Chapter 12

The Impact of Information Technology

on the Audit Process

Most companies rely on information technology (IT) to record and process

business transactions. This chapter highlights how IT affects an audit client’s internal
controls, which in turn affects the audit process. Because IT often significantly
impacts internal control, this chapter builds upon the discussion of internal control in
Chapter 10.
Due to the expanding role of IT in the financial reporting process, we believe
that some discussion of the material in this chapter is useful in an introductory
auditing course. In this chapter, we highlight several of the key issues related to the
impact of IT on risks and have identified types of internal controls that are often
implemented to reduce those risks. However, the complexities associated with the
variety of IT-based systems in existence today and the ever-evolving nature of IT
including e-commerce and the Internet can make this a difficult topic to cover. A full
discussion of all the issues and details of related controls could easily turn into a full
advanced auditing course on IT auditing. Thus, when we teach this chapter in an
introductory auditing course, we try to keep in mind that our goal is to provide a brief
overview of the IT issues and related IT controls to increase student awareness of
the basic impact IT can have on the audit process. Discussion of this chapter should
complement material presented throughout the remainder of the textbook that
interweaves the impact of IT and e-commerce on various aspects of the audit. If an
advanced auditing course is provided, this chapter could be deferred to that course.
The following topics are covered:

 Chapter opening vignette

 How information technologies improve internal control
 Assessing risks of IT
 Internal controls specific to IT
 General controls
 Application controls
 Impact of IT on the audit process
 Issues for different IT environments, including e-commerce systems

Chapter Opening Vignette – “Just Because the Computer Did the Work
Doesn’t Mean It’s Right”

This vignette illustrates several important points concerning client IT-based

accounting systems. First, students must realize the extent of computer processing
of accounting information and how important it is for auditors to understand the
technology used in the financial reporting process and how it affects internal controls
and the audit. Second, as the title indicates, computer output looks good, but that
doesn’t mean it’s correct. Computer output must be tested, and evidence must be

12-1
obtained to support its reliability. In this case, students might be asked what different
ways the aging could be tested.

12-2
 This vignette also allows for a discussion of many of the audit software
packages, such as ACL software highlighted in this edition, that are now available for
purchase and use by auditors. These vendor developed software packages are
capable of reading client data stored in a variety of formats and re-computing
information, such as re-doing an aging of accounts receivable. The Windows based
format of the software allows the auditor to easily perform numerous audit tasks
requiring testing of client data presented in electronic form efficiently and effectively.
If not already assigned, ACL problems in chapters 7, 8, and 11 could be used to
illustrate the benefits of audit software tools as part of this chapter’s discussions.
This chapter highlights that while IT reduces many of the risks associated
with traditional manual accounting systems, new risks are introduced. We focus on
those risks and then outline internal controls specific to IT that management can
implement to address some of those risks.

How Information Technologies Improve Internal Control (page 370)

Most students already embrace the idea that IT provides tremendous benefits to
businesses and that most businesses rely on IT to some extent to produce financial
statement information. This section illustrates two primary benefits for internal control
when IT is integrated into accounting systems:

 The replacement of manual controls with computer performed controls that

apply checks and balances to each processed transaction thereby reducing
the risk of human error, which can be scattered randomly throughout
processing.
 The use of IT, if implemented correctly, typically provides management with
more and higher quality information faster than most manual systems.

In this section, we emphasize how a well-controlled IT system can offer greater

potential for reducing material misstatements because computers process
information consistently. Once management and the auditor are reasonably assured
that IT programs are properly designed and installed, they can benefit from the
systematic nature of IT processing of transactions.

Assessing Risks of IT (page 370)

While students generally think of IT offering significant benefits to a client’s

internal control, they often fail to recognize new risks that are introduced. In this
section we highlight several key risks specific to IT environments to emphasize the
impact on a client’s overall control risk. We believe this helps set the stage for the
discussion of general and application controls, which follows. T-12-1 summarizes
these key risks.

(See T-12-1)

12-3
Internal Controls Specific to IT (page 372)

In this section, we illustrate how management can respond to many of the risks
unique to IT by implementing internal controls specific to IT. We describe both
general controls and application controls and highlight how they differ. We
emphasize how general controls have an umbrella effect over all aspects of the IT
function while application controls apply to the processing of individual transactions
within a specific transaction cycle. We note that general controls are designed to
protect each application software program and data from many of the risks noted
earlier in this chapter. Figure 12-1 (page 373) provides a useful visual example of
the difference between general and application controls.

(See Figure 12-1)

General Controls (page 372)

We highlight how the six categories of general controls have an overriding effect
on all IT functions by briefly describing each category of control. Table 12-1 (page
373) provides a helpful summary of the six general controls along with an example of
each. We particularly emphasize the importance of segregating key duties and the
importance of a controlled systems development process.

(See Table 12-1)

 Segregation of duties – We refer back to the discussion in Chapter 10

about the importance of segregating the key duties of authorization,
accounting, and custody of assets in a traditional accounting system (see
pages 297-298). Then, we note how many of these duties traditionally
handled in different parts of the organization are now centralized under
the IT function. We highlight how companies address the risks of
collapsing many of these duties under the IT function by segregating key
duties within the IT function. We emphasize that ideally responsibilities for
IT management, systems development, operations, and data control
should be segregated. We briefly describe each of these functions.
Figure 12-2 (page 375) provides a useful depiction of an ideal IT
organizational chart. We also refer back to Chapter 10 (page 298) to note
the importance of segregating IT duties from the duties of key users
outside IT (for example, IT personnel should not have the ability to
authorize changes to the employee master file – that should reside with
the human resources function).

The use of Problem 12-20 provides a good way to emphasize the concepts
related to this general control.

(See Figure 12-2)

12-4
  Systems Development – We refer back to the discussion of how the use
of IT to process transactions can lead to systematic error by noting that
once errors are included in software programming the computer will
process transactions incorrectly until those programs are changed. We
describe how a well-designed process of selecting, designing, testing, and
implementing application software using a team of both IT and non-IT
personnel helps increase the likelihood that program design errors are
properly addressed before the system is implemented and relied upon to
produce financial statement information. We emphasize that an important
aspect of systems development involves thorough testing of the system
before implementation through the use of pilot and parallel testing.

In addition to discussing these general controls, we spend a brief amount of

time defining the other types of general controls by stating their importance and
providing an example of each.
Problems 12-25 and 12-27 provide students an opportunity to identify
weaknesses in general controls. The Internet Problem also provides students an
opportunity to consider emerging best-practices related to effective overall IT
governance and how that affects the entity’s overall internal control.

Application Controls (page 376)

After discussing general controls, we then highlight the three types of

application controls: input controls, processing controls, and output controls. We
refer back to Table 12-1 (page 373) to highlight examples of each of these
categories of application controls. T-12-2 also is useful to show the relationship of
these categories of control.

(See Table-12-1)

(See T-12-2)

The emphasis in this section is on relating application controls to the

transaction-related audit objectives developed in Chapters 6 and 10 and used in
subsequent chapters. This approach shows the relationship between IT and IT-
based systems. Problems 12-19 and 12-26 provide useful examples of how IT-based
application controls link to transaction-related audit objectives.

Impact of IT on the Audit Process (page 378)

In this section we illustrate how the auditor’s understanding and testing of

general controls affect the auditor’s testing of application controls. We note that most
auditors evaluate the effectiveness of general controls before evaluating application
controls, given the umbrella effect general controls have over application controls.
We emphasize that when the auditor determines that general controls are strong, the
likelihood that the auditor will rely on key application controls embedded in the
system to reduce control risk increases. That, in turn, can lead to greater audit
efficiencies because more expensive substantive tests are less necessary. However,
as general controls are found to be less effective, the auditor may be concerned that

12-5
underlying application software

12-6
programs or related master files are not reliable due to a deficient IT environment.
For example, the lack of control surrounding program development and program
changes increases the auditor’s concern that application programs are more likely to
produce systematic error. T-12-3 illustrates the typical flow of auditor testing of
general controls and application controls. It is important to emphasize that the results
of auditor testing of general and application controls should be considered by
auditors of public companies when issuing reports on internal control over financial
reporting.
This usually leads to a discussion of the terms “auditing around the computer”
(where the auditor does not use computer performed controls to reduce control risk)
and “auditing through the computer” (where the auditor tests computer-performed
internal controls and account balances electronically because good general controls
exist). When discussing this section, we illustrate the test data, parallel simulation,
and the embedded audit module approaches to auditing through the computer. T-12-
4 provides a useful way to demonstrate how these three approaches differ. In
addition, Figures 12-3 and 12-4 (pages 382 and 383) illustrate the test data and
parallel simulation approaches, respectively. Problems 12-22, 12-23, and 12-24 help
illustrate the uses of these audit approaches. The ACL Problem 12-31 provides
hands-on experience in using audit software as an audit tool.

(See T-12-3 and T-12-4)

(See Figures 12-3 and 12-4)

Issues for Different IT Environments (page 384)

The material presented in earlier sections of this chapter addresses the effect of
IT on the audit process for organizations that centralize the IT function. While all
organizations need a strong general controls environment, some of those general
control issues differ across various IT environments. In this section we highlight
unique issues for network environments, database management systems, e-
commerce systems and outsourced IT functions. Problem 12-28 provides a basis for
illustrating risks unique to on-line sales systems.

12-7
 CHAPTER 12
CROSS REFERENCE OF LEARNING OBJECTIVES AND PROBLEM MATERIAL

Discussion
Multiple Questions
Review Choice and ACL Problem
Learning Objectives Questions Questions Problems and Cases
12-1 Describe how IT improves internal control. 12-1 12-17 12-23
12-2 Identify risks that arise from using an IT-based 12-2, 12-3, 12-18 12-19, 12-20, 12-30
accounting system. 12-4, 12-5 12-21, 12-23,
12-25, 12-27
12-6

12-3 Explain how general controls and application controls 12-6, 12-7 12-19, 12-20, 12-30
reduce IT risks. 12-21, 12-23,
12-25, 12-27
12-4 Describe how general controls affect the auditor’s 12-8, 12-9, 12-17, 12-18 12-21, 12-23,
testing of application controls. 12-10 12-26
12-5 Use test data, parallel simulation, and embedded audit 12-11 12-21, 12-22, 12-31
module approaches when auditing through the 12-23, 12-24
computer.
12-6 Identify issues for e-commerce systems and other 12-12, 12-13, 12-28, 12-29
specialized IT environments. 12-14, 12-15,
12-16
 KEY RISKS SPECIFIC TO
IT ENVIRONMENTS

 Reliance on functioning of hardware

and software

 Lack of visible audit trail

 Reduced human involvement

 Systematic versus random errors

 Unauthorized access

 Loss of data

 Reduced segregation of duties

 Lack of traditional authorization

 Need for IT experience

T-12-1
 INPUT, PROCESSING, AND
OUTPUT APPLICATION CONTROLS

PROCESSING OUTPUT
INPUT CONTROLS CONTROLS CONTROLS

Input IT Output
Processing

 Authorization  Validation  Review of

tests output for
 Preparation reason-
of source  Sequence ableness
documents tests
 Reconciliation
 Input screen  Arithmetic of output to
controls accuracy input control
tests totals
 Validation
of input  Data reason-  Controls over
ableness tests distribution
 Control totals of output
(batch, hash,  Completeness
record counts) tests  Review of
error listings

T-12-2
T-12-3
 SEQUENCE FOR EVALUATION –
GENERAL AND APPLICATION CONTROLS

T e s t G e n e ra l
C o n tr o ls

N o - D o n o t r e ly o n IT
E ffe c tiv e
a p p lic a tio n c o n tr o ls to
?
r e d u c e c o n tr o l r is k

Y e s - E v a lu a te
a p p lic a tio n
c o n tr o ls

N o - D o n o t r e ly o n IT
E ffe c tiv e
a p p lic a tio n c o n tr o ls to
?
r e d u c e c o n tr o l r is k

Y e s - P e rfo rm
te s ts o f
a p p lic a tio n
c o n tr o ls a n d , if
e ffe c tiv e , r e d u c e
s u b s ta n tiv e te s ts

T-12-3
 COMPARISON OF TEST DATA,
PARALLEL SIMULATION AND
EMBEDDED AUDIT MODULE APPROACHES

EMBEDDED
BASIS FOR PARALLEL AUDIT
COMPARISON TEST DATA SIMULATION MODULE

Generally
Test to test
Test
effectiveness output, but
unusual
Objectives of client’s sometimes
transaction
internal used to test
output
controls internal
controls

Tests of
controls Generally Generally
Tests of
versus substantive substantive
controls
substantive tests tests
test

Information Client’s Client’s Client’s

being tested processes output output

Client’s
Computer
Client’s Auditor’s modified
program used
by auditor

T-12-3