Internal control and control testing: part 2

Chapter 9.4 & 11.4 Paper F8 Audit and Assurance (International)
http://www.accaglobal.com/pubs/students/publications/student_accountant/archive/sa_aug09_byrne.pdf
IK
University of Greenwich
December 14, 10
1
• Understand controls in a computer-based environment and the impact on the audit.
• Identify weaknesses and associated risks within a computerised environment.
• Suggest internal control improvements to a computerised environment, make this applicable to particular control objectives and assertions.
• Discuss the impact a computerised environment has on audit risk and audit procedures.
• Discuss the application and general controls within a computerised environment.
• Discuss the use of CAATs and practically incorporate CAATs in audit procedures; discuss benefits and disadvantages associated with CAATs.
2 Types of IT controls:
1. General
2. Application
• Controls in a computerised environment comprise:
1. Manual procedures &
2. Procedures designed into the computer program
• Remember:
1. ISA 300 – Planning an audit of financial statements
2. ISA 315 – Identify and assess the risk of material misstatement through understanding the entity and its environment
3. ISA 330 – The auditor’s responses to assessed risks
DEFINITION
“(1) application controls relate to procedures (manual/operated) used to initiate, record, process and report (2) transactions or other financial data. These controls help (3) ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)).”
(ensure integrity of accounting records)
DEFINITION continued…
(4) Application controls normally function at business process level, for instance sales, purchases and wages procedures.
(5) These controls can be either preventative or detective.
DEFINITION
• Policies and procedures that relate to many applications and support the effective functioning of application controls by ensuring continued proper operation of information systems.
• General IT controls that maintain the integrity of information and security of data.
DEFINITION continued
• Commonly include controls over data centre and network operations, system software acquisition, change and maintenance, access security, application system acquisition, development and maintenance.
• Effectiveness usually essential to effectiveness of application controls. First assess general controls before assessing application controls.
• The auditors will have to consider how general controls affect the computer applications that are significant to the audit.
• Based on this they will test some or all general controls.
• First review general controls as these play a big role in application controls.
• Give two examples of each type of General control:
• Should manual controls provide reasonable assurance that system output is:
1. Complete
2. Accurate
3. Authorised
• The auditor may then decide to focus on manual controls instead of computerised controls.
• If the auditor needs to test information produced by the computer or contained within the computer, test controls by examining output (manually or computerised).
• Output can be printouts, microfilm or magnetic media.
• The auditor can also choose to test the control via computer.
• If IMPRACTICAL OR IMPOSSIBLE to test controls by examining user controls or system output, test controls by:
1. Using computer
2. Reprocessing data OR
3. Examining coding of application program.
• Generalised audit software: packaged computer programs used on a variety of computers during audit field work to read computer files, select information, perform calculations, create data files, and print reports in a format specified by the auditor.
• Application of auditing procedures using the computer as an audit tool.
3 Main categories of CAATs:
1. Audit software
2. Test data
3. Other
Definition: Computer software used to interrogate a client’s computer files; mainly used for SUBSTANTIVE testing.
Types of programs:
1. Package (Generalised, pre-prepared for use on different types of systems. Not adapted for a specific system.)
2. Purpose-written (Perform specific functions. Can be adapted to client’s system. Costly)
3. Enquiry programs (These are part of the client’s system.) Used to do things like:
• Sort and print data
• Accounting software with search facilities within modules could be used for things like finding customers with credit balances or inventory items in excess of a certain amount.
• The auditor uses this to scrutinise LARGE volumes of data. The review of the data by the software produces results that should be investigated further.
The software has program logic to perform functions like:
1. Select a sample
2. Report exceptional items
3. Compare files
4. Analyse, summarise and stratify (group based on certain criteria).
See further examples p 206 of BPP set text
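The four audit software functions listed above, written out as an added example (not part of the original slides or of any audit package). The ledger extract, customer codes, credit limits and value bands are constructed sample data, and the function names are assumptions chosen for illustration.

```python
import random
from collections import defaultdict

# Constructed extract: receivables ledger balances and the customer master
# file (customer -> credit limit). All values are sample data.
LEDGER = [
    {"customer": "C001", "balance": 1250.00},
    {"customer": "C002", "balance": -310.50},   # credit balance
    {"customer": "C003", "balance": 48000.00},  # above its credit limit
    {"customer": "C004", "balance": 9900.00},
    {"customer": "C999", "balance": 700.00},    # not on the master file
    {"customer": "C005", "balance": 15.75},
]
MASTER = {"C001": 5000, "C002": 2000, "C003": 40000, "C004": 10000, "C005": 500}

def select_sample(ledger, n, seed):
    """Select a sample; seeded so a reviewer can re-perform the selection."""
    return random.Random(seed).sample(ledger, n)

def report_exceptions(ledger, master):
    """Report exceptional items: credit balances and balances over the limit."""
    found = []
    for row in ledger:
        limit = master.get(row["customer"])
        if row["balance"] < 0:
            found.append((row["customer"], "credit balance"))
        elif limit is not None and row["balance"] > limit:
            found.append((row["customer"], "over credit limit"))
    return found

def compare_files(ledger, master):
    """Compare files: accounts on one file but missing from the other."""
    ledger_ids, master_ids = {r["customer"] for r in ledger}, set(master)
    return sorted(ledger_ids - master_ids), sorted(master_ids - ledger_ids)

def stratify(ledger, bands=(0, 1000, 10000)):
    """Stratify: (count, total value) per band, keyed by the band's lower
    bound; balances below the lowest band (credits) are keyed by None."""
    strata = defaultdict(lambda: [0, 0.0])
    for row in ledger:
        lower = max((b for b in bands if row["balance"] >= b), default=None)
        strata[lower][0] += 1
        strata[lower][1] += row["balance"]
    return {band: tuple(v) for band, v in strata.items()}

if __name__ == "__main__":
    print(report_exceptions(LEDGER, MASTER), compare_files(LEDGER, MASTER))
    print(stratify(LEDGER), select_sample(LEDGER, 3, seed=2010))
```

Each item returned is a result to investigate further, not a conclusion: the account missing from the master file, for example, points back to the general controls over master file changes.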
• Definition: Data submitted by the auditor to be processed by the client’s computer system. The results are compared with predetermined results.
• Can be used to test controls such as access controls. Can also be used to test processing characteristics (eg input invalid data).
• Dummy data will be processed that include errors & data that are correct
Examples of errors. Input:
• supplier account codes that do not exist
• employees earning in excess of a certain limit
• sales invoices that contain addition errors
• data with incorrect batch control totals.
Two test environments:
• Live (within client’s production run; could corrupt client’s master files)
• Dead – Outside normal processing, use copies of master files. Less assurance that client’s normal/actual production programs were used.
• Live test data can corrupt files – removal of data may be difficult.
• Dead test data does not necessarily use the same program as the actual client system used within the accounting process.
• Test data only tests the operation of the system at a single point in time.
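A test data run as described above, as an added example that is not part of the original slides: dummy batches containing both correct data and known errors are processed, and each actual result is compared with its predetermined result. The function client_validate is a hypothetical stand-in for the client's program with one constructed weakness; supplier codes, invoice numbers and amounts are constructed.

```python
SUPPLIERS = {"S100", "S200"}  # constructed supplier master file

def client_validate(batch):
    """Hypothetical stand-in for the client's program: returns
    (invoice numbers rejected, whether the batch control total agreed)."""
    rejected = {inv["no"] for inv in batch["invoices"]
                if inv["supplier"] not in SUPPLIERS}
    # Constructed weakness: invoice lines are never re-added against the total.
    agreed = sum(inv["total"] for inv in batch["invoices"]) == batch["control_total"]
    return rejected, agreed

def invoice(no, supplier, lines, total):
    return {"no": no, "supplier": supplier, "lines": lines, "total": total}

# Dummy data (constructed): each case carries its predetermined result.
TEST_PACK = [
    ("valid invoice",
     {"invoices": [invoice("T1", "S100", [100, 50], 150)], "control_total": 150},
     (set(), True)),
    ("supplier account code that does not exist",
     {"invoices": [invoice("T2", "S999", [80], 80)], "control_total": 80},
     ({"T2"}, True)),
    ("invoice containing an addition error",
     {"invoices": [invoice("T3", "S200", [100, 50], 160)], "control_total": 160},
     ({"T3"}, True)),
    ("incorrect batch control total",
     {"invoices": [invoice("T4", "S100", [40], 40)], "control_total": 45},
     (set(), False)),
]

def run_test_data(system, pack):
    """Process every dummy batch and return the cases whose actual result
    differs from the predetermined one (control deviations to follow up)."""
    deviations = []
    for name, batch, expected in pack:
        actual = system(batch)
        if actual != expected:
            deviations.append({"case": name, "expected": expected, "actual": actual})
    return deviations

if __name__ == "__main__":
    for deviation in run_test_data(client_validate, TEST_PACK):
        print(deviation)
```

The single deviation reported is the addition error that the stand-in accepts. A pack made only of valid data would not have shown the missing check, which is why the dummy data includes errors as well as correct items.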
• Integrated test facility – run test data live, but use dummy records, such as dummy departments or dummy customers to which dummy data can be processed. These dummy items can then be ignored when records are printed out and can easily be reversed. Note that this can also be grouped under Test data.
• Embedded audit facilities – the auditor’s own program code is resident in the client’s application software (use at selected times or every time the application program is used).
• 1) Create a SCARF (system control and review file). Gather and review live info for subsequent audit review.
• 2) Spot and record/tagging. (Gather transactions that meet the auditors’ definition of exceptional as per the code in the auditor software.)
Disadvantages of embedded audit software: Costly & might require auditor input at development stage of client software.
• It does not alter the key stages in the process.
• Impact on planning (ISA 300): The overall audit strategy must incorporate the availability of data and the expected use of CAATs.
• Impact on risk assessment (ISA 315): Auditor needs to understand information systems as part of understanding internal control relevant to the client.
• If the auditor places reliance on internal controls on an assertion level he needs to understand and test both manual and automated controls.
• Impact on testing (ISA 330): Auditor needs to design and perform audit procedures whose nature, timing and extent are based on the assessed risk of material misstatement at the assertion level.
• Def: The auditor reconciles input to output and does not test the processing of transactions.
• Why? In the past this was done because of limited audit software. Cost is still an issue.
• What is the antonym of around the machine? Through the machine, this is the approach where we use CAATs to test satisfactory operation of computer-based application controls.
• In small computer-based systems IF the auditor can gain sufficient evidence by testing input and output.
• Auditors can test program controls and general internal controls associated with computers.
• Increases the speed at which items can be tested & testing is more accurate.
• Actual transactions instead of paper records are tested; paper records might not reflect actual transactions.
• Cost-effective in the long term IF the client does not change his/her system.
• Results from CAATs can be compared with results from non-CAATs. Correlation increases confidence.
• See steps in applying CAATs – p205.
http://www.ais-cpa.com/glosa.html
1. Read chapter 9, section 4 of the textbook (p152).
2. Read chapter 11, section 4 of the textbook (p205).
3. Read http://www.accaglobal.com/pubs/students/publications/student_accountant/archive/sa_aug09_byrne.pdf
4. BPP ACCA F8 Textbook Q9.3 (p156) + 11 (p341)
5. BPP ACCA F8 Textbook Q11.5 (p213)
6. Give examples of how you’d use CAATs to test wages.
1. You are the audit manager for a new client PPP Ltd – a client with a highly computerised accounting environment. Discuss your considerations in planning the financial statement audit.
2. Upon receiving a management report with numerous control weaknesses, the audit committee of AAA Plc mandated a review of the total internal control structure of the company.
As manager of the accounting department, a department that relies heavily on computers, they’ve asked you to draft a proposal of general and application controls that can be implemented in your department.