INTERNAL CONTROLS SPECIFIC TO INFORMATION TECHNOLOGY
To address many of the risks associated with reliance on IT, organizations often implement specific IT controls. Auditing standards describe two categories of controls for IT systems: general controls and application controls. General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls. Because general controls often apply on an entity-wide basis, auditors evaluate general controls for the company as a whole. Application controls apply to processing transactions, such as controls over the processing of sales or cash receipts. Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to reduce assessed control risk, because IT controls will differ across classes of transactions and accounts. Application controls are likely to be effective only when general controls are effective.

Figure 12-1 illustrates the relationship between general controls and application controls. Effective general controls provide the basis for relying on application controls to operate as designed. Strong general controls reduce the types of risks identified in the boxes outside the general controls oval in Figure 12-1. Table 12-1 describes six categories of general controls and three categories of application controls, with specific examples for each category. Let's examine these categories of general and application controls in more detail.

Similar to the effect that the control environment has on other components of internal control discussed in Chapter 10, the six categories of general controls have an entity-wide effect on all IT functions. Auditors typically evaluate general controls early in the audit because of their impact on application controls.
Administration of the IT Function
The board of directors' and senior management's attitude about IT affects the perceived importance of IT within an organization. Their oversight, resource allocation, and involvement in key IT decisions each signal the importance of IT. In complex environments, management may establish IT steering committees to help monitor the organization's technology needs. In less complex organizations, the board may rely on regular reporting by a chief information officer (CIO) or other senior IT manager to keep management informed. In contrast, when management assigns technology issues exclusively to lower-level employees or outside consultants, an implied message is sent that IT is not a high priority. The result is often an understaffed, underfunded, and poorly controlled IT function.

Separation of IT Duties
To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by having the computer perform those tasks, well-controlled organizations separate key duties within IT. For example, there should be separation of IT duties to prevent IT personnel from authorizing and recording transactions to cover the theft of assets. Figure 12-2 shows an ideal separation of duties. Ideally, responsibilities for IT management, systems development, operations, and data control should be separated as follows:
• IT management. The CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches.
• Systems development. Systems analysts, who are responsible for the overall design of each application system, coordinate the development and changes to IT systems by IT personnel responsible for programming the application and personnel outside IT who will be the primary system users (such as accounts receivable personnel). Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results. Programmers should not have access to input data or computer operations, to avoid using their knowledge of the system for personal benefit. They should work only with test copies of programs and data, so that changes reach production software only after proper authorization.
• Operations. Computer operators are responsible for the day-to-day operations of the computer following the schedule established by the CIO. They also monitor computer consoles for messages about computer efficiency and malfunctions. A librarian is responsible for controlling the use of computer programs, transaction files, and other computer records and documentation. The librarian releases them to operators only when authorized. For example, programs and transaction files are released to operators only when a job is scheduled to be processed. Similarly, the librarian releases a test copy to programmers only on approval by senior management. Network administrators also affect IT operations as they are responsible for planning, implementing, and maintaining operations of the network of servers that link users to various applications and data files.
• Data control. Data input/output control personnel independently verify the quality of input and the reasonableness of output. For organizations that use databases to store information shared by accounting and other functions, database administrators are responsible for the operation and access security of shared databases.
Naturally, the extent of separation of duties depends on the organization's size and complexity. In many small companies, it is not practical to segregate the duties to the extent illustrated in Figure 12-2.

Systems Development
Systems development includes:
• Purchasing software or developing in-house software that meets the organization's needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs as well as software design and implementation concerns are properly addressed. Involving users also results in better acceptance by key users.
• Testing all software to ensure that the new software is compatible with existing hardware and software and to determine whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical. Companies typically use one or a combination of the following two test approaches:
1. Pilot testing: A new system is implemented in one part of the organization while other locations continue to rely on the old system.
2. Parallel testing: The old and new systems operate simultaneously in all locations.

Proper documentation of the system is required for all new and modified software. After the software has been successfully tested and documented, it is transferred to the librarian in a controlled manner to ensure that only authorized software is ultimately accepted as the authorized version.

Physical and Online Security
Physical controls over computers and restrictions on online access to software and related data files decrease the risk of unauthorized changes to programs and improper use of programs and data files. Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.
• Physical controls. Proper physical controls over computer equipment restrict access to hardware, software, and backup data files on magnetic tapes or disks, hard drives, CDs, and external disks. Common examples of controls that physically restrict unauthorized use include keypad entrances, badge-entry systems, security cameras, and security personnel. More sophisticated controls allow physical and online access only after employee fingerprints are read or employee retinas are scanned and matched against an approved database. Other physical controls include monitoring of cooling and humidity to ensure that the equipment functions properly and installing fire-extinguishing equipment to reduce fire damage.
• Online access controls. Proper user IDs and passwords control access to software and related data files, reducing the likelihood that unauthorized changes are made to software applications and data files. Separate add-on security software packages, such as firewall and encryption programs, can be installed to improve a system's security. (See page 388 for a description of firewall and encryption programs.)

Backup and Contingency Planning
Power failures, fire, excessive heat or humidity, water damage, or even sabotage can have serious consequences for businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or on-site generators. For more serious disasters, organizations need detailed backup and contingency plans such as off-site storage of critical software and data files or outsourcing to firms that specialize in secure data storage. Backup and contingency plans should also identify alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centers that specialize in providing access to off-site computers and data storage and other IT services for use in the event of an IT disaster.
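The controlled transfer of tested, authorized software to the librarian described under Systems Development, and the online access controls intended to prevent unauthorized program changes, both depend on being able to tell the authorized version of a program from anything else sitting in production. The following added example (not from the original text) shows one way to do that: record a SHA-256 fingerprint of each program as the librarian releases it, then compare the production library against that baseline. The program names and contents are constructed byte strings standing in for real executables.

```python
"""Baseline comparison for authorized program versions.

Added example; the program names and contents below are constructed
byte strings, not real software.
"""
import hashlib


def fingerprint(contents: bytes) -> str:
    """SHA-256 hex digest of a program image."""
    return hashlib.sha256(contents).hexdigest()


def build_baseline(library: dict) -> dict:
    """Record the fingerprint of each program as released by the librarian.

    The result must be stored where operators and programmers cannot
    alter it; otherwise the comparison below proves nothing.
    """
    return {name: fingerprint(data) for name, data in library.items()}


def compare_to_baseline(baseline: dict, production: dict) -> dict:
    """Classify every program in either set as unchanged, modified,
    added (present in production but never released) or removed."""
    report = {"unchanged": [], "modified": [], "added": [], "removed": []}
    for name in sorted(set(baseline) | set(production)):
        if name not in production:
            report["removed"].append(name)
        elif name not in baseline:
            report["added"].append(name)
        elif fingerprint(production[name]) != baseline[name]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


# Constructed sample data: what the librarian released ...
AUTHORIZED_LIBRARY = {
    "payroll.exe": b"PAYROLL v4.2 authorized build",
    "ar_post.exe": b"AR POST v1.9 authorized build",
}
BASELINE = build_baseline(AUTHORIZED_LIBRARY)

# ... and what is actually running. One program has been altered after
# release and an undocumented utility has appeared.
PRODUCTION_LIBRARY = {
    "payroll.exe": b"PAYROLL v4.2 authorized build",
    "ar_post.exe": b"AR POST v1.9 authorized build; skip credit check",
    "fixup.exe": b"undocumented utility",
}

if __name__ == "__main__":
    for category, names in compare_to_baseline(BASELINE, PRODUCTION_LIBRARY).items():
        print(f"{category}: {names}")
```

Run as a scheduled job, the report gives both the security administrator and the auditor a record of when production programs changed and whether the change went through the librarian. The report is only as trustworthy as the stored baseline: if the same people who can alter production programs can also rewrite the fingerprints, the comparison offers no assurance, which is the dependence of application controls on general controls that this chapter stresses.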
(Objective 12-4)
IMPACT OF INFORMATION TECHNOLOGY ON THE AUDIT PROCESS
Because auditors are responsible for obtaining an understanding of internal control, they must be knowledgeable about general and application controls, whether the client's use of IT is simple or complex. Knowledge of general controls increases the auditor's ability to assess and rely on effective application controls to reduce control risk for related audit objectives. For public company auditors who must issue an opinion on internal control over financial reporting, knowledge of both general and application IT controls is essential. Auditors should evaluate the effectiveness of general controls before evaluating application controls. As illustrated in Figure 12-1 (p. 375), general controls have a pervasive effect on the effectiveness of application controls, so auditors should first evaluate those controls before concluding whether application controls are effective.

Effects of General Controls on System-wide Applications
Ineffective general controls create the potential for material misstatements across all system applications, regardless of the quality of individual application controls. For example, if IT duties are inadequately separated such that computer operators also work as programmers and have access to computer programs and files, the auditor should be concerned about the potential for unauthorized software program or data file changes that might lead to fictitious transactions or unauthorized data and omissions in accounts such as sales, purchases, and salaries. Similarly, if the auditor observes that data files are inadequately safeguarded, the auditor may conclude that there is a significant risk of loss of data for every class of transaction that relies on that data to conduct application controls. In this situation, the auditor may need to expand audit testing in several areas such as cash receipts, cash disbursements, and sales to satisfy the completeness objective.
On the other hand, if general controls are effective, the auditor may be able to place greater reliance on application controls whose functionality is dependent on IT. Auditors can then test those application controls for operating effectiveness and rely on the results to reduce substantive testing.

Effect of General Controls on Software Changes
Client changes to application software affect the auditor's reliance on automated controls. When the client changes the software, the auditor must evaluate whether additional testing is needed. If general controls are effective, the auditor can readily identify when software changes are made. But in companies where general controls are deficient, it may be difficult to identify software changes. As a result, auditors must consider performing tests of application controls that depend on IT throughout the current year audit.

Obtaining an Understanding of Client General Controls
Auditors typically obtain information about general and application controls in the following ways:
• Interviews with IT personnel and key users
• Examination of system documentation such as flowcharts, user manuals, program change requests, and system testing results
• Reviews of detailed questionnaires completed by IT staff
In most cases, auditors should use several of these approaches because each offers different information. For example, interviews with the chief information officer and systems analysts provide useful information about the operation of the entire IT function, the extent of software development and hardware changes made to accounting application software, and an overview of any planned changes. Reviews of program change requests and system test results are useful for identifying program changes in application software. Questionnaires help auditors identify specific internal controls.

The following discussion of control risk may seem familiar because auditors link IT controls to audit objectives following the same principles and approaches we covered in Chapter 10. You may recall that auditors relate controls and deficiencies in internal control to specific audit objectives. Based on those controls and deficiencies, the auditor assesses control risk for each related audit objective. The same approach is used when controls are performed by IT.

Relating IT Controls to Transaction-Related Audit Objectives
Auditors do not normally link controls and deficiencies in general controls to specific transaction-related audit objectives. Because general controls affect audit objectives in several cycles, if the general controls are ineffective, the auditor's ability to rely on IT-related application controls to reduce control risk in all cycles is reduced. Conversely, if general controls are effective, the auditor's ability to rely on IT-based application controls for all cycles is increased. Auditors can use a control risk matrix, much like the one we discussed in Chapter 10, to help them identify both manual and automated application controls and control deficiencies for each related audit objective.
For example, to prevent payments to fictitious employees, a computer comparison of input employee identification numbers with the employee master file might reduce control risk for the occurrence objective for payroll transactions. Auditors can identify manual and automated controls at the same time or separately, but they should not identify deficiencies or assess control risk until both types of controls have been identified.

Effect of IT Controls on Substantive Testing
After identifying specific IT-based application controls that can be used to reduce control risk, auditors can reduce substantive testing. The systematic nature of automated application controls may allow auditors to reduce sample sizes used to test those controls in both an audit of financial statements and an audit of internal control over financial reporting. Auditors may also be able to rely on prior year testing of automated controls as described in Chapter 10 when general controls are effective and the automated control has not been changed since testing by the auditor. Auditors often use their own software to test the controls. These factors, when combined, often lead to extremely effective and efficient audits. The impact of general controls and application controls on audits is likely to vary depending on the level of complexity in the IT environment. We discuss that next.
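The payroll example above, a computer comparison of employee identification numbers against the employee master file, is an automated application control aimed at the occurrence objective. The following added example (not from the original text) shows what such a control actually does when it runs over a batch of payroll transactions, and what it rejects: IDs missing from the master file, employees whose master record is no longer active, and a second payment to the same employee in the same period. The master file, transactions, field names and status values are constructed for the example.

```python
"""Automated application control: match payroll transactions to the
employee master file before payment is released.

Added example; the master file and transaction batch below are
constructed sample data, not from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str  # constructed values: "active" or "terminated"


@dataclass(frozen=True)
class PayrollTxn:
    txn_id: str
    emp_id: str
    period: str
    gross_pay: float


# Constructed employee master file, keyed by employee ID.
MASTER_FILE = {
    "E1001": Employee("E1001", "A. Lopez", "active"),
    "E1002": Employee("E1002", "B. Chen", "active"),
    "E1003": Employee("E1003", "C. Okafor", "terminated"),
}

# Constructed payroll batch for one period.
TRANSACTIONS = [
    PayrollTxn("T1", "E1001", "2024-06", 4200.00),
    PayrollTxn("T2", "E1002", "2024-06", 3900.00),
    PayrollTxn("T3", "E9999", "2024-06", 5100.00),  # ID not in master file
    PayrollTxn("T4", "E1003", "2024-06", 4400.00),  # terminated employee
    PayrollTxn("T5", "E1001", "2024-06", 4200.00),  # second payment, same period
]


def check_payroll_occurrence(transactions, master_file):
    """Return (accepted_txn_ids, exceptions).

    Each exception is a (txn_id, reason) pair. A transaction is accepted
    only if its employee ID exists in the master file, the employee is
    active, and no earlier transaction in the batch already paid that
    employee for the same period.
    """
    accepted, exceptions = [], []
    paid = set()  # (emp_id, period) pairs already accepted
    for txn in transactions:
        emp = master_file.get(txn.emp_id)
        if emp is None:
            exceptions.append((txn.txn_id, "employee ID not in master file"))
        elif emp.status != "active":
            exceptions.append((txn.txn_id, f"employee status is {emp.status}"))
        elif (txn.emp_id, txn.period) in paid:
            exceptions.append((txn.txn_id, "duplicate payment for period"))
        else:
            paid.add((txn.emp_id, txn.period))
            accepted.append(txn.txn_id)
    return accepted, exceptions


if __name__ == "__main__":
    ok, exc = check_payroll_occurrence(TRANSACTIONS, MASTER_FILE)
    print("accepted:", ok)
    for txn_id, reason in exc:
        print(f"rejected {txn_id}: {reason}")
```

The control reduces occurrence risk only to the extent that the master file itself is trustworthy. If someone who can submit payroll transactions can also add records to the master file, adding a fictitious employee as "active" makes the fictitious payment pass the comparison, so the auditor's reliance on this application control depends on the general controls over access to and changes in the master file.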
Many organizations design and use accounting software to process business transactions so that source documents are retrievable in a readable form and can be traced easily through the accounting system to output. Such systems retain many of the traditional source documents such as customer purchase orders, shipping and receiving records, and sales and vendor invoices. The software also produces printed journals and ledgers that allow the auditor to trace transactions through the accounting records. Internal controls in these systems often include client personnel comparing computer-produced records with source documents. In these situations, the use of IT does not significantly impact the audit trail. Typically, auditors obtain an understanding of internal control and do tests of controls, substantive tests of transactions, and account balance verification procedures in the same way they do when testing manual accounting systems. The auditor is still responsible for obtaining an understanding of general and application computer controls because such knowledge is useful in identifying risks that may affect the financial statements. But the auditor typically does not test automated controls. This approach to auditing is often called auditing around the computer because the auditor is not using automated controls to reduce assessed control risk. Instead, the auditor uses manual controls to support a reduced control risk assessment. Auditors in smaller companies often audit around the computer when general controls are less effective than in more complex IT environments. Often, smaller companies lack dedicated IT personnel, or they rely on periodic involvement of IT consultants to assist in installing and maintaining hardware and software. The responsibility for the IT function is often assigned to user departments, such as the accounting department, where the hardware physically resides.
Auditing around the computer is effective because these systems often produce sufficient audit trails to permit auditors to compare source documents such as vendors' and sales invoices to output, and there may be manual controls over the input and output processes that operate effectively to prevent and detect material financial statement misstatements. Many organizations with non-complex IT environments rely heavily on desktop computers and networked servers to perform accounting system functions. The use of such computers creates the following unique audit considerations:
• Limited reliance on automated controls. Even in less sophisticated IT environments, automated controls can often be relied on. For example, software programs can be loaded on the computer's hard drive in a format that does not permit changes by client personnel, making the risk of unauthorized changes in the software low. Before relying on controls built into that software, auditors must be confident that the software vendor has a reputation for quality.
• Access to master files. When clients use desktop computers and servers, auditors should be concerned about access to master files by unauthorized people. Appropriate separation of duties between personnel with access to master files and responsibilities for processing is critical. Regular owner-manager review of transaction output improves internal control.
• Risk of computer viruses. Computer viruses can lead to the loss of data and programs. Certain viruses can damage electronic files or shut down an entire network of computers. Regularly updated virus protection software that screens for virus infections improves controls.

A public company's use of desktop computers in the financial reporting process may affect the audit of internal control over financial reporting. If the auditor concludes that general controls are ineffective, the auditor's tests of automated application controls may need to be increased. The auditor must also consider the implications of the lack of effective general controls on the opinion about the operating effectiveness of internal control over financial reporting.
(Objective 12-5)