TECHNOLOGY IN
BUSINESS
AND
ITS IMPACT ON AUDIT
PROCESS
1
LEARNING OBJECTIVES
• Disruptive Technologies
• IT and business
• Impact of IT on Internal Control
• Impact of IT on Audit Process
• Audit Documentation
• Audit Evidence
2
Catalyst of Change – Internet of Things (IoT)
3
DISRUPTIVE TECHNOLOGIES
• BIG DATA
• Definition: large and complex datasets
• Characteristics: 4Vs [Volume (qty), Velocity (speed), Variety
(complexity: structured and unstructured), **Veracity
(inconsistencies)
• Example: Instagram, Facebook, Google
• Evolution: Database Management System (storage), Data
Warehousing (analytics), Stream Computing (real time analytics) –
significantly used for Business Intelligence
• Problems: Capture, storage, analysis, visualisation
• Benefits: real time, spot trends, correlations,
informed decisions
4
DISRUPTIVE TECHNOLOGIES
• Definition: process of collecting, organising
and analysing large data sets in seeking
patterns and useful information
DATA • Examples: Predictive analysis, Data Mining,
ANALYTICS Business Intelligence
• Usage: Customer analytics, Operational
analytics, Fraud & Compliance
(Infrastructure & Apps)
6
https://www.youtube.com/watch?v=_Xcmh1LQB9I
DISRUPTIVE
TECHNOLOGIES
WHAT IS MOST
NEEDED????
DATA
SCIENCE
7
BUSINESS MAJOR CONCERNS
• Business survival & competitiveness
• Cost of investment
• Data & Information – an emerging crucial assets
• Cognitive technology (artificial intelligence /
machine learning) – better decision making
• Robotics automation – HUMAN ???
8
TECHNOLOGY IN BUSINESS
9
IT SYSTEM & ENVIRONMENT
• Stand alone, online, database, mobile computing
• Online real-time systems – embedded audit facilities,
snapshots, extended records (log)
• Distributed data processing
10
IT INFRASTRUCTURE
• IT infrastructure
• Network – LANs, WANs, EDI
• Database Management System – Intelligence System (DSS,
CRM)
• ERP systems – Knowledge Sharing (KMS)
• Firewall
• Encryption
• Digital signatures
• Outsource (Offshoring) i.e. cloud computing, application
service providers, shared services 11
DISCUSS THE
IMPACTS OF
TECHNOLOGY
TOWARDS
INTERNAL
CONTROL?
12
BENEFITS OF IT TO
BUSINESS
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realise business benefits through
effective and innovative use of IT – databases
• Achieve operational excellence through reliable and efficient
application of technology
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology – ROI
13
INTERNAL CONTROL IN IT
• Importance of internal control not diminished in
computerized environment
• Separation of duties
• Defined responsibilities
• Controls specific to IT
• General controls
• Application controls
GENERAL CONTROLS
Physical control
• Policies and procedures that support effective
functioning of application controls
• Controls over computer equipment & documents
• Organizational controls.
• Systems development and modification controls.
• Hardware and systems software controls.
• Security and access controls.
• Operations and data controls.
15
APPLICATION CONTROLS
Technical control
• Controls within the systems
• Electronic based (data encryption), authorisation or approval
Input Process Output
Accuracy Readable Accurate &
Completeness Errors complete
identification Restricted
Batch / online access
Timely basis
Data capture Processing Output
Data validation controls controls
Error controls 16
IT & AUDIT
17
IT GOVERNANCE
• Leadership, organizational structures and processes in relation
to IT initiatives and systems that ensure that the organization’s
IT sustains and extends the organization’s strategy and
objectives.
• Directors should govern IT through three main tasks:
• Evaluate the current and future use of IT.
• Direct preparation and implementation of plans and
policies to ensure that use of IT meets business
objectives.
• Monitor conformance to policies, and performance 18
against the plans.
AUDITING IT GOVERNANCE
Steps:
• Asking management to collect program documentation in
preparation for the audit.
• Evaluating the IT governance's design adequacy and the
effectiveness of IT and risk management controls.
• Assessing information security processes, procedures, and
performance metrics.
• Defining tests to confirm the operational effectiveness of
information security activities.
• Identifying and recommending opportunities for improving 19
information security activities.
IT AUDIT
TYPES OF IT AUDIT
• IT audit in financial audit
• Scope –IT portfolio, entity-level controls, information
security, backup and recovery, and third-party IT
providers, compliance audit
• IT audit / IS audit
• Scope – application, database, OS, networking and
infrastructure, physical controls and entity-level
controls.
• Main objective of IT audit - to enable integrity,
reliability, timely communication and security of the
data through checking data life cycle management
20
AUDITOR’S CONCERNS
• Degree of dependency of business process on the system.
• Extent of complexity of the system & audit trail (i.e.
accessibility and evidences)
• Safeguarding of assets (controls) and data integrity
• Cost of error in computer or system.
21
A) DEGREE OF DEPENDENCY
Shared Services / Outsourcing / Offshoring Services
• The auditor should consider:
• The inherent risk and significance of the audit objectives
affected by the controls.
• The extent of the interaction between the client's controls and
the service organization's controls.
• Controls applied by the client to transactions processed by the
service organization.
• The auditor's prior experience with the service organization.
• The extent of audit trail within the client's internal control.
22
B) COMPLEXITY, TRAIL &
ASSETS
• Complexity – Infrastructure
• Trail – Networking, Security, Backup
• Safeguarding Assets – hardware, software, data files, manuals
(SOPs)
23
C) DATA INTEGRITY
24
EFFECT OF IT ON
AUDIT APPROACH &
AUDIT PROCESS
• Risk based approach
• Understand nature of business, business & technology risks
• Understand AIS, security system, general and application
controls
• Scope of audit
• Fair & true view, going concern, proper accounting records.
• Audit strategy
• Auditing ‘around’ computer
• Auditing ‘through’ computer
25
AUDITING ‘AROUND’
COMPUTER
SUBSTANTIVE STRATEGY
26
AUDITING ‘THROUGH’
COMPUTER
RELIANCE STRATEGY
How to audit in IT environment:
• Control Risk Assessment
• General and application controls are reviewed and tested.
• CAAT in gathering audit evidence
• Computer-Audit Assisted Techniques (CAAT).
• Modelling – predictive audit tests, statistical
• Tools – risk assessment procedures (AR)
• Audit Automation – IT in audit documentation
• Expert systems – customized audit software
27
• WP – electronic working paper
TEST OF CONTROLS IN
AUDITING ‘THROUGH’
COMPUTER
Input Process Output
Paper Online vs batch Files
document processing Reports
Database Time stamp Control totals /
Application doc Storage device hash totals
Sign on
procedures
Time stamp
ACL
28
COMPUTER-ASSISTED
AUDIT TECHNIQUES
(CAAT)
• Integrated test facility – test data
• Generalized audit software – ACL / IDEA
• Analyse data (large data i.e. 100%) & gather
evidence (i.e. computerised records)
• Data analysis software prog (not documenting
audit work)
• Routines: read computer files, select desired info
(i.e. exception reports on specified criteria),
perform repetitive calculations (i.e. arithmetic)
and print reports in auditor- specified format
• Custom audit software
29
30
AUDIT PROGRAM
31
WORKING PAPER – EXCEL
32
GROUP PROJECT BRIEFING
• Objective: To examine extent of use of IT in different audit stages
• Audit planning – AR, RA
• Audit fieldwork -
• Use of CAAT in data collection and analysis
• Use of IT in audit documentation
• Use of Excel / Word
• Use of standard or customized audit software
• Audit completion – audited FS, AR, Memorandum etc.
• Specific task(s)
• Challenges / obstacles & enablers
33