Topic Thirteen
SERVICES II
TOPIC: AUDITING OF COMPUTERIZED SYSTEM
Learning Objectives
Definitions and explanations of Computer terms
Internal controls in a Computer Environment
General Computer (CIS) Installation Controls
Computer (CIS) Application Controls
Computer-Assisted Audit techniques (CAATs)
Uses of Computer-Assisted Audit techniques (CAATs)
Auditor’s Operational Standards with Computers (CIS).
Introduction
Information technology (IT) is integral to modern accounting and
management information systems.
Auditors should be fully aware of the impact of IT on the audit of a
client’s financial statements, both in the context of how it is used by a
client to gather, process and report financial information in its
financial statements, and how the auditor can use IT in the process
of auditing the financial statements and reporting.
According to International Standards on Auditing, a computer
information system (CIS) environment exists when a computer of any
type or size is involved in the entity's processing of financial
information of significance to the audit, whether that computer is
operated by the entity or by a third party.
Therefore, this topic will provide guidance on:
General computer information system controls,
Application controls, comprising input, processing, output and
master file controls established by the client under audit, over its
computer-based accounting system and,
Computer-assisted audit techniques (CAATs) that may be
employed by auditors to test and conclude on the integrity of a
client’s computer-based accounting system. The use of computer-
assisted audit techniques (CAATs) may enable more extensive
testing of electronic transactions and account files.
Such techniques can be used to select sample transactions from
key electronic files, to sort transactions with specific
characteristics, or to test an entire population instead of a sample.
Internal Control in Computer Environment
These are mechanisms, rules and procedures implemented
by the company to ensure integrity, promote accountability
and prevent fraud.
There are two classes of internal control in a computer
information system environment. These are:
i. General (CIS) Controls
ii. Application (CIS) Controls, which include
-Input Controls
-Processing Controls
-Output Controls
General Controls
These are policies and procedures that relate to the overall
computer information system.
They are evaluated before the application controls, and they run
through the whole of the CIS, as they apply to all functions of IT.
General controls apply to all aspects of the IT function.
General controls include, but are not limited to, the following:
i. Documentation Controls
ii. Access Controls
iii. Data Recovery Controls
iv. Monitoring Controls
Application Controls
These are policies and procedures that relate to the
specific use of the system. They are specific to a given
application and their objectives are to ensure the
completeness and accuracy of the accounting records
and the validity of entries made in those records.
An effective computer-based system will ensure that
adequate controls exist at the input, processing and output
stages of the computer processing cycle, and over the
standing data contained in master files.
Input Control
Control activities designed to ensure that input is authorized, complete,
accurate and timely are referred to as input controls.
Depending on the complexity of the application program in question,
such controls will vary in terms of quantity and sophistication.
Factors to be considered in determining these variables include cost
considerations, and confidentiality requirements with regard to the
data input.
Input controls common to most effective application programs include
on-screen prompt facilities (for example, a request for an authorized
user to ‘log-in’) and a facility to produce an audit trail allowing a user to
trace a transaction from its origin to disposition in the system.
Processing Control
Processing controls exist to ensure that all data input is
processed correctly and that data files are updated
accurately and in a timely manner.
The processing controls for a specified application program
should be designed and then tested prior to ‘live’ running with
real data.
These may typically include the use of run-to-run controls,
which ensure the integrity of cumulative totals contained in the
accounting records is maintained from one data processing run
to the next.
Output Controls
Output controls exist to ensure that all data is processed
and that output is distributed only to prescribed
authorized users.
While the degree of output controls will vary from one
organization to another (dependent on the confidentiality
of the information and size of the organization).
Computer Assisted Audit Techniques (CAATs)
Computer-assisted audit techniques (CAATs) refer to the practice of using
computers to automate the IT audit processes.
CAATs may involve software packages that apply statistical analysis and
business intelligence tools.
The nature of computer-based accounting systems is such that auditors may
use the client/company’s computer, or their own, as an audit tool, to assist
them in their audit procedures.
By using CAATs, an auditor can go through a large amount of data in far
less time than if the audit were done manually.
With CAATs, the auditor can also quickly go through 100% of the client’s
records.
Classes of CAATs
There are two classes of CAATs:
i. Audit Software
Audit software is a generic term used to describe computer programs
designed to carry out tests of control and/or substantive procedures. Audit
software is used to interrogate a client's system. It can be either packaged,
off-the-shelf software or it can be purpose written to work on a client's
system.
They may be used to carry out numerous audit tasks, for example, selecting a
sample (either statistically or judgementally), performing arithmetic
calculations, checking for gaps in the processing of sequences, calculating
ratios, providing reports and checking arithmetical accuracy.
Typically, they may be used to re-perform computerised control procedures
(for example, cost of sales calculations) or perhaps to carry out an aged
analysis of trade receivable (debtor) balances.
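Two of the audit software tasks named above, checking an invoice sequence for gaps and duplicates and producing an aged analysis of trade receivable balances, are sketched below as an added example that is not part of the original notes. The ledger rows, the ageing bands and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: (invoice_no, customer, invoice_date, amount_outstanding)
LEDGER = [
    (1001, "Alpha Ltd", date(2024, 5, 28), 1200.00),
    (1002, "Beta Co", date(2024, 4, 15), 450.50),
    (1003, "Alpha Ltd", date(2024, 2, 1), 980.00),
    (1005, "Gamma Plc", date(2023, 12, 10), 3100.25),
    (1005, "Gamma Plc", date(2023, 12, 10), 3100.25),  # duplicate posting
    (1008, "Beta Co", date(2024, 6, 20), 75.00),
]

# Ageing bands in days (upper bound inclusive); assumed, not from the notes
BANDS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]
OLDEST = "over 90"


def sequence_exceptions(ledger):
    """Return (missing invoice numbers, duplicated invoice numbers)."""
    counts = Counter(row[0] for row in ledger)
    expected = range(min(counts), max(counts) + 1)
    missing = [n for n in expected if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def aged_receivables(ledger, as_at):
    """Total outstanding balance per ageing band at the as_at date."""
    totals = {label: 0.0 for _, label in BANDS}
    totals[OLDEST] = 0.0
    for _, _, inv_date, amount in ledger:
        age = (as_at - inv_date).days
        label = next((lbl for limit, lbl in BANDS if age <= limit), OLDEST)
        totals[label] += amount
    return {k: round(v, 2) for k, v in totals.items()}


if __name__ == "__main__":
    missing, duplicates = sequence_exceptions(LEDGER)
    print("Missing invoice numbers:", missing)
    print("Duplicated invoice numbers:", duplicates)
    print("Aged analysis:", aged_receivables(LEDGER, date(2024, 6, 30)))
```

Because the whole file is read, every exception in the population is reported rather than only those that fall into a sample; the duplicated posting also inflates the oldest ageing band until it is investigated.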
ii. Test Data
Test data is used to test the existence and effectiveness of controls
built into an application program used by an audit client. As such,
dummy transactions are processed through the client’s computerised
system.
The results of processing are then compared to the auditor’s
expected results to determine whether controls are operating
efficiently and the system’s objectives are being achieved.
Test data involves the auditor submitting 'dummy' data into the
client's system to ensure that the system correctly processes it and
that it prevents or detects and corrects misstatements.
The objective of this is to test the operation of application controls
within the system.
To be successful, test data should include both data with errors
built into it and data without errors.
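The test data approach described above, as an added example that is not part of the original notes: dummy transactions with and without errors are processed and the actual result is compared with the auditor's expected result. The function client_system_accepts is a hypothetical stand-in for the client's application, and the supplier codes, approval limit and test pack are constructed.

```python
# Hypothetical stand-in for the client's payment-entry routine. In a real
# engagement the dummy transactions go through the client's own system.
VALID_SUPPLIERS = {"S001", "S002"}
APPROVAL_LIMIT = 10_000.00


def client_system_accepts(txn):
    """Return True if the (simulated) application posts the transaction."""
    if txn["supplier"] not in VALID_SUPPLIERS:
        return False  # existence check against the supplier master file
    if txn["amount"] <= 0:
        return False  # range check: no zero or negative payments
    # Deliberate gap for the illustration: APPROVAL_LIMIT is never enforced.
    return True


# Constructed test pack: valid and invalid dummy transactions, each with the
# result the auditor expects if the controls operate as described.
TEST_PACK = [
    ("valid payment", {"supplier": "S001", "amount": 250.00}, True),
    ("unknown supplier", {"supplier": "S999", "amount": 250.00}, False),
    ("negative amount", {"supplier": "S002", "amount": -40.00}, False),
    ("over approval limit", {"supplier": "S002", "amount": 25_000.00}, False),
]


def run_test_data(system, test_pack):
    """Process each dummy transaction and list deviations from expectation."""
    deviations = []
    for name, txn, expected in test_pack:
        actual = system(txn)
        if actual != expected:
            deviations.append((name, expected, actual))
    return deviations


if __name__ == "__main__":
    for name, expected, actual in run_test_data(client_system_accepts, TEST_PACK):
        print(f"DEVIATION {name}: expected accept={expected}, got {actual}")
```

Only the erroneous "over approval limit" item exposes the missing control, which is why the test pack needs invalid data as well as valid data.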
The basis on which an auditor may choose between CAATs and
manual testing in an audit engagement depends on the following aspects:
i. The practicality of carrying out manual testing
ii. The cost effectiveness of using CAATs
iii. The availability of audit time
iv. The availability of the audit client’s computer facility
v. The level of audit experience and expertise in using a specified
CAAT
vi. The level of CAATs carried out by the audit client’s internal
audit function and the extent to which the external auditor can
rely on this work.
INFORMATION SYSTEMS AUDITS
The purpose of an information systems audit is to review
and evaluate the internal controls that protect the system.
When performing an information system audit, auditors
should ascertain that the following objectives are met:
Security provisions protect computer equipment, programs,
communications, and data from unauthorized access,
modification, or destruction.
Program development and acquisition are performed in
accordance with management’s general and specific
authorization.
Program modifications have management’s authorization and
approval.
Processing of transactions, files, reports, and other
computer records is accurate and complete.
Source data that are inaccurate or improperly
authorized are identified and handled according to
prescribed managerial policies.
Computer data files are accurate, complete, and
confidential.
OBJECTIVE 1: OVERALL SECURITY