SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE




Learning objectives:
- Explain the use of computer assisted audit techniques (CAATs) in the context of an audit.
- Discuss and provide relevant examples of the use of test data and audit software for the transaction cycles and balance sheet items.
- Discuss the use of computers in relation to the administration of the audit.

Control in a CIS environment:
Controls in a CIS environment are categorised into:
- General controls
- Application controls (also known as processing controls)

General controls:
These cover the environment within which CIS are developed, operated and maintained. They are also known as system development controls. They are designed to ensure the integrity of hardware, software and data files and the continuity of operations.

System development controls include:
- Proper authorisation
- Adequate testing
- Complete and quality documentation
- Controlled implementation
- Review and monitoring after implementation
- Control over changes, to ensure they are properly authorised, tested and documented

Authorisation:
Any system or application is developed for its users, and hence users should authorise and control the development of all systems. This is usually achieved by establishing a Steering Committee or Project Board comprising senior IT managers, programmers, etc.

The Steering Committee is responsible for:
- Commissioning feasibility studies into new project developments
- Approving the investment in the development of all systems
- Overseeing the progress of the project
- Monitoring the success of the project after implementation

Testing standard:
All systems and sub-systems must be thoroughly tested before implementation. There are 3 recognised stages of testing:
- At the individual program level, techniques such as diagnostic routines and test data (containing dummy data which tests the effective design and operation of the controls built into the program) should be employed.
- At the complete system level, the overall effective operation must be tested to ensure that the output of one program exactly matches the input to the next; a test data pack is normally used.
- User acceptance testing: no system should be accepted unless thoroughly tested by users for functionality, operation and user-friendliness, and after dry runs.

Documentation standard:
The development of the new system must be fully documented, thus providing a full and detailed record that facilitates subsequent investigation of bugs and any modification or upgrade.

Implementation of systems:
- Adequate user training
- Complete and accurate file conversion
- Choice of an appropriate changeover method, for example:
  - Parallel running
  - Direct changeover
  - Phased/pilot running

Review and monitoring after implementation:
The purpose of continuous review is to ensure the system is performing according to its stated objectives.

Performance appraisal and evaluation techniques will be employed in what is called the post-implementation audit.

Changes, amendments and upgrades:
Any modification to a system must be:
- Authorised
- Tested
- Fully documented
Further, users must be fully trained in the application of the modifications, and the modification should be monitored and reviewed after implementation.

Organisational or administrative controls:
The main objectives are to ensure the integrity of hardware, software and data files and the continuity of operations.

Hardware: To preserve the integrity of hardware, it is necessary to restrict access and use to authorised personnel only.

Software and data files: To preserve the integrity of software and data files, it is necessary to restrict access and use to authorised personnel only.

Personnel: In centralised processing systems, since processing is concentrated in one department, controls are also concentrated in that department. In decentralised, distributed, networked and PC-based systems, such segregation of duties is difficult to impose; therefore alternative control arrangements must be enforced.

Standby: To ensure continuity of operations in the event of system/program failure or data corruption, the following standby arrangements must be in force:
- Back-up:
  - Dumps at the program or data file level
  - At the complete system level, parallel hardware may be on standby, or arrangements made to use others' hardware, or to use a bureau or service provider
- Fire precautions
- Insurance arrangements

Application controls:
These are controls over the processing of data, imposed at the input, processing and output stages of the processing cycle.

Controls over input:
These ensure that:
- Data input is authorised and is completely and accurately processed.
- The integrity of standing data or master files is preserved.

Authorisation of data: Conventional procedures may be adopted (e.g. signatures on input documents).

Accuracy of data: Automated programmed validation checks may be designed, such as:
- Reasonableness tests
- Range tests
- Limit tests

There are 2 types of check that can be made on input data to detect errors:
- Verification: at the data conversion stage, data is keyed in twice, preferably by 2 different operators, and the 2 inputs are compared.
- Validation checks performed under program control on input. These include:
  - Check digit verification: testing that a digit added to a reference number bears the required mathematical relationship to the rest of the number. Such a check will detect transposition and transcription errors.
  - Existence checks: comparing a reference number with a pre-listed set of reference numbers to confirm that it exists.

Controls, either conventional or automated, also include:
- Batching:
  - Batch numbers
  - Record counts
  - Hash totals
- Sequence checks, detecting:
  - Duplication
  - Omission
  - Out-of-sequence records

Master file controls:
Master files contain:
- Records continuously updated by transaction data (e.g. customer accounts, supplier accounts, employee salary records)
- Reference data (e.g. sales prices, employee wage rates)

Controls must be designed to ensure the integrity of master files:
- Changes must be authorised
- Changes must be documented
- Password entry must be required
- Checks of printouts of changes against authorising documents must be performed
- Periodic reviews of master file content should be carried out for accuracy, completeness and currency

The audit of computerised information systems:
There are 2 ways in which the auditor can approach the audit of CIS.

Auditing around the computer: This approach ignores the detailed procedures carried out in individual applications and consists of reconciling the output with the input. It is appropriate where there is:
- An audit trail, and the ability to trace a transaction through each stage of processing
- A direct relationship between input and output
- The use of a software package which is properly tested and tried in use

Auditing through the computer: This approach is necessary where:
- The audit trail is lost, output being only indirectly related to input
- Bespoke systems are used
- There are large volumes of transactions
- An evaluation of the system and its controls is necessary
In these cases the auditor will use CAATs.
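The input controls described above (check digit verification, existence checks against the master file, batch record counts and hash totals, limit tests and sequence checks), as an added example of the kind of audit software an auditor could run over a batch of input records. This is not code from the handout: the weighted modulus-11 check digit scheme, the hash total over account numbers, the amount limit and all sample data are assumptions constructed for the demonstration.

```python
from collections import Counter

# Constructed sample data: batch control slip totals as keyed from source documents,
# the records as received by the application, and a customer master file.
BATCH_HEADER = {"batch_no": 42, "record_count": 5, "hash_total": 5339}
MASTER_ACCOUNTS = {"1001", "1020", "1099", "1120"}
BATCH_RECORDS = [
    {"seq": 1, "ref": "12343", "account": "1001", "amount": 100.00},
    {"seq": 2, "ref": "12351", "account": "1020", "amount": 250.50},
    {"seq": 2, "ref": "12433", "account": "9999", "amount": 75.00},    # duplicate seq, transposed ref, unknown account
    {"seq": 5, "ref": "1236X", "account": "1120", "amount": 40.00},    # seq 3 omitted
    {"seq": 4, "ref": "12378", "account": "1099", "amount": 5000.00},  # out of sequence, over limit
]

def mod11_check_digit(base: str) -> str:
    """Weighted modulus-11 check digit (assumed scheme; the handout names none).
    Digits are weighted n+1..2 from the left, so swapping two digits changes the result."""
    weights = range(len(base) + 1, 1, -1)
    remainder = sum(int(d) * w for d, w in zip(base, weights)) % 11
    digit = (11 - remainder) % 11
    return "X" if digit == 10 else str(digit)

def check_digit_valid(ref: str) -> bool:
    """Check digit verification: the last character must match the digit computed from the rest."""
    return len(ref) >= 2 and ref[:-1].isdigit() and mod11_check_digit(ref[:-1]) == ref[-1]

def audit_batch(header: dict, records: list, master: set, amount_limit: float) -> dict:
    """Apply the input controls to one batch and return the exceptions found, by control."""
    exc = {"batch": [], "check_digit": [], "existence": [], "limit": [], "sequence": []}
    # Batch controls: record count and hash total (a control total over account numbers)
    if len(records) != header["record_count"]:
        exc["batch"].append(f"record count {len(records)} != {header['record_count']}")
    hash_total = sum(int(r["account"]) for r in records)
    if hash_total != header["hash_total"]:
        exc["batch"].append(f"hash total {hash_total} != {header['hash_total']}")
    # Programmed validation checks on each record
    for r in records:
        if not check_digit_valid(r["ref"]):
            exc["check_digit"].append(r["ref"])
        if r["account"] not in master:           # existence check against the master file
            exc["existence"].append(r["account"])
        if not 0 < r["amount"] <= amount_limit:  # limit test
            exc["limit"].append(r["ref"])
    # Sequence checks: duplication, omission and out-of-sequence records
    seqs = [r["seq"] for r in records]
    counts = Counter(seqs)
    exc["sequence"] += [f"duplicate {s}" for s, n in sorted(counts.items()) if n > 1]
    exc["sequence"] += [f"omitted {s}" for s in range(min(seqs), max(seqs) + 1) if s not in counts]
    exc["sequence"] += [f"out of sequence {b}" for a, b in zip(seqs, seqs[1:]) if b < a]
    return exc
```

Running `audit_batch(BATCH_HEADER, BATCH_RECORDS, MASTER_ACCOUNTS, 2000.0)` on the constructed batch reports the hash total mismatch, the transposed reference, the unknown account, the over-limit amount and all three sequence failures.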

Computer Assisted Audit Techniques (CAATs):
The use of CAATs is necessary when:
- Transaction volumes are high: CAATs enable large samples and automated programmed validation checks to be tested.
- There is little or no audit trail, and hence it is necessary to audit through the computer.
- Original records (e.g. records held on disk) need to be tested rather than printouts purporting to be exact copies of files, thus producing auditor-generated evidence.

Decentralised, end-user and small computer systems:
The consideration of controls and testing techniques has so far been mainly concerned with larger centralised systems. The modern type of system, concentrated upon end-user, PC-based computing, presents additional problems to both management and the auditor. Such systems require no special environment and are sited in an open office, in contrast to the central computer department, where there is a natural physical division between computer operations and user activities.

Control problems and potential solutions:
- Access to computers is more difficult to control.
- There will be a lack of segregation of duties, one person being able to initiate transactions, authorise transactions and record transactions (i.e. able to input and process them).
- First-time users may be ignorant of the importance of controls and of the application of controls in particular (e.g. reconciliations, reviews, etc.).
- Standing and reference data may be capable of being altered without proper authorisation.
- Data conversion from old to new systems may result in incomplete and inaccurate conversion, and in data loss and corruption.
- Standby arrangements, including back-up of software and data files, may be lax.
- The ability to write programs to process data using easy-to-learn languages could result in unauthorised, untested and badly documented programs, capable also of being amended without the necessary authorisation.

Electronic Data Interchange (EDI) and e-commerce:
Audit problems: The increasing use of EDI, and in particular trading on the Internet by all types of business, creates problems for auditors:
- Originating documents may not exist, purchase orders, sales orders and the respective invoices being placed electronically.
- There may be a lack of evidence of the operation of controls.
- Global trading raises problems of enforcement of cross-border contracts, thus debtor values may be difficult to verify.
- Data transmissions may be intercepted, and the risk of unauthorised access increases.
- Further, viruses may be introduced, causing data loss and corruption, and system crashes.
- The failure of integrated and complex accounting systems may impact on partners in the supply chain, leading to material losses.

Audit approach and considerations:
Audit attention must be centred upon the following controls over transmissions:
- Agreement by both parties of the amounts transmitted
- Formal acknowledgement of transmissions
- Authentication procedures, including the use of codes and encryption
- Continuous monitoring of transactions through sequence checking
Further:
- Firewalls should be implemented, controlling access to authorised businesses only.
- Virus protection software should be installed and regularly updated.
- Contingency plans and back-up procedures should be implemented and regularly tested.
- Appropriate insurance should be arranged.
- It would be desirable to request letters of comfort from the auditors of business partners to obtain assurance as to the existence of appropriate controls in their clients' businesses.
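The four transmission controls above (agreement of amounts by both parties, formal acknowledgement, an authentication code, and sequence checking), as an added example showing both trading partners' sides of one EDI exchange. This is not code from the handout: the pre-shared key, HMAC-SHA256 as the authentication code, and the message layout are assumptions made for the demonstration.

```python
import hashlib, hmac, json

# Constructed pre-shared key for the trading-partner pair (assumption: the handout
# says only "codes and encryption"; a keyed MAC is one way to provide such a code).
SHARED_KEY = b"constructed-demo-key"

def _mac(payload: dict) -> str:
    """Authentication code over a canonical encoding of the message body."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()

def _totals(orders: list) -> tuple:
    """Control totals both parties must agree on: record count and value transmitted."""
    return len(orders), round(sum(o["amount"] for o in orders), 2)

def build_transmission(seq: int, orders: list) -> dict:
    """Sender side: sequence number, control totals and authentication code."""
    count, total = _totals(orders)
    body = {"seq": seq, "orders": orders, "count": count, "total": total}
    return {"body": body, "mac": _mac(body)}

class Receiver:
    """Receiver side: authenticates, checks totals and sequence, and acknowledges formally."""
    def __init__(self):
        self.expected_seq = 1
        self.log = []   # every acknowledgement is retained as evidence that the controls operated

    def receive(self, msg: dict) -> dict:
        body = msg["body"]
        if not hmac.compare_digest(_mac(body), msg["mac"]):
            return self._ack(body, "rejected: authentication failed")
        if (body["count"], body["total"]) != _totals(body["orders"]):
            return self._ack(body, "rejected: control totals disagree")
        if body["seq"] != self.expected_seq:     # replayed, duplicated or omitted transmission
            return self._ack(body, f"rejected: expected seq {self.expected_seq}")
        self.expected_seq += 1
        return self._ack(body, "accepted")

    def _ack(self, body: dict, status: str) -> dict:
        ack = {"seq": body["seq"], "count": body["count"], "total": body["total"], "status": status}
        ack["mac"] = _mac(ack)   # the acknowledgement is authenticated in the same way
        self.log.append(ack)
        return ack
```

A replayed transmission is rejected on its sequence number, an altered amount on its authentication code, and a skipped sequence number is reported as an expected-sequence mismatch; the receiver's log then provides the evidence of control operation the audit problems above say is often missing.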