1 The proper installation of IT can lead to internal control enhancements by replacing manually-performed controls with computer-performed controls. IT-based accounting systems have the ability to handle tremendous volumes of complex business transactions cost effectively. Computer-performed controls can reduce the potential for human error by replacing manual controls with programmed controls that apply checks and balances to each transaction processed. The systematic nature of IT offers greater potential to reduce the risk of material misstatements resulting from random, human errors in processing.
The use of IT based accounting systems also offers the potential for improved management decisions by providing more and higher quality information on a more timely basis than traditional manual systems. IT-based systems are usually administered effectively because the complexity requires effective organization, procedures, and documentation. That in turn enhances internal control.
2 When entities rely heavily on IT systems to process financial information, there are new risks specific to IT environments that must be considered. Key risks include the following:
< Reliance on the functioning capabilities of hardware and software. The risk of system crashes due to hardware or software failures must be evaluated when entities rely on IT to produce financial statement information.
< Systematic versus random errors. Due to the uniformity of processing performed by IT based systems, errors in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements.
< Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized on-line access from remote locations.
< Loss of data. The centralized storage of data in electronic form increases the risk of data loss in the event the data file is altered or destroyed.
< Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records.
< Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
< Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.
< Reduced segregation of duties. The installation of IT-based accounting systems centralizes many of the traditionally segregated manual tasks into one IT function.
< Need for IT experience. As companies rely to a greater extent on IT-based systems, the need for personnel trained in IT systems increases in order to install, maintain, and use systems.
3 The audit trail represents the accumulation of source documents and records maintained by the client to serve as support for the transactions occurring during the accounting period. The integration of IT can change the audit trail by converting many of the traditionally paper-based source documents and records into electronic files that cannot be visually observed. Because many of the transactions are entered directly into the computer as they occur, some of the documents and records are even eliminated.
4 Random error represents errors that occur in an inconsistent pattern. Manual accounting systems are especially prone to random errors that result from honest mistakes that occur as employees perform day-to-day tasks. When those mistakes do not consistently occur while performing a particular task, errors are distributed randomly into the accounting records. An example of a random error is when an employee accidentally pulls the wrong unit price off the approved price list when preparing a sales invoice for a particular customer.
Systematic error represents errors that occur consistently across all similar transactions. Because IT-based systems perform tasks uniformly for all transactions submitted, any mistake in software programming results in the occurrence of the same error for every transaction processed by the system. An example of a systematic error occurs when a program that is supposed to post sales amounts to the accounts receivable subsidiary records actually posts the sales amount twice to customers’ accounts.
5 In most traditional accounting systems, the duties related to authorization of transactions, recordkeeping of transactions, and custody of assets are segregated across three or more individuals. As accounting systems make greater use of IT, many of the traditional manually performed tasks are now performed by the computer. As a result, some of the traditionally segregated duties, particularly authorization and recordkeeping, fall under the responsibility of IT personnel. To compensate for the collapsing of duties under the IT function, key IT tasks related to programming, operation of hardware and software, and data control are segregated. Separation of those IT functions restricts an IT employee’s ability to inappropriately access software and data files in order to misappropriate assets.
6 General controls relate to all aspects of the IT function. They have a global impact on all software applications. Examples of general controls include controls related to the administration of the IT function; software acquisition and maintenance; physical and on-line security over access to hardware, software, and related backup; back-up planning in the event of unexpected emergencies;
and hardware controls. Application controls apply to the processing of individual transactions. An example of an application control is a programmed control that verifies that all time cards submitted are for valid employee id numbers included in the employee master file.
7 The typical duties often segregated within an IT function include systems development, computer operations, and data control. Systems development involves the acquisition or programming of application software. Systems development personnel work with test copies of programs and data files to develop new or improved application software programs. Computer operations personnel are responsible for executing live production jobs in accordance with a job schedule and for monitoring consoles for messages about computer efficiency and malfunctions. Data control personnel are responsible for data input and output control. They often independently verify the quality of input and the reasonableness of output. By separating these functions, no one IT employee can make changes to application software or underlying master files and then operate computer equipment to use those changed programs or data files to process transactions.
8 If general controls are ineffective, there is a potential for material misstatement in each computer-based accounting application, regardless of the quality of automated application controls. If, for example, the systems development process is not properly controlled, there is a greater risk that unauthorized and untested modifications to accounting applications software have occurred that may have affected the automated control. If general controls are strong, there is a greater likelihood of placing greater reliance on automated application controls. Stronger general controls should lead to greater likelihood that underlying automated application controls operate effectively and data files contain accurate, authorized, and complete information. When general controls are effective, the auditor may not have to test the automated application control in the current year, as long as the automated control has not changed since it was last tested by the auditor and that test was performed within the last three years.
CAclubindia
