Sako Mayrick
AUDITING IN COMPUTER ENVIRONMENT
What is audit in a computer environme
nt?
Wherever computer based accounting system, large or small are operated by an enterprise, or by a third party on behalf of the enterprise, for processing information supporting the amounts included in the financial statements. The audit is said to be performed in computer environment.
1APT Financial Consultants
Auditing in Computer Environment
Issues The audit objective remain “to enable the
auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.
However, the methods of applying audit procedures in gathering audit evidence may be influenced by the way accounting data is processed.
Sako Mayrick 2APT Financial Consultants
Auditing in Computer Environment
Computer Environment Audit Trail In manual processing, clerical errors in
computer environment programming errors or systematic errors in hardware or software
Central Processing of transactions (keep incompatible duties separate.)
Alteration of data or files without being detected (possibility of fraud)
Sako Mayrick 3APT Financial Consultants
Sako Mayrick
Auditing in computer environment
Approaches Auditing around the computer
Auditing through the Computer
Auditing with the computer
4APT Financial Consultants
Approaches to auditing in Computer Environment
1. Auditing around the computer Computer as a black box Test transaction method e.g. multiplying unit price with
number of products No attempt is made to establish and evaluate existence
of controls Appropriate where no significant computer controls are
required, for example where computers are used only for calculation purposes
Should not be used because of auditor’s lack of knowledge on computerized systems.
Audit around the computer ONLY WHEN; the audit trail is complete, processing operations are straight forward and system documentation is complete and readily available.
Sako Mayrick 5APT Financial Consultants
Approaches to auditing in Computer Environment
1. Auditing through the computer Auditor evaluate client’s software and hardware for
reliability hard for human eyes to view Test operating effectiveness of related computer
controls (Access Controls) Controls are embedded in the IS of most companies
It is impractical to ignore them due to legal and compliance requirements
External auditors use this to test the controls Internal auditors frequently uses this to ensure
that errors are discovered and corrected.
Sako Mayrick 6APT Financial Consultants
Approaches to auditing in Computer Environment
Around or through the computer Nothing is wrong with auditing around the computer
But auditor should be satisfied with the control system in place and able to gather sufficient evidence.
But what about various requirements of gaining sufficient understanding of system (internal control) Auditing through the computer is the best for auditors to
follow Some standards restricts auditors to issue opinions on
the operating effectiveness of internal control of the business if auditing around the computer approach is used.
Which approach minimize auditor’s risk?
Sako Mayrick 7APT Financial Consultants
Sako Mayrick
Approaches to auditing in the computer environment
Auditing with the computer Use of computer of audit
automation Working Papers Statistical sampling and analytical
procedures
Decision Support System; Audit Review and Reporting
8APT Financial Consultants
Sako Mayrick
Auditing with the Computer
Types of software on PC in order to aid audit work Standard software for word processing ,
spreadsheets Expert systems such as teammate,
Generally, an auditor can use the PC to assist for Production of time budget and budgetary
control . Analytical procedures. The maintenance of permanent file
information
9APT Financial Consultants
Sako Mayrick
Auditing in computer environment
The computer systems challenges lack of visible evidence and
systematic errors. What to do? techniques available to an auditor, The internal controls, the availability of the data the length of time it is retained in a
readily usable form.
10APT Financial Consultants
Sako Mayrick
AUDITING IN COMPUTER ENVIRONMENT
Controls over audit computersSecurity, and Accuracy (of input,
processing and output). The auditor should exercise controls
when PCs are used by auditor in their work are as follows:Access controls for users by means of passwords
11APT Financial Consultants
Sako Mayrick
AUDITING IN COMPUTER ENVIRONMENT
Controls over audit computersBack up of data contained on files, regular production of hard copy; back-up disks held off the premises.
Viral protection for programs and Training users.
Evaluation and testing of programs use Proper recording of input data , to ensure reasonableness of output.
12APT Financial Consultants
Sako Mayrick
INTERNAL CONTROLS IN CIS
The internal control over computer based accounting system
General controls
Application controls
13APT Financial Consultants
INTERNAL CONTROLS IN CIS
General controls; relates to the environment CIS
are developed, maintained and operated, and which are therefore applicable to all the applications.
The application controls and general controls are inter-related. Strong general controls contribute to assurance, which may be obtained by an auditor in relation
If general controls are ineffective, there may be potential for material misstatement in each computer based accounting application. 14Sako MayrickAPT Financial Consultants
Auditing in Computer Environment
Sako Mayrick 15APT Financial Consultants
Sako Mayrick
INTERNAL CONTROLS IN CIS
Specific Requirements in order to achieve the overall objective of general controls:- Control over applications development To prevent or detect unauthorized changes to programs To ensure that all programs changes are adequately
tested and documented Control to prevent and detect errors during program
execution To prevent unauthorized amendments to data files To ensure that system software is properly installed
and maintained To ensure that proper documentation is kept To ensure continuity of operations.
16APT Financial Consultants
AUDITING IN COMPUTER ENVIRONMENT
Types of General Controls
1. Organizational controls of EDP unit No one individual should be able to
a. access the data;
b. Alter the computer system or programme,
c. Access the computer
Sako Mayrick 17APT Financial Consultants
AUDITING IN COMPUTER ENVIRONMENT
Types of General Controls
2. Application development and maintenance controls
Computer programs and related applications design and use of systems manuals, program flow charts, narratives, records and file layout and operators instructions.
3. Hardware controls Manufacturer to detect equipment
failure, how the organisation handles errors the computer identifies
Sako Mayrick 18APT Financial Consultants
AUDITING IN COMPUTER ENVIRONMENT
Types of General Controls4. Access to Computer equipment, data files and
programs Safeguarding equipment and records e.g.
locked doors, locked cabinets, segregation of duties, locked cabinets, cabinets containing data files, passwords or security codes and job reports for the computer.
5. Data or procedural controls Keeping the files and programmes off site.
This may prevent losses due to accidental erasure, intentional vandalism or catastrophic loss (fire). Grandfather-father-son method Sako Mayrick 19APT Financial Consultants
Sako Mayrick
INTERNAL CONTROLS IN CIS Application controls:
The objective of application controls (manual or programmed) are to Ensure completeness and
accuracy of accounting records validity of entries made resulting
from both manual and programmed processing.
20APT Financial Consultants
Sako Mayrick
INTERNAL CONTROLS IN CIS
The specific requirements in order to achieve the overall objectives of application controls are:- Control over the completeness and
authorization of input Control over the completeness and
accuracy of processing Control over the maintenance of master
files and the standing data contained therein
21APT Financial Consultants
Internal Controls in CIS Application Controls
They are specific to particular accounting application Major types of application controls
1. Input Controls Ensures validity, completeness and accuracy of
processed information e.g. Check digits, batch totals, hash totals, limits or reasonableness checks, and validity checks.
2. Processing Controls Accurate processing of data input into the system Data are processed, processed only once and processed
accurately. Most of processing controls are also programmed controls
i.e. the computer is programmed to do the checking. Examples, control totals, logic tests and completeness tests.
Sako Mayrick
22APT Financial Consultants
Internal Controls in CIS
3. Output ControlsEnsures that data generated by
computer are valid, accurate, and complete.
Output distributed in appropriate quantities only to authorized people.
The most important output controls is review of the data for reasonableness by someone who knows what the output should look like.
Sako Mayrick 23APT Financial Consultants
Internal Controls in CIS
4. Controls over master file information Most transactions depends on the accuracy of
information on the master file. For exampleSales transactions depends on price list or
all payroll amounts depends on hourly rate or salary rate.
User departments should get periodic reports containing content of the master file.
There should be procedures in place to verify that the correct version of Master File is being used.
Sako Mayrick 24APT Financial Consultants
Internal Control in CIS
Auditors obtain information on the general and application controls by Interviewing EDP staffReviewing flowcharts and
documentsReviewing internal control
questionnaires
Sako Mayrick 25APT Financial Consultants
5 Minutes Break
Sako Mayrick 26APT Financial Consultants
AUDITING IN THE COMPUTER ENVIRONMENT - Techniques
What are the tools to use? What are the techniques?What are the tricks? What are the risks ?What is the examiners focus?
Sako Mayrick 27APT Financial Consultants
Sako Mayrick
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)
Definition Techniques in that the auditors are
afforded opportunities to use either the enterprises or another computer to assist them in performance of audit work.
CAATs, are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence.
28APT Financial Consultants
CAATs
Advantages Are independent of the system being audited and will use
a read-only copy of file to avoid corruption of an organization's data
Simplifies audit routines such as sampling Provides documentation of each test performed in the
software that can be used as documentation in auditor’s work papers
Can perform activities such as data queries, data stratification, sample extraction, missing sequence identification, statistical analysis, calculations, duplicate inquiries, pivot talbes and cross tabulation
Sako Mayrick 29APT Financial Consultants
CAATs
UsesCreation of electronic work papersFraud detection
Analytical testsData analysis reportsContinuous monitoring
Sako Mayrick 30APT Financial Consultants
Sako Mayrick
CATEGORIES OF CAAT
Audit softwareTest dataOther techniques
31APT Financial Consultants
Sako Mayrick
CATEGORIES OF CAAT
1. Audit software: generalized audit softwarespecialized audit software or
Interrogation softwareutility programs and existing entity programs.
Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use.
32APT Financial Consultants
Sako Mayrick
CATEGORIES OF CAAT
Audit software some usesStratify accounting population and
select monetary unit statistical samples.
Carry out an aging /usage analysis of stocks
Perform detailed analytical reviews of financial statements
33APT Financial Consultants
Sako Mayrick
TYPES OF CAATs
Test data Is a CAAT in which test data
prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data.
34APT Financial Consultants
Sako Mayrick
TYPES OF CAATs
Other techniques embedded audit facilities
Integrated test facility System Review and control file
( SCARF) Application program examination
Internal control evaluation via; Flowchart verification (Logical Path analysis ) ,Program code verification (Code Comparison Programs), Printout examination.
35APT Financial Consultants
Sako Mayrick
CAATs and Sustentative testing
During substantive testing some, CAATs are used frequently. Audit software is used extensively to
examine accounting records maintained on computer files
CAATs assists in carrying out analytical review procedures
36APT Financial Consultants
Sako Mayrick
Limits of CAATs
Limits of CAATs Evaluation of general controls
Use ICQ or the ICE approach.
37APT Financial Consultants
Sako Mayrick
Program authenticity
Source Program authenticity guarantee that the correct application
program is being tested.“Live test” data, integrated test
facilities and embedded audit facilities as described above are audit techniques, which help in this respect.
General controlsCopy must be identical to orignal
38APT Financial Consultants
Sako Mayrick
Knowledge based system
Knowledge based systemsDecision Support Systems and Expert systems can be used to assist with the auditors own judgment and decisions.
39APT Financial Consultants
Sako Mayrick
MANUAL Vs CAATs
Factors to consider in choosing between CAATs and manual Techniques:-
Practicability of carrying out audit tests manually Cost effectiveness of the procedures under
considerations. Availability of audit time The availability of appropriate computer facilities and
independence issue The level of audit experience and expertise. The extent of possible reliance upon internal audit
work
40APT Financial Consultants
Sako Mayrick
Factors to consider in using CAATs
IT knowledge and experience of the audit team
Availability of CAATs and suitable computer facilities and data
Impracticability of manual testsEffectiveness and efficiencytiming
41APT Financial Consultants
Sako Mayrick
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
Planning an audit in a Computer environmentPossibilities of attending during
system development stageConsideration of use of CAATsPracticability of manual auditExpertise
42APT Financial Consultants
Sako Mayrick
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
Use of CAATS The pattern cost associated with CAATs, The extent of tests of controls or substantive
procedures achieved by both alternatives, Ability to incorporate within the use of CAAT a
number of different audit tests. Time of reporting
43APT Financial Consultants
Sako Mayrick
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
In using CAAT, computer facilities, computer files
and programs should be available; the auditors should plan the use of
CAAT in good time so that these copies are retained for their use.
Internal auditor CAATs , consider ISA Availability of computer facilities
44APT Financial Consultants
Sako Mayrick
INTERNAL CONTROL EVALUATION
Internal control evaluation ICQ . Weak controls = extensive
substantive procedures In determining whether they wish to
place reliance on application controls or general controls ,the auditors will be influenced by the cost effectiveness and ease of testing by the following matters
General controls and application controls
45APT Financial Consultants
Sako Mayrick
INTERNAL CONTROL EVALUATION
Check systematic errors and program intergrityManual examination may be useful in
small computer applicationObservation, examination of
documentary evidence or reperforming the procedures may be useful.CAATs can also be useful
46APT Financial Consultants
Sako Mayrick
Review of financial statements
Review of financial statements CAATs (audit software)
e.g analytical review. The working papers should indicate the
work performed by CAAT, the auditors conclusion, the manner in which any technical problems were resolved and may include any recommendations about modification of CAAT for future audits.
47APT Financial Consultants
Sako Mayrick
AUDIT TRAIL.
Audit trail.
As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through print outs by hand.
This offsets the so- called loss of “audit trail” to a significant extent. The trail is still there, although it may have to be followed through in electronic form.
48APT Financial Consultants
2 MINUTES BREAK
Sako Mayrick 49APT Financial Consultants
Sako Mayrick
COMPUTER SERVICE BUREAUX
These are third part service organization who provide EDP facilities to their clients
Factor to consider in using CSB make or buy decisions Consider and Analyze the cost benefit; Level of management’s own computing
knowledge and their willingness to take risk to unknown third party;
50APT Financial Consultants
Sako Mayrick
COMPUTER SERVICE BUREAUX
Factors to consider The volume and frequency of processing
requirements ; The complexity of the program package
required ;The simpler the program the easier it would be to process in – house on Micro;
The importance of timelines in processing of data check the efficiency and economy of DP
The confidentiality of the data being processed.
51APT Financial Consultants
Sako Mayrick
Types of Bureaux
Independent companies formed to provide specialist computer services
Computer manufacturers with bureau
Computer users (e.g. universities)
52APT Financial Consultants
Sako Mayrick
PLANNING AND CONTROL EXERCISED BY THE USER
When the system using CSB is set up it is essential that
a full feasibility study and system design should be carried
out.
In practice the bureau may provide assistance in performing these tasks.
53APT Financial Consultants
Sako Mayrick
PLANNING AND CONTROL EXERCISED BY THE USER
The control should include : Prior vetting of bureau standards ; Input controls at preparer’s end; bunching
and providing or authorizing in the same way as usual;
Transit controls ;Physical transfer of documents ;
batch controls ,physical security and authorized personnel;
54APT Financial Consultants
Sako Mayrick
PLANNING AND CONTROL EXERCISED BY THE USER
The control should include : Electronic transmission of data ;batch
totals, passwords and possibly encryption coding for very sensitive data;
Control over and action on rejection; there must be strong control over the level of rejections; whose fault, the bureaus or ours?;
55APT Financial Consultants
Sako Mayrick
COMPUTER SERVICE BUREAUX
Output controls :logging /registering receipt of output material and original documentation ,distribution and filing; Master file amendment controls; suggested control include the usual use of pre-numbered properly authorized forms. Special control of periodic print out of all master file amendments;
Adequate insurance covering loss of data or documents and computer breakdown at the bureau itself ;The external auditor review of bureau controls ;
56APT Financial Consultants
Sako Mayrick
COMPUTER SERVICE BUREAUX
A third party review –an independent firm to carry out review of internal controls, both the general and application based. The report is then made available to the auditors of clients of the bureaus. This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureaux system and complete roughly similar ICQ/ICE forms.
Direct evaluation of the bureau by the auditor using the CAATs , ICQ and ICE.;
Standby /back up /emergency arrangement ;
57APT Financial Consultants
Sako Mayrick
COMPUTER SERVICE BUREAUX
The compliance and substantive testing of programmed procedures, the CAATs such as discussed above are appropriate where the client has the data and files on the premises. They may not be possible in context of the computer service bureau. The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing.
58APT Financial Consultants
2 Minutes Break
Sako Mayrick 59APT Financial Consultants
Sako Mayrick
CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
Controls in real time systems The main control problem is that primarily the
concern is on large, multi–user systems with terminals (dumb terminals or networked PCs)
The same person is often responsible for producing and processing the same information. Internal check ,supervisory controls should be strengthened (segregation of duties) ;
The ability of a person using remote terminal to gain access to databases at will results in the need for special controls to ensure that files are neither read nor written to (nor destroyed).
60APT Financial Consultants
Sako Mayrick
CONTROLS IN ON-LINE AND REAL TIME SYSTEMS Physical controls;
Operating system; Use passwords( or lockwords) or special badges or
key; Restriction by the operating system of a certain users
to certain files .eg wages dept can be given access to only wages file;
Logging of all attempted violation of the above controls .eg Automatic shut down of the PC or terminal used;
All violations should be speedily and thoroughly investigated
Application controls; Validity checks on input; Reporting of unusual transactions; Passwords
61APT Financial Consultants
Sako Mayrick
DATABASE MANAGEMENT SYSTEMS (DBMS)
Main controls; Control to prevent or detect unauthorized changes to programs; No access to live program file by any personnel
except for the operation personnel at the central computer;
Password protection on programs; Restricted access to the central computer and
terminal ; Maintenance of console; Periodic comparison of live production programs to
control copies and supporting documentation.
62APT Financial Consultants
Sako Mayrick
DATABASE MANAGEMENT SYSTEMS (DBMS)
Main controls; Controls to prevent or detect error during operation;
Restriction of access to terminals by use of password; Satisfactory application control over input , processing and
master file ; Use of operation manuals and training all users; Maintenance of logs showing unauthorized attempts to
access; Physical protection over data files ;Training in emergency
procedures Controls to ensure integrity of the database system;
Restriction of access to data dictionary
63APT Financial Consultants
Sako Mayrick
DATABASE MANAGEMENT SYSTEMS (DBMS)
Controls to ensure integrity of the database system; Restriction of access to data dictionary( point
of definition and interrelationship of data); Segregation of duties between data
processing manager and data base administration personnel;
Liaison between database administration function and systems development personnel
Preparation and update as necessary of user manual in conjunction with data dictionary
64APT Financial Consultants
Sako Mayrick
DATA BASE MANAGEMENT SYSTEM
The audit of DBMS creates particular problems as the two principal CAATs , test data and audit software, tend to work unsatisfactorily on programs and files contained within such system.
The auditor may, however, be able to use embedded audit facilities.
Close liaison with the internal auditor may provide audit comfort.
The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation.
65APT Financial Consultants
5 Minutes Break
QUESTION 3 ( P18. MAY, 2010) You have been asked to evaluate the system of internal
control in an electronic date processing system.
REQUIRED: Specify some of the matters to which you would give
attention in relation to:Division of responsibilitiesFile storage
What will be the auditor’s work or the areas in which he requires to pay special attention in auditing:
College and schools?Charitable institutions?
Sako Mayrick 66APT Financial Consultants
2 MINUTES BREAK REQUIRED: (NBAA –CPA - Nov. 2009)
a) (i) List the audit procedures to be followed by your assistant in verifying the bank reconciliation in sufficient details for an inexperienced staff member to follow.(6marks)
(ii) Explain the purpose of each procedure in terms of audit objectives. (5 marks)
(b) Discuss the reliability of bank statements as audit evidence. What steps can be taken if it is considered desirable to increase their reliability? (3 marks)
(c) (i) Distinguish between ‘auditing around the computer’ and auditing through the computer’.(3 marks)
(ii) Explain the circumstances when it would be inappropriate for the auditor to rely on auditing around the computer.(3 marks)
(Total = 20 marks)Sako Mayrick 67APT Financial Consultants
Sako Mayrick
SMALL COMPUTER SYSTEM
Control problems in small computer systems
The problems surrounding PC’s can be grouped as ; Lack of planning over the acquisition
and use of PCs; Lack of documentary evidence ; Lack of security and confidentiality.
68APT Financial Consultants
2 MINUTES BREAK NBAA: QUESTION 5 – NOVEMBER, 2010 The auditors of Malaga Co. a large engineering company, are now in the
course of auditing the company's financial statements for the year ended 31st October, 2010. At the audit briefing, the audit manager made the following statements:
'Whilst we are all aware of the benefits that Malaga Co. should have gained from using a computer based accounting system, we need to be alert to the specific risks that a computer-based accounting system poses to an entity's internal controls. We will be using audit software.
REQUIRED: (a) State four benefits that Malaga Co.. should have gained from using
a computer-based accounting system. (b) State six specific risks that the use of a computer-based
accounting system poses to an entity's internal controls. c) Explain the term audit software. D) Describe any four functions performed by audit software and for each
function suggest how it could be used for a specific task by the external auditors of Malaga Co. (8 marks)
Sako Mayrick 69APT Financial Consultants
Sako Mayrick
COMPUTER FRAUD
Input fraud : Processing fraud; Fraudulent use of computer
system; Output fraud;
70APT Financial Consultants
Sako Mayrick
FACTORS- RISK TO COMPUTER FRAUD
Increase in computer literacy – Communications e.g. telephone and
PCs and hackers Reduction of internal Check Improvements in quality of software and
increase in implementation of good software has not kept pace with improvements in hard ware
71APT Financial Consultants
Sako Mayrick
COUNTERACT COMPUTER FRAUD
Planned approach to counteract computer fraud. All staff should be properly trained and should
fully appreciate their role in computer function Management policy on fraud should be clear
and firm A study should be carried to examine where the
company is exposed to possible fraud A company should map out an approach or plan
in each area of the business to tackle and prevent fraud.
72APT Financial Consultants
Sako Mayrick
CONTROLS TO PREVENT COMPUTER FRAUDS
As with a control system, three areas to examine are; prevention, detection and correction Access to the computer terminals and other parts of the
computer should be restricted Access to sensitive areas of the system should be logged
and monitored Errors logs and reports should be monitored and
investigated on regular basis Staff recruitment should include careful vetting ,include
taking up all references Expert systems software may be used to monitor unusual
transactions
73APT Financial Consultants
2 Minutes Break
See the separate question – detailed one
Sako Mayrick 74APT Financial Consultants
Sako Mayrick
DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT
Many auditors are now finding their clients conducting business through the internet. As always, the principle audit concern , will be controls over the use of the internet and the strength of audit evidence obtained through the internet
75APT Financial Consultants
Sako Mayrick
INTERNET
Controls over the Internet Unauthorized use of the internet Staffs may use internet for unauthorized
purchases Staff may use internet for accessing data
which have a costs (call) People may be able to access “business “
internal systems via the internet and obtain confidential information or launch virus which disrupts internal systems
76APT Financial Consultants
Sako Mayrick
CONTROLS IN INTERNET…
Controls from these risks include Use of passwords, Disabling certain terminals – Firewalls Authorization the technique make sure that a
message has come from an authorized sender
Virus control software –regular updating Physical controls ;against fire, damage etc
77APT Financial Consultants
Sako Mayrick
AUDIT EVIDENCE IN THE INTERNET
Audit evidence in the Internet Certain general observations can be made about
audit evidence obtained through the Internet Internet evidence generated by the auditor will be
stronger than evidence generated by client. Comfort may be obtained if the auditor can access the internet and test what the client has posted
Internet evidence can be obtained in written form and thus stronger than oral evidence
If the internal controls mentioned above are strong ,the auditors will have more confidence in the quality of evidence
78APT Financial Consultants
Sako Mayrick
WHAT ABOUT E-MAIL?
Email may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view. e.g. unscrupulous employee in a large organization might find it quite easy to send and e-mail from his or her boss’s computer authorizing a substantial bonus /payrise
H/W; what controls could you put to prevent this from happening
79APT Financial Consultants
Sako Mayrick
CONTROL IN INTERNET SYSTEM
Control of network system is of uttermost importance .the auditors must be able to analyse the risk of unauthorized access such as line tapping or interception and to evaluate preventive measures
Authentication programs and encryption are used for security , the auditor must understand those matter and should be able to make recommendations on implementation.
Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems. 80APT Financial Consultants
Sako Mayrick
ELECTRONIC DATA INTERCHANGE
Electronic data interchange (EDI) is now used very widely because it cuts the task of re-inputting data that has already been input into a system in electronic form, saving time and improving accuracy EDI is authentic? What authorization measures
are in place to ensure that transactions above certain value are properly authorized before being transmitted or accepted?
What is the legal position of the two parties if the transaction is disputed?
Encryption and authentication offer some help, as do transaction logs that identify the originator or any transactions generated and transmitted.
81APT Financial Consultants
Sako Mayrick
WHAT IS EDI
Is the automated computer-to-computer exchange of structured business transactions between an enterprise and its vendors, customers, or other trading partners in a standard format, with a minimum of human intervention
82APT Financial Consultants
Sako Mayrick
CONSIDERATION OF AUDIT STANDARDS
ISA 315, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and
ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” became effective.
83APT Financial Consultants
Sako Mayrick
CONSIDERATION OF AUDIT STANDARDS
Major issues to be considered by an auditor as per ISA An auditor should consider new CIS
environment affects the audit The overall objective of audit in CIS audit
never changes. The design and performance of appropriate
tests of Controls and Substantive procedures to achieve the audit objective are likely to change.
84APT Financial Consultants
Sako Mayrick
CONSIDERATION OF AUDIT STANDARDS
Major issues to be considered by an auditor as per ISA The existence of computer is likely to have
an impact on the clients inherent risk and control risk.
The auditor should have sufficient knowledge of CIS to plan, direct supervise and review the work performed.
The auditor should consider whether specialized CIS skills are needed in an audit. 85APT Financial Consultants
Sako Mayrick
ISA
The ISA makes it clear that auditors should have sufficient knowledge of the CIS to perform such audit effectively. It is not necessary for overly member of audit team to be a computer expert auditors must consider need for specialized CIS skills.ISA 620 “using the work of expert” is relevant.
In planning the portions of audit which may be affected by the clients environment the auditor should obtain an understanding of significance and complexity of CIS activities and the availability of data for use in the audit.
86APT Financial Consultants
Sako Mayrick
ISA
Auditor must obtain understanding of accounting and IC sufficient to plan an effective approach.
Where CIS is significant, the auditor must assess the effect of the CIS on in hereunto control risk.
Complexity normally increases risk and deficiencies in program development, mtc, physical security and access controls would have an effect on all applications that the system served.
87APT Financial Consultants
Sako Mayrick
ELECTRONIC COMMERCEIAPS 1013
Is any Commercial activity that takes place by means of connected computers. E.g. offering goods for sale directly from office computer; the purchasers’ computer and office computer is connected over Internet.
How do we audit ex-commerce?
International Audit Practice Standard ISPS 1013 (IAP’s) in intended to assist auditors in identifying and assessing the new risk to which the business in exposed when it undertakes e-commerce transactions. 88APT Financial Consultants
Sako Mayrick
MAJOR AREAS OF FOCUS BY THE IAPS 1013
The skill and knowledge required to understand the implications of e-commerce on audit
The extent of knowledge an auditor should have about the client’s business environment and activities.
89APT Financial Consultants
Sako Mayrick
MAJOR AREAS OF FOCUS BY THE IAPS 1013
The business, legal, regulatory and other risk faced by entities engaged in e-commerce transactions.
The effect of electronic records on audit evidence.
The statement may be also helpful to the auditor of any business engaged in e-commerce.
90APT Financial Consultants
5 MINUTES BREAK
See the Class Presentation on the question
Sako Mayrick 91APT Financial Consultants
Sako Mayrick
What is an IT audit?
Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:
Understand the existing internal control environment
Identify high risk areas through a formal methodology
Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)
Recommend control implementation where risk exists
92APT Financial Consultants
Sako Mayrick
Why IT AUDIT?
Because of Information Technology RISK!! Risk: The probability that a particular threat
exploits a particular vulnerability (i.e. an issue which may impact ability to meet objective).
Threat: Event with the potential to cause unauthorized access, modification, disclosure, or destruction of info resources.
Vulnerability: Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.
93APT Financial Consultants
Sako Mayrick
What Reduces IT Risk and What about any Remaining Risk?
Internal Controls (i.e. safeguards)Control: Protective measure implemented
to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.
Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.
Internal Controls do not eliminate all risk!!
94APT Financial Consultants
Sako Mayrick
INTERNAL CONTROLS OTHER MATTERS
The are two major types of controls:Application ControlsGeneral Controls.
95APT Financial Consultants
Sako Mayrick 96APT Financial Consultants
Sako Mayrick
What about OTHER types of audits that may impact IT
Traditional Audit Types: Financial – “opinion” audits (CPAs) Operational – process audits – now
includes environmental & construction Compliance – laws/regulations and
policies, standards, and procedures IT – usually considered “operational”
unless performed so “opinion” auditors may “rely” on financial info provided
Hybrid - Integrated Audit – today almost all audits are actually hybrid
97APT Financial Consultants
Sako Mayrick
Operational Audits Review operating policies/procedures
Documented policies/procedures? Informal policies/procedures?
Work flow examined (thru flowchart or description requested/developed)
Controls identified and documented Examine the business process and
recommend improvements – control related or efficiency/effectiveness
98APT Financial Consultants
Sako Mayrick
MANUAL AND PROGRAMMED CONTROLS
Many controls over computers are manual controls, and prodding that the manual controls exercised by users are sufficient to provide reasonable assurance of the completeness, accuracy and authorization of output, test of control may be limited to those manual controls. In a payroll system, for example, if users test check gross pay, deductions net pay and authorization at the output stage, and if they compare net pay with approved bank transfer documentation and perform regular bank reconciliation’s; there may be no need to test programmed controls.
99APT Financial Consultants
Sako Mayrick
MANUAL CONTROLS
Other Controls: Manual Controls
Physical Controls: -Is a matter of common sense. -Limit access to a computer room, -
Locks and keys, only to specified people -Prevention of smooking.
Back-up of disks: -Create and update an identical back up
disk for every disk in the system; Data files&Program files; The disk should be stored in separate place.
100APT Financial Consultants
Sako Mayrick
MANUAL CONTROLS
Other Controls: Manual Controls
Data filing: -Each disk should be labeled clearly and filed
securely.The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spoilt on the disks or their being bent or plied.
Documentation: It is vital, as it provides both a support system for work already stored on disk and filed, and progress report on data currently being processed or updated.
Staff Training:Proofing:There is always room for manual checking or
proofing, to control data on disk.
101APT Financial Consultants
Sako Mayrick
PROGRAMMED CONTROLS
Programmed Controls:
Passwords; Date/time stamps for compass on of two revisions of data; Prompts – Asking the user to continue with an action or not.
Check Digit: A means of control on that they ascertain whether or not a number, such as ISBN is valid. E.g. customer account No. The computer will detect of the number is ever input incorrectly.
Batch totals and hash totals:102APT Financial Consultants
Sako Mayrick
PROGRAMMED CONTROLS
Programmed Controls: Reasonable checks: Checks to ensure that
data input is reasonable given the type of input it is e.g. A payroll system would check that his recorded for a falls within a range of 30 to 50.
Existence checks: Checks to ensure that the data input is valid by checking that the entity already exists in the system. E.g. employee number.
Dependency checks: Data input fields can be compared with other fields for reasonableness.
103APT Financial Consultants
Sako Mayrick
SMALL STAND ALONE MICRO-COMPUTER
Main problems. Internal Controls.
Major controls appropriate in this environment are:-
Authorization: Physical security AUDIT PROCEDURES
Substantive tests
104APT Financial Consultants
Sako Mayrick
Internal controlsInherent limitations of the system of IC in elimination of
frauds & errors. The need to balance the cost of control with its benefits; The fact that IC are applied to systematic transaction,
not one-off year-end adjustments, which are often larger and subject to error;
The potential human error; Possibility of circumvention of IC through collusion of
managers or employees with other parts inside /outside the entity;
Abuse of controls or override of controls e.g. ordering of personal goods; Obsolescent of controls
105APT Financial Consultants
Sako Mayrick
FURTHER CONSIDERATION OF CAATs
Further considerations of CAATs ISA requires auditors to obtain appropriate audit
evidence to be able to allow reasonable conditions on which to base their opinion.
Advantages of CAATS: Helps to test larger number of data hence increase
confidence in their opinion; Help’s to test Accounting Systems its records
(Tables & Disk files) rather than relying on testing printout;
Are cost effective once set up for obtaining audit evidence;
Comparison can easily be made from clerical audit work hence increase confidence.
106APT Financial Consultants
Sako Mayrick
OTHER DETAIL MATTERS
Difficulties of using computer programs cost. Cost; Changes to clients system; Small
installations PC; Over –elaboration; Larger quantities of output; Version of file used for lest.
Test Data: Is a data submitted by the auditor for
processing the clients computer-based accounting system.
107APT Financial Consultants
Sako Mayrick
OTHER MATTERS
Major approached to the use of test data Using live data Using dummy data in a normal
production nun. Using dummy data in special nun.
Difficulties of test data: Cost Limited objective Dangers of live testing Difficult in recording audit evidence
108APT Financial Consultants