
AUDITING IN COMPUTER ENVIRONMENT

What is audit in a computer environment?

Wherever computer based accounting systems, large or small, are operated by an enterprise, or by a third party on behalf of the enterprise, for processing information supporting the amounts included in the financial statements, the audit is said to be performed in a computer environment.
APT Financial Consultants Sako Mayrick 1
Auditing in Computer Environment

 Issues
 The audit objective remains "to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework."
 However, the methods of applying audit procedures in gathering audit evidence may be influenced by the way accounting data is processed.
Auditing in Computer Environment

 Computer Environment
 Audit trail
 In manual processing, clerical errors; in a computer environment, programming errors or systematic errors in hardware or software
 Central processing of transactions (keep incompatible duties separate)
 Alteration of data or files without being detected (possibility of fraud)


Auditing in computer environment

Approaches
 Auditing around the computer
 Auditing through the computer
 Auditing with the computer


Approaches to auditing in Computer Environment

1. Auditing around the computer

 Computer as a black box
 Test transaction method, e.g. multiplying unit price by number of products
 No attempt is made to establish and evaluate the existence of controls
 Appropriate where no significant computer controls are required, for example where computers are used only for calculation purposes
 Should not be used merely because of the auditor's lack of knowledge of computerized systems
 Audit around the computer ONLY WHEN the audit trail is complete, processing operations are straightforward and system documentation is complete and readily available.
Approaches to auditing in Computer Environment

2. Auditing through the computer

 The auditor evaluates the client's software and hardware for reliability, which is hard for human eyes to view
 Tests the operating effectiveness of related computer controls (access controls)
 Controls are embedded in the IS of most companies
 It is impractical to ignore them due to legal and compliance requirements
 External auditors use this approach to test the controls
 Internal auditors frequently use this approach to ensure that errors are discovered and corrected.


Approaches to auditing in Computer Environment

Around or through the computer

 Nothing is wrong with auditing around the computer
 But the auditor should be satisfied with the control system in place and able to gather sufficient evidence
 But what about the various requirements for gaining a sufficient understanding of the system (internal control)?
 Auditing through the computer is the best approach for auditors to follow
 Some standards restrict auditors from issuing opinions on the operating effectiveness of the internal control of the business if the auditing around the computer approach is used.
 Which approach minimizes the auditor's risk?


Approaches to auditing in the computer environment

 Auditing with the computer

 Use of the computer for audit automation
 Working papers
 Statistical sampling and analytical procedures
 Decision support systems
 Audit review and reporting


Auditing with the Computer

 Types of software on a PC to aid audit work
 Standard software for word processing, spreadsheets
 Expert systems such as TeamMate
 Generally, an auditor can use the PC to assist with:
 Production of time budgets and budgetary control
 Analytical procedures
 The maintenance of permanent file information
Auditing in computer environment

 The computer systems challenges
 Lack of visible evidence and systematic errors. What to do?
 Techniques available to an auditor
 The internal controls
 The availability of the data
 The length of time it is retained in a readily usable form


AUDITING IN COMPUTER ENVIRONMENT

Controls over audit computers

 Security, and accuracy (of input, processing and output).
 The controls the auditor should exercise when PCs are used by auditors in their work are as follows:
Access controls for users by means of passwords
Back-up of data contained on files, regular production of hard copy; back-up disks held off the premises
Virus protection for programs and training of users
Evaluation and testing of programs in use
Proper recording of input data, to ensure reasonableness of output.
INTERNAL CONTROLS IN CIS

The internal control over computer based accounting systems

 General controls
 Application controls


INTERNAL CONTROLS IN CIS
 General controls:
 relate to the environment in which CIS are developed, maintained and operated, and which are therefore applicable to all the applications.
 The application controls and general controls are inter-related. Strong general controls contribute to the assurance which may be obtained by an auditor in relation
 If general controls are ineffective, there may be potential for material misstatement in each computer based accounting application.


INTERNAL CONTROLS IN CIS
Specific requirements in order to achieve the overall objective of general controls:
 Control over applications development
 To prevent or detect unauthorized changes to programs
 To ensure that all program changes are adequately tested and documented
 Control to prevent and detect errors during program execution
 To prevent unauthorized amendments to data files
 To ensure that system software is properly installed and maintained
 To ensure that proper documentation is kept
 To ensure continuity of operations.


AUDITING IN COMPUTER ENVIRONMENT

 Types of General Controls

1. Organizational controls of the EDP unit
 No one individual should be able to do all of the following:
a. access the data;
b. alter the computer system or programme;
c. access the computer.


AUDITING IN COMPUTER ENVIRONMENT

 Types of General Controls

2. Application development and maintenance controls
 Computer programs and related applications: design and use of systems manuals, program flow charts, narratives, records and file layouts, and operator instructions.
3. Hardware controls
 Built in by the manufacturer to detect equipment failure; how the organisation handles the errors the computer identifies.
AUDITING IN COMPUTER ENVIRONMENT

 Types of General Controls

4. Access to computer equipment, data files and programs
 Safeguarding equipment and records, e.g. locked doors, locked cabinets containing data files, segregation of duties, passwords or security codes, and job reports for the computer.
5. Data or procedural controls
 Keeping copies of the files and programmes off site. This may prevent losses due to accidental erasure, intentional vandalism or catastrophic loss (fire). Grandfather-father-son method.
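The grandfather-father-son method named above is a retention rule: the most recent daily copies (sons), a smaller number of weekly copies (fathers) and a longer series of month-end copies (grandfathers) are kept, and everything else is recycled. The script below is an added example, not material from the slides or from APT Financial Consultants; the retention counts, the choice of Sunday as the weekly anchor and the nightly backup dates are constructed assumptions.

```python
"""Added example: grandfather-father-son retention applied to a constructed
list of nightly backup dates. Retention counts and anchor days are assumptions."""
from datetime import date, timedelta


def gfs_retain(backup_dates, today, sons=7, fathers=4, grandfathers=12):
    """Return the set of backup dates to keep under a GFS rule:
    - sons: the most recent `sons` daily backups
    - fathers: the most recent `fathers` weekly (Sunday) backups
    - grandfathers: the most recent `grandfathers` month-end backups
    A date may qualify under more than one rule; it is kept once."""
    dates = sorted(d for d in backup_dates if d <= today)
    keep = set(dates[-sons:])
    sundays = [d for d in dates if d.weekday() == 6]
    keep.update(sundays[-fathers:])
    # a month-end backup is one taken on the last day of its month
    month_ends = [d for d in dates if (d + timedelta(days=1)).month != d.month]
    keep.update(month_ends[-grandfathers:])
    return keep


def recyclable(backup_dates, today):
    """Backup media that the GFS rule no longer needs and can be reused."""
    return sorted(set(backup_dates) - gfs_retain(backup_dates, today))


# Constructed population: one backup every night from 1 Jan to 31 Oct 2010
FIRST = date(2010, 1, 1)
LAST = date(2010, 10, 31)
NIGHTLY = [FIRST + timedelta(days=i) for i in range((LAST - FIRST).days + 1)]


def demo():
    """Apply the rule as at 31 Oct 2010 and report what is kept."""
    kept = gfs_retain(NIGHTLY, LAST)
    return sorted(kept)


if __name__ == "__main__":
    for d in demo():
        print(d.isoformat(), "Sun" if d.weekday() == 6 else "")
    print(len(recyclable(NIGHTLY, LAST)), "media can be recycled")
```

With the constructed dates the rule keeps 19 copies out of 304: 25 to 31 October (sons), the Sundays 10, 17 and 24 October (31 October is already a son), and the nine earlier month ends. The off-site copy the slide refers to would normally be drawn from the father or grandfather set, since those survive longest.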
INTERNAL CONTROLS IN CIS
 Application controls:
 The objectives of application controls (manual or programmed) are to
 ensure completeness and accuracy of accounting records, and
 ensure the validity of entries made resulting from both manual and programmed processing.
INTERNAL CONTROLS IN CIS

The specific requirements in order to achieve the overall objectives of application controls are:
 Control over the completeness and authorization of input
 Control over the completeness and accuracy of processing
 Control over the maintenance of master files and the standing data contained therein
Internal Controls in CIS
 Application Controls
 They are specific to a particular accounting application
 Major types of application controls
1. Input Controls
 Ensure validity, completeness and accuracy of processed information, e.g. check digits, batch totals, hash totals, limit or reasonableness checks, and validity checks.
2. Processing Controls
 Accurate processing of data input into the system
 Data are processed, processed only once and processed accurately.
 Most processing controls are also programmed controls, i.e. the computer is programmed to do the checking. Examples: control totals, logic tests and completeness tests.
Internal Controls in CIS

3. Output Controls
 Ensure that data generated by the computer are valid, accurate, and complete.
 Output is distributed in appropriate quantities only to authorized people.
 The most important output control is review of the data for reasonableness by someone who knows what the output should look like.


Internal Controls in CIS

4. Controls over master file information
 Most transactions depend on the accuracy of information on the master file. For example, sales transactions depend on the price list, and all payroll amounts depend on the hourly rate or salary rate.
 User departments should get periodic reports containing the content of the master file.
 There should be procedures in place to verify that the correct version of the master file is being used.


Internal Control in CIS

Auditors obtain information on the general and application controls by
 Interviewing EDP staff
 Reviewing flowcharts and documents
 Reviewing internal control questionnaires


5 Minutes Break


AUDITING IN THE COMPUTER ENVIRONMENT - Techniques
What are the tools to use?
What are the techniques?
What are the tricks?
What are the risks?
What is the examiner's focus?


COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)
 Definition
 Techniques in which the auditors are afforded opportunities to use either the enterprise's or another computer to assist them in the performance of audit work.
 CAATs are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence.
CAATs

 Advantages
 Are independent of the system being audited and will use a read-only copy of the files to avoid corruption of an organization's data
 Simplify audit routines such as sampling
 Provide documentation of each test performed in the software that can be used as documentation in the auditor's work papers
 Can perform activities such as data queries, data stratification, sample extraction, missing sequence identification, statistical analysis, calculations, duplicate inquiries, pivot tables and cross tabulation
CAATs

Uses
 Creation of electronic work papers
 Fraud detection
 Analytical tests
 Data analysis reports
 Continuous monitoring


CATEGORIES OF CAAT

Audit software
Test data
Other techniques
CATEGORIES OF CAAT
1. Audit software:
 generalized audit software
 specialized audit software or interrogation software
 utility programs and
 existing entity programs.
Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use.
CATEGORIES OF CAAT

Audit software: some uses

 Stratify an accounting population and select monetary unit statistical samples
 Carry out an aging/usage analysis of stocks
 Perform detailed analytical reviews of financial statements
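The routines that generalized audit software offers (missing sequence identification, duplicate inquiries, stratification and sample extraction from the CAATs advantages slide, and the stratification, monetary unit sampling and stock aging from the slide just above) are short enough to write out. The block below is an added example, not code from the slides or from APT Financial Consultants; the invoice file, the stock list, the strata boundaries, the sampling interval and the aging buckets are all constructed assumptions.

```python
"""Added example: generalized-audit-software style routines run over a
constructed invoice population and a constructed stock list.
All data, strata boundaries, the sampling interval and the aging
buckets are assumptions made for illustration."""
from collections import Counter
from datetime import date

# Constructed sales invoice file: (invoice number, customer, amount).
# Invoice 1006 is deliberately posted twice and 1004/1009 are absent.
INVOICES = [
    (1001, "C01", 250.00), (1002, "C02", 1200.00), (1003, "C01", 75.50),
    (1005, "C03", 9800.00), (1006, "C02", 1200.00), (1007, "C04", 430.00),
    (1008, "C02", 15250.00), (1006, "C02", 1200.00), (1010, "C05", 60.00),
]

# Constructed stock file: (item, quantity, unit cost, date of last movement)
STOCK = [
    ("S1", 40, 12.50, date(2010, 9, 30)),
    ("S2", 10, 300.00, date(2009, 8, 1)),
    ("S3", 5, 80.00, date(2010, 2, 1)),
]


def missing_sequence(invoices):
    """Gaps in a pre-numbered sequence; unexplained gaps may mean unrecorded
    or suppressed documents (a completeness test)."""
    nums = {n for n, _, _ in invoices}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def duplicates(invoices):
    """Invoice numbers recorded more than once (possible double posting)."""
    counts = Counter(n for n, _, _ in invoices)
    return sorted(n for n, c in counts.items() if c > 1)


def stratify(invoices, bounds=(100, 1000, 10000)):
    """Count and value of the population in each value band."""
    strata = {}
    for _, _, amt in invoices:
        upper = next((b for b in bounds if amt < b), None)
        label = f"< {upper}" if upper else f">= {bounds[-1]}"
        cnt, val = strata.get(label, (0, 0.0))
        strata[label] = (cnt + 1, round(val + amt, 2))
    return strata


def mus_sample(invoices, interval, start):
    """Monetary unit sampling by fixed interval: an item is selected when
    the cumulative value passes a selection point, so large items are more
    likely to be picked and any item worth at least `interval` is certain."""
    selected, cumulative, point = [], 0.0, start
    for num, _, amt in invoices:
        cumulative += amt
        while point <= cumulative:
            if not selected or selected[-1] != num:
                selected.append(num)
            point += interval
    return selected


def stock_aging(stock, as_at=date(2010, 10, 31), buckets=(90, 180, 365)):
    """Stock value by days since last movement; slow-moving lines are the
    candidates for an obsolescence provision."""
    aging = {}
    for _, qty, cost, last in stock:
        age = (as_at - last).days
        upper = next((b for b in buckets if age <= b), None)
        label = f"<= {upper} days" if upper else f"> {buckets[-1]} days"
        aging[label] = round(aging.get(label, 0.0) + qty * cost, 2)
    return aging


if __name__ == "__main__":
    print("missing invoice numbers:", missing_sequence(INVOICES))
    print("duplicate invoice numbers:", duplicates(INVOICES))
    print("strata:", stratify(INVOICES))
    print("MUS sample (interval 10000, start 5000):", mus_sample(INVOICES, 10000, 5000))
    print("stock aging:", stock_aging(STOCK))
```

The sampling routine shows why monetary unit sampling suits the "stratify and select" use on the slide: with an interval of 10,000 the 15,250 invoice is selected with certainty, the 9,800 one is very likely to be, and the small invoices are rarely picked. The duplicate 1006 still contributes its value to the cumulative total, which is one reason the duplicate test is run before sampling.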


TYPES OF CAATs
Test data
 Is a CAAT in which test data prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data.
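The test data technique just described and the input controls listed earlier (check digits, batch totals, hash totals, limit or reasonableness checks, validity checks) fit together: the auditor's test data is a set of records designed so that each one should trip exactly one control. The block below is an added example, not code from the slides or from APT Financial Consultants; the validation routine stands in for the client's programmed input controls, and the check-digit scheme (Luhn), the credit limit, the product table and every transaction in it are constructed assumptions.

```python
"""Added example: a stand-in for a client's programmed input controls on a
sales order file, plus auditor-prepared test data run through it separately
from live input. Thresholds, tables and records are constructed assumptions."""
from dataclasses import dataclass

VALID_PRODUCTS = {"P100", "P200", "P300"}   # constructed validity table
CREDIT_LIMIT = 10_000                       # constructed limit check


def luhn_ok(account: str) -> bool:
    """Check digit test (Luhn): catches single-digit errors and most
    transpositions of adjacent digits in a keyed account number."""
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Order:
    account: str
    product: str
    qty: int
    unit_price: float


def validate(o: Order) -> list:
    """Record-level input controls; returns the names of the controls tripped."""
    errs = []
    if not o.account.isdigit() or not luhn_ok(o.account):
        errs.append("CHECK_DIGIT")
    if o.product not in VALID_PRODUCTS:
        errs.append("VALIDITY")           # code must exist on the product file
    if o.qty <= 0 or o.unit_price <= 0:
        errs.append("REASONABLENESS")     # negative or zero values make no sense
    if o.qty * o.unit_price > CREDIT_LIMIT:
        errs.append("LIMIT")              # value above the permitted ceiling
    return errs


def process_batch(orders, declared_count, declared_total, declared_hash):
    """Batch controls: record count, value total and a hash total (the sum of
    account numbers, meaningless except as a control) are compared with what
    the data preparer declared; then each record is validated."""
    batch_errs = []
    if len(orders) != declared_count:
        batch_errs.append("COUNT")
    if round(sum(o.qty * o.unit_price for o in orders), 2) != declared_total:
        batch_errs.append("BATCH_TOTAL")
    if sum(int(o.account) for o in orders) != declared_hash:
        batch_errs.append("HASH_TOTAL")
    return batch_errs, [validate(o) for o in orders]


# Auditor's test data: each record paired with the rejection the auditor
# expects the input controls to produce (constructed).
TEST_DATA = [
    (Order("1008", "P100", 2, 100.0), []),                  # clean record
    (Order("1009", "P100", 2, 100.0), ["CHECK_DIGIT"]),     # one digit mis-keyed
    (Order("2345", "P999", 1, 50.0), ["VALIDITY"]),         # product not on file
    (Order("5678", "P200", -3, 20.0), ["REASONABLENESS"]),  # negative quantity
    (Order("5678", "P300", 200, 60.0), ["LIMIT"]),          # 12,000 exceeds limit
]


def run_test_data():
    """Run the test data through the production validation routine and list
    any control that did not behave as expected; an empty list means every
    control fired as designed. The declared batch figures are correct here."""
    orders = [o for o, _ in TEST_DATA]
    batch_errs, record_errs = process_batch(orders, 5, 12390.0, 15718)
    failures = [("batch", batch_errs)] if batch_errs else []
    for (o, expected), got in zip(TEST_DATA, record_errs):
        if got != expected:
            failures.append((o.account, expected, got))
    return failures


if __name__ == "__main__":
    print("controls not behaving as expected:", run_test_data())
```

A second batch run with a deliberately wrong declared total is the usual way to prove the batch control itself works; `process_batch` returns `["BATCH_TOTAL"]` for that case. The essential point of the technique is preserved: the test data is processed by the same validation code as live data, but never mixed into the client's input.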
TYPES OF CAATs

Other techniques
 Embedded audit facilities
 Integrated test facility
 System control audit review file (SCARF)
 Application program examination
 Internal control evaluation via flowchart verification (logical path analysis), program code verification (code comparison programs), printout examination.


CAATs and Substantive Testing

 During substantive testing some CAATs are used frequently.
 Audit software is used extensively to examine accounting records maintained on computer files
 CAATs assist in carrying out analytical review procedures


Limits of CAATs

 Limits of CAATs
 Evaluation of general controls: use the ICQ or the ICE approach.


Program authenticity
 Source program authenticity
 Guarantee that the correct application program is being tested.
 "Live test" data, integrated test facilities and embedded audit facilities as described above are audit techniques which help in this respect.
General controls
 The copy must be identical to the original


Knowledge based systems

 Decision support systems and expert systems can be used to assist with the auditor's own judgment and decisions.


MANUAL Vs CAATs
Factors to consider in choosing between CAATs and manual techniques:
 Practicability of carrying out audit tests manually
 Cost effectiveness of the procedures under consideration
 Availability of audit time
 The availability of appropriate computer facilities and the independence issue
 The level of audit experience and expertise
 The extent of possible reliance upon internal audit work


Factors to consider in using CAATs

IT knowledge and experience of the audit team
Availability of CAATs and suitable computer facilities and data
Impracticability of manual tests
Effectiveness and efficiency
Timing


PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

Planning an audit in a computer environment
 Possibilities of attending during the system development stage
 Consideration of the use of CAATs
 Practicability of manual audit
 Expertise


PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

 Use of CAATs
 The pattern of cost associated with CAATs
 The extent of tests of controls or substantive procedures achieved by both alternatives
 Ability to incorporate within the use of a CAAT a number of different audit tests
 Time of reporting


PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

 In using CAATs,
 computer facilities, computer files and programs should be available;
 the auditors should plan the use of CAATs in good time so that these copies are retained for their use.
 Internal auditor CAATs: consider the ISA
 Availability of computer facilities


INTERNAL CONTROL EVALUATION

Internal control evaluation

 ICQ
 Weak controls = extensive substantive procedures
 In determining whether they wish to place reliance on application controls or general controls, the auditors will be influenced by the cost effectiveness and ease of testing of the following matters:
 General controls and application controls
INTERNAL CONTROL EVALUATION

Check systematic errors and program integrity
 Manual examination may be useful in small computer applications
 Observation, examination of documentary evidence or reperforming the procedures may be useful.
 CAATs can also be useful


Review of financial statements

 Review of financial statements
 CAATs (audit software), e.g. analytical review.
 The working papers should indicate the work performed by the CAAT, the auditors' conclusion, the manner in which any technical problems were resolved, and may include any recommendations about modification of the CAAT for future audits.
AUDIT TRAIL

Audit trail
 As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through printouts by hand.
 This offsets the so-called loss of "audit trail" to a significant extent. The trail is still there, although it may have to be followed through in electronic form.


2 MINUTES BREAK


COMPUTER SERVICE BUREAUX
 These are third party service organizations who provide EDP facilities to their clients
 Factors to consider in using a CSB
 Make or buy decisions
 Consider and analyze the cost benefit
 Level of management's own computing knowledge and their willingness to take the risk of an unknown third party


COMPUTER SERVICE BUREAUX
 Factors to consider
 The volume and frequency of processing requirements
 The complexity of the program package required; the simpler the program, the easier it would be to process in-house on a micro
 The importance of timeliness in the processing of data; check the efficiency and economy of DP
 The confidentiality of the data being processed.
Types of Bureaux

 Independent companies formed to provide specialist computer services
 Computer manufacturers with a bureau
 Computer users (e.g. universities)
PLANNING AND CONTROL EXERCISED BY THE USER

When a system using a CSB is set up it is essential that a full feasibility study and system design should be carried out.
In practice the bureau may provide assistance in performing these tasks.
PLANNING AND CONTROL EXERCISED BY THE USER

The controls should include:
 Prior vetting of bureau standards;
 Input controls at the preparer's end: batching and providing or authorizing in the same way as usual;
 Transit controls: physical transfer of documents;
 Batch controls, physical security and authorized personnel;


PLANNING AND CONTROL EXERCISED BY THE USER

The controls should include:
 Electronic transmission of data: batch totals, passwords and possibly encryption coding for very sensitive data;
 Control over and action on rejections: there must be strong control over the level of rejections; whose fault, the bureau's or ours?
COMPUTER SERVICE BUREAUX

 Output controls: logging/registering receipt of output material and original documentation, distribution and filing; master file amendment controls; suggested controls include the usual use of pre-numbered, properly authorized forms and special control of periodic printouts of all master file amendments;
 Adequate insurance covering loss of data or documents and computer breakdown at the bureau itself; the external auditor's review of bureau controls;


COMPUTER SERVICE BUREAUX

 A third party review: an independent firm carries out a review of internal controls, both general and application based. The report is then made available to the auditors of clients of the bureau. This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureau's system and complete roughly similar ICQ/ICE forms.
 Direct evaluation of the bureau by the auditor using CAATs, ICQ and ICE;
 Standby/back-up/emergency arrangements;


COMPUTER SERVICE BUREAUX

 For the compliance and substantive testing of programmed procedures, the CAATs discussed above are appropriate where the client has the data and files on the premises. They may not be possible in the context of a computer service bureau. The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing.


2 Minutes Break


CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

Controls in real time systems

 The main control problem is that primarily the concern is with large, multi-user systems with terminals (dumb terminals or networked PCs)
 The same person is often responsible for producing and processing the same information. Internal check and supervisory controls should be strengthened (segregation of duties);
 The ability of a person using a remote terminal to gain access to databases at will results in the need for special controls to ensure that files are neither read nor written to (nor destroyed) without authorization.
CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
 Physical controls;
 Operating system;
 Use passwords (or lockwords) or special badges or keys;
 Restriction by the operating system of certain users to certain files, e.g. the wages department can be given access to only the wages file;
 Logging of all attempted violations of the above controls, e.g. automatic shutdown of the PC or terminal used;
 All violations should be speedily and thoroughly investigated
 Application controls: validity checks on input; reporting of unusual transactions; passwords
DATABASE MANAGEMENT SYSTEMS (DBMS)

 Main controls: controls to prevent or detect unauthorized changes to programs;
 No access to the live program file by any personnel except the operations personnel at the central computer;
 Password protection on programs;
 Restricted access to the central computer and terminals;
 Maintenance of the console log;
 Periodic comparison of live production programs to control copies and supporting documentation.
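The last control on this slide, and the "copy must be identical to the original" requirement on the program authenticity slide, are both tests of the same thing: that the program actually running is the one that was authorized and tested. The script below is an added example, not code from the slides or from APT Financial Consultants; it takes a SHA-256 manifest of the control copies and compares the live program library against it. The program names and contents are constructed, and the directories are created in a temporary location so the example runs offline.

```python
"""Added example: periodic comparison of live production programs against
control copies using SHA-256 digests. Program names and contents are
constructed; everything is written under a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large program libraries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map each file under `directory` (relative name) to its digest.
    Run once against the control copies and keep the result with the
    supporting change documentation."""
    manifest = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest


def compare_to_control(control_manifest, live_directory):
    """Programs that changed, disappeared or appeared since the control copy
    was taken. Every entry should match an authorized change record; one
    that does not is a finding."""
    live = build_manifest(live_directory)
    return {
        "modified": sorted(n for n in control_manifest
                           if n in live and live[n] != control_manifest[n]),
        "missing": sorted(n for n in control_manifest if n not in live),
        "unexpected": sorted(n for n in live if n not in control_manifest),
    }


def demo():
    """Constructed scenario: a control copy is taken, then one live program
    is altered and an extra program appears in the live library."""
    programs = {
        "payroll.cbl": b"COMPUTE PAY = HOURS * RATE.\n",
        "ledger.cbl": b"ADD AMOUNT TO BALANCE.\n",
    }
    with tempfile.TemporaryDirectory() as control, \
            tempfile.TemporaryDirectory() as live:
        for d in (control, live):
            for name, body in programs.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(body)
        manifest = build_manifest(control)
        # Identical libraries: nothing to report
        assert compare_to_control(manifest, live) == {
            "modified": [], "missing": [], "unexpected": []}
        # Later: live payroll program altered, extra program dropped in
        with open(os.path.join(live, "payroll.cbl"), "wb") as f:
            f.write(b"COMPUTE PAY = HOURS * RATE * 1.1.\n")
        with open(os.path.join(live, "patch.cbl"), "wb") as f:
            f.write(b"DISPLAY 'TEMPORARY FIX'.\n")
        return compare_to_control(manifest, live)


if __name__ == "__main__":
    print(demo())
```

The digest comparison only says that two copies differ, not why; the supporting documentation the slide pairs it with is what turns "modified" into either an authorized change or an exception to investigate. Keeping the manifest itself outside the reach of the people who can change the live library is what makes the comparison worth something.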


DATABASE MANAGEMENT SYSTEMS (DBMS)
Main controls:
 Controls to prevent or detect errors during operation;
 Restriction of access to terminals by use of passwords;
 Satisfactory application controls over input, processing and master files;
 Use of operation manuals and training of all users;
 Maintenance of logs showing unauthorized attempts to access;
 Physical protection over data files; training in emergency procedures
 Controls to ensure the integrity of the database system: restriction of access to the data dictionary
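Both this slide (logs showing unauthorized attempts to access) and the on-line systems slide (logging of attempted violations, restriction of users to certain files, speedy investigation of all violations) assume someone actually reviews the log. The block below is an added example of that review, not code from the slides or from APT Financial Consultants; the log format, the department entitlements, the user list, the office hours and the "three denials in five minutes" threshold are all constructed assumptions.

```python
"""Added example: review of a constructed access log for the attempted
violations the slides say should be logged and investigated. Log format,
entitlements, user list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlements: which department may open which files, and
# which department each user belongs to.
ENTITLEMENTS = {"wages": {"WAGES.DAT"}, "sales": {"SALES.DAT", "PRICES.DAT"}}
USER_DEPT = {"jdoe": "wages", "asmith": "sales", "tjones": "sales"}

# Constructed log: date time user terminal file result
LOG = """\
2010-10-05 09:01:10 jdoe T01 WAGES.DAT OK
2010-10-05 09:02:44 asmith T07 SALES.DAT OK
2010-10-05 09:03:01 asmith T07 WAGES.DAT DENIED
2010-10-05 09:03:09 asmith T07 WAGES.DAT DENIED
2010-10-05 09:03:15 asmith T07 WAGES.DAT DENIED
2010-10-05 09:40:00 tjones T09 PRICES.DAT OK
2010-10-05 21:15:30 jdoe T01 WAGES.DAT OK
2010-10-05 21:16:02 unknown T12 WAGES.DAT DENIED
"""


def parse(log):
    """Turn log lines into (timestamp, user, terminal, file, result) tuples."""
    events = []
    for line in log.splitlines():
        d, t, user, term, file_, result = line.split()
        ts = datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, user, term, file_, result))
    return events


def review(events, max_denied=3, window=timedelta(minutes=5), office=(8, 18)):
    """Findings for investigation, each as (kind, who, where, when):
    - out_of_hours: successful access outside office hours
    - unentitled_access: a user reached a file their department may not use
      (the operating-system restriction failed or was bypassed)
    - unknown_user: a denied attempt under a name not on the user list
    - repeated_denials: `max_denied` denials by one user/terminal inside `window`"""
    findings = []
    denied = defaultdict(list)
    for ts, user, term, file_, result in events:
        if result == "DENIED":
            denied[(user, term)].append(ts)
            if user not in USER_DEPT:
                findings.append(("unknown_user", user, term, ts))
            continue
        if not office[0] <= ts.hour < office[1]:
            findings.append(("out_of_hours", user, term, ts))
        if file_ not in ENTITLEMENTS.get(USER_DEPT.get(user), set()):
            findings.append(("unentitled_access", user, file_, ts))
    for (user, term), times in denied.items():
        times.sort()
        for i in range(len(times) - max_denied + 1):
            if times[i + max_denied - 1] - times[i] <= window:
                findings.append(("repeated_denials", user, term, times[i]))
                break
    return findings


def findings():
    """Run the review over the constructed log."""
    return review(parse(LOG))


if __name__ == "__main__":
    for kind, who, where, when in findings():
        print(f"{when} {kind:18} {who} {where}")
```

On the constructed log the review raises three items: the wages clerk's successful access at 21:15, the denied attempt under a name that is not a registered user, and the sales user's three rapid attempts on the wages file. The third is exactly the "restriction by the operating system of certain users to certain files" doing its job; the finding exists so that someone asks why the attempts were made.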


DATABASE MANAGEMENT SYSTEMS (DBMS)

 Controls to ensure the integrity of the database system:
 Restriction of access to the data dictionary (the point of definition and interrelationship of data);
 Segregation of duties between the data processing manager and database administration personnel;
 Liaison between the database administration function and systems development personnel
 Preparation and update as necessary of the user manual in conjunction with the data dictionary
DATA BASE MANAGEMENT SYSTEM
 The audit of a DBMS creates particular problems as the two principal CAATs, test data and audit software, tend to work unsatisfactorily on programs and files contained within such a system.
 The auditor may, however, be able to use embedded audit facilities.
 Close liaison with the internal auditor may provide audit comfort.
 The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation.
5 Minutes Break
 QUESTION 3 (P18. MAY, 2010)
 You have been asked to evaluate the system of internal control in an electronic data processing system.
REQUIRED:
 Specify some of the matters to which you would give attention in relation to:
 Division of responsibilities
 File storage
 What will be the auditor's work or the areas in which he requires to pay special attention in auditing:
 Colleges and schools?
 Charitable institutions?
2 MINUTES BREAK
 REQUIRED: (NBAA - CPA - Nov. 2009)
a) (i) List the audit procedures to be followed by your assistant in verifying the bank reconciliation in sufficient detail for an inexperienced staff member to follow. (6 marks)
(ii) Explain the purpose of each procedure in terms of audit objectives. (5 marks)
 (b) Discuss the reliability of bank statements as audit evidence. What steps can be taken if it is considered desirable to increase their reliability? (3 marks)
 (c) (i) Distinguish between 'auditing around the computer' and 'auditing through the computer'. (3 marks)
(ii) Explain the circumstances when it would be inappropriate for the auditor to rely on auditing around the computer. (3 marks)
 (Total = 20 marks)
SMALL COMPUTER SYSTEMS

 Control problems in small computer systems
 The problems surrounding PCs can be grouped as:
 Lack of planning over the acquisition and use of PCs;
 Lack of documentary evidence;
 Lack of security and confidentiality.


2 MINUTES BREAK
 NBAA: QUESTION 5 - NOVEMBER, 2010
 The auditors of Malaga Co., a large engineering company, are now in the course of auditing the company's financial statements for the year ended 31st October, 2010. At the audit briefing, the audit manager made the following statements:
 'Whilst we are all aware of the benefits that Malaga Co. should have gained from using a computer based accounting system, we need to be alert to the specific risks that a computer-based accounting system poses to an entity's internal controls. We will be using audit software.'
 REQUIRED:
 (a) State four benefits that Malaga Co. should have gained from using a computer-based accounting system.
 (b) State six specific risks that the use of a computer-based accounting system poses to an entity's internal controls.
 (c) Explain the term audit software.
 (d) Describe any four functions performed by audit software and for each function suggest how it could be used for a specific task by the external auditors of Malaga Co. (8 marks)


COMPUTER FRAUD

 Input fraud;
 Processing fraud;
 Fraudulent use of computer systems;
 Output fraud;


FACTORS - RISK OF COMPUTER FRAUD

 Increase in computer literacy
 Communications, e.g. telephone and PCs, and hackers
 Reduction of internal check
 Improvements in the quality of software and increases in the implementation of good software have not kept pace with improvements in hardware


COUNTERACT COMPUTER FRAUD
 Planned approach to counteract computer fraud.
 All staff should be properly trained and should fully appreciate their role in the computer function
 Management policy on fraud should be clear and firm
 A study should be carried out to examine where the company is exposed to possible fraud
 A company should map out an approach or plan in each area of the business to tackle and prevent fraud.


CONTROLS TO PREVENT COMPUTER FRAUDS

 As with any control system, the three areas to examine are prevention, detection and correction
 Access to the computer terminals and other parts of the computer should be restricted
 Access to sensitive areas of the system should be logged and monitored
 Error logs and reports should be monitored and investigated on a regular basis
 Staff recruitment should include careful vetting, including taking up all references
 Expert systems software may be used to monitor unusual transactions
2 Minutes Break

See the separate question – detailed one


DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT

 Many auditors are now finding their clients conducting business through the internet. As always, the principal audit concern will be controls over the use of the internet and the strength of audit evidence obtained through the internet


INTERNET

 Controls over the Internet

 Unauthorized use of the internet
 Staff may use the internet for unauthorized purchases
 Staff may use the internet for accessing data which has a cost (call charges)
 People may be able to access the business's internal systems via the internet and obtain confidential information or launch a virus which disrupts internal systems


CONTROLS IN INTERNET…

 Controls against these risks include
 Use of passwords
 Disabling certain terminals
 Firewalls
 Authorization: the technique makes sure that a message has come from an authorized sender
 Virus control software, regularly updated
 Physical controls against fire, damage etc


AUDIT EVIDENCE IN THE INTERNET

 Audit evidence in the Internet

 Certain general observations can be made about audit evidence obtained through the Internet
 Internet evidence generated by the auditor will be stronger than evidence generated by the client. Comfort may be obtained if the auditor can access the internet and test what the client has posted
 Internet evidence can be obtained in written form and is thus stronger than oral evidence
 If the internal controls mentioned above are strong, the auditors will have more confidence in the quality of evidence


WHAT ABOUT E-MAIL?

 Email may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view, e.g. an unscrupulous employee in a large organization might find it quite easy to send an e-mail from his or her boss's computer authorizing a substantial bonus/pay rise
 H/W: what controls could you put in place to prevent this from happening?


CONTROL IN INTERNET SYSTEMS
 Control of the network system is of utmost importance. The auditors must be able to analyse the risk of unauthorized access such as line tapping or interception and to evaluate preventive measures
 Authentication programs and encryption are used for security; the auditor must understand those matters and should be able to make recommendations on implementation.
 Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems.


ELECTRONIC DATA INTERCHANGE

Electronic data interchange (EDI) is now used very


widely because it cuts the task of re-inputting data
that has already been input into a system in
electronic form, saving time and improving
accuracy
 EDI is authentic? What authorization measures
are in place to ensure that transactions above
certain value are properly authorized before
being transmitted or accepted?
 What is the legal position of the two parties if the
transaction is disputed?
Encryption and authentication offer some help, as do
transaction logs that identify the originator or any
transactions generated and transmitted.
WHAT IS EDI
EDI is the automated computer-to-computer exchange of structured
business transactions between an enterprise and its vendors,
customers, or other trading partners in a standard format, with
a minimum of human intervention.

CONSIDERATION OF AUDIT
STANDARDS
 ISA 315, “Understanding the Entity
and Its Environment and
Assessing the Risks of Material
Misstatement” and
 ISA 330, “The Auditor’s
Procedures in Response to
Assessed Risks” became effective.

CONSIDERATION OF AUDIT STANDARDS

 Major issues to be considered by an auditor as per ISA
 An auditor should consider how the CIS environment affects
the audit.
 The overall objective of the audit in a CIS environment never
changes.
 The design and performance of appropriate tests of controls
and substantive procedures to achieve the audit objective are
likely to change.
CONSIDERATION OF AUDIT STANDARDS

 Major issues to be considered by an auditor as per ISA
 The existence of a computer is likely to have an impact on the
client's inherent risk and control risk.
 The auditor should have sufficient knowledge of CIS to plan,
direct, supervise and review the work performed.
 The auditor should consider whether specialized CIS skills are
needed in an audit.
ISA
 The ISA makes it clear that auditors should have sufficient
knowledge of the CIS to perform such an audit effectively. It is
not necessary for every member of the audit team to be a computer
expert, but auditors must consider the need for specialized CIS
skills. ISA 620, "Using the Work of an Expert", is relevant.
 In planning the portions of the audit which may be affected by
the client's CIS environment, the auditor should obtain an
understanding of the significance and complexity of CIS
activities and the availability of data for use in the audit.

ISA
 The auditor must obtain an understanding of the accounting and
IC systems sufficient to plan an effective approach.
 Where the CIS is significant, the auditor must assess the
effect of the CIS on inherent and control risk.
 Complexity normally increases risk, and deficiencies in program
development, maintenance, physical security and access controls
would have an effect on all applications that the system serves.
ELECTRONIC COMMERCE
IAPS 1013
 E-commerce is any commercial activity that takes place by means
of connected computers, e.g. offering goods for sale directly
from an office computer, where the purchaser's computer and the
office computer are connected over the Internet.
 How do we audit e-commerce?
 International Auditing Practice Statement (IAPS) 1013 is
intended to assist auditors in identifying and assessing the new
risks to which a business is exposed when it undertakes
e-commerce transactions.
MAJOR AREAS OF FOCUS BY THE IAPS 1013

 The skill and knowledge required to understand the
implications of e-commerce on the audit.
 The extent of knowledge an auditor should have about the
client's business environment and activities.

MAJOR AREAS OF FOCUS BY THE IAPS 1013

 The business, legal, regulatory and other risks faced by
entities engaged in e-commerce transactions.
 The effect of electronic records on audit evidence.
 The statement may also be helpful to the auditor of any
business engaged in e-commerce.
5 MINUTES BREAK

 See the class presentation on the question.

What is an IT audit?
 Like operational, financial and compliance auditors,
Information Technology (IT) auditors work to:
 Understand the existing internal control
environment
 Identify high risk areas through a formal
methodology
 Ensure that adequate internal controls are in place
and operate effectively (through the testing of
said controls)
 Recommend control implementation where risk
exists
Why IT AUDIT?
Because of Information Technology RISK!!
 Risk: The probability that a particular threat
exploits a particular vulnerability (i.e. an issue
which may impact ability to meet objective).
 Threat: Event with the potential to cause
unauthorized access, modification, disclosure, or
destruction of info resources.
 Vulnerability: Weakness in a system control, or a
design flaw, that can be exploited to violate
system, network, or data integrity.

What Reduces IT Risk and
What about any Remaining Risk?

Internal Controls (i.e. safeguards)

 Control: Protective measure implemented
to ensure company assets (IT or
otherwise) are both available and accurate
in order to meet the business
requirements of that asset.
 Residual Risk: The risk that is left over
after reasonable internal controls have
been both evaluated and implemented.
 Internal Controls do not eliminate all risk!!
INTERNAL CONTROLS OTHER MATTERS

There are two major types of controls:
 Application Controls
 General Controls.

What about OTHER types of audits that may
impact IT
 Traditional Audit Types:
 Financial – "opinion" audits (CPAs)
 Operational – process audits – now includes environmental &
construction
 Compliance – laws/regulations and policies, standards, and
procedures
 IT – usually considered "operational" unless performed so
"opinion" auditors may "rely" on financial info provided
 Hybrid – Integrated Audit – today almost all audits are
actually hybrid
Operational Audits
 Review operating policies/procedures
 Documented policies/procedures?
 Informal policies/procedures?
 Work flow examined (through a flowchart or a description
requested/developed)
 Controls identified and documented
 Examine the business process and recommend improvements –
control related or efficiency/effectiveness

MANUAL AND PROGRAMMED CONTROLS

Many controls over computers are manual controls, and providing
that the manual controls exercised by users are sufficient to
provide reasonable assurance of the completeness, accuracy and
authorization of output, tests of control may be limited to
those manual controls. In a payroll system, for example, if
users test-check gross pay, deductions, net pay and
authorization at the output stage, and if they compare net pay
with approved bank transfer documentation and perform regular
bank reconciliations, there may be no need to test programmed
controls.
MANUAL CONTROLS
 Other Controls:
 Manual Controls
Physical Controls:
 Is a matter of common sense.
 Limit access to the computer room: locks and keys, issued only
to specified people.
 Prevention of smoking.
Back-up of disks:
 Create and update an identical back-up disk for every disk in
the system (data files and program files); the back-up disk
should be stored in a separate place.
MANUAL CONTROLS
 Other Controls:
 Manual Controls
 Data filing:
 Each disk should be labeled clearly and filed securely. The
labeled disks should be filed in special disk boxes to provide a
degree of protection against liquid being spilt on the disks or
their being bent or folded.
 Documentation: It is vital, as it provides both a support
system for work already stored on disk and filed, and a progress
report on data currently being processed or updated.
 Staff Training:
 Proofing: There is always room for manual checking or proofing
to control data on disk.
PROGRAMMED CONTROLS
Programmed Controls:
 Passwords; date/time stamps for comparison of two revisions of
data; prompts – asking the user whether to continue with an
action or not.
 Check Digit: A control that ascertains whether or not a number,
such as an ISBN or a customer account number, is valid. The
computer will detect if the number is ever input incorrectly.
 Batch totals and hash totals:
PROGRAMMED CONTROLS
Programmed Controls:
 Reasonableness checks: Checks to ensure that data input is
reasonable given the type of input it is, e.g. a payroll system
would check that the hours recorded for an employee fall within
a range of 30 to 50.
 Existence checks: Checks to ensure that the data input is valid
by checking that the entity already exists in the system, e.g.
employee number.
 Dependency checks: Data input fields can be compared with other
fields for reasonableness.
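As an added illustration of the programmed controls on the last two slides (check digits, batch and hash totals, reasonableness, existence and dependency checks), and not code from the original presentation, the Python below applies each control to a constructed batch of payroll timesheet records. The employee master file, the batch, the user department's control totals and the "overtime needs 40 basic hours" dependency rule are all constructed or assumed for the example; the ISBN-10 check digit rule (weighted sum modulo 11) is the published algorithm.

```python
# Constructed sample data: employee master file and one batch of timesheet input.
EMPLOYEE_MASTER = {"E1001", "E1002", "E1003"}
TIMESHEET_BATCH = [
    {"employee": "E1001", "hours": 40, "overtime_hours": 0},
    {"employee": "E1002", "hours": 40, "overtime_hours": 5},
    {"employee": "E9999", "hours": 41, "overtime_hours": 0},   # not on master file
    {"employee": "E1003", "hours": 72, "overtime_hours": 0},   # hours out of range
    {"employee": "E1001", "hours": 30, "overtime_hours": 12},  # overtime without full basic hours
]
# Control totals prepared by the user department before input (constructed).
EXPECTED_RECORD_COUNT = 5
EXPECTED_HOURS_TOTAL = 223     # batch total: a meaningful sum (hours)
EXPECTED_HASH_TOTAL = 14006    # hash total: a meaningless sum of employee numbers


def isbn10_check_digit_valid(isbn):
    """ISBN-10 check digit: sum of digit*weight (weights 10 down to 1) must be divisible
    by 11; 'X' in the last position stands for 10. Any single-digit error or transposition
    of two digits changes the sum modulo 11, so the computer detects it at input."""
    chars = isbn.replace("-", "").replace(" ", "").upper()
    if len(chars) != 10:
        return False
    total = 0
    for weight, ch in zip(range(10, 0, -1), chars):
        if ch == "X" and weight == 1:
            value = 10
        elif ch.isdigit():
            value = int(ch)
        else:
            return False
        total += weight * value
    return total % 11 == 0


def batch_controls(batch):
    """Recompute record count, batch total and hash total; compare with the user's figures."""
    hours_total = sum(r["hours"] for r in batch)
    hash_total = sum(int(r["employee"][1:]) for r in batch)
    return {
        "count_ok": len(batch) == EXPECTED_RECORD_COUNT,
        "batch_total_ok": hours_total == EXPECTED_HOURS_TOTAL,
        "hash_total_ok": hash_total == EXPECTED_HASH_TOTAL,
    }


def validate_record(rec, master):
    """Existence, reasonableness and dependency checks on one record; returns rejection reasons."""
    reasons = []
    if rec["employee"] not in master:
        reasons.append("existence: employee number not on master file")
    if not 30 <= rec["hours"] <= 50:
        reasons.append("reasonableness: hours outside the 30-50 range")
    # Assumed dependency rule for the example: overtime only after 40 basic hours.
    if rec["overtime_hours"] > 0 and rec["hours"] < 40:
        reasons.append("dependency: overtime claimed without full basic hours")
    return reasons


def validate_batch(batch, master):
    """Map the index of each rejected record to its reasons; clean records are omitted."""
    rejected = {}
    for i, rec in enumerate(batch):
        reasons = validate_record(rec, master)
        if reasons:
            rejected[i] = reasons
    return rejected


if __name__ == "__main__":
    print(batch_controls(TIMESHEET_BATCH))
    for i, reasons in validate_batch(TIMESHEET_BATCH, EMPLOYEE_MASTER).items():
        print(i, reasons)
```

Batch and hash totals catch a record that was lost or keyed against the wrong employee number between the user department and the computer; the per-record checks catch a record that is complete but wrong in content. Dropping the last record from the batch makes `count_ok` false without any change to the per-record results, which is why both kinds of control are used together.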

SMALL STAND ALONE MICRO-COMPUTER
 Main problems.
Internal Controls.
 Major controls appropriate in this environment are:
 Authorization
 Physical security
 AUDIT PROCEDURES
 Substantive tests
Internal controls
Inherent limitations of the system of IC in the elimination of
frauds & errors:
 The need to balance the cost of a control with its benefits;
 The fact that IC are applied to systematic transactions, not
one-off year-end adjustments, which are often larger and subject
to error;
 The potential for human error;
 Possibility of circumvention of IC through collusion of
managers or employees with other parties inside/outside the
entity;
 Abuse of controls or override of controls, e.g. ordering of
personal goods; obsolescence of controls.

FURTHER CONSIDERATION OF CAATs

 ISA requires auditors to obtain appropriate audit evidence to
be able to reach reasonable conclusions on which to base their
opinion.
 Advantages of CAATs:
 Help to test a larger number of data items, hence increasing
confidence in the opinion;
 Help to test the accounting system's own records (tables &
disk files) rather than relying on testing printouts;
 Are cost effective, once set up, for obtaining audit evidence;
 Comparisons can easily be made with clerical audit work, hence
increasing confidence.

OTHER DETAIL MATTERS

 Difficulties of using computer programs:
 Cost; changes to the client's system; small PC installations;
over-elaboration; larger quantities of output; version of file
used for test.
 Test Data:
 Test data is data submitted by the auditor for processing by
the client's computer-based accounting system.
OTHER MATTERS

 Major approaches to the use of test data
 Using live data
 Using dummy data in a normal production run
 Using dummy data in a special run
Difficulties of test data:
 Cost
 Limited objective
 Dangers of live testing
 Difficulty in recording audit evidence
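The "dummy data in a special run" approach, as an added Python example that is not from the original slides: the client's payroll routine is a hypothetical stand-in (a flat 20% deduction rate and 1.5x overtime are assumed), the master file and the auditor's test cases with their predetermined expected results are constructed, and the run is made on a copy of the master file so the live data is never changed (the danger of live testing). Each case's expected and actual outcome is recorded, which gives the evidence trail the last bullet says is hard to keep; the final case shows a control the stand-in system lacks, which the test data exposes as an exception.

```python
import copy

# Assumed parameters of the hypothetical client payroll routine below.
TAX_RATE = 0.20
OVERTIME_MULTIPLIER = 1.5


def client_payroll_run(master_file, transactions):
    """Hypothetical stand-in for the client's payroll program: pays each transaction against
    the master file it is given and updates year-to-date gross. It has no hours
    reasonableness check, which the auditor's fourth test case is designed to reveal."""
    output = []
    for t in transactions:
        emp = master_file.get(t["employee"])
        if emp is None:
            output.append({"employee": t["employee"], "status": "rejected"})
            continue
        gross = t["hours"] * emp["rate"] + t["overtime_hours"] * emp["rate"] * OVERTIME_MULTIPLIER
        deductions = round(gross * TAX_RATE, 2)
        output.append({"employee": t["employee"], "status": "paid", "gross": round(gross, 2),
                       "deductions": deductions, "net": round(gross - deductions, 2)})
        emp["ytd_gross"] += gross
    return output


def run_test_data(live_master, test_cases):
    """Special run: push the auditor's dummy transactions through a copy of the master file
    and record expected versus actual for every case. The live master file is never modified."""
    isolated_master = copy.deepcopy(live_master)
    outputs = client_payroll_run(isolated_master, [tc["input"] for tc in test_cases])
    evidence = []
    for tc, out in zip(test_cases, outputs):
        actual = {k: out.get(k) for k in tc["expected"]}   # only the fields the auditor predetermined
        evidence.append({"case": tc["name"], "expected": tc["expected"],
                         "actual": actual, "pass": actual == tc["expected"]})
    return evidence


# Constructed master file and auditor-prepared test cases with predetermined results.
MASTER = {"E1001": {"rate": 10.0, "ytd_gross": 0.0}}
TEST_CASES = [
    {"name": "basic hours paid at rate",
     "input": {"employee": "E1001", "hours": 40, "overtime_hours": 0},
     "expected": {"status": "paid", "gross": 400.0, "deductions": 80.0, "net": 320.0}},
    {"name": "overtime paid at 1.5x",
     "input": {"employee": "E1001", "hours": 40, "overtime_hours": 4},
     "expected": {"status": "paid", "gross": 460.0, "net": 368.0}},
    {"name": "unknown employee rejected (existence check)",
     "input": {"employee": "E9999", "hours": 40, "overtime_hours": 0},
     "expected": {"status": "rejected"}},
    {"name": "90 hours rejected (reasonableness check)",
     "input": {"employee": "E1001", "hours": 90, "overtime_hours": 0},
     "expected": {"status": "rejected"}},   # the stand-in pays it: a control exception
]


if __name__ == "__main__":
    for e in run_test_data(MASTER, TEST_CASES):
        print("PASS" if e["pass"] else "FAIL", e["case"], e["expected"], e["actual"])
```

The evidence list is the working paper: for each dummy transaction it holds what the auditor expected, what the system produced, and whether they agree, so a failed case such as the 90-hour record can be raised with the client without re-running anything.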

