Chapter 11: The Impact of Information Technology on Audit Procedures
The fact that work is performed by a computer does not by itself mean the work is free of errors.
How does information technology enhance internal control?
- Computer controls replace manual controls and provide higher-quality information
- An audit trail is retained
- Human involvement is reduced

- Systematic errors vs. random errors
- Unrestricted access
- Lack of data
- Lack of segregation of duties
- Lack of necessary authorization
- Lack of IT experience
[Figure 11-1: Relationship between general controls and application controls. The figure places the general controls (administration of the IT function, segregation of IT duties, systems development, physical and on-line security, back-up and contingency planning, hardware controls) around the application controls (input controls, processing controls, output controls) for each cycle (cash receipts, sales, payroll, other cycles), and names the risks the general controls address: unauthorized changes to application programs, system crashes, unauthorized file updates, and unauthorized processing.]
Table 11-1: Categories of general and application controls

Control type | Category of control | Example of control
General controls | Administration of the IT function | The chief information officer or IT manager reports to senior management and the board.
General controls | Segregation of IT duties | Responsibility for programming, operations, and data control is separated.
General controls | Systems development | Teams of users, systems analysts, and programmers develop and thoroughly test software.
General controls | Physical and on-line security | Access to hardware is restricted, and passwords and user IDs limit access to software and data files.
General controls | Back-up and contingency planning | Back-up plans are prepared and tested regularly throughout the year.
General controls | Hardware controls | Memory failure or hard drive failure causes error messages on the monitor.
Application controls | Input controls | Preformatted screens prompt data input personnel for the information to be entered.
Application controls | Processing controls | Reasonableness tests review the unit selling prices used to process a sale.
Application controls | Output controls | The sales department performs a post-processing review of sales transactions.
[Figure 11-2: Segregation of IT duties. The organization chart shows the IT manager and a security administrator over the separated functions: operations (librarian, computer operators, network administrator), systems development (systems analysis, programming), and data control (data input and output, database administration).]
Table 11-2: Batch input controls

Control | Definition | Example
Financial total | Summary total of field amounts for all records in a batch that represent a meaningful total, such as dollars or amounts | The total dollars of all vendor invoices to be paid
Hash total | Summary total of codes from all records in a batch that do not represent a meaningful total | The total of all vendor account numbers for vendor invoices to be paid
Record count | Summary total of physical records in a batch to be processed | The total number of vendor invoices to be paid
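As an added illustration (not part of the original chapter), the following Python reproduces the three batch totals of Table 11-2 over a constructed batch of vendor invoices and shows which kinds of input errors each total catches, including one error that none of them catches; the account numbers, amounts and error cases are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorInvoice:
    vendor_account: int  # an account code: summing it gives a hash total
    amount_cents: int    # a meaningful amount: summing it gives a financial total


def batch_control_totals(batch):
    """The three batch input controls of Table 11-2 computed over one batch."""
    return {
        "financial_total": sum(inv.amount_cents for inv in batch),
        "hash_total": sum(inv.vendor_account for inv in batch),
        "record_count": len(batch),
    }


def reconcile(expected, received_batch):
    """Recompute the totals from the batch as it arrived for processing and
    name the totals that disagree with those recorded at data entry."""
    actual = batch_control_totals(received_batch)
    return sorted(name for name in expected if expected[name] != actual[name])


# Constructed sample batch of vendor invoices to be paid (not from the page).
ORIGINAL_BATCH = [
    VendorInvoice(10231, 125_000),
    VendorInvoice(10417, 48_250),
    VendorInvoice(10052, 310_075),
    VendorInvoice(10388, 9_900),
]


def reconcile_sample_errors():
    """Reconcile four constructed ways the batch could be damaged between
    data entry and processing; each value lists the totals that catch it."""
    expected = batch_control_totals(ORIGINAL_BATCH)
    a, b, c, d = ORIGINAL_BATCH
    cases = {
        # a record is lost: all three totals move
        "dropped_record": [a, b, c],
        # digits transposed in an account number: only the hash total moves
        "transposed_account": [VendorInvoice(10321, 125_000), b, c, d],
        # an amount keyed wrongly: only the financial total moves
        "wrong_amount": [a, VendorInvoice(10417, 48_520), c, d],
        # amounts swapped between two invoices: no total moves, so batch
        # totals alone cannot detect it; a record-level check is needed
        "swapped_amounts": [VendorInvoice(10231, 48_250),
                            VendorInvoice(10417, 125_000), c, d],
    }
    return {name: reconcile(expected, batch) for name, batch in cases.items()}
```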
Table 11-3: Processing controls

Type of processing control | Definition | Example
Validation test | Ensures the use of the correct master file, database, and program in processing | Does the internal label on the payroll master file tape match the file label indicated in the application software?
Sequence test | Determines that data submitted for processing is in the correct order | Has the file of payroll input transactions been sorted in departmental order before processing?
Arithmetic accuracy test | Checks the accuracy of processed data | Does the sum of net pay plus withholdings equal gross pay for the entire payroll?
Data reasonableness test | Determines whether data exceeds prespecified amounts | Does an employee's gross pay exceed 60 hours or $999 for the week?
Completeness test | Determines that every field in a record has been completed | Is the employee number, name, number of regular hours, number of overtime hours, department number, etc., included for each employee?
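As an added example (not from the chapter), the following Python applies the five processing-control tests of Table 11-3 to a constructed weekly payroll file; the file label, record layout and employee records are constructed, the 60-hour and $999 limits come from the table's examples, and amounts are kept in cents.

```python
REQUIRED_FIELDS = ("employee_number", "name", "regular_hours", "overtime_hours",
                   "department", "gross_pay", "withholdings", "net_pay")
MAX_WEEKLY_HOURS = 60            # reasonableness limits from Table 11-3
MAX_WEEKLY_GROSS_CENTS = 99_900  # $999

def run_processing_controls(records, file_label, expected_label):
    """Apply the Table 11-3 tests to one payroll run. Returns a list of
    (test, employee_number, detail) exceptions in the order they are found."""
    exceptions = []
    # validation test: the file's internal label must match the one the
    # application expects, otherwise the wrong master file is being used
    if file_label != expected_label:
        exceptions.append(("validation", None, f"{file_label!r} != {expected_label!r}"))
    prev_dept = None
    for rec in records:
        emp = rec.get("employee_number")
        # completeness test: every required field must be present and non-empty
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            exceptions.append(("completeness", emp, "missing " + ", ".join(missing)))
            continue  # the remaining tests need the missing fields
        # sequence test: records must arrive sorted by department number
        if prev_dept is not None and rec["department"] < prev_dept:
            exceptions.append(("sequence", emp, f"dept {rec['department']} after {prev_dept}"))
        prev_dept = rec["department"]
        # arithmetic accuracy test: net pay plus withholdings must equal gross pay
        if rec["net_pay"] + rec["withholdings"] != rec["gross_pay"]:
            exceptions.append(("arithmetic", emp, "net + withholdings != gross"))
        # data reasonableness test: hours and gross pay within the weekly limits
        hours = rec["regular_hours"] + rec["overtime_hours"]
        if hours > MAX_WEEKLY_HOURS or rec["gross_pay"] > MAX_WEEKLY_GROSS_CENTS:
            exceptions.append(("reasonableness", emp, f"{hours} h, {rec['gross_pay']} cents"))
    return exceptions

def _rec(emp, name, reg, ot, dept, gross, withheld, net):
    return dict(employee_number=emp, name=name, regular_hours=reg, overtime_hours=ot,
                department=dept, gross_pay=gross, withholdings=withheld, net_pay=net)

# Constructed payroll records (not from the page); each record after the
# first violates exactly one of the tests, as noted.
SAMPLE_PAYROLL = [
    _rec(101, "A. Ng", 40, 0, 10, 80_000, 18_000, 62_000),        # clean
    _rec(102, "B. Ruiz", 40, 25, 10, 137_500, 30_000, 107_500),   # 65 h and > $999
    _rec(103, "C. Diallo", 38, 2, 20, 70_000, 15_000, 54_000),    # 54000+15000 != 70000
    _rec(104, "", 40, 0, 20, 60_000, 12_000, 48_000),             # name missing
    _rec(105, "E. Kowalski", 40, 0, 15, 75_000, 16_000, 59_000),  # dept 15 after 20
]
SAMPLE_LABEL = "PAYMST-W31"  # constructed internal label of the payroll master file
```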
The impact of information technology on audit procedures
The effect of IT controls on control risk and substantive tests
Auditing in a less complex IT environment
Auditing in a more complex IT environment
1. The test data should include every condition the auditor considers relevant.
2. The data the auditor uses for testing should be consistent with the data the client uses throughout the year.
3. The test data should be eliminated from the client's records.
[Figure 11-3: Test data approach. Input test transactions designed to test the key control procedures are processed through the client's application programs (assume a batch system) against the master files and transaction files, either of which may be contaminated by the test data, and yield control test results; the auditor predicts the results of the key control procedures from an understanding of internal control, compares the prediction with the actual control test results, and records the differences between the actual outcome and the predicted result.]
Parallel simulation: the auditor uses software under the auditor's own control to reprocess the client's data and so test the client's software.
[Figure 11-4: Parallel simulation. Production transactions and the master file are processed both by the client's application system programs (client results) and by an auditor-prepared program that simulates all or part of the client's application system (auditor results); the auditor compares the client's application system output with the auditor's understanding of the client's systems via the parallel simulation and produces an exception report noting the differences.]
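As an added example (not the chapter's own), the following Python sketches the parallel simulation of Figure 11-4 for one client pricing routine: the auditor's program reprocesses production sales transactions under the pricing policy the auditor understands the client to apply and lists every transaction whose client-reported amount differs, which is the exception report. The policy (2% discount at 100 units or more), the transactions and the client output are all constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed pricing policy the auditor understands the client to apply:
# extended amount = quantity x unit price, less 2% when quantity >= 100.
DISCOUNT_THRESHOLD = 100
VOLUME_DISCOUNT = Decimal("0.02")
CENT = Decimal("0.01")


def simulate_extended_amount(quantity, unit_price):
    """Auditor-prepared re-implementation of the client's pricing step."""
    amount = Decimal(quantity) * Decimal(unit_price)
    if quantity >= DISCOUNT_THRESHOLD:
        amount *= Decimal(1) - VOLUME_DISCOUNT
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(transactions, client_output):
    """Reprocess every production transaction with the auditor's program and
    return the exception report: (transaction id, client amount, auditor
    amount) for each transaction where the two results differ."""
    report = []
    for tx in transactions:
        auditor_amount = simulate_extended_amount(tx["quantity"], tx["unit_price"])
        client_amount = Decimal(client_output[tx["id"]])
        if client_amount != auditor_amount:
            report.append((tx["id"], str(client_amount), str(auditor_amount)))
    return report


# Constructed production transactions and the amounts the client's
# application system reported for them (not from the page).
PRODUCTION_TRANSACTIONS = [
    {"id": "S-1001", "quantity": 12, "unit_price": "19.99"},
    {"id": "S-1002", "quantity": 100, "unit_price": "4.50"},
    {"id": "S-1003", "quantity": 250, "unit_price": "3.20"},
    {"id": "S-1004", "quantity": 99, "unit_price": "10.00"},
]
# S-1002 is reported without the discount: the client's program applies it
# only above 100 units, a boundary error the simulation exposes.
CLIENT_OUTPUT = {"S-1001": "239.88", "S-1002": "450.00",
                 "S-1003": "784.00", "S-1004": "990.00"}
```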
Embedded audit module approach: the auditor embeds an audit module in the client's application system to capture transactions with the characteristics the auditor is interested in.