Information technology (IT) encompasses automated means of originating, processing, storing, and communicating information. The use of information technology affects the manner in which transactions are initiated, recorded, processed, and reported. An entity's use of information technology affects both the evaluation of internal control and the procedures used to gather evidence. Note, however, that the audit objectives are the same in a computerized environment as they are in a manual environment.
An entity's IT environment may consist of multiple layers of supporting IT infrastructure. An auditor is concerned with the layers that impact significant business processes and the initiation of a transaction until its ultimate recording in the financial information. Therefore, many types of technology may be relevant to the audit.
An auditor documents his or her understanding of the entity's IT environment during risk assessment. Documentation of how technology impacts individual transactions is typically included in the documentation of the auditor's understanding of the process, associated risks, and relevant controls.
The differences between manual and computerized (IT) environments in an audit include the following:
In a computerized environment, transaction processing often results in a combination of functions that are normally separated in a manual environment.
The additional risk associated with this (possibly incompatible) concentration of functions may be mitigated by the implementation of compensating controls.
Paper audit trails are substantially reduced in a computerized environment (particularly in on-line, real-time systems). If a client processes most of its financial data in electronic form, without any paper documentation, audit tests should be performed on a continuous basis.
Computer systems should be designed to supply electronic audit trails, which are often as effective as paper trails.
Use of IT may make it more difficult to use physical inspection to identify nonstandard or unusual transactions or adjustments.
Processing consistency is improved in a computerized environment because clerical errors (e.g., random arithmetic errors and missed postings) are virtually eliminated.
In a computerized environment, however, there is an increased potential for systematic errors, such as errors in programming logic (e.g., using the incorrect tax rate).
Automated transactions are not subject to the same types of authorization as are used for manual transactions and may not be as well-documented.
When information is automatically transferred from transaction processing systems to financial reporting systems, inadvertent errors are reduced, but unauthorized interventions may not be evident.
Several characteristics of computerized processing act to increase the likelihood that fraud may occur and may remain undetected for long periods of time.
The opportunity for remote access to data in networked environments increases the likelihood of unauthorized access. Therefore, specific controls should exist to ensure that users can only access and update authorized data elements.
Concentration of information in computerized systems means that, if system security is breached, the potential for damage is much greater than in manual systems.
Decreased human involvement in transaction processing results in decreased opportunities for observation.
Errors or fraud may occur in the design or maintenance of application programs.
Computer disruptions may cause errors or delays in recording transactions.
Computer systems provide more opportunities for data analysis and review, including integration of audit procedures in the application programs themselves.
Utilization of these opportunities can help mitigate the additional risks associated with a lack of segregation of duties.
In a computerized environment, the increased availability of raw data and management reports affords greater opportunity for both the client and the auditor to perform analytical procedures.
Controls for specific applications are only as effective as the general controls in place in the information technology department, which processes the transactions and produces the reports.
An auditor can use manual audit procedures (called auditing around the computer), computer-assisted audit techniques (CAATs, commonly called auditing through the computer), or a combination of both. In either event, because the reliability of automated systems is highly dependent on the adequacy of control design and execution, it is crucial that the auditor gain a thorough understanding of the structure and usage of the control system through inquiry and observation.
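As an added illustration (not part of the original text), the following sketch shows the kind of data-analysis test that can be run over an electronic audit trail: it flags transactions where initiation and approval were not performed by two different users, and independently recomputes tax to separate a repeated (systematic) rate error from a one-off mistake. The record layout, user names, the 7% rate, and the sample records are all constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample of an electronic audit trail (not real client data).
# Assumed fields: id, created_by, approved_by, net amount, tax posted by the application.
EXPECTED_TAX_RATE = Decimal("0.07")  # assumed statutory rate for this illustration
TOLERANCE = Decimal("0.01")          # rounding tolerance per transaction

TRAIL = [
    {"id": "T1001", "created_by": "akim",  "approved_by": "bross", "net": "100.00", "tax": "7.00"},
    {"id": "T1002", "created_by": "akim",  "approved_by": "akim",  "net": "250.00", "tax": "17.50"},
    {"id": "T1003", "created_by": "cdiaz", "approved_by": "bross", "net": "80.00",  "tax": "4.80"},
    {"id": "T1004", "created_by": "cdiaz", "approved_by": "bross", "net": "120.00", "tax": "7.20"},
    {"id": "T1005", "created_by": "akim",  "approved_by": None,    "net": "60.00",  "tax": "4.20"},
]

def sod_exceptions(trail):
    """IDs where approval is missing or the approver is also the initiator."""
    return [t["id"] for t in trail
            if not t["approved_by"] or t["approved_by"] == t["created_by"]]

def tax_exceptions(trail, rate=EXPECTED_TAX_RATE, tol=TOLERANCE):
    """Recompute tax independently; return {id: implied rate} for mismatches."""
    found = {}
    for t in trail:
        net, tax = Decimal(t["net"]), Decimal(t["tax"])
        expected = (net * rate).quantize(Decimal("0.01"))
        if abs(tax - expected) > tol:
            found[t["id"]] = (tax / net).quantize(Decimal("0.0001")) if net else None
    return found

def systematic_rates(exceptions, min_count=2):
    """A wrong rate that repeats points to program logic, not a clerical slip."""
    counts = Counter(exceptions.values())
    return {rate: n for rate, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    print("Segregation-of-duties exceptions:", sod_exceptions(TRAIL))
    tax = tax_exceptions(TRAIL)
    print("Tax recomputation exceptions:", tax)
    print("Repeated implied rates:", systematic_rates(tax))
```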
Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
Which of the following computer-assisted auditing techniques processes client input data on a controlled program under the auditor's control to test controls in the computer system?
A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may: