Arens, Loebbecke; Auditing, 8/E
2000 Prentice Hall, Inc.
Chapter 11
THE IMPACT OF INFORMATION TECHNOLOGY ON THE AUDIT PROCESS
JUST BECAUSE THE COMPUTER DID THE WORK DOESN’T MEAN IT’S RIGHT
How Information Technologies Enhance Internal Control
Computer controls replace manual controls
Higher-quality information is available
Visibility of audit trail
Reduced human involvement
Systematic versus random errors
Unauthorized access
Loss of data
Reduced segregation of duties
Lack of traditional authorization
Need for IT experience
General Controls
Application Controls
General Controls
Administration of the IT Function
Segregation of Duties
Systems Development
Physical and On-Line Security
Back-Up and Contingency Planning
Hardware Controls
Application Controls
Input Controls
Processing Controls
Output Controls
FIGURE 11-1: Relationship between General and Application Controls
[Figure labels: GENERAL CONTROLS; Cash Receipts Application Controls; Sales Application Controls; Payroll Application Controls; Other Cycle Application Controls; Risk of unauthorized change to application software; Risk of system crash; Risk of unauthorized master file update; Risk of unauthorized processing]
TABLE 11-1: Categories of General and Application Controls

| Control Type | Category of Control | Example of Control |
|---|---|---|
| General controls | Administration of the IT function | Chief information officer or IT manager reports to senior management and board. |
| General controls | Segregation of IT duties | Responsibility for programming, operations, and data control are separated. |
| General controls | Systems development | Teams of users, systems analysts, and programmers develop and thoroughly test software. |
| General controls | Physical and on-line security | Access to hardware is restricted, and passwords and user IDs limit access to software and data files. |
| General controls | Back-up and contingency planning | back-up plans are prepared and tested regularly throughout the year. |
| General controls | Hardware controls | failure or hard drive failure causes error messages on the monitor. |
| Application controls | Input controls | Preformatted screens prompt data input personnel for information to be entered. |
| Application controls | Processing controls | Reasonableness tests review unit-selling prices used to process a sale. |
| Application controls | Output controls | The sales department performs post-processing review of sales transactions. |
FIGURE 11-2: Segregation of IT Duties
[Organization chart boxes: Chief Information Officer or IT Manager; Security Administrator; Systems Development; Systems Analyst; Programmers; Operations; Computer Operators; Librarian; Network Administrator; Data Control; Data Input/Output Control; Database Administrator]
TABLE 11-2: Batch Input Controls

| Control | Definition | Examples |
|---|---|---|
| Financial total | Summary total of field amounts for all records in a batch that represent a meaningful total such as dollars or amounts | The total of dollars of all vendor invoices to be paid |
| Hash total | Summary total of codes from all records in a batch that do not represent a meaningful total | The total of all vendor account numbers for vendor invoices to be paid |
| Record count | Summary total of physical records in a batch | The total number of vendor invoices to be processed |
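
The three batch input controls in Table 11-2 catch different input errors. The following is an added example, not part of the original slides or the textbook; the invoice records, field names and the `reconcile` helper are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch of vendor invoices to be paid (not from the page).
BATCH = [
    {"vendor_account": 10452, "amount": Decimal("1250.00")},
    {"vendor_account": 20317, "amount": Decimal("89.95")},
    {"vendor_account": 30876, "amount": Decimal("4310.50")},
]

def batch_totals(records):
    """Compute the three batch input controls for a list of invoice records."""
    return {
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["vendor_account"] for r in records),
        "record_count": len(records),
    }

def reconcile(control, records):
    """Return the names of the controls that disagree with the batch header."""
    actual = batch_totals(records)
    return sorted(name for name, value in control.items() if actual[name] != value)

def with_change(records, index, **fields):
    """Copy of the batch with one record altered (a simulated keying error)."""
    changed = [dict(r) for r in records]
    changed[index].update(fields)
    return changed

# Control totals prepared when the batch was assembled, before data entry.
CONTROL = batch_totals(BATCH)

if __name__ == "__main__":
    scenarios = {
        "clean batch": BATCH,
        "vendor account transposed": with_change(BATCH, 0, vendor_account=10425),
        "amount miskeyed": with_change(BATCH, 1, amount=Decimal("98.95")),
        "record dropped": BATCH[:-1],
    }
    for label, records in scenarios.items():
        print(f"{label}: failed controls = {reconcile(CONTROL, records) or 'none'}")
```

A transposed account number leaves the dollar total and record count intact, so only the hash total exposes it.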
TABLE 11-3: Processing Controls

| Type of Processing Control | Definition | Examples |
|---|---|---|
| Validation test | Ensures the use of the correct master file, database, and program in processing | Does the internal label on the payroll master file tape match the file label indicated in the application software? |
| Sequence test | Determines that data submitted for processing is in the correct order | Has the file of payroll input transactions been sorted in departmental order before processing? |
| Arithmetic accuracy test | Checks the accuracy of processed data | Does the sum of net pay plus withholdings equal gross pay for the entire payroll? |
| Data reasonableness test | Determines whether data exceeds prespecified amounts | Does employee’s gross pay exceed 60 hours or $999 for the week? |
| Completeness test | Determines that every field in a record has been completed | Is employee number, name, number of regular hours, number of overtime hours, department number, etc., included for each employee? |
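
The five tests in Table 11-3, applied to one payroll run, as an added example that is not part of the original slides or the textbook. The payroll records, field names, file labels and the `processing_exceptions` function are constructed; the 60-hour and $999 limits are the ones quoted in the table.

```python
from decimal import Decimal as D

REQUIRED = ("employee_number", "name", "regular_hours", "overtime_hours", "department")
MAX_HOURS, MAX_GROSS = 60, D("999")  # weekly limits quoted in Table 11-3

def processing_exceptions(file_label, expected_label, records):
    """Apply the five Table 11-3 tests; return (test, detail) tuples."""
    found = []
    # Validation test: is this the master file the program expects?
    if file_label != expected_label:
        found.append(("validation", file_label))
    for r in records:
        emp = r.get("employee_number")
        # Completeness test: 0 hours is a valid value, blank or missing is not.
        missing = [f for f in REQUIRED if r.get(f) in (None, "")]
        if missing:
            found.append(("completeness", (emp, missing)))
        # Data reasonableness test: hours or gross pay above the weekly limit.
        hours = (r.get("regular_hours") or 0) + (r.get("overtime_hours") or 0)
        if hours > MAX_HOURS or r["gross_pay"] > MAX_GROSS:
            found.append(("reasonableness", emp))
    # Sequence test: input must already be sorted in departmental order.
    depts = [r["department"] for r in records if r.get("department") is not None]
    if depts != sorted(depts):
        found.append(("sequence", depts))
    # Arithmetic accuracy test: net pay + withholdings = gross pay for the payroll.
    gross = sum(r["gross_pay"] for r in records)
    paid = sum(r["net_pay"] + r["withholdings"] for r in records)
    if paid != gross:
        found.append(("arithmetic", gross - paid))
    return found

def rec(emp, name, reg, ot, dept, gross, withheld, net):
    """Build one payroll record; amounts are given as strings for exact decimals."""
    return dict(employee_number=emp, name=name, regular_hours=reg, overtime_hours=ot,
                department=dept, gross_pay=D(gross), withholdings=D(withheld), net_pay=D(net))

# Constructed payroll input file (not from the page).
PAYROLL = [
    rec(101, "A. Rivera", 40, 0, 10, "800.00", "160.00", "640.00"),
    rec(204, "B. Chen", 40, 25, 20, "1450.00", "362.50", "1087.50"),
    rec(150, "", 38, 0, 10, "760.00", "152.00", "600.00"),
]

if __name__ == "__main__":
    for test, detail in processing_exceptions("PAYROLL-WK14", "PAYROLL-WK14", PAYROLL):
        print(f"{test}: {detail}")
```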
IMPACT OF INFORMATION TECHNOLOGY ON THE AUDIT PROCESS
Effects of IT Controls on Control Risk and Substantive Test
Auditing in Less Complex IT Environments
Auditing in More Complex IT Environments
1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by the auditor’s test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client’s records.
FIGURE 11-3: Test Data Approach
[Flowchart labels: Input Test Transactions to Test Key Control Procedures; Application Programs (Assume Batch System); Master Files; Contaminated Master Files; Transaction Files (Contaminated?); Control Test Results; Auditor Predicted Results of Key Control Procedures Based on an Understanding of Internal Control; Auditor Makes Comparisons; Differences between Actual Outcome and Predicted Result]
The auditor uses auditor-controlled
software to perform parallel operations to
the client’s software by using the same data files.
FIGURE 11-4: Parallel Simulation
[Flowchart labels: Production Transactions; Master File; Auditor-Prepared Program; Client Application System Programs; Auditor Results; Client Results; Auditor Prepares a Program to Simulate all or Part of a Client’s Application System; Auditor Makes Comparisons between Client’s Application System Output and Understanding of the Client Systems via the Parallel Simulation; Exception Report Noting Differences]
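
A small parallel simulation in the shape of Figure 11-4, as an added example that is not part of the original slides or the textbook. The master file, transactions, client results and the time-and-a-half overtime rule in `auditor_program` are all constructed assumptions.

```python
from decimal import Decimal as D

# Constructed data (not from the page): read-only copies of the client's
# master file of hourly rates and one week of production transactions.
MASTER = {101: D("20.00"), 204: D("25.00"), 150: D("18.50")}
TRANSACTIONS = [(101, 40, 0), (204, 40, 5), (150, 38, 0)]  # (employee, regular, overtime)

# Constructed output of the client application: gross pay per employee.
CLIENT_RESULTS = {101: D("800.00"), 204: D("1250.00"), 150: D("703.00"), 999: D("500.00")}

def auditor_program(master, transactions):
    """Auditor's independent calculation. Assumed pay rule: overtime at 1.5x rate."""
    results = {}
    for emp, regular, overtime in transactions:
        rate = master[emp]
        results[emp] = rate * regular + rate * D("1.5") * overtime
    return results

def exception_report(auditor, client):
    """List (employee, auditor result, client result) wherever the two differ.

    None marks an employee present in only one set of results, for example a
    payment in the client output with no transaction in the production file.
    """
    report = []
    for emp in sorted(auditor.keys() | client.keys()):
        a, c = auditor.get(emp), client.get(emp)
        if a != c:
            report.append((emp, a, c))
    return report

if __name__ == "__main__":
    auditor_results = auditor_program(MASTER, TRANSACTIONS)
    for emp, a, c in exception_report(auditor_results, CLIENT_RESULTS):
        print(f"employee {emp}: auditor={a} client={c}")
```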
Embedded Audit Module Approach
Auditor inserts an audit module in the client’s
application system to capture transactions
with characteristics that are of specific
interest to the auditor.