INTERNATIONAL STANDARD ON AUDITING 401: AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT




INTERNATIONAL STANDARD ON AUDITING 401

AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT

(This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective)*

CONTENTS

                            Paragraph
Introduction                1-3
Skills and Competence       4
Planning                    5-7
Assessment of Risk          8-10
Audit Procedures            11-12

International Standard on Auditing (ISA) 401, "Auditing in a Computer Information Systems Environment" should be read in the context of the "Preface to the International Standards on Quality Control, Auditing, Assurance and Related Services," which sets out the application and authority of ISAs.

* ISA 315, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement" and ISA 330, "The Auditor's Procedures in Response to Assessed Risks" are effective for audits of financial statements for periods beginning on or after December 15, 2004.

Introduction

1. The purpose of this International Standard on Auditing (ISA) is to establish standards and provide guidance on procedures to be followed when an audit is conducted in a computer information systems (CIS)¹ environment. For purposes of ISAs, a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.

2. The auditor should consider how a CIS environment affects the audit.

3. The overall objective and scope of an audit does not change in a CIS environment. However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity. Accordingly, a CIS environment may affect:

• The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
• The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment.
• The auditor's design and performance of tests of control and substantive procedures appropriate to meet the audit objective.

Skills and Competence

4. The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and review the work performed. The auditor should consider whether specialized CIS skills are needed in an audit. These may be needed to:

• Obtain a sufficient understanding of the accounting and internal control systems affected by the CIS environment.
• Determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
• Design and perform appropriate tests of control and substantive procedures.
If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who may be either on the auditor's staff or an outside professional. If the use of such a professional is planned, the auditor should obtain sufficient appropriate audit evidence that such work is adequate for the purposes of the audit, in accordance with ISA 620, "Using the Work of an Expert."

¹ This term is used throughout this ISA in place of electronic data processing (EDP) used in prior ISA "Auditing in an EDP Environment." Related International Auditing Practice Statements revised and issued subsequent to this ISA use the term information technology (IT) environments.

Planning

5. In accordance with ISA 400 "Risk Assessments and Internal Control," the auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach.

6. In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit. This understanding would include such matters as:

• The significance and complexity of computer processing in each significant accounting application. Significance relates to materiality of the financial statement assertions affected by the computer processing. An application may be considered to be complex when, for example:
  - The volume of transactions is such that users would find it difficult to identify and correct errors in processing.
  - The computer automatically generates material transactions or entries directly to another application.
  - The computer performs complicated computations of financial information and/or automatically generates material transactions or entries that cannot be (or are not) validated independently.
  - Transactions are exchanged electronically with other organizations (as in electronic data interchange (EDI) systems) without manual review for propriety or reasonableness.
• The organizational structure of the client's CIS activities and the extent of concentration or distribution of computer processing throughout the entity, particularly as they may affect segregation of duties.
• The availability of data. Source documents, certain computer files, and other evidential matter that may be required by the auditor may exist for only a short period or only in machine-readable form. Client CIS may generate internal reporting that may be useful in performing substantive tests (particularly analytical procedures). The potential for use of computer-assisted audit techniques may permit increased efficiency in the performance of audit procedures, or may enable the auditor to economically apply certain procedures to an entire population of accounts or transactions.

7. When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it may influence the assessment of inherent and control risks. The nature of the risks and the internal control characteristics in CIS environments include the following:

• Lack of transaction trails. Some CIS are designed so that a complete transaction trail that is useful for audit purposes might exist for only a short period of time or only in computer readable form. Where a complex application system performs a large number of processing steps, there may not be a complete trail. Accordingly, errors embedded in an application's program logic may be difficult to detect on a timely basis by manual (user) procedures.
• Uniform processing of transactions. Computer processing uniformly processes like transactions with the same processing instructions. Thus, the clerical errors ordinarily associated with manual processing are virtually eliminated. Conversely, programming errors (or other systematic errors in hardware or software) will ordinarily result in all transactions being processed incorrectly.
• Lack of segregation of functions. Many control procedures that would ordinarily be performed by separate individuals in manual systems may be concentrated in CIS. Thus, an individual who has access to computer programs, processing or data may be in a position to perform incompatible functions.
• Potential for errors and irregularities. The potential for human error in the development, maintenance and execution of CIS may be greater than in manual systems, partially because of the level of detail inherent in these activities. Also, the potential for individuals to gain unauthorized access to data or to alter data without visible evidence may be greater in CIS than in manual systems. In addition, decreased human involvement in handling transactions processed by CIS can reduce the potential for observing errors and irregularities. Errors or irregularities occurring during the design or modification of application programs or systems software can remain undetected for long periods of time.
• Initiation or execution of transactions. CIS may include the capability to initiate or cause the execution of certain types of transactions, automatically. The authorization of these transactions or procedures may not be documented in the same way as those in a manual system, and management's authorization of these transactions may be implicit in its acceptance of the design of the CIS and subsequent modification.
• Dependence of other controls over computer processing. Computer processing may produce reports and other output that are used in performing manual control procedures. The effectiveness of these manual control procedures can be dependent on the effectiveness of controls over the completeness and accuracy of computer processing. In turn, the effectiveness and consistent operation of transaction processing controls in computer applications is often dependent on the effectiveness of general CIS controls.
• Potential for increased management supervision. CIS can offer management a variety of analytical tools that may be used to review and supervise the operations of the entity. The availability of these additional controls, if used, may serve to enhance the entire internal control structure.
• Potential for the use of computer-assisted audit techniques. The ease of processing and analyzing large quantities of data using computers may provide the auditor with opportunities to apply general or specialized computer audit techniques and tools in the execution of audit tests.

Both the risks and the controls introduced as a result of these characteristics of CIS have a potential impact on the auditor's assessment of risk, and the nature, timing and extent of audit procedures.

Assessment of Risk

8. In accordance with ISA 400, "Risk Assessments and Internal Control," the auditor should make an assessment of inherent and control risks for material financial statement assertions.

9. The inherent risks and control risks in a CIS environment may have both a pervasive effect and an account-specific effect on the likelihood of material misstatements, as follows:

• The risks may result from deficiencies in pervasive CIS activities such as program development and maintenance, systems software support, operations, physical CIS security, and control over access to special-privilege utility programs. These deficiencies would tend to have a pervasive impact on all application systems that are processed on the computer.
• The risks may increase the potential for errors or fraudulent activities in specific applications, in specific data bases or master files, or in specific processing activities. For example, errors are not uncommon in systems that perform complex logic or calculations, or that must deal with many different exception conditions. Systems that control cash disbursements or other liquid assets are susceptible to fraudulent actions by users or by CIS personnel.

10. As new CIS technologies emerge, they are frequently employed by clients to build increasingly complex computer systems that may include micro-to-mainframe links, distributed data bases, end-user processing, and business management systems that feed information directly into the accounting systems. Such systems increase the overall sophistication of CIS and the complexity of the specific applications that they affect. As a result, they may increase risk and require further consideration.

Audit Procedures

11. In accordance with ISA 400, "Risk Assessments and Internal Control," the auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level.

12. The auditor's specific audit objectives do not change whether accounting data is processed manually or by computer. However, the methods of applying audit procedures to gather evidence may be influenced by the methods of computer processing. The auditor can use either manual audit procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient evidential matter. However, in some accounting systems that use a computer for processing significant applications, it may be difficult or impossible for the auditor to obtain certain data for inspection, inquiry, or confirmation without computer assistance.