Date post: | 04-Jun-2018 |
Upload: | ajju-k-ajju |
8/13/2019 Guide 8.1 EDP
Risk Based Audit Approach Session 8.1
Session Title: Auditing in EDP Environment
Session Guide
Instructor's Guide: Reference Participant Response

Session Overview

Tell: We will have a discussion on characteristics of EDP system followed by basic principles of auditing in an EDP environment and approach to audit of computerized accounts on audit risk consideration.

Tell: Two & half hours are assigned for this session. 20 minutes are assigned for the exercises and remaining 10 minutes will be used for discussion.

Learning Objectives:

Tell: At the end of the session you will be able to understand the basic principles of auditing in EDP environment, and uses of CAATs in identifying risk in an EDP environment.

Key Teaching Points

CHARACTERISTICS OF AN EDP ENVIRONMENT (Risk identification for the auditor)

Show slide

Tell: An understanding of the major characteristics of an EDP environment, particularly insofar as they differ from those of a manual system, is essential for the auditor as a tool for risk identification and for formulating his general approach and specific techniques to audit of such a system.

Slide 8.1-4
Slide 8.1-5

Guide 8.1 RTI, JAIPUR
Tell: Characteristics of an EDP environment, which have a bearing on the work of the auditor and proper assessment of these characteristics, will help in proper planning and execution of audit.

Tell: In an EDP environment, the number of persons involved in the processing of information is significantly lower than that in a manual system.

Tell: Therefore, many conventional controls based on segregation of duties may not exist or may be less effective.

Tell: Certain data processing personnel, by virtue of their specialised knowledge, may be intimately connected with the input preparation, processing, and distribution and use of the output. Thus, they may be in a position to alter programs or data during processing or storage.

Tell: In a manual accounting system, a transaction is recorded on the basis of a supporting document, e.g. voucher, invoice, receipt, etc. However, such documentation may not always be available in the case of a computerised system, where some data may be entered directly into the system without supporting documents. For example, sale orders and discounts may be fed directly into an on-line system without visible authorisation of individual transactions.
Tell: Where a manual accounting system is in operation, the process of recording transactions generally follows a set pattern. Firstly, a basic document, i.e. voucher, invoice or receipt, etc. is prepared. This is the first recognition of a transaction having taken place. Then an entry is made in a prime book of account, i.e. journal or daybook. Finally, a posting is made in the principal book, i.e. ledger. Thus, for each transaction, there is a visible 'trail', which the auditor can follow.

Tell: Under the computerised system, the above order is not strictly followed. In a computerised system, the auditor may often find that the audit trail is mostly in machine-readable form. Also, it may exist only for a limited period of time.

Tell: In many EDP systems, the results of processing may not be printed or may be printed in a summary form. The data may be retained on the files, which are readable only by the computer.

Tell: In a computerised system, data and programs may be easily accessed and altered at the computer or through the use of remote terminals. Therefore, unless appropriate controls are instituted, there is an increased potential for unauthorized access to, and alteration of, data and programs.
Tell: EDP systems are normally more reliable than manual systems, inasmuch as they perform functions exactly as programmed. On the other hand, a faulty computer program may consistently process transactions or other data erroneously.

Tell: In a computerised system, many internal control procedures are incorporated in computer programs. These procedures can be designed to provide controls with limited visibility; for example, unauthorized access to data may be prevented by passwords.

Large volumes of data and the computer programs may be stored on portable or fixed storage media such as magnetic tapes, disks, etc. These media are vulnerable to theft, loss, or intentional or accidental destruction.
Tell: Code numbers are extensively used to represent names and descriptions in a computerised system. The auditor has to familiarise himself with such codes. This may create some problems, especially in the initial stages. The auditor may face another difficulty due to the fact that narratives may be totally absent in the computerised records. Thus, it may become difficult for him to understand the various transactions.

Tell: It should be recognised that while computers can process information with incredible efficiency, they are also very vulnerable to frauds.

Show slide

Explain: Computer frauds can be divided into five general categories as below.

1. Financial frauds, e.g. where fund transfers are made to the criminal's personal account.
2. Property frauds, e.g. where false orders are placed on the computer for goods which are misappropriated.
3. Information theft including unauthorised access to data base records and computer programs.
4. Theft of services including unauthorised use of computer.
5. Vandalism of equipment and destruction of records.

Slide 8.1-6
Tell: Five principal facets of computer operations have been found to be particularly vulnerable to manipulation.

1. Data input, where false data is programmed into the system or the existing data removed.
2. Programming, where theft, destruction or full or partial modification is possible.
3. Central processing, where the system is exposed to wiretaps and interception of the data.
4. Output, where theft of confidential data occurs.
5. Communication of data to another computer or from computer to terminal.

There is, therefore, a strong need for adequate controls in all these areas.

Show slide

Explain: Internal controls which are specific to an EDP environment include both manual procedures and procedures designed into computer programs. These manual and computer control procedures can be classified into (a) general EDP controls and (b) EDP application controls.

Slide 8.1-7
Tell: The purpose of general EDP controls is to establish a framework of overall control over EDP activities. General EDP controls pertain to division of duties, controls over development and maintenance of software, controls over computer operations, error routine, controls over stationery, data entry and program controls, file controls, and security and standby arrangements.

Tell: The general EDP controls discussed above influence the overall EDP environment and, therefore, have an effect on all or most EDP applications. Besides these controls, it is also important to design and operate appropriate controls over each EDP application.

Tell: All EDP applications can be divided into three stages: input, processing and output. It is necessary to institute appropriate controls at each of these stages.

Tell: We have already discussed the main characteristics of an EDP environment that have a bearing on the work of an auditor. The various types of controls applicable in an EDP environment have also been discussed. Now, basic principles of auditing in an EDP environment, the approach to the audit of EDP-based accounts and some of the specific techniques of such audit will be dealt with.

Show slide

Explain: The basic principles governing an audit in an EDP environment are similar to those in a manual environment. However, some of the auditing procedures to be applied for complying with these basic principles are specific to the EDP environment.

Slide 8.1-8
Explain: It is a basic principle of auditing that an auditor should have adequate training, experience and competence in auditing. In the context of auditing in an EDP environment, this implies that the auditor should have sufficient understanding of computer hardware, software and processing systems to be able to plan the engagement and to understand how EDP affects the study and evaluation of internal control and the application of auditing procedures.

Tell: As in the case of any other audit engagement, the auditor can delegate work to assistants or use work performed by other auditors or experts while auditing in an EDP environment. However, he should have sufficient understanding of EDP to direct, supervise and review the work of assistants who have EDP skills or to obtain reasonable assurance that the work performed by other auditors or experts with EDP skills is adequate for his purpose.

Show slide

Tell: In planning his audit, the auditor should gather sufficient & relevant information about the EDP environment, including the following:

- The manner in which the EDP function is organised.
- The computer hardware and software used by the entity.
- Significant computer applications, the nature of processing, and policies regarding retention of data.
- Plans regarding implementation of new applications or revisions to existing applications.

Slide 8.1-10
Show slide

Tell: The computerisation of an accounting system does not change the overall objective and scope of audit. However, the use of a computer results in changes in the processing and storage of information and affects the organisation and procedures employed by the entity to achieve adequate internal control. Accordingly, the procedures followed by the auditor in his study and evaluation of the accounting system and related internal controls and the nature, timing and extent of his other audit procedures may be affected by an EDP environment.

Tell: The special features of an EDP system make it necessary for the auditor to modify his compliance and substantive procedures for review of internal controls and examination of data. Due to the absence of audit trail and primary records, lack of visible output, and the use of accounting codes, etc. the auditor cannot carry out the traditional vouch-and-post audit of computerised records. He has to lay much more emphasis on the evaluation of internal control and on analytical review procedures and has also to change his verification programme in consonance with the manner in which the records are maintained.

Slide 8.1-
Distribute exercise 8.1.1, tell time allowed is 10 minutes.
Collect exercise after 10 minutes and distribute Solution.
Discuss the solution in full group.

Start the discussion again and tell,

Computerised systems of accounting, however, also offer certain safeguards to the auditor. Firstly, if he is satisfied about the controls, the auditor can place a higher degree of reliance on the arithmetical accuracy of the accounts maintained; he need not conduct a detailed verification of the arithmetical accuracy of the records.

Tell: Further, computerisation automatically implies a constant review of the systems to increase their efficiency in producing reliable data. As a result, the internal controls are normally better designed under computerised systems. Automatic checks are instituted and the responsibilities of various people are clearly stated. Systems analysis and methods study are conducted periodically. Consequently, the movement of papers is smoother and speedier.

Tell: Computerisation of accounts, thus, presents special problems and opportunities for the auditor. Instituting special controls can mitigate the problems and the opportunities can be exploited by the auditor to make his audit programme more effective. As in the case of audit of accounts maintained manually, the audit of computerised accounts can be divided into two major phases:

1. Review of internal controls; and
2. Examination of records produced by the data processing system.

Exercise 8.1.1
Sol. to exercise 8.1.1
Tell: The review of internal controls acquires special significance in an EDP environment. This is due to the limitations on the auditor's examination of computerised records arising out of many factors, e.g. absence of audit trail, lack of visible output.

Tell: While well-defined internal controls ensure the arithmetical accuracy of records, weaknesses in the system may lead to frauds and errors.

Tell: The auditor's review of internal controls involves ascertaining the system, testing compliance through the performance of compliance procedures, and finally, making an evaluation of the system as a basis for ascertaining the degree of reliance which he can place on the system in determining the nature, timing and extent of his substantive procedures.

Tell: The auditor can perform tests of compliance by obtaining documentary evidence regarding the application of internal controls; he can also make verbal enquiries or actually observe the functioning of the controls. For example, the auditor may scrutinise the rejection records to check whether rejections were promptly dealt with and whether a periodic review was made of the contents of the suspense file.

Tell: Apart from examination of documentary evidence, enquiry and observation procedures, the auditor may also use computer assisted audit techniques in performing compliance tests.

Tell: Compliance tests as above enable the auditor to determine whether the controls on which he intends to rely were functioning properly throughout the period of intended reliance. Based on his judgment, the auditor determines the nature, timing and extent of his substantive procedures.
Tell: Having determined the degree of his reliance on the internal control system, the next step for the auditor is to select and examine the records produced by the data processing system with a view to assessing their accuracy, validity and completeness. In doing so, the auditor has to deal with a problem peculiar to EDP systems, namely, lack of a complete and visible audit trail.

Show slides

Tell: The audit trail refers to the links by which an original transaction can be traced forward to its final output or whereby each item of the output can be traced back to the source documents. The vouchers, journal, ledger, and other books of account provide the links in the audit trail. These are important for an auditor since he can trace the final impact of all transactions on the financial statements only through such links. As discussed earlier, in manual accounting, the audit trail is clear.

Tell: The introduction of electronic data processors affects the audit trail. There are direct input devices, which eliminate the source documents. Similarly, the processing references may be missing, making it difficult to observe the sequence of records and transactions. Hence, the auditor has to find out sufficient printed records, listings, etc. to reconstruct and follow the sequence of transactions.

Slide 8.1-11
Slide 8.1-12, 13 and 14
Tell: In many cases, special printouts may be specifically required to reconstruct the audit trail. This may, however, require retention of data in a machine-readable form for long periods. Alternatively, the printouts required for audit purposes may be prepared when the data are processed initially.

Tell: The auditor may trace certain selected transactions from input documents to regular output statements or to error listings. The sampled items so traced provide evidence regarding the actual activities of the period. In this approach, the auditor does not make use of the computer in conducting audit tests. He merely traces the transactions from the original documents to the statements and compilations produced on the computer.

Tell: Such an approach is useful in the case of computer systems, which perform relatively uncomplicated processing and produce detailed output. The auditor ensures that sufficient audit trail will be available to him so that he can conduct his tests in essentially the same manner as in the case of a traditional audit of manual accounting systems. This, however, may not always be the case.
Distribute exercise 8.1.2, tell time allowed is 10 minutes.
Collect exercise after 10 minutes and distribute Solution.
Discuss the solution in full group.

Distribute: Case 8.1
Explain the study for five minutes and give 40 minutes to solve it.
Collect the answers, distribute the solution and discuss.

Exercise 8.1.2
Sol. to exercise 8.1.2
Case 8.1
solution
Case 8.1

Tell: In many cases, it may be impracticable for the auditor to perform tests of details of transactions manually, and he may have to use what are commonly known as 'computer-assisted audit techniques' (CAATs).

Explain and discuss

Tell: In an EDP environment, the auditor may perform his compliance procedures as well as tests of details of transactions with or without the help of the computer.
Tell:

Compliance tests of EDP controls; for example, the auditor may use test data to test the functioning of a programmed procedure.
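
An added example, not part of the original guide: a small computer-assisted test of details in Python that traces sampled input documents forward to the output or the error listing, traces output items back to source documents, and checks whether rejections were promptly dealt with. The record layouts, document numbers and the 7-day threshold are constructed assumptions.

```python
import random
from datetime import date

# Constructed sample data (not from the guide); amounts in whole currency units.
INPUT_DOCS = [  # source documents: vouchers, invoices, receipts
    {"doc": "V-001", "account": "4010", "amount": 1200},
    {"doc": "V-002", "account": "4010", "amount": 450},
    {"doc": "V-003", "account": "9999", "amount": 300},
    {"doc": "V-004", "account": "4020", "amount": 800},
    {"doc": "V-005", "account": "4020", "amount": 150},
    {"doc": "V-006", "account": "4010", "amount": 50},
]
LEDGER = [  # regular output produced by the system
    {"doc": "V-001", "account": "4010", "amount": 1200},
    {"doc": "V-002", "account": "4010", "amount": 450},
    {"doc": "V-004", "account": "4020", "amount": 80},
    {"doc": "V-099", "account": "4010", "amount": 700},
]
ERROR_LISTING = [  # rejection records held in the suspense file
    {"doc": "V-003", "rejected": date(2019, 4, 2), "cleared": date(2019, 4, 3)},
    {"doc": "V-006", "rejected": date(2019, 4, 5), "cleared": None},
]

def trace_forward(docs, ledger, errors, sample_size, seed=1):
    """Trace a random sample of input documents to the output or the error listing."""
    posted = {p["doc"]: p for p in ledger}
    rejected = {e["doc"] for e in errors}
    findings = []
    for d in random.Random(seed).sample(docs, sample_size):
        p = posted.get(d["doc"])
        if p is not None:
            if (p["account"], p["amount"]) != (d["account"], d["amount"]):
                findings.append((d["doc"], "posted with a different account or amount"))
        elif d["doc"] not in rejected:
            findings.append((d["doc"], "no trail: neither posted nor rejected"))
    return sorted(findings)

def trace_backward(docs, ledger):
    """Trace every output item back to a source document; return the orphans."""
    known = {d["doc"] for d in docs}
    return [p["doc"] for p in ledger if p["doc"] not in known]

def stale_rejections(errors, as_of, max_days):
    """Rejections not cleared within max_days, i.e. not promptly dealt with."""
    stale = []
    for e in errors:
        end = e["cleared"] or as_of  # still open: measure up to the audit date
        if (end - e["rejected"]).days > max_days:
            stale.append(e["doc"])
    return stale

if __name__ == "__main__":
    print(trace_forward(INPUT_DOCS, LEDGER, ERROR_LISTING, sample_size=len(INPUT_DOCS)))
    print(trace_backward(INPUT_DOCS, LEDGER))
    print(stale_rejections(ERROR_LISTING, as_of=date(2019, 4, 30), max_days=7))
```
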
Tell: When an auditor uses CAATs, he should keep adequate working papers relating to the application of such techniques. The working papers should contain sufficient documentation to describe the CAAT application, such as:

Planning
- Objectives of CAAT.
- Specific CAAT to be used.
- Controls to be exercised.
- Staffing, timing and cost.

Execution
- CAAT preparation and testing procedures and controls.
- Details of the tests performed by the CAAT.
- Details of input, processing and output.
- Relevant technical information about the entity's accounting system, such as computer file layouts.

Audit Evidence
- Output provided.
- Description of the audit work performed on the output.
- Audit conclusions.

Other
- Recommendations to entity management.

Explain and discuss: Types, Advantages and Disadvantages of CAATs in various auditing situations

Note 8.1
Tell: We will now discuss one of the generalized audit software IDEA. Our discussion will be focused on the following points:

- IDEA an introduction
- Functions
- Downloading of data
- Use of IDEA

To sum up

It will be observed from the above discussion that approach and techniques to be followed by an auditor in auditing EDP based information e.g. accounts processed on computers are in certain respects different from those to be followed in manual environment requiring more skills and knowledge. Audit risks are a fact, following necessary preventing methods must be adopted to estimate and control risks effectively:

- Reforming audit techniques and methodology,
- Improving preliminary and follow up audit on IT System,
- Strengthening audit on internal controls and urging audited entities to establish and improve the internal control system in IT Environment,
- Enhancing the training of auditors; and
- Speeding up the development of audit software.
- Better understanding of CAATs and use of IDEA software for data, analysis and sampling

Slide 8.1.2,24
Slide 8.1-25,26
Slide 8.1-27,28
Slide 8.1-29 to 40