This chapter describes the auditors' consideration of internal control in an IT environment. To summarize:
Auditors encounter IT-based recordkeeping in virtually every audit engagement. Even the smallest of audit clients can be expected to use a microcomputer at least to process its accounting records.
The use of an IT system by a client does not change the need to establish effective internal control; however, it does change the nature of the controls. More advanced IT features, such as online capabilities, database storage, IT networks, and end user computing, present special control risks. Therefore, specialized controls are needed, including passwords, validity tests, and computer logs.
The use of an IT may significantly affect the control system of the organization. From an organizational standpoint, it is essential to segregate the function of programming from the function of controlling input to the computer programs, and the function of the computer operator from those having detailed knowledge or custody of the computer programs.
IT controls are often classified as general control activities, application control activities, and user control activities. General control activities apply to all IT applications, and application control activities and user control activities relate only to a specific application. The auditors often consider general control activities first, because application and user control activities cannot be assumed to be effective if the general control activities are weak.
To test application control activities, the auditors will often use computer-assisted audit techniques, such as test data, integrated test facilities, controlled programs, program analysis techniques, and tagging and tracing transactions.
While generalized audit software also may be used to test application controls, it is more often used by the auditors to perform substantive tests of computerized records. Generalized audit software may be used to perform such functions as testing the clerical accuracy of records, making comparisons of related data, and selecting random samples.
Contrast the characteristics of an information technology-based system with those of a less sophisticated system. |
|
|
|
Describe the nature of various types of information technology-based systems. |
|
|
|
Describe the appropriate organizational structure in an information technology environment. |
|
|
|
Distinguish among general control activities, application control activities, and user control activities in an information technology-based system. |
|
|
|
Explain the manner in which the auditors obtain an understanding of internal control in an information technology environment. |
|
|
|
Discuss the ways in which the auditors may test controls in an information technology environment. |
|
|
|
Describe the nature of generalized audit software programs and the ways that they are used by the auditors. |