SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE

Transcription

1 SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE Learning objective: explain the use of computer assisted audit techniques in the context of an audit discuss and provide relevant examples of the use of test data and audit software for the transaction cycles and balance sheet items discuss the use of computers in relation to the administration of the audit Control in CIS environment: The control in CIS environment is categorised into: General Control Application controls (also known as processing) General controls: These cover the environment within which CIS are developed, operated and maintained. This control is also known as System Development Controls. They are designed to ensure the integrity of hardware, software and data files and the continuity of operation. Systems development controls include: Proper authorisation Adequate testing Complete and quality documents Control implementation Review and monitor after implementation To ensure changes are properly authorised, tested and documented. Authorisation: Any system or application being developed for the users and hence users should authorise and control the development of all system. This is usually achieved by the establishment of a Steering Committee or Project Board comprising senior IT managers, programmer etc. 1

2 The Steering Committee is responsible for: Testing Standard: - Commissioning feasibility study into new project development - Approving the investment in the development of all systems. - Overseeing the progress of the project - Monitoring the success of the project after implementation. All systems and sub-systems must be thoroughly tested before implementation. There are 3 recognised stages in testing: - At the individual program level, techniques should be employed, such as diagnostic routines and test data (containing dummy data which test the effective design and operation of controls built into program) - At the complete systems level, the overall effective operation must be tested to ensure that the output of one program exactly matches the input to next: test data/pack is normally used. - User acceptance testing-no system should be accepted unless thoroughly tested by users for functionality, operation, and user friendliness and after dry runs. Documentation standard: The development of the new system must be fully documented thus providing a full detailed record facilitating subsequent investigation of bugs and modification or upgrade. Implementation of systems Adequate user training Complete and accurate file conversions Choice of an appropriate changeover methods for example: - Parallel running - Direct changeover - Phased/pilot running Review and monitoring after implementation The purpose of continuous review is to ensure the system is performing according to stated objectives 2

3 Performance appraisal and evaluation techniques will be employed in what is called the post implementation audit. Changes, amendments, upgrade: Any modification to a system must be: - Authorised - Tested - Fully documented Further users must be fully trained in the application of the modifications The modification should be monitored and reviewed after implementation. Organisational or administrative controls: The main objectives are to ensure integrity of hardware, software and data files and the continuity of operations. Hardware: To preserve the integrity of hardware, it is necessary to restrict access and use to authorised personnel only. Software and data files: To preserve the integrity of software and data files it is necessary to restrict access and use to authorised personnel only. Personnel In centralised processing systems, since processing is concentrated in onedepartment controls are also concentrated in that department. In decentralised, distributed, networked and PC-based systems, the above segregation of duties is difficult to impose. Therefore alternative control arrangements must be enforced. Standby To ensure continuity of operations in the event of system/program failure or data corruption, the following standby arrangement must be in force: Back-up - Dumps at the program or data file level - At the complete system level, parallel hardware may be on standby, or arrangement to use others hardware, or to use a bureau or service provider. Fire precautions 3

4 Insurance arrangements Application controls: These are controls over the processing of data, and are imposed at the input, processing and output stages of the processing cycle, to ensure: Controls over input: - Data input is authorised and is completely and accurately processing. - The integrity of standing data or master file. Authorisation of data: Conventional procedures may be adopted (eg signatures on input documents) Automated programmed validation checks may be designed: Accuracy of data - Reasonableness tests - Range tests - Limit tests There are 2 types of checks that can be made on input data detecting errors: Verification at the data conversion stages, data is keyed in twice preferably by 2 different operators and the 2 inputs compared. Validation checks performed under program control on input. These include: - Check digit verification: testing that a digit added to a reference number bears the required mathematical relationship to the rest of the number. Such a check will detect transposition and transcription errors. - Existence checks: comparing reference number with pre listed reference number for existence. Controls either conventional or automated include: Batching - Batch numbers - Record counts - Hash totals Sequence checks: - Detecting - Duplication - Omission 4

5 Master files controls: Master files contain: - Out of sequence Records continuously updated by transaction data (e.g. customer accounts, supplier accounts, employee salary records) Reference data (e.g. sales price, employee wage rates) Controls must be designed to ensure the integrity of master files: - Changes must be authorised - Changes must be documented - Password entry must be required - Checks on printout of changes against authorising documents must be performed - Periodic reviews of master file content should be carried out for accuracy, completeness and for being up-to-date. The Audit of Computerised Information Systems There are 2 ways in which the auditor can approach the audit of CIS Auditing around the computer: This approach ignores the detail procedures carried out in individual application. It constitute on reconciling the output with input. An existence of an audit trail and ability to trace transaction through each stage of processing. A direct relationship between input and output The use of a software package, which is properly tested and used on trial. Auditing through the computer: Audit trail is loss, where output is indirectly related to input. Bespoke system are use Large volume of transaction An evaluation of system and controls is necessary The auditor will use. 5

6 Computer Assisted Audit Technique The use of is necessary when: Transaction volumes are high-s will enable large sample and automated programmed validation checks to be tested. There is little or no audit trail and hence it is necessary to audit through the computer To test original records (eg records held on disk) rather than printouts purporting to exact copies of files-thus producing auditor-generated evidence. Decentralised, End-User & Small Computer Systems The consideration of controls and testing technique has no far been mainly concerned with larger centralised systems. The modern type of system-concentrated upon end-user, PC-based computing presents additional problem to both management and auditor. Such systems require no special environment and are sited in an open office in contrast to the central computer department where there is a natural separate physical division between computer operations and user activities. Control problems and potential solutions: Access to computers is more difficult to control There will be a lack of segregation of duties-one person being able to initiate transactions authorise transactions and record transaction (i.e. able to input and process it) First time users may be ignorant of the importance of controls and of application of controls in particular (e.g. reconcilitions, review etc). Standing and reference data may be capable of being altered without proper authorisation. Data conversion standard from old to new systems may result in incomplete and inaccurate conversion and in data loss and corruption. Standby arrangements, including back-up software and data files, may be lax. The ability to write programs to process data using easy-to-learn language could result in unauthorised, untested and badly documented programs, capable also of being amended without necessary authorisation. 6

7 Electronic Data Interchange (EDI) and ECommerce Audit problems: The increasing use of EDI and in particular trading on the Internet by all types of business, creates problems for auditors: Originating documents may not exist-purchase orders and sales orders and respective invoices being placed electronically. There may be a lack of evidence of the operation of controls. Global trading raises problems of enforcement of cross-boarder contract-thus debtor values may be difficult to verify. Data transmissions may be intercepted and the risk of unauthorised accesses increases. Further viruses may be introduced causing data loss and corruption, and systems crashes. The failure of integrated and complex accounting systems may impact on partners in the supply chain, leading to material losses. Audit approach and consideration: Audit attention must be centred upon the following controls over transmissions: Agreements by both parties of the amount transmitted. Formal acknowledgement of transmissions Authentication procedures including the use of codes and encryption Continuous monitoring of transaction through sequence checking. Firewalls should be implemented controlling accesses to authorised businesses only. Virus protection software should be installed and regularly updated. Contingency plans and back-up procedures should be implemented and regularly tested. Appropriate insurance should be arranged It would be desirable to request letter of comfort from auditors of business partners to obtain assurance as to the existence of appropriate controls in their client s businesses. 7