Lecture 9
Auditing
BUS20286
1
Effects of IT on accounting systems
 IT substantially changes the methods of operation and
control.
 ______________depends on the programs
 Transaction processing ________________by programs
 Most accounting transactions are in
_______________without any ______________________
 Source documents, journals and ledgers ____________
and stored in ____________
2
Effects of IT on accounting systems
 There are more basic controls in operation as controls
are ______________to perform
 _________________check,
 _________________check
 _________________check
 The I.T. Environment complicates the paper systems of the
past.




___________________ of data
___________________ access and linkages
Increase in ___________ activities in systems vs. paper
Opportunity that can cause management _________ (e.g., override)
IT change the nature of audits !
3
Effect on Internal Controls
 IC is … policies, practices, procedures
… designed to …
 safeguard assets
 ensure accuracy and reliability
 promote efficiency
 measure compliance with policies
4
Effect on Internal Controls
Modifying Principles
Management responsibility
2. Methods of data processing
1.


Objectives __________regardless of DP method
Specific controls ________ with different technologies
Limitations
4. Reasonable assurance
3.



Materiality IC weaknesses
No I.C.S. is perfect
Benefits => costs
5
Effect on Internal Controls
Modified Principles

Limitations
Possibility of ____________


Possibility of _____________




___________
___________
Authorised access by hackers, computer virus,
Management ________________



Due to incompetence, faulty computer programs, corrupted
input data
Personally distorting or direct subordinate to do so
______________conditions
6
Effect on Internal Controls
The PDC Model
7
Undesirable Events
Access
Errors
Fraud
Mischief
8
Effect on Internal Controls
5 Elements of IC
 The control environment
 Risk assessment
 Information & communication




IT ________________material transaction
IT ________________accounting records
IT ________________processing
IT enabled _____________
 Monitoring
 _______________computer monitoring modules and
audit tools
 Control activities
9
Control Activities
Physical controls
 May involve physical use of computer but not computer logic
 Authorisation
 Can be programmed
 Specific authority is management responsibility
 Segregation of Duties
 Authorisation + ____________ [e.g., Sales vs. Auth. Cust.]
 Authorisation + _______________ + ______________________ [e.g.,
custody of inventory vs. DP of inventory]
 Authorisation + custody + _________________________________
(journal, sub ledger, GL)
 Supervision
 _______________________ controls when ___________________ of
segregation of duties exists
 Performed by ____________________ and trustworthy personnel
10
Control Activities
Physical controls
 Accounting Records
 Source documents, journals and ledgers
 Provide audit trail of economic events
 Access control
 _______________: assets
 _____________________: documents that control assets
 Depend on technological nature of CIS
Via Control the use of ____________________
 Via segregation of duties
 Fraud
 Disaster Recovery

11
Control Activities
Physical controls
 Independent verification
 Independent check on accounting system for ___________and
misrepresentations
 Potential for increased management supervision
 CIS can offer mgmt ____________________________that may be used for
review and supervise operations
 these additional internal controls may enhance the entire I/C structure
 Management can assess:
 The performance of individuals
 The __________________of the AIS
 The integrity of the ______________in the records
 Examples: Reconciliation, Physical vs a/c records, Batch controls,
 Review management report
12
Control Activities
IT controls
 IT ________________, ______________, ________________,
__________________, _____________
 Applications controls
 Ensure _____________, _______________, and
_____________________ of financial transactions
 Direct impact on ______________ of data
 General controls
 Not _______________________________ i.e. apply
to_________systems
 Include controls over:





IT governance
IT infrastructure
Security and access to operating systems and databases
Application acquisition and development
Program change procedures
 Support the functioning of application controls
13
Risks in CIS environments
1.
Lack of ___________________________
 exist for only a short period of time or only in computer
readable form
 errors in application’s programme __________may be
_______________ to ______________
2. __________________processing of transactions
 minimise clerical errors ordinarily associated with
manual processing
 potential programming _______________ (_________ in
hardware or software) result in ____________ processing
14
Risks in CIS environments
3. Lack of ______________________ of functions
 traditional control procedures performed by separate
individuals may be highly ___________________ in CIS.
One person may have access to computer programme,
processing or data - who can perform incompatible
functions
15
Risks in CIS environments
4. Potential for errors and irregularities
 can be errors in _______________, __________________
and _______________________of system
 Potential _______________________________ to data or
to alter data without ______________________ is greater
 decreased human involvement in handling transactions
can reduce the potential for ___________________errors
and irregularities
 errors or irregularities in design or modification of
system can remain undetected for ________________
16
Risks in CIS environments
5. _____________ or ________________ of transactions
 capability to initiate or execute transactions
________________________
 authorisation not documented in the same way as in
manual system
 mgmt authorisation of these transactions -
________________in ________________ and
____________________ of CIS
17
Risks in CIS environments
6. Dependence of __________________________over
computer processing
 computer processing may produce reports and outputs
to be used in performing ______________________
control procedures
 effectiveness depends on controls over
_____________________ and _____________________ of
computer processing
18
Effects of use of computer on auditor’s work
 Objective and scope of audit - ____________________
 Procedures may be affected
 in study and evaluation of ____________,
 in _____________ and ____________________of audit procedures
 Potential for use of CAATs
 processing and analysing ____________________________of data
 provide auditors opportunities to apply CAATs in
____________________of ___________________________
 computer audit is an _______________________of the overall audit
activity
 Skills and competence - knowledge of hardware, software and
processing system
 should have all these skills, or should involve others possess such
skills
19
Effects of use of computer on auditor’s work
Audit procedures
 Nature, timing and extent of audit procedures may be
affected
 necessary to perform certain substantive tests earlier when
the data to be tested exist only for a limited period of time
 scope to reduce audit work if there is an integrated
computerised accounting system
 option to use computer as an audit tool
 Detailed audit procedures may differ from those
applied to unsophisticated computerised environment.
 Additional skills may be required for some audit
procedures, I.e., CAATs
20
Effects of use of computer on auditor’s work
2 different audit approaches
 Audit ‘___________________’ the computer
 check the adequacy of system controls and output
by using the computer, I.e. use of CAATs
 Audit ‘_________________’ the computer
 perform audit with printed records and output, I.e.
concentrate solely on input and output
 ________________ the computer and its programs
 May not be adequate if


System _______________
_____________ of audit ______________
21
Testing Computer Application
Controls
 Black box (_____________)
 White box (______________)
22
White Box Test Methods
1.
_____________________ tests:
 Individuals / users
 Programmed procedure
 Messages to access system (e.g., logons)
 All-American University, student lab: logon, reboot,
logon *
2. _________________ tests:
 System only processes data values that conform to
specified tolerances
3.
____________________ tests:
 Identify missing data (field, records, files)
23
White Box Test Methods
4. ____________________tests:
 Process each record exactly once
5. ________________________tests:
 Ensure application and/or system creates an
adequate audit trail
 Transactions listing
 Error files or reports for all exceptions
6. ________________________tests:
 “Salami slicing”
 Monitor activities – excessive ones are serious
exceptions; e.g, rounding and thousands of
entries into a single account for $1 or 1¢
24
CAATTs
 Purposes
 Auditor adopts techniques that use computer as an audit
tool
 Perform ________________and ____________________
tests
 Computer ___________________/ files - interrogation
 More efficient in ___________________ of __________
and testing
25
Small EDP system
 Risks & Internal controls
 In general:
 Relatively _____________to operate and program
 Controlled and operated by __________________
 Interactive data processing vs. ___________
 Commercial applications vs. _____________
 Often used to access data on mainframe or
network
 Allows users to develop their own applications
 Operating Systems:
 Are located on the _____(_________________)
 _______family dictates applications (e.g.,
Windows)
26
Small EDP System - Controls
 Risk assessment
 __________________ weaknesses


PCs were designed to be __________________,
______________ systems, facilitate access – not restrict it.
rests heavily on ___________________security controls & need
for effective ________________control system
 Weak ______________ control
 Booting from floppy or hard drive or CD-ROM to
invoke logon security procedures.
 Inadequate ________________________________
 Multilevel password control – multifaceted access
control
27
Small EDP system - Risks
 Risk of _________________________

Laptops, etc. can “walk off”
 Risk of ____________________



Easy for multiple users to access data
End user can steal, destroy, manipulate
Inadequate backup procedures
 Local backups on appropriate medium
 Dual hard drives on PC
 External/removable hard drive on PC
28
 Risk associated with __________________________
 Policy of obtaining software
 Policy for use of anti-virus software
 Verify no unauthorized software on PCs
 Risk of improper ______________procedures
 Use of commercial software
 Formal software selection procedures
29
Audit of Small EDP systems
1.
Verify ____________ are in place to protect data, programs,
and computers from



unauthorized access,
manipulation, destruction, and
theft
2. Verify that adequate ____________________ and
_________________________________________exist

3.
to compensate for lack of segregation between the duties of
______________, __________________, and _____________
Verify that _____________________ procedures are in place

to prevent data and program loss due to system failures, errors
4. Verify that backup procedures are being __________.
5. Verify that __________selection and acquisition procedures

To ensure applications that are high quality, and protected from
unauthorized changes
30
6. Verify the system is free from ____________and
adequately ________________

to minimize the risk of becoming infected with a virus or
similar object
7. Verify that microcomputers and their files are
______________________controlled
8. Verify that the programmers of applications performing
financially significant functions do not also
________________ those systems.
1.
Based on organizational charts, job descriptions, and
observation
9. Confirm that (1)________________ of processed
transactions, listings of (2) ____________ accounts, and
(3) control ______________ are prepared, distributed, and
reconciled. by appropriate management at regular and
timely intervals
31
10. Determine that _______________ password control
or multifaceted access control is used

to limit access to data and applications, where
applicable.
11. Verify that the drives are removed and stored in a
_______________when not in use, where applicable.
12. Verify that application _______________is physically
secured (such as in a locked safe) and that only the
compiled version is stored on the microcomputer.
13. Review systems selection and acquisition _________
14. Review virus control _________________.
32
Computer Service Bureau
 What is it?
 Third party organisation which provides computer
services to clients
 Problems when using CSB
 ______________ information - disclosed to outsiders
 Problems in transfer of data to and from Bureau
 Little or no control over _______________________
33
 User’s internal controls (CSB)
 General controls






system designed by bureau - adequate documentation
required
feasibility study, and that both user and bureau are aware of
tasks being performed
details set out in writing, particularly on the control
procedures
system test sufficiently carried out
adequate checks on standing data files on initial set up
liaison defined
34
 Application controls






keep copies of data to bureau
control movement of data
bureau to provide errors report - resubmission procedures
all printouts received
test check details on output and standing data
amendments with user authorisation only
35