Chapter 9.4 & 11.4
Paper F8 Audit and Assurance (International)
http://www.accaglobal.com/pubs/students/publications/student_accountant/archive/sa_aug09_byrne.pdf

IK University of Greenwich December 14, 10

Understand controls in a computer-based environment and the impact on the audit.

Identify weaknesses and associated risks within a computerised environment.
Suggest internal control improvements to a computerised environment, make this applicable to particular control objectives and assertions.
Discuss the impact a computerised environment has on audit risk and audit procedures.

Discuss the application and general controls within a computerised environment.
Discuss the use of CAATs and practically incorporate CAATs in audit procedures; discuss benefits and disadvantages associated with CAATs.

2 Types of IT controls:
1. General
2. Application

Controls in a computerised environment comprise:
1. Manual procedures
2. Procedures designed into the computer program

Remember:
1. ISA 300 – Planning an audit of financial statements
2. ISA 315 – Identify and assess the risk of material misstatement through understanding the entity and its environment
3. ISA 330 – The auditor’s responses to assessed risks

DEFINITION
“(1) application controls relate to procedures (manual/operated) used to initiate, record, process and report (2) transactions or other financial data.
These controls help (3) ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)).” (ensure integrity of accounting records)

DEFINITION continued…
(4) Application controls normally function at business process level, for instance sales, purchases and wages procedures.
(5) These controls can be preventative or detective.

DEFINITION
Policies and procedures that relate to many applications and support the effective functioning of application controls by ensuring continued proper operation of information systems.
General IT controls that maintain the integrity of information and security of data.

DEFINITION continued
Commonly include controls over data centre and network operations, system software acquisition, change and maintenance, access security, application system acquisition, development and maintenance.
Effectiveness usually essential to effectiveness of application controls.
First assess general controls before assessing application controls.

The auditors will have to consider how general controls affect the computer applications that are significant to the audit. Based on this they will test some or all general controls.
First review general controls as these play a big role in application controls.

Give two examples of each type of General control:

Should manual controls provide reasonable assurance that system output is:
1. Complete
2. Accurate
3. Authorised
the auditor may decide to focus on manual controls instead of computerised controls.

If the auditor needs to test information produced by the computer or contained within the computer -> test controls by examining output (manually or computerised).
Output can be printouts, microfilm or magnetic media.
The auditor can also choose to test the control via computer.

If IMPRACTICAL OR IMPOSSIBLE to test controls by examining user controls or system output, test controls by:
1. Using computer
2. Reprocessing data OR
3. Examining coding of application program.

Generalised audit software
Packaged computer programs used on a variety of computers during audit field work to read computer files, select information, perform calculations, create data files, and print reports in a format specified by the auditor.

Application of auditing procedures using the computer as audit tool.
3 Main categories of CAATs:
1. Audit software
2. Test data
3. Other

Definition: Computer software used to interrogate a client’s computer files; mainly used for SUBSTANTIVE testing.
Types of programs:
1. Package (Generalised, pre-prepared for use on different types of systems. Not adapted for a specific system.)
2. Purpose-written (Perform specific functions. Can be adapted to client’s system. Costly)
3. Enquiry programs: These are part of the client’s system.
Used to do things like:
Sort and print data
Accounting software with search facilities within modules could be used for things like finding customers with credit balances or inventory items in excess of a certain amount.

The auditor uses this to scrutinise LARGE volumes of data. The review of the data by the software produces results that should be investigated further.
The software has program logic to perform functions like:
1. Select a sample
2. Report exceptional items
3. Compare files
4. Analyse, summarise and stratify (group based on certain criteria).
See further examples p 206 of BPP set text

Definition: Data submitted by the auditor to be processed by the client’s computer system. The results are compared with predetermined results.
Can be used to test controls such as access controls.
Can also be used to test processing characteristics (eg input invalid data).
Dummy data will be processed that includes errors & data that are correct.

Examples of errors. Input:
• supplier account codes that do not exist
• employees earning in excess of a certain limit
• sales invoices that contain addition errors
• data with incorrect batch control totals.

Two test environments:
Live (within client’s production run; could corrupt client’s master files)
Dead – Outside normal processing, use copies of master files. Less assurance that client’s normal/actual production programs were used.

Live test data can corrupt files – removal of data may be difficult.
Dead test data does not necessarily use the same programme as the actual client system used within the accounting process.
Test data only tests the operation of the system at a single point in time.
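
The test-data technique described above, as an added example that is not part of the original slides: dummy records covering the four error types listed, each with a predetermined result, are run through `client_process`, a hypothetical stand-in for the client's program. All codes, limits and records are constructed, and the stand-in deliberately omits the batch control total check so the comparison has a control failure to report.

```python
# Added example: "dead" test data run against a stand-in for the client's program.
# Every code, limit and record below is constructed for illustration.
SUPPLIER_MASTER = {"S001", "S002"}  # copy of the supplier master file (constructed)
PAY_LIMIT = 200_000                 # weekly gross pay limit in pence (assumed)

def client_process(rec):
    """Hypothetical stand-in for the client's application controls.
    It deliberately omits the batch control total check."""
    if rec["type"] == "purchase" and rec["supplier"] not in SUPPLIER_MASTER:
        return "REJECT"
    if rec["type"] == "payroll" and rec["gross_pay"] > PAY_LIMIT:
        return "REJECT"
    if rec["type"] == "invoice" and sum(rec["lines"]) != rec["total"]:
        return "REJECT"
    return "ACCEPT"  # batches are accepted without checking the control total

# (description, dummy record, predetermined result); amounts in pence
TEST_DATA = [
    ("valid purchase", {"type": "purchase", "supplier": "S001"}, "ACCEPT"),
    ("supplier code that does not exist",
     {"type": "purchase", "supplier": "S999"}, "REJECT"),
    ("pay within limit", {"type": "payroll", "gross_pay": 85_000}, "ACCEPT"),
    ("pay in excess of limit", {"type": "payroll", "gross_pay": 950_000}, "REJECT"),
    ("invoice that adds up",
     {"type": "invoice", "lines": [1000, 2550], "total": 3550}, "ACCEPT"),
    ("invoice with addition error",
     {"type": "invoice", "lines": [1000, 2550], "total": 3650}, "REJECT"),
    ("batch with correct control total",
     {"type": "batch", "items": [500, 700], "control_total": 1200}, "ACCEPT"),
    ("batch with incorrect control total",
     {"type": "batch", "items": [500, 700], "control_total": 1300}, "REJECT"),
]

def run_test_data(process, test_data):
    """Return every case whose actual result differs from the predetermined one."""
    exceptions = []
    for description, record, expected in test_data:
        actual = process(record)
        if actual != expected:
            exceptions.append((description, expected, actual))
    return exceptions

if __name__ == "__main__":
    for description, expected, actual in run_test_data(client_process, TEST_DATA):
        print(f"EXCEPTION: {description}: expected {expected}, got {actual}")
```

Each difference between actual and predetermined results points to an application control that did not operate as expected and should be followed up.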

Integrated test facility – run test data live, but use dummy records, such as dummy departments or dummy customers to which dummy data can be processed. These dummy items can then be ignored when records are printed out and can easily be reversed.
Note that this can also be grouped under Test data.

Embedded audit facilities – the auditor’s own program code is resident in the client’s application software (use at selected times or every time the application program is used).
1) Create a SCARF (system control and review file. Gather and review live info for subsequent audit review.)
2) Spot and record/tagging. (Gather transactions that meet the auditors’ definition of exceptional as per the code in the auditor software).
Disadvantages of embedded audit software: Costly & might require auditor input at development stage of client software.

It does not alter the key stages in the process.

Impact on planning (ISA 300):
The overall audit strategy must incorporate the availability of data and the expected use of CAATs.

Impact on risk assessment (ISA 315):
Auditor needs to understand information systems as part of understanding internal control relevant to the client.
If the auditor places reliance on internal controls on an assertion level he needs to understand and test both manual and automated controls.

Impact on testing (ISA 330):
Auditor needs to design and perform audit procedures whose nature, timing and extent are based on the assessed risk of material misstatement at the assertion level.

Def: The auditor reconciles input to output and does not test the processing of transactions.
Why? In the past this was done because of limited audit software. Cost is still an issue.
What is the antonym of around the machine?
Through the machine: this is the approach where we use CAATs to test satisfactory operation of computer-based application controls.

In small computer-based systems IF the auditor can gain sufficient evidence by testing input and output.

Auditors can test programme controls and general internal controls associated with computers.
Increases the speed at which items can be tested & testing is more accurate.
Actual transactions instead of paper records are tested; paper records might not reflect actual transactions.
Cost-effective in the long term IF the client does not change his/her system.
Results from CAATs can be compared with results from non-CAATs. Correlation increases confidence.
See steps in applying CAATs – p205.

http://www.ais-cpa.com/glosa.html

1. Read chapter 9, section 4 of the textbook (p152).
2. Read chapter 11, section 4 of the textbook (p205).
3. Read http://www.accaglobal.com/pubs/students/publications/student_accountant/archive/sa_aug09_byrne.pdf
4. BPP ACCA F8 Textbook Q9.3 (p156) + 11 (p341)
5. BPP ACCA F8 Textbook Q11.5 (p213)
6. Give examples of how you’d use CAATs to test wages.

1. You are the audit manager for a new client PPP Ltd – a client with a highly computerised accounting environment. Discuss your considerations in planning the financial statement audit.
2. Upon receiving a management report with numerous control weaknesses, the audit committee of AAA Plc mandated a review of the total internal control structure of the company.
As manager of the accounting department, a department that relies heavily on computers, they’ve asked you to draft a proposal of general and application controls that can be implemented in your department.