.
(12) Correspondence (engagement letters, representation letters, attorney's
letters)
b. Test Data - A set of dummy transactions is developed by the auditor and
processed by the client's computer programs to determine whether the
controls which the auditor intends to rely on are functioning as expected.
Several possible problems associated with test data are that the auditor
must:

1. Make certain the test data is not included in the client's
accounting records.
2. Make certain the test data is not included in the client's
accounting records.
3. Devote the necessary time to develop adequate data to test
key controls.


c. Concurrent Audit Techniques - These techniques collect evidence as
transactions are processed, immediately reporting information requested
by the auditor or storing it for later access.

1. Integrated Test Facility (ITF) - This method
introduces dummy transactions into a system in
the midst of live transactions and is usually built
into the system during the original design.

2. Snapshots - Auditors embed software routines at different
points within an application to capture and report
images called snapshots of a selected transaction
as it is processed at preselected points in a
program.

3. System Control Audit Review File (SCARF) - This uses
audit software embedded in the client’s
system, called an embedded audit module, to
gather information at predetermined points in a
system. This information is stored in a special file
and is reported only to the auditors at
predetermined intervals.
d. Parallel Simulation (also known as controlled
processing/reprocessing) – this method
processes actual client data through an auditor’s
software program (and frequently, although not
necessarily, the auditor’s computer).

The limitations of this method include:

(1) The time it takes the auditor to build an exact
duplicate of the client system
(2) Incompatibility between auditor and client
software
(3) The time involved in reprocessing large quantities
of data
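
An added example, not part of the original slides: parallel simulation in miniature, applied to the kind of rounding manipulation described under the salami technique. The interest formula, the 3.5% rate, the account numbers and the posted amounts are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed client extract: (account, balance, annual rate, interest posted by client system)
CLIENT_POSTINGS = [
    ("A-1001", Decimal("1234.56"), Decimal("0.035"), Decimal("3.60")),
    ("A-1002", Decimal("9876.54"), Decimal("0.035"), Decimal("28.80")),
    ("A-1003", Decimal("5000.00"), Decimal("0.035"), Decimal("14.58")),
    ("A-1004", Decimal("2750.25"), Decimal("0.035"), Decimal("8.02")),
    ("A-1005", Decimal("15000.00"), Decimal("0.035"), Decimal("43.75")),
    ("A-1006", Decimal("777.77"), Decimal("0.035"), Decimal("2.26")),
    ("A-1007", Decimal("4321.09"), Decimal("0.035"), Decimal("12.60")),
]


def auditor_interest(balance, annual_rate):
    """Auditor's own model (assumed policy): monthly interest, rounded half-up to the cent."""
    return (balance * annual_rate / 12).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(postings):
    """Reprocess every client record and return those where the two results differ."""
    exceptions = []
    for account, balance, rate, posted in postings:
        expected = auditor_interest(balance, rate)
        if expected != posted:
            exceptions.append((account, expected, posted, expected - posted))
    return exceptions


def summarize(exceptions):
    """Differences that are all tiny and all in one direction point to systematic rounding."""
    diffs = [diff for _, _, _, diff in exceptions]
    return {
        "count": len(diffs),
        "total_shortfall": sum(diffs, Decimal("0")),
        "one_sided": bool(diffs) and all(d > 0 for d in diffs),
        "max_abs": max((abs(d) for d in diffs), default=Decimal("0")),
    }


if __name__ == "__main__":
    found = parallel_simulation(CLIENT_POSTINGS)
    for account, expected, posted, diff in found:
        print(f"{account}: auditor {expected}, client {posted}, shortfall {diff}")
    print(summarize(found))
```

Random processing errors scatter in both directions; a set of one-cent shortfalls that never favours the account holder is what the auditor follows up by tracing where the difference was credited.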
e. Code Comparison – in the performance of
code comparison, an auditor examines two
versions of a program to determine whether
they are identical.
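
An added example, not part of the original slides: a code comparison between the program version the auditor reviewed and the version found in production, first by digest and then line by line. Both program texts and the function name approve_payment are constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample: the version the auditor reviewed and approved
APPROVED = """\
def approve_payment(user, amount, limit):
    if amount > limit:
        return False
    return True
"""

# Constructed sample: the version extracted from the production library
PRODUCTION = """\
def approve_payment(user, amount, limit):
    if user == "maint":
        return True
    if amount > limit:
        return False
    return True
"""


def digest(source):
    """SHA-256 of the program text; equal digests mean byte-identical versions."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_versions(approved, production):
    """Return (identical, changed_lines); changed lines carry a '+' or '-' prefix."""
    if digest(approved) == digest(production):
        return True, []
    diff = list(difflib.unified_diff(
        approved.splitlines(), production.splitlines(),
        fromfile="approved", tofile="production", lineterm="", n=0))
    # Skip the two file-header lines, keep only added/removed source lines.
    changes = [line for line in diff[2:] if line.startswith(("+", "-"))]
    return False, changes


if __name__ == "__main__":
    identical, changes = compare_versions(APPROVED, PRODUCTION)
    print("identical" if identical else "versions differ:")
    for line in changes:
        print("  " + line)
```

Here the only difference is an unapproved branch that skips the limit check for one user, the kind of unauthorized entry point the slides call a trapdoor.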

f. Audit Workstation

More internal audit departments and a few external auditing firms
are ending their dependence on audit software programs run
on a mainframe by using an audit workstation.

There are seven steps in the use of an audit workstation:

1. Determine data needed
2. Write extract routine
3. Run extract program
4. Download extracted file
5. Perform analysis
6. Prepare report
7. Workpapers
Specialized Audit Program and Additional Techniques

Special Audit Programs may be developed to perform specific audit
tasks.

A trained auditor can examine the flowcharts to test the logic of
application programs and to ensure that the client's documentation
describes the program that is actually being used.

Tagging and Tracing Transactions

Internal Control Considerations

Internal controls can be used to mitigate many of the risks associated
with e-commerce activities. The auditor considers the control
environment and control procedures the entity has applied to its
e-commerce activities to the extent they are relevant to the
financial statement assertions.

The following aspects of internal control are particularly relevant
when the entity engages in e-commerce:
Maintaining the integrity of control procedures in the quickly
changing e-commerce environment;
Ensuring access to relevant records for the entity's needs and for
audit purposes.
Security
IT IS THE PROTECTION OF INFORMATION, DATA,
PROPERTY AND/OR PERSONNEL THAT IS EITHER
DIGITAL OR PHYSICAL. IT IS A PROCESS THAT
INVOLVES PROTECTING INFORMATION FROM
UNAUTHORIZED ACCESS, USE, DISCLOSURE OR
DESTRUCTION.

TO THE EXTENT THEY ARE RELEVANT TO THE FINANCIAL STATEMENT
ASSERTIONS THE AUDITOR CONSIDERS SUCH MATTERS AS:

The effective use of firewalls and virus protection software to protect its
systems from the introduction of unauthorized or harmful software, data,
or other material in electronic form,
The effective use of encryption, including both:
- Maintaining the privacy and security of transmissions and
- Preventing the misuse of encryption technology
Controls over the development and implementation of systems used to
support e-commerce activities;
Whether security controls in place continue to be effective as new
technologies that can be used to attack Internet security become
available;
Whether the control environment supports the control procedures
implemented.
Transaction Integrity
The auditor considers the completeness,
accuracy, timeliness, and authorization of
information provided for recording and
processing in the entity's financial records.

The nature and the level of sophistication of an
entity's e-commerce activities influence the nature
and extent of risks related to the recording and
processing of e-commerce transactions.
CONTROLS RELATING TO TRANSACTION INTEGRITY
ARE OFTEN DESIGNED TO, FOR EXAMPLE:

Validate input;
Prevent duplication or omission of transactions;
Ensure the terms of trade have been agreed
before an order is processed;
Distinguish between customer browsing and orders
placed;
Prevent incomplete processing by ensuring all
steps are completed and recorded;
Ensure the proper distribution of transaction details
across multiple systems in a network;
Ensure records are properly retained, backed-up,
and secured.
Process Alignment
Process alignment refers to the way various IT
systems are integrated with one another and
thus operate, in effect, as one system. In the
e-commerce environment, it is important that
transactions generated from an entity's web site
are processed properly by the entity's internal
systems.
The way e-commerce transactions are captured
and transferred to the entity's accounting
system may affect such matters as:

The completeness and accuracy of transaction processing and
information storage;
The timing of the recognition of sales
revenues, purchases and other transactions.
The Effect of Electronic Records on Audit Evidence

There may not be any paper records for
e-commerce transactions, and electronic records
may be more easily destroyed or altered than
paper records without leaving evidence of such
destruction or alteration.
The auditor may test automated controls, such
as record integrity checks, electronic date
stamps, digital signatures, and version controls
when considering the integrity of electronic
evidence.
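
An added example, not part of the original slides: one form a record integrity check can take, a keyed hash (HMAC) chained across records so that alteration or removal of a record becomes detectable. It is not a digital signature scheme; the key, the field names and the order records are constructed assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: the real key is held outside the accounting system
GENESIS = "0" * 64

# Constructed e-commerce order records with electronic date stamps
ORDERS = [
    {"order": 1001, "customer": "C-17", "amount": "250.00", "stamp": "2024-03-01T09:15:00Z"},
    {"order": 1002, "customer": "C-42", "amount": "1310.50", "stamp": "2024-03-01T09:47:12Z"},
    {"order": 1003, "customer": "C-08", "amount": "75.25", "stamp": "2024-03-01T10:02:33Z"},
]


def _tag(record, prev_tag, key):
    """HMAC over the record and the previous tag, so each tag depends on all earlier records."""
    payload = json.dumps(record, sort_keys=True).encode() + prev_tag.encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal(records, key=KEY):
    """Done by the system at recording time: attach a chained tag to every record."""
    sealed, prev = [], GENESIS
    for record in records:
        prev = _tag(record, prev, key)
        sealed.append({"record": record, "tag": prev})
    return sealed


def verify(sealed, key=KEY, last_tag=None):
    """Done by the auditor: return the index of the first failing record, or None if intact.

    last_tag is the final tag kept separately from the file; without it, records
    removed from the end of the file cannot be noticed.
    """
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if not hmac.compare_digest(_tag(entry["record"], prev, key), entry["tag"]):
            return i
        prev = entry["tag"]
    if last_tag is not None and not hmac.compare_digest(prev, last_tag):
        return len(sealed)
    return None


if __name__ == "__main__":
    sealed = seal(ORDERS)
    print("intact file:", verify(sealed))
    sealed[1]["record"]["amount"] = "2500.00"
    print("after altering an amount, first failing record:", verify(sealed))
```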
Group II
CRUZADO, HANNAH MAE
ALI, JUNAID
RASAY, FRANCES NICOLE
DIMACULANGAN, PHILIP
BEREDO, ELLAQUIM
SULTAN, ASLANIE
DE TORRES, CECILLE
DE CHAVEZ, MAY ANN
MARCUAP, FLORA MEL JOY
ISLES, MHARTINA AALIYAH
LINAO, MYKAELA
PLATA, MARK STEPHEN
DIZON, RAE STEPHANIE
DIMAYACYAC, MEZIAH
PASAHOL, ANGELICA
DALANGIN, AHRITCH
VALDERAMA, YSTEFANI
Thank you
