Introduction to External Auditing [AU1]: Module 7 course notes

External Auditing [AU1]
Module 7: Computer auditing
Overview
In this module, you learn about the effects that computer processing has on both the control environment and
the audit of financial systems. You also learn about the approaches to auditing computerized systems and the
ways to use computers for an audit.
When you have worked through the module, you should have a thorough understanding of the audit
implications of a computer-based system for a company’s internal controls. Throughout the module, you
apply what you have learned to scenarios involving a company planning to computerize its accounting
systems.
Test your knowledge
Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the
depth of study required.
Learning objectives
7.1 Explain the major effects of computerization of accounting systems on a company’s operations and the audit approach. (Level 1)
7.2 Describe the major elements of audit significance in today’s computer environment. (Level 2)
7.3 Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)
7.4 Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system design, access, backup, and data recovery. (Level 1)
7.5 Describe general controls and application controls and how they relate to accounting controls. (Level 2)
7.6 Explain the impact of EDI and the Internet on a company’s operations and the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)
7.7 Describe how an audit is conducted in a computer environment. (Level 1)
7.8 Describe the phases of auditing a computerized system. (Level 1)
7.9 Identify internal control considerations in personal computer, online, and database environments. (Level 1)
7.10 Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)
Page 1 of 32
7.11 Describe how an auditor could use computers in conducting audits by using test data and generalized audit software. (Level 1)
7.12 Describe ways to use computers for an audit. (Level 1)
7.1 Company operations and computer systems
Learning objective
Explain the major effects of computerization of accounting systems on a company’s operations and the
audit approach. (Level 1)
Required readings
Chapter 7, pages 211-215 (up to “Elements of an IT-Based Information System”) and pages 223-225
(Level 1)
Chapter 9, pages 314-317 (Level 1)
CICA Handbook — Assurance, section 5141 Appendix B, section titled "Information system,
including the related business processes, relevant to financial reporting, and communication" (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," sections 1-3 (Level 2)
LEVEL 1
Computerization of accounting systems has some major effects on a company’s operations. Understanding
these effects will help you understand the audit implications better. Read Handbook section 5141 Appendix
B, the section entitled "Information system, including the related business processes, relevant to financial
reporting, and communication," which provides an overview of how the client’s information system relates to
management assertions, audit objectives, and the functions of the information system.
Scenario
Teresa is the Director of Finance for TRP Inc. As part of the business planning for the following year, the
Chief Financial Officer (CFO) has tabled a project to computerize TRP’s accounting systems. Teresa has
been assigned the task of identifying and analyzing the major effects of this project on the company’s
organizational structure and data processing. As TRP Inc.’s auditor, you must help Teresa gather information
for the project. What information will Teresa need to know?
Hint: Start by organizing the information into three categories:
effect/impact
risk
management responsibility
Solution
Transaction processes
Another effect of computerization is dramatic changes in the transaction processes. On pages 223 to 225, the
text describes these changes and provides a general statement of the audit implication for each of the
characteristics. Topic 7.3, which covers the control environment in computer-based systems, looks at the
implications of these characteristics in more detail.
Auditing approach
Computerization also causes changes in the approach to auditing. Read sections 1-3 of Reading 7-1 (CGA
Auditing Guideline No. 6) for an overview of computer environment issues, and, as you read, think about
how a computer environment will affect internal controls and the audit.
In this topic, you learned about the impact of computerization on a company’s operations. If you were the
auditor assigned to audit TRP Inc., what changes would you make in the approach to auditing?
Solution
7.1 Company operations and computer systems - Content Links
Solution
Effect/Impact: Change to the organizational structure: Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).
Risk: Appropriate internal controls lacking in computerized environment.
Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:
adequate procedures are in place and computer systems are properly documented
an adequate audit trail for significant classes of transactions exists
knowledgeable personnel are in place to support the computer system and assist management and auditors

Effect/Impact: Centralization of data processing and resulting efficiencies: Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.
Risk: Greater risk of losing large amount of data in case of breakdown of computer system.
Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)
Solution 2
There might be more stress on evaluating the internal controls of the IT department.
The auditor will have to determine if an IT specialist needs to be brought into the audit team and how
this will affect the nature, extent, and timing of audit procedures.
Make planning decisions regarding other resources that will be needed for the audit, such as the use of
computer-assisted audit techniques.
7.2 Major elements in today’s computer environment
Learning objective
Discuss the major elements of audit significance in today’s computer environment. (Level 2)
Required readings
Chapter 7, pages 215-216, "Elements of an IT-Based Information System" (Level 2)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," sections 9 and 10 (Level 2)
LEVEL 2
Be aware of major elements in today’s computer environment. You have already studied basic elements of
computer-based systems in Managing Information Systems [MS1] or its equivalent.
The major elements of audit significance include microcomputers, databases, online systems, and electronic
commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in
section 9 of CGA AuG-6 "Auditing in an EDP Environment" (Reading 7-1). Internal controls with respect to
microcomputers will be explained in detail in Topic 7.5.
Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and
paragraphs 10.5 to 10.11 outline the characteristics of database systems.
Electronic commerce is transforming the business environment and is likely to give rise to a wide range of
assurance engagements for public accountants. You consider some of the audit implications of electronic
commerce in Topic 7.6.
Microcomputers
Experienced auditors are concerned about their ability to keep up with the advances in information
technology. Companies used to only use mainframe computers and terminals; now, many companies are
using computer networks.
Concerns for auditors
The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now,
the auditor is concerned about the proliferation of stand-alone computers and software. With this
proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work
an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could
change the programs used to process the company’s data. Now, each employee with access to a computer
could also have access to the software that runs on that computer and could alter it unless adequate
safeguards are in place.
Database systems
These systems store data in a central location under the control of the database administrator. The use of
centralized database management systems can result in more reliable data because there is no redundant
(duplicate) data, thus removing the chance of conflicting information.
However, the database administrator typically exercises substantial power over the databases. This
concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor
must carefully review the activities of the database administrator and examine any audit trail provided by the
database management system to ensure that there are adequate compensating controls over the activities of
the database administrator.
The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection
of databases. Because all the systems rely on the databases for accurate processing, the auditor should
confirm that there is adequate internal control to ensure the integrity of the databases.
Online systems
The most common forms of online systems are real-time processing and online batch processing. The ATM
you use to make withdrawals from or deposits to your bank account is an example of an online real-time
processing system.
Access control and security of online systems
Auditors should be particularly concerned with access control and security of online systems because there
may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with
unauthorized access to an online accounts receivable file may, intentionally or unintentionally, wipe out the
balances in individual accounts. A programmer with unauthorized access may modify the code of a program
to the detriment of the company.
The security measures used to protect traditional batch systems (guards and locks) are ineffective for online
systems because it may be possible to access such systems from any location using a terminal and a phone
line. The backup and recovery procedures of online systems should also be carefully reviewed by the auditor.
This is especially important because the lack of source documents will likely make it impossible to
reconstruct data files if backup is inadequate.
Control over online systems
Unlike traditional systems, online systems permit transactions to be entered directly through terminals,
without requiring the use of source documents on paper. To exercise control over online systems,
management can require that transactions first be recorded on paper-based source documents and then the
source documents be approved before entry into the computer system. Such paper-based source documents
form the audit trail needed by the auditor.
What are the implications for the auditor's ability to obtain evidence if no paper-based source documents are
used? What checks and control can be instituted instead of the use of source documents?
Solution
EDI (Electronic Data Interchange)
EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and
contracts are created through two interacting computer systems. EDI allows organizations with dissimilar
computing environments to exchange electronic business documents without using paper.
What are the benefits of EDI?
Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access
to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks
as well, but the increasing use of EDI suggests that the benefits outweigh the costs.
How do EDI transactions impact the auditor’s work?
The implications for auditors are the loss of the audit trail that results from the paperless environment and the
lack of human intervention, which results in total dependence on the electronic system. These characteristics
significantly increase risk, making control assurance the key objective in EDI environments. Auditors, in turn,
need to monitor EDI controls throughout the period under audit, for example, through the use of software that
allows tagging of transactions to trace their processing.
To control potential legal risks, businesses may require their trading partners to enter into trading partner
agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of
specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI
control environment. Such audit opinions may become mandatory, which will likely encourage development
of generalized control standards and criteria. Consequently, auditors will have to be better trained in this
emerging area of information technology.
7.2 Major elements in today's computer environment - Content Links
Solution
The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such
cases, the auditor may need to perform more extensive tests of details of balances.
A common characteristic and desirable control for online systems that permit direct data entry without source
documents is subjecting data to immediate validation checks by the system. To continue with the ATM
example, the system checks for a correct PIN, then accesses the information from the customer’s bank
account file to determine if there are enough funds to allow the customer to withdraw money from the
ATM.
7.3 Audit implications — Computer-based systems
Learning objective
Explain the audit implications of a simple computer-based system for a company’s internal control as
it relates to the organizational structure and the processing of transactions. (Level 1)
Required readings
Chapter 7, page 234 (Level 2)
CICA Handbook — Assurance, paragraphs 5141.057-.063 (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," section 4 (Level 2)
LEVEL 1
Implications of computer processing for internal control
Internal control objectives are the same under manual systems and computer systems; however, their
evaluation is different. The auditor must be aware of the differences between these two systems. Certain
differences between manual and computerized systems may result in improved controls, while other
differences may result in reduced controls. Some differences — for example, the centralization of processing
— may be a mixed blessing.
Reading 7-1, section 4, provides a perspective for assessing risk and internal control in a computer
processing environment. The characteristics of computer-based systems are such that either new internal
controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become
familiar with all the characteristics that have internal control implications. In this topic, you look at the
organizational structure required to manage the computer system, the nature of transaction processing, and
the effect on auditing. Review Handbook paragraphs 5141.057-.063, which highlight the risks and benefits
of manual and automated elements of internal control relevant to the auditor’s risk assessment.
Topic 7.4 describes audit implications as they relate to system access and design, and backup and recovery
procedures. Note that the guidelines deal with internal controls over computer activities; they do not describe
computer processing as part of internal controls over an organization’s operations. By themselves, computer-based
systems are tools; they are not policies and procedures. The more important implications of simple
computer-based systems on internal controls are explained below.
Concentration of functions
One of the most important issues related to a computer processing system is the potential control risk
associated with the concentration of functions.
Scenario
Your audit manager informs you that in general, implementation of computer-based systems requires new
policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit
implication is to ensure that appropriate controls are in place, which may include segregating the following
functions:
data control
data entry
computer operation
data and programs custody
Do you agree that this is possible for traditional large systems? If so, outline the appropriate function
segregation (key players involved and their functions) in a typical computer department that will facilitate
detection of errors and prevent fraudulent manipulation.
Solution
In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be
applied to microcomputer systems?
Solution
Documentation of transactions
The use of computer systems will undoubtedly reduce the amount of physical documentation available for
the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and
completeness that are traditionally supported by documentation.
Documentation deficiencies can take the following forms:
Input documentation, such as batch entry sheets and purchase invoices, which normally contains
evidence of authorization and validity, does not exist.
Audit trail documents, such as ledgers, reports, and records, are not available, except for machine-readable documents.
Output documentation providing evidence of transactions, including trial balances and invoices, is not
produced by the computer system.
Data may be input into the system without leaving an audit trail of transactions.
Example
A customer may order goods by accessing the client’s system directly; therefore, no hard copy purchase
order would exist. The internal accounting, the preparation of the invoice and shipping documents, the debit
to accounts receivable and the related credit to sales, the debit to cost of goods sold and the related credit to
inventory, and the reduction in the inventory records for the quantities sold will all be done without hard
copy documentation. The auditor must be able to confirm that the system is properly recording all these
activities.
Automatic transactions
Scenario
Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business
planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various
user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting
transactions be initiated and completed within the computer automatically. For example, a sales commission
may be calculated and paid automatically by the system without human intervention. Another example is
pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system.
What comments should Teresa provide in light of controls that may be required for such transactions?
Solution
Another aspect of automatic transactions in computer systems is the multiple update of accounts that arises
from a single transaction. A single receipt of payment entry in a computer system can simultaneously update
the cash and accounts receivable, the customer’s account, and the credit profile of the client.
Another example arises in the capital markets. Worldwide, computers are instructed to initiate and complete
buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you
imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive
selling of financial assets such as stocks and derivatives?
The auditor should be aware of the extent to which a single transaction or entry affects accounts and other
files. Auditors should make certain that controls exist and are effective.
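The receipt-of-payment entry described above, as an added illustration that is not code from the course text or its readings: one user entry generates tagged updates to cash, the accounts receivable control account, the customer's sub-ledger account and the credit profile, and the tag lets an auditor trace every record the entry produced and check that the multiple update stayed in balance. Account names, customer numbers and amounts are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Posting:
    """One record written by the system. entry_id is the tag that ties the record
    back to the single user entry that caused it (the transaction-tagging idea)."""
    entry_id: str
    target: str      # file updated: general_ledger, ar_subledger or credit_profile
    key: str         # account code or customer number within that file
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")
    note: str = ""


class AccountingSystem:
    # Constructed account names for the illustration.
    CASH = "1000 Cash"
    AR_CONTROL = "1200 Accounts receivable"

    def __init__(self) -> None:
        self.postings: list[Posting] = []
        self._next_entry = 1

    def receipt_of_payment(self, customer: str, amount: Decimal) -> str:
        """The user keys one receipt; the system itself updates cash, the AR
        control account, the customer's sub-ledger account and the credit
        profile, every record carrying the same entry tag."""
        if amount <= 0:
            raise ValueError("receipt amount must be positive")
        entry_id = f"RCT-{self._next_entry:04d}"
        self._next_entry += 1
        self.postings.extend([
            Posting(entry_id, "general_ledger", self.CASH, debit=amount),
            Posting(entry_id, "general_ledger", self.AR_CONTROL, credit=amount),
            Posting(entry_id, "ar_subledger", customer, credit=amount),
            Posting(entry_id, "credit_profile", customer, note="payment received"),
        ])
        return entry_id

    def trace(self, entry_id: str) -> list[Posting]:
        """Every record one entry touched, in posting order: the tagged audit trail."""
        return [p for p in self.postings if p.entry_id == entry_id]

    def entry_is_balanced(self, entry_id: str) -> bool:
        """Processing control: general-ledger debits and credits generated by the
        entry must agree, and the entry must have posted to the ledger at all."""
        gl = [p for p in self.trace(entry_id) if p.target == "general_ledger"]
        return bool(gl) and sum(p.debit for p in gl) == sum(p.credit for p in gl)

    def subledger_agrees_with_control(self) -> bool:
        """Reconciliation: net movement on the customer sub-ledger must equal the
        net movement on the AR control account. A record written to one file
        but not the other (a program defect) is caught here."""
        sub = sum(p.credit - p.debit for p in self.postings
                  if p.target == "ar_subledger")
        ctl = sum(p.credit - p.debit for p in self.postings
                  if p.target == "general_ledger" and p.key == self.AR_CONTROL)
        return sub == ctl


if __name__ == "__main__":
    acct = AccountingSystem()
    entry = acct.receipt_of_payment("C-0042", Decimal("250.00"))
    for posting in acct.trace(entry):
        print(posting)
    print("balanced:", acct.entry_is_balanced(entry),
          "sub-ledger agrees:", acct.subledger_agrees_with_control())
```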
7.3 Audit implications - Computer-based systems - Content Links
Solution
Segregation of duties
In traditional large systems, it is possible to segregate the functions in the computer department to detect
errors and prevent fraudulent manipulation. The data control clerk in the computer processing department
receives transaction batches from user departments and confirms that the transactions have been
appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified
for completeness and accuracy before the operator inputs that batch of data for processing.
There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations
staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems
development staff) can access and modify computer programs, provided they have authorization; however,
they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the
systems development staff on the one hand and the operations staff on the other, and the chance for
unauthorized changes to computer programs is minimized.
Solution
With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in
practice. Usually, the same person (user) has complete control over the installation of the computer programs
and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs
and data for personal gain without leaving any audit trail.
Solution
Automatic transaction processes must have appropriate controls in place. For example, input controls should
ensure that purchases or sales will not take place above a pre-specified amount, and organization controls
should ensure that changes to the program trading software are authorized and documented.
7.4 Audit implications — Access and design
Learning objective
Explain the audit implications of a simple computer-based system for a company's internal control as it
relates to system design, access, backup, and data recovery. (Level 1)
Required readings
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," section 4 (Level 2)
LEVEL 1
Unauthorized access
Concentration of data and programs as well as ease of access can lead to significant risks for the company.
For example, anybody can enter a system at almost any place on the system unless access is controlled by
such means as passwords and validation protocols. "Hackers" can break into any computer system.
Individuals within a company can access that company’s system, or part of it, without authorization. Often,
the company is not aware that its system has been compromised and is likely to be unaware of transactions
made by an unauthorized person. Unauthorized access can be made through breaking into a network, or
through not restricting access to sensitive areas where hardware and software are kept. In addition, because
there is a higher level of centralization in computer systems, unauthorized access can have catastrophic
consequences.
Audit implications
The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures
to secure restricted or sensitive areas throughout the organization. Such controls include but are not limited
to:
password controls
physical restrictions to computer equipment
activity logs regarding all access and attempted access to data files or programs
System design
Properly designed systems enable data to be processed consistently and correctly with little human
intervention. However, computer systems may produce errors that a human would never make; usually, the
fault is in the system. With manual processing, humans usually recognize absurd transactions and correct
them; computer systems do not, unless they are programmed to do so.
Example
A customer bought some furniture polish from the furniture department of a large department store on his
store credit card. The computer system was programmed to perform a limit check on each transaction, but
the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in
the product code as the price, and the sale for the bottle of furniture polish was recorded at $2,045. Neither
the clerk nor the customer noticed the error.
Several days later, the customer tried to use his store credit card again and was told that he had exceeded his
credit limit, which was $2,000. This mistake would have been avoided if the sales clerk had manually
recorded the sale on an invoice.
Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor
should ensure that such control procedures are in place.
In the case of the pricing error for furniture polish, what could have been included as part of the design
requirements to prevent or reduce such errors?
Solution
Vulnerability of hardware, software, and data files
What if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and
computers may be destroyed. If it is not possible to reconstruct the information files from another source, the
company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion,
because nothing can be verified without proper access to records.
Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor
would have to ensure that there are policies and procedures to back up and recover data, as well as adequate
insurance coverage for business interruption and for hardware replacement should it be destroyed or stolen.
7.4 Audit implications - Access and design - Content Links
Solution
Design requirements
A computer may prompt the user each time a transaction is out of the ordinary before continuing the process.
Auditors should offer their expertise to clients in the design and implementation of new computer systems.
Information system designers design computer systems for efficiency and effectiveness. They are not as
concerned with controls as auditors and management are, and may omit important internal controls such as a
test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
7.5 Internal controls in a computer environment
Learning objective
Describe general controls and application controls and how they relate to accounting controls. (Level 2)
Required readings
Chapter 7, pages 226-228 and 235-246 (up to Review checkpoints) (Level 2)
CICA Handbook — Assurance, paragraph 5141.093 (Level 2)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," section 4 (Level 2)
LEVEL 2
Technology and technological changes can present risk to a business in different ways. Handbook paragraph
5141.093 provides recommendations relating to the auditor’s risk assessment process in an IT environment.
Internal controls in a computer environment are made up of general controls and application controls.
Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls
and application controls are also described on pages 235 to 245 of the text.
The control hierarchy diagram in Exhibit 7-1 illustrates how computer controls, including their general and
application controls components, fit into the overall internal control framework of the organization.
Exhibit 7-1
Control hierarchy diagram
General and application controls
A general control applies to overall computer processing activities (for example, controls over systems
development and maintenance, operations, and backup), while an application control is specific to
accounting applications (for example, controls over authorizing, recording, and processing of transactions).
General controls are an extension to computer controls of the control environment concept covered in
Module 5. Like the control environment, general controls are mostly preventive in nature and are the controls
that apply to all parts of the computer systems. The boxes on text pages 235 and 237 illustrate some general
controls that auditors should consider.
The general control procedures establish a structure of control over the management and operation of
information systems rather than the specific systems themselves.
Question
General controls include documentation and system development controls. Why do these controls ultimately
relate to the accurate processing of data, and why are they viewed as preventive in nature?
Solution
Backup, file security, and file retention
The general control procedures of backup, file security, and file retention are described on pages 238-240 of
the text. Backup controls are one of the most important general controls, not only for audit planning purposes,
but also possibly for accounting disclosure purposes. Why is this so?
Solution
Management and the auditor should be equally concerned that backup control objectives are met.
Reasonableness check
Application controls are needed to replace the loss of human review that normally exists in a manual system.
The lists on text pages 243 and 244 illustrate typical application controls organized by input, processing, and
output controls. Note that the application controls are often embedded in the software used by the client. The
boxes on pages 243 and 244 illustrate important input, processing, and output controls that the auditor should
consider for each application.
Scenario
Teresa, Director of Finance for TRP Inc., has met with Mario, TRP’s Payroll Manager. Mario has indicated
that in the current manual system, a payroll clerk was able to instantly recognize that 1,000 hours recorded
for a single employee during a one-week period is physically impossible. Mario would like to know how this
error could be detected if the same processing were done by computer. What do you think Teresa’s answer
would be?
Solution
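As an added illustration of the application controls discussed in this topic and of the design question about the furniture-polish sale in Topic 7.4 (this is not code from the course text or its readings), the following Python models a department limit check beside a price-reasonableness check, and a reasonableness check on weekly payroll hours. The catalogue, the department limit, the price tolerance and the 60-hour policy maximum are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed catalogue for this illustration: product code -> (description, list price, department).
CATALOGUE = {
    "2045": ("Furniture polish, 500 ml", 7.95, "furniture"),
    "3110": ("Oak dining table", 1899.00, "furniture"),
}

# Limit check per department, as the text describes: the furniture limit is set high
# because furniture has a high unit price, so on its own it lets the polish error through.
DEPARTMENT_LIMITS = {"furniture": 5000.00}

# Reasonableness check: an entered unit price more than this fraction away from the
# catalogue list price is flagged for the clerk to confirm before the sale posts.
PRICE_TOLERANCE = 0.25

# Physical ceiling on hours in one week; a policy ceiling (overtime rules) is lower.
PHYSICAL_MAX_WEEKLY_HOURS = 7 * 24


@dataclass(frozen=True)
class Sale:
    product_code: str
    quantity: int
    unit_price_entered: float

    @property
    def amount(self) -> float:
        return round(self.quantity * self.unit_price_entered, 2)


def limit_check(sale: Sale) -> list[str]:
    """Flag only when the transaction total exceeds the department limit."""
    description, _list_price, department = CATALOGUE[sale.product_code]
    limit = DEPARTMENT_LIMITS[department]
    if sale.amount > limit:
        return [f"limit: {description} total {sale.amount:.2f} exceeds "
                f"{department} limit {limit:.2f}"]
    return []


def price_reasonableness_check(sale: Sale) -> list[str]:
    """Flag an entered unit price that is implausible for the product, whether or
    not the total is within the department limit. This is the design requirement
    the Topic 7.4 solution asks for: a test of the reasonableness of a price,
    not merely of its arithmetic accuracy."""
    description, list_price, _department = CATALOGUE[sale.product_code]
    low = list_price * (1 - PRICE_TOLERANCE)
    high = list_price * (1 + PRICE_TOLERANCE)
    if not low <= sale.unit_price_entered <= high:
        return [f"reasonableness: {description} entered at "
                f"{sale.unit_price_entered:.2f}, list price {list_price:.2f}"]
    return []


def validate_sale(sale: Sale) -> list[str]:
    """Run the input controls in turn. An unknown product code is a validity
    failure and stops the other checks. An empty list means the sale may post."""
    if sale.product_code not in CATALOGUE:
        return [f"validity: unknown product code {sale.product_code!r}"]
    return limit_check(sale) + price_reasonableness_check(sale)


def payroll_hours_check(employee_id: str, hours: float,
                        policy_max: float = 60.0) -> list[str]:
    """Reasonableness check standing in for the payroll clerk's judgement.
    Hours above the policy maximum are held for review; hours above what one
    week contains are rejected outright. policy_max is an assumed figure."""
    if hours < 0:
        return [f"validity: employee {employee_id} has negative hours {hours}"]
    if hours > PHYSICAL_MAX_WEEKLY_HOURS:
        return [f"reject: employee {employee_id} recorded {hours} hours, "
                f"more than a week contains"]
    if hours > policy_max:
        return [f"review: employee {employee_id} recorded {hours} hours, "
                f"above policy maximum {policy_max}"]
    return []


if __name__ == "__main__":
    # The clerk keys the product code as the price: the limit check passes,
    # the reasonableness check holds the sale for confirmation.
    polish = Sale("2045", 1, 2045.00)
    print(validate_sale(polish))
    print(payroll_hours_check("E-017", 1000))
```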
Understanding internal control in a computer environment
The auditor’s objective of understanding internal control and assessing control risk is the same for a
computer system as for a manual system. The auditor wants to determine how much reliance can be placed
on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from
the tests of details of balances. If the computer system is very complex, the auditor may need the assistance
of a computer audit specialist.
Scenario
TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for
the fact that the auditor’s objective of understanding internal control and assessing control risk is the same
for the computer system as for a manual system, what special audit considerations would likely be triggered
in a conversion?
Solution
7.5 Internal controls in a computer environment - Content Links
Solution
These controls affect the integrity of the various application programs that are developed and documented by
the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to
prevent errors from occurring.
Solution
Backup controls and control procedures are of particular interest because they have serious accounting
implications. One of the basic assumptions underlying a company’s financial statements is that the company
is a going concern. Researchers have estimated that a large company, which has computerized its system
extensively, would be out of business in less than two weeks if its system was extensively damaged and it
did not have backup systems and hardware.
Solution
The payroll software should have built-in limits or reasonableness checks to flag such transactions.
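The built-in limits the solution describes, as an added example that is not part of the course notes or TRP Inc.'s system: the per-record edit checks (validity, limit, reasonableness) and batch controls (record count, control total) that take over the clerk's review once timekeeping is computerized. The employee master file, the 168-hour hard limit, the 60-hour review threshold and the sample batch are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Policy limits and master data are constructed assumptions for this example,
# not TRP Inc.'s real figures.
HOURS_IN_WEEK = 168.0            # hard limit: more hours than a week holds is physically impossible
REASONABLE_WEEKLY_HOURS = 60.0   # soft limit: above this, hold the record for supervisor review
VALID_EMPLOYEE_IDS = {"E001", "E002", "E003"}


@dataclass(frozen=True)
class TimeRecord:
    employee_id: str
    week_ending: str
    hours: float


@dataclass
class BatchResult:
    batch_errors: list = field(default_factory=list)   # control total failures for the whole batch
    accepted: list = field(default_factory=list)       # records passed on to pay calculation
    rejected: list = field(default_factory=list)       # (record, reason): never processed
    flagged: list = field(default_factory=list)        # (record, reason): processed only after review


def check_record(rec: TimeRecord):
    """Edit checks on one input record. Returns (status, reason) with status in
    {"accept", "reject", "flag"}. This is the programmed replacement for the
    clerk who could see at a glance that 1,000 hours in a week is impossible."""
    if rec.employee_id not in VALID_EMPLOYEE_IDS:          # validity check against the master file
        return "reject", "unknown employee id"
    if rec.hours < 0 or rec.hours > HOURS_IN_WEEK:          # limit check: values that cannot occur
        return "reject", f"{rec.hours} hours in one week is physically impossible"
    if rec.hours > REASONABLE_WEEKLY_HOURS:                 # reasonableness check: possible but unusual
        return "flag", f"{rec.hours} hours exceeds the {REASONABLE_WEEKLY_HOURS}-hour review threshold"
    return "accept", ""


def process_batch(records, expected_count: int, expected_hours_total: float) -> BatchResult:
    """Batch input controls (record count and control total of hours, both
    supplied with the batch by the originating department) followed by the
    per-record edit checks."""
    result = BatchResult()
    if len(records) != expected_count:
        result.batch_errors.append(f"record count {len(records)} != control count {expected_count}")
    hours_total = round(sum(r.hours for r in records), 2)
    if hours_total != round(expected_hours_total, 2):
        result.batch_errors.append(f"hours total {hours_total} != control total {expected_hours_total}")
    for rec in records:
        status, reason = check_record(rec)
        if status == "accept":
            result.accepted.append(rec)
        elif status == "reject":
            result.rejected.append((rec, reason))
        else:
            result.flagged.append((rec, reason))
    return result


# Constructed weekly input batch: one normal record, the 1,000-hour case from
# the scenario, one unusual-but-possible record, and one unknown employee.
SAMPLE_BATCH = [
    TimeRecord("E001", "2024-03-08", 40.0),
    TimeRecord("E002", "2024-03-08", 1000.0),
    TimeRecord("E003", "2024-03-08", 65.0),
    TimeRecord("E999", "2024-03-08", 38.5),
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH, expected_count=4, expected_hours_total=1143.5)
    print("batch errors:", res.batch_errors)
    for rec, reason in res.rejected:
        print("REJECTED", rec.employee_id, reason)
    for rec, reason in res.flagged:
        print("FLAGGED ", rec.employee_id, reason)
    print("accepted:", [r.employee_id for r in res.accepted])
```

The rejected and flagged lists are the exception report an auditor would expect to see reviewed and signed off by the payroll manager, which is the output control that closes the loop.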
Solution
To rely on internal control, the auditor must audit the internal controls of the original accounting system up
to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the
new system, and audit the new internal controls to the year end.
In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion.
The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but
would in any case audit the conversion to ensure that the client correctly carried forward the account
balances from the old to the new system. This will apply as well in situations where there is a change from
one computer system to another.
7.6 Audit implications of electronic commerce
Learning objective
Explain the impact of EDI and the Internet on a company’s operations and the implications of
electronic commerce for the company’s internal control and for its audit. (Level 2)
Required reading
Chapter 9, pages 339-343 (Level 3)
LEVEL 2
Internet and electronic commerce
The Internet or World Wide Web is rapidly evolving in a variety of ways as a major force in commerce. This
impacts the auditor in the following ways:
The Internet provides a vast source of information auditors can use in the course of their work. This
information includes real-time access to financial indicators, clients’ public documents, news, and
quotes.
Companies can conduct some or all of their business through the Internet. Therefore, there is an
anticipated need to provide customized assurance services for these companies.
A company’s Internet web page is an open door into the company’s network systems. Therefore,
security problems may arise if proper controls are not in place.
Website security
In October 1997, the AICPA and CICA announced a joint program of developing and promoting assurance
services for websites on the Internet. The most immediate impact on business is the creation of business
websites. It is becoming commonplace for businesses to create an Internet presence through a website. Most
websites started as information sources about the company by converting existing brochures and other
documents into a web format.
Business websites are rapidly becoming more promotional in nature and an important new marketing tool in
an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving
to be a major link to customers and suppliers, with the result that companies are using websites to make sales
and purchases, to help in the design of products and marketing strategy, and to distribute and share financial
and other information.
More and more websites are turning into the major outlet or "store fronts" for companies as electronic
commerce (transactions over the Internet or other networks) increases in popularity.
Securing sales transactions
Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or
equivalent. Other important security technologies to help with other issues include
digital certificates (for authentication and non-repudiation)
secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) (for privacy)
access control lists (for authentication)
firewalls (part of organization’s overall security plan)
Question
Electronic commerce introduces a new set of concerns for companies such as designing and positioning a
site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy.
What are some of the control features an auditor should be looking for in order to address these concerns?
Highlight both technological controls as well as organizational controls.
Solution
7.6 Audit implications of electronic commerce - Content Links
Solution
One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an
organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out
of the organization’s network and can be configured to both block certain kinds of data or to block all traffic
from particular locations.
Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan.
Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm,
or similar destructive agent. A company engaged in electronic commerce needs to address issues related to
authentication, authorization, privacy, and non-repudiation.
Technological controls also need to be supplemented by organizational controls, such as educating
employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A
company should also set up policies regarding the use of e-mail because the security of sensitive information
sent via electronic mail is questionable.
7.7 Auditing computer systems — General considerations
Learning objective
Describe how an audit is conducted in a computer environment. (Level 1)
LEVEL 1
Complying with GAAS examination standards
Regardless of whether an entity operates a manual system, a computer system, or a combined manual and
computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may
complete the audit in a computer environment (or combined computer and manual environment) along the
following lines.
First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to
plan the audit, the auditor should obtain an understanding of the computer processing configuration, the
method of processing and related matters, in order to assess inherent risk in connection with planning the
audit. For instance, the auditor will consider the impact of computer processing in determining the nature,
timing, and extent of auditing procedures.
Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general
controls (control environment factors) pertaining to accounting systems applications that are significant to
the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor
should obtain an understanding of the application controls over input, processing, and output (control
systems) relating to major transaction classes and account balances that are significant to the audit. This can
be done through review of systems documentation, for example.
Based on the understanding of the computer processing system and related manual internal control policies,
and procedures with respect to specific assertions at the account balance or classes of transactions level, the
auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level, and use
a substantive approach or a combined approach accordingly. When using a combined approach, the auditor
would perform tests of controls on those internal control policies and procedures (covering both manual and
computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a
computer for performing tests of controls or dual-purpose procedures.
Based on tests of controls, the auditor would finalize control risk for specific assertions at the account
balance or class of transactions level, and determine the nature, timing, and extent of substantive procedures
in light of materiality and inherent risk. Some of these procedures could be performed using computers and
others performed manually.
Third examination standard of GAAS: The auditor would perform the substantive procedures determined
previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance
and transactions level. In this regard, the auditor may consider using generalized audit software packages
where appropriate.
7.8 General strategy in auditing computerized systems
Learning objective
Describe the phases of auditing a computerized system. (Level 1)
Required readings
Chapter 9, pages 314-317 (Level 1)
CICA Handbook — Assurance, paragraphs 5141.080-.088 (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," section 5 (Level 1)
LEVEL 1
Reading 7-1 section 5 describes audit planning considerations in a computer environment. Detailed guidance
on obtaining understanding of the accounting information system and the nature of the internal control
procedures is given in Handbook paragraphs 5141.080-.088. The steps in evaluating computer processing
controls can be summarized as follows.
Preliminary evaluation of internal control
Auditors should conduct a preliminary evaluation of the general and application controls that may be
effective and efficient for performing the audit. The general controls may have a pervasive effect on the
processing of transactions in applications systems. If these controls are not effective, the risk is that errors
might occur and go undetected in the application system. Thus, weaknesses in general controls may make
certain application controls unreliable. However, manual procedures exercised by the users may provide
effective compensating control at the application level. Can you identify a compensating control?
Solution
What happens if the auditor concludes that there are weaknesses in general or application controls that
preclude reliance on those controls?
Solution
Test of controls procedures and final evaluation
The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls
that they intend to rely on were functioning properly throughout the period of intended reliance, and that they
can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test
of controls procedures do not change from those in a manual environment; however, some audit procedures
may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary,
or may prefer, to use computer-assisted audit techniques (CAATs).
If the auditor obtains evidence that the controls were not operating as designed, or the test of controls
procedures indicate that the general controls do not provide reasonable assurance that the application
controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the
planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of
substantive procedures.
7.8 General strategy in auditing computerized systems - Content Links
Solution
To compensate for lack of appropriate processing controls, the payroll department can scan the detailed
listing of weekly or monthly salary payments for unusual amounts.
Solution
The auditor does not need to continue to review documentation or to perform compliance procedures.
Instead, the auditor may seek to accomplish the audit objectives through the application of substantive
procedures.
7.9 Specific internal control considerations
Learning objective
Identify internal control considerations in personal computer, online, and database environments.
(Level 1)
Required readings
Chapter 7, pages 246-249 (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," sections 9 and 10 (paragraphs 10.1 to
10.11) (Level 1)
LEVEL 1
Internal control considerations in personal computer, online, and database environments
Text pages 246 to 249 and AuG-6, section 9, provide an overview of the audit considerations in a personal
computer environment.
Weaknesses
The control environment for stand-alone microcomputers is generally weak as a result of several factors:
lack of segregation of duties
lack of physical security of the microcomputer and its files
lack of computer knowledge
lack of reliable hardware and software
lack of documentation for software and software changes
Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In a
typical microcomputer environment, it may not be easy to distinguish between general controls and
application controls. Frequently, it may not be practicable or cost-effective for management to implement
sufficient controls to reduce risks of undetected errors to a minimum level.
The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able
to rely on owner/manager controls to compensate for the poor control environment.
Reading 7-1, paragraphs 10.1 to 10.11, outlines the internal control considerations for online and database
systems.
7.10 Approaches to auditing computerized systems
Learning objective
Explain the difference between auditing around/without the computer and auditing through/with the
computer to test internal control. (Level 1)
Required reading
Chapter 9, pages 348-349, Exhibit 9-14 on page 348 (Level 1)
LEVEL 1
There are two terms to describe the methods of auditing computerized systems — auditing around the
computer and auditing through the computer.
Auditing around the computer
When auditing around the computer, no attempt is made to evaluate the internal processes of the computer.
This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to
and from source documents and outputs. Exhibit 9-14 on page 348 illustrates this process of manually
processing sample documents and comparing those results to the same documents processed by the client’s
system.
Auditing through the computer
This approach consists of auditing the computer processing system or data produced by the system to
determine how much reliance can be placed on the various internal controls programmed into the system.
Exhibit 7-2 summarizes the two approaches.
Exhibit 7-2
Auditing around the computer and through the computer

How is it done?
Auditing around the computer: No attempt is made to evaluate the internal processes of the computer.
Consists of vouching or tracing to and from source documents and outputs.
Auditing through the computer: Auditing the computer processing system or data produced by the system
to test the programmed controls.

Advantage(s)
Auditing around the computer: Simplicity – does not require computer-proficient personnel. May be more
cost effective.
Auditing through the computer: Sophisticated method and may be the only method if significant parts of
the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?
Auditing around the computer: Requires sufficient audit trail of visible evidence.
Auditing through the computer: This method must be used if any one of the following exists:
Large volumes of input/output (direct examination of the records is difficult)
Lack of visible audit trail (significant parts of the internal controls are embedded in the computer
system)
System is complex and includes key parts of the accounting system

Approaches
Auditing around the computer: Bypasses the computer (auditing without the computer).
Auditing through the computer: Two main approaches: 1. Test data; 2. Parallel simulation.
7.11 Approaches to auditing through the computer
Learning objective
Describe how an auditor could use computers in conducting audits by using test data and generalized
audit software. (Level 1)
Required readings
Chapter 9, pages 349-357, Exhibits 9-15 and 9-16 on pages 351 and 352 (Level 1)
Reading 7-1: CGA AuG-6, "Auditing in an EDP Environment," section 6 (Level 1)
LEVEL 1
There are several approaches to auditing through the computer. The text describes two of these approaches to
"auditing with the computer" to test a company’s programmed controls:
the test data approach
the auditor’s computer program approach, including generalized audit software (GAS)
Each approach has its particular strengths and weaknesses and may be used alone or in combination. As
clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less
visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the
two approaches described. Exhibit 7-3 compares the two approaches.
Exhibit 7-3
Test data and parallel simulation approaches

Test data approach
Strengths: Uses the uniformity principle (once a computer is programmed to handle transactions in a
certain logical way, it will handle every transaction in a similar fashion).
Weaknesses: A computer system may contain errors that offset each other, providing output that appears
to be correct. Without examining the internal processing logic of the computer systems, the auditor can
only "prove" that the computer system works correctly with the test data used. The auditor has no means
to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach
Strengths: The auditor’s own programs can be tailored to the client’s system.
Weaknesses: The programs may be costly to develop and modify. Generalized audit software (GAS) makes
the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform
most tasks needed in auditing and business applications.
The test data approach involves developing simulated data that are processed using the client’s actual
computer program (or a copy thereof), and then comparing the output to predetermined results.
When using the test data approach, the auditor must ascertain that the computer system being tested is the
same one the client used to process data for the entire period under review, and that none of the test data has
contaminated the client’s records and files. Because of the high risks of not detecting system errors in
complex systems, the test data approach is not the best approach to use in auditing such systems.
Parallel simulation consists of processing client data using the auditor’s program and comparing the result
to the output of the same data processed by the client’s program. This process can be performed by
generalized audit software (GAS).
Exhibit 9-16 on page 352 illustrates how an auditor would use developed software as a parallel simulation.
Some larger firms develop software for the audit of specific clients (for example, life insurance companies).
Generalized audit software
Generalized audit software has the advantages of being relatively easy to use and widely applicable.
GAS can be used to process a variety of files in different formats or media to perform a number of functions,
such as sampling, calculating totals and subtotals, selecting specific records, and so on. Text page 354 lists a
number of techniques (with excellent examples) that the auditor can perform if the client’s data are in
machine-readable form.
Reading 7-1, CGA AuG-6 section 6, "Computer-assisted audit techniques (CAATs)," explains the uses of
CAATs.
7.12 Computer-aided auditing
Learning objective
Describe ways to use computers for an audit. (Level 1)
Required reading
Chapter 9, pages 357-358 (Level 1)
LEVEL 1
On pages 357 to 358, the text describes several ways to use computers for an audit. The future of computers
in auditing is firmly established because of their small size yet large computing power. Hardware is being
developed that is more powerful yet more compact, such as laptop and notebook computers. The
development of software to support the new hardware is keeping pace. Many public accounting firms
provide staff with computers; laptop and notebook computers are becoming as ubiquitous as the auditor’s
briefcase.
This exciting area of audit practice creates new opportunities as well as risks. The CICA study "Assurance
Engagement Working Paper" (1997) provides a good analysis of the issues. For example, industry
information and information on comparable companies can be obtained on the Internet as a means to
improve the auditor’s knowledge of the business and in performing analytical procedures. Only a lack of
creativity prevents the auditor from maximizing the potential of the Internet.
The summary below highlights some of the software programs and aids available to auditors.
Commercial general use software. Spreadsheet programs such as Microsoft Excel or Lotus 1-2-3 can be
used for analysis or for sampling (see Computer activity 6-1 in Topic 6.11). Word-processing programs such
as Microsoft Word or WordPerfect are useful for drafting statements or preparing reports and letters.
Pre-built spreadsheet templates. Pre-built spreadsheet templates are often used by auditors (for example,
model working papers and financial statements).
Special use software. Some academics and public accountants see the development of expert systems as one
of the next major developments in auditing. The work on expert systems is slow and very expensive. There
are some applications in auditing — one application developed in the United States by KPMG Peat Marwick
can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning
and for assessing EDP controls.
Custom programs. These special programs are written by auditors to audit specific areas. For example, one
large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.
Working paper software. Almost all public accounting firms now use working paper software developed
either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may
be modified with specialized templates or electronic forms to prepare working papers and letters such as
confirmations, engagement, and management letters. The main purpose of working paper software is to
automate calculations such as footings and extensions, as well as to perform the carryforward functions such
as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial
statements.
Networked files. Adopting technological advances allows several auditors to work independently on
different sections of the audit on their laptop computers hooked up to a network. The network continually
integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.
Team members in different locations can coordinate their work by sending each other copies of their portion
of the audit file, while supervisors can monitor progress and provide feedback without being physically
present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.
Standardized document templates. The use of standardized templates provides a common starting point for
all documents. A database of templates can be useful in customizing documents such as internal control
questionnaires, audit programs, and sample letters. Links can also be established to other databases or even
to websites so that data or information from these sources can be cross-referenced or transferred to the
working papers. Thus, not only various staff but also various sources of information can be integrated to
support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in
hardware, software, and training of staff.
Audio lectures
Audio lectures are available for this module. System requirements and instructions on how to access the
online lectures are included.
Module 7 Summary
Computer auditing
This module considers the effect that computer processing has on both the control environment and the audit
of financial statements.
Explain the major effects of computerization of accounting systems and describe the major
elements in today’s computer environment.
Effects on the company’s operations
absence or short life of transaction trails
uniform processing of transactions
concentration of functions
increased potential for certain types of errors and irregularities
potential for increased management supervision and review
existence of system-generated transactions
Effects on the approach to auditing
Consider IT-related matters when planning the audit
The impact of the computer environment on internal controls and the audit
Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).
Explain the implications of a simple computer-based system for a company’s internal
control.
Although control objectives do not change, the procedures used to achieve control and the means of
evaluation will change. Increased concern must be placed on controls related to
the concentration of functions
documentation of transactions
controls over access to programs and data
controls over system design and maintenance
controls over online authorizations and system-generated transactions
protection of the system against hazards of nature and against potential sabotage
Explain how audits are affected by simple computer-based systems.
When acquiring sufficient knowledge of the client’s business, the auditor should obtain an
understanding of the client’s computer systems and how they are used.
The auditor must sufficiently understand the internal controls related to the computer systems. This
understanding includes both general controls and application controls.
The auditor can also consider using computer-assisted audit techniques when gathering and evaluating
evidence concerning the assertions at the account balance and transaction level.
Describe general controls and application controls and how they relate to accounting
controls.
General controls apply to all or many computerized accounting activities. They include controls over
segregation of duties, physical access to the computer, programs, data, documentation, systems
development controls, hardware controls, backup and recovery procedures, and so on.
Application controls are related to specific applications such as order processing and payroll. They
include input controls, processing controls, and output controls.
Application controls are usually evaluated using flowcharts and internal control questionnaires in
much the same way that accounting controls are evaluated for manual systems.
The auditor must consider the potential weaknesses in the computer controls as well as the manual
controls over the data before and after computer processing.
Explain the implications of electronic commerce for a company’s internal control and for
its audit.
The main implications for internal control are related to security issues. These include control over
access to websites and protection from viruses, and so on. Both websites and the transactions carried
out on the Internet must be secure.
The main implications for the audit are an expansion of the area of knowledge required of the auditor,
who will have to gain knowledge of the additional controls and almost certainly test their performance.
Explain the effect of EDI (Electronic Data Interchange) and the Internet on a company’s
operations.
The two main effects of EDI for auditors are
a paperless environment, resulting in the loss of an audit trail
the lack of human involvement in the data interchange, resulting in a complete dependence on
the electronic system
The main concerns about the use of the Internet are related to security issues such as the need for
firewalls to keep external users outside the organization’s internal networks and systems.
Describe how an audit is conducted in a computer environment.
Auditors should comply with GAAS in GAAS audits regardless of whether an entity operates a
manual system or a computer system.
The auditor should conduct a preliminary evaluation of internal control. This should include general
and application controls the auditor might consider effective to rely on when conducting the audit.
The auditor must then test the controls to see if they were functioning properly throughout the period
being audited.
The auditor should take into account any unique internal control considerations for personal
computers, online, and database environment.
Explain the difference between auditing around/without the computer and auditing
through/with the computer to test internal controls.
Auditing around (or without) the computer consists of manually processing client transactions and
comparing the results to the computer output.
This does not necessarily violate generally accepted auditing standards and may be the most efficient
approach in some circumstances.
Auditing through (or with) the computer is usually necessary whenever the transaction volume is very
large, there is little or no audit trail, or the system is complex.
Two of the approaches that can be used in auditing through the computer are the test data and parallel
simulation approaches.
Describe how an auditor could use computers in conducting audits by using test data and
generalized audit software.
The test data approach is used by developing simulated data and processing it through the client’s
system and comparing the output to predetermined results.
Generalized audit software can be used for a variety of audit purposes. Such programs will extract data
from the client system, sort data, perform calculations, match data from different files, select statistical
samples, and generate worksheets or databases for further analysis.
The auditor should consider the extent to which it will be efficient to use computer-assisted audit
techniques in carrying out the compliance or substantive testing required for the audit.
Module 7: Self-test
Question 1
As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to
properly audit a computer processing installation. Describe the skills and competence required to perform
such an audit, and explain why they are so important.
Solution
Question 2
Review checkpoint 7.19, page 226.
Solution
Question 3
What concerns should an auditor have about the actual conversion when a client converts to a new
information system?
Solution
Question 4
a. Review checkpoint 7.41, page 246.
b. Review checkpoint 9.1, page 317.
Solution
Question 5
Review checkpoint 7.31, page 245.
Solution
Question 6
Review checkpoint 9.91, page 353.
Solution
Question 7
a. Review checkpoint 9.94, page 359.
b. Review checkpoint 9.103, page 360.
Solution
Self-test - Content Links
Question 1 solution
CGA Auditing Guideline No. 6, "Auditing in an EDP Environment" (Reading 7-1), paragraph 3.3 under
"Skills and competence" describes the skills and competence an auditor should have in order to properly
audit an EDP system. They are:
a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an
audit is gaining knowledge of the client’s business and the environment in which the business
operates. This includes a knowledge of the client’s information processing capability, whether it be
manual or EDP, or a mixture of both.
b. "Sufficient knowledge of EDP to implement the auditing procedures." General Standard of GAAS
5100.02 requires an auditor to have "adequate technical training and proficiency in auditing." A logical
extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP
in order to audit an EDP system, which includes assessing inherent and control risk for specific
assertions in an EDP environment, and determining substantive auditing procedures for gathering and
evaluating sufficient appropriate audit evidence.
c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to
(c).
Question 2 solution
The six characteristics important to the auditor’s understanding of IT controls are:
1. Audit trail
Some computer systems are so designed that a complete transaction trail (audit trail) may exist only
for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided
through coding, cross-references, and documentation connecting account balances and other summary
results with the original transaction documents and calculations.) Continuous auditing methods may be
required to continuously select and monitor the processing of data (for example, embedded audit
modules).
2. Uniform processing
Uniform processing subjects like transactions to the same processing instructions, potentially
eliminating the random errors normally associated with manual processing. Conversely, programming
errors (or other similar systematic errors in either the computer hardware or software) will result in all
like transactions being processed incorrectly when those transactions are processed under the same
conditions. The approach in auditing computerized files is therefore to test a small number of unusual or
exceptional transactions (rather than a large number of similar transactions, as is the case in manual
systems), and to test that the software has not been tampered with between tests. This assurance
is obtained through justified reliance on control systems that are in place to prevent unauthorized
changes and to document all changes to the software.
3. Segregation of duties
Individuals who have access to the computer may be in a position to perform incompatible functions in
an IT system that could have been controlled by segregating functions in manual systems. Password
control procedures are a control method to separate incompatible functions, such as access to assets
and access to records through an online terminal. The auditing approach puts more emphasis on the
evaluation of general internal controls of the computer centre.
4. Visibility of alterations
The potential for individuals, including those performing control procedures, to gain unauthorized
access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may
be greater in computerized accounting systems.
5. Availability of analytical tools
The IT system provides tools that management may use to review and supervise the operations of the
company. This can enhance the entire system of internal control and reduce control risk.
6. Transactions initiated or executed automatically by a computer system
The authorization of these transactions or procedures may not be documented and may be implicit in
management’s acceptance of the system design. Auditors need to assess general controls over system
development and design.
Question 3 solution
The auditor’s greatest concern is whether the data have been accurately converted to the new system. If the
new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the
cost of tracking down and converting discovered errors is very high. The auditor should also be concerned
with potential fraudulent manipulation of data during the conversion process. The auditor should always
attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the
conversion, control risk may have increased and audit procedures will have to be changed.
Accurate cut-off between the two systems is essential. Documentation of the conversion process should be
required. The auditor needs to test the accuracy and completeness of the conversion.
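Testing the accuracy and completeness of a conversion, as an added Python example that is not from the course notes: the old system's closing customer balances are reconciled to the opening balances loaded into the new system using record counts, control totals, key matching and a cut-off check. The account codes, balances, posting dates and conversion date are constructed sample data.

```python
"""Conversion testing (added example): reconcile the old system's closing
customer balances to the opening balances loaded into the new system, and
check cut-off around the conversion date. All records and the conversion
date are constructed sample data."""
from datetime import date

CONVERSION_DATE = date(2006, 3, 31)  # constructed cut-off date

# Old system closing file: (account, balance, date of last posting)
OLD_SYSTEM = [
    ("C100", 1200.00, date(2006, 3, 30)),
    ("C200", 0.00, date(2006, 2, 1)),
    ("C300", 455.50, date(2006, 3, 31)),
    ("C400", 80.00, date(2006, 4, 2)),  # posted in the old system after cut-off
]

# New system opening balances as loaded: account -> balance
NEW_SYSTEM = {"C100": 1200.00, "C300": 445.50, "C500": 10.00}


def reconcile(old, new, cutoff):
    """Return a reconciliation report covering completeness (record counts,
    accounts missing from or unexpected in the new system), accuracy (control
    totals and per-account differences) and cut-off (old-system postings dated
    after the conversion date)."""
    old_bal = {acct: bal for acct, bal, _ in old}
    report = {
        "old_count": len(old_bal),
        "new_count": len(new),
        "old_total": round(sum(old_bal.values()), 2),
        "new_total": round(sum(new.values()), 2),
        "missing_in_new": sorted(set(old_bal) - set(new)),
        "unexpected_in_new": sorted(set(new) - set(old_bal)),
        "differences": sorted(
            (acct, old_bal[acct], new[acct])
            for acct in set(old_bal) & set(new)
            if round(old_bal[acct] - new[acct], 2) != 0
        ),
        "posted_after_cutoff": sorted(acct for acct, _, d in old if d > cutoff),
    }
    # The conversion is clean only when every test above is silent.
    report["converted_cleanly"] = (
        report["old_count"] == report["new_count"]
        and report["old_total"] == report["new_total"]
        and not report["missing_in_new"]
        and not report["unexpected_in_new"]
        and not report["differences"]
        and not report["posted_after_cutoff"]
    )
    return report


if __name__ == "__main__":
    for key, value in reconcile(OLD_SYSTEM, NEW_SYSTEM, CONVERSION_DATE).items():
        print(f"{key:>20}: {value}")
```

Every line of the report needs an explanation before the converted balances can be relied on: a zero-balance account deliberately not carried forward may be acceptable if the conversion documentation says so, while a balance difference, an account that appears only in the new system, or an old-system posting dated after the cut-off is an exception to follow up.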
Question 4 solution
a. Evaluating general and environmental controls before evaluating the more specific application controls
is often most cost effective because the general and environmental controls have a more pervasive
impact and tend to be preventive in nature. Generally, a weak control environment cannot be
compensated by strong application controls because of the risks of control override and unauthorized
access and program changes, so there is no point testing specific application controls unless the overall
control environment and general controls are adequate.
b. The extent of IT use has an impact on how a client produces financial information. The information
systems and IT used in the client’s significant accounting processes influence the nature, timing, and
extent of planned audit procedures. Significant accounting processes are those relating to accounting
information that can materially affect the financial statements. Important matters to consider include
its complexity, how the IT function is organized and its place in the overall business organization, data
availability, availability of CAATs, and the need for IT specialist skills.
Question 5 solution
General control procedures include:
organization and physical access
documentation and systems development
hardware controls and preventive maintenance
data file and program control and security
backup and recovery procedures
file security
file retention
system conversion controls (procedures to ensure the data is transferred completely and accurately,
and that an accurate cut-off between the two systems is achieved)
Application control procedures include:
Input controls:
input authorization
check digits
record counts
batch financial totals
batch hash totals
valid character tests
valid sign tests
missing data tests
sequence tests
limit/reasonableness tests
error correction and resubmission
Processing controls:
run-to-run totals
control total reports
file logs
limit/reasonableness tests
Output controls:
control totals
master file changes
output distribution
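Several of the input and processing controls listed above, implemented as an added Python example (not part of the course notes or of any real system): a batch of invoice lines is checked against its header record count, financial total and hash total, each line is put through check-digit, valid character, valid sign, missing data, sequence and limit tests, and a run-to-run total ties the closing control total back to the opening total plus accepted input. The check-digit scheme, the limit, the account codes and the amounts are constructed for the example.

```python
"""Application controls (added example) over a constructed batch of sales
invoice lines: batch-level input controls (record count, financial total,
hash total), line-level input edits (check digit, valid character, valid
sign, missing data, sequence, limit/reasonableness) and a run-to-run total
as a processing control. Check-digit scheme, limit and data are constructed
for this example and not taken from any particular system."""
from dataclasses import dataclass, field
from typing import List, Tuple

LINE_LIMIT = 10_000.00  # reasonableness limit per invoice line (constructed)


@dataclass
class Line:
    seq: int       # should run 1..n without gaps or duplicates
    account: str   # five digits plus one check digit, e.g. "123450"
    amount: float  # an invoice amount must be positive (valid sign test)
    desc: str      # required field (missing data test)


@dataclass
class Batch:
    header_count: int    # record count keyed from the source documents
    header_total: float  # batch financial total: sum of amounts
    header_hash: int     # batch hash total: sum of account codes as numbers
    lines: List[Line] = field(default_factory=list)


def check_digit_ok(account: str) -> bool:
    """Weighted modulus-10 check digit (constructed scheme): weights 2..6 on
    the five body digits; the sixth digit makes the weighted sum a multiple
    of 10, so a mis-keyed or transposed digit is detected."""
    if len(account) != 6 or not account.isdigit():
        return False
    weighted = sum(int(d) * w for d, w in zip(account[:5], range(2, 7)))
    return (weighted + int(account[5])) % 10 == 0


def validate_batch(b: Batch) -> List[Tuple[object, str, str]]:
    """Apply the input controls; return (reference, control, detail) for every
    exception, where reference is "batch" or the offending line's seq."""
    ex = []
    if len(b.lines) != b.header_count:
        ex.append(("batch", "record count", f"header {b.header_count}, actual {len(b.lines)}"))
    total = round(sum(l.amount for l in b.lines), 2)
    if total != round(b.header_total, 2):
        ex.append(("batch", "financial total", f"header {b.header_total}, actual {total}"))
    hash_total = sum(int(l.account) for l in b.lines if l.account.isdigit())
    if hash_total != b.header_hash:
        ex.append(("batch", "hash total", f"header {b.header_hash}, actual {hash_total}"))
    for position, l in enumerate(b.lines, start=1):
        if l.seq != position:
            ex.append((l.seq, "sequence", f"expected seq {position}"))
        if not l.account.isdigit():
            ex.append((l.seq, "valid character", f"account {l.account!r}"))
        elif not check_digit_ok(l.account):
            ex.append((l.seq, "check digit", f"account {l.account}"))
        if l.amount <= 0:
            ex.append((l.seq, "valid sign", f"amount {l.amount}"))
        if abs(l.amount) > LINE_LIMIT:
            ex.append((l.seq, "limit", f"amount {l.amount} exceeds {LINE_LIMIT}"))
        if not l.desc.strip():
            ex.append((l.seq, "missing data", "description blank"))
    return ex


def post_batch(b: Batch, opening_total: float) -> Tuple[float, List[Line]]:
    """Processing: a batch-level exception returns the whole batch for
    correction and resubmission; otherwise lines free of exceptions post and
    the closing control total is returned with the accepted lines."""
    ex = validate_batch(b)
    if any(ref == "batch" for ref, _, _ in ex):
        return round(opening_total, 2), []
    rejected = {ref for ref, _, _ in ex}
    accepted = [l for l in b.lines if l.seq not in rejected]
    return round(opening_total + sum(l.amount for l in accepted), 2), accepted


def run_to_run_ok(opening: float, accepted: List[Line], closing: float) -> bool:
    """Run-to-run total: the closing total reported by this run must equal the
    opening total carried forward from the previous run plus accepted input."""
    return round(opening + sum(l.amount for l in accepted), 2) == round(closing, 2)


# Constructed batch: header total keyed with a transposition (12970 for 12790),
# a negative amount, a bad check digit on an over-limit line, and a sequence
# gap on a line with a blank description.
SAMPLE_BATCH = Batch(header_count=4, header_total=12970.00, header_hash=1193157, lines=[
    Line(1, "123450", 250.00, "Invoice 1001"),
    Line(2, "200006", -40.00, "Invoice 1002"),
    Line(3, "314151", 12500.00, "Invoice 1003"),
    Line(5, "555550", 80.00, ""),
])
# Same lines resubmitted with the header total corrected: only line 1 posts.
CORRECTED_BATCH = Batch(header_count=4, header_total=12790.00, header_hash=1193157,
                        lines=SAMPLE_BATCH.lines)
```

Batch-level exceptions return the whole batch for correction and resubmission before any line posts, which is what lets the transposed header total catch the keying error even though each amount on its own looks plausible; the hash total plays the same role for account codes, whose sum has no financial meaning but changes whenever a code is mis-keyed or a record is dropped.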
Question 6 solution
Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based
controls in an information system. This conclusion is used to assess the control risk and determine the
nature, timing, and extent of substantive audit procedures for auditing the related account balances in the
overall audit plan. This control risk assessment decision determines whether subsequent audit work may be
performed using machine-readable files that are produced in the system. The data-processing control over
such files is important because their content is utilized later in computer-assisted work using generalized
audit software.
Question 7 solution
a. Advantages of a generalized audit software package are:
Original programming is not required.
Designing tests is easy. Many GAS packages are PC-based and menu-driven so they operate much like
commonly used spreadsheet programs.
For special-purpose analysis of data files, GAS is more efficient than special programs written from
scratch because of the little time required for writing the instructions to call up the appropriate
functions of the generalized audit software package.
The same software can be used on various clients’ computer systems. Control and specific tailoring are
achieved through the auditors’ own ability to program and operate the system.
b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical
steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead
schedules, computing ratios, producing draft financial statements; also to prepare audit working
papers, programs, and memos. PCs can also be used in audit planning and administration.
Reading 7-1
CGA-Canada Auditing Guideline No. 6: Auditing in an EDP environment
May 2006
E-106(1)

1. Introduction

1.1 International Standards on Auditing and Related Services ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”, published by IFAC, states that the objective of an audit of financial statements is to “express an opinion whether the financial statements are prepared, in all material respects, in accordance with an identified financial reporting framework.”

1.2 The overall objective and scope of an audit does not change in an electronic data processing (EDP) environment. However, an EDP environment may significantly affect the processing and storage of financial information and related internal controls. Accordingly, the nature, timing and extent of the audit procedures may be affected.

1.3 In the context of CGA-Canada Auditing Guidelines, an EDP environment exists when a computer of any type or size is involved in the processing of financial information which is of significance to the audit, whether that computer is operated by the entity or by a third party. The EDP environment comprises computer hardware, software, manual procedures, and related support resources and services.

1.4 To determine the significance of the effect of the EDP environment on the audit, the auditors should assess the impact of the EDP environment on the operations of the client. The significance depends on the complexity and pervasiveness of the EDP operations. In other words, the more complex the EDP applications are, and the more pervasive the EDP environment is to the day-to-day operations of the client, the more dominant the EDP environment will be. Consequently, the EDP environment will have a greater impact on the audit.

1.5 In general, an EDP environment will affect the application of both tests of control and substantive procedures in several ways. First, changes may have to be made in the audit techniques due to the possible absence of input and output documents, the lack of a visible audit trail and the possible weakening in the internal control system. Second, the timing of audit procedures may be affected, because data may not be retained in computer files for an indefinite time. Third, the effectiveness and efficiency of audit procedures may be improved by the use of computer-assisted audit techniques.

The overall objective and scope of an audit does not change in an EDP environment. However, the nature, timing and extent of the audit procedures may be affected, depending on the impact of the EDP environment on the operations of the business, especially the processing of financial information.

2. Objectives

2.1 The objective of this Guideline is to provide auditors in an EDP environment with the additional guidance necessary to attain the overall audit objective. At the same time, it will assist the auditors to conform with Canadian generally accepted auditing standards (Canadian GAAS) and the CGA-Canada Code of Ethical Principles and Rules of Conduct (CEPROC). This Guideline will assist auditors in determining how to plan for an audit in an EDP environment, what skills and competence are required, and when to use computer-assisted audit techniques (CAATs). Guidance for auditing microcomputers, on-line systems, databases, and computer service bureaus is also provided.

3. Skills and competence

3.1 The skills required when auditing in an EDP environment include a knowledge of computer hardware, software and processing systems. The level of knowledge will depend on the nature of the computerized accounting system. However, as a minimum, it should be at a level required to manage the internal controls of the particular EDP environment.

3.2 Auditors must understand how EDP affects the study and evaluation of internal controls and the application of auditing procedures, including the use of CAATs.

3.3 Auditors must have sufficient understanding of the EDP environment to plan the audit. Auditors must also have sufficient knowledge of EDP to implement the auditing procedures; alternatively, they should involve other professionals who possess the required skills to assist in applying auditing procedures. Where the audit involves other professionals, the auditors continue to be responsible for forming and expressing an opinion on the financial statements.

Auditors must have:
• sufficient understanding of the EDP environment to plan the audit,
• sufficient knowledge of EDP to implement the auditing procedures,
• sufficient skills to competently evaluate the results.
4. Internal controls in an EDP environment

4.1 Internal controls comprise the plan of organization and all the coordinated systems established by the management of an entity to assist in achieving management’s objective of ensuring the orderly and efficient conduct of the business. The auditors should, as a first step, gain and document an understanding of the overall control environment and flow of transactions. If the auditors plan to assess control risk at less than maximum, they should also review, test and document the relevant control systems.

4.2 The auditors should understand and consider those characteristics of the EDP environment that may have an impact on the control environment, the accounting system and related control systems. Such characteristics may include:
• concentration of functions and knowledge,
• absence of visible audit trail,
• absence of input and output documents,
• existence of, and control over, system generated transactions,
• built-in control procedures within computer programs,
• concentration of data and computer programs,
• vulnerability of storage media,
• increased exposure to fraud, or
• internal audit staff’s knowledge of EDP systems.

4.3 The auditors must be aware of the areas of concern and changes in risk due to the EDP environment. Some potential areas of risk include:
• the pervasiveness and the complexity of the EDP environment,
• conversion from manual procedures to EDP procedures,
• conversion from one EDP application to another,
• data access controls,
• unwarranted reliance on computer-generated information,
• segregation of incompatible functions, or
• security and backup procedures.

• the absence of a visible audit trail,
• system-generated transactions,
• the existence of proper internal controls and their classification,
• the competence of management with respect to the EDP environment.

4.4 The auditors should understand what impact the EDP environment has on the internal controls of the entity. The internal controls in the EDP environment include both the manual procedures and computer procedures, such as controls built into computer programs. Two types of internal controls can be identified. General EDP controls are concerned with overall controls over the EDP function. EDP application controls are concerned with specific controls over the computerized accounting applications.

4.5 General EDP controls establish a structure of control over the management and operation of the EDP function. Such controls may include:
• organization and management controls,
• application systems development controls,
• computer operation controls,
• systems software controls,
• program and data access controls,
• physical security, or
• backup and recovery controls.

General EDP controls will affect the auditor’s assessment of the control environment.

4.6 EDP application controls establish specific controls over the accounting applications, in order to ensure that all transactions are authorized, recorded and processed completely, accurately and on a timely basis. EDP application controls include input/output controls, and processing controls.

4.7 Auditors should understand the inherent limitations of internal controls in an EDP environment. These limitations include human error, exposure to collusion due to concentration of functions and knowledge, varying efficiency with changes in EDP staff, and lack of sufficient controls because of the cost involved.

Auditors should understand the inherent limitations of internal controls in an EDP environment.
5. Audit planning

5.1 The audit engagement should be planned in accordance with the guidelines provided in CGA-Canada Auditing Guideline No. 3, “Audit Planning and Control.” [E-103] “Planning the Audit” in Volume II of the CGA-Canada Public Practice Manual also provides guidance for audit planning. In addition, auditors should consider special audit procedures required in an EDP environment.

5.2 Special plans should be set up for first engagements. These plans include procedures to gather information on the EDP environment that is relevant to the audit plan, including:
• the organization of the EDP function,
• the extent of concentration of functions and knowledge,
• the computer hardware and software configurations,
• the major applications which are computerized and which affect the financial information,
• planned implementation of new applications, revisions to existing applications, or applications currently under development,
• the policies guiding the EDP function, and
• the competence of management with respect to the EDP environment.

Information should be gathered on the EDP environment relevant to the audit.

5.3 There are many ways to gather such information. A very effective technique is the use of a general review questionnaire. A sample is provided in [Exhibit 6-1]. It comprises two sections: part 1 is a general review of internal controls, while part 2 is a more detailed examination of potential applications that can be served by the EDP department. This latter part would serve to document whether the application in question is present in the EDP environment of the firm. If it is present, then the auditors can formulate the investigation knowing that it will be necessary to review these applications.

5.4 If the audit is a repeat engagement, the previously obtained information on the EDP environment must be updated to reflect all changes which have occurred since the last audit.

5.5 If there has been a changeover to an EDP environment, or significant changes have occurred within the EDP environment, the auditors should:
• review the documentation relating to the changeover process and ensure that the controls over the process were adequate, and
• where appropriate, attend, or have a specialist attend, all, or a portion, of the implementation or the changeover, to ensure that all procedures are followed, and all data has been transferred.

5.6 When the auditors have an expectation that the controls operate effectively, they should include procedures in the overall audit plan to identify relevant EDP controls and to test the reliability of such controls. The use of an EDP internal control checklist, such as [Exhibit 6-2], should be considered.

5.7 The auditors must determine how, when and where the EDP function will be reviewed. Based on this information, the auditors must assess the level of EDP expertise required to carry out the audit plan, and determine whether the necessary technical skills are available. The auditors may use independent EDP professionals to augment the technical skills of the audit team.

5.8 The auditors must obtain an overall understanding of the internal control structure in an EDP environment as part of the audit planning. If the auditors have an expectation that the controls operate effectively, they should review and evaluate the relevant general EDP controls and EDP application controls. Where such controls are found to be materially deficient, the level of control risk should not be reduced. Instead, other methods should be undertaken to accomplish the audit objectives.

5.9 The audit plan must include procedures to obtain sufficient and appropriate audit evidence. An EDP environment may affect the existence and nature of the audit evidence. The timing of procedures to obtain audit evidence may be affected inasmuch as data may not be retained in computer files for a sufficient length of time for audit use. The auditors may have to make special arrangements to retain the needed audit evidence, or time the audit procedures to examine the audit evidence when it is available.

5.10 The use of CAATs should be considered. Such techniques may improve the effectiveness and efficiency of auditing procedures.

Audit plans must consider the:
• control environment in the EDP area,
• level of EDP expertise required,
• changes that have occurred in the EDP environment,
• need for involvement of EDP professionals,
• nature, timing and extent of audit evidence,
• use of CAATs.

6. Computer-assisted audit techniques (CAATs)

6.1 CAATs involve the use of computer programs and data to assist in the auditing procedures. Some examples of CAATs are:
• recalculating data,
• test of internal controls,
• testing of extensions and footings,
• analytical review procedures,
• statistical selection of random and/or key audit samples,
• selection and printing of confirmations, and
• summarizing of data.

6.2 CAATs may be used during test of control and substantive procedures, such as:
• detailed dual purpose tests of transactions and balances,
• analytical review procedures,
• tests of EDP application controls,
• financial analyses, and
• statistical sampling.

6.3 Factors affecting the use of CAATs include:
• the level of computer expertise of the audit team,
• the availability of suitable computer facilities,
• the effectiveness and efficiency of alternative means of testing,
• the availability of, and access to, data, and
• the cost-benefit involved.

The auditors should be aware of the potential benefits of using CAATs, such as improved efficiency of some audit procedures, and savings in audit costs/time.

6.4 The use of CAATs may be required when:
• a visible audit trail is lacking, thereby precluding the auditor from tracing transactions through the computerized system manually,
• data is stored in the computer and manual means of examining the data is unfeasible or uneconomical, and
• input and output documents are not available (e.g., system-generated transactions).

6.5 CAATs can be broadly classified into two groups: those which are used to review systems controls, and those which are used to review production data. The first group includes test data methods, integrated test facilities, automated program logic analyzers, and code comparison programs. The second group includes techniques to examine, retrieve, manipulate and report on actual production data. Refer to the Appendix for a description of some of the more common CAATs available to the auditor.

Computer-assisted audit techniques (CAATs) should be considered when:
• cost savings can be achieved, and
• there are no other means of performing the audit procedures.

7. Reliance on evidence obtained from other professionals

7.1 When auditing in an EDP environment, the auditors may decide to engage the services of an EDP professional to assist in the audit. The auditors should be satisfied with the technical qualifications of the EDP professional when it is planned to use that professional’s work as audit evidence. The auditors should consider the professional certification, licence or other evidence of the competence of the EDP professional. Other relevant considerations include the EDP professional’s experience, reputation and membership in an appropriate professional body.

When an EDP professional is engaged to assist in the audit, the auditors should be satisfied that the EDP professional is qualified to carry out the audit procedures.

7.2 Additional guidance for the reliance on evidence obtained from other professionals can be found in the ISA 620 entitled “Using the Work of an Expert.”

8. Evaluate potential for fraud

8.1 An EDP environment provides easy access to data for those who have legitimate purposes. However, such access may also be used to perpetrate fraud. Because vital operating information is often stored on the computer, computer fraud can be a major threat to the entity. The auditors should assess the risk of material misstatements in the financial statements due to fraud and/or embezzlement.

8.2 Control weaknesses which may indicate the potential for fraud include:
• inadequate control over systems development and computer operations,
• inadequate segregation of jobs requiring technical knowledge,
• inadequate segregation of record keeping duties from physical operations and custodianship over assets, and
• inadequate access control.

It must be stressed that these examples of potential weaknesses are by no means exhaustive. Auditors must be aware that there may be other equally serious deficiencies in the entity’s controls.

Auditors should assess the risk of material misstatements caused by computer fraud.
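Two of the CAATs listed in 6.1, recalculating extensions and footings and statistically selecting key and random audit samples, as an added Python example that is not part of the Guideline: invoice lines are re-extended and invoice totals re-footed against the figures recorded by the client system, and a sample is drawn as every item at or above a value threshold plus a seeded random draw from the remainder. The invoice file, threshold and seed are constructed for the example.

```python
"""CAAT recalculation and sample selection (added example) over a constructed
sales invoice file: recompute each line's extension (quantity x unit price)
and each invoice's footing (sum of lines versus recorded total), then select
key items above a value threshold plus a reproducible random sample of the
rest. Invoices, threshold and seed are constructed for the example."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InvoiceLine:
    qty: int
    unit_price: float
    extension: float  # qty x unit_price as recorded by the client system


@dataclass
class Invoice:
    number: str
    lines: List[InvoiceLine]
    total: float  # footing as recorded by the client system


def recalc_extensions(inv: Invoice) -> List[Tuple[int, float, float]]:
    """(line index, recorded, recalculated) for lines whose extension disagrees."""
    out = []
    for i, line in enumerate(inv.lines):
        recalculated = round(line.qty * line.unit_price, 2)
        if round(line.extension, 2) != recalculated:
            out.append((i, line.extension, recalculated))
    return out


def recalc_footing(inv: Invoice) -> Optional[Tuple[float, float]]:
    """(recorded total, sum of recorded lines) if the footing disagrees, else None.
    Footing is tested on the recorded lines so it is independent of the
    extension test: an invoice can foot correctly to a wrong extension."""
    footed = round(sum(l.extension for l in inv.lines), 2)
    return (inv.total, footed) if round(inv.total, 2) != footed else None


def exceptions(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Exception report keyed by invoice number; clean invoices are omitted."""
    report = {}
    for inv in invoices:
        notes = [f"line {i}: extension {rec} should be {calc}"
                 for i, rec, calc in recalc_extensions(inv)]
        foot = recalc_footing(inv)
        if foot:
            notes.append(f"footing {foot[0]} should be {foot[1]}")
        if notes:
            report[inv.number] = notes
    return report


def select_sample(invoices: List[Invoice], key_threshold: float,
                  n_random: int, seed: int) -> Tuple[List[str], List[str]]:
    """Key items (every invoice at or above the threshold) plus n_random
    invoices drawn from the remainder with a fixed seed, so the selection can
    be re-performed from the seed recorded in the working papers."""
    key = [inv.number for inv in invoices if inv.total >= key_threshold]
    rest = [inv.number for inv in invoices if inv.total < key_threshold]
    rng = random.Random(seed)
    return key, sorted(rng.sample(rest, min(n_random, len(rest))))


# Constructed invoice file: one extension error, one footing error, one key item.
INVOICES = [
    Invoice("INV-001", [InvoiceLine(3, 10.00, 30.00), InvoiceLine(2, 4.50, 9.00)], 39.00),
    Invoice("INV-002", [InvoiceLine(5, 20.00, 100.00), InvoiceLine(1, 7.25, 7.52)], 107.52),
    Invoice("INV-003", [InvoiceLine(10, 150.00, 1500.00)], 1550.00),
    Invoice("INV-004", [InvoiceLine(1, 12000.00, 12000.00)], 12000.00),
    Invoice("INV-005", [InvoiceLine(4, 25.00, 100.00)], 100.00),
]

if __name__ == "__main__":
    print(exceptions(INVOICES))
    print(select_sample(INVOICES, key_threshold=10000.0, n_random=2, seed=7))
```

Recording the seed makes the random selection re-performable by a reviewer, and the extension and footing tests are kept separate because an invoice can foot correctly to wrong extensions, as INV-002 does in the constructed data.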
9. Auditing microcomputers

9.1 Microcomputers are being used either as stand-alone computers, or as part of a network of computers. In the former case, microcomputers are used to process the accounting applications. In the latter case, microcomputers are often used as terminals attached to the main computers where the major accounting applications are processed or are attached to local area networks (LANs).

9.2 Generally, the EDP environment in which microcomputers are used is less structured than a centrally-controlled EDP environment. In the former, application programs can be developed relatively quickly by users possessing only basic data processing skills. In such cases, controls over the data development process and operations, which are essential to the effective control of a large computer environment, may not be viewed by the developer, the user or management as being important or cost-effective in a microcomputer environment. However, because the data are being processed on a computer, users of such data may tend to place unwarranted reliance on the financial information stored or generated by a microcomputer. Since microcomputers are oriented to individual end-users, the degree of accuracy and dependability of financial information produced will depend upon the internal controls prescribed by management and adopted by the user.

9.3 Where microcomputers are used as computing devices attached to main computers, the control problems are similar to those encountered in a normal EDP environment. The major exception is the ability of microcomputers to retrieve information from the main computer and store a copy on some form of storage media, such as floppy disks. Such information may then be used for unauthorized purposes. Auditors should review the controls over access to information stored in the main computers.

Where microcomputers are used as terminals, auditors should pay special attention to controls on access to information stored in the main computer.

9.4 Where microcomputers are used to process applications, either as a stand-alone workstation or as part of a LAN, auditors should pay special attention to the internal controls over the operations of the microcomputers.

9.5 Within the microcomputer environment, auditors should be aware of the following control policies:
• physical security of equipment,
• physical security of removable and non-removable media,
• program and data security,
• software and data integrity, and
• hardware, software and data back-up.

Management can contribute to the effective operation of microcomputers in an EDP environment by prescribing and enforcing policies for their control and use such as the ones noted above.

9.6 Auditors will find that, in many cases, one person in the entity assumes the role of the “expert”, programming as well as operating the microcomputer. In such cases, the auditors should review the degree of segregation of functions, particularly over the processing of accounting records. Where there is inadequate segregation, compensating audit procedures should be undertaken.

9.7 Auditors should review the software used on the microcomputer for the processing of accounting records. In particular, the adequacy of security, data integrity, back-up provisions, and audit trails should be reviewed.

9.8 Auditors should be particularly concerned with the following control weaknesses, which tend to be prevalent in a microcomputer environment:
• lack of segregation of incompatible functions, such as having the programmer responsible for posting the general ledger transactions,
• lack of audit trails,
• excessive dependency on the technical knowledge of one person,
• lack of access security, both physical and logical,
• limited knowledge of the user,
• lack of policies and standards regulating the use and control of microcomputer resources, and
• lack of management involvement with the operation of the microcomputer.

It must be stressed that these examples of potential weaknesses are by no means exhaustive. Auditors must be aware that there may be other equally serious deficiencies in the entity’s controls.

9.9 The effect of microcomputers on the EDP environment, the accounting system and the associated risks, will generally depend on:
• the extent to which the microcomputer is being used to process accounting applications,
• the type of financial transactions being processed and the significance of these transactions, and
• the nature of the data and programs utilized within the applications.

9.10 In general, auditors should assume that control risk may be high in a microcomputer EDP environment. Accordingly, it may be more cost-effective and efficient for the auditors to simply obtain an understanding of the control environment and transaction flow, rather than perform a detailed review of the general and EDP application controls. Consequently, the auditors may wish to concentrate the audit efforts on substantive tests to gain audit assurance.

Where microcomputers are used to process accounting applications, auditors should review the internal controls over the operations of the microcomputers and evaluate the level of reliance to be placed on the controls in order to determine the nature, extent and timing of the substantive procedures to be performed.

9.11 The following are examples of control procedures that auditors may consider when the auditor’s assessment of internal accounting controls related to a microcomputer environment includes an expectation that controls are operating effectively:
• segregation of duties,
• balancing controls,
• access to the microcomputer and its files, and
• use of third-party software.

9.12 Additional guidance on the effects of microcomputers on the audit function can be found in IAPS 1001 “CIS Environments — Stand-alone Microcomputers.”
10. Special topics in EDP auditing
10.1 Three types of EDP environments require special
attention by auditors. These are:
•
•
•
on-line systems,
databases, and
computer service bureaus.
10.2 On-line systems typically involve the use of
terminals connected to computers by some form of
telecommunications link. Often, terminals are
scattered over a wide geographical area.
Applications are activated through terminals and
controlled by some means of access control
mechanism, such as passwords. The most
significant characteristics of on-line systems relate
to on-line data entry and validation, on-line access
to the system by users, potential programmer
access to the system and possible lack of visible
audit trail(s).
10.3 Certain general EDP controls are particularly important to on-line systems. These include (but are not limited to):
• access controls to terminals, programs and data,
• back-up controls and standby procedures,
• data transmission controls,
• data integrity controls,
• user and transaction logs,
• controls over passwords,
• system development and maintenance controls, and
• programming controls.
10.4 Certain EDP application controls are particularly important to on-line systems. These include (but are not limited to):
• pre-processing authorization,
• terminal device edit, reasonableness and other validation tests,
• cut-off procedures,
• file controls,
• master file controls, and
• balancing.
Additional guidance on the implications of on-line
systems on the audit function can be found in IAPS
1002 “CIS Environments — On-line Computer
Systems.”
10.5 A database is a collection of interrelated data that is shared and used by a number of different applications for different purposes, but is independent of the applications. The multiple users and multiple uses of the data imply that the information in the database is a common resource shared within the organization. Data sharing requires that the data be independent of the uses made of it. This is achieved by having the DBMS record the data once for use by the various application programs, thereby avoiding data redundancy. In non-database management systems, separate data files are maintained for each application, and similar data used by several applications may be repeated in several files.
10.6 The use of the data by various application
programs emphasizes the importance of
centralized coordination of the use and definition
of data and maintenance of its integrity, security,
accuracy and completeness. These activities are
provided by the database administrator, who, out
of necessity, has vast powers over the database.
10.7 Generally, internal control in a database
environment requires effective controls over the
database, the DBMS and the applications. The
effectiveness of internal control depends to a great
extent on the nature of the database administrator’s
tasks.
10.8 Due to data sharing, data independence and other characteristics of database systems, general EDP controls normally have a greater importance than EDP application controls on database systems. The general EDP controls of particular importance in a database environment can be classified as follows:
• standard approaches for development and maintenance of application programs,
• data ownership,
• access to the database, and
• segregation of duties.
10.9 The effect of a database on the accounting system and the associated risks will generally depend on:
• extent of use by accounting applications,
• type and significance of financial transactions processed,
• nature of the database, the DBMS, the database administrator’s tasks and the applications, and
• general EDP controls which are particularly important in a database environment.
10.10 Auditors should assess the impact that the database environment has on the audit. Auditors should pay special attention to the additional controls required in this environment:
• controls over access to, and updating of, data,
• controls to ensure data and applications independence,
• controls to ensure integrity of data,
• controls over the activities of the database administrator, and
• controls over access by the database administrator to the data.
In auditing a database environment, auditors should pay special attention to:
• access to and updating of data,
• data and application independence,
• data integrity, and
• activities of the data administrator.
10.11 Additional guidance on the implications of database systems on the audit function can be found in IAPS 1003 “CIS Environments — Database Systems.”
10.12 Where the entity under audit uses a computer service bureau instead of an in-house EDP facility, the auditors should be aware of the special audit considerations. In general, there are three ways whereby EDP services are provided by a computer service bureau:
• computer time and standard application software,
• systems development and maintenance, and
• some combination of the above.
10.13 It is important that the relationship between the entity and the computer service bureau be precisely specified in a contractual agreement. Typically, the entity has very limited control over the computer service bureau. The special audit considerations are:
• The contractual arrangements between the entity and the computer service bureau should be examined for adequate protection for the entity in the event of non-performance or business failure of the computer service bureau.
• Auditors may not be permitted to carry out certain audit procedures to test the internal controls of the computer service bureau. In such cases, the auditors may have to rely on the reports of the computer service bureau’s auditors.
Where a computer service bureau is used, auditors should pay special attention to the contract between the entity and the computer service bureau.
Appendix
A.1 The following paragraphs provide a brief description of some of the more common computer-assisted audit techniques available for the auditors’ use.
A.2 The test data method is one of the techniques used to review system controls and other system procedures. It involves the insertion of test data (e.g., a stream of transactions) into the computer system being audited. The results obtained from processing the test data are then compared with predetermined results. The auditor may use actual or live data, or dummy data may be created to test cases related to specific situations. Generally, test data is processed separately from the entity’s normal processing.
A.3 An integrated test facility can be used in one of two ways. One approach is to create dummy units (e.g., departments or individuals) to which test transactions are directed as part of normal processing. The output associated with these dummy units is then examined for completeness and accuracy. When using this technique, auditors must ensure that the dummy units and their associated transactions are removed from the entity’s records after the audit has been completed.
A.4 The second approach to the use of an integrated test facility is to embed audit computer programs into the computer system being audited. These hidden programs act as audit monitors, which the auditors can turn on or off, in order to selectively audit different aspects of the processing cycle at different times.
A.5 There are programs that can convert a source program into a logical path printout, sometimes in flow chart form. Such programs are known as automated program logic analysis routines. The auditors are thus relieved of the often tedious flowcharting activities that are sometimes necessary to analyze program logic. However, it must be pointed out that the capability of these programs is limited, in that they will only interpret simple source programs with adequate accuracy.
May 2006
A.6 Code comparison programs compare either the source or the object version of the operational computer programs being audited with a reference copy. These programs are generally utilized when the auditors want to ensure that the version of the operational computer program used for processing is in fact identical to the authorized version. This technique can thus be used to detect unauthorized or undocumented program changes.
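A minimal code comparison routine of the kind A.6 describes, as an added example rather than code from the course notes or any real audit tool: it hashes the authorized and operational versions of a program and, where they differ, lists the lines that changed. The two program texts are constructed for illustration.

```python
import difflib
import hashlib

# Constructed illustration: the authorized source of a small routine
# and the version found in the operational program library.
AUTHORIZED_SOURCE = """\
def compute_net_pay(gross, tax_rate):
    tax = gross * tax_rate
    return gross - tax
"""
OPERATIONAL_SOURCE = """\
def compute_net_pay(gross, tax_rate):
    tax = gross * tax_rate
    tax = round(tax, 2)
    return gross - tax
"""

def fingerprint(program: str) -> str:
    """SHA-256 of the program text (object code would be hashed as bytes)."""
    return hashlib.sha256(program.encode("utf-8")).hexdigest()

def compare_programs(authorized: str, operational: str) -> dict:
    """Confirm the operational program matches the authorized version;
    where it does not, list the lines that were added or removed."""
    auth_hash, op_hash = fingerprint(authorized), fingerprint(operational)
    diff = list(difflib.unified_diff(
        authorized.splitlines(), operational.splitlines(),
        fromfile="authorized", tofile="operational", lineterm=""))
    return {
        "authorized_sha256": auth_hash,
        "operational_sha256": op_hash,
        "identical": auth_hash == op_hash,
        "lines_added": [ln for ln in diff
                        if ln.startswith("+") and not ln.startswith("+++")],
        "lines_removed": [ln for ln in diff
                          if ln.startswith("-") and not ln.startswith("---")],
    }

if __name__ == "__main__":
    result = compare_programs(AUTHORIZED_SOURCE, OPERATIONAL_SOURCE)
    print("identical:", result["identical"])
    for line in result["lines_added"] + result["lines_removed"]:
        print("undocumented change:", line)
```

The hash check alone answers "identical or not" for source or object code; the line-level diff only applies to source and tells the auditor what to take up with the change-control records.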
A.7 Generalized audit software is a set of computer programs developed to perform various data-processing functions specific to auditing procedures. These functions include statistical sampling, data manipulation, computation, selection and printing of reports, etc. The auditors can specify the desired functions by coding pre-defined instructions to the generalized audit software. The advantage of such generalized software is that it can be used for many different audit engagements.
A.8 In addition to the descriptions provided in paragraphs A.2 to A.7, paragraphs 5 and 6 of IAPS 1009, entitled “Computer-assisted Audit Techniques,” provide further information on audit software available for use by auditors.
Exhibit 6-1 — part 1
Questionnaire: General review of EDP internal controls (sample)
Client:
Year end:
Location:
Date:
Equipment
Central processing unit:
  Mfr. | Model | Memory size | Serial #
Peripheral devices:
  Type | Number | Model | Device capacity, speed, etc.
Equipment on order:
Software
  Operating system | Version
  DBMS | Version
  Other software
May 2004
Date & initials: Prepared / Reviewed / Index
Exhibit 6-1 — part 2
Questionnaire: Applications (sample)
Client:
Year end:
Applications            | Yes | No | In use | Comments
Sales                   |     |    |        |
Accounts receivable     |     |    |        |
Cash receipts           |     |    |        |
Cash disbursements      |     |    |        |
Accounts payable        |     |    |        |
Payroll                 |     |    |        |
Inventory               |     |    |        |
General ledger          |     |    |        |
Budgets                 |     |    |        |
Tangible capital assets |     |    |        |
Others:                 |     |    |        |
Proposed applications:
Date & initials: Prepared / Reviewed / Index
Exhibit 6-2 — part 1
EDP Internal control checklist (sample)
Client:
Year end:
A. Control objective: Segregation of functions between the EDP department and users
(columns for each item: Y/N | W/P | Comments)
1. EDP personnel are organizationally independent of users.
2. EDP personnel are not involved in the functions of:
   • recording of transactions,
   • initiation or authorization of transactions, and
   • custody of assets.
3. Users actively participate in the development and testing of new and revised systems.
B. Control objective: Segregation of functions within the EDP department
(columns for each item: Y/N | W/P | Comments)
1. The functions of systems design and programming are separated from computer operations.
2. An independent data control group exists.
Date & initials: Prepared / Reviewed / Index
Exhibit 6-2 — part 2
EDP Internal control checklist (sample)
Client:
Year end:
C. Control objective: Management exercises effective control over the EDP department
(columns for each item: Y/N | W/P | Comments)
1. The EDP department reports to an executive level which has sufficient authority to ensure that the EDP department is effectively managed.
2. An EDP steering committee exists and meets regularly.
D. Control objective: Other considerations
(columns for each item: Y/N | W/P | Comments)
1. There is a backup program library available, and it is maintained off-site.
2. There is a backup system available in the event of a total system failure.
3. Business interruption insurance is held, and it is current and adequate for the circumstances.
4. More than one individual (management/EDP) has a working knowledge of the EDP functions.
5. The system is accessible by other personnel in the event of a loss of some or all key staff.
Date & initials: Prepared / Reviewed / Index