Internal Control and the Computerised Information System (CIS) Environment. CA A. Rafeq, FCA

Similar documents
CHAPTER -10 CIS AUDIT

4 Internal Control. Internal control. Internal Control in CIS Environment: General CIS Controls. CIS Application Controls.

ACCA Certified Accounting Technician Examination Paper T8 (INT) Implementing Audit Procedures (International Stream)

STATEMENT OF AUDITING STANDARDS 500 AUDIT EVIDENCE

Auditing Standards and Practices Council

Scope of this SA Effective Date Objective Definitions Sufficient Appropriate Audit Evidence... 6

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 500

INTERNATIONAL STANDARD ON AUDITING 500 AUDIT EVIDENCE CONTENTS

IAASB CAG Public Session (March 2018) CONFORMING AND CONSEQUENTIAL AMENDMENTS ARISING FROM DRAFT PROPOSED ISA 540 (REVISED) 1

IAASB Main Agenda (March 2019) Agenda Item

Article: Auditing in a computer environment July 2015 Article by Paul Lydon, BA, CPA, MBS (Hons), PGCLTHE, FHEA - Current Examiner in P1 Auditing

Audit Evidence. SSA 500, Audit Evidence superseded the SSA of the same title in September 2009.

International Standard on Auditing (Ireland) 500 Audit Evidence

Audit Evidence. ISA 500 Issued December International Standard on Auditing

International Auditing and Assurance Standards Board ISA 500. April International Standard on Auditing. Audit Evidence

evidence explained Chapter 6 The search for

The Auditor s Responses to Assessed Risks

SUGGESTED SOLUTIONS Audit and Assurance. Certificate in Accounting and Business II Examination March 2014

International Standard on Auditing (UK and Ireland) 500

Internal Controls and Sampling Tests

AUDIT TECHNIQUES---SA 500

Seminar Internal Control Identification and Filtering

UNIVERSITY OF TOLEDO INTERNAL AUDIT BILL THE CUSTOMER

Audit Evidence. HKSA 500 Issued July 2009; revised July 2010, May 2013, February 2015, August 2015, June 2017

THE AUDITOR S RESPONSES TO ASSESSED RISKS SRI LANKA AUDITING STANDARD 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

computer-assisted Chapter 10 Substantive testing, audit techniques and audit programmes

ISA 500. Issued March 2009; updated June International Standard on Auditing. Audit Evidence

Due: Tuesday, May 1, 2007 by 5:45 p.m.

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

CHAPTER 9 TESTS OF CONTROLS

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

FOUNDATIONS IN ACCOUNTANCY Paper FAU (UK) Foundations in Audit (United Kingdom)

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

Auditing Standards and Practices Council


Detailed competency map

IAASB Main Agenda (June 2008) Page Agenda Item

CHAMBER OF TAX CONSULTANT S STUDENT COMMITTEE. Presentation on

INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS

Using Data Analytics in Audits

Analytical Procedures

AUDITING (PART-11) (UNIT-II) ROUTINE CHECKING AND TEST CHECKING (PART-4)

AT Assertions, Audit Procedures and Audit Evidence Red Sirug Page 1

covered member immediate family impaired not a covered member close relative not impaired

Chapter 8 Analytical Procedures

Audit Sampling and Other Means of Testing

QUESTION TWO Write brief explanation notes on each of the following terms:

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT MANAGE FIXED ASSETS

Lecture Notes Internal Controls

Special Audit Techniques. CA Final Paper 3: Advanced Auditing & Professional Ethics Chapter 5 CA Arijit Chakraborty

Financial Statement Close Process

Characteristics of Audit Sampling 7

De Coding IFC. 30 th December 2015 ICAI Baroda Branch

evaluation of Chapter 9 Testing and systems

Presenter: CPA CATHERINE MUEMA

2.3 Controls in a computerised environment General controls Application controls

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 520

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Audit Workshop Part 2 12 December 2009

A REVIEW OF MODERN APPROACH TO COMPUTER AUDITING

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF SELECTIVE TESTING PROCEDURES CONTENTS

Auditing and Assurance Standards Council

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

ISA 520 Proposed SAS AU Section 329 Comments

6 Assessment of risk Introduction General risk assessment Specific risk assessment Reliability factors 50 6.

Institute of Chartered Accountants of India. Standards on Auditing

Audit evidence. chapter. Chapter learning objectives. When you have completed this chapter you will be able to:

NEPAL STANDARDS ON AUDITING AUDIT SAMPLING AND OTHER SELECTIVE TESTING PROCEDURES

INDIAN SCHOOL MUSCAT DEPARTMENT OF COMMERCE & HUMANITIES CLASS :11 ACCOUNTANCY

Audit Evidence This section is effective for audits of financial statements for periods ending on or after December 15, 2012.

The most commonly applied model for designing and auditing internal

IAASB Main Agenda (February 2007) Page Agenda Item

CHAPTER 10: SUBSTANTIVE TESTS OF TRANSACTIONS AND BALANCES

SUGGESTED SOLUTIONS/ ANSWERS EXTRA ATTEMPT EXAMINATIONS, MAY of 11 AUDIT & ASSURANCE [P2] PROFESSIONAL LEVEL

Chapter 13: The Expenditure Cycle

Overview of Internal Control. Course #6015B/QAS6015B Course Material

Implementation Tool for Auditors

AUDIT FIELD WORK Laws and Regulations. Presenter: Errol Gardner

Business Requirements Definitions

NOVEMBER 2013 EXAMINATION DATE: 13 NOVEMBER 2013 DURATION: 3 HOURS PASS MARK: 40% (BUS-IA2)

Auditing Standards and Practices Council

SA 402(REVISED) AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a AUDITING THEORY AUDIT PLANNING

Audit Strategy, Planning and Programming

New cycles...same story

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

The use of CAATS in Auditing Application Controls. Institute Of Internal Auditors Zambia/ISACA Zambia Chapter, 28 August 2014 Tricha Simon

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

Paper FAU (UK) Foundations in Audit (United Kingdom) FOUNDATIONS IN ACCOUNTANCY. Monday 18 June 2012

SCA Standard on Cost Auditing Audit Sampling

COMPUTERISED SYSTEMS

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT PURCHASE CAPITAL GOODS

Computerised Systems. Alfred Hunt Inspector. Wholesale Distribution Information Day, 28 th September Date Insert on Master Slide.

POLICY & PROCEDURES MEMORANDUM

Corporate Background and Experience: Financial Soundness: Project Staffing and Organization

Transcription:

Internal Control and the Computerised Information System (CIS) Environment CA A. Rafeq, FCA 1

Agenda 1. Internal Controls and CIS Environment 2. Planning audit of CIS environment 3. Design and procedural aspects of CIS environment 4. Internal controls in CIS Environment 5. CIS Application Controls 6. Approaches to Audit in CIS Environment 7. Using CAATs 2

Reference Material Study material Revision Test paper Suggested answer and compilation Questions from IPCC exam 3

1. INTERNAL CONTROLS AND CIS ENVIRONMENT 4

Principal objectives of audit Ensure that accounts on auditor is reporting show a true and fair view of: State of affairs at a given date Results for the period ended on that date 5

Essential features of audit - 1 a) Evaluation to ascertain whether system of accounting and internal control are: Appropriate for the business and Properly record all transactions. b) Making of such tests and enquires to determine whether the systems are being operated correctly 6

Essential features of audit - 2 c) Examination of the accounts to verify: (i) The title, existence and value of the assets appearing in the balance sheet and to verify that all liabilities are correctly included therein; (ii) That the results shown by the profit and loss account are fairly stated; Ensure that such accounts are as per the underlying records and comply with appropriate statutory requirements. 7

Impact of Computers on controls Objectives and scope of audit does not change in CIS Environment. Use of computer changes the processing and storage of financial information May affect the organisation and procedures in terms of way internal controls. 8

Impact of CIS on audit procedures Procedures followed in study and evaluation of accounting system and related internal controls Nature, timing and extent of audit procedures 9

Auditing in a CIS Environment Relevant IT Skills and Competence Work Performed by Others Planning Accounting System and Internal Control Audit Evidence 10

What is Internal Control System? Policies and procedures Orderly and efficient conduct of business Adopted by management Assist in achieving management's objective 11

Controls Policies, Procedures, Practices and organisation structure Designed to provide reasonable assurance Business objectives are achieved Undesired events are prevented or detected and corrected

Objective of Internal Controls Adherence to management policies Safeguarding of assets Prevention and detection of fraud and error Accuracy and completeness of accounting records, Timely preparation of reliable financial information. Role of internal audit function 13

Accounting System and Internal Control Management responsibility Internal controls normally contribute to such assurance. Auditor to provide assurance 14

Auditors and CIS Internal Controls Obtain understanding Arrive at conclusion Test Controls Examine the results Evaluate controls 15

Auditors: Understanding of internal controls Auditor should gain understanding of accounting system and related internal controls Study and evaluate the operation of those internal controls Internal controls are reliable, substantive procedures would be less extensive 16

Auditors: Testing of Controls in CIS environment Tests of control do not change from those in a manual environment but some audit procedures may change. Auditor may use CAATs as required. Use of CAATs such as file interrogation tools or audit test data, may be appropriate there is no visible evidence documenting the performance of internal controls. 17

2. PLANNING AUDIT OF CIS ENVIRONMENT 18

Audit Planning in a CIS environment-1 Auditor should gather information about the CIS environment that is relevant to the audit plan, including information as to: How the CIS function is organized and the extent of concentration or distribution of computer processing throughout the entity. Computer hardware and software used. Each significant application processed by the computer, the nature of processing (e.g. batch, on line) and data retention policies. 19

Audit Planning in a CIS environment-2 Planned implementation of new applications or revisions to existing applications. When considering his overall plan the auditor should consider matters, such as: Determining the degree of reliance, if any, he expects to be able to place on the CIS controls in his overall evaluation of internal control. Planning how, where and when the CIS function will be reviewed including scheduling the works of CIS experts, as applicable. Planning auditing procedures using CAATs 20

Auditors reliance on CIS Controls Auditor should acquire knowledge of accounting system to gain understanding of the overall control environment and the flow of transactions. If relying on internal controls, auditor has to consider: Manual and computer controls affecting the CIS function (general CIS) Controls Specific controls over the relevant accounting li ti (CIS A li ti t l ) 21

Audit Evidence: Testing and review Effectiveness and efficiency of auditing procedures may be improved through the use of CAATs in obtaining and evaluating audit evidence, for example: (i) (ii) Some transactions may be tested more effectively for a similar level of cost by using the computer to examine all or a greater number of transactions than would otherwise be selected. In applying analytical review procedures, transactions or balance details may be reviewed and reports printed of unusual items more efficiently by using the computer than by manual methods. 22

When does usage of CAATs becomes necessary? A CIS environment may affect the application of compliance and substantive procedures in several ways. The absence of input documents (e.g. order entry in on line systems) or the generation of accounting transactions by computer programs(e.g. automatic calculation of discounts) may preclude the auditor from examining documents evidence. The lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system. The lack of visible output may necessitate access to data retained on files readable only the computer 23

Organizational Structure in CIS Environment Entity will establish an organizational structure and procedures to manage the CIS activities. Key characteristics of a CIS organizational structure: a. Concentration of functions and knowledge b. Concentration of programs and data 24

Use of computer in data processing Design of systems that provide less visible evidence than those using manual procedures Systems may be accessible by a large number of persons. 25

System Characteristics of CIS Processing a. Absence of input documents b. Lack of visible transaction trail c. Lack of visible output d. Ease of access to data/programs 26

Question: Objectives and scope of audit in EDP environment Comment on the overall objectives and scope of an audit does not change an EDP environment. 27

Answer: Objective and scope of audit in CIS do not change - 1 Principal objective of an audit of financial statements, prepared within a framework of recognised accounting policies and practices and relevant statutory requirements, if any, so to ensure that the financial statements reflect a true and fair view. Scope of an audit of financial statements is determined by the auditor having regard to the terms of the engagement, the requirements of relevant legislation and the pronouncements of the institute. Involves assessment of reliability and sufficiency of the information contained in the accounting records and other source data by study and evaluation of accounting system and internal controls in operations. 28

Answer: Objective and scope of audit in CIS do not change - 2 Overall objective and scope of an audit does not change in EDP environment but the use of a computer changes the processing and storage of financial information and may affect the organisation and procedures employed by the entity to achieve adequate internal control. Procedures followed by the auditor is his study and evaluation of the accounting system and related internal controls and nature, timing and extent of his other audit procedures may be affected by an EDP environment. Computerisation of accounts would also have an impact on the increase in fraud and errors. 29

Answer: Objective and scope of audit in CIS do not change - 3 When auditing in an EDP environment, the auditor should have sufficient understanding of computer hardware, software and processing systems to plan the engagement and to understand how EDP affects the study and evaluation of internal control and application of auditing procedures including computer assisted audit techniques. Auditor should also have sufficient knowledge of EDP to implement the auditing procedures, depending on the particular audit approach adopted. Overall objectives and scope of audits does not change irrespective of fact that whether the accounting information is generated manually or through EDP 30

Question: Audit objectives in CIS State with reasons (in short) whether the following statements is true or false. The overall objectives of audit changes in Computer Information Systems(CIS) environment. 31

Answer False: Overall objectives of audit does not change in Computer Information System (CIS) environment. But the use of computer changes the processing and storage, retrieval and communication of financial information 32

Question: Audit in EDP environment is simpler Doing an audit in an EDP environment is simpler since the trial balance always tallies. Analyse critically? 33

Answer: Trial balance in CIS always tallies - 1 It is true that in EDP environment in trial balance always tallies, the same can not imply that the job of an auditor becomes simpler. There can still be some accounting errors like Omission of certain entries, Compensating errors, Duplication of entries, Errors of commission in the form of wrong A/c head is posted., Possibility of Windows Dressing Creation of Secret Reserves At Present, due to complex business environment the importance of trial balance canot be judged only upon the arithmetic accuracy but the nature of transactions recorded in the books and which appear in the trial balance should be reviewed. 34

Answer: Trial balance in CIS always tallies - 2 Emergence of new forms of financial instruments like options and futures, derivatives, off balance sheet financing etc. have given rise to further complexities in recording and disclosures of transactions. In an audit, beside the tallying of a trial balance, there are also other issue like estimation of provision for depreciation, valuation of inventories, obtaining audit evidence, ensuring compliance procedure and carrying out substantive procedure, verification of assets & liabilities their valuation etc., which still requires judgement to be excised by the auditor 35

Answer: Trial balance in CIS always tallies - 3 Responsibility of expressing an audit opinion and objectives of an audit are not changed in the audit in EDP environment. Simply because of EDP environment and the trial balance has tallied, it does not mean that the audit would become simpler 36

3. DESIGN AND PROCEDURAL ASPECTS OF CIS ENVIRONMENT 37

Question: Design and Procedural aspects in CIS In a CIS environment, what are the different Design and Procedural aspects, which are different from those found in Manual systems? 38

Answer: Design and procedural aspects of systems - 1 i. Consistency of performance CIS systems performed functions are more reliable provided that all transactions types and conditions that could occur are anticipated and incorporated into the system. ii. Programme control procedures These procedures can be designed to provide controls with limited visibility. iii. Single transactions update of multiple or data base computer file A single input into the accounting system may automatically update all records associated with the transaction. 39

Answer: Design and procedural aspects of systems - 2 iv. Systems generated transactions: Certain transactions may be initiated by the CIS system itself without the need for an input documents. E.g. Interest may be calculated and changed automatically to customer s account balances. v. Vulnerability of data and audit programme storage media: Large volume of data may be stored on portable of fixed storage media, such as magnetic disks and tapes 40

Question: Design and procedural aspects of EDP systems What are the different design and procedural aspects of EDP systems? 41

Answer: Different design and procedural aspects of EDP systems i. Consistency of Performance ii. iii. iv. Programmed Control Procedures Single Transaction Update of Multiple or Database Files Systems Generated Transactions v. Vulnerability of Data and Programme Storage Media 42

i. Consistency of Performance EDP systems perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction type and conditions that could occur are anticipated and incorporated into the system. 43

ii. Programmed Control Procedures The nature of computer processing allows the designed of internal control procedures in computer programs. These procedures can be designed to provide control with limited visibility(e.g., protection of data against unauthorized access may be provided by passwords). Other procedures can be designed for use with manual intervention, such as review of reports printed for exception and error reporting, and reasonableness and limit checks of data. 44

iii. Single Transaction Update of Multiple or Database Files A single input to the accounting system may automatically update all records associated with the transaction Example: shipment of goods documents may update the sales and customers accounts receivable files as well as the inventory file) An erroneously entry in such a system may create errors in various financial accounts. 45

iv. Systems Generated Transactions Certain transactions may be initiated by the EDP system itself without the need for an input document. The authorization of such transactions may neither be supported by visible input documentation nor documented in the same way as transactions which are initiated outside the EDP system(example: interest may be calculated and charged automatically to customer s account balances on the basis of pre authorization terms contained in a computer program.) 46

v. Vulnerability of Data and Programme Storage Media Large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic discs and tapes. These media are vulnerable to theft, or intentional or accidental destruction. 47

4. INTERNAL CONTROLS IN CIS ENVIRONMENT 48

Question: Internal controls in EDP Explain the internal controls in an EDP Environment. 49

Answer: Internal controls in an EDP Environment The internal controls over computer processing, which help to achieve the overall objectives of internal control, include both manual procedures and procedures designed into computer programmes. Such manual and computer controls affect: 1. EDP environment (general EDP controls) and 2. Specific controls over accounting applications(edp application controls) 50

1. Purpose of General EDP Controls Establish a framework of overall control over the EDP activities Provide a reasonable level of assurance that the overall objectives of internal control are achieved. 51

Types of General EDP Controls a. Organisation and management controls b. Application systems development and maintenance controls c. Computer operation controls d. Systems software controls e. Data entry and program control 52

a. Organisation and management controls Designed to establish an organisational framework over EDP activities: (i) Policies and procedures relating to control functions; (ii) Appropriate segregation of incompatible functions. 53

b. Application systems development and maintenance controls Designed to establish control over: (i) Testing, conversion, implementation and documentation of new or revised systems. (ii) Changes to application systems. (iii) Access to system documentation (iv) Acquisition of application systems from third parties 54

c. Computer operation controls Designed to control the operation of the system and to provide reasonable assurance that: (i) The system are used for authorised purposes only. (ii) Access to computer operation is restricted to authorised personnel. (iii) Only authorized programs are used. (iv) Processing errors controls are detected and corrected. 55

d. Systems software controls (i) Authorisation, approval, testing, implementation and documentation of new systems software and systems software modification. (ii) Restriction of access to systems software and documentation to authorised personnel. 56

e. Data entry and program control Designed to provide reasonable assurance that: (i)an authorisation structure is established over transactions being entered into the system. (ii)access to data and programs is restricted to authorised personnel. (iii)offsite back up of data and computer programmes (iv)recovery procedures for use in event of theft, loss or intentional or accidental destruction. (v)provision for offsite processing in the event of disaster. 57

5. CIS APPLICATION CONTROLS 58

Purpose of CIS Application Controls Establish specific control procedures over accounting application to provide reasonable assurance that all transactions are: 1. Authorized and recorded 2. Processed completely, accurately and on a timely basis. 59

Types of CIS Application Controls A. Controls over the input C. Controls over output B. Controls over processing and computer data files 60

A. Controls over input Designed to provide reasonable assurance that: Transactions are properly authorized before being processed by computer. Transactions are accurately converted into machine readable form and recorded in computer data files. Transactions are not lost, added, duplicated or improperly changed. Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis. 61

B. Controls over processing and computer data files Transactions, including system generated transactions, are properly processed by the computer. Transactions are not lost, added, duplicate or improperly changed. Processing errors are identified and corrected on a timely basis. Designed to provide reasonable assurance 62

C. Controls over output Results of processing are accurate Designed to provide reasonable assurance Output is provided to appropriate authorized personnel on a timely basis Access to output is restricted to authorized personnel. 63

Question: Input controls in CIS (a) State any four important elements of input control in processing of data in a computerised accounting system. 64

Answer: Input controls in CIS - 1 i. Input to computer should be authorized. ii. Authorization levels should be checked. iii. Authorization is effected by levels of access to entry for computer system. iv. Access control is operated through use of password and logging procedures. 65

Answer: Input controls in CIS - 2 i. System should devise controls to check data input are accurate. ii. Input documents should be reviewed and verified by another person after preparation. iii. Transaction should be accurately converted into machine readable language and recorded in a computer data file 66

Answer: Input controls in CIS - 3 i. The transactions are not lost, duplicated, or changed without authorization. ii. iii. iv. There should be validity and cross reference checks, inbuilt in the system to throw light on errors which appear in the process of feeding input. Incorrect transactions are thrown out by a list which must be corrected, resubmitted before the process could run on the inputs The check digit total of financial information contained in the document or hash total may be used to act as a control tool. v. The serial control may be used in inputting data that are to follow serial sequence. Any deviation in serial sequence will have to be automatically signalled out. 67

Question: Reliability of internal control system in CIS How would you assess the reliability of internal control system in computerised information systems? 68

Answer: Evaluating reliability of internal control system in CIS - 1 The auditor would consider the following: i. Authorised, correct and complete data is made available for processing ii. Provides for timely detection and corrections of errors 69

Answer: Evaluating reliability of internal control system in CIS - 2 iii. In case of interruption due to mechanical, power of processing failures, the system a. Ensures accuracy and completeness of output. b. Provides security to application software's & data files against fraud etc. c. Prevents unauthorised amendments to programs 70

6. APPROACHES TO AUDITING IN A CIS ENVIRONMENT 71

Audit approaches in CIS environment Audit around the computer Audit through the computer 72

Auditing around the Computer 1. System logic is straightforward and there are no special routines resulting from the use of the computer to process data. 2. Input transactions are batched and control can be maintained through the normal methods, for example, separation of duties and management supervision. 3. Processing primarily consists of sorting the input data and updating themaster file 73

Auditing through the Computer The auditor can use the computer to test: (a) The logic and controls existing within the system and (b) The records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor. 74

Auditing through the Computer 1. Application system processes large volumes of input and produce large volume of output that make extensive direct examination of the validity of input and output difficult. 2. Significant parts of the internal control system are embodied in the computer system. 3. Logic of the system is complex and there are large portions that facilitate use of the system or efficient processing. 4. Substantial gaps in the visible audit trail. 75

Question: Approaches to EDP auditing Explain briefly the approaches to EDP auditing? State clearly the circumstances where Auditing through the Computer approach must be used. 76

Answer: Approaches to EDP Auditing Computerisation of accounts does not affect the basic objective of auditing. However, the auditor would need to modify his audit procedures approach and technical capabilities so as to be able to form an opinion on the accounts processed in a computerised environment. The auditor must plan whether or not to use the computer. The two approaches are commonly called: Auditing around the computer Auditing through the computer. 77

Audit around the Computer Auditor views the computer as a black box Audit around the computer involves forming of an audit opinion wherein the existence of computer is not taken into account. Principle of conventional audit like examination of internal controls and substantive testing is done. 78

Auditing around computer (i) The system is simple and uses generalised software that is well tested and widely used. (ii) Processing mainly consists of sorting the input data and updating the master file in sequence. (iii) Audit trail is clear. Detailed reports are prepared at key processing points within the system. (iv) Control over input transactions can be maintained through normal methods, i.e. separation of duties, and management supervision. 79

Auditing a GAS* environment - 1 GAS like payroll and provident fund package, accounts receivable and payable, etc. are available developed by software vendors. Auditor may decide not to go in details of the processing aspects, if there are well tested widely used packages provided by a regulated vendor. Ensure that there are adequate controls to prevent unauthorised modifications of the package. *Generalized Accounting software (GAS) 80

Auditing a GAS environment - 2 All such generalised packages do not make system amenable to audit. Some software packages provide generalised functions that still must be selected and combined to achieve the required application system. In such a case, instead of simply examining the systems input and output, the auditor must check the system in depth to satisfy him about such system. 81

Auditing through the Computer Sophistication of computers have finally reached the point where auditors can no longer audit around the computer but have to audit through it. Auditing through the computer requires that auditor submits data to the computer for processing. Results are then analysed for the processing reliability and accuracy of the computer programme. 82

Advantages of Audit through the computer Auditor has increased power to effectively test to computer system. Range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system s processing, auditor also can access the systems' ability to cope with environment change. 83

Impact of Technical and other developments On-line data entry Elimination or reduction of print-outs Real time files up dating Complexity 84

Using Computer for performing audit tests a. The logic and controls existing within the system; and b. The records produced by the system 85

Disadvantages of auditing around the computer Not beneficial for complex systems, of large scale in very large multi unit, multi locational companies, having various inter unit transactions. It can be used only in case of small organisations having simple operations. Difficult for auditor to assess degradation in the system in case of change in environment, and whether the system can cope with a change environment. 86

Dis-advantages of Audit through the computer Generally high costs and need for extensive technical expertise when systems are complex. At times, auditing through the computer is the only viable method of carrying out the audit Auditing through computer requires knowledge of using test data and computer software to check logic, processing and results. 87

7. USING CAATS 88

What are CAATs? CAATs are computer programs and data that the auditor uses as part of the audit procedures to process data of audit significance, contained in an entity's information systems. Important tools for auditor in performing audits. Used in performing various auditing procedures CAATs allow the auditor to: Gain access to data without dependence on the client Test reliability of client software, and Perform audit tests more efficiently 89

Why to use CAATs? During course of audit, auditor is to obtain: Sufficient, relevant and useful evidence to achieve the audit objectives effectively Audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence Today's information processing environments pose a stiff challenge to auditor to collect sufficient, relevant and useful evidences since the evidence exists on magnetic media and can only be examined using CAATs With systems having different hardware and software environments, different data structure, record formats, processing functions, etc, it is almost impossible for the auditors to collect evidence without a software tool to collect and analyze the records 90

Where can CAATs be used? Tests of details of transactions \ balances Example: Use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records; Tests of general controls Example: Testing set up or configuration of operating system or access procedures to program libraries or by using code comparison software to check that version of the program in use is version approved by management Tests of application controls Example: Testing functioning of a programmed control 91

Specific examples of using CAATs Analytical procedures Example: Identifying inconsistencies or significant fluctuations Sampling programs to extract data for audit testing Example: identifying specific invoices for vouching based on random sample/value Re performing calculations performed by the entity s accounting systems Example: Re computation of Income tax, interest, balancing 92

Question: Audit Trail and CAATs Briefly state the special audit techniques using the computer as an audit tool. 93

Answer: Computer as audit tool i. Input documents may be non existent where sales orders are entered online.in addition, accounting transactions such as discounts and interest calculations may be generated by computer programmed with no visible authorization of individual transactions. ii. iii. The system may not produce a visible audit trail of transactions processed through the computer. Delivery notes and suppliers invoices may be matched by a computer programme. In addition, programmed control procedure such as checking customer credit limits, may provide visible evidence only on an exception basis. In such cases, there may be no visible evidence that all transactions have been processed. Output reports may not be produced by system or a printed report may only contain summary totals while supporting are retained in computer files 94

Special audit techniques In absence of audit trail, auditor needs assurance that the programmes are functioning correctly in respect of specific items by using special audit techniques. Absence of input documents or the lack of visible audit trail may require the use of CAATs i.e. using computer as an audit tool. 95

Answer: CAAT The auditor can use the computer to test: The logic and controls existing within the system The records produced by the system. Depending upon complexity of application system being audited, the approach may be fairly simple or require extensive technical competence by auditor. 96

Answer: CAAT Effectiveness and efficiency of auditing procedure may be enhanced through the use of CAATs. Two Common types of CAATs: 1. Test pack or test data and 2. Audit software or computer audit programmes. 97

Question: CAAT and Audit evidence Why are computer assisted audit techniques (CAAT) needed in a Computer Information Systems (CIS) environment and how it helps the auditor in obtaining and evaluating audit evidences? 98

Answer: Using CAAT in CIS environment Absence of input documents Example: order entry in on line systems or the generation of accounting transactions by computer programs Example: automatic calculation of discounts may preclude the auditor from examining documentary evidence. Lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system. Lack of visible output may necessitate access to data retained on files readable only by the computer. 99

Answer: Using CAAT for audit evidence The effectiveness and efficiency of auditing procedures may be improved through the use of computer assisted audit techniques in obtaining and evaluating audit evidence, for example (i) Some transactions may be tested more effectively for a similar level of cost by using computer to examine all or a greater number of transactions than would otherwise be selected. (ii) In applying analytical review procedures, transactions or balance details may be reviewed and reported printed by unusual items more efficiency by using the computer than by manual methods. 100

Question: CAAT in EDP Audit and advantages of CAATs Why are Computer Aided Audit Techniques (CAAT) required in EDP audit? What are the advantages of CAATs? 101

Answer: CAAT Use of computers may result in the design of systems that provides less visible evidence than those using manual procedures. CAATs are such techniques applied through the computer which are used in the verifying the data being processed by it. Systems characteristics resulting from the nature of EDP processing that demand the use of Computer Aided Audit Techniques(CAAT) 102

Systems characteristics for using CAAT i. Absence of input documents ii. Lack of visible transaction trail iii. Lack of visible output iv. Ease of Access to data and computer programmes 103

i. Absence of input documents Data may be entered directly into the computer systems without supporting documents. In on line transaction systems, written evidence of individual data entry authorization Example: credit limit approval may not be available. 104

ii. Lack of visible transaction trail Certain data may be maintained on computer files only. In a manual system, it is normally possible to follow a transaction through the systems by examining source document, books of account, record files and reports. In an EDP environment, however, the transaction trail may be partly in machine readable form, and it may exist only for a limited period time. 105

iii. Lack of visible output In a manual system, it is normally possible to examine visually the results of processing. In EDP systems, the results of processing may not be printed or only a summary data may be printed. Lack of visible output may result in the need to access data retained on machine readable files. 106

iv. Ease of Access to data and computer programmes Data and computer programmes may be altered at the computer or through the use of computer equipment at remote locations. In absence of appropriate controls, there is an increased potential for unauthorized access to, and allocation of data and programmes by persons inside or outside the entity. 107

Advantages of CAAT i. Audit effectiveness ii. Savings in time iii. Effective tests checking and examination in depth 108

i. Advantages of CAAT i. Audit effectiveness Effectiveness and efficiency of auditing procedures will be improved through the use of CAAT in obtaining an evaluating audit evidence, for example: (a) Some transactions may be tested more effectively for a similar level of cost by using the computer. (b) In applying analytical review procedures, transactions or balance details of unusual items may be reviewed and reports got printed more efficiently by using the computer. 109

Advantages of CAAT ii. Savings in time The auditor can save time by reviewing the EDP controls using CAAT than through other audit procedures. iii. Effective tests checking and examination in depth CAAT permits effective examination in depth of selected transactions since the auditor constructs the lost audit trail. 110

Summary 1. Internal Controls and CIS Environment 2. Planning audit of CIS environment 3. Design and procedural aspects of CIS environment 4. Internal controls in CIS Environment 5. CIS Application Controls 6. Approaches to Audit in CIS Environment 7. Using CAATs 111

Thank you 112

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback