- 1. AUDITING IN COMPUTER ENVIRONMENT What is audit in a computer
environment?
2. AUDITING IN COMPUTER ENVIRONMENT
- Auditing around the computer
- Auditing through the Computer
- Auditing with the computer
3. AUDITING IN COMPUTER ENVIRONMENT
- Use of computer of audit automation
-
- Statistical sampling and analytical procedures
4. AUDITING IN COMPUTR ENVIRONMENT
- Types of software on PC in order to aid his audit work
-
- Standard softwarefor word processing , spreadsheets
- Generally, an auditor can use his PC to assist for
-
- Production of time budget and budgetary control.
-
- The maintenance of permanent file information
5. AUDITING IN COMPUTER ENVIROMENT
-
- The computer systemschallenges
-
-
- lack of visible evidenceandsystematic errors. What to do?
-
-
-
- techniques available to him,
-
-
-
- the availability of the data
-
-
-
- the length of time it is retained in a readily usable form
.
6. AUDITING IN COMPUTER ENVIRONMENT
- Controls over audit computers
-
- Security, and Accuracy (of input, processing and output). The
auditor should exercise controls when PCs are used by auditor in
their work are as follows:
-
- Access controls for users by means of passwords
7. AUDITING IN COMPUTER ENVIRONMENT
- Controls over audit computers
-
- Back up of data contained on files, regular production of hard
copy; back-up disks held off the premises.
-
- Viral protection for programs and Training users.
-
- Evaluation and testing of programs use 6.Proper recording of
input data , to ensure reasonableness of output.
8. INTERNAL CONTROLS IN CIS
- The internal control over computer based accounting system
9. INTERNAL CONTROLS IN CIS
- The internal control over computer based accounting system
-
-
- The objective of applicationcontrols (manual or programmed) are
to
-
-
-
- Ensure completenessand accuracyof accounting records
-
-
-
- validity of entries made resulting from both manual and
programmed processing.
10. INTERNAL CONTROLS IN CIS
- The internal control over computer based accounting system
-
-
-
- relates to the environment CIS
-
-
-
-
- are developed, maintained and operated , and which are
therefore applicable to all the applications.
-
-
- The objectives of general controls are.
- The application controls and general controlsare inter-related
.Strong general controls contribute to assurance, which may be
obtained by an auditor in relation
11. INTERNAL CONTROLS IN CIS
- Thespecific requirementsin order to achieve theoverall
objectives of applicationcontrols are:-
-
- Control over the completeness and authorization of input
-
- Control over the completeness and accuracy of processing
-
- Control over the maintenance of master files and the standing
data contained therein
12. INTERNAL CONTROLS IN CIS
- In order to achieve theoverall objective of generalcontrols,
the controls required are:-
-
- Control over applications development
-
- To prevent or detect unauthorized changes to programs
-
- To ensure that all programs changes are adequately tested and
documented
-
- Control to prevent and detect errors during program
execution
-
- To prevent unauthorized amendments to data files
-
- To ensure that system software is properly installed and
maintained
-
- To ensure that proper documentation is kept
-
- To ensure continuity of operations.
13. COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)
-
- Techniques in that the auditors are afforded opportunities to
use either the enterprises or another computerto assistthem in
performance of audit work.
-
- CAATs, are ways in which the auditor may use the computer in a
computerized information system to gather, or assist in gathering,
audit evidence.
14. CATEGORIES OF CAAT
15. CATEGORIES OF CAAT
-
- generalized audit software
-
- specialized audit software or
-
- existing entity programs .
-
-
- Regardless of the source of the programs, the auditor should
substantiate their validity for audit purposes prior to use.
16. CATEGORIES OF CAAT
-
- Stratify accounting population and select monetary unit
statistical samples.
-
- Carry out an aging /usage analysis of stocks
-
- Perform detailed analytical reviews of financial
statements
17. TYPES OF CAATs
- Is a CAAT in which test data prepared by the auditor is
processed on the current production version of the client's
software, but separately from the client's normal input data.
18. TYPES OF CAATs
-
- embedded audit facilities
-
-
- System Review and control file ( SCARF)
-
-
- Application program examination
-
-
-
- Internal control evaluation via;Flowchart verification (Logical
Path analysis ) ,Program code verification (Code Comparison
Programs), Printoutexamination.
19. CAATs and Sustentative testing
- During substantive testing some, CAATs are used
frequently.
-
- Audit software is used extensively to examine accounting
records maintained on computer files
-
- CAATs assists in carrying out analytical review procedures
20. Limits of CAATs
-
- Evaluation of general controls
-
-
- Use ICQ or the ICE approach.
21. PROGRAM AUTHENTICITY
- Source Program authenticity
-
- guarantee that the correct application program is being
tested.
-
-
- Live test data, integrated test facilities and embedded audit
facilities as described above are audit techniques, which help in
this respect.
-
-
- Copy must be identical to orignal
22. KNOWLEDGE BASED SYSTEM
-
- Decision Support Systems and Expert systemscan be used to
assist with the auditors own judgment and decisions.
23. MANUAL Vs CAATs
- Factors to consider in choosing between CAATs and manual
Techniques:-
- Practicability of carrying out audit tests manually
- Cost effectiveness of the procedures under considerations
.
- Availability of audit time
- The availability of appropriate computer facilities and
independence issue
- The level of audit experience and expertise.
- The extent of possible reliance upon internal audit work
24. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
- Planning an audit in a Computer environment
-
- Possibilities of attending during system development stage
-
- Consideration of use of CAATs
-
- Practicability of manual audit
25. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
-
- The pattern cost associated with CAATs,
-
- The extent of tests of controls or substantive procedures
achieved by both alternatives,
-
- Ability to incorporate within the use of CAAT a number of
different audit tests.
26. PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
-
- computer facilities, computer files and programs are available
;
-
- the auditors should plan the use of CAAT in good time so that
these copies are retained for their use.
-
- Internal auditor CAATs , consider ISA
-
- Availability of computer facilities
27. INTERNAL CONTROL EVALUATION
- Internal control evaluation
-
- Weak controls = extensive substantive procedures
-
- In determining whether they wish to place reliance on
application controls or general controls ,the auditors will be
influenced by the cost effectiveness and ease of testing by the
following matters
-
- General controls and application controls
28. INTERNAL CONTROL EVALUATION
- Check systematic errors and program intergrity
-
- Manual examination may be useful in small computer
application
-
- Observation, examination of documentary evidence or
reperforming the procedures may be useful.
29. Review of financial statements
- Review of financial statements
-
- The working papers should indicate the work performed by CAAT,
the auditors conclusion, the manner in which any technical problems
were resolved and may include any recommendations about
modification of CAAT for future audits.
30. AUDIT TRAIL.
- As the complexity of computer systems has increased there has
been a corresponding loss of audit trail.Most systems have
searching facilities that are much quicker to use than searching
through print outs by hand.
- This offsets the so- called loss of audit trail to a
significant exten t.The trail is still there , although it may have
to be followed through in electronic form.
31. COMPUTER SERVICE BUREAUX
- These are third part service organization who provide EDP
facilities to their clients
-
- Consider and Analyzethe cost benefit;
-
- Level of managements own computing knowledge and their
willingness to take risk to unknown third party;
32. COMPUTER SERVICE BUREAUX
-
- The volume and frequency of processing requirements ;
-
- The complexity of the program package required ;The simpler the
program the easier it would be to process in house on Micro;
-
- The importance of timelines in processing of data check the
efficiency and economy of DP
-
- The confidentiality of the data being processed.
33. Types of Bureaux
-
- Independent companies formed to provide specialist computer
services
-
- Computer manufacturers with bureau
-
- Computer users (e.g. universities)
34. PLANNING AND CONTROL EXERCISED BY THE USER
- When the system using bureaux is set up it is essential
that
- a full feasibility study and
- system design should be carried out.
- In practice the bureau may provide assistance in performing
these tasks.
35. PLANNING AND CONTROL EXERCISED BY THE USER
- The control should include :
-
- Prior vetting of bureau standards ;
-
- Input controls at preparers end; bunching and providing or
authorizing in the same way as usual;
-
- Transit controls ;Physical transfer of documents ;
-
- batch controls ,physical security and authorized
personnel;
36. PLANNING AND CONTROL EXERCISED BY THE USER
- The control should include :
-
- Electronic transmission of data ;batch totals, passwords and
possibly encryption coding for very sensitive data;
-
- Control over and action on rejection; there must be strong
control over the level of rejections; whose fault, the bureaus or
ours?;
37. COMPUTER SERVICE BUREAUX
- Output controls :logging /registering receipt of output
material and original documentation ,distribution and filing;
Master file amendment controls; suggested control include the usual
use of pre-numbered properly authorized forms. Special control of
periodic print out of all master file amendments;
- Adequate insurance covering loss of data or documents and
computer breakdown at the bureau itself ;The external auditor
review of bureau controls ;
38. COMPUTER SERVICE BUREAUX
- A third party review an independent firm to carry out review of
internal controls, both the general and application based. The
report is then made available to the auditors of clients of the
bureaus. This saves the bureau having to make provision for many
different sets of auditorsall asking to run CAATs on the bureaux
system and complete roughly similar ICQ/ICE forms.
- Direct evaluation of the bureau by the auditor using the CAATs
, ICQand ICE.;
- Standby /back up /emergency arrangement ;
39. COMPUTER SERVICE BUREAUX
- The compliance and substantive testing of programmed
procedures, the CAATs such as discussed above are appropriate where
the client has the data and files on the premises. They may not be
possible in context of the computer service bureau. The client may
have to arrange to have files copied by the bureau or supplied to
the auditor for testing.
40. CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
- Controls in real time systems
- The main control problem is that primarily the concern is on
large, multiuser systems with terminals (dumb terminals or
networked PCs) ;The same person is often responsible for producing
and processing the same information. Internal check ,supervisory
controls should be strengthened (segregation of duties) ;The
ability of a person using remote terminal to gain access to
databases at will results in the need for special controls to
ensure that files are neither read nor written to (nor
destroyed).
41. CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
-
- Operating system;Use passwords( or lockwords) or special badges
or key; Restriction by the operating system of a certain users to
certain files .eg wages dept can be given access to only wages
file; Logging of all attempted violation of the above controls .eg
Automatic shut down of the PC or terminal used; All violations
should be speedily and thoroughly investigated
-
- Application controls;Validity checks on input; Reporting of
unusual transactions;Passwords
42. DATABASE MANAGEMENT SYSTEMS (DBMS)
- Main controls;Control to prevent or detect unauthorized changes
to programs;
-
- No access to live program file by any personnel except for the
operation personnel at the central computer; Password protection on
programs;Restricted access to the central computer and terminal
;Maintenance of console; Periodic comparison of live production
programs to control copies and supporting documentation.
43. DATABASE MANAGEMENT SYSTEMS (DBMS)
- Main controls;Controls to prevent or detect error during
operation;
-
- Restriction of access to terminals by use of password;
Satisfactory application control over input , processing and master
file ;Use of operation manuals and training all users;Maintenance
of logs showing unauthorized attempts to access; Physical
protection over data files ;Training in emergency procedures
- Controls to ensure integrity of the database system;Restriction
of access to data dictionary
44. DATABASE MANAGEMENT SYSTEMS (DBMS)
- Controls to ensure integrity of the database system;Restriction
of access to data dictionary( point of definition and
interrelationship of data); Segregation of duties between data
processing manager and data base administration personnel; Liaison
between database administration function and systems development
personnel ;Preparation and update as necessary of user manual in
conjunction with data dictionary
45. DATA BASE MANAGEMENT SYSTEM
- The audit of DBMS creates particular problems as the two
principal CAATs ,test data and audit software , tendto work
unsatisfactorily on programsand files contained within such system.
The auditor may, however, be able to useembedded audit facilities .
Close liaison with the internal auditor may provide audit comfort.
The auditors should if possible be involved at the evaluation,
design and development stages, so that they are able to determine
their audit requirements and identify control problems before
implementation.
46. SMALL COMPUTER SYSTEM
- Control problems in small computer systems
- The problems surrounding PCs can be grouped as ;
-
- Lack of planning over the acquisition and use of PCs;
-
- Lack of documentary evidence ;
-
- Lack of security and confidentiality .
47. COMPUTER FRAUD
-
- Fraudulent use of computer system;
48. FACTORS- RISK TO COMPUTER FRAUD
-
- Increase in computer literacy
-
- Communicationse.g. telephone and PCs and hackers
-
- Improvements in quality of softwareand increase in
implementation of good software has not kept pace withimprovements
in hard ware
49. COUNTERACT COMPUTER FRAUD
- Planned approach to counteract computer fraud.
-
- All staff should be properly trained and should fully
appreciate their role in computer function
-
- Management policy on fraud should be clear and firm
-
- A study should be carried to examine where the company is
exposed to possible fraud
-
- A company should map out an approach or plan in each area of
the business to tackle and preventfraud.
50. CONTROLS TO PREVENT COMPUTER FRAUDS
- As with a control system, three areas to examine
are;prevention, detection and correction
-
- Access to the computer terminals and other parts of the
computer should be restricted
-
- Access to sensitive areas of the system should be logged and
monitored
-
- Errors logs and reports should be monitored and investigated on
regular basis
-
- Staff recruitment should include careful vetting ,include
taking up all references
-
- Expert systems software may be used to monitor unusual
transactions
51. DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT
- Many auditors are now finding their clients conducting business
through theinternet . As always, the principle auditconcern , will
be controlsover the use of the internet and thestrength of audit
evidenceobtained through the internet
52. INTERNET
- Controls over the Internet
-
- Unauthorized use of the internet
-
- Staffs may use internet for unauthorized purchases
-
- Staff may use internet for accessing data which have a costs
(call)
-
- People may be able to access business internal systems via the
internetand obtain confidential information or launch virus which
disrupts internal systems
53. CONTROLS IN INTERNET
- Controls from these risks include
-
- Disabling certain terminals
-
- Authorizationthe technique make sure that a message has come
from an authorized sender
-
- Virus control softwareregular updating
-
- Physical controls;against fire, damage etc
54. AUDIT EVIDENCE IN THE INTERNET
- Audit evidence in the Internet
-
- Certain general observations can be made about audit evidence
obtained through the Internet
-
- Internet evidence generated by the auditor will be stronger
than evidence generated by client. Comfort may be obtained if the
auditor can access the internet and test what the client has
posted
-
- Internet evidence can be obtained in written form and thus
stronger than oral evidence
-
- Ifthe internal controls mentioned above are strong ,the
auditors will have more confidence in the quality of evidence
55. WHAT ABOUTE-MAIL ?
- Email may have numerous advantages in reducing office paperwork
and speeding up communication, but it also has dangers from an
audit point of view. e.g. unscrupulous employee in a large
organization might find it quite easy to send and e-mail from his
or her bosss computer authorizing a substantial bonus /payrise
- H/W;what controls could you put to prevent this from
happening
56. CONTROL ININTERNETSYSTEM
- Control of network system is of uttermost importance .the
auditors must be able to analyse the risk of unauthorized access
such as line tapping or interception and to evaluate preventive
measures
- Authentication programs and encryption are used for
security.the auditor must understand those matter and should be
able to make recommendations on implementation.
- Password securityis extremely important, and the auditors may
be called upon to recommend complex password procedures for
sophisticated systems.
57. ELECTRONIC DATA INTERCHANGE
- Electronic data interchange (EDI)is now used very widely
because it cuts the task of re-inputting data that has already been
input into a system in electronic form, saving time and improving
accuracy
-
- EDI is authentic ?What authorization measuresare in place to
ensure that transactions above certain value are properly
authorized before being transmitted or accepted?
- What is the legal position of the two parties if the
transaction is disputed?
- Encryption and authentication offer some help, as do
transaction logs that identify the originator or any transactions
generated and transmitted .
58. WHAT IS EDI
- Is the automated computer-to-computer exchange of structured
business transactions between an enterprise and its vendors,
customers, or other trading partners in a standard format, with a
minimum of human intervention
59. CONSIDERATION OF AUDIT STANDARDS
- ISA 315, Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement and
- ISA 330, The Auditors Procedures in Response to Assessed Risks
became effective.
60. CONSIDERATION OF AUDIT STANDARDS
- Major issues to be considered by an auditor as per ISA
-
- An auditor should consider new CIS environment affects the
audit
-
- The overall objective of audit in CIS audit never changes.
-
- The design and performance of appropriate tests of Controls and
Substantive procedures to achieve the audit objective are likely to
change.
61. CONSIDERATION OF AUDIT STANDARDS
- Major issues to be considered by an auditor as per ISA
-
- The existence of computer is likely to have an impact on the
clients inherent risk and control risk.
-
- The auditor should have sufficient knowledge of CIS to plan,
direct supervise and review the work performed.
-
- The auditor should consider whether specialized CIS skills are
needed in an audit.
62. ISA
- The ISA makes it clear that auditors should have sufficient
knowledgeof the CIS to perform such audit effectively.I t is not
necessary for overly member of audit team to be a computer expert
auditors must consider need for specialized CIS skills.ISA 620
using the work of expert is relevant.
- In planning the portions of audit which may be affected by the
clients environment the auditor should obtain an understanding of
significance and complexity of CIS activities and the availability
of data for use in the audit.
63. ISA
- Auditor must obtain understanding of accounting and IC
sufficient to plan an effective approach.
- Where CIS is significant, the auditor must assess the effect of
the CIS on in hereunto control risk.
- Complexity normally increases risk and pensive deficiencies in
program development, mtc, physical security and access controls
would have an effect on all applications that the system
served.
64. ELECTRONIC COMMERCE IAPS 1013
- Is any Commercial activity that takes place by means of
connected computers. E.g. offering goods for sale directly from
office computer; the purchasers computer and office computer is
connected over Internet.
- How do we audit ex-commerce?
- International Audit Practice Standard ISPS 1013 (IAPs) in
intended to assist auditors in identifying and assessing the new
risk to which the business in exposed when it undertakes e-commerce
transactions.
65. MAJOR AREAS OF FOCUS BY THE IAPS 1013
- The skill and knowledge required to understand the implications
of e-commerce on audit
- The extent of knowledge an auditor should have about the
clients business environment and activities.
66. MAJOR AREAS OF FOCUS BY THE IAPS 1013
- The business, legal, regulatory and other risk faced by entries
engaged in e-commerce transactions.
- The effect of electronic records on audit evidence.
- The statement may be also helpful to the auditor of any
business engaged in e-commerce.
67. What is an IT audit?
- Like operational, financial and compliance auditors,
Information Technology (IT) auditors work to:
- Understand the existing internal control environment
- Identify high risk areas through a formal methodology
- Ensure that adequate internal controls are in placeand operate
effectively (through the testing of said controls)
- Recommend control implementation where risk exists
68. Why IT AUDIT?
- Because of Information TechnologyRISK!!
- Risk : The probability that a particularthreat exploits a
particularvulnerability(i.e. an issue which may impact ability to
meet objective).
- Threat : Event or entity with the potential to cause
unauthorized access, modification, disclosure, or destruction of
info resources.
- Vulnerability : Weakness in a system control, or a design flaw,
that can be exploited to violate system, network, or data
integrity.
69. WhatReduces IT Riskand Whatabout any Remaining Risk?
- Internal Controls (i.e. safeguards)
- Control : Protective measure implemented to ensure company
assets (IT or otherwise) are both available and accurate in order
to meet the business requirements of that asset.
- Residual Risk : The risk that is left over
afterreasonableinternal controls have been both evaluated and
implemented.
- Internal Controls donoteliminateallrisk!!
70. INTERNAL CONTROLS OTHER MATTERS
- The are two major types of controls:
71. 72. What about OTHER types of audits that may impact
Security Administration functions
-
- Financial opinion audits (CPAs)
-
- Operational process audits now includes environmental &
construction
-
- Compliance laws/regulations and policies, standards, and
procedures
-
- IT usually considered operational unless performed so opinion
auditors may rely on financial info provided
- Hybrid - Integrated Audit today almost all audits are actually
hybrid
73. Operational Audits
- Review operating policies/procedures
-
- Documented policies/procedures?
-
- Informal policies/procedures?
- Work flow examined (thru flowchart or description
requested/developed)
- Controls identified and documented
- Examine the business process and recommend improvements control
related or efficiency/effectiveness
74. INTERNAL CONTROLS OTHER MATTERS
- The purpose of General controls is to establish a framework of
overall control over the CIS activities and to provide a reasonable
level of assurance that the overall objectives of IC are achieved
.
75. INTERNAL CONTROLS OTHER MATTERS
- Categories of General Controls :
-
- Organizational and Management control
-
-
- -Helps to provide a proper organizational framework including
regression of incompatible functions.
-
- Application development and Mtc controls
-
-
- -To ensure that applications are properlydeveloped,
testedandmaintained.
76. INTERNAL CONTROLS OTHER MATTERS
- Categories of General Controls :
-
- Operational controls To ensure properly authorized access to
system and the detection of errors.
-
- Systems software controls to ensure the integrity of the
development and usage of systems software.
-
- Data entry & program controls to ensure the integrity of
data and program files.
77. CIS APPLICATION CONTROLS
- CIS application controls.
- The purpose of this control is to establish specific control
procedures over the acting applications to provide reasonable
assurances that all transactions are authorized, recorded and
processed, completely,accuratelyand on atimely bases.
78. CIS APPLICATION CONTROLS
- Controls over input designed to provide reasonable assurance
that:-
-
- Transactions are properly authorized before being processed by
the computer transactions are accurately converted into machined
readable form and recorded in the compute data files.
-
- Transactions are not lost, duplicated or improperly
changed.
-
- Processing errors are identified and corrected on timely
basis
79. CIS APPLICATION CONTROLS
- Controls over output designed to provide reasonable assurance
that:-
-
- Results of processing are accounts; Access to output is
restricted to authorized personnel; Output is provided to
appropriate authorized personnel on timely basis ;Normally the
technique which control the accuracy of input and processing while
help to control master file date; Since master file standing data
items are used many times over in processing, they take on greaten
importance than transaction date and more costly controls such as
one - for one checks may be justified.
80. MANUAL AND PROGRAMMED CONTROLS
- Many controls over computers are manual controls, and prodding
that the manual controls exercised by users are sufficient to
provide reasonable assurance of the completeness, accuracy and
authorization of output, test of control may be limited to those
manual controls.In a payroll system, for example, if users test
check gross pay, deductions net pay and authorization at the output
stage, and if they compare net pay with approved bank transfer
documentation and perform regular bank reconciliations; there may
be no need to test programmed controls.
81. MANUAL CONTROLS
-
-
-
- -Is a matter of common sense.
-
-
-
- -Limit access to a computer room, -Locks and keys, only to
specified people
-
-
-
- -Create and update an identical back up disk for every disk in
the system; Data files&Program files; The disk should be stored
in separate place.
82. MANUAL CONTROLS
-
-
- -Each disk should be labeled clearly and filed securely.The
labeled disks should be filed in special disk boxes to provide a
degree of protection against liquid being spoilt on the disks or
their being bent or plied.
-
-
- Documentation : It is vital, as it provides both a support
system for work already stored on disk and filed, and progress
report on data currently being processed or updated.
-
-
- Proofing: There is always room for manual checking or proofing,
to control data on disk .
83. PROGRAMMED CONTROLS
- Passwords ; Date/time stamps for compass on of two revisions of
data;Prompts Asking the user to continue with an action or
not.
- Check Digit:A means of control on that they ascertain whether
or not a number, such as ISBN is valid. E.g. customer account No.
The computer will detect of the number is ever input
incorrectly.
- Batch totals and hash totals:
84. PROGRAMMED CONTROLS
- Reasonable checks:Checks to ensure that data input is
reasonable given the type of input it is e.g. A payroll system
would check that his recorded for a falls within a range of 30 to
50.
- Existence checks:Checks to ensure that the data input is valid
by checking that the entity already exists in the system. E.g.
employee number.
- Dependency checks:Data input fields can be compared with other
fields for reasonableness.
85. SMALL STAND ALONE MICRO-COMPUTER
-
-
-
- Major controls appropriate in this environment are:-
86. Internal controls
- Inherent limitations of the system of IC in elimination of
frauds & errors.
- The need to balance the cost of control with its benefits; The
fact that IC are applied to systematic transaction, not one-off
year-end adjustments, which are often larger and subject to error;
The potential human error; Possibility of circumvention of IC
through coolness in of managers or employees with other parts
inside /outside the entity; Abuse of controls or override of
controls e.g. ordering of personal goods; Obsolescent of
controls
87. FURTHER CONSIDERATION OF CAATs
- Further considerations of CAATs
-
-
- ISA requires auditors to obtain appropriate audit evidence to
be able to allow reasonable conditions on which to base their
opinion.
-
- Helps to test larger number of data hence increase confidence
in their opinion; Helps to test Accounting Systems its records
(Tables & Disk files) rather than relying on testing printout;
Are cost effective once set up for obtaining audit evidence;
Comparison can easily be made from clerical audit work hence
increase confidence.
88. OTHER DETAIL MATTERS
- Difficulties of using computer programs cost.
-
- Cost; Changes to clients system; Small installations PC; Over
elaboration; Larger quantities of output; Version of file used for
lest.
-
- Is a data submitted by the auditor for processing the clients
computer-based accounting system.
89. OTHER DETAIL MATTERS
- Major approached to the use of test data
-
- Using dummy data in a normal production nun.
-
- Using dummy data in special nun.
- Difficulties of test data:
-
- Difficult in recording audit evidence
90.