Auditing in a CIS Environment - Part 1


AUDITING IN AN INFORMATION TECHNOLOGY (IT) SYSTEM ENVIRONMENT - PART I

Expected Learning Outcomes

After studying this chapter, you should be able to:

1. Describe the nature of information technology and its capabilities.

2. Enumerate and describe the major components of an information system.

3. Know the five fundamental functions of an information system.

4. Describe the characteristics of various types of IT-Based Systems.

5. Understand the auditor's responsibilities with respect to internal control over IT
systems.

6. Describe the general control, application control and user control activities in an IT
system.

INTRODUCTION

The studies cover:

1. An overview of a Computer Information System (CIS),
2. Characteristics of specific computer information systems,
3. Internal control over IT activities, and
4. Auditor's objectives, approach and procedures in performing an audit in an IT
environment.

Nature of IT and its Capabilities

The term information technology (IT) generally refers to a wide variety of computer
hardware and software technologies that are used to manage and control information. When
IT is organized to perform a specific task or organizational process, an information system
is created.

In a traditional IT environment, information is processed on a large mainframe computer by a
separate information systems department, often using software developed or modified by
employees of that department. The other departments of the company, referred to as user
departments, send their data to the information systems department and receive computer-
generated reports when processing is complete. In recent years, however, commercially
available computer software varies from applications costing less than P15,000 that are in
essence electronic checkbooks (e.g., Money, Quicken) or basic general ledger systems (e.g.,
QuickBooks) to ERP systems costing into hundreds of thousands or millions of pesos (e.g.,
systems by Microsoft, Oracle, PeopleSoft and SAP).

For small businesses, computer applications are frequently implemented by personnel within
user departments, using off-the-shelf software packages. The need for the client to employ
computer programmers for those applications is thus eliminated.

Large businesses may use client/server architecture (IT architecture), in which a
number of "client" computers are connected either to the corporate mainframe system or to
another "server" computer.

A more recent development is the use of cloud computing by companies of all sizes. Cloud
computing involves the use of IT services that are accessible over the Internet by subscription
or lease from IT service providers, such as Amazon Web Services.

Although IT has created some challenging problems for professional accountants, it also has
broadened the horizons of these professionals and expanded the range and value of the
services they offer. Technology is more than a tool for performing routine accounting tasks
with unprecedented speed and accuracy. It makes possible the development of information
that could not have been gathered in the past because of time and cost limitations. When a
client maintains accounting records with a complex and sophisticated IT-based system,
auditors often find it helpful, and even necessary, to utilize technology in performing many
auditing procedures. In addition, these systems make large amounts of data available to the
auditors to perform data analytics that can improve the effectiveness and efficiency of certain
audit procedures.

Major Components of an Information System

A typical information system records, processes, stores and disseminates information. An
accounting information system consists of the methods and records established to record,
process, summarize, and report an entity's transactions and to maintain accountability for the
related assets, liabilities, and equity.

Generally, all information systems are comprised of the following major components:

1. Hardware - This refers to the computer and peripheral equipment for input, output
and storage of data.

2. Software - This refers to the series of programs that provide instructions for operating
the computer or tell the computer equipment what to do.

Software is of two major types:

(1) System software, which controls the operations of the computer itself (e.g., the
operating system, which schedules tasks, executes applications and controls connected
devices), and

(2) Application software, which is designed to perform specific tasks (e.g., a payroll
application).

3. Data - This refers to the inputs and outputs of the computer system. Most
accounting information systems are structured to store data in a
database, which is an organized collection of data.

4. People - These are the users and information systems professionals.

5. Procedures - These are policies and practices within a company for operating and
maintaining the information system.

6. Networks - These are the specialized hardware and software that allow different IT
devices to connect with each other to share data, software, and other
hardware resources.

Functions of an Information System

Regardless of the information system components used, the architecture or the business task
undertaken, information systems perform five fundamental functions, briefly discussed below:

1. Capture Input

Inputs are the data needed by the system. An information system must provide a mechanism
to capture input. Input can come from many different types of devices, including data entered
via a keyboard, a mouse, barcodes, RFID tags, scanning devices, or voice-enabled
applications such as Siri and Alexa.

2. Process

The transformation of input into output is called processing. Performing calculations,
validating information, updating records, and tracking raw materials are all examples of
processing.

3. Convey Output

Outputs are the result of processing the data. The most common types of output are hardcopy
(printed) reports, output that is displayed electronically (on-screen), and output that is used as
input for other information systems.

4. Collect Feedback

In order to determine whether the system is working as planned, feedback - data about the
performance of the system - is collected.

5. Controls

Controls refer to the processes and procedures that restrict and monitor input, processing and
output to provide reasonable assurance that organizational objectives are being met, including
reliable financial reporting.

CHARACTERISTICS OF VARIOUS TYPES OF IT-BASED SYSTEMS

Batch processing

is a system in which like transactions are processed periodically as a group (e.g., payroll
transactions). This system does not provide up-to-the-minute or real-time transaction
information.

Real-time or online processing

is a system that allows immediate update or access to data, or instantaneous analysis of data.

Online transaction processing (OLTP)

is a processing method in which the IT system processes data immediately after it is captured
and provides information to the users on a timely basis. (OLTP examples include airline
reservation systems and banking systems.)

Decision support system

An information system that combines models and data in an attempt to solve non-structured
problems with extensive user involvement.

Expert system

A computerized information system that guides decision processes within a well-defined area
and allows the making of decisions comparable to those of an expert.

Centralized Processing System

Computer systems in which processing is performed by one computer or by a cluster of
coupled computers in a single location. Data are often input and reports printed using
workstations. When the workstations themselves perform significant processing, the system
becomes a client/server environment.

Decentralized Processing Systems

Computer systems in different locations. Although data may be transmitted between the
computers periodically, such a system involves only limited communications among systems.
Contrast with distributed processing and centralized processing.

Client/server architecture (IT architecture)

A network system in which multiple computers (clients) share the memory and other
capabilities of a larger computer (the server), or that of printers, databases, and so on.

Local Area Network (LAN)

A communications network that interconnects computers within a limited area, typically a
building or a small cluster of buildings.

Wide Area Network

A communications network that interconnects computers within a large geographical area.

Cloud Computing

A model for enabling on-demand user network access to a shared pool of
computing resources (e.g., servers, storage, applications, and services), often through a web
browser with minimal effort on the part of the user.

For example, an independent service provider may maintain databases for a client that can
be accessed in a number of locations by client personnel.

Virtualized client / server infrastructure

A virtual infrastructure is a software-based IT infrastructure being hosted on another physical
infrastructure. This type of infrastructure is used for cloud computing.

Electronic Data Interchange (EDI)

A system in which data are exchanged electronically between the computers of different
companies. In an EDI system, source documents are replaced with electronic transactions
created in a standard format.

AUDITOR'S RESPONSIBILITIES

The auditor's responsibilities with respect to internal control over IT systems remain the same
as with manual systems, that is, to obtain an understanding adequate (1) to aid in planning
the remainder of the audit and (2) to assess control risk. Yet, factors such as the following
may affect the study of internal control in that computer systems may:

1. Result in transaction trails that exist for a short period of time or only in a computer-readable
form;

2. Include program errors that cause uniform mishandling of transactions - clerical errors become
less frequent;

3. Include computer controls that need to be relied upon instead of segregation of functions;

4. Involve increased difficulty in detecting unauthorized access;

5. Allow increased management supervisory potential resulting from more timely reports;

6. Include less documentation of initiation and execution of transactions;

7. Include computer controls that affect the effectiveness of related manual control procedures
that use computer output.

INTERNAL CONTROL IN AN IT ENVIRONMENT

1. General control activities
2. Application control activities
3. User control activities

GENERAL CONTROLS

In an IT environment, general controls are those that affect multiple application systems, e.g.,
payroll, accounts payable, and accounts receivable.

Five categories of general controls are presented in the AICPA audit guide.

The five categories are:

(A) organization and operation controls,
(B) systems development and documentation controls,
(C) hardware and systems software controls,
(D) access controls, and
(E) data and procedural controls.

Each category described here includes a discussion of the control, as well as detailed examples.

A. Organizational and Operation Controls

(1) Controls

(a) Segregate functions between the IT department and user departments

(b) Do not allow the IT department to initiate or authorize transactions

(c) Segregate functions within the IT department

(2) Segregation of duties provides the control mechanism for maintaining an independent
processing environment, thus meeting the control objectives. In addition to organizationally
segregating the IT department from the user departments, the key functions within IT
should be segregated to ensure maximum separation of duties.

The key functions are:

(a) Systems analyst

The systems analyst is responsible for analyzing the present user environment and
requirements and

(1) recommending the specific changes which can be made,
(2) recommending the purchase of a new system,
(3) designing a new IT system.

The analyst is in constant contact with the user department and the programming
staff to ensure the user's actual and ongoing needs are being met. A system
flowchart is one tool used by the analyst to define the system requirements.

(b) Applications programmer –

The applications programmer is responsible for writing, testing, and debugging the
application programs from the specifications (whether general or specific) provided
by the systems analyst. A program flowchart is one tool used by the applications
programmer to define the program logic.

(c) Systems programmer –

The systems programmer is responsible for implementing, modifying, and
debugging the software necessary for making the hardware work (such as the
operating system, telecommunications monitor, and the database management
system).

(d) Operator -

The operator is responsible for the daily computer operations of both the hardware
and the software. She/He mounts magnetic tapes on the tape drives, supervises
operations on the operator's console (a special CRT), accepts any required input,
and distributes any generated output.

(e) Data librarian -

The librarian is responsible for the custody of the removable media, i.e., magnetic
tapes or disks, and for the maintenance of program and system documentation.

(f) Quality assurance

The quality assurance function is a relatively new function established primarily to
ensure that new systems under development and old systems being changed are
adequately controlled and that they meet the user's specifications and follow
department documentation standards.

(g) Control group –

The control group acts as liaison between users and the processing center. This
group records input data in a control log, follows the progress of processing,
distributes output and ensures compliance with control totals.

(h) Data security –


The data security function is responsible for maintaining the integrity of the on-line
access control security software. Passwords and IDs are issued to users and
follow-up is done on all security violations. Review of the work of the data security
function can minimize testing.

(i) Database administrator –


In a database environment, a database administrator (DBA) may exist as another
key function. The DBA is responsible for maintaining the database and restricting
access to the database to authorized personnel.

(j) Network technician –

The network technician is fast becoming the most powerful position in an MIS
organization. Using line monitoring equipment, they can see each keystroke made
by any user. This group must have strict accountability controls.

From an ideal standpoint, all of the key functions should be segregated; however,
in a small IT environment, many of the key functions are concentrated in a small
number of employees. In this situation, two key functions that should be segregated
are the applications programmer and the operator. When these functions are not
segregated, irregularities in IT can be perpetrated and concealed and the auditor
should not rely on the controls within IT.

The auditor's tests of controls (compliance tests) of the organization and operation
controls should include inquiry, observation, discussion, and review of an
appropriate organization chart and of the responsibility for initiating and authorizing
transactions; discrepancies should be reported and the appropriate controls
recommended.

B. Systems development and documentation controls

(1) Controls

(a) User departments must participate in systems design.

(b) Each system must have written specifications which are reviewed and approved by
Management and by user departments.

(c) Both users and IT personnel must test new systems.

(d) Management, users, and IT personnel must approve new systems before they are
placed into operation.

(e) All master and transaction file conversions should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis.

(f) After a new system is operating there should be proper approval of all program
changes.

(g) Proper documentation standards should exist to assure continuity of the system.

(2) Within IT, new systems are developed that either replace old systems or enhance
present systems. This environment requires unique controls to ensure that the
integrity of the overall system is maintained.

Two common controls over system change include the following:

(a) Design methodology –

All new systems being developed should flow through a documented process that
has specific control points where the overall direction of the system can be
evaluated and changes, if needed, can be made.

(b) Change control process –

To effect a change on a system that is presently operating, a formal change
process should exist that requires formal approval before any change is
implemented. Once approved, the change is developed and tested before it is
incorporated into the present system. Programmers should not have access to live
data files or production programs. All program changes and maintenance should
be done with copies of the program using test data only. This control process
applies to any system or program changes, as well as any changes to a file
structure or file content.

The auditor should use tests of controls (compliance tests) to determine that the
system development procedures that exist are properly functioning and are
adequately documented. All documentation pertaining to procedures, programs, or
methodologies should be up to date and written in clear, concise language.

C. Hardware and systems software controls

(1) Controls

(a) The auditor should be aware of control features inherent in the computer
hardware, operating system, and other supporting software and ensure that
they are utilized to the maximum possible extent.

(b) Systems software (e.g., the operating system) should be subjected to the same
control procedures as those applied to installation of and changes to
application programs.

(2) The reliability of IT hardware has increased dramatically over the last decade. This
is primarily due to the chip technology. However, it is also due to the controls built
into the mechanism to detect and prevent equipment failures.

The following are examples of such controls:

(a) Parity check –

A special bit is added to each character stored in memory that can detect if the hardware loses
a bit during the internal movement of a character, similar to a check digit.

(b) Echo check –

Primarily used in telecommunications transmissions. During the sending and receiving of
characters, the receiving hardware repeats back to the sending hardware what it received and
the sending hardware automatically resends any characters that it detects were received
incorrectly.

(c) Diagnostic routines -

Hardware or software supplied by the manufacturer to check the internal operations and
devices within the computer system. These routines are often activated when the system is
booted up.

(d) Boundary protection -

Most CPUs have multiple jobs running simultaneously (multiprogramming environment). To
ensure that these simultaneous jobs cannot destroy or change the allocated memory of
another job, the system contains boundary protection controls.

(e) Periodic maintenance –


The system should be examined periodically (often weekly) by a qualified service technician.
Such service can help to prevent unexpected hardware failures.

Tests of controls (compliance tests) that cover hardware and system software controls test
whether the controls are functioning as intended. In addition, audit software can be used to
analyze the data collected by the diagnostic routines and detect significant trends.

D. Access controls

(1) Controls
(a) Access to program documentation should be limited to those persons who require it in the
performance of their duties.

(b) Access to data files and programs should be limited to those individuals authorized to
process data.

(c) Access to computer hardware should be limited to authorized individuals such as computer
operators and their supervisors.
(2) Access to the IT environment

(a) Physical access controls

(1) Limited physical access –

The physical facility that houses IT equipment, files, and documentation should have
controls to limit access only to authorized individuals.

(2) Visitor entry logs –

Any individual entering a secure area must be either pre-approved by management
and wearing an ID badge or authorized by an appropriate individual, recorded in a
visitor's log, and escorted while in the secure area.

(b) Electronic access controls

(1) Access control software (user identification) –

The most used electronic access control is a combination of a unique identification
code and a confidential password. Upon termination, the password should be deleted.
Access control can be used to

(1) limit access to the entire system and

(2) limit what the individual can look at once she/he is inside the system. The system
should place restrictions on the level of information that a user can read and/or
change.

(2) Call back -

It is a specialized form of user identification that is used in highly sensitive systems.

In a call back system the user dials up the system, identifies him/herself, and is
disconnected from the system. Then either:

(1) an individual manually looks up the authorized telephone number for the
individual or

(2) the system automatically looks up the authorized telephone number of that
individual, calls back the individual, and reestablishes communications.

(3) Encryption boards -

They are new devices that are installed in the back of a microcomputer or stand
alone devices for larger systems. The board is programmed with a "key" that makes
data unreadable to anyone who might intercept a data transmission.

Access controls are tested by attempting to violate the system, either physically or
electronically, or reviewing any unauthorized access that has been recorded. The
auditor must use tests of controls (compliance tests) to ensure that all security
violations are followed up to ensure they are errors.

E. Data and procedural controls

(1) Controls

(a) A control group should:

1) Receive all data to be processed.
2) Ensure that all data are recorded.
3) Follow up on errors during processing and determine that transactions are
corrected and resubmitted by the proper user personnel.
4) Verify the proper distribution of output.

(b) A written manual of systems and procedures should be prepared for all computer
operations and should provide for management's general or specific authorization
to process transactions.

(c) Internal auditors (or another independent group in the organization; e.g., quality
assurance) should review and evaluate proposed systems at critical stages of
development and review and test computer processing activities.

(2) The IT environment

It should be clearly defined in detail and appropriately documented so each individual
responsible for processing knows what to do in each situation that may arise. To prevent
unnecessary stoppages or errors in processing, the following specific controls should be
implemented:

(a) Operations run manual –

The operations manual specifies, in detail, the "how to's" for each application to enable
the computer operator to respond to any errors that may occur.

(b) Backup and recovery –

To ensure the preservation of historical records and the ability to recover from an
unexpected error, files created within IT are backed up in a systematic manner.

(c) Contingency processing –

Detailed contingency processing plans should be developed to prepare for natural
disasters (such as a lightning strike), manmade disasters (such as arson), or general
hardware failures that disable the data center.

(d) Processing controls –

Processing controls should be monitored by the control group to ensure that
processing is completed in a timely manner (controlled through a production schedule
of the IT department), all hardware errors have been corrected (controlled through an
operator's log), and output has been properly distributed (controlled through distribution
logs).

(e) File protection ring –

A file protection ring is a processing control to ensure that an operator does not use a
magnetic tape as a tape to write on when it actually has critical information on it. If the
ring is on the tape, data can be written on the tape.

(f) Internal and external labels

External labels are paper labels attached to a reel of tape or other storage medium
which identify the file.

Internal labels perform the same function through the use of machine-readable
identification in the first record of a file. The use of labels allows the computer operator
to determine whether the correct file has been selected for processing. Trailer labels
are often used on the end of a magnetic tape file to maintain information on the number
of records processed.

These controls are tested mainly through identification, observation, and inquiry. While
some of these controls, such as protection rings and labels, are easily implemented,
other controls, such as contingency processing, are more difficult and costly to
implement. The auditor should determine that these controls are either present or that
management has accepted the related risks and that all exceptions are scrutinized.

APPLICATION CONTROLS

Another set of specialized controls in an IT system is application controls. Application controls
are controls that relate to a specific application instead of multiple applications.

Each accounting application that is processed in an IT system is controlled during three
steps within IT: input, processing, and output. The input step converts human-readable
information into computer-readable form. Ensuring the integrity of the information in the
computer is critical during the processing step. Presentation of the results of processing to
the user and retention of data for future use occurs in the output step. Common controls
relating to input, processing, and output are presented and discussed with specific examples.
The candidate should be prepared to identify these controls in a multiple-choice question or
use several of them in an essay question.

A. Input controls

(1) Controls

(a) Input data should be properly authorized and approved.

(b) The system should verify all significant data fields used to record information (editing
the data).

(c) Conversion of data into machine-readable form should be controlled and verified for
accuracy.

(d) Movement of data between processing steps and departments should be controlled.

(e) The correction of errors and resubmission of corrected transactions should be reviewed
and controlled.

(2) To ensure the integrity of the conversion of human-readable data into a computer-readable
format, there are many common controls that can be used.

(a) Preprinted form

Information is pre-assigned a place and a format on the input form used. The form reduces
the possibility that computer input operators will miss or ignore input data recorded by
users. This control is used when a large quantity of repetitive data is inputted.

(b) Check digit –

An extra digit is added to an identification number to detect certain types of data
transmission or transposition errors. It is used to verify that the number
was entered into the computer system correctly (within the application program there is
software code that recomputes the check digit), e.g., an extra number on an account
number that is calculated as a mathematical combination of the other digits. For example,
a bank may add a check digit to individuals' 7-digit account numbers. The computer will
calculate the correct check digit based on performing predetermined mathematical
operations on the 7-digit account number and will then compare it to the check digit which
has been inputted.

(c) Control, batch, or proof total -

A total of one numerical field for all the records of a batch that normally would be added,
e.g., total sales pesos.

(d) Hash totals -

A total of one field for all the records of a batch where the total is a meaningless total for
financial purposes, e.g., mathematical sum of account numbers added together.

(e) Record count –

A control total used for accountability to ensure all the records received are processed.

(f) Reasonableness and limit tests –

These tests determine if amounts are too high, too low, or unreasonable (e.g., for a field
that indicates auditing exam scores, a limit check would test for scores over 100). A
reasonableness check is similar to a validity check (see below).
(g) Menu driven input -

If input is being entered into a CRT, then the operator should be greeted by a menu and
prompted as to the proper response to make [e.g., What score did you get on the Auditing
part of the CPA Exam (75-100)?]

(h) Field checks -

Checks that make certain only numbers, alphabetical characters, special characters, and
proper positive and negative signs are accepted into a specific data field where they are
required (e.g., a pay rate should include only numerical data; a numeric check would
assure that only numbers will be accepted into these columns. If alphabetical information
were erroneously inputted, an error message would result.)

(i) Validity check -

A check which allows only "valid" transactions or data to be entered into the system (e.g., a field
indicating sex of an individual where 1 = male and 2 = female; if coded with a "3" it would not
be accepted).

(j) Missing data check -

If blanks exist in input data where they should not (e.g., an employee's division number), an
error message would result.

(k) Field size check –

If an exact number of characters is to be inputted (e.g., employee numbers all have six digits),
an error message would result if fewer than 6 or more than 6 characters are inputted.

(l) Logic check -

Ensures that illogical combinations of inputs are not accepted into the computer (e.g., the field
total for raw material is validated by footing price times quantity).
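The input controls listed above, combined into one batch-edit routine as an added illustration (this is not the textbook's code): a Luhn modulus-10 check digit for the 7-digit account numbers, the field-size, field, missing-data, validity, limit and logic checks, and the record count, hash total and control total a control group would reconcile against the batch header. The record layout, the Luhn scheme, the 10,000 quantity limit and the sample batch are my assumptions.

```python
"""Input controls over a constructed batch of sales transactions.
Added example; not from the textbook. Check-digit scheme (Luhn), record
layout, limits and sample data are assumptions for illustration."""
from dataclasses import dataclass


# --- (b) Check digit: Luhn modulus-10 over the 7-digit account number -------
def luhn_check_digit(payload: str) -> int:
    """Return the check digit for a string of digits. Doubling every second
    digit from the right means any single wrong digit and almost every
    adjacent transposition changes the result."""
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # rightmost payload digit, then every other one
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def verify_account(account: str) -> bool:
    """Recompute the check digit from the first 7 digits and compare it with
    the 8th, as the chapter describes the application program doing."""
    return (len(account) == 8 and account.isdigit()
            and luhn_check_digit(account[:7]) == int(account[7]))


# --- Record layout (constructed) ---------------------------------------------
@dataclass
class SalesRecord:
    account: str      # 7-digit account number + check digit = 8 characters
    division: str     # required field; subject to the missing-data check
    quantity: str     # numeric field check and limit test
    unit_price: str   # numeric field check
    line_total: str   # logic check: must foot to quantity * unit_price
    txn_type: str     # validity check: "1" = cash, "2" = credit (constructed)


VALID_TXN_TYPES = {"1", "2"}
MAX_QUANTITY = 10_000          # assumed reasonableness limit for one line


def edit_record(rec: SalesRecord) -> list:
    """Apply the chapter's edit checks to one record; return the error codes."""
    errors = []
    if len(rec.account) != 8:                      # (k) field size check
        errors.append("FIELD_SIZE:account")
    elif not rec.account.isdigit():                # (h) field check
        errors.append("FIELD_CHECK:account")
    elif not verify_account(rec.account):          # (b) check digit
        errors.append("CHECK_DIGIT:account")
    if not rec.division.strip():                   # (j) missing data check
        errors.append("MISSING_DATA:division")
    numeric_ok = True
    for name in ("quantity", "unit_price", "line_total"):
        if not getattr(rec, name).isdigit():       # (h) numeric field check
            errors.append(f"FIELD_CHECK:{name}")
            numeric_ok = False
    if numeric_ok:
        if int(rec.quantity) > MAX_QUANTITY:       # (f) limit test
            errors.append("LIMIT:quantity")
        if int(rec.quantity) * int(rec.unit_price) != int(rec.line_total):
            errors.append("LOGIC:line_total")      # (l) logic check
    if rec.txn_type not in VALID_TXN_TYPES:        # (i) validity check
        errors.append("VALIDITY:txn_type")
    return errors


def edit_batch(records) -> dict:
    """Map record position -> error codes, for records that failed any check."""
    return {i: e for i, r in enumerate(records) if (e := edit_record(r))}


# --- (c), (d), (e) Batch totals the control group reconciles -----------------
def batch_totals(records) -> dict:
    """Record count, hash total of account numbers (meaningless financially)
    and proof/control total of the peso field."""
    nums = [int(r.account) for r in records if r.account.isdigit()]
    pesos = [int(r.line_total) for r in records if r.line_total.isdigit()]
    return {"record_count": len(records), "hash_total": sum(nums),
            "control_total": sum(pesos)}


def reconcile(header_totals: dict, records) -> list:
    """Names of totals that disagree between the batch header logged by the
    control group and the totals recomputed from what was actually keyed."""
    actual = batch_totals(records)
    return [k for k in header_totals if header_totals[k] != actual[k]]


# Constructed sample batch: one clean record and five with specific defects.
BATCH = [
    SalesRecord("12345674", "D10", "3", "250", "750", "1"),      # clean
    SalesRecord("12345764", "D10", "2", "100", "200", "1"),      # digits 6,7 transposed
    SalesRecord("76543214", "", "5", "40", "200", "2"),          # division missing
    SalesRecord("76543214", "D20", "4", "50", "210", "3"),       # 4*50 != 210; bad type
    SalesRecord("76543214", "D20", "12000", "1", "12000", "1"),  # over quantity limit
    SalesRecord("7654321", "D20", "1", "10", "10", "1"),         # only 7 characters
]
# Batch header as the control group logged it from the source documents; the
# keyed control total disagrees because one amount was mis-keyed (constructed).
BATCH_HEADER = {"record_count": 6, "hash_total": 261975401, "control_total": 13730}

if __name__ == "__main__":
    print(edit_batch(BATCH))
    print(reconcile(BATCH_HEADER, BATCH))
```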

B. Processing controls

(1) Controls

(a) Control totals should be produced and reconciled with input control totals --- proof of batch
totals.

(b) Control should prevent processing the wrong file and detect errors in file manipulation –
label checks.

(c) Limit and reasonableness checks should be incorporated into programs to prevent illogical
results such as reducing inventory to a negative value.

(d) Run-to-run totals should be verified at appropriate points in the processing cycle. This
ensures that records are not added or lost during the processing runs.

(2) Once the input has been accepted by the computer, it usually is processed through multiple
steps. Processing controls are essential to ensure the integrity of the data through all of the
processing steps. Examples of processing controls that are established during the input step
and are revised or checked during processing include record counts, hash totals, and control
totals.

Two additional controls that should be established are:

(a) Checkpoint / restart capacity –

If a particular program requires a significant amount of time to process, it is desirable to have
software within the application that allows the operator the ability to restart the application at
the last checkpoint passed as opposed to restarting the entire application.

(b) Error resolution procedure -

Individual transactions may be rejected during processing as a result of the error detection
controls in place. There should be complementary controls that ensure those records are
corrected and reentered into the system. Logging of errors in a suspense file of "suspended"
transactions is often used to control error resolution.
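The processing controls above as an added example (not the textbook's code): each processing run carries a record count and a hash total forward, rejected records go to a suspense file with a reason instead of being dropped, the posting run applies the chapter's check against negative inventory, and the run-to-run comparison exposes a simulated program error that loses a record between runs. The two runs (edit, post), the record layout and the sample transactions are constructed.

```python
"""Processing controls: run-to-run totals, a suspense file for rejected
transactions, and the chapter's limit check against negative inventory.
Added example; runs, record layout and sample data are constructed."""
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: int
    item: str
    qty: int          # positive = receipt into stock, negative = issue from stock


@dataclass
class RunResult:
    name: str
    accepted: list    # records passed on to the next run
    suspended: list   # (Txn, reason) pairs written to the suspense file


def totals_of(txns) -> dict:
    """Run-to-run totals carried between runs: record count and a hash total
    of signed quantities (a control figure, not a meaningful sum)."""
    return {"count": len(txns), "qty_hash": sum(t.qty for t in txns)}


def run_step(name: str, txns, rule) -> RunResult:
    """Apply one processing rule. A rejected record is suspended with its
    reason; nothing is ever silently discarded."""
    result = RunResult(name, [], [])
    for t in txns:
        reason = rule(t)
        if reason:
            result.suspended.append((t, f"{name}:{reason}"))
        else:
            result.accepted.append(t)
    return result


def run_to_run_ok(input_totals: dict, result: RunResult) -> bool:
    """Control: totals entering a run must equal accepted + suspended totals
    leaving it; otherwise records were added or lost during processing."""
    acc = totals_of(result.accepted)
    sus = totals_of([t for t, _ in result.suspended])
    return all(input_totals[k] == acc[k] + sus[k] for k in input_totals)


def edit_rule(t: Txn):
    """Edit run: reject blank item codes and zero quantities."""
    if not t.item.strip():
        return "missing item code"
    if t.qty == 0:
        return "zero quantity"
    return None


def make_post_rule(balances: dict):
    """Posting run with the chapter's reasonableness check: an issue that would
    drive inventory negative is suspended instead of being posted."""
    def rule(t: Txn):
        new_balance = balances.get(t.item, 0) + t.qty
        if new_balance < 0:
            return f"would make {t.item} inventory negative ({new_balance})"
        balances[t.item] = new_balance
        return None
    return rule


def process_batch(txns, balances: dict, lose_record: bool = False) -> dict:
    """Run edit then post. lose_record simulates a program error that drops
    the first record between the two runs; the run-to-run check must flag it."""
    current = list(txns)
    suspense, run_checks = [], []
    for name, rule in (("edit", edit_rule), ("post", make_post_rule(balances))):
        carried = totals_of(current)             # totals from the previous run
        if lose_record and name == "post" and current:
            current = current[1:]                # simulated loss of a record
        result = run_step(name, current, rule)
        run_checks.append((name, run_to_run_ok(carried, result)))
        suspense.extend(result.suspended)
        current = result.accepted
    return {"posted": len(current), "suspense": suspense, "run_checks": run_checks}


# Constructed sample batch of inventory transactions.
TXNS = [
    Txn(1, "widget", 100),   # receipt
    Txn(2, "widget", -30),   # issue, leaves 70
    Txn(3, "", 5),           # blank item code: suspended in the edit run
    Txn(4, "gadget", -10),   # issue with no stock on hand: suspended in post
    Txn(5, "widget", -80),   # 70 - 80 < 0: suspended in post
]

if __name__ == "__main__":
    stock = {}
    print(process_batch(TXNS, stock), stock)
    print(process_batch(TXNS, {}, lose_record=True)["run_checks"])
```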

C. Output controls

(1) Controls - visual review of the output should be done by the user or an independent control
group:

(a) Output control totals should be reconciled with input and processing control totals.
(b) Output should be scanned and tested by comparison to original source documents.
(c) Systems output should be distributed only to authorized users.

(2) Prior to the release of output to the user, there should be appropriate controls in place to
ensure that processing was accomplished according to specifications. The following
controls are frequently used to maintain the integrity of processing:

(a) Control total –

The user of the application will frequently give the operator the expected
result of processing ahead of time to allow the operator to verify that processing was
completed properly and to notify the user if the totals did not agree.

(b) Limiting the quantity of output and total processing time –

Time constraints and output page generation constraints are often automated within the
job being run to ensure that, if processing is being done in error, the job will not utilize
resources needlessly.

(c) Error message resolution –

Following each job, the system provides technical codes indicating the perceived
success of the job run. The operator should be trained to recognize these codes and
take the appropriate action detailed in the operations run manual.

-End of Part 1-
