Date post: | 12-Jan-2016 |
Upload: | brett-nicholson |
SECTION 8
Auditing Complex EDP Systems
• Computer used extensively
– simple batch processing
– complex on-line, real-time processing
• Computers affect two aspects of audit risk
– assessing control risk
– managing detection risk
Around vs. Through the Computer
• Around
– manually calculate INPUT and trace to OUTPUT
• Through
– test the controls in the computer
Impact of Computer Controls
• Change in the Audit Trail
– less documentation offset by programmed controls
– file storage reduces need for hard copy
– testing shift to examination of EDP controls
• Combination of Functions
– computer processing allows combining functions that are usually separate in manual systems
– e.g. input editing of a sales transaction
» customer number
» credit limit
» inventory number and price
Types of EDP Accounting Systems
• Batch Processing
– accumulated and processed in groups
– what is the main form of control?
– the main problem?
Batch Processing System
[Figure: flowchart. Elements: Input; Convert to machine readable form; T/A Tape; Compare Batch Total; Process Transactions; Old Master; New Master; Output]
• Real-Time Processing
– transactions are edited on-line as they occur
– continuous file updating
– more complex than batch
– how does this method affect the audit trail?
Batch Processing System
[Figure: flowchart. Elements: Input Terminal; Update; Master File 1; Master File 2; Master File 3]
Time Sharing and Service Bureaus
• Time sharing
– an entity processes data for itself and other entities
» i.e. shares its computer
• Service bureau
– process transactions for other entities
» i.e. this is their business
Separate Files vs. Integrated Data Base
• File System
– main characteristic?
• Data Base
– main characteristic?
Hardware Configurations
• Electronic Data Interchange (EDI)
– on-line format
– computer-to-computer exchange
– public standard format
» Accredited Standards Committee of the American National Standards Institute ANSI X12
Two methods for EDI
1. The Direct Approach
[Figure: Suppliers Computer; Manufacturers Computer]
2. The Indirect Approach
[Figure: Company Computer; Third Party Network; Customer 1; Customer 2; Customer 3]
• Small Computer Systems
– small firms
– low cost and advanced hardware
• Distributed Data Processing
– companies with branches and divisions
– geographic dispersion
A Distributed System
[Figure: Head Office Mainframe; Branch 1 Computer; Branch 2 Computer; Branch 3 Computer; Branch 4 Computer]
– Types of computers at the branches?
Kinds of EDP Controls
• Two main classifications
1. General controls
2. Application controls
General Controls
a. Organization and Operating Controls
– segregation of duties very important
[Figure: organization chart. Boxes: Chief Operating Officer; Director of MIS; EDP Manager; Systems Analysts; Programmers; Computer Operators; Data Control; Data Librarian; Input Preparation]
b. Systems Development & Documentation
– control over definition, design, development, testing, and documentation of systems
– once designed and developed, the system must be thoroughly tested
– systems and programs must be documented
1.
2.
3.
c. Access Controls
– prevents unauthorized use
– batch systems
» who controls access in this case?
– on-line systems
» primary control for access?
d. Data and Procedural Controls
– to control daily operations
– backup files on and off the premises
– environmental controls
Application Controls
– a separate set of controls for each application
– How are application controls classified?
a. Input Controls
– computer edit controls
– ensure completeness and accuracy of input
b. Process Controls
– concerned with data manipulation once it is in the computer
– what type of control can be used as a process control?
c. Output Controls
– verification and distribution of output
Techniques for Testing EDP-Based Controls
• Best to understand as a number of steps as shown in the following flowchart
[Figure: flowchart. Elements: Understand EDP Controls; Document Understanding; Assess Control Risk; decision "Test further" with YES and NO branches; Test Controls; Design Substantive Tests]
Gaining an Understanding of EDP Controls
Two main ways:
– observation and enquiry
– studying the system and program documentation
1. Observation and Enquiry
– should look for the following:
a Segregation of functions
b Control of access to files and programs
c Approval of new systems and programs
d Existence of hardware and environmental controls
e The functioning of data and procedural controls
f Backup files
2. Systems and Program Documentation
– Documentation is an integral part
– Should include
1.
2.
The Testing of EDP Controls
– Auditor should be able to identify those controls that are necessary for the effectiveness of the application
– by testing these controls, which component of audit risk may be reduced?
– Two ways to look at testing
1.
2.
1. Auditing Around the Computer
[Figure: flowchart. Elements: Client Input; CPU; Client Output; Client Input; Auditor Predetermines Output; Predetermined Output; Audit Comparison]
2. Auditing Through the Computer
[Figure: flowchart. Elements: Auditor Input; CPU; Output; Auditor Input; Auditor Predetermines Results; Predetermined Results; Comparison]
Techniques for Auditing Through the Computer
1. Test Data Approach
– simulated data
– of what should this data consist?
– main problems of this approach
1.
2.
2. Mini Company Approach
– also called the Integrated Test Facility
– a fictitious entity is created
– fictitious transactions are processed along with regular transactions
– any problems with this approach?
3. Simulation / Auditor’s Program Approach
– Auditor creates an application program that simulates the system
– uses client data as input
– potential uses of this approach
» sampling
» computations
» comparing
» summarizing
4. Generalized Audit Software
– most common type of audit software
– transportable from one client to another
– independent
– limited by the availability of the client's data files
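The test data approach applied to the sales input edit described earlier (customer number, credit limit, inventory number and price), as an added example that is not part of the original slides: each simulated transaction carries the result the auditor predetermined, and any difference after processing is an exception. The master data, transactions and function names are constructed for illustration, and the same deck is also run against an edit routine whose credit limit check is missing.

```python
# Added example; all master data, transactions and function names are constructed.
CREDIT_LIMITS = {"C100": 5000.00, "C200": 1000.00}  # customer number -> credit limit
PRICE_LIST = {"I-01": 25.00, "I-02": 400.00}        # inventory number -> unit price


def edit_sale(txn):
    """Stand-in for the client's programmed edit: return the list of rejection reasons."""
    errors = []
    limit = CREDIT_LIMITS.get(txn["customer"])
    price = PRICE_LIST.get(txn["item"])
    if limit is None:
        errors.append("unknown customer")
    if price is None:
        errors.append("unknown item")
    elif txn["price"] != price:
        errors.append("price mismatch")
    if limit is not None and txn["qty"] * txn["price"] > limit:
        errors.append("over credit limit")
    return errors


def edit_without_credit_check(txn):
    """Same edit with the credit limit control missing (a control weakness to detect)."""
    return [e for e in edit_sale(txn) if e != "over credit limit"]


# Test deck: simulated transactions, each paired with the predetermined result.
TEST_DECK = [
    ({"customer": "C100", "item": "I-01", "qty": 10, "price": 25.00}, []),
    ({"customer": "C999", "item": "I-01", "qty": 1, "price": 25.00}, ["unknown customer"]),
    ({"customer": "C100", "item": "I-77", "qty": 1, "price": 9.99}, ["unknown item"]),
    ({"customer": "C100", "item": "I-02", "qty": 1, "price": 40.00}, ["price mismatch"]),
    ({"customer": "C200", "item": "I-02", "qty": 3, "price": 400.00}, ["over credit limit"]),
]


def run_test_deck(deck, edit=edit_sale):
    """Process the deck; return (transaction, predetermined, actual) where they differ."""
    exceptions = []
    for txn, expected in deck:
        actual = edit(txn)
        if actual != expected:
            exceptions.append((txn, expected, actual))
    return exceptions


if __name__ == "__main__":
    print("edit as designed:", run_test_deck(TEST_DECK))
    print("credit check missing:", run_test_deck(TEST_DECK, edit_without_credit_check))
```

An empty exception list supports reliance on the programmed edit only for the conditions the deck contains; a condition with no test transaction is not tested.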
Small Computer Systems
• Widespread
• Weaknesses in General Controls
1. Lack of segregation of duties
2. Location of the computer
3. Limited Knowledge of EDP
• Special Consideration for Application Controls
1. Data Entry
2. Data processing
3. Absence of Limit and Reasonableness Tests
• Study and Evaluation of Internal Control
– The effect of computer size on the auditor
– General controls are often weak
– More reliance on application controls
– If application controls and any manual controls are not reliable, what should the auditor do with regard to testing?