Internal Control and the Computerised Information System (CIS) Environment. CA A. Rafeq, FCA

Transcription

1 Internal Control and the Computerised Information System (CIS) Environment CA A. Rafeq, FCA 1

2 Agenda 1. Internal Controls and CIS Environment 2. Planning audit of CIS environment 3. Design and procedural aspects of CIS environment 4. Internal controls in CIS Environment 5. CIS Application Controls 6. Approaches to Audit in CIS Environment 7. Using CAATs 2

3 Reference Material Study material Revision Test paper Suggested answer and compilation Questions from IPCC exam 3

4 1. INTERNAL CONTROLS AND CIS ENVIRONMENT 4

5 Principal objectives of audit Ensure that accounts on auditor is reporting show a true and fair view of: State of affairs at a given date Results for the period ended on that date 5

6 Essential features of audit - 1 a) Evaluation to ascertain whether system of accounting and internal control are: Appropriate for the business and Properly record all transactions. b) Making of such tests and enquires to determine whether the systems are being operated correctly 6

7 Essential features of audit - 2 c) Examination of the accounts to verify: (i) The title, existence and value of the assets appearing in the balance sheet and to verify that all liabilities are correctly included therein; (ii) That the results shown by the profit and loss account are fairly stated; Ensure that such accounts are as per the underlying records and comply with appropriate statutory requirements. 7

8 Impact of Computers on controls Objectives and scope of audit does not change in CIS Environment. Use of computer changes the processing and storage of financial information May affect the organisation and procedures in terms of way internal controls. 8

9 Impact of CIS on audit procedures Procedures followed in study and evaluation of accounting system and related internal controls Nature, timing and extent of audit procedures 9

10 Auditing in a CIS Environment Relevant IT Skills and Competence Work Performed by Others Planning Accounting System and Internal Control Audit Evidence 10

11 What is Internal Control System? Policies and procedures Orderly and efficient conduct of business Adopted by management Assist in achieving management's objective 11

12 Controls Policies, Procedures, Practices and organisation structure Designed to provide reasonable assurance Business objectives are achieved Undesired events are prevented or detected and corrected

13 Objective of Internal Controls Adherence to management policies Safeguarding of assets Prevention and detection of fraud and error Accuracy and completeness of accounting records, Timely preparation of reliable financial information. Role of internal audit function 13

14 Accounting System and Internal Control Management responsibility Internal controls normally contribute to such assurance. Auditor to provide assurance 14

15 Auditors and CIS Internal Controls Obtain understanding Arrive at conclusion Test Controls Examine the results Evaluate controls 15

16 Auditors: Understanding of internal controls Auditor should gain understanding of accounting system and related internal controls Study and evaluate the operation of those internal controls Internal controls are reliable, substantive procedures would be less extensive 16

17 Auditors: Testing of Controls in CIS environment Tests of control do not change from those in a manual environment but some audit procedures may change. Auditor may use CAATs as required. Use of CAATs such as file interrogation tools or audit test data, may be appropriate there is no visible evidence documenting the performance of internal controls. 17

18 2. PLANNING AUDIT OF CIS ENVIRONMENT 18

19 Audit Planning in a CIS environment-1 Auditor should gather information about the CIS environment that is relevant to the audit plan, including information as to: How the CIS function is organized and the extent of concentration or distribution of computer processing throughout the entity. Computer hardware and software used. Each significant application processed by the computer, the nature of processing (e.g. batch, on line) and data retention policies. 19

20 Audit Planning in a CIS environment-2 Planned implementation of new applications or revisions to existing applications. When considering his overall plan the auditor should consider matters, such as: Determining the degree of reliance, if any, he expects to be able to place on the CIS controls in his overall evaluation of internal control. Planning how, where and when the CIS function will be reviewed including scheduling the works of CIS experts, as applicable. Planning auditing procedures using CAATs 20

21 Auditors reliance on CIS Controls Auditor should acquire knowledge of accounting system to gain understanding of the overall control environment and the flow of transactions. If relying on internal controls, auditor has to consider: Manual and computer controls affecting the CIS function (general CIS) Controls Specific controls over the relevant accounting li ti (CIS A li ti t l ) 21

22 Audit Evidence: Testing and review Effectiveness and efficiency of auditing procedures may be improved through the use of CAATs in obtaining and evaluating audit evidence, for example: (i) (ii) Some transactions may be tested more effectively for a similar level of cost by using the computer to examine all or a greater number of transactions than would otherwise be selected. In applying analytical review procedures, transactions or balance details may be reviewed and reports printed of unusual items more efficiently by using the computer than by manual methods. 22

23 When does usage of CAATs becomes necessary? A CIS environment may affect the application of compliance and substantive procedures in several ways. The absence of input documents (e.g. order entry in on line systems) or the generation of accounting transactions by computer programs(e.g. automatic calculation of discounts) may preclude the auditor from examining documents evidence. The lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system. The lack of visible output may necessitate access to data retained on files readable only the computer 23

24 Organizational Structure in CIS Environment Entity will establish an organizational structure and procedures to manage the CIS activities. Key characteristics of a CIS organizational structure: a. Concentration of functions and knowledge b. Concentration of programs and data 24

25 Use of computer in data processing Design of systems that provide less visible evidence than those using manual procedures Systems may be accessible by a large number of persons. 25

26 System Characteristics of CIS Processing a. Absence of input documents b. Lack of visible transaction trail c. Lack of visible output d. Ease of access to data/programs 26

27 Question: Objectives and scope of audit in EDP environment Comment on the overall objectives and scope of an audit does not change an EDP environment. 27

28 Answer: Objective and scope of audit in CIS do not change - 1 Principal objective of an audit of financial statements, prepared within a framework of recognised accounting policies and practices and relevant statutory requirements, if any, so to ensure that the financial statements reflect a true and fair view. Scope of an audit of financial statements is determined by the auditor having regard to the terms of the engagement, the requirements of relevant legislation and the pronouncements of the institute. Involves assessment of reliability and sufficiency of the information contained in the accounting records and other source data by study and evaluation of accounting system and internal controls in operations. 28

29 Answer: Objective and scope of audit in CIS do not change - 2 Overall objective and scope of an audit does not change in EDP environment but the use of a computer changes the processing and storage of financial information and may affect the organisation and procedures employed by the entity to achieve adequate internal control. Procedures followed by the auditor is his study and evaluation of the accounting system and related internal controls and nature, timing and extent of his other audit procedures may be affected by an EDP environment. Computerisation of accounts would also have an impact on the increase in fraud and errors. 29

30 Answer: Objective and scope of audit in CIS do not change - 3 When auditing in an EDP environment, the auditor should have sufficient understanding of computer hardware, software and processing systems to plan the engagement and to understand how EDP affects the study and evaluation of internal control and application of auditing procedures including computer assisted audit techniques. Auditor should also have sufficient knowledge of EDP to implement the auditing procedures, depending on the particular audit approach adopted. Overall objectives and scope of audits does not change irrespective of fact that whether the accounting information is generated manually or through EDP 30

31 Question: Audit objectives in CIS State with reasons (in short) whether the following statements is true or false. The overall objectives of audit changes in Computer Information Systems(CIS) environment. 31

32 Answer False: Overall objectives of audit does not change in Computer Information System (CIS) environment. But the use of computer changes the processing and storage, retrieval and communication of financial information 32

33 Question: Audit in EDP environment is simpler Doing an audit in an EDP environment is simpler since the trial balance always tallies. Analyse critically? 33

34 Answer: Trial balance in CIS always tallies - 1 It is true that in EDP environment in trial balance always tallies, the same can not imply that the job of an auditor becomes simpler. There can still be some accounting errors like Omission of certain entries, Compensating errors, Duplication of entries, Errors of commission in the form of wrong A/c head is posted., Possibility of Windows Dressing Creation of Secret Reserves At Present, due to complex business environment the importance of trial balance canot be judged only upon the arithmetic accuracy but the nature of transactions recorded in the books and which appear in the trial balance should be reviewed. 34

35 Answer: Trial balance in CIS always tallies - 2 Emergence of new forms of financial instruments like options and futures, derivatives, off balance sheet financing etc. have given rise to further complexities in recording and disclosures of transactions. In an audit, beside the tallying of a trial balance, there are also other issue like estimation of provision for depreciation, valuation of inventories, obtaining audit evidence, ensuring compliance procedure and carrying out substantive procedure, verification of assets & liabilities their valuation etc., which still requires judgement to be excised by the auditor 35

36 Answer: Trial balance in CIS always tallies - 3 Responsibility of expressing an audit opinion and objectives of an audit are not changed in the audit in EDP environment. Simply because of EDP environment and the trial balance has tallied, it does not mean that the audit would become simpler 36

37 3. DESIGN AND PROCEDURAL ASPECTS OF CIS ENVIRONMENT 37

38 Question: Design and Procedural aspects in CIS In a CIS environment, what are the different Design and Procedural aspects, which are different from those found in Manual systems? 38

39 Answer: Design and procedural aspects of systems - 1 i. Consistency of performance CIS systems performed functions are more reliable provided that all transactions types and conditions that could occur are anticipated and incorporated into the system. ii. Programme control procedures These procedures can be designed to provide controls with limited visibility. iii. Single transactions update of multiple or data base computer file A single input into the accounting system may automatically update all records associated with the transaction. 39

40 Answer: Design and procedural aspects of systems - 2 iv. Systems generated transactions: Certain transactions may be initiated by the CIS system itself without the need for an input documents. E.g. Interest may be calculated and changed automatically to customer s account balances. v. Vulnerability of data and audit programme storage media: Large volume of data may be stored on portable of fixed storage media, such as magnetic disks and tapes 40

41 Question: Design and procedural aspects of EDP systems What are the different design and procedural aspects of EDP systems? 41

42 Answer: Different design and procedural aspects of EDP systems i. Consistency of Performance ii. iii. iv. Programmed Control Procedures Single Transaction Update of Multiple or Database Files Systems Generated Transactions v. Vulnerability of Data and Programme Storage Media 42

43 i. Consistency of Performance EDP systems perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction type and conditions that could occur are anticipated and incorporated into the system. 43

44 ii. Programmed Control Procedures The nature of computer processing allows the designed of internal control procedures in computer programs. These procedures can be designed to provide control with limited visibility(e.g., protection of data against unauthorized access may be provided by passwords). Other procedures can be designed for use with manual intervention, such as review of reports printed for exception and error reporting, and reasonableness and limit checks of data. 44

45 iii. Single Transaction Update of Multiple or Database Files A single input to the accounting system may automatically update all records associated with the transaction Example: shipment of goods documents may update the sales and customers accounts receivable files as well as the inventory file) An erroneously entry in such a system may create errors in various financial accounts. 45

46 iv. Systems Generated Transactions Certain transactions may be initiated by the EDP system itself without the need for an input document. The authorization of such transactions may neither be supported by visible input documentation nor documented in the same way as transactions which are initiated outside the EDP system(example: interest may be calculated and charged automatically to customer s account balances on the basis of pre authorization terms contained in a computer program.) 46

47 v. Vulnerability of Data and Programme Storage Media Large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic discs and tapes. These media are vulnerable to theft, or intentional or accidental destruction. 47

48 4. INTERNAL CONTROLS IN CIS ENVIRONMENT 48

49 Question: Internal controls in EDP Explain the internal controls in an EDP Environment. 49

50 Answer: Internal controls in an EDP Environment The internal controls over computer processing, which help to achieve the overall objectives of internal control, include both manual procedures and procedures designed into computer programmes. Such manual and computer controls affect: 1. EDP environment (general EDP controls) and 2. Specific controls over accounting applications(edp application controls) 50

51 1. Purpose of General EDP Controls Establish a framework of overall control over the EDP activities Provide a reasonable level of assurance that the overall objectives of internal control are achieved. 51

52 Types of General EDP Controls a. Organisation and management controls b. Application systems development and maintenance controls c. Computer operation controls d. Systems software controls e. Data entry and program control 52

53 a. Organisation and management controls Designed to establish an organisational framework over EDP activities: (i) Policies and procedures relating to control functions; (ii) Appropriate segregation of incompatible functions. 53

54 b. Application systems development and maintenance controls Designed to establish control over: (i) Testing, conversion, implementation and documentation of new or revised systems. (ii) Changes to application systems. (iii) Access to system documentation (iv) Acquisition of application systems from third parties 54

55 c. Computer operation controls Designed to control the operation of the system and to provide reasonable assurance that: (i) The system are used for authorised purposes only. (ii) Access to computer operation is restricted to authorised personnel. (iii) Only authorized programs are used. (iv) Processing errors controls are detected and corrected. 55

56 d. Systems software controls (i) Authorisation, approval, testing, implementation and documentation of new systems software and systems software modification. (ii) Restriction of access to systems software and documentation to authorised personnel. 56

57 e. Data entry and program control Designed to provide reasonable assurance that: (i)an authorisation structure is established over transactions being entered into the system. (ii)access to data and programs is restricted to authorised personnel. (iii)offsite back up of data and computer programmes (iv)recovery procedures for use in event of theft, loss or intentional or accidental destruction. (v)provision for offsite processing in the event of disaster. 57

58 5. CIS APPLICATION CONTROLS 58

59 Purpose of CIS Application Controls Establish specific control procedures over accounting application to provide reasonable assurance that all transactions are: 1. Authorized and recorded 2. Processed completely, accurately and on a timely basis. 59

60 Types of CIS Application Controls A. Controls over the input C. Controls over output B. Controls over processing and computer data files 60

61 A. Controls over input Designed to provide reasonable assurance that: Transactions are properly authorized before being processed by computer. Transactions are accurately converted into machine readable form and recorded in computer data files. Transactions are not lost, added, duplicated or improperly changed. Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis. 61

62 B. Controls over processing and computer data files Transactions, including system generated transactions, are properly processed by the computer. Transactions are not lost, added, duplicate or improperly changed. Processing errors are identified and corrected on a timely basis. Designed to provide reasonable assurance 62

63 C. Controls over output Results of processing are accurate Designed to provide reasonable assurance Output is provided to appropriate authorized personnel on a timely basis Access to output is restricted to authorized personnel. 63

64 Question: Input controls in CIS (a) State any four important elements of input control in processing of data in a computerised accounting system. 64

65 Answer: Input controls in CIS - 1 i. Input to computer should be authorized. ii. Authorization levels should be checked. iii. Authorization is effected by levels of access to entry for computer system. iv. Access control is operated through use of password and logging procedures. 65

66 Answer: Input controls in CIS - 2 i. System should devise controls to check data input are accurate. ii. Input documents should be reviewed and verified by another person after preparation. iii. Transaction should be accurately converted into machine readable language and recorded in a computer data file 66

67 Answer: Input controls in CIS - 3 i. The transactions are not lost, duplicated, or changed without authorization. ii. iii. iv. There should be validity and cross reference checks, inbuilt in the system to throw light on errors which appear in the process of feeding input. Incorrect transactions are thrown out by a list which must be corrected, resubmitted before the process could run on the inputs The check digit total of financial information contained in the document or hash total may be used to act as a control tool. v. The serial control may be used in inputting data that are to follow serial sequence. Any deviation in serial sequence will have to be automatically signalled out. 67

68 Question: Reliability of internal control system in CIS How would you assess the reliability of internal control system in computerised information systems? 68

69 Answer: Evaluating reliability of internal control system in CIS - 1 The auditor would consider the following: i. Authorised, correct and complete data is made available for processing ii. Provides for timely detection and corrections of errors 69

70 Answer: Evaluating reliability of internal control system in CIS - 2 iii. In case of interruption due to mechanical, power of processing failures, the system a. Ensures accuracy and completeness of output. b. Provides security to application software's & data files against fraud etc. c. Prevents unauthorised amendments to programs 70

71 6. APPROACHES TO AUDITING IN A CIS ENVIRONMENT 71

72 Audit approaches in CIS environment Audit around the computer Audit through the computer 72

73 Auditing around the Computer 1. System logic is straightforward and there are no special routines resulting from the use of the computer to process data. 2. Input transactions are batched and control can be maintained through the normal methods, for example, separation of duties and management supervision. 3. Processing primarily consists of sorting the input data and updating themaster file 73

74 Auditing through the Computer The auditor can use the computer to test: (a) The logic and controls existing within the system and (b) The records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor. 74

75 Auditing through the Computer 1. Application system processes large volumes of input and produce large volume of output that make extensive direct examination of the validity of input and output difficult. 2. Significant parts of the internal control system are embodied in the computer system. 3. Logic of the system is complex and there are large portions that facilitate use of the system or efficient processing. 4. Substantial gaps in the visible audit trail. 75

76 Question: Approaches to EDP auditing Explain briefly the approaches to EDP auditing? State clearly the circumstances where Auditing through the Computer approach must be used. 76

77 Answer: Approaches to EDP Auditing Computerisation of accounts does not affect the basic objective of auditing. However, the auditor would need to modify his audit procedures approach and technical capabilities so as to be able to form an opinion on the accounts processed in a computerised environment. The auditor must plan whether or not to use the computer. The two approaches are commonly called: Auditing around the computer Auditing through the computer. 77

78 Audit around the Computer Auditor views the computer as a black box Audit around the computer involves forming of an audit opinion wherein the existence of computer is not taken into account. Principle of conventional audit like examination of internal controls and substantive testing is done. 78

79 Auditing around computer (i) The system is simple and uses generalised software that is well tested and widely used. (ii) Processing mainly consists of sorting the input data and updating the master file in sequence. (iii) Audit trail is clear. Detailed reports are prepared at key processing points within the system. (iv) Control over input transactions can be maintained through normal methods, i.e. separation of duties, and management supervision. 79

80 Auditing a GAS* environment - 1 GAS like payroll and provident fund package, accounts receivable and payable, etc. are available developed by software vendors. Auditor may decide not to go in details of the processing aspects, if there are well tested widely used packages provided by a regulated vendor. Ensure that there are adequate controls to prevent unauthorised modifications of the package. *Generalized Accounting software (GAS) 80

81 Auditing a GAS environment - 2 All such generalised packages do not make system amenable to audit. Some software packages provide generalised functions that still must be selected and combined to achieve the required application system. In such a case, instead of simply examining the systems input and output, the auditor must check the system in depth to satisfy him about such system. 81

82 Auditing through the Computer Sophistication of computers have finally reached the point where auditors can no longer audit around the computer but have to audit through it. Auditing through the computer requires that auditor submits data to the computer for processing. Results are then analysed for the processing reliability and accuracy of the computer programme. 82

83 Advantages of Audit through the computer Auditor has increased power to effectively test to computer system. Range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system s processing, auditor also can access the systems' ability to cope with environment change. 83

84 Impact of Technical and other developments On-line data entry Elimination or reduction of print-outs Real time files up dating Complexity 84

85 Using Computer for performing audit tests a. The logic and controls existing within the system; and b. The records produced by the system 85

86 Disadvantages of auditing around the computer Not beneficial for complex systems, of large scale in very large multi unit, multi locational companies, having various inter unit transactions. It can be used only in case of small organisations having simple operations. Difficult for auditor to assess degradation in the system in case of change in environment, and whether the system can cope with a change environment. 86

87 Dis-advantages of Audit through the computer Generally high costs and need for extensive technical expertise when systems are complex. At times, auditing through the computer is the only viable method of carrying out the audit Auditing through computer requires knowledge of using test data and computer software to check logic, processing and results. 87

88 7. USING CAATS 88

89 What are CAATs? CAATs are computer programs and data that the auditor uses as part of the audit procedures to process data of audit significance, contained in an entity's information systems. Important tools for auditor in performing audits. Used in performing various auditing procedures CAATs allow the auditor to: Gain access to data without dependence on the client Test reliability of client software, and Perform audit tests more efficiently 89

90 Why to use CAATs? During course of audit, auditor is to obtain: Sufficient, relevant and useful evidence to achieve the audit objectives effectively Audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence Today's information processing environments pose a stiff challenge to auditor to collect sufficient, relevant and useful evidences since the evidence exists on magnetic media and can only be examined using CAATs With systems having different hardware and software environments, different data structure, record formats, processing functions, etc, it is almost impossible for the auditors to collect evidence without a software tool to collect and analyze the records 90

91 Where can CAATs be used? Tests of details of transactions \ balances Example: Use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records; Tests of general controls Example: Testing set up or configuration of operating system or access procedures to program libraries or by using code comparison software to check that version of the program in use is version approved by management Tests of application controls Example: Testing functioning of a programmed control 91

92 Specific examples of using CAATs Analytical procedures Example: Identifying inconsistencies or significant fluctuations Sampling programs to extract data for audit testing Example: identifying specific invoices for vouching based on random sample/value Re performing calculations performed by the entity s accounting systems Example: Re computation of Income tax, interest, balancing 92

93 Question: Audit Trail and CAATs Briefly state the special audit techniques using the computer as an audit tool. 93

94 Answer: Computer as audit tool i. Input documents may be non existent where sales orders are entered online.in addition, accounting transactions such as discounts and interest calculations may be generated by computer programmed with no visible authorization of individual transactions. ii. iii. The system may not produce a visible audit trail of transactions processed through the computer. Delivery notes and suppliers invoices may be matched by a computer programme. In addition, programmed control procedure such as checking customer credit limits, may provide visible evidence only on an exception basis. In such cases, there may be no visible evidence that all transactions have been processed. Output reports may not be produced by system or a printed report may only contain summary totals while supporting are retained in computer files 94

95 Special audit techniques In absence of audit trail, auditor needs assurance that the programmes are functioning correctly in respect of specific items by using special audit techniques. Absence of input documents or the lack of visible audit trail may require the use of CAATs i.e. using computer as an audit tool. 95

96 Answer: CAAT The auditor can use the computer to test: The logic and controls existing within the system The records produced by the system. Depending upon complexity of application system being audited, the approach may be fairly simple or require extensive technical competence by auditor. 96

97 Answer: CAAT Effectiveness and efficiency of auditing procedure may be enhanced through the use of CAATs. Two Common types of CAATs: 1. Test pack or test data and 2. Audit software or computer audit programmes. 97

98 Question: CAAT and Audit evidence Why are computer assisted audit techniques (CAAT) needed in a Computer Information Systems (CIS) environment and how it helps the auditor in obtaining and evaluating audit evidences? 98

99 Answer: Using CAAT in CIS environment Absence of input documents Example: order entry in on line systems or the generation of accounting transactions by computer programs Example: automatic calculation of discounts may preclude the auditor from examining documentary evidence. Lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system. Lack of visible output may necessitate access to data retained on files readable only by the computer. 99

100 Answer: Using CAAT for audit evidence The effectiveness and efficiency of auditing procedures may be improved through the use of computer assisted audit techniques in obtaining and evaluating audit evidence, for example (i) Some transactions may be tested more effectively for a similar level of cost by using computer to examine all or a greater number of transactions than would otherwise be selected. (ii) In applying analytical review procedures, transactions or balance details may be reviewed and reported printed by unusual items more efficiency by using the computer than by manual methods. 100

101 Question: CAAT in EDP Audit and advantages of CAATs Why are Computer Aided Audit Techniques (CAAT) required in EDP audit? What are the advantages of CAATs? 101

102 Answer: CAAT Use of computers may result in the design of systems that provides less visible evidence than those using manual procedures. CAATs are such techniques applied through the computer which are used in the verifying the data being processed by it. Systems characteristics resulting from the nature of EDP processing that demand the use of Computer Aided Audit Techniques(CAAT) 102

103 Systems characteristics for using CAAT i. Absence of input documents ii. Lack of visible transaction trail iii. Lack of visible output iv. Ease of Access to data and computer programmes 103

104 i. Absence of input documents Data may be entered directly into the computer systems without supporting documents. In on line transaction systems, written evidence of individual data entry authorization Example: credit limit approval may not be available. 104

105 ii. Lack of visible transaction trail Certain data may be maintained on computer files only. In a manual system, it is normally possible to follow a transaction through the systems by examining source document, books of account, record files and reports. In an EDP environment, however, the transaction trail may be partly in machine readable form, and it may exist only for a limited period time. 105

106 iii. Lack of visible output In a manual system, it is normally possible to examine visually the results of processing. In EDP systems, the results of processing may not be printed or only a summary data may be printed. Lack of visible output may result in the need to access data retained on machine readable files. 106

107 iv. Ease of Access to data and computer programmes Data and computer programmes may be altered at the computer or through the use of computer equipment at remote locations. In absence of appropriate controls, there is an increased potential for unauthorized access to, and allocation of data and programmes by persons inside or outside the entity. 107

108 Advantages of CAAT i. Audit effectiveness ii. Savings in time iii. Effective tests checking and examination in depth 108

109 i. Advantages of CAAT i. Audit effectiveness Effectiveness and efficiency of auditing procedures will be improved through the use of CAAT in obtaining an evaluating audit evidence, for example: (a) Some transactions may be tested more effectively for a similar level of cost by using the computer. (b) In applying analytical review procedures, transactions or balance details of unusual items may be reviewed and reports got printed more efficiently by using the computer. 109

110 Advantages of CAAT ii. Savings in time The auditor can save time by reviewing the EDP controls using CAAT than through other audit procedures. iii. Effective tests checking and examination in depth CAAT permits effective examination in depth of selected transactions since the auditor constructs the lost audit trail. 110

111 Summary 1. Internal Controls and CIS Environment 2. Planning audit of CIS environment 3. Design and procedural aspects of CIS environment 4. Internal controls in CIS Environment 5. CIS Application Controls 6. Approaches to Audit in CIS Environment 7. Using CAATs 111

112 Thank you 112