Module 7: Computer auditing

Overview

In this module, you learn about the effects that computer processing has on both the control environment and the audit of financial systems. You also learn about the approaches to auditing computerized systems and the ways to use computers for an audit. When you have worked through the module, you should have a thorough understanding of the audit implications of a computer-based system for a company's internal controls. Throughout the module, you apply what you have learned to scenarios involving a company planning to computerize its accounting systems.

Assignment reminder: Assignment 2 is due this week (see the Course schedule in the course navigation). Be sure to allocate time to complete and submit the assignment by the deadline.

Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives

7.1 Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach. (Levels 1 and 2)
7.2 Describe the major elements of audit significance in today's computer environment. (Level 2)
7.3 Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions. (Levels 1 and 2)
7.4 Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery. (Level 1)
7.5 Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)
7.6 Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)
7.7 Explain how an audit is conducted in a computer environment. (Level 1)
7.8 Identify the phases of auditing a computerized accounting system. (Level 1)
7.9 Identify internal control considerations in personal computer, online, and database environments. (Level 1)
7.10 Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)
7.11 Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)
7.12 Identify ways to use computers in conducting an audit. (Level 1)

file:///f /Courses/2009-10/CGALU/AU1/06course/01mod/au10910/module07/m07intro.htm (1 of 2) [31/08/2009 10:13:24 AM]
7.1 Company operations and computer systems

Learning objective

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach. (Levels 1 and 2)

Required readings

Chapter 7, pages 211-215 (up to Elements of an IT-Based Information System) and pages 223-225 (Level 1)
Chapter 9, pages 314-317 (Level 1)
CAS 315, Appendix 1 (CICA Handbook, section 5141, Appendix B), section titled Information System, Including the Related Business Processes Relevant to Financial Reporting, and Communication (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," sections 1-3 (Level 2)

LEVEL 1

Computerization of accounting systems has some major effects on a company's operations. Understanding these effects will help you understand the audit implications better.

Read CAS 315, Appendix 1 (CICA Handbook, section 5141, Appendix B), the section entitled "Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication," which provides an overview of how the client's information system correlates the management assertions, the audit objectives, and the functions of the information system.

Scenario 7.1-1: TRP Inc.

Teresa is the Director of Finance for TRP Inc. As part of the business planning for the following year, the Chief Financial Officer (CFO) has tabled a project to computerize TRP's accounting systems. Teresa has been assigned the task of identifying and analyzing the major effects of this project on the company's organizational structure and data processing. As TRP Inc.'s auditor, you must help Teresa gather information for the project. What information will Teresa need to have?

Hint: Start by organizing the information into three categories:
Effect (or impact)
Risk
Management responsibility

Solution

Transaction processes

Another effect of computerization is dramatic changes in the transaction processes. On pages 223 to 225, the text describes these changes and provides a general statement of the audit implication for each of the characteristics. Topic 7.3, which covers the control environment in computer-based systems, looks at the implications of these characteristics in more detail.

Auditing approach

Computerization also causes changes in the approach to auditing. Read sections 1-3 of Reading 7.1-1 (CGA Auditing Guideline No. 6) for an overview of computer environment issues, and, as you read, think about how a computer environment will affect internal controls and the audit.

Scenario 7.1-2: TRP Inc.

In this topic, you learned about the impact of computerization on a company's operations. If you were the auditor assigned to audit TRP Inc., what changes would you make in your approach to the audit?

Solution
7.2 Major elements in today's computer environment

Learning objective

Describe the major elements of audit significance in today's computer environment. (Level 2)

Required readings

Chapter 7, pages 215-216, Elements of an IT-Based Information System
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," sections 9 and 10

LEVEL 2

Be aware of the major elements in today's computer environment. You have already studied the basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent. The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet.

Microcomputers are explained in section 9 of CGA AuG-6 (Reading 7.1-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5. Paragraphs 10.2 to 10.4 of Reading 7.1-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems. Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now, many companies use computer networks. The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now, the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work an auditor needs to do to understand and rely on the computer controls.

At one time, only programmers could change the programs used to process the company's data. Now, each employee with access to a computer could also have access to the software that runs on that computer, and could alter it unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information. However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator. The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.

Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from, or deposits to, your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may, intentionally or unintentionally, wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company. The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line.

Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals, without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and that the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor's ability to obtain evidence if no paper-based source documents are used? What checks and controls can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI? Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor's work? The implications for auditors are the loss of the audit trail resulting from the paperless environment and the lack of human intervention, which results in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.
7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions. (Levels 1 and 2)

Required readings

Chapter 7, page 234 (Level 2)
CAS 315.A49-.A55 (CICA Handbook, paragraphs 5141.057-.063) (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," section 4 (Level 2)

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls. Some differences, for example the centralization of processing, may be a mixed blessing. Reading 7.1-1, section 4, provides a perspective for assessing risk and internal control in a computer processing environment.

The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7.1-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49-.A55 (CICA Handbook, paragraphs 5141.057-.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor's risk assessment. Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures.

The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization's operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:
Data control
Data entry
Computer operation
Data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1

In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:
Input documentation (such as a batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
Audit trail documents, such as ledgers, reports, and records, are not available except as machine-readable documents.
Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client's system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, the debit to accounts receivable and related credit to sales, the debit to cost of goods sold and the related credit to inventory, and the reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP's accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of the controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer's account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.
7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," section 4 (Level 2)

LEVEL 1

In a computerized environment, concentration of data and programs as well as ease of access can lead to significant risks for companies.

Unauthorized access

For example: anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols; individuals within a company may be able to access that company's system, or parts of it, without authorization; and "hackers" can break into any computer system. A company may not be aware that its system has been compromised, and may be unaware of transactions made by an unauthorized person.

Unauthorized access can be the result of outside operators breaking into a network, or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:
Password controls
Physical restrictions to computer equipment
Activity logs recording all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make and, usually, the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2,045. Neither the clerk nor the customer noticed the error. Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2,000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice. Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place.

In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls such as a test of the reasonableness of a price (as opposed to its arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion, because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.
7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required readings

Chapter 7, pages 226-228 and 235-246 (up to Review checkpoints)
CAS 315.21 and CAS 315.A91-.A93 (CICA Handbook, paragraph 5141.093)
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT.

Section 4 of Reading 7.1-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 235 to 245 of the text. The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application control components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram

General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on text pages 235 and 237 illustrate some general controls that auditors should consider. The general control procedures establish a structure of control over the management and operation of information systems rather than over the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 238-240 of the text. Backup controls are one of the most important general controls, not only for audit planning purposes, but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls: Reasonableness check

Application controls are needed to replace the loss of the human review that normally exists in a manual system. The lists on text pages 243 and 244 illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 243 and 244 illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP's Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1,000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa's answer would be?

Solution

Understanding internal control in a computer environment

The auditor's objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.
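The two control failures the module describes, the limit check that let a product code pass as a $2,045 price in Example 7.4-1 and the 1,000-hour payroll week in Scenario 7.5-1, can be made concrete as embedded input controls. The following is an added example, not code from the course or the CGA readings: the product master, the tolerance and hour thresholds, and the exception-log format are assumptions made for the illustration.

```python
"""Embedded application (input) controls, written as executable checks.

Added example. It models the failures the module describes: a limit check
whose ceiling is too coarse to catch a product code keyed as a price, and a
weekly timesheet that a manual clerk would reject on sight. The product
master, thresholds and exception-log format are assumptions for the example.
"""
from dataclasses import dataclass, field

# Constructed product master (hypothetical). Taking the price from the
# master rather than from the clerk removes the "code keyed as price" error;
# where a price must still be keyed, it is compared with the list price.
PRODUCT_MASTER = {
    2045: ("furniture polish", 4.99),
    3110: ("oak dining table", 1899.00),
}

DEPARTMENT_LIMIT = 5000.00      # limit check: set high for a furniture department
PRICE_TOLERANCE = 0.20          # reasonableness: keyed price within 20% of list
HOURS_PHYSICAL_MAX = 168.0      # 24 hours x 7 days cannot be exceeded
HOURS_REVIEW_THRESHOLD = 60.0   # above this, hold the entry for supervisor approval


@dataclass
class CheckResult:
    accepted: bool
    reasons: list = field(default_factory=list)   # why the entry was rejected or held
    needs_approval: bool = False


# Output control: an exception report of every input the checks refused.
EXCEPTION_LOG: list = []


def _log(kind: str, key, reasons: list) -> None:
    EXCEPTION_LOG.append({"kind": kind, "key": key, "reasons": list(reasons)})


def validate_sale(product_code: int, keyed_price: float) -> CheckResult:
    """Input controls on one point-of-sale line: existence, limit, reasonableness."""
    res = CheckResult(accepted=True)
    item = PRODUCT_MASTER.get(product_code)
    if item is None:
        res.reasons.append(f"unknown product code {product_code}")
    else:
        _, list_price = item
        # Limit check: the control the store in Example 7.4-1 already had.
        if keyed_price > DEPARTMENT_LIMIT:
            res.reasons.append(f"price {keyed_price:.2f} exceeds department limit")
        # Reasonableness check against the product master: this is what catches
        # the $2,045 bottle of polish that the limit check alone lets through.
        low = list_price * (1 - PRICE_TOLERANCE)
        high = list_price * (1 + PRICE_TOLERANCE)
        if not (low <= keyed_price <= high):
            res.reasons.append(
                f"price {keyed_price:.2f} outside {low:.2f}-{high:.2f} "
                f"for list price {list_price:.2f}")
        # Field-transposition check: the keyed price equals the product code.
        if abs(keyed_price - product_code) < 0.005:
            res.reasons.append("keyed price equals product code (field transposition)")
    if res.reasons:
        res.accepted = False
        _log("sale", product_code, res.reasons)
    return res


def validate_timesheet(employee_id: str, weekly_hours: float) -> CheckResult:
    """Reasonableness control replacing the payroll clerk's review in Scenario 7.5-1."""
    res = CheckResult(accepted=True)
    if weekly_hours < 0 or weekly_hours > HOURS_PHYSICAL_MAX:
        res.reasons.append(f"{weekly_hours} hours in one week is physically impossible")
        res.accepted = False
        _log("timesheet", employee_id, res.reasons)
    elif weekly_hours > HOURS_REVIEW_THRESHOLD:
        # Plausible but unusual: accept only after a supervisor approves it.
        res.needs_approval = True
        res.reasons.append(f"{weekly_hours} hours exceeds review threshold")
    return res


if __name__ == "__main__":
    print(validate_sale(2045, 2045.00))        # rejected: polish keyed at $2,045
    print(validate_sale(2045, 4.99))           # accepted
    print(validate_timesheet("E100", 1000.0))  # rejected: impossible week
    print(validate_timesheet("E100", 72.0))    # accepted, held for approval
    print(EXCEPTION_LOG)                       # the exception report for the auditor
```

The exception log is the part an auditor would ask to see: it is the evidence that the control operated during the period, not just that it was designed.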
Scenario 7.5-2: TRP Inc. Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor's objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution
7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

Chapter 9, pages 339-343

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:
The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.
Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

In October 1997, the AICPA and CICA announced a joint program of developing and promoting assurance services for websites on the Internet.

The most immediate impact on business is the creation of business websites. It is becoming commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format. Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:
digital certificates for authentication and non-repudiation
secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
access control lists for authentication, and
firewalls, a part of the organization's overall security plan.

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls and organizational controls.

Solution
7.7 Auditing computerized systems: General considerations

Learning objective
Explain how an audit is conducted in a computer environment. (Level 1)

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor must comply with GAAS in a GAAS audit. Accordingly, the auditor may complete the audit in a computer environment (or a combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters, in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and the related manual internal control policies and procedures with respect to specific assertions at the account balance or class of transactions level, the auditor would assess, on a preliminary basis, control risk at or near the maximum level or below the maximum level, and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures. Based on the tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level, and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers, and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.
7.8 General strategy in auditing computerized systems

Learning objective
Identify the phases of auditing a computerized accounting system. (Level 1)

Required readings
Chapter 9, pages 314-317
CAS 315.A77-.A82 (CICA Handbook, paragraphs 5141.080-.089)
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," section 5

LEVEL 1

Reading 7-1, section 5, describes audit planning considerations in a computer environment. Guidance on obtaining an understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77-.A82 (CICA Handbook, paragraphs 5141.080-.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in application systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level.

Can you identify a compensating control?

What compensating control might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.
7.9 Internal control considerations in personal computer, online, and database environments

Learning objective
Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required readings
Chapter 7, pages 246-249
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," sections 9 and 10 (paragraphs 10.1 to 10.11)

LEVEL 1

Text pages 246 to 249 and AuG-6 section 9 provide an overview of the audit considerations in a personal computer environment.

Personal computers

The control environment for stand-alone microcomputers is generally weak because of a lack of
- segregation of duties
- physical security of the microcomputer and its files
- computer knowledge
- reliable hardware and software, and
- documentation for software and software changes.

Typically, there are no application controls (such as the use of batch totals or passwords) in small systems. In a typical microcomputer environment, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risk of undetected errors to a minimum level. The auditor may often assume that control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.
7.10 Approaches to auditing computerized systems

Learning objective
Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading
Chapter 9, pages 348-349 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9-14 on page 348 illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or the data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system.

Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
- Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
- Auditing through the computer: Auditing the computer processing system or the data produced by the system to test the programmed controls.

Advantage(s)
- Auditing around the computer: Simplicity; does not require computer-proficient personnel. May be more cost effective.
- Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?
- Auditing around the computer: Requires a sufficient audit trail of visible evidence.
- Auditing through the computer: This method must be used if any one of the following exists: (a) the presence of large volumes of input/output means that direct examination of the records is difficult; (b) the lack of a visible audit trail means that significant parts of the internal controls are embedded in the computer system; (c) the system is complex and includes key parts of the accounting system.

Approaches
- Auditing around the computer: Bypasses the computer (auditing without the computer).
- Auditing through the computer: Two main approaches: 1. Test data; 2. Parallel simulation.
7.11 Approaches to auditing through the computer

Learning objective
Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required readings
Chapter 9, pages 349-357, and Exhibits 9-15 and 9-16 on pages 351 and 352
Reading 7-1: CGA AuG-6, "Auditing in an EDP environment," section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:
- the test data approach
- the auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths
- Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
- Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses
- Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer system, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
- Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy of it), and then comparing the output to predetermined results. When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client's records and files. Because of the high risk of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS. Exhibit 9-16 on page 352 illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies). GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Text page 354 lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form. Reading 7-1, CGA AuG-6 section 6, "Computer-assisted audit techniques (CAATs)," explains the uses of CAATs.
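The two approaches compared in Exhibit 7.11-1, worked through in code. This is an added example, not part of the course text or of CGA AuG-6, and nothing in it describes a real client system: the "client program" is a constructed stand-in for a hypothetical invoicing system, and its pricing policy, rounding rule, credit limits, customers, test cases and production invoices are all invented for the example. The stand-in deliberately contains two defects so that each approach has something to find.

```python
"""Added example, not from the course text or CGA AuG-6: the test data and
parallel simulation approaches of Topic 7.11, run against a constructed
stand-in for a hypothetical client's invoicing program.

Assumed (invented) policy: lines are extended (quantity x unit price), a 2%
discount applies when the pre-tax subtotal is 1,000 or more, 5% tax is added,
the total is rounded half up to the cent, and an order is rejected only if it
would push the customer's balance OVER the approved credit limit."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
DISCOUNT_THRESHOLD, DISCOUNT_RATE, TAX_RATE = Decimal("1000"), Decimal("0.02"), Decimal("0.05")
CREDIT_LIMITS = {"C001": Decimal("5000"), "C002": Decimal("1500")}       # constructed
OPENING_BALANCES = {"C001": Decimal("0.00"), "C002": Decimal("1080.00")}  # constructed


@dataclass
class Order:
    invoice_no: str
    customer: str
    lines: list               # (quantity, unit_price) pairs
    test_data: bool = False   # auditor's tag, so test records can be found and purged


def client_program(order, balances):
    """Stand-in for the copy of the client's program under test. It carries two
    defects the auditor does not know about in advance: tax is truncated rather
    than rounded, and the credit check rejects orders that merely reach the limit."""
    subtotal = sum(Decimal(q) * Decimal(p) for q, p in order.lines)
    if subtotal >= DISCOUNT_THRESHOLD:
        subtotal -= subtotal * DISCOUNT_RATE
    total = (subtotal * (1 + TAX_RATE)).quantize(CENT, ROUND_DOWN)
    if balances[order.customer] + total >= CREDIT_LIMITS[order.customer]:
        return "rejected", Decimal("0.00")
    balances[order.customer] += total
    return "accepted", total


def auditor_program(order, balances):
    """The auditor's own implementation of the documented policy, written
    independently of the client's code."""
    subtotal = sum(Decimal(q) * Decimal(p) for q, p in order.lines)
    if subtotal >= DISCOUNT_THRESHOLD:
        subtotal -= subtotal * DISCOUNT_RATE
    total = (subtotal * (1 + TAX_RATE)).quantize(CENT, ROUND_HALF_UP)
    if balances[order.customer] + total > CREDIT_LIMITS[order.customer]:
        return "rejected", Decimal("0.00")
    balances[order.customer] += total
    return "accepted", total


# Test data: crafted transactions with predetermined results, deliberately
# including boundary cases (a rounding tie, an order landing exactly on the
# credit limit) that production data may never exercise.
TEST_CASES = [  # (order, expected status, expected total)
    (Order("T-1", "C001", [(3, "100.00")], True), "accepted", Decimal("315.00")),    # 300 x 1.05
    (Order("T-2", "C001", [(10, "100.00")], True), "accepted", Decimal("1029.00")),  # discount applies
    (Order("T-3", "C001", [(1, "0.10")], True), "accepted", Decimal("0.11")),        # 0.105 rounds up
    (Order("T-4", "C002", [(10, "100.00")], True), "rejected", Decimal("0.00")),     # well over limit
    (Order("T-5", "C002", [(4, "100.00")], True), "accepted", Decimal("420.00")),    # exactly on limit
]


def run_test_data(program=client_program):
    """Run the test data through the client's program and list every case whose
    result differs from the predetermined one."""
    balances = dict(OPENING_BALANCES)
    exceptions = []
    for order, want_status, want_total in TEST_CASES:
        got_status, got_total = program(order, balances)
        if (got_status, got_total) != (want_status, want_total):
            exceptions.append((order.invoice_no, want_status, want_total, got_status, got_total))
    return exceptions


def purge_test_records(invoice_file):
    """Contamination check: drop tagged test records from a (constructed) copy of
    the client's invoice file and return the production records that remain."""
    return [o for o in invoice_file if not o.test_data]


PRODUCTION = [  # constructed extract of the client's invoice file
    Order("INV-100", "C001", [(2, "250.00")]),
    Order("INV-101", "C002", [(3, "33.33")]),
    Order("INV-102", "C001", [(12, "99.99")]),
]


def run_parallel_simulation(orders=PRODUCTION):
    """Process the same production data with the client's program and with the
    auditor's, each from the same opening balances, and report differences."""
    client_bal, audit_bal = dict(OPENING_BALANCES), dict(OPENING_BALANCES)
    exceptions = []
    for order in orders:
        client_out = client_program(order, client_bal)
        audit_out = auditor_program(order, audit_bal)
        if client_out != audit_out:
            exceptions.append((order.invoice_no, client_out, audit_out))
    return exceptions


if __name__ == "__main__":
    for e in run_test_data():
        print("test data exception:", e)
    for e in run_parallel_simulation():
        print("parallel simulation exception:", e)
```

Running the script reports two test data exceptions (T-3, the rounding tie, and T-5, the order that lands exactly on the credit limit) and two parallel simulation exceptions (INV-101 and INV-102, where the truncated tax differs from the rounded figure by one cent). The coverage is complementary in the way the exhibit's strengths and weaknesses suggest: the crafted test data reach the credit-limit boundary that the production extract never touches, while the parallel simulation exposes the truncation defect on ordinary invoices without anyone having to guess which values to test. The test_data tag on each crafted Order is what makes the contamination check in purge_test_records possible; the text's other condition, that the program copy tested is the one used throughout the period, is a matter of evidence about the client's change controls rather than something the script can establish.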
7.12 Computer-aided auditing

Learning objective
Identify ways to use computers in conducting an audit. (Level 1)

Required reading
Chapter 9, pages 357-358

LEVEL 1

On pages 357 to 358, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. Hardware is being developed that is more powerful yet more compact, such as laptop and notebook computers. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers are becoming as ubiquitous as the auditor's briefcase.

This exciting area of audit practice creates new opportunities as well as risks. The CICA study "Assurance Engagement Working Paper" (1997) provides a good analysis of the issues. For example, industry information and information on comparable companies can be obtained on the Internet as a means to improve the auditor's knowledge of the business and to assist in performing analytical procedures. Only a lack of creativity prevents the auditor from maximizing the potential of the Internet.

Here are some highlights of the software programs and aids available to auditors.

Commercial general use software
Spreadsheet programs such as Microsoft Excel or Lotus 1-2-3 can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word or WordPerfect are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates
Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software
Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs
These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit the policy reserves of casualty insurance companies.

Working paper software
Almost all public accounting firms now use working paper software developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement letters, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files
Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up to date. Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates
The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.
E-106 Auditing Guideline No. 6: Auditing in an EDP environment

TABLE OF CONTENTS
1. Introduction
2. Objectives
3. Skills and competence
4. Internal controls in an EDP environment
5. Audit planning
6. Computer-assisted audit techniques (CAATs)
7. Reliance on evidence obtained from other professionals
8. Evaluate potential for fraud
9. Auditing microcomputers
10. Special topics in EDP auditing
Appendix

May 2008
1. Introduction

1.1 International Standards on Auditing and Related Services ISA 200, Objective and General Principles Governing an Audit of Financial Statements, published by IFAC, states that the objective of an audit of financial statements is to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an identified financial reporting framework.

1.2 The overall objective and scope of an audit do not change in an electronic data processing (EDP) environment. However, an EDP environment may significantly affect the processing and storage of financial information and the related internal controls. Accordingly, the nature, timing and extent of the audit procedures may be affected.

1.3 In the context of CGA-Canada Auditing Guidelines, an EDP environment exists when a computer of any type or size is involved in the processing of financial information which is of significance to the audit, whether that computer is operated by the entity or by a third party. The EDP environment comprises computer hardware, software, manual procedures, and related support resources and services.

1.4 To determine the significance of the effect of the EDP environment on the audit, the auditors should assess the impact of the EDP environment on the operations of the client. The significance depends on the complexity and pervasiveness of the EDP operations. In other words, the more complex the EDP applications are, and the more pervasive the EDP environment is to the day-to-day operations of the client, the more dominant the EDP environment will be. Consequently, the EDP environment will have a greater impact on the audit.

1.5 In general, an EDP environment will affect the application of both tests of control and substantive procedures in several ways. First, changes may have to be made in the audit techniques due to the possible absence of input and output documents, the lack of a visible audit trail and the possible weakening of the internal control system. Second, the timing of audit procedures may be affected, because data may not be retained in computer files for an indefinite time. Third, the effectiveness and efficiency of audit procedures may be improved by the use of computer-assisted audit techniques.

The overall objective and scope of an audit do not change in an EDP environment. However, the nature, timing and extent of the audit procedures may be affected, depending on the impact of the EDP environment on the operations of the business, especially the processing of financial information.

2. Objectives

2.1 The objective of this Guideline is to provide auditors in an EDP environment with the additional guidance necessary to attain the overall audit objective. At the same time, it will assist the auditors to conform with Canadian generally accepted auditing standards (Canadian GAAS) and the CGA-Canada Code of Ethical Principles and Rules of Conduct (CEPROC). This Guideline will assist auditors in determining how to plan for an audit in an EDP environment, what skills and competence are required, and when to use computer-assisted audit techniques (CAATs). Guidance for auditing microcomputers, on-line systems, databases, and computer service bureaus is also provided.

3. Skills and competence

3.1 The skills required when auditing in an EDP environment include a knowledge of computer hardware, software and processing systems. The level of knowledge will depend on the nature of the computerized accounting system. However, as a minimum, it should be at the level required to manage the internal controls of the particular EDP environment.

3.2 Auditors must understand how EDP affects the study and evaluation of internal controls and the application of auditing procedures, including the use of CAATs.
3.3 Auditors must have sufficient understanding of the EDP environment to plan the audit. Auditors must also have sufficient knowledge of EDP to implement the auditing procedures; alternatively, they should involve other professionals who possess the required skills to assist in applying auditing procedures. Where the audit involves other professionals, the auditors continue to be responsible for forming and expressing an opinion on the financial statements.

Auditors must have:
- sufficient understanding of the EDP environment to plan the audit,
- sufficient knowledge of EDP to implement the auditing procedures, and
- sufficient skills to competently evaluate the results.

4. Internal controls in an EDP environment

4.1 Internal controls comprise the plan of organization and all the coordinated systems established by the management of an entity to assist in achieving management's objective of ensuring the orderly and efficient conduct of the business. The auditors should, as a first step, gain and document an understanding of the overall control environment and flow of transactions. If the auditors plan to assess control risk at less than maximum, they should also review, test and document the relevant control systems.

4.2 The auditors should understand and consider those characteristics of the EDP environment that may have an impact on the control environment, the accounting system and the related control systems. Such characteristics may include:
- concentration of functions and knowledge,
- absence of a visible audit trail,
- absence of input and output documents,
- existence of, and control over, system-generated transactions,
- built-in control procedures within computer programs,
- concentration of data and computer programs,
- vulnerability of storage media,
- increased exposure to fraud, or
- internal audit staff's knowledge of EDP systems.

4.3 The auditors must be aware of the areas of concern and changes in risk due to the EDP environment. Some potential areas of risk include:
- the absence of a visible audit trail,
- system-generated transactions,
- the existence of proper internal controls and their classification,
- the competence of management with respect to the EDP environment,
- the pervasiveness and the complexity of the EDP environment,
- conversion from manual procedures to EDP procedures,
- conversion from one EDP application to another,
- data access controls,
- unwarranted reliance on computer-generated information,
- segregation of incompatible functions, or
- security and backup procedures.

4.4 The auditors should understand what impact the EDP environment has on the internal controls of the entity. The internal controls in the EDP environment include both the manual procedures and the computer procedures, such as controls built into computer programs. Two types of internal controls can be identified. General EDP controls are concerned with overall controls over the EDP function. EDP application controls are concerned with specific controls over the computerized accounting applications.

4.5 General EDP controls establish a structure of control over the management and operation of the EDP function. Such controls may include:
- organization and management controls,
- application systems development controls,
- computer operation controls,
- systems software controls,
- program and data access controls,
- physical security, or
- backup and recovery controls.

General EDP controls will affect the auditor's assessment of the control environment.

4.6 EDP application controls establish specific controls over the accounting applications, in order to ensure that all transactions are authorized, recorded and processed completely, accurately and on a timely basis. EDP application controls include input/output controls and processing controls.

4.7 Auditors should understand the inherent limitations of internal controls in an EDP environment. These limitations include human error, exposure to collusion due to concentration of functions and knowledge, varying efficiency with changes in EDP staff, and lack of sufficient controls because of the cost involved.

5. Audit planning

5.1 The audit engagement should be planned in accordance with the guidelines provided in CGA-Canada Auditing Guideline No. 3, Audit Planning and Control. [E-103] Planning the Audit in Volume II of the CGA-Canada Public Practice Manual also provides guidance for audit planning. In addition, auditors should consider the special audit procedures required in an EDP environment.

5.2 Special plans should be set up for first engagements. These plans include procedures to gather information on the EDP environment that is relevant to the audit plan, including:
- the organization of the EDP function,
- the extent of concentration of functions and knowledge,
- the computer hardware and software configurations,
- the major applications which are computerized and which affect the financial information,
- planned implementation of new applications, revisions to existing applications, or applications currently under development,
- the policies guiding the EDP function, and
- the competence of management with respect to the EDP environment.
Information should be gathered on the EDP environment relevant to the audit.

5.3 There are many ways to gather such information. A very effective technique is the use of a general review questionnaire. A sample is provided in [Exhibit 6-1]. It comprises two sections: part 1 is a general review of internal controls, while part 2 is a more detailed examination of potential applications that can be served by the EDP department. This latter part would serve to document whether the application in question is present in the EDP environment of the firm. If it is present, then the auditors can formulate the investigation knowing that it will be necessary to review these applications.

5.4 If the audit is a repeat engagement, the previously obtained information on the EDP environment must be updated to reflect all changes which have occurred since the last audit.

5.5 If there has been a changeover to an EDP environment, or significant changes have occurred within the EDP environment, the auditors should:
- review the documentation relating to the changeover process and ensure that the controls over the process were adequate, and
- where appropriate, attend, or have a specialist attend, all or a portion of the implementation or the changeover, to ensure that all procedures are followed and all data has been transferred.

5.6 When the auditors have an expectation that the controls operate effectively, they should include procedures in the overall audit plan to identify the relevant EDP controls and to test the reliability of such controls. The use of an EDP internal control checklist, such as [Exhibit 6-2], should be considered.

5.7 The auditors must determine how, when and where the EDP function will be reviewed. Based on this information, the auditors must assess the level of EDP expertise required to carry out the audit plan, and determine whether the necessary technical skills are available. The auditors may use independent EDP professionals to augment the technical skills of the audit team.

5.8 The auditors must obtain an overall understanding of the internal control structure in an EDP environment as part of the audit planning. If the auditors have an expectation that the controls operate effectively, they should review and evaluate the relevant general EDP controls and EDP application controls. Where such controls are found to be materially deficient, the level of control risk should not be reduced. Instead, other methods should be undertaken to accomplish the audit objectives.

5.9 The audit plan must include procedures to obtain sufficient and appropriate audit evidence. An EDP environment may affect the existence and nature of the audit evidence. The timing of procedures to obtain audit evidence may be affected inasmuch as data may not be retained in computer files for a sufficient length of time for audit use. The auditors may have to make special arrangements to retain the needed audit evidence, or time the audit procedures to examine the audit evidence when it is available.

5.10 The use of CAATs should be considered.
Such techniques may improve the effectiveness and efficiency of auditing procedures.

Audit plans must consider: the control environment in the EDP area, the level of EDP expertise required, the changes that have occurred in the EDP environment, the need for involvement of EDP professionals, the nature, timing and extent of audit evidence, and the use of CAATs.

6. Computer-assisted audit techniques (CAATs)

6.1 CAATs involve the use of computer programs and data to assist in the auditing procedures. Some examples of CAATs are: recalculating data, tests of internal controls, testing of extensions and footings, analytical review procedures, statistical selection of random and/or key audit samples, selection and printing of confirmations, and summarizing of data.

6.2 CAATs can be broadly classified into two groups: those used to review system controls, and those used to review production data. The first group includes test data methods, integrated test facilities, automated program logic analyzers, and code comparison programs. The second group includes techniques to examine, retrieve, manipulate, and report on actual production data. Refer to the Appendix for a description of some of the more common CAATs available to the auditor.

6.3 CAATs may be used during tests of control and substantive procedures, such as: detailed dual-purpose tests of transactions and balances, analytical review procedures, tests of EDP application controls, financial analyses, and statistical sampling.

6.4 Factors affecting the use of CAATs include: the level of computer expertise of the audit team, the availability of suitable computer facilities, the effectiveness and efficiency of alternative means of testing, the availability of, and access to, data, and the cost-benefit involved. The auditors should be aware of the potential benefits of using CAATs, such as improved efficiency of some audit procedures and savings in audit cost and time.

6.5 The use of CAATs may be required when: a visible audit trail is lacking, precluding the auditor from tracing transactions through the computerized system manually; data is stored in the computer and manual means of examining the data are infeasible or uneconomical; and input and output documents are not available (e.g., system-generated transactions).

Computer-assisted audit techniques (CAATs) should be considered when cost savings can be achieved, and when there are no other means of performing the audit procedures.

7. Reliance on evidence obtained from other professionals

7.1 When auditing in an EDP environment, the auditors may decide to engage the services of an EDP professional to assist in the audit. The auditors should be satisfied with the technical qualifications of the EDP professional when it is planned to use that professional's work as audit evidence. The auditors should consider the professional certification, licence or other evidence of the competence of the EDP professional. Other relevant considerations include the EDP professional's experience, reputation, and membership in an appropriate professional body. When an EDP professional is engaged to assist in the audit, the auditors should be satisfied that the EDP professional is qualified to carry out the audit procedures.
7.2 Additional guidance on reliance on evidence obtained from other professionals can be found in ISA 620, Using the Work of an Expert.

8. Evaluate potential for fraud

8.1 An EDP environment provides easy access to data for those who have legitimate purposes. However, the same access may also be used to perpetrate fraud. Because vital operating information is often stored on the computer, computer fraud can be a major threat to the entity. The auditors should assess the risk of material misstatement in the financial statements due to fraud and/or embezzlement.

8.2 Control weaknesses that may indicate the potential for fraud include: inadequate control over systems development and computer operations, inadequate segregation of jobs requiring technical knowledge, inadequate segregation of record-keeping duties from physical operations and custody of assets, and inadequate access control.
It must be stressed that these examples of potential weaknesses are by no means exhaustive. Auditors must be aware that there may be other equally serious deficiencies in the entity's controls. Auditors should assess the risk of material misstatements caused by computer fraud.

8.3 If the auditor selects the substantive approach during the planning of the audit, the intent is to place high reliance on substantive audit procedures instead of testing controls. However, there are circumstances in which such an approach may need to be modified. When the auditor identifies significant risks of misstatement, the auditor's response to those risks must be planned carefully to ensure an effective audit. One of the issues that must be addressed is: can the risk be reduced to an acceptably low level by substantive procedures alone? If not, should the controls that relate to those risks be tested? For example, when routine day-to-day business transactions are initiated, recorded, processed or reported electronically with little or no manual intervention, it may not be possible, by performing only substantive procedures, to reduce to an acceptably low level the risk that relevant classes of transactions or account balances are materially misstated. If audit evidence is available only in electronic form, its accuracy and completeness will likely depend on the effectiveness of controls. In such automated environments, there is often a greater potential for improper initiation or alteration of information to occur and go undetected when appropriate controls are not operating effectively.

9. Auditing microcomputers

9.1 Microcomputers are used either as stand-alone computers or as part of a network of computers. In the former case, microcomputers are used to process the accounting applications.
In the latter case, microcomputers are often used as terminals attached to the main computers where the major accounting applications are processed, or are attached to local area networks (LANs).

9.2 Generally, the EDP environment in which microcomputers are used is less structured than a centrally-controlled EDP environment. In a microcomputer environment, application programs can be developed relatively quickly by users possessing only basic data processing skills. In such cases, controls over the systems development process and operations, which are essential to the effective control of a large computer environment, may not be viewed by the developer, the user or management as important or cost-effective. However, because the data are being processed on a computer, users of such data may tend to place unwarranted reliance on the financial information stored or generated by a microcomputer. Since microcomputers are oriented to individual end-users, the accuracy and dependability of the financial information produced will depend upon the internal controls prescribed by management and adopted by the user.

9.3 Where microcomputers are used as computing devices attached to main computers, the control problems are similar to those encountered in a normal EDP environment. The major exception is the ability of microcomputers to retrieve information from the main computer and store a copy on some form of removable storage media, such as floppy disks. Such information may then be used for unauthorized purposes. Auditors should review the controls over access to information stored in the main computers. Where microcomputers are used as terminals, auditors should pay special attention to controls on access to information stored in the main computer.
9.4 Where microcomputers are used to process applications, either as a stand-alone workstation or as part of a LAN, auditors should pay special attention to the internal controls over the operations of the microcomputers.

9.5 Within the microcomputer environment, auditors should be aware of the following control policies: physical security of equipment; physical security of removable and non-removable media; program and data security; software and data integrity; and hardware, software and data back-up. Management can contribute to the effective operation of microcomputers in an EDP environment by prescribing and enforcing policies for their control and use, such as those noted above.

9.6 Auditors will find that, in many cases, one person in the entity assumes the role of the expert, programming as well as operating the microcomputer. In such cases, the auditors should review the degree of segregation of functions, particularly over the processing of accounting records. Where segregation is inadequate, compensating audit procedures should be undertaken.

9.7 Auditors should review the software used on the microcomputer for the processing of accounting records. In particular, the adequacy of security, data integrity, back-up provisions, and audit trails should be reviewed.

9.8 Auditors should be particularly concerned with the following control weaknesses, which tend to be prevalent in a microcomputer environment: lack of segregation of incompatible functions, such as having the programmer responsible for posting the general ledger transactions; lack of audit trails; excessive dependency on the technical knowledge of one person; lack of access security, both physical and logical; limited knowledge of the user; lack of policies and standards regulating the use and control of microcomputer resources; and lack of management involvement with the operation of the microcomputer. It must be stressed that these examples of potential weaknesses are by no means exhaustive. Auditors must be aware that there may be other equally serious deficiencies in the entity's controls.
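The incompatible functions named in 8.2 and 9.8 can be checked mechanically against the entity's entitlement list rather than by reading access reports by eye. The following is an added example and is not part of the guideline: the incompatible pairs are constructed from the weaknesses those two paragraphs describe (program changes versus posting, development versus operations, record keeping versus custody, data entry versus authorization), and the users and their entitlements are made up for illustration. On an engagement both would come from the entity's control matrix and its access control lists.

```python
"""Segregation-of-duties check over an entitlement list (added example).

Not from the guideline. Incompatible-function pairs are constructed from the
weaknesses named in paragraphs 8.2 and 9.8; the users and entitlements are
constructed and would in practice be extracted from the entity's access
control lists.
"""
from itertools import combinations

# Pairs of functions one person should not hold together (constructed list).
INCOMPATIBLE = {
    frozenset({"MODIFY_PROGRAMS", "POST_GL"}),
    frozenset({"MODIFY_PROGRAMS", "RUN_PRODUCTION"}),
    frozenset({"RECORD_KEEPING", "ASSET_CUSTODY"}),
    frozenset({"DATA_ENTRY", "AUTHORIZE_TRANSACTIONS"}),
}

# Constructed entitlements: user -> functions granted to that user.
ENTITLEMENTS = {
    "alice": {"MODIFY_PROGRAMS", "POST_GL", "RUN_PRODUCTION"},  # the in-house "expert"
    "bob":   {"DATA_ENTRY"},
    "carol": {"AUTHORIZE_TRANSACTIONS", "RECORD_KEEPING"},
    "dave":  {"ASSET_CUSTODY"},
    "erin":  {"DATA_ENTRY", "POST_GL"},
    "frank": {"AUTHORIZE_TRANSACTIONS", "ASSET_CUSTODY"},
}


def find_conflicts(entitlements, incompatible=INCOMPATIBLE):
    """Return sorted (user, function_a, function_b) triples for every user
    who holds both halves of an incompatible pair."""
    found = []
    for user, functions in entitlements.items():
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in incompatible:
                found.append((user, a, b))
    return sorted(found)


def single_person_functions(entitlements):
    """Functions that exactly one user can perform, i.e. the 'excessive
    dependency on the technical knowledge of one person' weakness.
    Returns {function: user}."""
    holders = {}
    for user, functions in entitlements.items():
        for function in functions:
            holders.setdefault(function, set()).add(user)
    return {f: next(iter(users)) for f, users in holders.items() if len(users) == 1}


def sod_report(entitlements, incompatible=INCOMPATIBLE):
    """Human-readable findings, one per line, for the working papers."""
    lines = [f"SoD conflict: {u} holds both {a} and {b}"
             for u, a, b in find_conflicts(entitlements, incompatible)]
    lines += [f"Key-person dependency: only {u} can {f}"
              for f, u in sorted(single_person_functions(entitlements).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(sod_report(ENTITLEMENTS)))
```

Run against the constructed data, it flags the one user who can change programs and also post to the ledger and run production, and lists the functions that only one person can perform. Where a conflict cannot be removed (the one-person shop of 9.6), the finding is what determines the compensating audit procedures.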
9.9 The effect of microcomputers on the EDP environment, the accounting system and the associated risks will generally depend on: the extent to which the microcomputer is being used to process accounting applications; the type of financial transactions being processed and the significance of these transactions; and the nature of the data and programs utilized within the applications.

9.10 In general, auditors should assume that control risk may be high in a microcomputer EDP environment. Accordingly, it may be more cost-effective and efficient for the auditors simply to obtain an understanding of the control environment and transaction flow, rather than perform a detailed review of the general and EDP application controls. Consequently, the auditors may wish to concentrate the audit effort on substantive tests to gain audit assurance. Where microcomputers are used to process accounting applications, auditors should review the internal controls over the operations of the microcomputers and evaluate the level of reliance to be placed on the controls in order to determine the nature, extent, and timing of the substantive procedures to be performed.

9.11 The following are examples of control procedures that auditors may consider when the auditor's assessment of internal accounting controls related to a microcomputer environment includes an expectation that controls are operating effectively: segregation of duties, balancing controls, access to the microcomputer and its files, and use of third-party software.
9.12 Additional guidance on the effects of microcomputers on the audit function can be found in IAPS 1001, CIS Environments: Stand-alone Microcomputers.

10. Special topics in EDP auditing

10.1 Three types of EDP environments require special attention by auditors: on-line systems, databases, and computer service bureaus.

10.2 On-line systems typically involve the use of terminals connected to computers by some form of telecommunications link. Often, terminals are scattered over a wide geographical area. Applications are activated through terminals and controlled by some form of access control mechanism, such as passwords. The most significant characteristics of on-line systems relate to on-line data entry and validation, on-line access to the system by users, potential programmer access to the system, and the possible lack of a visible audit trail.

10.3 Certain general EDP controls are particularly important to on-line systems. These include (but are not limited to): access controls to terminals, programs, and data; back-up controls and standby procedures; data transmission controls; data integrity controls; user and transaction logs; controls over passwords; system development and maintenance controls; and programming controls.

10.4 Certain EDP application controls are particularly important to on-line systems. These include (but are not limited to): pre-processing authorization; terminal device edit, reasonableness, and other validation tests; cut-off procedures; file controls; master file controls; and balancing. Additional guidance on the implications of on-line systems for the audit function can be found in IAPS 1002, CIS Environments: On-line Computer Systems.

10.5 A database is a collection of interrelated data that is shared and used by a number of different applications for different purposes, but is independent of the applications.
The multiple users and uses of the data imply that the information in the database is a common resource shared within the organization. Data sharing requires that the data be independent of the uses made of it. This is achieved by having the DBMS record the data once for use by the various application programs, thereby avoiding data redundancy. In non-database systems, separate data files are maintained for each application, and similar data used by several applications may be repeated in several files.

10.6 The use of the data by various application programs emphasizes the importance of centralized coordination of the use and definition of data and maintenance of its integrity, security, accuracy, and completeness. These activities are provided by the database administrator, who, out of necessity, has vast powers over the database.

10.7 Generally, internal control in a database environment requires effective controls over the database, the DBMS, and the applications. The effectiveness of internal control depends to a great extent on the nature of the database administrator's tasks.

10.8 Due to data sharing, data independence, and other characteristics of database systems, general EDP controls normally have greater importance than EDP application controls in database systems. The general EDP controls of particular importance in a database environment can be classified as follows: standard approaches for development and maintenance of application programs, data ownership, access to the database, and segregation of duties.

10.9 The effect of a database on the accounting system and the associated risks will generally depend on: the extent of use by accounting applications; the type and significance of financial transactions processed; the nature of the database, the DBMS, the database administrator's tasks, and the applications; and the general EDP controls that are particularly important in a database environment.

10.10 Auditors should assess the impact that the database environment has on the audit. Auditors should pay special attention to the additional controls required in this environment: controls over access to, and updating of, data; controls to ensure data and application independence; controls to ensure integrity of data; controls over the activities of the database administrator; and controls over access by the database administrator to the data. In auditing a database environment, auditors should pay special attention to: access to and updating of data, data and application independence, data integrity, and the activities of the database administrator.

10.11 Additional guidance on the implications of database systems for the audit function can be found in IAPS 1003, CIS Environments: Database Systems.

10.12 Where the entity under audit uses a computer service bureau instead of an in-house EDP facility, the auditors should be aware of the special audit considerations. In general, there are three ways in which EDP services are provided by a computer service bureau: computer time and standard application software; systems development and maintenance; and some combination of the above.
10.13 It is important that the relationship between the entity and the computer service bureau be precisely specified in a contractual agreement. Typically, the entity has very limited control over the computer service bureau. The special audit considerations are: the contractual arrangements between the entity and the computer service bureau should be examined for adequate protection of the entity in the event of non-performance or business failure of the computer service bureau; and auditors may not be permitted to carry out certain audit procedures to test the internal controls of the computer service bureau, in which case the auditors may have to rely on the reports of the computer service bureau's auditors. Where a computer service bureau is used, auditors should pay special attention to the contract between the entity and the computer service bureau.
Appendix

A.1 The following paragraphs provide a brief description of some of the more common computer-assisted audit techniques available for the auditors' use.

A.2 The test data method is one of the techniques used to review system controls and other system procedures. It involves the insertion of test data (e.g., a stream of transactions) into the computer system being audited. The results obtained from processing the test data are then compared with predetermined results. The auditor may use actual (live) data, or dummy data may be created to test cases related to specific situations. Generally, test data is processed separately from the entity's normal processing.

A.3 An integrated test facility can take one of two forms. The first approach is to create dummy units (e.g., departments or individuals) to which test transactions are directed as part of normal processing. The output associated with these dummy units is then examined for completeness and accuracy. When using this technique, auditors must ensure that the dummy units and their associated transactions are removed from the entity's records after the audit has been completed.

A.4 The second approach is to embed audit programs into the computer system being audited. These hidden programs act as audit monitors, which the auditors can turn on or off in order to selectively audit different aspects of the processing cycle at different times.

A.5 There are programs that can convert a source program into a logical path printout, sometimes in flowchart form. Such programs are known as automated program logic analysis routines. The auditors are thus relieved of the often tedious flowcharting that is sometimes necessary to analyze program logic. However, the capability of these programs is limited: they interpret only relatively simple source programs with adequate accuracy.
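The test data method of A.2 worked through as an added example; this is illustrative Python, not code from the guideline or from any real application. `post_batch` is a constructed stand-in for the application under audit, `APPROVAL_LIMIT` and the posting policy it is meant to enforce are assumptions made for the example, and the batch is run against a copy of the ledger so that, as A.2 requires, test data stays out of normal processing. The predetermined results are derived from the policy rather than from the code, which is what lets the comparison expose an edit check that does not do what the policy says.

```python
"""Test data method (paragraph A.2), as an added, constructed example.

Nothing here comes from the guideline or from a real system. `post_batch`
stands in for the entity's application: a toy purchase-posting routine with
edit checks. The policy it is supposed to enforce (assumed for the example):
quantity and unit price must be positive, a document number may be posted
only once, and any amount of APPROVAL_LIMIT or more needs an approver.
"""
import copy

APPROVAL_LIMIT = 5000.00  # assumed policy threshold


def post_batch(ledger, batch):
    """Toy application under audit. Posts accepted documents into `ledger`
    (doc_no -> amount) and returns one disposition string per input line."""
    dispositions = []
    for txn in batch:
        amount = txn["qty"] * txn["unit_price"]
        if txn["qty"] <= 0 or txn["unit_price"] <= 0:
            dispositions.append("REJECT:INVALID_VALUE")
        elif txn["doc_no"] in ledger:
            dispositions.append("REJECT:DUPLICATE")
        # Boundary defect planted for the example: the policy says "at or
        # above the limit", the code tests strictly "above".
        elif amount > APPROVAL_LIMIT and not txn.get("approver"):
            dispositions.append("REJECT:NO_APPROVAL")
        else:
            ledger[txn["doc_no"]] = amount
            dispositions.append("ACCEPT")
    return dispositions


# Constructed test transactions, chosen to hit each edit check and its boundary.
TEST_BATCH = [
    {"doc_no": "T001", "qty": 10,  "unit_price": 12.50, "approver": None},   # ordinary
    {"doc_no": "T002", "qty": 0,   "unit_price": 99.00, "approver": None},   # zero quantity
    {"doc_no": "T003", "qty": 100, "unit_price": 50.00, "approver": None},   # exactly at limit
    {"doc_no": "T004", "qty": 101, "unit_price": 50.00, "approver": None},   # above limit
    {"doc_no": "T005", "qty": 101, "unit_price": 50.00, "approver": "CFO"},  # above limit, approved
    {"doc_no": "T001", "qty": 1,   "unit_price": 1.00,  "approver": None},   # repeated doc number
]

# Predetermined results, derived from the policy rather than from the code.
EXPECTED = ["ACCEPT", "REJECT:INVALID_VALUE", "REJECT:NO_APPROVAL",
            "REJECT:NO_APPROVAL", "ACCEPT", "REJECT:DUPLICATE"]


def run_test_data(live_ledger, batch, expected):
    """Run the batch against a copy of the ledger and return
    (doc_no, expected, actual) for every line whose result differs."""
    sandbox = copy.deepcopy(live_ledger)  # keep test data out of live records
    actual = post_batch(sandbox, batch)
    return [(txn["doc_no"], exp, act)
            for txn, exp, act in zip(batch, expected, actual) if exp != act]


if __name__ == "__main__":
    for doc, exp, act in run_test_data({"P900": 300.00}, TEST_BATCH, EXPECTED):
        print(f"{doc}: expected {exp}, application returned {act}")
```

Run as written, it reports one discrepancy: the document exactly at the approval limit is accepted without an approver. The batch deliberately includes that boundary case; a batch of ordinary transactions would have passed, which is why the test cases are chosen from the control's specification and not from whatever the application happens to do.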
A.6 Code comparison programs compare either the source or the object version of an operational computer program being audited against an authorized copy. They are generally used when the auditors want to ensure that the version of the program used for processing is in fact identical to the authorized version. This technique can thus be used to detect unauthorized or undocumented program changes.

A.7 Generalized audit software is a set of computer programs developed to perform various data-processing functions specific to auditing procedures. These functions include statistical sampling, data manipulation, computation, and the selection and printing of reports. The auditors specify the desired functions by coding pre-defined instructions to the generalized audit software. The advantage of such generalized software is that it can be used for many different audit engagements.

A.8 In addition to the descriptions in paragraphs A.2 to A.7, paragraphs 5 and 6 of IAPS 1009, Computer-assisted Audit Techniques, provide further information on audit software available for use by auditors.
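The code comparison of A.6 in practice, as an added example rather than anything from the guideline: compare the operational program library against the authorized copy member by member using SHA-256 digests. The two libraries below are constructed byte strings standing in for files on disk; the member names and contents are assumptions for the example.

```python
"""Code comparison (paragraph A.6) by cryptographic digest, an added example.

Not from the guideline. The two "libraries" are constructed byte strings
standing in for the authorized copy held under the auditor's control and
the members found on the production system; in practice both sides would
be read from disk. Each member is hashed with SHA-256 and the manifests are
diffed, so a member altered without changing its size or timestamp is
still caught.
"""
import hashlib

# Constructed authorized library, as approved through change control.
AUTHORIZED = {
    "payroll.cbl":    b"COMPUTE WS-DED = WS-GROSS * 0.15.\n",
    "gl_post.cbl":    b"PERFORM POST-TO-LEDGER UNTIL EOF.\n",
    "tax_tables.dat": b"2008,BASIC,0.15\n2008,SURTAX,0.04\n",
}
# Constructed operational library as found in production.
OPERATIONAL = {
    "payroll.cbl":    b"COMPUTE WS-DED = WS-GROSS * 0.05.\n",  # same length, rate changed
    "gl_post.cbl":    b"PERFORM POST-TO-LEDGER UNTIL EOF.\n",
    "patch_tmp.cbl":  b"MOVE ZERO TO WS-AUDIT-FLAG.\n",        # not in the authorized library
}


def manifest(library):
    """{member name: hex SHA-256 of its contents}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in library.items()}


def compare_programs(authorized, operational):
    """Diff the two manifests. Returns (status, member) pairs ordered by
    member name, where status is MODIFIED, MISSING (authorized but absent in
    production) or UNAUTHORIZED (in production but never approved)."""
    auth, oper = manifest(authorized), manifest(operational)
    findings = []
    for name in sorted(set(auth) | set(oper)):
        if name not in oper:
            findings.append(("MISSING", name))
        elif name not in auth:
            findings.append(("UNAUTHORIZED", name))
        elif auth[name] != oper[name]:
            findings.append(("MODIFIED", name))
    return findings


def size_only_comparison(authorized, operational):
    """What a naive check on member size reports; included only to show that
    it misses a same-size edit such as payroll.cbl above."""
    return sorted(name for name in set(authorized) & set(operational)
                  if len(authorized[name]) != len(operational[name]))


if __name__ == "__main__":
    for status, member in compare_programs(AUTHORIZED, OPERATIONAL):
        print(f"{status:12} {member}")
```

Two points carry over to a real engagement: the authorized manifest must come from a copy the auditor controls, captured when the change was approved, not from the production system being checked; and a comparison on file size or date is not a substitute, since payroll.cbl above changes a deduction rate without changing its length.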
Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach

Effects on the company's operations:
- absence or short life of transaction trails
- uniform processing of transactions
- concentration of functions
- increased potential for certain types of errors and irregularities
- potential for increased management supervision and review
- existence of system-generated transactions

Effects on the approach to auditing: consider IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit: when acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used. The auditor must sufficiently understand the internal controls related to the computer systems, both general controls and application controls. The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:
- the concentration of functions
- documentation of transactions
- controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:
- controls over access to programs and data
- controls over system design and maintenance
- protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls and explain how they relate to accounting controls

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on. Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls. Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems. The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit

The two main effects of EDI for auditors are:
- a paperless environment, resulting in the loss of an audit trail
- the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems. The main implications for internal control are also security-related: control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.
The main implication for the audit is an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment

Auditors should comply with GAAS in GAAS audits regardless of whether an entity operates a manual system or a computer system. The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit. Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.
The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system

The auditor should conduct a preliminary evaluation of internal control. This should include the general and application controls the auditor might consider effective enough to rely on when conducting the audit. The auditor must then test the controls to see whether they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments

The auditor should take into account any unique internal control considerations for personal computer, online, and database environments. Guidance on auditing microcomputers, online systems and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output. This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances. Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex. Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach consists of developing simulated data, processing it through the client's system, and comparing the output to predetermined results. Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis. The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit
- commercial general-use software such as Excel
- pre-built spreadsheet templates
- special-use software such as expert systems
- custom programs for auditing specific areas
- working paper software
- networked files
- standardized document templates
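The generalized audit software functions listed in the summary above (and in paragraph A.7 of the guideline) as an added Python example; this is not an actual GAS product and not code from the course. The sales invoice file and cash receipts file are constructed, amounts are carried as Decimal strings so re-extensions and footings are exact, and the key-item threshold, sample size and random seed are assumptions for the example. It goes slightly beyond the summary's list by combining key-item selection with the random draw, which is how a sample is usually built in practice.

```python
"""Generalized audit software functions (paragraph A.7 and the module summary)
as an added example. Not a real GAS product and not course code.

The invoice and cash receipts files below are constructed. Functions cover
re-extension, re-footing, duplicate detection, matching across two files,
and a reproducible sample selection with key items examined in full.
"""
from collections import Counter
from decimal import Decimal
import random

D = Decimal

# Constructed sales invoice file: (doc_no, qty, unit_price, recorded_amount)
INVOICES = [
    ("INV100", 10, "25.00",   "250.00"),
    ("INV101", 4,  "199.99",  "799.96"),
    ("INV102", 3,  "120.00",  "306.00"),   # recorded amount is not qty x price
    ("INV103", 1,  "8000.00", "8000.00"),
    ("INV101", 4,  "199.99",  "799.96"),   # same document number entered twice
]
# Constructed cash receipts file: (receipt_no, invoice_ref, amount)
RECEIPTS = [
    ("RCT1", "INV100", "250.00"),
    ("RCT2", "INV103", "8000.00"),
    ("RCT3", "INV999", "420.00"),          # refers to an invoice that does not exist
]


def extension_exceptions(invoices):
    """Re-extend each line and report (doc_no, recomputed, recorded) where
    the recorded amount differs from qty x unit price."""
    out = []
    for doc, qty, price, recorded in invoices:
        recomputed = (D(qty) * D(price)).quantize(D("0.01"))
        if recomputed != D(recorded):
            out.append((doc, str(recomputed), recorded))
    return out


def foot(invoices):
    """Re-foot the file: total of recorded amounts, to agree to the control total."""
    return sum((D(rec) for *_, rec in invoices), D("0"))


def duplicate_documents(invoices):
    """Document numbers that occur more than once."""
    counts = Counter(doc for doc, *_ in invoices)
    return sorted(doc for doc, n in counts.items() if n > 1)


def match_files(invoices, receipts):
    """Match receipts to invoices on invoice number. Returns
    (receipts with no invoice, invoices with no receipt)."""
    invoice_nos = {doc for doc, *_ in invoices}
    paid = {ref for _, ref, _ in receipts}
    unmatched = sorted(rcpt for rcpt, ref, _ in receipts if ref not in invoice_nos)
    unpaid = sorted(invoice_nos - paid)
    return unmatched, unpaid


def select_sample(invoices, n, seed, key_threshold):
    """Lines at or above key_threshold are selected 100%; n more lines are
    drawn at random from the rest. The seed makes the draw reproducible so
    the selection can be re-performed from the working papers."""
    key = [i for i, (*_, rec) in enumerate(invoices) if D(rec) >= D(key_threshold)]
    rest = [i for i in range(len(invoices)) if i not in key]
    drawn = random.Random(seed).sample(rest, min(n, len(rest)))
    return [invoices[i][0] for i in sorted(key + drawn)]


if __name__ == "__main__":
    print("extension exceptions:", extension_exceptions(INVOICES))
    print("footing:", foot(INVOICES))
    print("duplicates:", duplicate_documents(INVOICES))
    print("unmatched receipts, unpaid invoices:", match_files(INVOICES, RECEIPTS))
    print("sample:", select_sample(INVOICES, n=2, seed=7, key_threshold="5000.00"))
```

Each function returns its result rather than printing it so the exceptions can be carried into a worksheet; the footing is compared with the general ledger control total outside the script. Recording the seed alongside the sample is what makes the selection re-performable by a reviewer.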
Module 7 self-test

Question 1
As a potential CGA, you should be aware of the auditing guidelines issued by CGA-Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Question 2
Review checkpoint 7.19, page 226

Question 3
What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Question 4
a. Review checkpoint 7.41, page 246
b. Review checkpoint 9.1, page 317

Question 5
Review checkpoint 7.31, page 245

Question 6
Review checkpoint 9.91, page 353

Question 7
a. Review checkpoint 9.94, page 359
b. Review checkpoint 9.103, page 360
Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly: qualified personnel and investment in capital assets (appropriate computer equipment).
Risk: Appropriate internal controls lacking in the computerized environment.
Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Implementation of computer systems therefore forces management to ensure that adequate procedures are in place and computer systems are properly documented; that an adequate audit trail for significant classes of transactions exists; and that knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department, the computer centre or computer processing department.
Risk: Greater risk of losing a large amount of data in case of a breakdown of the computer system.
Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)
Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department. The auditor will have to determine if an IT specialist needs to be brought into the audit team and how this will affect the nature, extent, and timing of audit procedures. Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.
Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances. A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.
Scenario 7.3-1 solution 1
Segregation of duties
In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing. There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff are not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.
Scenario 7.3-1 solution 2
With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.
Scenario 7.3-2 solution
Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a prespecified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.
Example 7.4-1 solution
Design requirements
A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sale terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.
Activity 7.5-1 solution 1
These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.
Activity 7.5-1 solution 2
Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company, which has computerized its system extensively, would be out of business in less than two weeks if its system were extensively damaged and it did not have backup systems and hardware.
Scenario 7.5-1 solution
The payroll software should have built-in limits or reasonableness checks to flag such transactions.
Scenario 7.5-2 solution
To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end. In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.
Activity 7.6-1 solution
One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations. Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation. Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up policies regarding the use of e-mail because sensitive information sent via e-mail cannot be secured.
Activity 7.8-1 solution 1
To compensate for a lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.
Activity 7.8-1 solution 2
The auditor does not need to continue to review the documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.
Self-test 7 Solution 1
CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7.1-1), paragraph 3.3 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:
a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP, or a mixture of both.
b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment, and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.
c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).
Self-test 7 Solution 2
The six characteristics important to the auditor's understanding of IT controls are:
1. Audit trail. Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.) Continuous auditing methods may be required to continuously select and monitor the processing of data (for example, embedded audit modules).
2. Uniform processing. Uniform processing subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems), and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.
3. Segregation of duties. Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.
4. Visibility of alterations. The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.
5. Availability of analytical tools. The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.
6. Transactions initiated or executed automatically by a computer system. The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.
Self-test 7 Solution 3
The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed. Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
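The conversion test described here and in Scenario 7.5-2, written out as a small computer-assisted audit procedure. This is an added example, not part of the course material; it assumes the closing balances of the old system and the opening balances of the new system are available as account-code-to-balance mappings at the cut-off date, and it uses a hypothetical account map for accounts that were renumbered or merged in the new chart of accounts.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ConversionReport:
    old_in_balance: bool          # old closing trial balance sums to zero
    new_in_balance: bool          # new opening trial balance sums to zero
    control_totals_agree: bool    # total debits and total credits agree across systems
    differences: List[str] = field(default_factory=list)

    def clean(self) -> bool:
        """True only when totals agree AND every account reconciles individually."""
        return (self.old_in_balance and self.new_in_balance
                and self.control_totals_agree and not self.differences)


def reconcile_conversion(old: Dict[str, float], new: Dict[str, float],
                         mapping: Optional[Dict[str, str]] = None,
                         tolerance: float = 0.005) -> ConversionReport:
    """Reconcile old-system closing balances to new-system opening balances.

    Debits are positive, credits negative. `mapping` (hypothetical) translates
    renumbered or merged old account codes to their new codes."""
    mapping = mapping or {}
    # Restate the old ledger in new account codes; merged accounts are summed.
    restated: Dict[str, float] = defaultdict(float)
    for code, bal in old.items():
        restated[mapping.get(code, code)] += bal

    def dr_cr(ledger: Dict[str, float]):
        return (round(sum(v for v in ledger.values() if v > 0), 2),
                round(-sum(v for v in ledger.values() if v < 0), 2))

    report = ConversionReport(
        old_in_balance=abs(sum(old.values())) < tolerance,
        new_in_balance=abs(sum(new.values())) < tolerance,
        control_totals_agree=dr_cr(old) == dr_cr(new),
    )
    # Account-level comparison: a misposting or plug that leaves the control
    # totals agreeing still shows up here.
    for code in sorted(set(restated) | set(new)):
        if code not in new:
            report.differences.append(f"{code}: in old system only ({restated[code]:.2f})")
        elif code not in restated:
            report.differences.append(f"{code}: in new system only ({new[code]:.2f})")
        elif abs(restated[code] - new[code]) >= tolerance:
            report.differences.append(f"{code}: old {restated[code]:.2f} vs new {new[code]:.2f}")
    return report


# Constructed balances at the cut-off date. Account 1200 was renumbered to 1210;
# 180.00 has been moved from it into an unexplained new account 1250, so both
# ledgers balance and the control totals agree, yet the conversion is wrong.
OLD_CLOSING = {"1000": 15250.00, "1200": 48310.50, "2000": -22100.00, "3000": -41460.50}
NEW_OPENING = {"1000": 15250.00, "1210": 48130.50, "1250": 180.00,
               "2000": -22100.00, "3000": -41460.50}
ACCOUNT_MAP = {"1200": "1210"}

if __name__ == "__main__":
    r = reconcile_conversion(OLD_CLOSING, NEW_OPENING, ACCOUNT_MAP)
    print("control totals agree:", r.control_totals_agree, "| conversion clean:", r.clean())
    for d in r.differences:
        print("  ", d)
```

The point of the constructed data is that a totals-only check passes; only the account-by-account reconciliation exposes the difference and the unexplained account.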
Self-test 7 Solution 4
a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.
b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.
Self-test 7 Solution 5
General control procedures include:
- organization and physical access
- documentation and systems development
- hardware controls and preventive maintenance
- data file and program control and security
- backup and recovery procedures
- file security
- file retention
- system conversion controls (procedures to ensure the data is transferred completely and accurately, and that an accurate cut-off between the two systems is achieved)
Application control procedures include:
Input controls:
- input authorization
- check digits
- record counts
- batch financial totals
- batch hash totals
- valid character tests
- valid sign tests
- missing data tests
- sequence tests
- limit/reasonableness tests
- error correction and resubmission
Processing controls:
- run-to-run totals
- control total reports
- file logs
- limit/reasonableness tests
Output controls:
- control totals
- master file changes
- output distribution
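The input controls listed above, and the payroll limit and reasonableness checks of Scenario 7.5-1 and Activity 7.8-1, applied to one keyed payroll batch. This is an added example, not course code; the record layout, the control-slip figures, the modulus-10 check digit on the employee number, and the 80-hour and 5,000.00 limits are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PayLine:
    """One keyed payroll transaction (constructed layout, not the course's)."""
    employee_no: str   # six digits, the last a modulus-10 (Luhn) check digit
    hours: float
    rate: float
    gross: float


def check_digit_valid(number: str) -> bool:
    """Modulus-10 (Luhn) check digit test: catches a mis-keyed digit and most transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(lines, header_count, header_financial_total, header_hash_total,
                   max_hours=80.0, max_gross=5000.0):
    """Apply input controls to one batch; returns (control, employee_no, detail) exceptions."""
    exc = []
    # Record count and batch totals compare what was entered against the control
    # slip prepared by the data control clerk before the batch reached data entry.
    if len(lines) != header_count:
        exc.append(("record count", "*", f"slip {header_count}, entered {len(lines)}"))
    financial = round(sum(l.gross for l in lines), 2)
    if financial != header_financial_total:
        exc.append(("batch financial total", "*", f"slip {header_financial_total}, entered {financial}"))
    # Hash total over a field with no accounting meaning, so a substituted record is caught.
    hash_total = sum(int(l.employee_no) for l in lines if l.employee_no.isdigit())
    if hash_total != header_hash_total:
        exc.append(("batch hash total", "*", f"slip {header_hash_total}, entered {hash_total}"))
    for l in lines:
        if not check_digit_valid(l.employee_no):
            exc.append(("check digit", l.employee_no, "invalid employee number"))
        if min(l.hours, l.rate, l.gross) < 0:
            exc.append(("valid sign", l.employee_no, "negative value"))
        if abs(l.hours * l.rate - l.gross) > 0.01:
            exc.append(("reasonableness", l.employee_no, "gross != hours * rate"))
        if l.hours > max_hours:
            exc.append(("limit", l.employee_no, f"hours {l.hours} > {max_hours}"))
        if l.gross > max_gross:
            exc.append(("limit", l.employee_no, f"gross {l.gross} > {max_gross}"))
    return exc


# Constructed batch: one line claims a 160-hour week, and one employee number was
# mis-keyed (123456 fails the check digit; 123455 passes). The slip was prepared
# from the source documents, so count, financial total and hash total agree.
SAMPLE_BATCH = [
    PayLine("123455", 40.0, 25.0, 1000.0),
    PayLine("100008", 35.0, 30.0, 1050.0),
    PayLine("200006", 160.0, 60.0, 9600.0),
    PayLine("123456", 20.0, 20.0, 400.0),
]
SLIP = dict(header_count=4, header_financial_total=12050.0, header_hash_total=546925)

if __name__ == "__main__":
    for control, emp, detail in validate_batch(SAMPLE_BATCH, **SLIP):
        print(f"{control:22} {emp:8} {detail}")
```

Dropping a record from the batch before calling validate_batch makes the record count, financial total and hash total all disagree with the slip, which is the lost-transaction case these totals exist to detect.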
Self-test 7 Solution 6
Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software. CAATs can also be used when performing substantive testing.
Self-test 7 Solution 7
a. Advantages of a generalized audit software package include:
- Original programming is not required.
- Designing tests is easy. Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
- For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
- The same software can be used on various clients' computer systems.
- Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.
b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing a working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.