Audit book by m asif chapter 20 IT concepts and controls

Auditing – Study Notes
Chapter 20: IT Concepts and Controls

CHAPTER TWENTY: IT CONCEPTS AND CONTROLS

LO # | Learning Objective | Reference
PART A – IT CONTROLS
LO 1 | IT Controls | 5.2.7, 5.2.11
LO 2 | IT General Controls | 5.2.7, 5.2.11, 6.3.5
LO 3 | IT Application Controls | 5.2.7, 5.2.11
LO 4 | Controls over Data Transmission | 6.3.6
PART B – USE OF COMPUTERS IN AUDITING
LO 5 | Auditing Around Computers vs Auditing Through Computers | 8.1.5
LO 6 | Computer Assisted Audit Techniques (CAATs) | 7.1.2
LO 7 | Test Data and Embedded Audit Facilities | 8.1.4
LO 8 | Audit Softwares | 8.1.4
PART C – FLOWCHARTS
LO 9 | Types of Flowcharts | 6.2.3
LO 10 | Levels of Flowcharts | 6.2.2
LO 11 | Approach to Drawing a Successful Flowchart | 6.2.4
LO 12 | Symbols Used in Flowcharts and Their Meanings | 6.2.4
Appendix | Tips for Drawing Flowchart in Exam | N/A
PART D – OTHER CONCEPTS
LO 13, LO 14 | Micro Computer System vs Online System; Open System Interconnection (OSI) Model and Communications Protocol | 5.5.1, 6.3.4, 6.3.3

PART A – IT CONTROLS

LO 1: IT CONTROLS

Control activities in an organization can be either Manual or IT/Automated/Programmed.
- Manual Control: a manual control is performed by people (e.g. authorization, review, reconciliations).
- IT/Automated/Programmed Control: a programmed control is performed by computer software (e.g. validation checks).
IT Controls are further classified into two types, i.e. IT General Controls (ITGC) and IT Application Controls.

LO 2: IT GENERAL CONTROLS

IT General Controls (ITGC): IT General Controls are those controls that operate at entity level and relate to all or many applications. General Controls support the effective functioning of application controls by ensuring the continued proper operation of the IT system.

Following are the main categories of IT General Controls:
- Controls over System Acquisition (to ensure computer based information systems and applications are developed consistent with the entity's objectives)
- Controls over System Maintenance (to ensure the system is appropriately updated and changed)
- Controls over Program Changes (to prevent/detect unauthorized program changes)
- Controls over Use of Programs and Data (to prevent use of incorrect program or data files)
- Access Controls (to prevent unauthorized access/amendment to program and data files)
- Controls over Data Center and Computer Operations (to ensure continuity of operations)

Examples of IT General Controls:

Category of Control: Controls over Data Center and Computer Operations
Objective of Control: To ensure continuity of operations
Examples of Control:
a) Security measures for protection of equipment against fire, flood, power failure, theft or other disasters
b) Disaster Recovery Plan/Contingency Plan, e.g.:
   - Offsite storage of backup data
   - Standby arrangements with third parties to provide "technical support" in the event of a disaster
   - Insurance coverage for IT infrastructure

Category of Control: Access Controls (over Programs and Data)
Objective of Control: Prevention of unauthorized access/amendment to program and data files (by employees or by hackers)
Examples of Control:
To avoid unauthorized physical access:
- Controlled single entry point with visitors' logs
- Door locks with log-in function (e.g. passwords, access cards, biometrics)
- Identification badges
- Alarm and CCTV system
To avoid unauthorized logical access:
- Each user has a unique log-in ID and password (which is difficult to guess and is changed periodically)
- There are access rights for every user which are periodically reviewed (to ensure segregation of duties)
- Inactive accounts are disabled after a pre-defined period of non-usage (e.g. accounts of terminated employees)
- Audit trail and system logs are available for all important activities
- Use of firewalls to prevent unauthorized access via the internet

Category of Control: Controls over System Acquisition
Objective of Control: Computer based information systems and applications are developed consistent with the entity's objectives
Examples of Control:
- Use of a System Development Life Cycle for design, development and programming of the new computer system
- Full documentation of new systems
- Testing of systems before implementation
- Training of staff before "live" operation of the new system
- The new system should be formally approved by the system user

Category of Control: Controls over System Maintenance
Objective of Control: Documentation and testing of (authorized) program changes
Examples of Control: Same controls as above in system acquisition

Category of Control: Controls over Program Changes
Objective of Control: To prevent/detect unauthorized program changes
Examples of Control:
- Changes to a program should be approved by the appropriate level of management
- There should be segregation of duties between the tasks of the programmer (who writes the program) and the operator (who uses the program)
- There should be full documentation of all program changes and their testing exercises

Category of Control: Controls over Use of Programs and Data
Objective of Control: To prevent use of incorrect program or data files
Examples of Control:
- Training of computer operators with "Standard Operating Procedures" and "Job Scheduling" to specify which version of the program should be used
- Supervisors should monitor the activities of staff
- Management should carry out periodic reviews to ensure that the correct versions of programs and the correct data files are being used

Audit Trail: The audit trail is the ability of users to trace a transaction through all of its processing stages. An audit trail can be provided by system logs.

System Log: A log file is a file that records events taking place in the execution of a system. Logs provide essential information that can assist in analyzing and improving a system's performance. Examples of system logs include:
- When employees entered and left the building
- Which users logged in, when and from where
- Failed log-in attempts
- Who accessed and amended a data file
- Changes made to a program: what, when and by whom
- Attempted cyber intrusions

LO 3: IT APPLICATION CONTROLS

IT Application Controls: IT Application Controls typically operate at a business process level and apply to the processing of transactions in individual applications (e.g. sales, purchases or expenses). Application controls help to ensure that transactions are properly authorized, accurately processed and distributed on time.

Following are the main categories of IT Application Controls:
- Controls over Input
- Controls over Processing
- Controls over Output
- Controls over Master File/Standing Data

Examples of IT Application Controls:

Category of Control: Controls over Input
Objective of Control: To ensure that data to be used as input to the information system is Authorized, Complete and Accurate
Examples of Control:
- Use of log-in ID and password for the operator
- Authorization of source documents (used for input)
- Source Data Automation (e.g. use of bar codes)
- Data Validation Controls. Following are the different types of data validation controls usually used:
  a) Limit Test/Check (a check to ensure that a numerical value does not exceed some predetermined value)
  b) Range/Reasonableness Test (a check to ensure that a numerical value does not fall outside a predetermined range of values, e.g. wages of employees fall within 10,000 to 25,000)
  c) Sequence Test (a check to ensure that all entries in a batch of input data are in proper numerical sequence, e.g. there is no missing purchase invoice)
  d) Existence Test (a check to ensure that a code/number exists by looking up the code in the valid record, e.g. whether a supplier exists)
  e) Format/Field Test (a check to ensure that the format of data in a field is alphabetic, numeric or alphanumeric as required, e.g. that there are no alphabets in a sales invoice number field)
  f) Check Digit (a check digit is a digit calculated in a mathematical way from the original code and then added to the end of the code as an extra digit, e.g. to detect transposition errors)
- Control Totals: A control total is the sum of all input transactions. It may be the sum of the number of transactions or the value of transactions on a batch/file. A manually calculated number/value of records is compared with the number/value of records processed by the computer to ensure that they agree.

Category of Control: Controls over Processing
Objective of Control: To ensure there is no duplication or loss of data during processing
Examples of Control:
- Limit Test
- Range Test
- On-Screen Prompts: on-screen prompts are used to ensure that a transaction is not left partly processed. A prompt displays on screen and guides the user on what to do next.
- Marking a file as read only
- Checkpoint and recovery procedures

Category of Control: Controls over Output
Objective of Control: To ensure that computer output is not distributed or displayed to unauthorized users
Examples of Control:
- Restriction on printing of confidential reports
- Distribution of reports restricted to relevant/authorized personnel only
- A distribution log should be kept (i.e. when a report was prepared, the list of its intended recipients and acknowledgement by the recipients)
- Audit trail
- Exception reports showing data that does not conform to specified criteria

Category of Control: Controls over Master File/Standing Data
Objective of Control: To ensure that data held on master files and standing files is correct
Examples of Control:
- Record counts in the master file
- Regular update of master files
- Review of master files by management

LO 4: CONTROLS OVER DATA TRANSMISSION

Controls over data transmission ensure that data is transmitted accurately, completely and with confidentiality. Controls over data transmission include:
- Data Encryption
- Using secured Wi-Fi with password protection
- Firewalls to prevent intrusion into the programs that send and receive data
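The data validation controls (limit, range, sequence, existence, format and check digit) and the control totals described under input controls, as an added worked example that is not part of these study notes: a Python batch-input routine that runs all six tests over a constructed batch of purchase invoices and agrees the program's record count and value total with the batch header. The invoice numbering, the Luhn modulus-10 check-digit scheme, the quantity limit, the amount range and the supplier master extract are assumptions made for the example.

```python
"""Programmed input controls over a batch of keyed purchase invoices.

Added example, not from the study notes. The batch, the supplier master
extract, the Luhn check-digit scheme and the limits are all constructed.
"""
import re
from decimal import Decimal

# Constructed master-file extract used by the existence test.
VALID_SUPPLIERS = {"S001", "S002", "S003"}
# Constructed predetermined values used by the limit and range tests.
MAX_QTY = 1000                                           # limit test: quantity must not exceed this
AMOUNT_RANGE = (Decimal("1.00"), Decimal("100000.00"))   # range test: amount must fall within this
INVOICE_FORMAT = re.compile(r"\d{5}")                    # format test: 4-digit base number + 1 check digit


def luhn_check_digit(payload: str) -> str:
    """Luhn (modulus 10) check digit for a numeric string; appended to the code as the extra digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(invoice_no: str) -> bool:
    """Recompute the check digit; a transposition such as 10066 -> 10606 fails this test."""
    return invoice_no[-1] == luhn_check_digit(invoice_no[:-1])


# Constructed batch as keyed by the operator (the last digit of invoice_no is the check digit).
BATCH = [
    {"invoice_no": "10017", "supplier": "S001", "qty": 10,   "amount": Decimal("4500.00")},
    {"invoice_no": "10025", "supplier": "S002", "qty": 3,    "amount": Decimal("120000.00")},  # outside amount range
    {"invoice_no": "10033", "supplier": "S999", "qty": 1,    "amount": Decimal("750.00")},     # supplier not on master
    {"invoice_no": "1004A", "supplier": "S001", "qty": 2,    "amount": Decimal("300.00")},     # letter keyed in number field
    {"invoice_no": "10058", "supplier": "S002", "qty": 5000, "amount": Decimal("1200.00")},    # exceeds quantity limit
    {"invoice_no": "10606", "supplier": "S003", "qty": 4,    "amount": Decimal("900.00")},     # 10066 with digits transposed
]
# Control totals written on the batch header by the person who prepared the batch (constructed).
BATCH_HEADER = {"record_count": 6, "amount_total": Decimal("127650.00")}


def validate_batch(records):
    """Apply the six data validation tests; return (record index, test, message) for each failure."""
    errors = []
    expected_next = None               # next base number expected by the sequence test
    for i, rec in enumerate(records):
        no = rec["invoice_no"]
        if rec["qty"] > MAX_QTY:
            errors.append((i, "limit", f"qty {rec['qty']} exceeds {MAX_QTY}"))
        lo, hi = AMOUNT_RANGE
        if not lo <= rec["amount"] <= hi:
            errors.append((i, "range", f"amount {rec['amount']} outside {lo}-{hi}"))
        if rec["supplier"] not in VALID_SUPPLIERS:
            errors.append((i, "existence", f"supplier {rec['supplier']} not on master file"))
        if not INVOICE_FORMAT.fullmatch(no):
            errors.append((i, "format", f"invoice_no {no!r} is not 5 digits"))
        elif not check_digit_valid(no):
            errors.append((i, "check_digit", f"invoice_no {no} fails check digit"))
        base = no[:-1]
        if base.isdigit():             # sequence test works on the base number without the check digit
            n = int(base)
            if expected_next is not None and n != expected_next:
                errors.append((i, "sequence", f"expected invoice {expected_next}, got {n}"))
            expected_next = n + 1
    return errors


def control_totals(records):
    """Record count and value total computed by the program, to be agreed to the batch header."""
    return len(records), sum(r["amount"] for r in records)


def totals_agree(records, header) -> bool:
    """True when the program's totals agree with the manually prepared header totals."""
    count, total = control_totals(records)
    return (count, total) == (header["record_count"], header["amount_total"])


if __name__ == "__main__":
    for idx, test, msg in validate_batch(BATCH):
        print(f"record {idx + 1}: {test} test failed: {msg}")
    print("control totals agree with batch header:", totals_agree(BATCH, BATCH_HEADER))
    # A lost source document (record 4 dropped before keying) breaks the agreement:
    print("totals agree after losing record 4:", totals_agree(BATCH[:3] + BATCH[4:], BATCH_HEADER))
```

Each record is run through every test rather than stopping at the first failure, so one exception report lists everything the operator has to correct; only the check-digit test is skipped when the format test has already failed, because there is no numeric code to recompute from. The control totals catch what the per-record tests cannot: a record that is valid on its own but missing from the batch altogether.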
- Restricting access to source data that is transmitted
- Using check sums and check digits to ensure that data received is accurate and complete
- Programmed controls that ensure data is transmitted in the correct format

Data Encryption: Encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge (called a key). There are two methods of encryption:
- Symmetric (the same key is used to encrypt and decrypt data)
- Asymmetric (different keys are used to encrypt and decrypt data; this is sometimes known as public-private key encryption)
There are two types of symmetric encryption, i.e.:
- Block Ciphers (a fixed length block is encrypted at a time)
- Stream Ciphers (the data is encrypted one 'data unit', typically a byte, at a time, in the same order it was received in)

PART B – USE OF COMPUTERS IN AUDITING

LO 5: AUDITING AROUND COMPUTERS VS AUDITING THROUGH COMPUTERS

Auditing Around Computers: "Auditing Around Computers" means that the client's 'internal' software is not audited. The auditor agrees the inputs of the system with its outputs and compares actual output with expected output. This method of auditing increases audit risk because:
- The actual files and programs of the computer system are not tested; the auditor has no direct evidence that the programs are working as documented
- Where errors are found in reconciling inputs to outputs, it may be difficult or even impossible to determine how those errors occurred

Auditing Through Computers: "Auditing Through Computers" means that the auditor uses various techniques (e.g. CAATs) to evaluate the client's computerized information system to determine the reliability of its operations (along with its output).

LO 6: COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)

Computer Assisted Audit Techniques (CAATs): CAATs are the use of computer techniques by the auditor to perform procedures and obtain audit evidence. There are two types of CAATs commonly used:
- Test Data (used as tests of control)
- Audit Softwares (used as substantive procedures)

Uses of CAATs by the Auditor: CAATs are usually performed by the auditor where an adequate audit trail is not available, or where the auditor wants to check the accuracy and completeness of processing, e.g.:
- In performing tests of controls, e.g. to ensure completeness of sales/purchase invoices
- To ensure accuracy and completeness of schedules provided by the client (e.g. wages, depreciation)
- In analytical procedures (e.g. variance analysis, turnover ratios)
- In sampling (e.g. stratification, sample selection)
- In detection of unusual items

Advantages of CAATs:
- Enable the auditor to test program controls (i.e. "auditing through computers") and not just copies or printouts
- Enable auditors to test a large volume of data accurately and completely
- Reduce the level of human error in performing audit procedures
- Reduce effort on routine work and give the opportunity to concentrate on judgmental areas

Disadvantages of CAATs:
- Expensive to set up (high investment needed for infrastructure and training of staff)
- Require co-operation of the client
- Major changes in client systems often require major changes in CAATs, which is expensive
- The client's system may not be compatible with audit softwares
- Checking the client's original files 'live' may increase the risk of files being corrupted

LO 7: TEST DATA AND EMBEDDED AUDIT FACILITIES

Test Data:
Definition: Test data is a set of dummy transactions developed by the auditor and processed by the client's IT system; the actual results are compared with the expected results to determine whether controls are operating effectively.
Problem with Test Data: A problem with test data is that it provides evidence about the operation of controls only at the time when the test data is processed (its solution is the use of Embedded Audit Facilities).

Embedded Audit Facilities (or "integrated audit facility" or "resident audit software"): These are the auditor's computer programs that are built into the client's IT system to allow the auditor to carry out tests at the time transactions are processed, in 'real time'. In this approach, a dummy department is built into the client's accounting system (usually during its original design) that operates every time the 'live' process is run. Information about the processing and controls of the client's system is stored in a file called SCARF (System Control And Review File). Only the auditor has access to this dummy department and its data. These facilities are used when:
- The database is continually processed and updated in real time by the client
- A satisfactory audit trail is not available after the processing of transactions

LO 8: AUDIT SOFTWARES

Audit softwares are computer programs used by the auditor to interrogate a client's computer files. The principal objective is substantive testing. Following are the main types of audit softwares:
- Interrogation programs: These are used to access the client's files and records and to extract data for auditing. These could be:
  - Package programs (generalised audit software), i.e. pre-prepared programs
  - Purpose-written programs, which perform specific functions of the auditor's choosing
- Interactive software: These are used in the interrogation of on-line IT systems.
- Embedded Audit Facilities (or "integrated audit facility" or "resident audit software"): defined above.

PART C – FLOWCHARTS

LO 9: TYPES OF FLOWCHARTS

Linear Flowchart
- A linear flowchart is a diagram that displays the sequence of activities that make up a process.
- This tool can help identify rework and redundant or unnecessary steps within a process.

Opportunity Flowchart
- An opportunity flowchart (a variation of the basic linear type) differentiates process activities that add value from those that add cost only.
- Value-added steps are essential for producing the required product or service. Cost-added-only steps are not essential for producing the required product or service; they are added to a process to avoid something going wrong, e.g. an end-of-process review.

Deployment Flowchart
- A deployment flowchart shows the actual process flow and identifies the people or groups involved at each step.
- This type of chart shows where the people or groups fit into the process sequence, and how they relate to one another throughout the process.

LO 10: LEVELS OF FLOWCHARTS

Macro level:
- This is a "big picture" flowchart for top level management.
- Generally, a macro-level flowchart has six or fewer steps.
Micro/Ground level:
- This provides a detailed presentation of a specific portion of the process by documenting every action and decision.
Mini/Midi level:
- This is a flowchart between macro and micro.
- It focuses only on part of the macro-level flowchart.

LO 11: APPROACH TO DRAWING A SUCCESSFUL FLOWCHART
- Observe the process to be documented (especially where to start and where to end)
- Record the steps in the process (in narrative form, e.g. step 1, step 2, etc.)
- Arrange the sequence of steps (the sequence may be different for different people but it should be logical)
- Draw the flowchart using standardized symbols
- Check the accuracy and completeness of the flowchart using "test data"

LO 12: SYMBOLS USED IN FLOWCHARTS AND THEIR MEANINGS

Shape | Function/When to use
Oval | Shows the start point and the end point of the flowchart
Rectangular Box | Shows an individual activity/process/instruction in the process, i.e. what to do
Diamond | Shows a decision point. The decision is in Yes/No form (like the 'if' command in Excel)
Arrow / Flowline | Shows the direction of the flow
Circle | A connector symbol used to show a connection between two parts of a flowchart without drawing a connection line. A letter/number inside the circle clarifies the continuation
Pentagon | A connector symbol like the circle, used to show a connection between two parts of a flowchart without drawing a connection line. However, it connects steps on different pages. A letter/number inside it clarifies the continuation

APPENDIX: TIPS FOR DRAWING FLOWCHART IN EXAM
- Start from the left section of the page (not from the middle).
- Use only four symbols, i.e. Oval, Box, Diamond, Flow-line (as described below).
- Every symbol (except the arrow) is to be filled with some words.
- The flow of sequence is generally from the top of the page to the bottom of the page. This can vary with loops, which need to flow back to an entry point.
- A flowchart should be presented and completed on one page. It should not have more than 15 symbols (including START and STOP).

Shape | Tips
Oval | Every flowchart will have oval shapes; one at the start and the other at the end. At the start only one arrow comes out. At the end, only one arrow comes in (however other arrows may merge with the last arrow).
Rectangular Box | It is always in 'verb' form (as it shows an activity). Only one arrow should come into a box. Only one arrow comes out from a box, which leads to the next activity or a decision table (except when End).
Diamond | Two arrows come out from a diamond, one for yes and one for no (the Yes arrow should go down; the No arrow should go right). These arrows can lead to a box or another diamond. You can use symbols like “>”, “=”, “
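The test data and embedded audit facility (SCARF) techniques described under LO 7 in Part B, as an added worked example that is not part of these study notes: a Python model in which the auditor's dummy transactions are processed by a stand-in for the client's programmed authorization control and the actual results are compared with the expected ones, and a resident audit module re-performs every live transaction against the documented policy and writes disagreements to a SCARF list. The authorization control, its configurable approval limits, the approved-supplier list and every transaction are constructed for the example; the configuration change made after the audit visit is likewise a constructed scenario.

```python
"""Test data and an embedded audit facility (SCARF) against a programmed control.

Added example, not from the study notes. The client's authorization control,
its configurable limits, the approved-supplier list and all transactions are
constructed for the example.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable

# Approval limits as documented in the client's authorization policy (constructed).
DOCUMENTED_LIMITS = {"clerk": Decimal("5000"), "manager": Decimal("50000")}
APPROVED_SUPPLIERS = {"S001", "S002"}          # constructed master-file extract


@dataclass(frozen=True)
class Order:
    order_no: str
    role: str          # role of the person releasing the order
    supplier: str
    amount: Decimal


def client_control(order: Order, limits: dict) -> str:
    """Constructed stand-in for the client's programmed authorization control.

    `limits` is live configuration that the client can change after the audit visit.
    """
    if order.supplier not in APPROVED_SUPPLIERS:
        return "REJECTED:supplier"
    if order.amount > limits.get(order.role, Decimal(0)):   # unknown roles have no authority
        return "REJECTED:limit"
    return "RELEASED"


def auditor_expectation(order: Order) -> str:
    """The auditor's independent re-performance, always against the documented policy."""
    return client_control(order, DOCUMENTED_LIMITS)


# Auditor's test data: dummy transactions with the result expected under the documented
# policy, including boundary values on both sides of each limit.
TEST_DATA = [
    (Order("T1", "clerk", "S001", Decimal("4999")), "RELEASED"),
    (Order("T2", "clerk", "S001", Decimal("5000")), "RELEASED"),          # exactly on the limit
    (Order("T3", "clerk", "S001", Decimal("5001")), "REJECTED:limit"),    # just over the limit
    (Order("T4", "manager", "S002", Decimal("50001")), "REJECTED:limit"),
    (Order("T5", "manager", "S999", Decimal("100")), "REJECTED:supplier"),
    (Order("T6", "intern", "S001", Decimal("1")), "REJECTED:limit"),      # role without authority
]


def run_test_data(control: Callable[[Order], str], cases=TEST_DATA):
    """Process the dummy transactions; return deviations as (order_no, expected, actual)."""
    deviations = []
    for order, expected in cases:
        actual = control(order)
        if actual != expected:
            deviations.append((order.order_no, expected, actual))
    return deviations


class EmbeddedAuditFacility:
    """Resident audit software attached to the live process: every transaction is
    re-performed against the documented policy and any disagreement is written to the
    SCARF (System Control And Review File), which only the auditor reads."""

    def __init__(self, control: Callable[[Order], str]):
        self._control = control
        self.scarf = []                # list of (order_no, expected, actual)

    def process(self, order: Order) -> str:
        actual = self._control(order)  # the client's live outcome is returned unchanged
        expected = auditor_expectation(order)
        if actual != expected:
            self.scarf.append((order.order_no, expected, actual))
        return actual


# Live transactions processed after the audit visit (constructed).
LIVE_ORDERS = [
    Order("L1", "clerk", "S001", Decimal("15000")),
    Order("L2", "manager", "S002", Decimal("30000")),
    Order("L3", "clerk", "S001", Decimal("2500")),
]


def scarf_after_live_run(limits: dict, orders=LIVE_ORDERS):
    """Run live orders through the client's control under `limits`; return the SCARF entries."""
    facility = EmbeddedAuditFacility(lambda o: client_control(o, limits))
    for order in orders:
        facility.process(order)
    return facility.scarf


if __name__ == "__main__":
    live_limits = dict(DOCUMENTED_LIMITS)
    print("deviations at the audit visit:", run_test_data(lambda o: client_control(o, live_limits)))
    # An undocumented configuration change after the visit; test data run earlier gave no warning.
    live_limits["clerk"] = Decimal("20000")
    print("SCARF entries captured in real time:", scarf_after_live_run(live_limits))
    print("deviations if test data were re-run now:", run_test_data(lambda o: client_control(o, live_limits)))
```

The test data run at the visit returns no deviations, which is evidence only for that moment; once the clerk limit is raised, the same dummy transactions would reveal the change, but nobody re-runs them, whereas the embedded facility records the first live order released outside the documented policy as it happens. Keeping the auditor's expectation tied to the documented limits rather than to the live configuration is what makes the SCARF entry meaningful.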

Posted: 28/03/2018, 11:44