CHAPTER 7
processing
COMPUTER INFORMATION SYSTEM (CIS)
- Become feasible, perhaps essential, for use
even in small scale business operations.
- This widespread use of computers has
offered new opportunities for professional
accountant.
GENERAL CONTROL
- Are those control policies and procedures
that relate to overall computer information
system.
1. ORGANIZATIONAL CONTROLS
- There should be a written plan of the
organization, with clear assignment of
authority and responsibility.
- a. Segregation between the CIS department
and user department
CIS department must be independent
of all department within the entity
- b. Segregation of duties within the CIS
department
CIS department should be properly
segregated for good organizational
controls.
CIS DIRECTOR
- Exercise control over the CIS operation.
SYSTEMS ANALYST
- Design new systems, evaluates and
improves existing system, and prepares
specification for programmers.
PROGRAMMER
- Guided by the specification of the systems
analyst, the programmer writes a program,
test and debugs such program, and prepares
the computer operating instructions.
COMPUTER OPERATOR
- Using the program and detailed operating
instruction prepared by the programmer,
computer operator operates the computer to
process transactions.
DATA ENTRY OPERATOR
- Prepare and verifies input data for
LIBRARIAN
- Maintains custody of systems
documentation programs and files.
CONTROL GROUP
- Reviews all input procedures, monitors
computer processing, follows-up data
processing errors, reviews the
reasonableness of output, and distributes
output to authorized personnel.
2. SYSTEMS DEVELOPMENT AND
DOCUMENTATION CONTROLS
- software development as well as changes
thereof must be approved by the appropriate
level of management and the user
department.
3. ACCESS CONTROLS
- every computer system should have
adequate security controls to protect
equipment, files and programs.
- Access to the computer should be limited
only to operators and other authorized
employees.
4. DATA RECOVERY CONTROLS
- One of characteristics of the CIS is the
vulnerability of files and programs,
- Provides for the maintenance of back-up
files and off-site storage procedures.
Computer files should be copied daily to
tape or disks and secured off-site.
- Grand-father, father, son practice requires
an entity to keep the two most recent
generation of master files and transaction
files in order to permit reconstruction of
master files if needed.
5. MONITORING CONTROLS
- Are designed to ensure that CIS control are
working effectively as planned.
- These include periodic evaluation of the
adequacy and effectiveness of the overall
CIS operation conducted by person within or
outside the entity.
APPLICATION CONTOLS
 - Are those policies and procedures that relate
to specific use of the system.
- These are designed to provide reasonable
assurance that all transaction are authorized,
and that they are processed.
- Processing of transaction involves three
stages: the input, processing, and output
stage.
THE INPUT STAGE
- Involves capturing of a mass of data
THE PROCESSING STAGE
- Involves converting the mass of raw data
into useful information.
OUTPUT STAGE
- Involves preparation of information in a
form useful to those who wish to use it.
INPUT CONTROLS
- are designed to provide reasonable
assurance that data submitted for processing
are complete, properly authorized and
accurately translated into machine readable
form.
 KEY VERIFICATION
Requires data to be entered twice
(usually by different operators) to
provide assurance that there are no key
entry errors committed.
 FIELD CHECK
This ensure that the input data agree
with the required field format.
 VALIDITY CHECK
Information entered are compared with
valid information in the master files to
determine the authenticity of the input.
 SELF-CHECKING DIGIT
Is a mathematically calculated digit
which is usually added to a document
number to detect common
transpositional errors in data submitted
for processing.
 LIMIT CHECK
Or reasonable check is designed to
ensure that data submitted for processing
do not exceed a pre-determined limit or
a reasonable amount.
 CONTROL TOTALS
- These are totals computed based on the
data submitted for processing.
- Ensure the completeness of data before
and after the are processed.
- These Includes Financial totals, hash
total and record count.
PROCESSING CONTROLS
- Are designed to provide reasonable
assurance that input data are processed
accurately, and that data are not lost, added,
excluded, duplicated or improperly changed.
OUTPUT CONTROLS
- Are designed to provide reasonable
assurance that the results of processing are
complete, accurate and that these outputs are
distributed only to authorized personnel.
AUDITING AROUND THE COMPUTER
- Auditing around the computer is similar to
testing control in a manual control structure
in that it involves examination of documents
and reports to determine that reliability of
the system.
- Using this, auditor ignores the client’s data
processing procedures, focusing solely on
the input documents and the CIS output
- Is based on the assumption that if the input
reconciles with output, then the computer
program must have processed the
transaction accurately.
- Auditing around the computer can be used
only if there are visible input documents and
detailed output that will enable the auditors
to trace individual transaction back and
forth.
- Also known as “black box approach”
COMPUTERR ASSISTED AUDIT
TECHNIQUES (CAATs)
- When computerized accounting system
perform tasks for which no visible evidence
is available, it may be impracticable for the
auditor to test manually.
- Also called “white box approach”
1. TEST DATA
 Is primarily designed to test the
effectiveness of the internal control
 procedures which are incorporated in the
client’s computer program.
 To accomplish this objective the auditor
prepares test data (fictitious transaction)
that consist of valid and invalid
conditions.
2. INTEGRATED TEST FACILITY (ITF)
 Using ITF, the auditor creates dummy or
fictitious employee or other appropriate
unit for testing within the entity’s
computer system.
 ITF integrates the processing of test
data with the actual processing of
ordinary transactions without
management being aware of the testing
process.
3. PARALLEL SIMULATION
 Requires the auditor write a program that
simulates key features or processes of
the program under review.
 Can be accomplish by using generalized
audit software or purpose written
programs.
GENERALIZED AUDIT SOFTWARE
- Consists of generally available computer
package which have been designed to
perform common audit tasks.
PURPOSE-WRITTEN PROGRAMS
- Are designed to perform audit tasks in
specific circumstances.
OTHER CAATs
SNAPSHOT
- This technique involves taking a picture of a
transaction as it flows through the computer
systems.
SYSTEM CONTROL AUDIT REVIEW FILES
(SCARF)
- This involves embedding audit software
modules within an application system to
provide continuous monitoring of the system
transaction
CHAPTER 8
SUBSTANTIVE TEST
- Are audit procedures designed to
substantiate the account balance or to
detect material misstatement in the
financial statements.
ANALYTICAL PROCEDURES
- Applied as substantive test enable the
auditor to obtain corroborative evidence
about a particular account.
- involves comparison of financial
information with auditor’s expectations to
determine the reasonableness of an account
balance reported in a financial statement.
TEST OF DETAILS
- involves examining the actual details
making up the various account balances.
TEST OF DETAILS OF BALANCE
- Involves direct testing of the ending balance
of an account.
TEST OF BALANCES
- Will used account balance are affected by
large volume of relatively immaterial
transactions.
TEST OF DETAILS OF TRANSACTION
- Involves testing the transactions which give
rise to the ending balance of an account.
TEST OF TRANSACTION
- Is useful if account balances are comprised
of a smaller volume of transactions
representing relatively material amounts.
EFFECTIVENESS OF SUBSTANTIVE TEST
- The potential effectiveness of the auditor’s
substantive test is affected by its nature,
timing, and extent.
NATURE OF SUBSTANTIVE TEST
- Relates to the quality of evidence. The
auditor should determine the appropriate
quality of evidence needed to support the
desired level of detection risk.
TIMING OF SUBSTANTIVE TEST
 - Substantive test may be performed at interim
date or at year end.
EXTENT OF SUBSTANTIVE TEST
- Relates to the amount of evidence needed to
satisfy a particular objective.
- Is base on the auditor’s judgment after
considering the materiality, the assessed
risk, and the degree of assurance the auditor
plans to obtain.
TEST CONTROL
- Provide evidence that indicates a -
misstatement is likely to occur.
SUBSTANTIVE TEST
- On the other hand, provide evidence about
the existence of misstatement in an account
balance.
AUDIT EVIDENCE
- Consists of underlying accounting data and
corroborating information.
- Auditor should obtain SAE to draw
reasonable conclusion
- Is typically obtained as a result of
performing test of control and substantive
test
EVIDENCE
- Refers to the information obtained by the
auditor in arriving at the conclusion on
which the audit opinion is based.
UNDERLYING ACCOUNTING DATA
- Refers to the accounting records underlying
the financial statement.
CORROBORATING INFORMATION
- Supporting the underlying accounting data
obtained from client and other sources.
QUALITIES OF EVIDENCE
- The auditor should consider the sufficiency
and appropriateness of audit evidence
obtained.
SUFFICIENCY
- Refers to the amount of evidence that the
auditor should accumulate.
APPROPRIATENESS
- Is the measure of the quality of audit
evidence and its relevance to a particular
assertion and its reliability
RELEVANCE
- Relates the timeliness of evidence and its
ability to satisfy the audit objective.
RELIABILITY
Relates to the objectivity of evidence and is
influenced by its source and by its nature.
WORKING PAPERS
- Are records kept by the auditor that
documents the audit procedures applied,
information obtained and conclusions
reached.
PERMANENT FILE
- Contains information of continuing
significance to the auditor in performing
recurring audits.
CURRENT FILE
- Contains evidence gathered and conclusions
reached relevant to the audit of a particular
year.
RELATED PARTIES
- Refers to person or entities that may have
dealings with one another in which one
party has the ability to exercise significant
influence or control over the other party in
making financial and operating decision.
EXPERT
- Is a person or firm possessing special skill,
knowledge and experience in a particular
field other than accounting and auditing.
AUDITOR’S EXPERT
- An expert, whose work in his/her field of
specialization, is used by the auditor to
assist the auditor in obtaining sufficient
appropriate audit evidence.
MANAGEMENT’S EXPERT
 - An expert, whose work in his/her field of
expertise, is used by the entity to assist the
entity in preparing the financial
statements.
INTERNAL AUDITING
- Is an appraisal activity established within an
entity as a service to the entity, the external
auditor should obtain a sufficient
understanding of the internal audit activities
to assist in planning the audit and
developing an effective audit approach.
COMPETENCE
- Consider the professional qualifications and
experience of the internal auditors.
OBJECTIVITY
- Consider the organizational level to which
the internal auditors report the results to
their work.
DUE PROFESSIONAL CARE
- Consider proper planning, supervision and
documentation of internal auditor’s work
SCOPE OF FUNCATION
- Consider the nature and extent of the
internal auditor’s assignment.
CHAPTER 9
AUDIT SAMPING
- PSA; as the application of audit procedures
to less than 100% of the items within an
account balance or class of transaction such
that all sampling units have a chance of
selection
- Is performed on the assumption that the
sample selected for testing is
representative of the population.
SAMPLING RISK
- Refers to the possibility that the auditor’s
conclusion, based on a sample may be
different from the conclusion reached if the
entire population were subjected to the same
audit procedures.
ALPHA RISK
- Risk results in an auditor performing audit
procedures more than what is necessary,
thus affecting audit efficiency.
- Risk of underreliance
- Risk of incorrect rejection
BETA RISK
- Risk result in an auditor performing audit
procedures less than what is necessary
thereby affecting the auditor’s ability to
detect material misstatement in FS
NON-SAMPLING RISK
- Refers to the risk that the auditor may draw
incorrect conclusion about the account
balance or class of transaction because of
human error
- All aspects of audit risk that are not due to
sampling
ATTRIBUTE SAMPLING
- A sampling plan used to estimate the
frequency of occurrence of a certain
characteristic in a population
- Generally used when performing test of
controls to estimate the rate of deviation
VARIABLE SAMPLING
- A sampling plan used to estimate a
numerical measurement of a population such
as peso value.
- Generally used in performing substantive
test to estimate the amount of
misstatement
SAMPLING FOR TEST OF CONTROLS
ACCEPTABLE SAMPLING RISK
- Inverse relationship sample size
- The smaller sampling risk, larger the
sample size
TOLERABLE DEVIATION RATE
- Is the maximum rate of deviations the
auditor willing to accept
- Inversely related to sample size
- Decrease in tolerable deviation rate,
increase sample size
EXPECTED DIVIATION RATE (EDR)
- Is the rate of deviation the auditor expects to
find the population before testing begins.
- Has a direct effect on sample size
- The larger expected population deviation
rate, larger sample size.
- EDR Should not exceed the tolerable
deviation rate.
SAMPLE SELECTION METHOD FOR TEST
OF CONTROLS
RANDOM NUMBER SELECTION
- The auditor selects the sample by
matching random numbers,
generated by a random number table
or a computer software generator.
SYSTEMATIC SELECTION
- This method involves determining a
constant sampling interval and then
selects the sample based on the size
of the interval
HAPHAZARD SELECTION
- the sample is selected without
following an organized or structured
technique.
- Is useful for non-statistical sampling
test, the auditor should consider the
components of audit risk – inherent,
control and detection risk.
TOLERABLE MISSTATEMENT
- Is the maximum amount of
misstatement that the auditor will
permit in the population and still be
willing to conclude that the account
balance is fairly stated.
EXPECTED MISSTATEMENT
- Is the amount of misstatement that
the auditor believes exists in the
population like the expected
deviation rate in test of control.
VARIATION IN THE POPULATION
- When using statistical sampling, this
variability is measured by the
standard deviation
SAMPLE SELECTION METHOD FOR
SUBSTANTIVE TEST
STRATIFIED SAMPLING
- The sample size should be
determined for each stratum and
selected from that stratum.

OTHER SAMPLING APPLICATION FOR VALUE WEIGHTED SELECTION

TEST OF CONTROLS - Value weighted selection also given
SEQUENTIAL SAMPLING each item in the population an
opportunity to be selected
- Under this method, the auditor does - Sometimes called probability
not use fixed sampling size it is proportional to size sampling
sometimes called stop-or-go
sampling
DISCOVERY SAMPLING
- This form of attribute sampling is
most appropriate when no deviations
are expected in the population and
therefore even one deviation would
cause concern.
SAMPLING FOR SUBSTANTIVE TEST
ACCEPTABLE SAMPLING RISK
- When determining the acceptable
level of sampling risk for substantive