CHAPTER TWENTY
IT CONCEPTS AND CONTROLS
PART A – IT CONTROLS
PART B – USE OF COMPUTERS IN AUDITING
LO 5 AUDITING AROUND COMPUTERS VS. AUDITING THROUGH COMPUTERS 8.1.5
LO 6 COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs) 7.1.2
PART C – FLOWCHARTS
LO 11 APPROACH TO DRAWING A SUCCESSFUL FLOWCHART 6.2.4
LO 12 SYMBOLS USED IN FLOWCHARTS AND THEIR MEANINGS 6.2.4
PART D – OTHER CONCEPTS
LO 14 OPEN SYSTEM INTERCONNECTION (OSI) MODEL AND COMMUNICATIONS PROTOCOL 6.3.4 6.3.3
PART A – IT CONTROLS
LO 1: IT CONTROLS:
Control activities in an organization can be either manual or IT/automated/programmed.
Manual Control:
A manual control is performed by people (e.g. authorization, review, reconciliations).
IT/Automated/Programmed Control:
A programmed control is performed by computer software (e.g. validation checks).
IT controls are further classified into two types, i.e. IT General Controls (ITGC) and IT Application Controls.
LO 2: IT GENERAL CONTROLS:
IT General Controls (ITGC):
IT General Controls are those controls that operate at entity level and relate to all or many applications. General controls help the effective functioning of application controls by ensuring continued proper operation of the IT system.
Examples of IT General Controls:
Following are the main categories of IT General Controls:
1 Controls over System Acquisition (to ensure computer-based information systems and applications are developed consistent with the entity’s objectives)
2 Controls over System Maintenance (to ensure the system is appropriately updated and changed)
3 Controls over Program Changes (to prevent/detect unauthorized program changes)
4 Controls over Use of Programs and Data (to prevent use of incorrect program or data files)
5 Access Controls (to prevent unauthorized access/amendment to program and data files)
6 Controls over Data Center and Computer Operations (to ensure continuity of operations)
Examples of IT General Controls (by category, objective and example):

Controls over Data Center and Computer Operations
Objective: To ensure continuity of operations.
Examples:
a) Security measures for protection of equipment against fire, flood, power failure, theft or other disasters
b) Disaster Recovery Plan/Contingency Plan, e.g.
   Offsite storage of backup data
   Standby arrangements with third parties to provide “technical support” in the event of a disaster
   Insurance coverage for IT infrastructure

Access Controls (over Programs and Data)
Objective: Prevention of unauthorized access/amendment to program and data files (by employees or by hackers).
Examples:
To avoid unauthorized physical access:
   Controlled single entry point with visitors’ logs
   Door locks with log-in function (e.g. passwords, access cards, biometrics)
   Identification badges
   Alarm and CCTV system
To avoid unauthorized logical access:
   Each user has a unique log-in ID and password (which is difficult to guess and is changed periodically)
   There are access rights for every user which are periodically reviewed (to ensure segregation of duties)
   Inactive accounts are disabled after a pre-defined period of non-usage (e.g. accounts of terminated employees)
   Audit trail and system logs are available for all important activities
   Use of firewalls to prevent unauthorized access via the internet

Controls over System Acquisition
Objective: Computer-based information systems and applications are developed consistent with the entity’s objectives.
Examples:
   Use of a System Development Life Cycle for design, development and programming of a new computer system
   Full documentation of new systems
   Testing of systems before implementation
   Training of staff before “live” operation of the new system
   New system should be formally approved by the system user

Controls over System Maintenance
Objective: Documentation and testing of (authorized) program changes.
Examples: Same controls as above in system acquisition.

Controls over Program Changes
Objective: To prevent/detect unauthorized program changes.
Examples:
   Changes to programs should be approved by the appropriate level of management
   There should be segregation of duties between the tasks of the programmer (who writes the program) and the operator (who uses the program)
   There should be full documentation of all program changes and their testing exercises

Controls over Use of Programs and Data
Objective: To prevent use of incorrect program or data files.
Examples:
   Training of computer operators with “Standard Operating Procedures” and “Job Scheduling” to specify which version of the program should be used
   Supervisors should monitor activities of staff
   Management should carry out periodic reviews to ensure that correct versions of programs and correct data files are being used
Audit Trail:
An audit trail is the ability of users to trace a transaction through all of its processing stages. An audit trail can be provided by system logs.
System Log:
A log file is a file that records events taking place in the execution of a system. Logs provide essential information that can assist in analyzing and improving the system’s performance.
Examples of system logs include:
When employees entered and left the building
Which users logged in, when and from where
Failed log-in attempts
Who accessed and amended a data file
Changes made to a program – what, when and by whom
Attempted cyber intrusions
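The three log uses above (failed log-in attempts, disabling inactive accounts, tracing a transaction through its stages) can be exercised on a small constructed log. The following is an added example written for these notes, not code from the original text; the log format, user names and transaction id are assumptions made for the example.

```python
"""Added example: reading a constructed system log to produce the audit trail and the
access-control reviews the notes describe (failed log-in attempts, inactive accounts,
who changed what and when). The log format is an assumption for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Each line: timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2024-01-05T07:30:00 LOGIN_OK user=frank src=10.0.0.3
2024-03-01T08:00:05 DOOR_ENTRY user=bob badge=B17
2024-03-01T08:01:10 LOGIN_OK user=bob src=10.0.0.7
2024-03-01T08:02:11 LOGIN_FAIL user=alice src=198.51.100.9
2024-03-01T08:02:20 LOGIN_FAIL user=alice src=198.51.100.9
2024-03-01T08:02:31 LOGIN_FAIL user=alice src=198.51.100.9
2024-03-01T09:15:00 FILE_AMEND user=bob file=payroll.dat txn=T1001
2024-03-01T09:16:42 PROG_CHANGE user=carol program=PAYCALC txn=T1001
2024-03-01T10:00:00 LOGIN_OK user=dave src=10.0.0.9
2024-03-01T10:05:00 LOGIN_FAIL user=dave src=10.0.0.9
"""


def parse_log(text):
    """Turn raw lines into dicts: {'ts': datetime, 'event': str, plus key=value fields}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed log-ins (the 'failed log-in attempts'
    review). Returns a sorted list of (user, count)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            counts[e["user"]] += 1
    return sorted((u, n) for u, n in counts.items() if n >= threshold)


def inactive_accounts(events, known_users, as_of, days=90):
    """Accounts with no successful log-in within `days` days of `as_of` (an ISO date
    string), or none at all: candidates for the 'disable after a pre-defined
    period of non-usage' control."""
    last_ok = {}
    for e in events:
        if e["event"] == "LOGIN_OK":
            user = e["user"]
            last_ok[user] = max(last_ok.get(user, e["ts"]), e["ts"])
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    return sorted(u for u in known_users if u not in last_ok or last_ok[u] < cutoff)


def trace_transaction(events, txn_id):
    """Audit trail: every recorded step of one transaction in time order,
    as (timestamp, event, user) tuples."""
    steps = sorted((e for e in events if e.get("txn") == txn_id), key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["event"], e["user"]) for e in steps]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("repeated failures:", repeated_failures(evs))
    print("inactive as of 2024-05-01:",
          inactive_accounts(evs, {"bob", "dave", "erin", "frank"}, "2024-05-01"))
    print("trail for T1001:", trace_transaction(evs, "T1001"))
```

The user list passed to `inactive_accounts` stands in for the HR/account master; `erin` is flagged because she never logged in at all, `frank` because his last log-in is older than the 90-day window.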
LO 3: IT APPLICATION CONTROLS:
IT Application Controls:
IT Application Controls typically operate at a business process level and apply to the processing of transactions in individual applications (e.g. sales, purchases or expenses). Application controls help to ensure that transactions are properly authorized, accurately processed and distributed on a timely basis.
Examples of IT Application Controls:
Following are the main categories of IT Application Controls:
1 Controls over Input
2 Controls over Processing
3 Controls over Output
4 Controls over Master File/Standing Data
Examples of IT Application Controls (by category, objective and example):

Controls over Input
Objective: To ensure that data to be used as input in the information system is authorized, complete and accurate.
Examples:
1 Use of log-in ID and password for the operator
2 Authorization of source documents (used for input)
3 Source data automation (e.g. use of bar codes)
4 Data validation controls. Following are the different types of data validation controls which are usually used:
a) Limit Test/Check (a check to ensure that a numerical value does not exceed some predetermined value)
b) Range/Reasonableness Test (a check to ensure that a numerical value does not fall outside a predetermined range of values, e.g. wages of employees fall within 10,000 to 25,000)
c) Sequence Test (a check to ensure that all entries in a batch of input data are in proper numerical sequence, e.g. there is no missing purchase invoice)
d) Existence Test (a check to ensure that a code/number exists, by looking up the code in the valid record, e.g. whether a supplier exists)
e) Format/Field Test (a check to ensure that the format of data in a field is alphabetic, numeric or alphanumeric, e.g. that there are no alphabets in a sales invoice number field)
f) Check Digit (a check digit is a digit that is calculated mathematically from the original code and then added to the end of the code as an extra digit, e.g. to detect transposition errors)

Controls over Processing
Objective: To ensure there is no duplication or loss of data during processing.
Examples:
Control Totals: A control total is the sum of all input transactions. It may be the sum of the number of transactions or the value of transactions on a batch/file. A manually calculated number/value of records is compared with the number/value of
Limit Test
Range Test
On-Screen Prompts: On-screen prompts are used to ensure that a transaction is not left partly processed. A prompt displays on screen and guides users on what to do next.
Marking a file as read-only
Checkpoint and recovery procedures

Controls over Output
Objective: To ensure that computer output is not distributed or displayed to unauthorized users.
Examples:
Restriction on printing of confidential reports
Distribution of reports restricted to relevant/authorized personnel only
A distribution log should be kept (i.e. when a report was prepared, the list of its intended recipients and acknowledgement of recipients)
Audit trail
Exception reports showing data that does not conform to specified criteria

Controls over Master File/Standing Data
Objective: To ensure that data held on master files and standing files is correct.
Examples:
Record counts in master file
Regular update of master files
Review of master file by management
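The input validation controls (limit, range, sequence, existence, format and check digit) and the batch control total from the processing row are easiest to understand when run over a batch of records. The following is an added example written for these notes, not code from the original; the record fields, the supplier list, the limits and the weighted modulus-11 check-digit scheme are all assumptions made for the example.

```python
"""Added example: input validation controls and a batch control total applied to a
constructed batch of purchase-invoice records. Field names, limits and the
check-digit scheme are assumptions for this example."""
import re

# Constructed reference data and parameters (assumptions).
VALID_SUPPLIERS = {"S001", "S002", "S003"}   # supplier master file (existence test)
INVOICE_LIMIT = 50_000                         # ceiling for the limit test
QTY_MIN, QTY_MAX = 1, 1_000                    # reasonable range for the range test
INVOICE_FORMAT = re.compile(r"\d{6}[0-9X]")    # six digits plus a check digit (format test)


def add_check_digit(code):
    """Weighted modulus-11 check digit appended to `code`. Each position has a different
    weight, so swapping two digits (a transposition) changes the result."""
    weights = range(len(code) + 1, 1, -1)          # e.g. 7,6,5,4,3,2 for six digits
    total = sum(int(c) * w for c, w in zip(code, weights))
    digit = (11 - total % 11) % 11
    return code + ("X" if digit == 10 else str(digit))


def check_digit_ok(code_with_digit):
    """Recompute the check digit from the body of the code and compare."""
    return add_check_digit(code_with_digit[:-1]) == code_with_digit


def validate_invoice(rec):
    """Run the validation controls on one record; return the names of the failed checks."""
    failures = []
    if not INVOICE_FORMAT.fullmatch(rec["invoice_no"]):
        failures.append("format")                 # format/field test
    elif not check_digit_ok(rec["invoice_no"]):
        failures.append("check_digit")            # check-digit test
    if rec["supplier"] not in VALID_SUPPLIERS:
        failures.append("existence")              # existence test
    if rec["amount"] > INVOICE_LIMIT:
        failures.append("limit")                  # limit test
    if not QTY_MIN <= rec["quantity"] <= QTY_MAX:
        failures.append("range")                  # range/reasonableness test
    return failures


def sequence_gaps(records):
    """Sequence test over the records whose invoice numbers passed the format and
    check-digit tests: report numbers missing from the numeric run."""
    good = {int(r["invoice_no"][:-1]) for r in records
            if INVOICE_FORMAT.fullmatch(r["invoice_no"]) and check_digit_ok(r["invoice_no"])}
    if not good:
        return []
    return [n for n in range(min(good), max(good) + 1) if n not in good]


def batch_control_totals(records, expected_count, expected_value):
    """Processing control: compare the manually prepared batch totals (count and value)
    with what the program actually processed. Returns (count_ok, value_ok)."""
    return (len(records) == expected_count,
            sum(r["amount"] for r in records) == expected_value)


def run_batch(records):
    """Validate every record; return {invoice_no: [failed checks]} for rejected ones."""
    rejected = {}
    for r in records:
        failures = validate_invoice(r)
        if failures:
            rejected[r["invoice_no"]] = failures
    return rejected


# Constructed batch: one clean record and several that the controls should reject.
BATCH = [
    {"invoice_no": add_check_digit("123456"), "supplier": "S001", "amount": 1200, "quantity": 10},
    {"invoice_no": add_check_digit("123457"), "supplier": "S002", "amount": 800, "quantity": 2000},
    {"invoice_no": "2134560", "supplier": "S002", "amount": 300, "quantity": 3},   # 1 and 2 transposed
    {"invoice_no": add_check_digit("123459"), "supplier": "S999", "amount": 60000, "quantity": 5},
    {"invoice_no": "12AB60X", "supplier": "S003", "amount": 450, "quantity": 1},
]

if __name__ == "__main__":
    print("rejected:", run_batch(BATCH))
    print("missing invoice numbers:", sequence_gaps(BATCH))
    print("control totals (count, value):", batch_control_totals(BATCH, 5, 62750))
```

Note that the transposed invoice number still has a valid format, so only the check digit catches it; the sequence test deliberately ignores records that failed format or check-digit tests, because an unreadable number would otherwise produce a spurious gap.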
LO 4: CONTROLS OVER DATA TRANSMISSION:
Controls over data transmission ensure that data is transmitted accurately, completely and with confidentiality.
Controls over data transmission include:
Data encryption
Using secured Wi-Fi with password protection
Firewalls to prevent intrusion into the programs that send and receive data
Restricting access to source data that is transmitted
Using checksums and check digits to ensure that data received is accurate and complete
Programmed controls that ensure data is transmitted in the correct format
Data Encryption:
Encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge (called a key).
There are two methods of encryption:
1 Symmetric (in which the same key is used to encrypt and decrypt data)
2 Asymmetric (in which different keys are used to encrypt and decrypt data; this is sometimes known as public-private key encryption)
There are two types of symmetric encryption, i.e.
Block ciphers (in which a fixed-length block is encrypted at a time)
Stream ciphers (in which the data is encrypted one ‘data unit’, typically 1 byte, at a time, in the same order it was received)
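The transmission controls listed above (checksums for accuracy and completeness, symmetric encryption for confidentiality, a stream cipher working one byte at a time) can be shown together in one sender/receiver exchange. The following is an added example written for these notes, not code from the original text. It uses only the Python standard library; the keystream construction (HMAC-SHA256 over a nonce and counter) is a constructed illustration of the stream-cipher idea rather than a standard cipher, and the shared key and nonce are fixed constants so that the example is repeatable.

```python
"""Added example: data transmission controls with a shared symmetric key. The
unkeyed checksum detects accidental corruption; the keyed HMAC tag detects deliberate
alteration; the XOR keystream shows the stream-cipher idea (same key encrypts and
decrypts, one byte at a time). Constructed illustration, not a production protocol."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-key-for-demo"   # symmetric: both ends hold the same key
NONCE = b"fixed-nonce-0001"                        # per-message value; constant here only for repeatability


def checksum(data):
    """Unkeyed SHA-256 checksum: anyone can recompute it, so it catches only accidents."""
    return hashlib.sha256(data).hexdigest()


def auth_tag(key, data):
    """HMAC-SHA256 tag: cannot be recomputed without the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keystream(key, nonce, length):
    """Constructed keystream: HMAC-SHA256 blocks over nonce||counter, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key, nonce, data):
    """Stream-cipher step: XOR each data byte with the next keystream byte.
    Encrypting and decrypting are the same operation with the same key."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def send(key, nonce, plaintext):
    """Sender side: encrypt, then attach a checksum and a keyed tag over nonce||ciphertext."""
    ct = stream_xor(key, nonce, plaintext)
    return {"nonce": nonce, "ciphertext": ct,
            "checksum": checksum(ct), "tag": auth_tag(key, nonce + ct)}


def receive(key, msg):
    """Receiver side: check accuracy/completeness (checksum), then authenticity (tag),
    then decrypt. Returns (ok, reason, plaintext_or_None)."""
    ct = msg["ciphertext"]
    if checksum(ct) != msg["checksum"]:
        return False, "checksum mismatch", None
    if not hmac.compare_digest(auth_tag(key, msg["nonce"] + ct), msg["tag"]):
        return False, "authentication failed", None
    return True, "ok", stream_xor(key, msg["nonce"], ct)


if __name__ == "__main__":
    message = send(SHARED_KEY, NONCE, b"PAY 1250.00 TO S001")
    print(receive(SHARED_KEY, message))
```

The ordering in `receive` mirrors the two distinct objectives in the notes: the checksum answers "did the bytes arrive complete and unaltered by accident", the keyed tag answers "was this produced by a party holding the shared key". A checksum alone cannot do the second job, because whoever changes the ciphertext can also recompute an unkeyed checksum.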
PART B – USE OF COMPUTERS IN AUDITING
LO 5: AUDITING AROUND COMPUTERS VS AUDITING THROUGH COMPUTERS:
Auditing Around Computers:
“Auditing Around Computers” means that the client’s ‘internal’ software is not audited. The auditor agrees the inputs of the system with its output and compares actual output with expected output.
This method of auditing increases audit risk because:
The actual files and programs of the computer system are not tested; the auditor has no direct evidence that the programs are working as documented.
Where errors are found in reconciling inputs to outputs, it may be difficult or even impossible to determine how those errors occurred.
Auditing Through Computers:
“Auditing Through Computers” means that the auditor uses various techniques (e.g. CAATs) to evaluate the client’s computerized information system to determine the reliability of its operations (along with its output).
LO 6: COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs):
Computer Assisted Audit Techniques (CAATs):
CAATs are the use of computer techniques by the auditor to perform procedures and obtain audit evidence.
There are two types of CAATs commonly used:
1 Test Data (used as tests of control)
2 Audit Software (used as substantive procedures)
Uses of CAATs by the Auditor:
CAATs are usually performed by the auditor where an adequate audit trail is not available, or the auditor wants to check the accuracy and completeness of processing, e.g.
1 In performing tests of controls, e.g. to ensure completeness of sales/purchase invoices
2 To ensure accuracy and completeness of schedules provided by the client (e.g. wages, depreciation)
3 In analytical procedures (e.g. in variance analysis, turnover ratios)
4 In sampling (e.g. stratification, sample selection)
5 In detection of unusual items
Advantages of CAATs:
1 Enable the auditor to test program controls (i.e. “auditing through computers”) and not just copies or printouts
2 Enable auditors to test a large volume of data accurately and completely
3 Reduce the level of human error in performing audit procedures
4 Reduce effort on routine work and give the opportunity to concentrate on judgmental areas
Disadvantages of CAATs:
1 Expensive to set up (high investment needed for infrastructure and training of staff)
2 Require the co-operation of the client
3 Major changes in client systems often require major changes in CAATs, which is expensive
4 The client’s system may not be compatible with the audit software
5 Checking the client’s original files ‘live’ may increase the risk of files being corrupted
LO 7: TEST DATA AND EMBEDDED AUDIT FACILITIES:
Test Data:
Definition:
Test data is a set of dummy transactions developed by the auditor and processed by the client’s IT system; the actual results are compared with the expected results to determine whether controls are operating effectively.
Problem with Test Data:
A problem with test data is that it provides evidence about the operation of controls only at the time when the test data is processed (the solution is the use of Embedded Audit Facilities).
Embedded Audit Facilities (or “integrated audit facility” or “resident audit software”):
This is the auditor’s computer program that is built into the client’s IT system to allow the auditor to carry out tests at the time transactions are processed, in ‘real time’. In this approach, a dummy department is built into the client’s accounting system (usually during its original design) that operates every time the ‘live’ process is run. Information about the processing and controls of the client’s system is stored in a file called SCARF (System Control And Review File). Only the auditor has access to such a dummy department and its data.
These facilities are used when:
1 The database is continually processed and updated in real time by the client
2 A satisfactory audit trail is not available after the processing of transactions
LO 8: AUDIT SOFTWARE:
Audit software consists of computer programs used by the auditor to interrogate a client’s computer files. The principal objective is substantive testing.
Following are the main types of audit software:
Interrogation programs:
These are used to access the client’s files and records and to extract data for auditing. These could be:
Package programs (generalised audit software) – i.e. pre-prepared programs
Purpose-written programs – perform specific functions of the auditor’s choosing
Interactive software:
These are used in the interrogation of on-line IT systems
Embedded Audit Facilities (or “integrated audit facility” or “resident audit software”):
(defined above)
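A purpose-written interrogation program of the kind described under LO 8 is short enough to show in full, and it also covers the uses of CAATs listed under LO 6: re-performing a client schedule (depreciation), stratification and sample selection, and detection of unusual items. The following is an added example written for these notes, not code from the original text or from any audit software product; the asset register, the purchase ledger, the value bands and the "unusual item" criteria are all constructed assumptions.

```python
"""Added example: a small purpose-written audit program (substantive procedures over a
client's files). It re-performs a depreciation schedule, stratifies a purchase ledger
for sampling, and flags unusual items. All records are constructed; asset ids and
document numbers are placeholders, not any real client's data."""
from collections import Counter
from datetime import date

# Constructed fixed-asset register:
# (asset_id, cost, residual value, useful life in years, client's straight-line charge)
ASSETS = [
    ("A1", 10_000, 1_000, 5, 1_800),
    ("A2", 24_000, 0, 4, 6_000),
    ("A3", 15_000, 3_000, 6, 2_500),   # client charge overstated: (15000 - 3000) / 6 = 2000
]

# Constructed purchase ledger: (document no, posting date, amount)
LEDGER = [
    ("P100", date(2024, 3, 4), 450.0),
    ("P101", date(2024, 3, 5), 9_999.0),
    ("P102", date(2024, 3, 9), 12_000.0),    # Saturday posting, round amount
    ("P103", date(2024, 3, 11), 5_000.0),    # round amount
    ("P103", date(2024, 3, 12), 5_000.0),    # duplicate document number
    ("P104", date(2024, 3, 13), 2_750.0),
    ("P105", date(2024, 3, 14), 15_500.0),
]


def depreciation_exceptions(assets):
    """Re-perform straight-line depreciation and list assets whose recomputed charge
    differs from the client's: (asset_id, recomputed, client_charge)."""
    exceptions = []
    for asset_id, cost, residual, life, client_charge in assets:
        recomputed = (cost - residual) / life
        if recomputed != client_charge:
            exceptions.append((asset_id, recomputed, client_charge))
    return exceptions


def stratify(ledger, bands=(1_000, 10_000)):
    """Group document numbers by value band: below the first bound, between bounds
    (lower inclusive, upper exclusive), and at or above the last bound."""
    labels = (["<%d" % bands[0]]
              + ["%d-<%d" % (lo, hi) for lo, hi in zip(bands, bands[1:])]
              + [">=%d" % bands[-1]])
    strata = {label: [] for label in labels}
    for doc_no, _, amount in ledger:
        strata[labels[sum(amount >= b for b in bands)]].append(doc_no)
    return strata


def systematic_sample(items, every_n, start=0):
    """Systematic selection within a stratum: every n-th item from `start`."""
    return items[start::every_n]


def unusual_items(ledger):
    """Flag duplicate document numbers, round-thousand amounts and weekend postings
    for follow-up (constructed criteria for this example)."""
    counts = Counter(doc_no for doc_no, _, _ in ledger)
    return {
        "duplicate_doc_no": sorted(d for d, n in counts.items() if n > 1),
        "round_amount": sorted({d for d, _, a in ledger if a > 0 and a % 1_000 == 0}),
        "weekend_posting": sorted({d for d, dt, _ in ledger if dt.weekday() >= 5}),
    }


if __name__ == "__main__":
    print("depreciation exceptions:", depreciation_exceptions(ASSETS))
    strata = stratify(LEDGER)
    print("strata:", strata)
    print("sample from middle band:", systematic_sample(strata["1000-<10000"], 2))
    print("unusual items:", unusual_items(LEDGER))
```

Each function returns its findings rather than printing them, so the same program can feed an exception report (an output control from LO 3) or the auditor's working papers.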
PART C – FLOWCHARTS
LO 9: TYPES OF FLOWCHARTS:
Linear Flowchart
A Linear Flowchart is a diagram that displays the sequence of activities that make up a process
This tool can help identify rework and redundant or unnecessary steps within a process
Opportunity Flowchart
An Opportunity Flowchart (a variation of the basic linear type) differentiates process activities that add value from those that add cost only
Value-added steps are essential for producing the required product or service. Cost-added-only steps are not essential for producing the required product or service; they are added to a process to avoid something going wrong, e.g. an end-of-process review.
Deployment Flowchart
A Deployment Flowchart shows the actual process flow and identifies the people or groups involved at each step
This type of chart shows where the people or groups fit into the process sequence, and how they relate to one another throughout the process
LO 10: LEVELS OF FLOWCHARTS:
Macro level:
This is a “big picture” of flowchart for top level management
Generally, a macro-level Flowchart has six or fewer steps
Micro/Ground Level:
This provides detailed presentation of specific portion of the process by documenting every action and decision
Mini/Midi Level:
This is a flowchart between Macro and Micro
It focuses only on part of the Macro level flow chart
LO 11: APPROACH TO DRAWING A SUCCESSFUL FLOWCHART:
1 Observe the process to be documented (especially where it starts and where it ends)
2 Record the steps in the process (in narrative form, e.g. step 1, step 2, etc.)
3 Arrange the sequence of steps (the sequence may be different for different people, but it should be logical)
4 Draw the flowchart using standardized symbols
5 Check the accuracy and completeness of the flowchart using “test data”
LO 12: SYMBOLS USED IN FLOWCHARTS AND THEIR MEANINGS:
Rectangular Box
This shows an individual activity/process/instruction in the process, i.e. what to do.
Diamond
This shows a decision point. The decision is in Yes/No form (like the IF function in Excel).
Arrow / Flow-line
Circle
A circle is a connector symbol used to show a connection between two parts of a flowchart without drawing a connection line. A letter/number inside the circle clarifies the continuation.
Pentagon
A pentagon is a connector symbol like the circle, used to show a connection between two parts of a flowchart without drawing a connection line; however, it connects steps on different pages. A letter/number inside the symbol clarifies the continuation.
APPENDIX: TIPS FOR DRAWING A FLOWCHART IN THE EXAM:
1 Start from the left section of the page (not from middle)
2 Use only four symbols, i.e. Oval, Box, Diamond, Flow-line (as described below)
3 Every symbol (except arrow) is to be filled with some words
4 The flow of sequence is generally from the top of the page to the bottom of the page This can vary with loops which need to flow back to an entry point
5 A flow chart should be presented and completed on one page It should not have more than
15 symbols (including START and STOP)
Oval
1 Every flowchart will have 2 oval shapes: one at the start and the other at the end
2 At start only one arrow comes out
3 At end, only one arrow comes in (however other arrows may merge with last arrow)
Rectangular Box
1 It is always in ‘verb’ form (as it shows an activity)
2 Only one arrow should come in Box
3 Only one arrow comes out from Box which leads to next activity or a decision table (except when End)
Diamond
1 Two arrows come out from Diamond one for yes and one for no (Yes arrow should go down; No arrow should go right)
2 These arrows can lead to a Box or another Diamond
3 You can use symbols like “>”, “=”, “<” in a diamond
Arrow / Flow-line
1 Usual direction is “Top to Down” or “Left to Right” However, sometimes it may also be from down to up
2 Only one arrow enters/comes out of a shape (except diamond from which 2 arrows will come out)
3 Give arrow a head at each turn
4 An arrow may join another arrow
5 An arrow may cross over another arrow (if not to be joined)
PART D – OTHER CONTROLS
LO 13: MICRO-COMPUTER SYSTEM VS ONLINE SYSTEM:
Micro-computer system:
Benefits of micro-computer system:
More efficient and cost effective
System can be operated by user’s operating staff
Audit risks in micro-computer system:
Difficult to ensure physical security of the IT equipment, data and storage media
Unauthorized amendments to program data and files can be made
There may be several processing problems
Online System:
Benefits of Online-system:
Immediate entry of the transactions into the system
Immediate updating of master file
Immediate response to Inquiry system
Controls in Online-System:
Application Controls:
Access Controls (to prevent unauthorized access)
Programming Controls (to prevent unauthorized changes to programs)
Audit Trail and System-Logs
Firewall
General Controls:
Authorization before processing of transactions
Data validation checks
Balancing/Checking of control totals before and after processing
LO 14: OPEN SYSTEM INTERCONNECTION (OSI) MODEL AND COMMUNICATIONS PROTOCOL:
Open System Interconnection (OSI) model:
OSI (Open Systems Interconnection) is a reference model for how applications can communicate over a network.
There are 7 layers of OSI, which are as follows:
1 Physical layer – defines physical specifications for devices, e.g. copper vs fibre optic cable
2 Data link layer – This layer sets up links across the physical network
3 Network layer – This layer handles the addressing and routing of data from a source on one network to a destination on another network
4 Transport layer – provides transparent transfer of data between users
5 Session layer – This layer sets up, coordinates and terminates conversations
6 Presentation layer – This layer is part of an operating system and converts incoming and outgoing data from one presentation format to another (e.g. encryption and decryption)
7 Application layer – This is the layer at which communication partners are identified