Control Matters. Computer Auditing. (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising)



Similar documents
INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS

AUDITING IN COMPUTER ENVIRONMENT. What is audit in a computer environme nt?

PART 10 COMPUTER SYSTEMS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Internal Controls. A short presentation from Your Internal Audit Department

Internal Control Guide & Resources

The Impact of Information Technology on the Audit Process

Learning Objective 1. The Impact of Information Technology on the Audit Process. Describe how IT improves internal control.

Chapter 9 The Study of Internal Control and Assessment of Control Risk

How To Audit A Financial Statement

Module 7: Computer auditing

Internal Control Systems

Connecting the dots: IT to Business

5:31-7 Appendix B LOCAL AUTHORITIES - ACCOUNTING AND AUDITING IF ANY ARE NOT APPLICABLE, INSERT N/A AS YOUR ANSWER. FIRE DISTRICT YEAR UNDER AUDIT

INFORMATION TECHNOLOGY CONTROLS

SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE

SECTION 15 INFORMATION TECHNOLOGY

Auditing in an Automated Environment: Appendix C: Computer Operations

Master Document Audit Program

GENERALIZED AUDIT SOFTWARE

DETAIL AUDIT PROGRAM Information Systems General Controls Review

IT Application Controls Questionnaire

Chapter 15 Auditing the Expenditure Cycle

Knowledge Management Series. Internal Audit in ERP Environment

Ethics, Fraud, and Internal Control

Information System Audit Report Office Of The State Comptroller

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Internal Control Guidelines

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

auditing in a computer-based

MANAGEMENT AUDIT REPORT ACCOUNTS PAYABLE

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

10-1. Auditing Business Process. Objectives Understand the Auditing of the Enteties Business. Process

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Center City Development & Operations Department. Parking Revenue. Project No.

[300] Accounting and internal control systems and audit risk assessments

STATEMENT OF AUDITING STANDARDS 300 AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS

REVENUE REGULATIONS NO issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the

The policy and procedural guidelines contained in this handbook are designed to:

Basic Concepts of Accounting Subsidiary Subsidiary Special Special Inform Infor a m tion Ledgers Ledger Journals Jour Systems

4 Testing General and Automated Controls

Information Technology Audit

Full Compliance Contents

Audit Manual PART TWO SYSTEM BASED AUDIT

Good Internal Controls for Small Businesses

Solutions to Student Self Assessment Questions

Chapter 7 Securing Information Systems

MEMORANDUM. Municipal Officials. From: Karen Horn, Director, Public Policy and Advocacy; and Abby Friedman, Director, Municipal Assistance Center

Fundamentals of Computer and Internet Fraud WORLD HEADQUARTERS THE GREGOR BUILDING 716 WEST AVE AUSTIN, TX USA

Transactional Flowchart: Guidelines and Examples

1 INTRODUCTION TO SYSTEM ANALYSIS AND DESIGN

DISASTER RECOVERY PLAN

The audit of inventories

Newcastle University Information Security Procedures Version 3

Operational Risk Publication Date: May Operational Risk... 3

IT Enabled System : Opportunities & Challenges for Assurance Professionals

TRANSFERRING INTERNAL CONTROL KNOWLEDGE FROM LEGISLATION TO SCHOOL MANAGEMENT: THE CASE OF SLOVENIA

Types of Fraud and Recent Cases. Developing an Effective Anti-fraud Program from the Top Down

INFORMATION SYSTEM AUDITING AND ASSURANCE

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

TRAINING IN FINANCIAL AND BUSINESS MANAGEMENT FOR ROAD CONTRACTORS MODULE ONE: SESSION FIVE PARTICIPANTS NOTES FINANCIAL ACCOUNTING FRAMEWORK

FINAL May Guideline on Security Systems for Safeguarding Customer Information

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM

CHAPTER 3. Data Modeling and Database Design- Part1

CPA Student Training Records

Department of Consumer Affairs Cash Disbursements by Agency Checks

Point to note: computer information system is NOT equal to computer assisted audit techniques

ETHICS, FRAUD, AND INTERNAL CONTROL

SOLUTION: AUDIT AND INTERNAL REVIEW, MAY 2014

In recent years, information technology (IT) used by firms,

Main Reference : Hall, James A Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications

THE HUD PARTNERSHIP CENTER S CAPACITY BUILDING WORKSHOP SERIES: FINANCIAL MANAGEMENT MODULE

Practice Note. 25(Revised) February 2011 ATTENDANCE AT STOCKTAKING

Internal Controls over Cash for Small Nonprofits

Introduction to Systems Analysis and Design

Appendix 1: Identity Theft Red Flags Mitigation and Resolution Procedures

Accounting Information Systems, 4th. Ed. CHAPTER 4 THE REVENUE CYCLE

Computer Assisted Audit Group A Guide to Computer Assisted Audit Techniques

Internal Control Requirements December 11, 2002

September 2005 Report No

AUD. Auditing & Attestation. Roger Philipp, CPA

STATE OF NEW YORK OFFICE OF THE STATE COMPTROLLER 110 STATE STREET ALBANY, NEW YORK February 25, 2011

CONTROLLING COMPUTER-BASED INFORMATION SYSTEMS, PART I

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

INTERNATIONAL STANDARD ON AUDITING 501 AUDIT EVIDENCE ADDITIONAL CONSIDERATIONS FOR SPECIFIC ITEMS CONTENTS

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

2. Auditing Objective and Structure What Is Auditing?

Investigate Requirements for Software Solutions

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 501 AUDIT EVIDENCE ADDITIONAL CONSIDERATIONS FOR SPECIFIC ITEMS CONTENTS

ABSTRACT. assesses the perception of billing of consumers via computerized system. The project is aimed

Transcription:

Computer Auditing Control Matters (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising) The introduction of a computerized or electronic data processing (EDP) accounting system has not brought any changes to auditors audit objectives, i.e. to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. However, the methods of applying audit procedures in gathering audit evidence may be influenced by the way accounting data is processed. Characteristics of Computerized Accounting Systems Computerized accounting systems have the following characteristics: (i) Audit trail A transaction trail that can be used for audit purposes might only exist for a short period of time or only be in computer readable form. This is because computerized accounting systems eliminate some steps and some documents used that would otherwise be present in manual systems. (ii) Nature of processing errors Clerical errors are ordinarily associated with manual processing. In an EDP environment, processing errors are mainly caused by programming errors or systematic errors in the hardware or software. Furthermore, in computerized systems, data must be converted into machine-readable form; this introduces the possibility of input errors, which are supposed to be detected by input controls. (iii) Central processing of transactions When transactions are centrally processed in an EDP department, sometimes many incompatible functions are combined. To keep incompatible duties separate, segregation of duties is often established. (iv) Alteration of data or files Permanent data (such as a worker s hourly rate) stored in master file can often be altered without being

detected; this kind of fraud may not be detected for a long time. EDP Controls The control environment in complex EDP systems is even more critical than that in more simple systems because there is greater potential for misstatement. The types of controls in an EDP system are general controls and application controls. The difference between general and application controls is illustrated in the diagram below, in which three computer applications are shown. General controls affect all three applications, but separate application controls are developed for purchases, cash payments and inventory. Although some application controls affect one or only a few transactionrelated audit objectives, most of the procedures prevent or detect several types of misstatements in all phases of the application. Relationship of General Controls and Application Controls to Audit Applications General Controls General Controls If general controls are ineffective, there may be potential for material misstatement in each computerbased accounting application. General controls relate to the environment within which systems are developed, maintained and operated. Such controls related to all parts of the EDP system and they apply to any one application. Auditors usually evaluate the effectiveness of general controls before evaluating application controls. If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application. The general controls must therefore be evaluated early in the audit. Purchases Cash payments Inventory General controls are to ensure the integrity of application development and implementation and to ensure that computer operations are properly administered to protect hardware, programmes and data files. There are five main types of general controls: (i) Organization of EDP department for purchases for cash payments for inventory 1. An application is a programme or group of programmes designed to process a particular group of transactions such as payment of creditors. No one individual should be able to (a) access the data; (b) alter the computer system or programmes; and (c) access the computer.

There should be segregation of duties within EDP Department, so as to prevent EDP personnel from authorizing and recording transactions to hide theft of assets, and to minimize the possibility of recording and processing errors. In principle, no one individual should be able to (a) access the data; (b) alter the computer system or programme, and (c) access the computer. Suppose that there is inadequate segregation of duties such that computer operators are also programmers and have access to computer programmes and data files, then the auditors would be concerned about the potential for fictitious transactions or unauthorised data and omissions in the accounts. Assume that the auditors find that there are inadequate safeguards over data files, they may then conclude that there is a significant risk of loss of data because the general controls affect each application. The following functions should be separated within the EDP Department: Applications and programming (design and maintenance of computer hardware and software). It is important that the programmer does not have access to input data on computer operations, since his understanding of the programme can easily be used for personal benefit. The librarian provides a means of important physical control over the computer programmes, transaction files, and other important computer records and releases them only to authorized personnel. Operations (running the computer, executing jobs). Ideally, the operator should be prevented from having sufficient knowledge of the programme to modify it immediately before or during its use. Data Control (data input and output). The function of the data control group is to test the effectiveness and efficiency of all aspects of the system. This includes the application of various controls, the quality of the input, and the reasonableness of the output. (ii) Application Development and Maintenance Controls The purpose of this general control area is to ensure that the client adequately controls computer programmes and related documentation. The primary controls are included in the design and use of systems manuals. Documentation is often the best source of information about control features within computer programmes, and thus the auditor s review of computer controls may depend, in part, on adequate documentation. Common types of computer documentation include programme flowcharts and narratives, record and file layouts and operator instructions. (iii) Hardware Controls Hardware controls are built into the equipment by the manufacturer to

detect equipment failure. Auditors are less concerned with the adequacy of the hardware controls in the system than with the organization s methods of handling the errors that the computer identifies. (iv) Access to Computer Equipment, Data Files and Programmes These general controls are important for safeguarding EDP equipment and records. This is accomplished through locked doors, segregation of duties, locked cabinets containing data files, passwords or security codes and reports of jobs run on the computer. (v) Data or Procedural Controls Copies of all important files and programmes should be kept off site. This may prevent losses due to accidental erasure, intentional vandalism, or catastrophic loss (e.g. because of fire). One commonlyused data storage method is the grandfather-father-son method. Application Controls are controls specific to a particular accounting application. Separate application controls are developed for different applications. must be evaluated specifically for every audit area in which the client uses the computer where the auditor plans to reduce assessed control risk. There are four main types of application controls: (i) Input controls; (ii) Processing controls; (iii) Output controls; and (iv) Controls over Master File information. are to ensure the completeness and accuracy of all processing and the validity of the accounting entries made. There are four main types of application controls: (i) Input controls Controls over input are designed to assure that the information processed by the computer is valid, complete, and accurate. These controls are critical because a large number of errors in computer systems are the results from input errors. Common input controls include check digits, batch totals, hash totals, limits or reasonableness tests, validity checks etc. (ii) Processing controls Controls over processing are designed to assure that data input into the system is accurately processed. This means that all data entered in the computer are processed, processed only once, and processed accurately. Most processing controls are also programmed controls, which mean that the computer is programmed to do the checking. Common examples include control totals, logic tests, and completeness tests. (iii) Output controls Controls over output are designed to assure that data generated by the computer are valid, accurate, and complete. Moreover, outputs should be distributed in the appropriate quantities only to authorized people. The most important output control is review of the data for reasonableness by someone who knows what the output should look like. (iv) Controls over Master File information Many transactions depend on the accuracy of information in the Master File. For example, all sales transactions depend on price list, or all payroll amounts depend on hourly rate or salary rate. User departments should get periodic reports containing the contents of the Master File. There should be procedures in place to verify that the correct version of the Master File is being used.

How do Auditors Test Controls in an EDP Environment? Auditors obtain information on general and application controls by: (i) interviewing EDP staff; (ii) reviewing flowcharts and documentation that describe the system and programmes; and (iii) reviewing internal control questionnaires they have given the client to complete. Audit around the computer only when: (a) the audit trail is complete; (b) processing operations are straightforward, and (c) systems documentation is complete and readily available When the audit trail is incomplete and the computer processing operations are complicated, it is inappropriate to audit around the computer. This technique should only be used when the audit trail is complete, computer-processing operations are straightforward and systems documentation is complete and readily available. Under the technique of auditing around the computer, auditors bypass the computer and treat it as a giant book-keeping machine. This is acceptable in some situations but becomes unacceptable if the relationship between the output and the input cannot be properly understood without examining the intervening computer processing, e.g. when there is no visible audit trail. Audit through the computer with: (i) audit test data; (ii) parallel simulation; and (iii) integrated test facility In more complex EDP environments, clients retain data in electronic format only. The loss of audit trail means auditors must test application controls directly by auditing through the computer. Auditors test application controls using three types of tests: (i) audit test data, (ii) parallel simulation and (iii) integrated test facility.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information