WIXLIB

AUD-7Miles CPA ReviewI C-1) General Controls General controls - Policies & procedures that relate to many applications and support the effectivefunctioning of application controls. Maintain the integrity of information and security of data General controls over technology Include control activities over the IT infrastructure - May be shared by different business units within the entity (e.g., ashared service center) or outsourced either to third-party service organizations or tolocation-independent technology services (e.g., cloud computing) Security management - Generally cover access rights at the data, operating system(system software), network, application, and physical layers IT acquisition, development, and maintenance – E.g., SDLC (System Development LifeCycle) covered in BEC-7.1 Apply to all technology - from IT applications on a mainframe computer; to client/server,desktop, end-user computing, portable computer, and mobile device environments; tooperational technology, such as plant control systems or manufacturing robotics The extent and rigor of control activities will vary for each of these technologiesdepending on various factors, such as the complexity of the technology and risk of theunderlying business process being supported Similar to application controls, general controls may include both manual and automatedcontrol activities Effect of general controls on financial reporting Although ineffective general IT controls do not by themselves cause misstatements, theymay permit application controls to operate improperly and allow misstatements to occurand not be detected E.g., If deficiencies in the general IT controls over access security exist and applicationsare relying on these general controls to prevent unauthorized transactions from beingprocessed, such general IT control deficiencies may have a more severe effect on theeffective design and operation of the application control Assessed with regard to their effect on applications & data that become part of F/S E.g., If no new systems are implemented during the period of F/S, deficiencies in thegeneral IT controls over application system acquisition and development may not berelevant to F/S being audited Examples of General IT controls Program change controls Controls that restrict access to programs or data Controls over the implementation of new releases of packaged software applications Controls over system software that restrict access to, or monitor the use of, system utilitiesthat could change financial data or records without leaving an audit trailA7.4-8

Miles CPA ReviewAUD-7 Personnel policies ARCCS: Authorization - The development of new programs and changes to existing programs should beperformed by systems analysts and programmers. These personnel should not be involved inthe supervision of computer operations or the control and review of output. Systems analystswork with operating systems and compilers. Further, the database must be under the charge ofthe database administrator who would maintain the database and restrict database access toauthorized personnel Recording - Data entry clerks and computer operators have the role of entering informationinto the computer and running the programs. These personnel should not have access toprogram code that would enable them to modify programs nor should they control the output. Custody - Librarians retain custody of the removable media (disks, tapes, etc.) and maintainprogram & system documentation Comparison - Control clerks obtain and review the output from computers to review exceptionreports indicating inappropriate functioning of the computer, send printouts and other outputto the appropriate destinations, and ensure compliance with control totals. Segregation of the incompatible duties of ARCC E.g., Computer operators should have custody of the data E.g., Control clerks should not have the ability to create or alter programs or to operate thecomputers that generate the informationPhysicalAccessElectronicAccess File Security (access controls) - General controls over access to computers and files are of greatsignificance in evaluating internal control in an IT environment (particularly important in networks,where the data is widely distributed) Access to programs and data should require the entry of passwords or identification numbers,and different levels of password authority should apply so that individuals only gain access toE.g.,Read-Only the programs and files that are compatible with their assigned responsibilities (may be testedby an auditor by entering invalid passwords to see that they rejected and verifying that validAccesspasswords only provide compatible access) Good practice to require that individual users change assigned passwords when newaccounts are created User accounts should be removed when an employee leaves a client Systems access log should also periodically be reviewed to detect computer-related fraudA7.4-9

AUD-7Miles CPA Review Contingency planning refers to controls that are designed to protect the information fromaccidental or intentional destruction or unauthorized alteration. Includes: Back up & controls - Copies of files and programs should be maintained to allow reconstructionof destroyed or altered files. This may include copies on the same computer, backups toremovable storage media such as disks, and off-premises backups to computers and locationoutside the company Copies may be identical or the client may use the grandfather-father-son retention systemin which periodic saving of data versions allows the reconstruction of records by startingwith an older file, and reentering lost data since that time {the name comes from thegeneral idea of saving at least two generations of older data so that, if the immediateversion before the lost file is also lost, reconstruction can start two versions back withreentry of all data processed since that point} Checkpoint - Similar to grandfather-father-son, but at certain “checkpoints”, the systemmakes a copy of the database and this “checkpoint” file is stored on a separate disk or tape.If a problem occurs, the system is restarted at the last checkpoint Planned downtime - Since some downtime is inevitable, planned downtime allowsmaintenance so that unplanned downtime does not interrupt system operations Disaster recovery - The Company should have plans in place that will allow operations to berestored and continued in the event of physical destruction or disabling of the site of computeroperations. A complete disaster recovery plan would provide for an alternative processing site,backup and off-site storage procedures, identification of critical applications, and a testing ofthe planWarm Site Hot site - Site has available computers and data ready to begin operations immediately inSite the event of the disaster Site Hardware SoftwareHardware Cold site - Site has available space for operations but will require setup of computers andloading of data before operations can begin at that site Only Site Mirrored web server - off-site server to assure continuity of operations in the event of anatural disaster (effective particularly for e-commerce companies)A7.4-10

Miles CPA ReviewAUD-7 Hardware controls are built into computers by the manufacturer. Binary computers can only thinkin terms of bits (binary digits) of information that are on or off (“1” or “0”). A series of 8consecutive bits will produce a byte of information that represents a unit of human thought such asa letter, number, or other character. Hardware controls may include: Parity check - In the storage of bytes, one bit will a “dummy” bit that does not represent anyactual information, but is turned on automatically when necessary so that the total number ofbits in the on position is an odd number (in an odd-parity computer). When the computer isreading bytes of data from a chip or disk drive, a byte with an even number of bits turned onwill be known to be functioning improperly. Echo check (Echo control) - When data is being transmitted from one computer to another,especially over telephone lines, distortions caused by static or other causes can causeinformation to be transmitted improperly. An echo check involves the data sent from onecomputer to another being transmitted back to the original one, which will verify that it hasreceived what it sent. If the echoed data does not agree with the transmission, the packet ofdata is then resent Documentation of new programs and alterations to existing programs ensures that IT personnelare aware of the availability and proper use of programs and that changes in programmingpersonnel during projects does not interfere with the ability of other employees to understandwhat has been done previouslyA7.4-11

AUD-7Miles CPA ReviewI C-2) Application Controls Application controls - Relate to procedures used to initiate, authorize, record, process, and reporttransactions or other financial data; help ensure that transactions occurred, are authorized, and arecompletely & accurately recorded/processed Manual or automated procedures that typically operate at a business process level and apply tothe processing of transactions by individual applications Because of the inherent consistency of IT processing, audit evidence about theimplementation of an automated application control, when considered in combination withaudit evidence about the operating effectiveness of the entity's general IT controls (inparticular, change controls), also may provide substantial audit evidence about its operatingeffectiveness Application controls can be preventive or detective and are designed to ensure the integrity ofthe accounting records. Typically: Input & Processing controls are preventive controls (designed to prevent errors and fraud) Output controls are detective controls (designed to detect errors and fraud) Examples of Application controls - Include controls which relate to Integrity of data input into the system - Ensure they are authorized Processing of data – Ensure they are processed completely & accurately Integrity of reports and information that are the products of the processing – Ensure thatthe output is complete & accurate Rights granted to specific users to Access the application or data Delete transactions or data that had previously been processed by the application Originate a new transaction or record (e.g., authorized vendor, approved customer, ornew employee)[Note: Controls over system access are considered part of IT general controls] Note for Auditing: Without strong IT general controls where they are relevant, the auditor will havelittle basis to rely upon application controlsA7.4-12

Miles CPA ReviewAUD-7 Input Controls - Ensure the validity, accuracy, and completeness of transactions which are entered/processed/recorded. E.g., Preventive controls Controls to verify data/transactions as these are entered into the system: Field checks - Ensures that data entered contains appropriate format (e.g., numeric,alphabetical, alpha-numeric) E.g., SSN must be in numerical digits, not letters Validity checks - Ensures validity of data by cross-checking with a list of acceptable inputs E.g., For state abbreviation, check if NY is among the list of 50 state abbreviations Limit tests - Ensures that data entered falls within the acceptable range E.g., SSN must not be greater than 9 characters Check digits - Additional digit added to a series based on an algorithm applied; generallydesigned to avoid human transcription errors. E.g., 10th digit of the National Provider Identifier for the US healthcare industry Final (9th) digit of routing transit number (bank code used in the US) 9th digit of a Vehicle Identification Number (VIN) Edit checks - cross-check between files to verify if each entry is appropriate E.g., Comparing time card transactions with employee names in a personnel file to ensure ifthe time card transaction is for a valid employee Rejected transactions may be reviewed by the control clerk Batch controls - When inputting data in batches, manual control totals of the data entered maybe compared with computer-generated totals so as to ensure inputs are accurate. Include: Record count – Control total of number of records entered in the batch Financial total – Control total of amount of entries entered in the batch Hash total – Control total of values where the total is meaningless for financial purposes butwould still help verify if data has been correctly entered (e.g., total of invoice #, total ofcheck #, total of employee SSNE.g., Following is a “batch” of checks issued which are being entered into an application program:Check Number PayeeAmountAccount Code1007Varun International 700.007071008Meenakshi Corp. 6,000.001211009Miles Professional 3,000.009143024 9,700.001742After the data entry clerk has entered all the checks, the IT system will indicate:Checks Entered 3 (record count)Check Number total 3024 (hash total)Amount total 9,700.00 (financial total)Amount code total 1742 (hash total)The data entry clerk then agrees the total from the IT system with the total on his input sheet to ensure that all thedata is correctly entered. Use of documents which are pre-numbered, pre-printed, numerical sequence – Sequenceshould be periodically reconciled to unused numbers to ensure no information is missed out;also, ensure that only valid transactions are enteredA7.4-13

AUD-7Miles CPA Review Processing Controls - Once the IT system accepts the inputs, processing controls ensure that thedata is processed completely & accurately. E.g.,Preventive controls Essentially, most input controls are also applicable for processing. E.g., processed informationshould indicate batch control totals Systems/software documentation - Allows system analysts to verify if processing is donecompletely & accurately Error testing compilers - May be used to test the IT systems for programming language errors User acceptance testing - by end “users” to ensure that the application meets businessrequirements Test data - Simulated (dummy) data which tests the program with one sample of each type ofpossible exception conditions System testing - To ensure that programs within a system are working in an integrated fashion Database processing integrity procedures - Proper procedures for accessing & updating thedatabase. May have concurrent update controls to prevent 2 or more users to simultaneouslyupdate one record Output Controls - Assess whether the output is complete & accurate. Also monitor the distributionand use of outputDetective controls Completeness, accuracy, and validity of processing results can be checked using activity listings Distribution and use of output can be monitored using numbered forms, distribution lists, andrequiring signatures for certain reports When information is particularly sensitive, users might be instructed to use paper shredders todispose of reports after useA7.4-14

Miles CPA ReviewAUD-7II) Auditor’s consideration of I/C in IT environmentsII A) Auditing in IT environments - Planning Stage Auditor should consider the impact of IT on the entity’s F/S, and whether specialized IT skills areneeded in performing the audit. If yes, the auditor should seek the assistance of a professionalpossessing such skills, who either may be on the auditor's staff (IT auditor) or an outsideprofessional (IT specialist) In determining whether an IT auditor is needed on the audit team, the auditor may considersuch factors as the following: Complexity of the entity's systems and IT controls and the manner in which they are used inconducting the entity's business Significance of changes made to existing systems or the implementation of new systems Extent to which data is shared among systems Extent of the entity's participation in electronic commerce Entity's use of emerging technologies Significance of audit evidence that is available only in electronic form The IT auditor determines the effect of IT on the audit, understand the IT controls, or designand perform tests of IT controls or substantive procedures. Examples of procedures that may beassigned to the IT auditor: Inquiry of an entity's IT personnel how data and transactions are initiated, authorized,recorded, processed, and reported, and how IT controls are designed Inspect systems documentation Observe the operation of IT controls Plan and perform tests of IT controls Note: The audit partner remains responsible for the audit report on the F/S. And needs tosupervise and review the work performed by any IT auditors (same as for the work performedby other members of the engagement team) Auditor may also consider that the entity’s use of IT may affect the availability of informationneeded for the audit. When entity data is processed electronically, the auditor may be Prevented from using only substantive procedures to obtain audit evidence E.g., If the evidence regarding the transaction is not maintained in paper form or observablein the historical record, it may not be observable in the transaction record that thetransaction was authorized by management electronically, thus requiring that theauthorization systems and controls be examined directly for proper application of thecontrol procedure Enabled to electronic data extraction, Audit Data Analytics (ADA) and other Computer AssistedAudit Techniques (CAAT) to gather audit evidence; e.g., by examining an entire population of anaccount balanceA7.4-15

AUD-7Miles CPA ReviewII B) Auditing in IT environments - Risk Assessment Procedures Auditing in IT environments [Source: AICPA Journal of Accountancy, adapted]:A7.4-16

Miles CPA ReviewAUD-7 Risk assessment procedures to understand IT controls and assess the design and implementationof IT controls (general controls and application controls) Auditor should obtain an un

Miles CPA Review AUD-7 A7.4-5 I B) Segregation of Duties in an IT Environment Entities operating in an IT environment often have a separate Information Systems department. Note that roles/responsibilities and job titles for IT are defined by the entity, and could vary from entity-to-entity (below roles & job titles are only indicative) .