CHAPTER 10 CIS AUDIT


10.1 CIS Environment

Meaning of CIS audit
CIS audit is the process of auditing in a computerised environment. The prime objective of a CIS audit is to determine whether computer systems:
- safeguard assets;
- maintain data integrity;
- achieve organisational goals effectively;
- consume resources efficiently.

Does the overall objective of audit change in a CIS environment?
The overall objective and scope of an audit do not change in a CIS environment. However, the use of a computer changes the processing and storage of financial information and may affect the organisation and procedures employed by the entity to achieve adequate internal control. The CIS environment affects all aspects of the audit, including:
- the consideration of inherent risk and control risk;
- the procedures followed by the auditor to obtain a sufficient understanding of the internal control structure;
- the design and performance of audit procedures by the auditor.

Skills and competence
The auditor should have an understanding of computer hardware, software and processing systems sufficient to plan the engagement and to understand how the CIS affects the study and evaluation of internal control and the application of auditing procedures, including CAATs. Specialised skills and competence may be required to:
- determine the effect of the CIS environment on the assessment of overall audit risk;
- obtain an understanding of the internal control structure affected by the CIS environment and its effect on business operations;
- design and perform appropriate tests of control and substantive procedures;
- evaluate the results of the procedures performed.

Work performed by others
When the auditor delegates work to assistants or uses work performed by other auditors or experts, the auditor should have sufficient knowledge of CIS to:
- direct, supervise and review the work of assistants with CIS skills;
- obtain reasonable assurance that the work performed by other auditors or experts with CIS skills is adequate for his purpose.

Planning
The auditor should gather the information about the CIS environment that is relevant to the audit plan. He should obtain information on the following:
- the computer hardware and software used by the organisation;
Classes at I.G.P 43

- the significance and complexity of computer processing in each significant accounting application;
- planning how, where and when the CIS function will be reviewed, including scheduling the work of CIS experts, as applicable;
- planning auditing procedures using CAATs;
- determining the degree of reliance to be placed on the CIS controls in his overall evaluation of internal control;
- the way in which the CIS function is organised and the extent of concentration or distribution of computer processing throughout the entity;
- the availability of data, source documents, computer files and other evidence.

Accounting system and internal control
The auditor should acquire knowledge of the accounting system to gain an understanding of the overall control environment and the flow of transactions. The auditor should consider:
- general CIS controls;
- CIS application controls.

Audit evidence
A CIS environment may affect the application of compliance and substantive procedures in several ways. The use of CAATs may be required because of:
- the absence of input documents;
- the automatic generation of accounting transactions by computer programs;
- the lack of a visible audit trail;
- the lack of visible output.
The effectiveness and efficiency of auditing procedures may be improved through the use of CAATs in obtaining and evaluating audit evidence, e.g. in applying analytical review procedures, transaction or balance details may be reviewed and reports of unusual items printed more efficiently by using the computer than by manual methods.

Past Attempt Questions
Q1. To prepare an audit plan in a CIS environment an auditor should gather information. Mention any four such important items of information which he has to collect. (4 Marks, May 2013)
Q2. State with reasons (in short) whether the following statement is True or False: The overall objective of audit changes in a Computer Information System (CIS) environment. (2 Marks, November 2009)
Q3. The environment in which internal control operates has no relationship with the effectiveness of the specific control procedure. (2 Marks, November 2008)
Q4. Is there any change in audit approach in the audit of computerised accounts as compared to the audit of manual accounts? (8 Marks, November 2005)

10.2 Organizational Structure in a CIS Environment

I. Characteristics of CIS organizational structures

Concentration of functions and knowledge
Generally, the number of persons involved in the processing of financial information in a CIS environment is significantly reduced. Further, certain data processing personnel may have detailed knowledge of:
- the inter-relationship between the sources of data;
- how it is processed;
- the distribution and use of output.
There may be a possibility that they are aware of any weaknesses in internal controls and, therefore, may be in a position to alter programs or data while stored or during processing.

Concentration of programs and data
In many CIS installations all computer programs and data files are stored centrally or in a limited number of locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorised access to, and alteration of, programs and data.

II. Nature of Processing
The nature of processing in a CIS environment has certain distinguishing features. System features that may result from the nature of CIS processing include:
- absence of input documents;
- lack of a visible transaction trail;
- lack of visible output;
- ease of access to data and computer programs.

Absence of input documents
Data may be entered directly into the computer system without supporting documents, e.g. in an online system, sales transactions may be fed into the computer directly by the salesman without there being any source document. Moreover, some transactions may also be generated by the system itself based on program instructions.

Lack of a visible transaction trail
The transaction trail (audit trail) refers to the successive stages in the recording of a transaction in the books of account through which an auditor may be able to trace accounting entries in the books back to their initiation and vice versa. In a CIS environment, source documents for many transactions may not be available. Moreover, updating of multiple files may be done by a single transaction. The transaction trail may be partly in machine-readable form, and furthermore it may exist only for a limited period of time.

Lack of visible output
In a manual system, it is normally possible to examine the detailed results of processing. However, in some CIS systems, certain transactions or results of processing may not be printed, or only summary data may be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by the computer.

Ease of access to data and computer programs
Data and computer programs may be accessed and altered at the computer or through the use of computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorised access to and alteration of data and programs by persons inside or outside the entity.

III. Design and Procedural Aspects

Consistency of performance
A CIS system performs functions exactly as they are programmed. This implies that if a computer program is correct, the information will be consistently processed correctly. On the other hand, if the computer is not correctly

programmed, it will consistently process the data erroneously. The consistency of performance of a CIS system has an important bearing on the work of the auditor.

Programmed control procedures
In a CIS system, some of the internal control procedures may be incorporated into the computer program itself, e.g. password controls can be used to protect data against unauthorised access. Programmed controls are applied uniformly, without exception. In the case of many programmed control procedures there is little visible evidence of their execution, while in the case of others evidence of execution can be reviewed through manual procedures.

System-generated transactions
In a CIS system, certain transactions may be initiated by the system itself without the need for an input document, e.g. interest may be calculated and charged to customers' accounts automatically. The authorisation of such transactions may not be evidenced by visible input documentation.

Single transaction update of multiple computer files
A single transaction fed into a CIS system may automatically update all records associated with the transaction. This ensures that all relevant records are kept up to date. On the other hand, it also implies that if one erroneous input is made, many records will contain errors.

Vulnerability of data and program storage media
The programs and data in a CIS system are stored on portable or fixed storage media, e.g. floppy disks, magnetic tapes, hard disks etc. The vulnerability of CIS systems requires extensive internal controls against theft, loss, alteration and destruction of programs and data.

Past Attempt Questions
Q1. In a CIS environment, what are the different design and procedural aspects which are different from those found in manual systems? (4 Marks, November 2008)

10.3 Internal Controls in a CIS Environment
The internal controls over computer processing, which help to achieve the overall objectives of internal control, can be classified as:
- overall controls affecting the CIS environment (general CIS controls);
- specific controls over accounting applications (CIS application controls).

General CIS Controls
The purpose of general CIS controls is to:
- establish a framework of overall control over CIS activities; and
- provide a reasonable level of assurance that the overall objectives of internal control are achieved.
General CIS controls include the following:

Organization and management controls
These are designed to establish an organisational framework over CIS activities, including:
- policies and procedures relating to control functions;
- appropriate segregation of incompatible functions.

Application system development and maintenance controls
These are designed to provide reasonable assurance that systems are developed and maintained in an authorised and efficient manner. They are designed to control:
- changes to application systems;

- access to system documentation;
- acquisition of application systems from third parties;
- testing, implementation and documentation of new or revised systems.

Computer operation controls
These are designed to control the operation of the systems and to provide reasonable assurance that:
- only authorised programs are used;
- processing errors are detected and corrected;
- systems are used for authorised purposes by authorised personnel.

System software controls
These are designed to provide reasonable assurance that system software is acquired or developed in an authorised and efficient manner, including:
- restriction of access to authorised personnel only;
- authorisation, approval, testing, implementation and documentation of new system software and modifications.

Data entry and program controls
These are designed to provide reasonable assurance that:
- access to data and programs is restricted to authorised personnel;
- an authorisation structure is established over transactions being entered into the systems.

There are other CIS safeguards that contribute to the continuity of CIS processing. These may include:
- off-site backup of data and computer programs;
- provision for off-site processing in the event of disaster;
- recovery procedures for use in the event of theft, loss, destruction etc.

CIS Application Controls
The purpose of CIS application controls is to establish specific control procedures over the accounting application in order to provide reasonable assurance that all transactions are authorised and recorded and are processed completely, accurately and on a timely basis. These include the following:

Controls over input
These controls provide reasonable assurance that:
- transactions are properly authorised before being processed by the computer;
- transactions are not lost, added, duplicated or improperly changed;
- incorrect transactions are rejected or, after correction, resubmitted;
- transactions are properly converted into machine-readable form and recorded in computer data files.

Controls over processing and computer data files
These are designed to provide reasonable assurance that:
- processing errors are identified and corrected on a timely basis;
- transactions are not lost, added or improperly changed;
- transactions are properly processed by the computer.

Controls over output
These provide assurance that:
- results of processing are accurate;
- access to output is restricted to authorised personnel;
- output is provided to appropriate authorised personnel on a timely basis.
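The three groups of application controls above can be seen working together on one small batch. The following Python script is an added illustration written for these notes; it is not code from the original text or from any accounting package. The authorised-user tables, the customer master file and the batch of transactions are constructed sample data, and the batch count, anticipatory control total and run-to-run total follow the terms used in this chapter.

```python
"""Application controls over input, processing and output in a CIS,
as an added illustration for these notes (not code from the original
text). All tables and transactions below are constructed sample data."""
from decimal import Decimal

# Constructed: who may enter transactions, who may receive output,
# and the customer master file (account -> opening balance).
AUTHORISED_ENTRY = {"clerk1", "clerk2"}
AUTHORISED_OUTPUT = {"controller", "auditor"}
MASTER = {
    "C001": Decimal("100.00"),
    "C002": Decimal("250.00"),
    "C003": Decimal("0.00"),
}

def input_controls(batch, batch_count, batch_total, master):
    """Controls over input. Every item must be entered by an authorised
    user, not be a duplicate, refer to an existing account and carry a
    positive amount; rejected items are returned with a reason so they
    can be corrected and resubmitted. The batch as a whole is compared
    with the count and anticipatory control total the user established
    before entry, which exposes a transaction lost or added in transit."""
    accepted, rejected, seen = [], [], set()
    for t in batch:
        if t["entered_by"] not in AUTHORISED_ENTRY:
            rejected.append((t["id"], "not authorised"))
        elif t["id"] in seen:
            rejected.append((t["id"], "duplicate"))
        elif t["account"] not in master:
            rejected.append((t["id"], "unknown account"))
        elif t["amount"] <= 0:
            rejected.append((t["id"], "invalid amount"))
        else:
            seen.add(t["id"])
            accepted.append(t)
    batch_ok = (len(batch) == batch_count
                and sum(t["amount"] for t in batch) == batch_total)
    return accepted, rejected, batch_ok

def process(accepted, master):
    """Controls over processing and data files. Posts the accepted items
    to a copy of the master file, then reperforms a run-to-run control
    total: opening balances plus accepted amounts must equal closing
    balances, so an item lost or altered during posting is identified."""
    updated = dict(master)
    for t in accepted:
        updated[t["account"]] += t["amount"]
    expected = sum(master.values()) + sum(t["amount"] for t in accepted)
    return updated, sum(updated.values()) == expected

def can_receive_output(user):
    """Controls over output: results go only to authorised personnel."""
    return user in AUTHORISED_OUTPUT

def output_report(updated, user):
    if not can_receive_output(user):
        raise PermissionError(f"{user} may not receive the balance report")
    return sorted(updated.items())

# Constructed batch. Before entry the user counted 4 items totalling
# 185.00; only 3 reached the system, one is keyed twice and one was
# entered by someone outside the authorised list.
BATCH = [
    {"id": "T1", "account": "C001", "amount": Decimal("50.00"), "entered_by": "clerk1"},
    {"id": "T1", "account": "C001", "amount": Decimal("50.00"), "entered_by": "clerk1"},
    {"id": "T2", "account": "C009", "amount": Decimal("35.00"), "entered_by": "intern"},
]

def run_batch(batch=BATCH, batch_count=4, batch_total=Decimal("185.00")):
    """Run the three control layers over one batch and summarise."""
    accepted, rejected, batch_ok = input_controls(batch, batch_count, batch_total, MASTER)
    updated, reconciled = process(accepted, MASTER)
    return {
        "accepted": [t["id"] for t in accepted],
        "rejected": rejected,
        "batch_ok": batch_ok,
        "reconciled": reconciled,
        "C001": updated["C001"],
    }

if __name__ == "__main__":
    for key, value in run_batch().items():
        print(f"{key}: {value}")
```

Running the script posts one transaction and reports the duplicate and the unauthorised entry as rejections for correction and resubmission. Because the user's anticipatory total (four items, 185.00) does not agree with what reached the system (three items, 135.00), the batch is flagged even though the accepted item posts and the run-to-run total reconciles; the missing transaction is only visible through the input control, not through the processing control.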

10.4 Review of Internal Controls

Review of general CIS controls
The general CIS controls which the auditor may wish to test are described above. The auditor should consider how these general CIS controls affect the CIS applications significant to the audit. General CIS controls that relate to some or all applications are typically interdependent controls, in that their operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls.

Review of CIS application controls
Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software. CIS application controls which the auditor may wish to test include the following.

Manual controls exercised by the user. If manual controls exercised by the user of the application system are capable of providing reasonable assurance that the system's output is complete, accurate and authorised, the auditor may decide to limit tests of control to these manual controls (e.g. the manual controls exercised by the user over a computerised payroll system for salaried employees could include an anticipatory input control total for gross pay, test checking of net salary output computations, approval of the payments and transfer of funds, comparison to payroll register amounts, and prompt bank reconciliation). In this case, the auditor may wish to test only the manual controls exercised by the user.

Controls over system output. If, in addition to manual controls exercised by the user, the controls to be tested use information produced by the computer or are contained within computer programs, it may be possible to test such controls by examining the system's output using either manual or computer-assisted audit techniques. Such output may be in the form of magnetic media, microfilm or printouts (e.g. the auditor may test controls exercised by the entity over the reconciliation of report totals to the general ledger control accounts and may perform manual tests of those reconciliations). Alternatively, where the reconciliation is performed by computer, the auditor may wish to test the reconciliation by reperforming the control with the use of computer-assisted audit techniques.

Programmed control procedures. In the case of certain computer systems, the auditor may find that it is not possible or, in some cases, not practical to test controls by examining only user controls or the system's output (e.g. in an application that does not provide printouts of critical approvals or overrides to normal policies, the auditor may want to test control procedures contained within the application program). The auditor may consider performing tests of control by using computer-assisted audit

techniques, such as test data, reprocessing transaction data or, in unusual situations, examining the coding of the application program.

Evaluation
The general CIS controls may have a pervasive effect on the processing of transactions in application systems. If these controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems. Thus, weaknesses in general CIS controls may preclude testing certain CIS application controls; however, manual procedures exercised by users may provide effective control at the application level.

10.5 Internal Controls in a Service Bureau
Requirements of an internal control system at a service bureau. The requirements for establishing or evaluating a system of internal control for applications processed at a service bureau are stated below:
- Liaison between the bureau and the user should be clearly defined; a senior member of the user's staff is appointed as liaison officer.
- There is a need for system testing, including all clerical procedures at the user company.
- Control over the physical movement of data and, in this respect, whether a copy or microfilm of documents sent to the service bureau is kept.
- Planning procedures so that errors are identified from the documents provided by the bureau. The user must ensure prompt correction and resubmission of rejections to meet the bureau's processing schedule.
- Establishing a system in the user company to ensure that all exception reports are received from the bureau.
- Establishing clerical controls to verify the accuracy of computer processing.
- Normally, the user has no physical control over the files; therefore, strict control over the maintenance of data on master files should be established.

10.6 Approaches to Auditing
Changes in hardware and software have changed the conceptual approach to auditing. Computers are being used in two ways:
- as a tool of the auditor, aiding in the performance of the audit, such as printing confirmation requests;
- as the target of the audit, where data are submitted to the computer and the results are analysed for processing reliability and the accuracy of the computer program.

Audit trail
An audit trail is a situation where it is possible to relate, on a one-to-one basis, the original input with the final output, i.e. tracing the details of processing

between the input and the output. When there is a significant visible audit trail, the auditor's work is not affected and he need not change his approach to the audit. The absence of an audit trail may be due to factors such as:
- direct data entry into the system;
- direct posting of transactions to the master file;
- elimination of reports, as information is supplied on-line.
The auditor may use special techniques to overcome the loss of, or changes in, the audit trail. Some measures to overcome the loss of the audit trail may include:
- testing on a total basis;
- programmed interrogation facilities;
- arranging for special printouts containing additional information;
- reliance on alternative tests.

Auditing around the computer (black box approach)
Auditing around the computer involves arriving at an audit opinion through examining the internal control system for a computer installation and only the input and output of application systems. On the basis of the quality of the input and output of the application system, the auditor infers the quality of the processing carried out. Application system processing is not examined directly; the auditor views the computer as a black box. The auditor can usually audit around the computer when either of the following situations applies to application systems existing in the installation:
- the system is simple and batch oriented;
- the system uses generalised software that is well tested and used widely by many installations.
Sometimes batch computer systems are just an extension of manual systems. These systems have the following attributes:
- the system logic is straightforward and there are no special routines resulting from the use of the computer to process data;
- input transactions are batched and control can be maintained through the normal methods, for example, separation of duties and management supervision;
- processing primarily consists of sorting the input data and updating the master file sequentially;
- there is a clear audit trail and detailed reports are prepared at key processing points within the system;
- the task environment is relatively constant and few stresses are placed on the system.
For these well-defined systems, generalised software packages often are available. For example, software vendors have developed payroll, accounts receivable and accounts payable packages. If these packages are provided by a reputable vendor, have received widespread use, and appear error-free, the auditor may decide not to test directly the processing aspects of the system.

The auditor must ensure, however, that the installation has not modified the package in any way and that adequate controls exist to prevent unauthorised modification of the package. Not all generalised software packages make application systems amenable to auditing around the computer. Some packages provide a set of generalised functions that still must be selected and combined to accomplish application system purposes. For example, database management system software may provide generalised update functions, but a high-level program still must be written to combine these functions in the required way. In this situation the auditor is less able to infer the quality of processing from simply examining the system's input and output.

The primary advantage of auditing around the computer is simplicity. Auditors having little technical knowledge of computers can be trained easily to perform the audit. There are two major disadvantages to the approach. First, the type of computer system where it is applicable is very restricted; it should not be used for systems having any complexity in terms of size or type of processing. Second, the auditor cannot assess very well the likelihood of the system degrading if the environment changes. The auditor should be concerned with the ability of the system to cope with a changed environment. Systems can be designed and programs can be written in certain ways so that a change in the environment will not cause the system to process data incorrectly or to degrade quickly.

Auditing through the computer
The auditor can use the computer to test: (a) the logic and controls existing within the system and (b) the records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor. There are several circumstances where auditing through the computer must be used:
- The application system processes large volumes of input and produces large volumes of output that make extensive direct examination of the validity of input and output difficult.
- Significant parts of the internal control system are embodied in the computer system. For example, in an online banking system a computer program may batch transactions for individual tellers to provide control totals for reconciliation at the end of the day's processing.
- The logic of the system is complex and there are large portions that

facilitate use of the system or efficient processing.
- Because of cost-benefit considerations, there are substantial gaps in the visible audit trail.
The primary advantage of this approach is that the auditor has increased power to test a computer system effectively. The range and capability of the tests that can be performed increase and the auditor acquires greater confidence that data processing is correct. By examining the system's processing the auditor can also assess the system's ability to cope with environmental change. The primary disadvantages of the approach are the high costs sometimes involved and the need for extensive technical expertise when systems are complex. However, these disadvantages are really spurious if auditing through the computer is the only viable method of carrying out the audit.

Past Attempt Questions
Q1. Write a short note on auditing through the computer. (4 Marks, May 2014) or Q2. What do you understand by auditing through the computer? (4 Marks, May 2005)
Q3. State clearly the circumstances where the "auditing through the computer" approach must be used. (6 Marks, November 2010) or Q4. State the circumstances where auditing through the computer must be used. (5 Marks, May 2007)
Q5. What do you understand by auditing around the computer? (4 Marks, May 2005)

10.7 Computer Assisted Audit Techniques (CAATs)

Definition
Computer assisted audit techniques (CAATs) are computer programs and data that the auditor uses as part of the audit procedures to process data of audit significance contained in an entity's information systems.

Reasons for their use
The use of CAATs may be required because:
- the auditor may not be able to examine documentary evidence because of the absence of input documents (e.g. order entry in online systems) or the generation of accounting transactions by computer programs (e.g. automatic calculation of discounts);
- the auditor will not be able to follow transactions through the computerised accounting system because of the lack of a visible audit trail; and
- the lack of visible output may necessitate access to data retained on files readable only by the computer.

Advantages of CAATs
CAATs allow the auditor to gain access to data without dependence on the client, to test the reliability of the client's software and to perform audit tests more efficiently. CAATs may be used in performing audit procedures such as:
- tests of details of transactions and balances, for example the use of audit software for recalculating interest or for extracting invoices over a certain value from computer records;
- analytical procedures, for example, to identify inconsistencies or significant fluctuations;
- sampling programs to extract data for audit testing;

- reperforming calculations performed by the entity's accounting systems.

Past Attempt Questions
Q1. What are CAATs? Why are CAATs required in a computerised information system (CIS) environment? (8 Marks, November 2011) or Q2. Why are computer aided audit techniques (CAATs) required in EDP audit? What are the advantages of CAATs? (10 Marks, May 2006)
Q3. Why are computer assisted audit techniques (CAATs) needed in a Computer Information Systems (CIS) environment and how do they help the auditor in obtaining and evaluating audit evidence? (6 Marks, November 2007)

10.8 Some Techniques

Test data approach
The auditor prepares transaction data (test data, also called a test pack) and processes it on the client's processing system under his control. If the results of processing match the predetermined output, this indicates that the application and general controls are functioning properly. The test data should exercise each control on which the auditor wishes to rely. Advantages: reliable, easy to use and long-term economies. Disadvantages: additional work for the auditor, difficulty in designing test data and high initial cost.

Generalized audit software (GAS)
Audit programs are designed by computer manufacturers, software professionals and large firms of auditors. The functions that can be performed with GAS include:
- examination and review of records based on the auditor's criteria;
- selecting and printing audit samples;
- testing calculations and making comparisons;
- comparing data on separate files.

10.9 Extra Questions
Q. 'Doing the audit in an EDP environment is simpler since the Trial Balance always tallies.' Analyse the statement critically. (5 Marks, May 2010)
Answer: Audit in a Computerised Information System (CIS) Environment: Though it is true that in a CIS environment the trial balance always tallies, this does not imply that the job of the auditor becomes simpler. There can still be accounting errors such as omission of certain entries, compensating errors, duplication of entries, and errors of commission in the form of posting to the wrong head of account. Window dressing and/or the creation of secret reserves are possible in a CIS environment too, in spite of a tallied trial balance. At present, because of the complex business environment, the importance of the trial balance cannot be judged on arithmetical accuracy alone; the nature of the transactions recorded and their classification in the books should be the focus.

The emergence of new forms of financial instruments such as options and futures, derivatives, off-balance-sheet financing etc. has given rise to further complexities in the recording and disclosure of transactions. In an audit, besides the tallying of the trial balance, there are other matters, such as estimation of the provision for depreciation, estimation of tax liability, valuation of inventories, obtaining audit evidence, ensuring compliance with various laws, regulations and standards, verification of the existence and valuation of assets and liabilities, and reporting requirements under statute, which still require judgement to be exercised by the auditor. The CIS environment has its own complexities and requires many controls, safeguards and applications, which in turn require specialised knowledge and skill for proper implementation. The responsibility for expressing an audit opinion and the objectives of an audit are not changed in a CIS environment. Compliance with various laws and standards still has to be verified, ensured and reported. Therefore, simply because of the CIS environment and the tallying of the trial balance, the audit cannot be said to have become simpler.

Q. How would you assess the reliability of the internal control system in a computerised information system? (6 Marks, May 2008)
Answer: Reliability of Internal Control System in CIS: For evaluating the reliability of the internal control system in CIS, the auditor would consider the following:
(i) that authorised, correct and complete data is made available for processing;
(ii) that it provides for timely detection and correction of errors;
(iii) that in case of interruption due to mechanical, power or processing failures, the system restarts without distorting the completion of entries and records;
(iv) that it ensures the accuracy and completeness of output;
(v) that it provides security to application software and data files against fraud etc.;
(vi) that it prevents unauthorised amendments to programs.

Q. What is an audit trail? Briefly state the special audit techniques using the computer as an audit tool. (8 Marks, May 2004)
Answer: Audit trail: An audit trail refers to a situation where it is possible to relate, on a one-to-one basis, the original input with the final output. In a manual accounting system, it is possible to relate the recording of a transaction at each successive stage, enabling an auditor to locate and identify all documents from beginning to end for the purposes of examining documents, totalling and cross-referencing. In first and early second generation computer systems, a complete audit trail was generally available. However, with the advent of modern machines, the CIS environment has become more complex. This led to the use of exception reporting by management, which effectively eliminated the audit trail between input and output. The lack of visible evidence may occur at different stages in the accounting process, for example:
(i) Input documents may be non-existent where sales orders are entered online. In addition, accounting transactions such as discounts and interest calculations may be generated by computer programs with no visible authorisation of individual transactions.
(ii) The system may not produce a visible audit trail of transactions processed through the computer. Delivery notes and suppliers' invoices may be matched by a computer program. In addition, programmed control procedures, such as checking customer credit limits, may provide visible evidence only on an exception basis. In such cases,

there may be no visible evidence that all transactions have been processed.
(iii) Output reports may not be produced by the system, or a printed report may contain only summary totals while the supporting details are retained in computer files.

Q. The installation of computer operating systems has created both benefits and problems for auditors. Explain the statement. (6 Marks, May 2004)
Answer: Computer operating systems and the auditor: The installation of a computer operating system is an integral and absolutely essential part of a computer, even in a standalone PC-based environment. In fact it is difficult to visualise a computer being operational without an operating system installed. With the advancement of technology, operating systems are part of the server or hard disk and provide many options and much flexibility to the user. The provision of all these built-in features is quite beneficial to the user and the auditor alike. The data stored in the system can be extracted according to the requirement, e.g. records relating to students can be extracted region-wise, city-wise, examination-centre-wise, etc. to compare performance. At the same time, these advanced features of operating systems have given rise to several general hazards. In these circumstances, it becomes essential to restrict access to data by ensuring a proper security system such as passwords and other access controls. However, such a system can at times be hacked, and then the entire database is vulnerable to manipulation. Thus, from the auditor's point of view, the installation of an operating system has created both benefits and problems. The major benefits flow from the ability to examine the execution of transactions, take samples, etc., while problems might arise from the potential manipulation of the data. It may however be noted that the benefits from the operating system far outweigh the problems associated with it.
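The GAS functions listed in 10.8 and the two answers above on the tallied trial balance and on the audit trail can be brought together in one script. The following Python program is an added illustration written for these notes; it is not code from the original text or from any audit package. The journal is constructed sample data, and the account names, the 1% interest rate and the 5,000 selection threshold are assumptions made for the example.

```python
"""Generalised-audit-software style CAAT checks over a constructed journal,
as an added illustration for these notes (not code from the original text
or from any audit package). The journal is constructed so that the trial
balance tallies even though it contains a duplicated posting and a
system-generated entry whose amount does not agree with recalculation."""
from collections import defaultdict
from decimal import Decimal

# Constructed journal: (id, date, debit account, credit account, amount,
# source, reference). Entries with source 'system' were generated by a
# program and have no input document behind them.
JOURNAL = [
    ("J1", "2013-04-01", "Debtors", "Sales", Decimal("1000.00"), "input", "INV-101"),
    ("J2", "2013-04-02", "Debtors", "Sales", Decimal("7500.00"), "input", "INV-102"),
    ("J3", "2013-04-02", "Debtors", "Sales", Decimal("7500.00"), "input", "INV-102"),
    ("J4", "2013-04-03", "Bank", "Debtors", Decimal("1000.00"), "input", "RCT-55"),
    ("J5", "2013-04-30", "Debtors", "Interest income", Decimal("180.00"), "system", ""),
]

def trial_balance(journal):
    """Net balance per account (debit positive) and whether debits equal
    credits. Double entry makes this tally whatever else is wrong."""
    bal = defaultdict(Decimal)
    for _, _, dr, cr, amt, _, _ in journal:
        bal[dr] += amt
        bal[cr] -= amt
    return dict(bal), sum(bal.values()) == 0

def duplicate_postings(journal):
    """Examination of records on the auditor's criterion: the same accounts,
    amount and reference posted more than once."""
    first, dups = {}, []
    for e in journal:
        key = (e[2], e[3], e[4], e[6])
        if key in first:
            dups.append((first[key], e[0]))
        else:
            first[key] = e[0]
    return dups

def extract_over(journal, threshold):
    """Selection of items above a value for vouching to source documents."""
    return [e[0] for e in journal if e[4] > threshold]

def reperform_interest(journal, rate):
    """Recalculate program-generated interest on the debtor balance before
    interest and list system entries that differ from the recalculation.
    The recalculation rests on the ledger as it stands, so a duplicated
    sale also inflates the base; the duplicate check above is separate."""
    base = Decimal(0)
    for e in journal:
        if e[5] == "system":
            continue
        if e[2] == "Debtors":
            base += e[4]
        if e[3] == "Debtors":
            base -= e[4]
    expected = (base * rate).quantize(Decimal("0.01"))
    return [(e[0], e[4], expected)
            for e in journal if e[5] == "system" and e[4] != expected]

def audit_trail(journal, account):
    """Relate an account's balance back to every entry that produced it
    (the one-to-one trail) and single out system-generated entries, whose
    authorisation is not evidenced by any input document."""
    trail = [e[0] for e in journal if account in (e[2], e[3])]
    undocumented = [e[0] for e in journal
                    if account in (e[2], e[3]) and e[5] == "system"]
    return trail, undocumented

def run_caats(journal=JOURNAL):
    """Run each GAS-style check and collect the exceptions for the auditor."""
    balances, tallies = trial_balance(journal)
    return {
        "tallies": tallies,
        "debtors": balances["Debtors"],
        "duplicates": duplicate_postings(journal),
        "large_items": extract_over(journal, Decimal("5000.00")),
        "interest_exceptions": reperform_interest(journal, Decimal("0.01")),
        "debtors_trail": audit_trail(journal, "Debtors"),
    }

if __name__ == "__main__":
    for key, value in run_caats().items():
        print(f"{key}: {value}")
```

The trial balance tallies, as the answer in 10.9 says it always will under double entry, yet the same data shows invoice INV-102 posted twice (J2 and J3), both large items selected for vouching, the system-generated interest entry J5 differing from the auditor's recalculation, and J5 standing on the debtors trail with no input document behind it. None of this is visible from the tallied trial balance alone; it is the kind of evidence the auditor must obtain by interrogating the files directly.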