Chapter 8

• ERP- (SAP, Oracle, Dynamics), Small (quickbooks)
• Batch, on-line batch, real-time
• Core of all systems are data bases
• Hardware
• SW applications
• Networks
• Electronic Commerece- EDI,FEDI, EFT, web

• Segregation of duties
• _{It operations}
• User access to data/applications
• Clearly defined responsibilities
• Augmented by controls written into computer programs
• Software Development Life Cycle

• In computerized environment, audit trail ordinarily still exists, but often not in printed form
• _{Can affect audit procedures}
• Consulting auditors during design stage of IT-based system helps ultimate audibility

• Information systems management
• Systems analysis
• Application Programming
• Database Administration
• Data Entry
• It Operations
• Program and file library
• Data Controls
• Telecommunications Specialists
• System Programing

Supervise the operation of the department and report to the vice president of finance

Responsible for designing the system

Design flowcharts and write programming code

Responsible for planning and adminstering the company database

Prepare and verify input data for processing

Run and monitor central computers

Protect computer programs, master files and other records from loss, damage and unauthorized use

Reviews and tests all input procedures, monitors processes and reviews IT logs

Responsible for maintaining and enhancing IT networks

Responsible for Troubleshooting the operating system

• Developing new programs and systems
• changing existing programs and systems
• Access to programs and data
• It operations controls

• History shows that developer is mostly the culprit
• Segregation's of duties
• programing separate from controlling data entry
• computer operator from custody or detailed knowledge of programs
• If segregation not possible need:
• Compensating controls like batch totals
• Organizational controls not effective in mitigating collusion

• Security:
• Authentication-who get in
• Authorization-what can the user do
• Encryption

• Input validation checks
• Batch controls
• Processing Controls

Consider IT system in planning

• Documentations of clients's IT-based system depends on complexity of system
• Narrative
• Systems flowchart
• Program flowchart
• Internal Control questionnaires

• ID risks
• Relate the ID risks to what can go wrong at the relevant assertion level
• Consider whether the risks are of a mangitude that could result in a material misstatement
• Consider the likelihood that the risks could result in a material misstatement

• Hire IT control expert if auditor not experienced
• Use COBIT or AICPA trust services
• General Control assessment- applies to all IT operations and applications
• Application Control- embedded in process control evaluation
• Must test controls at both levels
• Same assessment outcomes as manual process controls
• _{Operational Effectiveness}
• _{Material Weakness and significant deficiencies.}

Manually processing selected transaction and comparing results to computer output

Inspection of computer control reports and evidence of manual follow-up on exceptions

• Test data
• Integrated Test Facility
• Controlled programs
• Program Analysis Techniques
• Tagging and Tracing transactions
• Generalized audit software-paralles simulation

• Examine client's records for overall quality, completeness and valid conditions
• Rearrange data and perform analyses
• Select audit samples
• Compare data on separate files
• Compare results of audit procedures with client's records

• Computer service centers provide processing services (payroll, benefits, accounting)
• Outsourcing companies (IBM, EDS) run computer centers and provide IT personnel
• Cloud Computing
• Internet Services (ASP-Application service providers)

• How clients transactions are initiated
• The accounting records, supporting information
• The accounting proces for initiation to inclusion in FS
• The financial reporting process

If no SAS 70 report, audit must include service organization in audit scope