Académique Documents
Professionnel Documents
Culture Documents
CIS AUDIT
A Research about Audit Objectives,
Procedures and Program for Computerbased Accounting System
Submitted by:
Clarice I. Guintibano
Submitted to:
Dr. William Baltazar, CPA
July 18, 2016
TABLE OF CONTENTS
INTRODUCTION..........3
GENERAL
PRINCIPLES..4-7
AUDITING OF COMBUTER-BASED ACCOUNTING SYSTEM:
AUDIT
OBJECTIVES.
...8-10
AUDIT
PROCEDURES..
.11-18
AUDIT
PROGRAMS..
..19-21
EXAMPLE OF AN AUDIT PROGRAM........22
2 | Page
INTRODUCTION
Students need to ensure they have a complete understanding of the controls in a
computer-based environment, how this impact on the auditors assessment of risk, and
the subsequent audit procedures. These procedures will often involve the use of
computer-assisted audit techniques (CAATs).
Information technology (IT) is integral to modern accounting and management
information systems. It is, therefore, imperative that auditors should be fully aware of the
impact of IT on the audit of a clients financial statements, both in the context of how it is
used by a client to gather, process and report financial information in its financial
statements, and how the auditor can use IT in the process of auditing the financial
statements.
The purpose of this research is to provide guidance on following aspects of auditing in a
computer-based accounting environment:
Application controls, comprising input, processing, output and master file control
established by an audit client, over its computer-based accounting system and
Computer-assisted audit techniques (CAATs) that may be employed by auditors to test
and conclude on the integrity of a clients computer-based accounting system.
3 | Page
GENERAL PRINCIPLES
Relevant auditing standards
References will be made throughout this research to the most recent guidance in
standards:
Application controls
These are manual or automated procedures that typically operate at a business process
level and apply to the processing of transactions by individual applications. Application
controls can be preventative or detective in nature and are designed to ensure the
integrity of the accounting records.
Accordingly, application controls relate to procedures used to initiate, record, process
and report transactions or other financial data. These controls help ensure that
transactions occurred, are authorised and are completely and accurately recorded and
processed (ISA 315 (Redrafted).
Application controls apply to data processing tasks such as sales, purchases and
wages procedures and are normally divided into the following categories:
(i) Input controls
Examples include batch control totals and document counts, as well as manual
scrutiny of documents to ensure they have been authorised. An example of the
operation of batch controls using accounting software would be the checking of a
manually produced figure for the total gross value of purchase invoices against
that produced on screen when the batch-processing option is used to input the
invoices. This total could also be printed out to confirm the totals agree.
4 | Page
The most common example of programmed controls over the accuracy and
completeness of input are edit (data validation) checks when the software checks
that data fields included on transactions by performing:
When data is input via a keyboard, the software will often display a screen
message if any of the above checks reveal an anomaly, eg Supplier account
number does not exist.
(ii) Processing controls
An example of a programmed control over processing is a run-to-run control. The
totals from one processing run, plus the input totals from the second processing,
should equal the result from the second processing run. For instance, the
beginning balances on the receivables ledger plus the sales invoices (processing
run 1) less the cheques received (processing run 2) should equal the closing
balances on the receivable ledger.
(iii) Output controls
Batch processing matches input to output, and is therefore also a control over
processing and output. Other examples of output controls include the controlled
resubmission of rejected transactions, or the review of exception reports (eg the
wages exception report showing employees being paid more than $1,000).
(iv) Master files and standing data controls
Examples include one-for-one checking of changes to master files, eg customer
price changes are checked to an authorised list. A regular printout of master files
such as the wages master file could be forwarded monthly to the personnel
department to ensure employees listed have personnel records.
General controls
5 | Page
These are policies and procedures that relate to many applications and support the
effective functioning of application controls. They apply to mainframe, mini-frame and
end-user environments. General IT controls that maintain the integrity of information
and security of data commonly include controls over the following:
End-user environment refers to the situation in which the users of the computer
systems are involved in all stages of the development of the system.
(i) Administrative controls
Controls over data centre and network operations and access security
include those that:
6 | Page
7 | Page
AUDIT
OBJECTIVE
S
8 | Page
AUDIT OBJECTIVES
Most often, IT audit objectives concentrate on substantiating that the internal controls
exist and are functioning as expected to minimize business risk.
The objectives of IT audits include:
Verify that controls are in place to protect data, programs, and computers from
unauthorized access, manipulation, destruction, and theft.
Verify that adequate supervision and operating procedures exist to compensate
for lack of segregation between the duties of users, programmers, and operators.
Verify that backup procedures are in place to prevent data and program loss due
to system failures, errors and so on.
Verify that systems selection and acquisition procedures produce applications
that are high quality, and protected from unauthorized changes.
Verify that the system is free from viruses and adequately protected to minimize
the risk of becoming infected with a virus or similar object.
The auditors objectives is to ensure that the established system audit trail is adequate
for preventing and defecting abuses, reconstructing key events that precede systems
failures, and planning resource allocation.
Audit Objectives Relating to Passwords
The auditors objective here is to ensure that the organization has an adequate and
effective password policy for controlling access to the operating systems
10 | P a g e
11 | P a g e
AUDIT
PROCEDUR
ES
AUDIT PROCEDURES
Audit Procedures Associated with PC Security
12 | P a g e
The auditor should observe that PCs are physically anchored to reduce the
opportunity of theft.
The auditor should verify from organizational charts, job descriptions, and
observation that programmers of accounting systems do not also operate those
systems. In smaller organizational units where functional segregation is
impractical, the auditor should verify that there is adequate supervision over
these tasks.
The auditor should confirm that reports of processed transactions, listings of
updated accounts, and control totals are prepared, distributed, and reconciled by
appropriate management at regular and timely intervals.
Where appropriate, the auditor should determine that multilevel password control
is used to limit access to data and application and that the access authority
granted is consistent with the employees job descriptions.
If removable or external hard drives are used, the auditor should verify that the
drives are removed and stored in a secure location when not in use.
By selecting a sample of backup files, the auditor can verify that backup
procedures are being followed. By comparing data values and dates on the
backup disks to production files, the auditor can assess the frequency and
adequacy of backup procedures. If an online backup service is used, the auditor
should verify that the contract is current and adequate to meet the organization
needs.
By selecting a sample of PCs, the auditor should verify that their commercial
software packages were purchased from reputable vendors and are legal copies.
The auditor should review the selection and acquisition procedures to ensure that
end-user needs were fully considered and that the purchased software satisfies
those needs.
The auditor should review the organizations policy for using antiviral software.
This policy may include the following points:
1. Antiviral software should be installed on all microcomputers and invoked
as part of the startup procedure when the computers are turned on. This
will ensure that all key sectors of the hard disk are examined before any
data are transferred through the network.
2. All upgrades to vendor software should be checked for viruses before
they implemented.
3. All public-domain software should be examined for virus infection before
it is used.
13 | P a g e
Most operating systems provide some form of audit manager function to specify
the events that are to be audited. The auditor should verify that the audit trail has
been activated according to organization policy.
Many operating systems provide an audit log viewer that allows the auditor to
scan the log for unsusual activity. These can be reviewed on screen or by
archiving the file for subsequent review. The auditor can use general-purpose
data extraction tools for accessing archived log files to search for defined
conditions such as:
Unauthorized or terminated user
14 | P a g e
Periods of inactivity
Activity by user, workgroup, or department
Log-on and log-off times
Failed log-on attempts
Access to specific files or applications
The organizations security group has responsibility for monitoring and reporting
security violations. The auditor should select a sample of security violation cases and
evaluate their disposition to assess the effectiveness of the security group.
select a sample
report exceptional items
compare files
analyse, summarise and stratify data.
15 | P a g e
The auditor needs to determine which of these functions they wish to use, and the
selection criteria.
EXAMPLE (AUDIT PROCEDURE FOR WAGES)
The following is an example of how this could be applied to the audit of wages:
Select a random sample of employees from the payroll master file; the auditor
could then trace the sample back to contracts of employment in the HR
department to confirm existence
Report all employees earning more than $1,000 per week
Compare the wages master file at the start and end of the year to identify starters
and leavers during the year; the auditor would then trace the items identified
back to evidence, such as starters and leavers forms (in the HR department) to
ensure they were valid employees and had been added or deleted from the
payroll at the appropriate time (the auditor would need to request that the client
retain a copy of the master file at the start of the year to perform this test)
Check that the total of gross wages minus deductions equates to net pay.
Data without errors will also be included to ensure correct transactions are processed
properly.
Test data can be used live, ie during the clients normal production run. The obvious
disadvantage with this choice is the danger of corrupting the clients master files. To
avoid this, an integrated test facility will be used (see other techniques below). The
alternative (dead test data) is to perform a special run outside normal processing, using
copies of the clients master files. In this case, the danger of corrupting the clients files
16 | P a g e
is avoided but there is less assurance that the normal production programs have been
used.
(iii)
Other techniques
There are increasing numbers of other techniques that can be used; the main two are:
Integrated test facility used when test data is run live; involves the establishment of
dummy records, such as departments or customer accounts to which the dummy data
can be processed. They can then be ignored when client records are printed out, and
reversed out later.
Embedded audit facilities (embedded audit monitor) also known as resident audit
software; requires the auditors own program code to be embedded into the clients
application software. The embedded code is designed to perform audit functions and
can be switched on at selected times or activated each time the application program is
used. Embedded facilities can be used to:
Gather and store information relating to transactions at the time of processing for
subsequent audit review; the selected transactions are written to audit files for
subsequent examination, often called system control and review file (SCARF)
Spot and record (for subsequent audit attention) any items that are unusual; the
transactions are marked by the audit code when selection conditions (specified by the
auditor) are satisfied. This technique is also referred to as tagging.
The attraction of embedded audit facilities is obvious, as it equates to having a
perpetual audit of transactions. However, the set-up is costly and may require the
auditor to have an input at the system development stage. Embedded audit facilities are
often used in real time and database environments.
Impact of computer-based systems on the audit approach
The fact that systems are computer-based does not alter the key stages of the audit
process; this explains why references to the audit of computer-based systems have
been subsumed into ISAs 300, 315 and 330.
(i) Planning
The Appendix to ISA 300 (Redrafted) states the effect of information technology on the
audit procedures, including the availability of data and the expected use of computer assisted audit techniques as one of the characteristics of the audit that needs to be
considered in developing the overall audit strategy.
17 | P a g e
files that have been downloaded on to a PC or laptop. However, cost considerations still
appear to be a stumbling block.
In the through the machine approach, the auditor uses CAATs to ensure that computer
- based application controls are operating satisfactorily.
19 | P a g e
AUDIT
PROGRAMS
20 | P a g e
b.
Updated assessments of risks and effectiveness of risk management and
control processes.
c.
d.
e.
Major changes in the business, operations, programs, systems, and
controls.
f.
g.
Changes to and capabilities of the audit staff. (Work schedules should be
sufficiently flexible to cover unanticipated demands on the internal audit activity.)
The content of the IT audit plan should be a direct reflection of the risk assessment
described in previous sections.
The plan also should have different types of IT audits, for example:
Integrated business process audits.
21 | P a g e
22 | P a g e
EXAMPLE
OF AN
AUDIT
PROGRAM
23 | P a g e