Guide 8.1 EDP

Date post: 04-Jun-2018
Upload: ajju-k-ajju
  • 8/13/2019 Guide 8.1 EDP

    1/17

    Risk Based Audit Approach Session 8.1

    Session Title: Auditing in EDP Environment Session Guide

    Instructor's Guide: Reference Participant Response

    Session Overview

    Tell: We will have a discussion on characteristics of EDP system followed by basic principles of auditing in an EDP environment and approach to audit of computerized accounts on audit risk consideration.

    Tell: Two & half hours are assigned for this session. 20 minutes are assigned for the exercises and remaining 130 minutes will be used for discussion.

    Learning Objectives:

    Tell: At the end of the session you will be able to understand the basic principles of auditing in EDP environment, and uses of CAATs in identifying risk in an EDP environment.

    Key Teaching Points

    CHARACTERISTICS OF AN EDP ENVIRONMENT (Risk identification for the auditor)

    Show slide

    Tell: An understanding of the major characteristics of an EDP environment, particularly insofar as they differ from those of a manual system, is essential for the auditor as a tool for risk identification and for formulating his general approach and specific techniques to audit of such a system.

    Slide 8.1-4

    Slide 8.1-5

    Guide 8.1 RTI, JAIPUR 1


    Tell: Characteristics of an EDP environment, which have a bearing on the work of the auditor and proper assessment of these characteristics, will help in proper planning and execution of audit.

    Tell: In an EDP environment, the number of persons involved in the processing of information is significantly lower than that in a manual system.

    Tell: Therefore, many conventional controls based on segregation of duties may not exist or may be less effective.

    Tell: Certain data processing personnel, by virtue of their specialised knowledge, may be intimately connected with the input preparation, processing, and distribution and use of the output. Thus, they may be in a position to alter programs or data during processing or storage.

    Tell: In a manual accounting system, a transaction is recorded on the basis of a supporting document, e.g. voucher, invoice, receipt, etc. However, such documentation may not always be available in the case of a computerised system, where some data may be entered directly into the system without supporting documents. For example, sale orders and discounts may be fed directly into an on-line system, without visible authorisation of individual transactions.


    Tell: Where a manual accounting system is in operation, the process of recording transactions generally follows a set pattern. Firstly, a basic document, i.e. voucher, invoice or receipt, etc. is prepared. This is the first recognition of a transaction having taken place. Then an entry is made in a prime book of account, i.e. journal or daybook. Finally, a posting is made in the principal book, i.e. ledger. Thus, for each transaction, there is a 'visible trail', which the auditor can follow.

    Tell: Under the computerised system, the above order is not strictly followed. In a computerised system, the auditor may often find that the audit trail is mostly in machine-readable form. Also, it may exist only for a limited period of time.

    Tell: In many EDP systems, the results of processing may not be printed or may be printed in a summary form. The data may be retained on the files, which are readable only by the computer.

    Tell: In a computerised system, data and programs may be easily accessed and altered at the computer or through the use of remote terminals. Therefore, unless appropriate controls are instituted, there is an increased potential for unauthorized access to, and alteration of, data and programs.


    Tell: EDP systems are normally more reliable than manual systems, inasmuch as they perform functions exactly as programmed. On the other hand, a faulty computer program may consistently process transactions or other data erroneously.

    Tell: In a computerised system, many internal control procedures are incorporated in computer programs. These procedures can be designed to provide controls with limited visibility; for example, unauthorized access to data may be prevented by passwords.

    Large volumes of data and the computer programs may be stored on portable or fixed storage media such as magnetic tapes, disks, etc. These media are vulnerable to theft, loss, or intentional or accidental destruction.


    Tell: Code numbers are extensively used to represent names and descriptions in a computerised system. The auditor has to familiarise himself with such codes. This may create some problems, especially in the initial stages. The auditor may face another difficulty due to the fact that narratives may be totally absent in the computerised records. Thus, it may become difficult for him to understand the various transactions.

    Tell: It should be recognised that while computers can process information with incredible efficiency, they are also very vulnerable to frauds.

    Show slide

    Explain: Computer frauds can be divided into five general categories as below.

    1. Financial frauds, e.g. where fund transfers are made to the criminal's personal account.

    2. Property frauds, e.g. where false orders are placed on the computer for goods which are misappropriated.

    3. Information theft including unauthorised access to data base records and computer programs.

    4. Theft of services including unauthorised use of computer.

    5. Vandalism of equipment and destruction of records.

    Slide 8.1-6


    Tell: Five principal facets of computer operations have been found to be particularly vulnerable to manipulation.

    1. Data input, where false data is programmed into the system or the existing data removed.

    2. Programming, where theft, destruction or full or partial modification is possible.

    3. Central processing, where the system is exposed to wiretaps and interception of the data.

    4. Output, where theft of confidential data occurs.

    5. Communication of data to another computer or from computer to terminal.

    There is, therefore, a strong need for adequate controls in all these areas.

    Show slide

    Explain: Internal controls which are specific to an EDP environment include both manual procedures and procedures designed into computer programs. These manual and computer control procedures can be classified into (a) general EDP controls and (b) EDP application controls.

    Slide 8.1-7


    Tell: The purpose of general EDP controls is to establish a framework of overall control over EDP activities. General EDP controls pertain to division of duties, controls over development and maintenance of software, controls over computer operations, error routine, controls over stationery, data entry and program controls, file controls, and security and standby arrangements.

    Tell: The general EDP controls discussed above influence the overall EDP environment and, therefore, have an effect on all or most EDP applications. Besides these controls, it is also important to design and operate appropriate controls over each EDP application.

    Tell: All EDP applications can be divided into three stages: input, processing and output. It is necessary to institute appropriate controls at each of these stages.

    Tell: We have already discussed the main characteristics of an EDP environment that have a bearing on the work of an auditor. The various types of controls applicable in an EDP environment have also been discussed. Now, basic principles of auditing in an EDP environment, the approach to the audit of EDP-based accounts and some of the specific techniques of such audit will be dealt with.

    Show slide

    Explain: The basic principles governing an audit in an EDP environment are similar to those in a manual environment. However, some of the auditing procedures to be applied for complying with these basic principles are specific to the EDP environment.

    Slide 8.1-8


    Explain: It is a basic principle of auditing that an auditor should have adequate training, experience and competence in auditing. In the context of auditing in an EDP environment, this implies that the auditor should have sufficient understanding of computer hardware, software and processing systems to be able to plan the engagement and to understand how EDP affects the study and evaluation of internal control and the application of auditing procedures.

    Tell: As in the case of any other audit engagement, the auditor can delegate work to assistants or use work performed by other auditors or experts while auditing in an EDP environment. However, he should have sufficient understanding of EDP to direct, supervise and review the work of assistants who have EDP skills or to obtain reasonable assurance that the work performed by other auditors or experts with EDP skills is adequate for his purpose.

    Show slide

    Tell: In planning his audit, the auditor should gather sufficient & relevant information about the EDP environment, including the following:

    - The manner in which the EDP function is organised.

    - The computer hardware and software used by the entity.

    - Significant computer applications, the nature of processing, and policies regarding retention of data.

    - Plans regarding implementation of new applications or revisions to existing applications.

    Slide 8.1-10


    Show slide

    Tell: The computerisation of an accounting system does not change the overall objective and scope of audit. However, the use of a computer results in changes in the processing and storage of information and affects the organisation and procedures employed by the entity to achieve adequate internal control. Accordingly, the procedures followed by the auditor in his study and evaluation of the accounting system and related internal controls and the nature, timing and extent of his other audit procedures may be affected by an EDP environment.

    Tell: The special features of an EDP system make it necessary for the auditor to modify his compliance and substantive procedures for review of internal controls and examination of data. Due to the absence of audit trail and primary records, lack of visible output, and the use of accounting codes, etc. the auditor cannot carry out the traditional vouch-and-post audit of computerised records. He has to lay much more emphasis on the evaluation of internal control and on analytical review procedures and has also to change his verification programme in consonance with the manner in which the records are maintained.

    Slide 8.1-


    Distribute exercise 8.1.1, tell time allowed is 10 minutes

    Collect exercise after 10 minutes and distribute Solution

    Discuss the solution in full group

    Start the discussion again and tell:

    Computerised systems of accounting, however, also offer certain safeguards to the auditor. Firstly, if he is satisfied about the controls, the auditor can place a higher degree of reliance on the arithmetical accuracy of the accounts maintained; he need not conduct a detailed verification of the arithmetical accuracy of the records.

    Tell: Further, computerisation automatically implies a constant review of the systems to increase their efficiency in producing reliable data. As a result, the internal controls are normally better designed under computerised systems. Automatic checks are instituted and the responsibilities of various people are clearly stated. Systems analysis and methods study are conducted periodically. Consequently, the movement of papers is smoother and speedier.

    Tell: Computerisation of accounts, thus, presents special problems and opportunities for the auditor. Instituting special controls can mitigate the problems and the opportunities can be exploited by the auditor to make his audit programme more effective. As in the case of audit of accounts maintained manually, the audit of computerised accounts can be divided into two major phases:

    1. Review of internal controls; and

    2. Examination of records produced by the data processing system.

    Exercise 8.1.1

    Sol. to exercise 8.1.1


    Tell: The review of internal controls acquires special significance in an EDP environment. This is due to the limitations on the auditor's examination of computerised records arising out of many factors, e.g. absence of audit trail, lack of visible output.

    Tell: While well-defined internal controls ensure the arithmetical accuracy of records, weaknesses in the system may lead to frauds and errors.

    Tell: The auditor's review of internal controls involves ascertaining the system, testing compliance through the performance of compliance procedures, and finally, making an evaluation of the system as a basis for ascertaining the degree of reliance which he can place on the system in determining the nature, timing and extent of his substantive procedures.

    Tell: The auditor can perform tests of compliance by obtaining documentary evidence regarding the application of internal controls; he can also make verbal enquiries or actually observe the functioning of the controls. For example, the auditor may scrutinise the rejection records to check whether rejections were promptly dealt with and whether a periodic review was made of the contents of the suspense file.

    Tell: Apart from examination of documentary evidence, enquiry and observation procedures, the auditor may also use computer assisted audit techniques in performing compliance tests.

    Tell: Compliance tests as above enable the auditor to determine whether the controls on which he intends to rely were functioning properly throughout the period of intended reliance. Based on his judgment, the auditor determines the nature, timing and extent of his substantive procedures.


    Tell: Having determined the degree of his reliance on the internal control system, the next step for the auditor is to select and examine the records produced by the data processing system with a view to assessing their accuracy, validity and completeness. In doing so, the auditor has to deal with a problem peculiar to EDP systems, namely, lack of a complete and visible audit trail.

    Show slides

    Tell: The audit trail refers to the links by which an original transaction can be traced forward to its final output or whereby each item of the output can be traced back to the source documents. The vouchers, journal, ledger, and other books of account provide the links in the audit trail. These are important for an auditor since he can trace the final impact of all transactions on the financial statements only through such links. As discussed earlier, in manual accounting, the audit trail is clear.

    Tell: The introduction of electronic data processors affects the audit trail. There are direct input devices, which eliminate the source documents. Similarly, the processing references may be missing, making it difficult to observe the sequence of records and transactions. Hence, the auditor has to find out sufficient printed records, listings, etc. to reconstruct and follow the sequence of transactions.
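
The forward and backward tracing described above, as an added example that is not part of the original guide: Python code that rebuilds the voucher, journal and ledger links from machine-readable extracts and lists the breaks in the trail an auditor would follow up. The record layouts, field names and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample extracts; layouts and field names are assumptions.
VOUCHERS = {"V001": 500.00, "V002": 120.50, "V003": 40.00, "V004": 75.00}
JOURNAL = [  # (journal_seq, voucher_no or None, amount)
    (1, "V001", 500.00),
    (2, "V002", 120.50),
    (3, None, 980.00),    # direct on-line input, no source document
    (5, "V004", 75.00),   # sequence 4 is absent from the file
    (6, "V009", 60.00),   # cites a voucher that is not on file
]
LEDGER = [  # (journal_seq, account, amount)
    (1, "SALES", 500.00),
    (2, "SALES", 120.50),
    (3, "DISCOUNT", 980.00),
    (5, "SALES", 57.00),  # differs from the journal amount
    (7, "SALES", 10.00),  # no journal entry behind it
]


def trace_forward(voucher_no, journal=JOURNAL, ledger=LEDGER):
    """Follow one source document forward to its ledger postings."""
    return [(seq, [(acct, amt) for s, acct, amt in ledger if s == seq])
            for seq, vno, _ in journal if vno == voucher_no]


def trace_back(journal_seq, vouchers=VOUCHERS, journal=JOURNAL):
    """Follow a posting's journal reference back to a voucher on file."""
    for seq, vno, _ in journal:
        if seq == journal_seq:
            return vno if vno in vouchers else None
    return None  # the posting has no journal entry at all


def trail_exceptions(vouchers=VOUCHERS, journal=JOURNAL, ledger=LEDGER):
    """List every break in the voucher -> journal -> ledger links."""
    by_seq = {seq: (vno, amt) for seq, vno, amt in journal}
    posted = defaultdict(float)
    for seq, _acct, amt in ledger:
        posted[seq] += amt
    seqs = sorted(by_seq)
    journalised = {vno for vno, _ in by_seq.values()}
    return {
        # Entries with no source document, or citing one not on file.
        "no_source_document": [s for s in seqs if by_seq[s][0] not in vouchers],
        # Missing processing references: holes in the journal sequence.
        "sequence_gaps": sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)),
        # Journal entries that never reached the ledger.
        "unposted": [s for s in seqs if s not in posted],
        # Postings that cannot be traced back to any journal entry.
        "orphan_postings": sorted(s for s in posted if s not in by_seq),
        # Amount changed between journal and ledger.
        "amount_mismatch": [s for s in seqs if s in posted
                            and round(posted[s] - by_seq[s][1], 2) != 0],
        # Source documents on file that were never journalised.
        "unrecorded_vouchers": sorted(v for v in vouchers if v not in journalised),
    }


if __name__ == "__main__":
    for kind, items in trail_exceptions().items():
        print(f"{kind}: {items}")
```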

    Slide 8.1-11

    Slide 8.1-12, 13 and 14


    Tell: In many cases, special printouts may be specifically required to reconstruct the audit trail. This may, however, require retention of data in a machine-readable form for long periods. Alternatively, the printouts required for audit purposes may be prepared when the data are processed initially.

    Tell: The auditor may trace certain selected transactions from input documents to regular output statements or to error listings. The sampled items so traced provide evidence regarding the actual activities of the period. In this approach, the auditor does not make use of the computer in conducting audit tests. He merely traces the transactions from the original documents to the statements and compilations produced on the computer.

    Tell: Such an approach is useful in the case of computer systems, which perform relatively uncomplicated processing and produce detailed output. The auditor ensures that sufficient audit trail will be available to him so that he can conduct his tests in essentially the same manner as in the case of a traditional audit of manual accounting systems. This, however, may not always be the case.

    Distribute exercise 8.1.2, tell time allowed is 10 minutes

    Collect exercise after 10 minutes and distribute Solution

    Discuss the solution in full group

    Distribute: Case 8.1

    Explain the study for five minutes and give 40 minutes to solve it.

    Collect the answers, distribute the solution and discuss

    Exercise 8.1.2

    Sol. to exercise 8.1.2

    Case 8.1

    Solution Case 8.1

    Tell: In many cases, it may be impracticable for the auditor to perform tests of details of transactions manually, and he may have to use what are commonly known as 'computer-assisted audit techniques' (CAATs).

    Explain and discuss

    Tell: In an EDP environment, the auditor may perform his compliance procedures as well as tests of details of transactions with or without the help of the computer.

    Tell:


    Compliance tests of EDP controls; for example, the auditor may use test data to test the functioning of a programmed procedure.

    Tell: When an auditor uses CAATs, he should keep adequate working papers relating to the application of such techniques. The working papers should contain sufficient documentation to describe the CAAT application, such as:

    Planning

    - Objectives of CAAT.

    - Specific CAAT to be used.

    - Controls to be exercised.

    - Staffing, timing and cost

    Execution

    - CAAT preparation and testing procedures and controls.

    - Details of the tests performed by the CAAT.

    - Details of input, processing and output.

    - Relevant technical information about the entity's accounting system, such as computer file layouts.

    Audit Evidence

    - Output provided.

    - Description of the audit work performed on the output.

    - Audit conclusions.

    Other

    - Recommendations to entity management.

    Explain and discuss: Types, Advantages and Disadvantages of CAATs in various auditing situations

    Note 8.1


    Tell: We will now discuss one of the generalized audit software packages, IDEA. Our discussion will be focused on the following points:

    - IDEA: an introduction

    - Functions

    - Downloading of data

    - Use of IDEA

    To sum up

    It will be observed from the above discussion that the approach and techniques to be followed by an auditor in auditing EDP based information, e.g. accounts processed on computers, are in certain respects different from those to be followed in a manual environment, requiring more skills and knowledge. Audit risks are a fact; the following necessary preventive methods must be adopted to estimate and control risks effectively:

    - Reforming audit techniques and methodology,

    - Improving preliminary and follow-up audit on IT System,

    - Strengthening audit on internal controls and urging audited entities to establish and improve the internal control system in IT Environment,

    - Enhancing the training of auditors; and

    - Speeding up the development of audit software.

    - Better understanding of CAATs and use of IDEA software for data, analysis and sampling

    Slide 8.1-23, 24

    Slide 8.1-25, 26

    Slide 8.1-27, 28

    Slide 8.1-29 to 40
