basic ideas 2 Chapter 8 Systems work:

Size: px

Start display at page:

Download "basic ideas 2 Chapter 8 Systems work:"

Tabitha Hardy
6 years ago
Views:

1 Chapter 8 Systems work: basic ideas 2

2 Learning objectives To explain the nature and role of application controls and describe the main features of these controls. To distinguish between systems-development/maintenance controls and application controls. To show how the auditor breaks down systems into components as an aid to understanding the systems. To explain how the auditor records systems in use. 2

3 Application controls The major objectives of computer applications: Data collected prior to input is genuine, accurate and complete. Data accepted by the system remains genuine, accurate and complete during processing. Data stored temporarily or permanently should be genuine accurate and complete. Output data/information is genuine, accurate and complete and goes to the intended recipient. Information/audit trail is complete. Explanation of Genuine, accurate and complete (see Table 6.2 and PowerPoint slides 6, 7 and 8 for Chapter 6). Application controls are applied at: data capture/input; processing; and output. Special controls: database and e-commerce. 3

4 Data capture/input controls Boundary controls are controls over user and system interface: cryptographic controls; plastic cards for identification; PINs; digital signatures; passwords; firewalls; and initiation of information/audit trail. Input controls in place before data passes interface: design of source documentation; design of product, customer and other codes; check digits; sequence checking; limit or reasonableness tests; one-for-one checking; and batch controls. In database systems batch controls are different in nature. Input data verified as soon as possible after entry. Two useful controls: exception reports and sound warnings of invalid data entry. 4

5 Activity 8.2 A sales clerk receives a telephone order from a customer, Harry Smith, who asks for a delivery of 100 units of a product, at a price of 5 per unit. What is particularly risky about this transaction and what procedures would be appropriate to reduce the risks to an acceptable level? 5

6 Password and related systems 1 Features of password system: degrees of access alphanumeric digits avoid passwords identified with person using secrecy regular/frequent changes shutdown of terminals if incorrect. 6

7 Password and related systems 2 Related controls: Restriction of terminals to one particular activity Records of terminals and employees accessing Restriction of use of terminals Where national telephone system used for transmitting data: numbers ex-directory private secure lines numbers restricted to identified activities call-back system encryption. 7

8 Firewalls Firewall system controlling access between internet and entity network. Intranets allow easy transfer of data between parts of the system. Extranets networks expanded to people and organizations outwith the organization may be more vulnerable to outside threats. Firewalls need authorization and identification systems. Some networks very tight intranet for use of top management or transfer of data. Others more open for some forms of communication. 8

9 Activity 8.3 Apart from recording the identity and the authenticity of the user, what other data about users and related actions should be recorded when a user initiates a transaction? 9

10 Data capture/input controls Figure

11 Data capture/input controls Organizational controls in non-data base systems (Figure 8.1): Segregation of user departments and the computer department. User department retention of control over data Formal transfers of data. Maintenance of control log Investigation of differences. Early verification of inputs. 11

12 Processing controls Controls over CPU, main memory, operating system Controls over applications Continuity in processing run-to-run controls file dumping control totals. Master files data genuine, accurate, complete. Testing of programs during development and on continuing basis. Complete and recorded information/audit trail. Control system to ensure no data lost or corrupted if system failure. Other processing controls: sequence checks limit or reasonableness tests checking calculations. 12

13 Activity 8.5 Assume that, in an entity that you are auditing, an inventory order is automatically prepared when a minimum inventory level has been reached. What kind of data would you like to see recorded in the preparation of the purchase order? 13

14 Output controls Two purposes of output controls: (1) outputs are genuine, accurate and complete; (2) outputs are distributed to those who need them. Access controls, batch control and rapid correction of errors make genuine, accurate and complete outputs more likely. The exception report is a special kind of output, important in the context of control. Users of output data and information should be trained to review the output for any obvious errors. 14

15 Database systems A database is a collection of data that is shared and used by a number of different applications for different purposes. Prime advantage provide the same data to all authorized users, but there are security and integrity problems to be solved: a) Loss of control over data by data preparation personnel. b) Excessive power in the hands of the database administrator. c) Technical features to secure safety in processing may reduce control. d) The information/audit trail is particularly important. 15

16 E-commerce Risk enhanced by the openness of the internet. There are four degrees of internet use: 1. Using the internet as a means of making information available to outsiders. 2. Exchanging information with trading partners. 3. Using the internet to transact business. 4. Full integration with business systems with direct impact on the entity s records. Auditors determine management strategy and steps to identify risks and how controlled: security risks legal and taxation matters practical business and accounting problems the internet never sleeps crisis management. 16

17 E-commerce: security risks Threats to security of data and systems: Corruption of data by viruses and hackers Threat to privacy of personal data Infringement of intellectual property rights Unwanted communication, e.g. spam Controls to reduce impact of risks: 1. Security policy 2. Firewalls 3. Private networks, such as intranets and extranets 4. Information/audit trails 5. Other security measures i. Encryption of data ii. Identification and authentication information 17

18 Legal and taxation matters ISA 250: The auditor shall obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements. The internet is international in nature must be known which legal jurisdiction applies when transactions are entered into. Also which tax jurisdiction can tax income derived from a transaction, including VAT. 18

19 E-commerce practical business and accounting problems Entity carrying on business over internet may act as principal (record as sales) or agent (record commission) examine contractual arrangements with third parties. Other accounting matters include: Cut-off Return of goods and claims under product warranties Bulk discounts and special offers Payment other than by monetary transfer Browsing Follow-through of transactions 19

20 E-commerce the internet never sleeps E-commerce systems must operate efficiently and effectively for 24 hours Staffing implications Systems robust enough to work properly over the 24-hour period Integration of systems and automatic updates of accounting records desirable. 20

21 E-commerce crisis management Systems to ensure losses minimized when things go wrong. Possible consequences of failures include loss of reputation, loss or corruption of data and information and significant reductions in positive cash flows possible going concern implications. Appropriate measures include back-up of important data, installing emergency power supplies, regular review of system quality by independent persons and regular maintenance and testing of systems in use. 21

22 Audit approaches to systems and controls Systems objectives are audit objectives. Recording accounting and control systems. 22

23 Systems objectives = audit objectives (1) The basic approach to any audit area: 1. Identify the components. 2. Identify the assertions relating to those components assertions = audit objectives, often framed as key questions. 3. Identify the inherent risks associated with each assertion. 4. Identify the controls associated with the component. 5. Estimate the level of control risk. 6. Determine the audit detection procedures necessary to reduce total audit risk to acceptable proportions. See Table 8.1 for assertions in a sales and trade receivables system. 23

24 Systems objectives are audit objectives (2) Table

25 Activity 8.11 Consider the following assertion relating to sales: The sales represent goods whose title has passed to a third party. This can be rephrased as an inherent risk: There is an inherent risk that recorded sales do not represent goods that have passed to a third party. Under what circumstances do you think that inherent risk might be high in relation to this assertion? 25

26 Systems objectives are audit objectives (3) Figure

27 Activity 8.12 Examine Figure 8.2 (on the previous slide) and identify points where there should be control actions. 27

28 Systems objectives are audit objectives (4) Figure

29 Activity 8.13 Now identify points where there should be control actions in the data flow system shown in Figure 8.3 (on the previous slide). 29

30 Recording accounting and control systems (1) Practical way to approach the work is: 1. Find out persons operating the system by enquiry. 2. Interview each person. 3. Note distribution of copies of any documents. 4. Find out what entries are made in permanent records as a result of the transactions and construct the information/audit trail. Auditors use walk-through tests to understand system, record it and to see if the entity appears to have appropriate controls in force. Auditors record systems and controls, using: Narrative description Visual description Questionnaires and checklists 30

31 Recording accounting and control systems (2) Visual description: 1. Organization charts 2. Information trail/audit trail flow chart 3. Flow charts: document flow chart data flow diagram system flow chart program flow chart. 4. Questionnaires and checklists: Internal control questionnaire (ICQ) Internal control evaluation questionnaire (ICEQ) Electronic data processing (EDP) or IT checklists In practice, a combination of narrative description, flowcharts and questionnaires and checklists will be used. Each method has its value. 31

32 Flowcharts Advantages: 1. Aids understanding of accounting/control systems. 2. To draw a flow chart properly auditor must understand how the entity controls its operations. 3. Detect strengths, weaknesses, unnecessary procedures and documents. Disadvantages: 1. Time-consuming to prepare and difficult to alter. 2. In simple systems, narrative descriptions better. 3. Considerable variation of symbols used. 4. Require experience to prepare and interpret. 5. In complex situations too simplistic. 32

33 Internal control questionnaire (ICQ) (1) ICQs record details of the system useful in recording small systems. Used to interpret the strengths and weaknesses of the system. Designed to prompt memory as to the matters of importance in the system. Indicates whether individual parts of the system are strong or weak, but requires overall conclusion. See Horton Limited cash receipts system in Figure

34 Receipts of cash system Figure

35 Internal control evaluation questionnaire (ICEQ) (2) ICEQs not used to record the system, but to evaluate it after recording by other means. Set objectives for auditors, phrased as key questions. These key questions can often only be answered by asking other questions. See Table 8.2 for key questions and suggested subsidiary questions in the sales and debtors area. Larger firms use computer-generated information on ICEQs in conjunction with expert systems. 35

36 Key and subsidiary questions in a sales system (1) Table

37 Key and subsidiary questions in a sales system (2) Table 8.2 (continued) 37

38 Key and subsidiary questions in a sales system (3) Table 8.2 (continued) 38

39 Key and subsidiary questions in a sales system (4) Table 8.2 (continued) 39

40 Key and subsidiary questions in a sales system (5) Table 8.2 (continued) 40

41 Key and subsidiary questions in a sales system (6) Table 8.2 (continued) 41

42 Electronic data processing (EDP) or IT checklists EDP or IT checklists, have been developed to help the auditor assess the quality of computer systems. See Figure 8.5. This EDP/IT checklist has been completed for general controls: development controls and organizational controls and security for Burbage Limited whose sales system is described in Case study 9.4 in Chapter 9. 42

43 EDP IT checklist of development, organizational and security controls (Burbage Limited) (1) Figure

44 EDP IT checklist of development, organizational and security controls (Burbage Limited) (2) Fig 8.5 (continued) 44

45 EDP IT checklist of development, organizational and security controls (Burbage Limited) (3) Figure 8.5 (continued) 45

46 EDP IT checklist of development, organizational and security controls (Burbage Limited) (4) Figure 8.5 (continued) 46

47 EDP IT checklist of development, organizational and security controls (Burbage Limited) (5) Figure 8.5 (continued) 47

48 EDP IT checklist of development, organizational and security controls (Burbage Limited) (6) Figure 8.5 (continued) 48

49 Figure 8.1 Interface between data preparation and computer room

50 Figure 8.2 Sales system: simplified overview chart

51 Figure 8.3 Data flow diagram: customer order system

52 Figure 8.4 Receipts of cash system

53 Figure 8.5 EDP IT checklist of development, organizational and security controls (Burbage Limited)

54 Figure 8.5 (Continued) Note 1: An S denotes strong controls: Note 2: If this checklist was on an expert system the initial evaluation might be suggested by the computer program, but would have to be reviewed manually before a final conclusion was reached

55 Figure 8.6 Computer systems flowchart for a payroll system

Retail Payment Systems Internal Control Questionnaire

Retail Payment Systems Internal Control Questionnaire Completed by: Date Completed: POLICIES AND PROCEDURES 1. Has the board of directors, consistent with its duties and responsibilities, adopted formal