Performance Evaluation
Introduction
1.1 INTRODUCTION
Most companies have computer-based accounting systems. The main area of
analysis in this written report is to ensure a full and complete understanding of the
controls in a computer-based environment, whether there is an impact on the
assessment of risks, and the subsequent control procedures. This is very useful in
auditing the computer-based environment. The procedures regarding the risk
assessment will involve the use of computer-assisted audit techniques (CAATs).
The general controls include all policies and procedures that relate to applications and
support the effective functioning of application controls. These apply to mainframe,
mini-frame and end-user environments.
The purposes of general controls are to:
• Maintain the information integrity and data security;
• Exercise control over the following:
i. Software acquisition, changing and maintenance;
ii. Network operations;
iii. Access security;
iv. Applications acquisition, development, and maintenance.
• Controls over installation and maintenance of system software: – many of the
controls mentioned above are relevant, e.g. authorization of changes, good
documentation, access controls and segregation of duties.
The computer environment is tightly linked to the ‘end-user environment’ and refers to
the situation in which the users of the computer systems are involved in all stages of
the system development. In this respect we can mention that the end-user environment
is related to:
Administrative controls: these are controls over ‘data centre and network
operations’ and ‘access security’. These include controls that:
1. prevent or detect errors during program execution, e.g. procedure manuals,
libraries of programs, job scheduling, training and supervision; all these
prevent errors such as using wrong data files or wrong versions of production
programs;
2. prevent unauthorized amendments to data files, e.g. authorization of jobs prior
to processing, back up and physical protection of files and access controls
such as passwords;
3. ensure the continuity of operations, e.g. testing of back-up
procedures, protection against fire and floods, virus checks, use of read only
memory, maintenance of program logs.
System development controls: these types of controls cover the areas of system
software acquisition, development and maintenance, program changes and
application system acquisition, development and maintenance. The ‘system software’
refers to the operating system, database management systems and other software that
increases the efficiency of processing. Application software refers to particular
applications such as sales or wages. The controls over the development and
maintenance of both types of software are similar and include:
Application controls
The procedures used within the application controls are manual or automated. These
operate at a business process level and apply to the processing of transactions by
individual applications.
The main characteristics of application controls are:
• preventive or detective in nature;
• designed to ensure the integrity of the accounting records;
• relating to procedures used to initiate, record, process and report transactions
or other financial data;
• helping ensure that transactions that occurred are authorized, complete and
accurately recorded and processed.
The application controls apply generally to data processing tasks such as sales,
purchases and wages procedures. These are divided into the following categories:
Input controls: document counts, batch control totals, manual scrutiny of documents
to ensure they have been authorized. A common example of programmed controls
over the accuracy and completeness of input is edit checks (data validation), where
the software checks the data fields included on transactions. This is done by
performing:
• reasonability check, e.g. alphabetical characters in a sales invoice number field;
• range check, e.g. no employee’s weekly wage is more than € 1,000;
• check digit, e.g. an extra character added to the account reference field on a
purchase invoice to detect mistakes such as transposition errors during input.
When data is input via a keyboard, the software will often display a screen
message if any of the above checks reveal an anomaly, e.g. ‘Supplier account
number does not exist’.
Processing controls: e.g. a run-to-run control i.e. the totals from one processing run,
plus the input totals from the second processing, should equal the result from the
second processing run. Example: the beginning balances on the payables ledger plus
the purchases invoices (processing run 1) less the cheques issued (processing run 2)
should equal the closing balances on the purchases ledger.
Output controls: batch processing matches input to output, therefore this is also a
control over processing and output. Other examples of output controls include the
controlled resubmission of rejected transactions or the review of exception reports
(e.g. the wages exception report showing employees being paid more than € 500).
Master files and standing data controls: for example a one-for-one checking of
changes to master files, e.g. customer price changes are checked to an authorized list.
A regular printout of master files such as the wages master file could be forwarded
monthly to the personnel department to ensure employees listed have personnel
records.
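The input and processing controls described above can be expressed as code. The following is an added example, not part of the original report: it implements the edit checks (character, range, check digit, existence), a batch control total and the run-to-run reconciliation of the payables ledger. The Luhn mod-10 scheme, the function names and all sample values are assumptions made for illustration.

```python
from decimal import Decimal

WEEKLY_WAGE_LIMIT = Decimal("1000")   # range-check ceiling quoted in the text (EUR)
SUPPLIER_MASTER = {"79927398713"}     # constructed master-file entry (sample data)


def luhn_ok(account: str) -> bool:
    """Check digit test. Luhn mod 10 is an assumed scheme; it catches
    single-digit errors and most adjacent transpositions."""
    if not account.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(account)):
        digit = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def edit_check_invoice(invoice_no: str, supplier_account: str) -> list:
    """Programmed input controls for one purchase invoice; returns screen messages."""
    errors = []
    if not invoice_no.isdigit():              # character/reasonability check
        errors.append("Invoice number contains non-numeric characters")
    if not luhn_ok(supplier_account):         # check digit
        errors.append("Supplier account number fails check digit")
    elif supplier_account not in SUPPLIER_MASTER:   # existence check
        errors.append("Supplier account number does not exist")
    return errors


def edit_check_wage(weekly_wage: Decimal) -> list:
    """Range check: reject wages that are not positive or exceed the ceiling."""
    if weekly_wage <= 0 or weekly_wage > WEEKLY_WAGE_LIMIT:
        return ["Weekly wage outside permitted range"]
    return []


def batch_totals_agree(header_count: int, header_total: Decimal, amounts: list) -> bool:
    """Batch control: document count and value total must match the batch header."""
    return header_count == len(amounts) and header_total == sum(amounts, Decimal("0"))


def run_to_run_ok(opening: Decimal, invoices_run1: list,
                  cheques_run2: list, closing: Decimal) -> bool:
    """Run-to-run control: opening payables + invoices - cheques == closing payables."""
    expected = opening + sum(invoices_run1, Decimal("0")) - sum(cheques_run2, Decimal("0"))
    return expected == closing


if __name__ == "__main__":
    # Constructed transactions: one clean, one with a transposed account number.
    print(edit_check_invoice("10045", "79927398713"))
    print(edit_check_invoice("INV-10046", "79927398731"))
    print(edit_check_wage(Decimal("1250")))
    invoices = [Decimal("1200"), Decimal("800")]
    print(batch_totals_agree(2, Decimal("2000"), invoices))
    print(run_to_run_ok(Decimal("5000"), invoices, [Decimal("1500")], Decimal("5500")))
```

A failed run-to-run comparison does not say which run is wrong; it only shows that records were lost, duplicated or altered between runs and that the batch needs investigating.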
1.2 Objectives of the Study
Broad Objective: The broad objective is to study the Internal Control System in a
Computerized Accounting Environment.
Specific Objectives:
Define an accounting system and describe its implementation.
Define internal control.
Identify the principles of internal control.
Explain the applications of internal control principles to cash receipts.
Apply computerized accounting to the revenue and collection cycle.
Journalize and post transactions in a manual accounting system that uses
subsidiary ledgers and special journals.
1.4 Limitations of the Study
1. To collect information I faced difficulty because of the excessive nature of
CHAPTER TWO
Literature Review
2.1 Literature Review
An examination of the literature concerned with evaluating the effectiveness of
CAIS control systems shows how rare studies in this particular area of research
are. One reason for this is that this area of research is relatively new. Also,
most of the studies in this field are conducted on a micro level and connected
with consolidated studies from the fields of business management, computer
science, and sometimes engineering, and they are usually in the form of reports
or descriptive studies, and rarely empirical ones. Starting with the text books,
Romney and Steinbart (1999) listed twelve points of general controls that
should exist in the CS in order to achieve its goals effectively; these twelve
controls are:
1. Developing security plans.
2. Segregation of duties within the system function.
3. Project development controls.
4. Physical access controls.
5. Logical access controls.
6. Data storage controls.
7. Data transmission controls.
8. Documentation standards
9. Minimizing system downtime.
10. Disaster recovery plans.
11. Protection of personal computer and client/server networks.
12. Internal controls.
They provided an empirical justification for each control and specified the
threats that control procedure could prevent, which gives credibility and
greater chances to find these controls in practice. Furthermore, Boockholdt
(1999) mentioned four categories of general controls as follows:
- Data center operation controls. This includes Data Backup Procedures,
Contingency Plans (DRP) and Segregation of Duties.
- System software acquisition and maintenance controls.
- Access security controls.
- Application system development and maintenance controls. These controls
are: formal review and authorization of each new system, adequate
documentation for manual and programmed procedures, a plan for testing each
new system adequately, and authorization and documentation for changes to
existing systems.
Boockholdt (1999) classified the system software acquisition and maintenance
controls into two main sections:
Fixed Responsibilities
A) Network administration. Selecting and updating network communication
software.
B) PC help center. Answering user’s questions on personal computers,
scheduling maintenance.
C) Database Administration. Selecting and updating software, limiting
access to data, maintaining efficiency.
Disaster Recovery Plan - DRP). The current study depends mainly on
Romney’s categorization, and formulates a detailed procedure list for each
category.
In the following section we preview the available peer reviewed studies,
starting with the ones that cover partial areas of CS evaluation and ending with
those that cover this area in more comprehensive views.
Jacob & Weiner (1997) carried out a theoretical study in which they listed
eleven points to build an effective Disaster Recovery Plan (DRP). These points,
according to the Jacob et al. study, ensure building a comprehensive DRP, respond
to the worst-case scenario and enable organizations to recover their operations
quickly.
These points are:
1. Define mission critical company functions & establish a hierarchy of
operational importance.
2. List the critical personnel and their job function.
3. List equipment needs of critical persons.
4. Determine a site relocation contingency.
5. Establish a recovery even task list.
6. Document current computer data backup methods and frequencies.
7. Identify those hard copy documents which are vital to the company and
not able to be re-created electronically, and provide solutions to
eliminate susceptibility to loss of such documents.
8. Identify mission critical items vital to company operations which would
be required in the event of disaster emergency.
9. Form an internal emergency response (“crises”) committee with
employees assigned to specific crises functions.
10. Create a crises management “media kit”.
11. Create a systematic schedule for updating the plan.
Warigon (1998) conducted a theoretical study in which he clarified a group of
protective measures that should exist to safeguard data warehouses. These
measures can be illustrated as follows:
- The Human wall: A proper number of computer security staff should
exist.
- User Access Classification: Data warehouses (DW) users should be
classified as General Access Users, Limited Access Users or Unlimited
Access users.
- Access Controls: End-users can access only the data or programs for
which they have legitimate privilege.
- Integrity Controls: These controls include well designed and tested
Disaster recovery plans.
- Data Encryption: This encryption is for the sensitive data in the DW to ensure
that the data is accessed on an authorized basis only.
- Partitioning: A mechanism should be developed to partition sensitive data into
separate tables, so that only authorized users can access these tables according
to their needs.
Buttross and Ackers (1990) conducted a theoretical study in which they
discussed microcomputer security practice. In addition, the Buttross and Ackers
study provided a security controls checklist that could be used to help internal
auditors in evaluating computer security. This helps in identifying security
weaknesses and correcting them. The checklist was designed for small and
medium size companies. This checklist included four security controls
categories. Each category included several security controls elements. These
categories are:
- Organizational controls.
- Hardware controls.
- Software controls.
- Data and data integrity controls.
Dougan (1994) suggested an internal control checklist for computer systems.
This checklist could be used to check security controls in place and to ensure
the implemented security procedures are sufficient and effective to prevent
computer data losses. Dougan grouped his checklist into four main categories:
- Computer room site (physical access)
- Documentation.
- Maintenance.
- Protection.
Henry (1997) carried out a survey on 261 companies in the US, to determine
the nature of their accounting systems and security in use. Seven basic security
methods were presented in his study. These methods were encryption,
password access, backup of the data, virus protection, authorization for
system changes, physical system security and periodic audit. Henry’s study
results indicated that 80.3% of the companies back up their accounting systems
and 74.4% of the companies secure their accounting systems with passwords,
whereas only 42.7% use antivirus in their systems. The results also revealed that
less than 6% of the companies use data encryption. Lastly, 45% of companies
underwent some sort of periodic audit for their accounting information
systems. Another study, carried out by Qurashi & Siegel (1997), affirmed the
accountant’s responsibility to check the security of the computer system. The
researchers carried out a theoretical study to develop a security checklist. This
list covers the following four security controls groups: Client policy,
Software security, Hardware security and Data security.
Cerullo and Michael (1999) conducted a survey using a questionnaire of
twenty potential security and control mechanisms, which was circulated among
audit directors of two hundred Fortune companies in the US. These mechanisms
were placed by the Cerullo study in four categories, namely Client-based,
Network-based, Server-based and Application-based.
Hardy et al. (2000) examined information system (IS) managers' and
computerized information system (CIS) auditors' judgments of the relative
importance of elements of the internal control structure for EDI systems, using
the analytic hierarchy process (AHP).
The data were collected by self-administered questionnaire by means of a mail
survey. The target population comprised IS managers and CIS internal auditors
from organizations which were members of Tradegate ECA, and CIS external
auditors from Big Six accounting firms. The survey yielded 54 responses from
159 questionnaires mailed, of which 48 were useable.
The results indicate that there is a lack of consensus between IS managers and
CIS auditors on encryption techniques and operational security controls, and
this requires further investigation. For example, in areas where IS managers
perceive controls to be less important than do CIS auditors, there may be a
weakness in control because the IS manager did not consider it worthwhile or
cost-effective enough to implement what the CIS auditor considers to be
sufficient control. The reverse may also be true, i.e., unnecessary controls
have been implemented. If so, discontinuing the operation of the unnecessary
controls may result in cost savings.
Moscove and Stephan (2001) consider that e-business organizations should
maintain a group of control procedures to protect their systems from any
possible threats. Such procedures include:
1. Physical access control procedures.
2. Password control procedures.
3. Data encryption such as public key encryption.
4. Disaster recovery plan (DRP).
5. Software-based security control, such as firewalls.
6. Intrusion detection software to detect unauthorized entrance into the system.
Abu Musa (2004) performed an empirical study to investigate the adequacy of
Security Controls implemented in the Egyptian banking industry (EBI), where
the respondents were restricted to the head of the computer department and the
head of the internal audit department. Abu Musa tried to check whether the applied
Security Controls in the EBI are adequate to protect against the perceived
security threats through a self-administered checklist.
The CAIS security checklist included eighty security procedures which were
categorized under the following ten groups.
1. Organizational information security controls.
2. Hardware and physical access security controls.
3. Software and electronic access security controls.
4. Data and data integrity security controls.
5. Off-line programs and data security controls.
6. Utility security Controls.
7. Bypassing of normal access security controls.
8. User programming security controls.
9. Division of duties.
10. Output security controls.
CHAPTER THREE
Internal Control and Accounting
System of a Company
3.1 Company Overview
The Zealous Rent a Car Company will be the largest company in India. It will
provide a vast variety of vehicles to individuals, institutions, organizations and
visitors throughout India. It will provide luxurious vehicles to the people of India in all
provinces. Vehicles for special purposes shall also be provided, such as for
wedding ceremonies, tours etc.
The company will also provide online booking in all the major cities of India to
facilitate its customers. The company has a large number of branches all over India.
The company believes in providing best quality services to its customers.
Following Are the Major Strengths of the Company
Green Revolution: Zealous follows the international going green policies in
maintaining its cars. This strategy will be cost effective for its customers and it will be
Environment friendly as well.
Quality: Company meets its specifications and provides reliable, durable and
Aesthetic Vehicles, and Quality services.
Customizations: The Company provides customized accessories i.e. Music, Media,
Interior looks in accordance with the specifications of the customers.
Online Connectivity: Having provided the facility of online easy reservations and
booking all over the Major cities of India.
Marketing and Innovations: The Company’s aggressive marketing and its
innovative products and services attract customers and fulfill their quality standard
(Esteem Needs).
3.4 Memorandum Of Association
The name of the company is “ZEALOUS Rent a Car Pvt. Ltd.”.
Registered office of the company will be situated in province of the Punjab at
Lahore.
The objective of the company is to provide vehicles on rent on daily, weekly,
monthly, and annual basis, to individuals, organizations, institutions, and
visitors all over India. Second hand vehicles would also be sold by the
company.
The liability of the shareholders is limited up to the nominal value of the
shares they have purchased, whether paid in full or not.
The share capital of the company is thirty billion (3,000,000,000) rupees,
divided into three hundred million (300,000,000) shares of ten rupees each.
Directors
The number of the first directors and the name of the first directors shall be
determined in writing by the subscribers of the memorandum of association,
so, however, that such number shall not in any case be less than as specified in
section 174 of company ordinance 1984.
Power and duties of the directors
The business of the company shall be managed by the directors, who may
exercise all such powers of the company as are not by ordinance required to be
exercised by the company in general meeting.
Chief Executive Officer
The CEO shall be appointed by the directors for such terms, at such
remuneration and upon such conditions as they may think fit.
The Seal
The director shall provide for the safe custody of the seal. It shall be used as
the signature of the company and is affixed on all necessary documents of the
company. Mr. Jawad Abbas the director of the company will be the custodian
of the seal.
Finance Department
The CFO would be the head of this department.
He would be responsible for:
Arranging the credit Policy – To what extent the credit is allowed to the
customers
Making contracts for getting loans
Mobilizing the additional funds
Setting the safety Margin on Inventories
Making in time payments to the Creditors
The following persons will work under the CFO
1. Finance manager
2. Manager Taxation
3. Manager of planning and budget
Finance Manager
It would be responsible for:
Approving fund up to Rs.40,000
Keeping the record of payment of fund to each department
Financial Forecasting
One assistant manager and one clerk will help him in his work.
Manager Taxation
He would be responsible for:
making tax returns
keeping record of deferred tax
paying sales tax
dealing with property tax
Two persons will help him in his work.
Manager of Planning and Budget
He would be responsible for:
Preparing annual budgets of different departments with the involvement of
their representatives
keeping the record of matching their actual record with the estimated
keep the fuel average of each vehicle estimated
keeping the repair and maintenance expense estimated
On the site investigation to gather data for estimation
Inspection of inventory for budget preparation.
Accounts Department
The CAO would be the head of this department.
He would be responsible for:
Forming policies about Maintenance of Accounts
Approval of Purchase orders
Communicating with higher management
Motivating subordinates
The following persons will work under the CAO:
Accountant Manager
Financial Reporting Manager
Special Reporting Manager
Accounts Manager
Maintaining books of accounts in accordance with the Company’s Ordinance
1984
Recording the transactions in the general Journal
Keeping proper record of vouchers
Recording adjustment entries
The two assistants will help him in his work.
Financial Reporting Manager
Preparation of financial statements in self decrypted form
Providing the notes along with the financial statements
The two assistants will help him in his work.
3.7 Basic Information “QuickBooks Accounts”
Receivables
Account Receivables
Lease and rent accounts
Retail vehicles
Allowance for doubtful Receivables
Other receivables
Vehicles
Rental Vehicles
Driver training Vehicles
Prepaid expenses
Prepaid Expenses
Prepaid Rent
Prepaid Insurance on Vehicles
Life and Disability Insurance
Other prepaid
Fixed Assets
Land and Improvements
Building and Improvements
Computers
Laptops
Furniture and fixture
Company Vehicles
Other fixed assets
Accumulated Depreciation
Acc Dep. - Land and Improvements
Acc Dep. – Building and Improvements
Acc Dep. – Computers
Acc Dep. – Laptops
Acc Dep. – Furniture and fixture
Acc Dep. - Company Vehicles
Acc Dep. - Other fixed assets
LIABILITIES
Accounts Payables
Trade Creditors
Customers Deposit
License and Registration Fee
Other Accounts Payables
Accrued Liabilities
Interest Payable
Salaries, Wages and Commission Payable
Insurance payable
Payroll Taxes Payable
Sales Tax Payable
Income Tax Payable
Other Taxes Payable
Employees Bonus Payable
Dividends Payable
Profit Sharing Payable
Other Payables
Other liabilities
Long term Debts
Notes payable of affiliated companies
Mortgage payable
Deferred Income Tax
Other liabilities
STOCKHOLDERS’ EQUITY
Capital Stock
Additional paid in capital
Retained earnings
Dividends
Investments
Profit & Loss Current
3.9 Internal Controls
“Internal Controls are policies and procedures used as internal checks and balances over
an organization’s assets and financial statements”. These controls:
Reduce the misuse of assets.
Reduce the risk of misstatement of the financial statements.
Help to determine fraud and errors.
Help to provide effective and efficient operations.
Help the organization maintain a good reputation.
All lower management and employees are also responsible for implementing
internal controls. They will also communicate weaknesses in our system to
management.
3. Risk Assessment
It is related to the identification and management of the risks that are faced by our
rental company.
The most common risks relate to protecting our organization’s assets and preventing
misstatement of the organization’s financial statements. These risks occur due to
the following events:
When our rental business expands or grows to other cities.
Hiring of new employees (Higher or lower management, especially in leadership).
Launching new services and activities.
If we change our internal environment.
4. Control Activities
These are the actions our company will take to deal with the risks we face in running our
business.
This includes:
Insurance of Cars
GPS system
We’ll save our assets (cars) from loss or unauthorized use by implementing
controls to minimize opportunities for the employees or others to misuse them.
Controlling the flow of information and the accuracy of transactions. We’ll
record day to day transactions at correct amounts, with proper classification, in the
specific accounting periods and financial statements.
Management would do accurate financial reporting of the organizational activities.
We shall divide or separate duties by proper allocation of tasks, so that no one
gets the chance to commit errors or fraud and then cover it up.
Especially when it comes to recording transactions, one individual cannot control
all phases of the process (the one who records a transaction can’t be directly involved in
actual cash handling). We’ll also do job rotations from time to time (change guards,
drivers).
Some duties (management related) still can’t be completely separated (as we
have low employee strength initially). To solve this, we’ll reconcile the bank
statements from time to time, remove variances, review reports and, most important,
compare physical inventory (tires, materials, tools, office equipment
inventory) with the accounting records.
5. Monitoring
Monitoring internal controls is a process that assesses the quality of the organization’s
internal controls over time. Deficiencies are reported and addressed.
Internal control plays an important role in the prevention and detection of
fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud
risk assessment and assess related controls. This typically involves identifying
scenarios in which theft or loss could occur and determining if existing control
procedures effectively manage the risk to an acceptable level. The risk that senior
management might override important financial controls to manipulate financial
reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and
ACFE also sponsored a guide published during 2008 that includes a framework for
helping organizations manage their fraud risk.
Controls can be evaluated and improved to make a business operation run more
effectively and efficiently. For example, automating controls that are manual in
nature can save costs and improve transaction processing. If the internal control
system is thought of by executives as only a means of preventing fraud and
complying with laws and regulations, an important opportunity may be missed.
Internal controls can also be used to systematically improve businesses,
particularly in regard to effectiveness and efficiency.
Auditors within the organization evaluate the effectiveness of the internal
control structure and determine whether company policies and procedures
are being followed. All employees are part of a communications network
that enables an internal control structure to work effectively.
ESTABLISHMENT OF RESPONSIBILITY
Control is most effective when only one person is responsible for a given task.
SEGREGATION OF DUTIES
Related duties, including physical custody and record keeping, should be assigned
to different individuals.
DOCUMENTATION PROCEDURES
Companies should use prenumbered documents, and all documents should be
accounted for.
OTHER CONTROLS
1. Bond employees.
2. Rotate employees’ duties and require vacations.
3. Conduct background checks.
CHAPTER FOUR
Basic Accounting System
4.1 Objectives of Internal Control
To provide reasonable assurance that:
Assets are safeguarded and used for business purposes.
Business information is accurate.
Employees comply with laws and regulations.
Control Procedures
Competent Personnel
Rotating Duties
Mandatory Vacations
Separating Responsibilities for Related Operations
Separating Operations, Custody of Assets, and Accounting
Proofs and Security Measures
4.3 MANUAL ACCOUNTING SYSTEMS
Special Journals
CHAPTER FIVE
Accounting in Computerized Environment
5.1 Accounting in Computerized Environment
Significance of computerized accounting system
Codification and grouping of accounts
Maintaining the hierarchy of ledgers
Prepackaged accounting software
2. Complete Visibility & Scalability:
With Computerized accounting the company will have greater visibility into the
day-to-day business operations and access to vital information. Computerized
accounting adapts to the current and future needs of the business, irrespective of its
size or style.
3. Customized:
Computerized accounting allows the company to enter data in a variety of ways
which makes work a pleasure. Adapting to the specific business needs is possible.
Hence, software can be tailor-made according to the needs of the business.
4. For quick decision making & improved Business Performance:
Computerized accounting is a highly integrated application that transforms the
business processes with its performance enhancing features which encompass
accounting, inventory, reporting and statutory processes.
Role / Benefits / Advantages
Speeding up the process
Automation of ledger posting, Trial balance and subsidiary ledger
Accuracy
Reduced error
Eliminating duplication of work
Immediate availability of information
Easy access
Flexibility
Better quality of work, clean and neat
Scalable
Lower operating cost
Improved efficiency
Relieves employee monotony
Facilitates standardization
Minimization of frauds
5.4 Limitations / Disadvantages
Security / Integrity / Virus / Hacking
May lead to unemployment
High cost of installation
Requires special skills for operation
Frequent repairs
Frequent power failures
The major heads, sub-heads and detailed heads together constitute a 4-tier structure
• The detailed head is often termed as an object classification for control
purposes. Ex:
–Salaries
–Office Expenses
–Salesman Expenses
–Workshop Overhead, etc.
• The classification system should be approved by the top management and
auditor before coding and computerization
Prepackaged Software
• Prepackaged software are generic accounting systems purchased from the
market rather than developed in-house (ex: Tally accounting s/w)
• These s/w are easy to use, relatively inexpensive and readily available
• The installation of these s/w is very simple
• A network version is generally available which works on client-server
architecture
• User manuals guide the user on how to use the s/w
• Vendor provides regular updates
CHAPTER 6
Findings Recommendations and
Conclusion
6.1 Findings
Risk assessment procedures using computer techniques
The computer-assisted risk assessment techniques are related to controls that are
characterized by the application of control and audit procedures using the computer as an
audit tool. These are known as CAATs and are normally placed in three main categories:
1. Audit software: computer programs used by the auditor to interrogate a client’s
computer files mainly for substantive testing. These can be further categorized into:
a. Package programs (generalized audit software): these are pre-prepared programs for
which the auditor will specify detailed requirements. These are written to be used on
different types of computer systems, therefore the auditor will be able to perform data
processing functions, which include reading computer files, selecting information and
performing calculations.
b. Purpose-written programs: these perform specific functions based on auditor’s
choices. The auditor may have no option but to have this software developed, since
package programs cannot be adapted to the client’s system (however, this can be
costly).
c. Enquiry programs: these are programs that are part of the client’s system, often used
to sort and print data and can be adapted for audit purposes, e.g. accounting software
which may have search facilities on some modules, or that could be used for audit
purposes such as searching for all customers with credit balances (on the customers’
module) or all inventory items exceeding a specified value (on the inventory module).
Using this audit software, you can scrutinize large volumes of data and present results
that can then be investigated further. The software consists of the program logic needed to
perform most of the functions required in an audit, such as:
• sample selection;
• reporting exceptional items;
• files comparison;
• analyzing, summarizing and stratifying data.
With this software you determine which of these functions you wish to use and select the
criteria. Example: reviewing and auditing the property, plant and equipment process:
• Select a random sample of additions from the fixed asset master file. This
allows you to trace the sample back to contracts and invoices to confirm
existence.
• Report all additions that cost more than €1,000.
• Compare the fixed asset register from the beginning of the month with the
one at the end of the month in order to trace the disposals during the month.
• Trace the disposals identified back to evidence, such as the sales invoice and
disposal minute.
• Assess the reasonableness of the depreciation expenses.
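The fixed asset procedures above, sketched as an added example that is not code from the original report or from any audit package. The register layout, asset IDs, amounts and the straight-line depreciation test are assumptions constructed for illustration.

```python
import random

# Constructed sample data: fixed asset register at month start and month end.
# asset_id -> (cost in EUR, useful life in years, depreciation charged this month)
OPENING = {
    "FA-001": (12000.00, 5, 200.00),
    "FA-002": (800.00, 4, 16.67),
    "FA-003": (4500.00, 10, 37.50),
}
CLOSING = {
    "FA-001": (12000.00, 5, 200.00),
    "FA-003": (4500.00, 10, 75.00),   # charge doubled: should be flagged
    "FA-004": (2500.00, 5, 41.67),    # addition
    "FA-005": (950.00, 3, 26.39),     # addition below the threshold
    "FA-006": (1000.00, 4, 20.83),    # addition exactly at the threshold
}

def additions(opening, closing):
    """Assets on the closing register that were not on the opening one."""
    return sorted(set(closing) - set(opening))

def disposals(opening, closing):
    """File comparison: assets that left the register during the month."""
    return sorted(set(opening) - set(closing))

def additions_over(opening, closing, threshold=1000.00):
    """Exception report: additions costing strictly more than the threshold."""
    return [a for a in additions(opening, closing) if closing[a][0] > threshold]

def sample_additions(opening, closing, size, seed):
    """Random sample of additions; keeping the seed lets the selection be re-performed."""
    population = additions(opening, closing)
    return sorted(random.Random(seed).sample(population, min(size, len(population))))

def depreciation_exceptions(register, tolerance=0.01):
    """Assets whose monthly charge differs from straight-line cost / life / 12 (assumed method)."""
    flagged = []
    for asset_id, (cost, life_years, charged) in sorted(register.items()):
        expected = round(cost / life_years / 12, 2)
        if abs(charged - expected) > tolerance:
            flagged.append((asset_id, expected, charged))
    return flagged

if __name__ == "__main__":
    print("Disposals to trace to sales invoice:", disposals(OPENING, CLOSING))
    print("Additions over EUR 1,000:", additions_over(OPENING, CLOSING))
    print("Sample to trace to contracts:", sample_additions(OPENING, CLOSING, 2, seed=2024))
    print("Depreciation exceptions:", depreciation_exceptions(CLOSING))
```

Recording the seed alongside the sample in the working papers lets a reviewer regenerate exactly the same selection.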
2. Data testing: consists of techniques used in conducting control procedures by entering
data, as a sample of transactions, into an entity’s computer system and comparing the
results obtained with pre-defined results. The prime objective is to test the operation of
application controls. For this purpose it is ideal to arrange for dummy data to be
processed that includes many error conditions. This is done in order to ensure
that the client’s application controls can identify particular problems. Examples of errors
that might occur:
• supplier account codes that do not exist;
• sales invoices that contain addition errors;
• employees earning in excess of a certain limit;
• submitting data with incorrect batch control totals.
Data without errors will also be included to ensure that the ‘correct’ transactions are
properly processed.
The data test can be used ‘live’, during the client’s normal production run, but the main
disadvantage of this choice is the danger of corrupting the client’s master files. In order
to avoid this, it is useful to use an integrated test facility. The alternative is to perform
a special run outside normal processing, using copies of the client’s master files. In this
case, the danger of corrupting the client’s files is avoided; however, the level of assurance
is lower than if the normal production programs had been used.
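The data test described above, as an added example that is not part of the original report: a constructed test deck covering the four error conditions plus valid data is run against a stand-in for the client's application controls, working on a copy of the master file, and the results are compared with pre-defined ones. The control function, rejection codes, supplier codes and pay limit are hypothetical, and one weakness is planted deliberately so the comparison has something to find.

```python
# Stand-in for the client's application controls (hypothetical), run against a
# copy of the master file. One weakness is planted on purpose: the addition
# check compares whole euros, so a cents-level error slips through.
SUPPLIERS = {"S100", "S200"}   # constructed copy of the supplier master file
PAY_LIMIT = 5000.00            # constructed payroll limit

def application_controls(txn):
    """Return the rejection codes the application raises for one transaction."""
    kind, codes = txn["kind"], []
    if kind == "purchase" and txn["supplier"] not in SUPPLIERS:
        codes.append("UNKNOWN_SUPPLIER")
    if kind == "sales_invoice" and int(sum(txn["lines"])) != int(txn["total"]):
        codes.append("ADDITION_ERROR")
    if kind == "payroll" and txn["gross"] > PAY_LIMIT:
        codes.append("OVER_PAY_LIMIT")
    if kind == "batch" and round(sum(txn["items"]), 2) != txn["control_total"]:
        codes.append("BATCH_TOTAL_MISMATCH")
    return codes

# Constructed test deck: (transaction, pre-defined result). Valid data is
# included so that correct transactions are shown to be accepted.
TEST_DECK = [
    ({"kind": "purchase", "supplier": "S100"}, []),
    ({"kind": "purchase", "supplier": "S999"}, ["UNKNOWN_SUPPLIER"]),
    ({"kind": "sales_invoice", "lines": [100.00, 50.00], "total": 150.00}, []),
    ({"kind": "sales_invoice", "lines": [100.00, 50.00], "total": 160.00}, ["ADDITION_ERROR"]),
    ({"kind": "sales_invoice", "lines": [100.00, 50.25], "total": 150.75}, ["ADDITION_ERROR"]),
    ({"kind": "payroll", "gross": 4999.99}, []),
    ({"kind": "payroll", "gross": 5000.01}, ["OVER_PAY_LIMIT"]),
    ({"kind": "batch", "items": [10.00, 20.00], "control_total": 30.00}, []),
    ({"kind": "batch", "items": [10.00, 20.00], "control_total": 35.00}, ["BATCH_TOTAL_MISMATCH"]),
]

def run_test_deck(controls, deck):
    """Process every test transaction; return deviations from the pre-defined results."""
    deviations = []
    for number, (txn, expected) in enumerate(deck, start=1):
        actual = controls(txn)
        if actual != expected:
            deviations.append({"case": number, "expected": expected, "actual": actual})
    return deviations

if __name__ == "__main__":
    for deviation in run_test_deck(application_controls, TEST_DECK):
        print("Control deviation:", deviation)
```

Case 5 is the only deviation: the invoice with a 50-cent addition error is accepted, which is the kind of control weakness the test deck exists to surface.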
3. Other techniques: there is an increasing number of other techniques that can be used.
The main ones are:
Integrated test facility: this technique runs the data test live; it involves the
establishment of dummy records, such as departments or customer accounts, against which
the dummy data can be processed. These can then be ignored when the client records are
printed out, and reversed out afterwards.
Embedded audit facilities (embedded audit monitor): this requires the auditor’s own program
code to be embedded into the client’s application software. The embedded code is
designed to perform audit functions and can be switched on at selected times or activated
each time the application program is used. Embedded facilities can be used to:
• Gather and store information relating to transactions at the time of processing for
subsequent audit review. The selected transactions are written to audit files for
subsequent examination, often called a system control and review file.
6.2 Recommendations
Impact of computer-based systems on the general approach
The fact that systems are computer-based does not alter the key stages of the review
process. This explains why references to the computer-based systems have been
subsumed into the following:
(i) Planning: represents one of the characteristics of the review and control process that
needs to be considered in developing the overall strategy.
(ii) Risk assessment: the information system is identified as one of the five components
of internal control. It is necessary to obtain an understanding of the information system,
including the procedures within both IT and manual systems. In other words, if the auditor
relies on internal control in assessing risk at an assertion level, s/he needs to
understand and test the controls, whether these are manual or automated.
(iii) Testing: this stage is very important irrespective of the accounting system (or any
other internal reporting system), so it is useful to design compliance and substantive
tests that reflect the strengths and weaknesses of the system. When testing a computer
information system, it is likely that a mix of manual and computer-assisted review
and monitoring tests will be used. ‘Round the machine’ vs. ‘through the machine’
approaches to testing.
6.3 Conclusion
In recent years, computer-assisted risk assessment techniques have been developed,
especially for large companies in various fields of activity such as banking,
financial companies or retail stores. They are growing in importance and help to
achieve a true and fair view of the financial results and to mitigate the risks
that might occur. The assessment of the key controls will determine the level of
internal testing. If these are programmed controls, you will need to ‘review
through the computer’ and use CAATs to ensure controls are operating effectively.