MAIN FOCUS OF AUDITOR: Adequacy of CONTROL over transactions, not upon transactions

themselves, as in manual systems. (dire adi upod ppt hehe )

PLANNING CONSIDERATIONS (pinaka title talaga)

1. The significance and complexity of computer processing.

2. The organizational structure of the client’s IT activities and the concentration of distribution
of computer processing.

3. The availability of data.

NATURE OF THE RISKS AND INTERNAL CONTROL CHARACTERISTICS IN IT ENVIRONMENT

1. Lack of transaction trails.

2. Uniform processing of transactions.

3. Lack of segregation of functions.

4. Potential errors and irregularities.

ADVANTAGE OF USING INFORMATION TECHNOLOGY IN HANDLING TRANSACTIONS

1. Initiation or execution of transactions

2. Dependence of other controls over computer processing.

3. Potential for increased management supervision.

4. Potential for the use of computer-assisted audit techniques.

5. Potential impact on the auditor’s assessment of risk, and the NET of audit procedures.

ASSESSMENT OF RISK

 The risk may result from deficiencies in pervasive IT activities. These deficiencies would
tend to have a pervasive impact on all application systems hat are processed on the
computer.
 The risk may increase the potential for errors or fraudulent activities in specific
applications, in specific data bases or master files, or in specific processing activities.
CONDUCTING AUDIT OF IT SYSTEMS

1. Review the system

- Determine whether the system provides reasonable assurance that errors and
irregularities have been and will be prevented or detected on a timely basis by employees.

2. Test of compliance
 - Relating to the prescribed controls if they are functioning properly.

a. Audit around the computer

- Auditor does not use the computer to perform tests, select samples,
etc.

b. Audit through the computer

- Auditor can use a computer program to examine data files and

perform tasks.

NEXT IS AUDITING THROUGH THE USE OF COMPUTER

Computers are essential in the auditing process. A computer application can be used by the
auditor to review data files and do many of the administrative duties that were previously handled by a
junior auditor.
Considering the speed of the computers, These tests can actually be run on the entire file rather than
just a sample of transactions due to the computers' speed. several auditors have universal computer
audit software that can operate on a wide range of systems and execute several audit functions.

Auditing through the use of computer, involves employing computer software and tools to automate
audit processes, analyze large datasets, detect anomalies, and improve audit efficiency and
effectiveness. These techniques leverage technology to enhance the audit process, allowing auditors to
perform tasks more efficiently than traditional manual methods.

In contrast with auditing around the computer, auditing through the computer examines an IT control
by entering the client's system.

So for this An illustration is shown in the next slide

This enables the auditor to examine and verify the consistency of the processes and data computations
carried out by it.

THIS PROCESS IS KNOWN AS white-box testing or crystal-box testing.

This method aims to understand as well as verify the procedure that the input data has gone through in
order to generate the output information that is shown in the diagram. This approach is executed
through the use of computer-assisted auditing techniques (CAATs) to evaluate the design,
implementation and operations of IT controls.

Computer assisted auditing techniques are software tools that provide detailed analysis of computer
systems configurations, vulnerability, logs and other information. These CAATS have built-in report
writers that generate predefined reports that contain findings relevant to the test of control. The use of
CAATS requires more extensive planning considerations as it can be time-consuming and expensive.
Furthermore, expert training is often needed to utilize these techniques effectively.

With this, the following factors are considered before this approach is applied:

1. Degree of technical competence in an IT environment

2. Complexity of the IT environment and level of risks due to IT

3. Availability of Computer Assisted Auditing Techniques and appropriate computer facilities

4. Cost and benefit constraints

5. Impracticability of manual tests

6. Effectiveness and efficiency

7. Timing of tests and

8. Data security
3. Evaluation to determine the extent of the substantive tests

a. Substantive testing without using the computer

- Printouts are used to test the correctness of account and as a basis from which
samples will be selected.

LASTLY IS SUBSTANTIVE TESTING OF COMPUTER-BASED RECORDS

IN SUBSTANTIVE TESTING, IT CAN BE PERFORMED WITH AND WITHOUT THE USE OF COMPUTER

FIRST LET’S TALK ABOUT THE SUBSTANTIVE TESTING WITHOUT USING THE COMPUTER

Substantive testing without the use of computers involves manually examining and verifying financial
information, transactions, and balances to assess their accuracy, completeness, and validity.

Printouts are used to verify that accounts are accurate and it serves as a basis from which a sample will
be selected for additional testing or verification.

- Auditor uses a program written to gain access to the computer-based records.

NEXT IS SUBSTANTIVE TESTING WITH THE USE OF COMPUTER

Substantive testing through computer involves leveraging technology to perform detailed analysis and
verification of financial data and transactions.

By leveraging computer technology, substantive testing can be performed more efficiently, accurately,
and comprehensively compared to manual methods, enabling auditors to obtain greater assurance over
financial information while reducing the risk of errors and fraud.

So here

An application is used by the auditor to access computer-based records. Once access has been granted,
the auditor can use the computer to carry out clerical tasks.

Sources of program are:

a. Auditor written programs

- specifically written to client’s tiles.

b. Auditee programs which are

- Coded by the company’s own programmer to meet the

auditor’s needs.

c. Utility Programs

- Provided by software vendors and is also used to obtain data.

d. Generalized computer audit programs

- These programs offer audit-oriented functions for use in

accessing and testing records.

AND THEN NEXT IS THE INTERNAL CONTROL CONSIDERATION

INTERNAL CONTROL CONSIDERATIONS

1. Security

- An important feature as external parties are able to access the entity’s information system
using a public network such as the Internet.

The following must be considered:

 Use of firewalls and virus protection software

 Use of encryption
 Controls over the development and implementation of systems to support e-
commerce activities
 Consider whether security controls in place continue to be effective as new
technologies to attack Internet security becomes available
 Whether the control environment supports the control procedures
implemented.

2. Transaction Integrity

- Auditor shall consider the completeness, accuracy, timeliness and authorization of information
provided for recording and processing in the entity’s financial records.

Controls are designed to:

 Validate input
 Prevent duplication or omission of transactions
 Ensure the terms of trade such as delivery and credit terms have been agreed
before an order is processed.
 Distinguish between customer browsing and orders placed.
 Prevent incomplete processing by ensuring all steps are completed and
recorded.
 Ensure the per distribution of transaction details across multiple systems in a
network.
 Ensure records are properly retained, backed-up and secured.
3. Process Alignment

- Refer to the way various IT systems are integrated with one another and thus operate, as one
system.

E-commerce transactions may affect the following:

 Completeness and accuracy of transaction processing and information

storage; and
 Timing of the recognition of sales revenue, purchases and other
transactions