Audit in CIS Environment


Upload: longix

Post on 22-Oct-2014


Module 7: Computer auditing

Overview

In this module, you learn about the effects that computer processing has on both the control environment and the audit of financial systems. You also learn about the approaches to auditing computerized systems and the ways to use computers for an audit.

When you have worked through the module, you should have a thorough understanding of the audit implications of a computer-based system for a company’s internal controls. Throughout the module, you apply what you have learned to scenarios involving a company planning to computerize its accounting systems.

Assignment reminder: Assignment 2 is due this week (see the Course Schedule). Be sure to allocate time to complete and submit the assignment by the deadline.

Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives

7.1 Company operations and computer systems
Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach. (Level 1)

7.2 Major elements in today’s computer environment
Describe the major elements of audit significance in today’s computer environment. (Level 2)

7.3 Audit implications: Internal control processes
Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

7.4 Audit implications: System access and design
Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

7.5 General controls and application controls
Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

7.6 Audit implications of electronic commerce
Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

7.7 Auditing computerized systems — General considerations
Explain how an audit is conducted in a computer environment. (Level 1)

7.8 General strategy in auditing computerized systems
Identify the phases of auditing a computerized accounting system. (Level 1)

7.9 Internal control considerations in personal computer, online, and database environments
Identify internal control considerations in personal computer, online, and database environments. (Level 1)

7.10 Approaches to auditing computerized systems
Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

7.11 Approaches to auditing through the computer
Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

7.12 Computer-aided auditing
Identify ways to use computers in conducting an audit. (Level 1)

Module summary

file:///F|/Courses/2010-11/CGA/AU1/06course/m07intro.htm (1 of 2) [04/10/2010 3:16:41 PM]

7.1 Company operations and computer systems

Learning objective

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach. (Level 1)

Required reading

Chapter 7, pages 231, 234, and 251–252
Chapter 9, Appendix 9A, pages 1–4 (available online)
Chapter 9, pages 339-344
CAS 315 Appendix 1 (CICA Handbook section 5141, Appendix B) (section titled Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication) and CAS 315.A53–A59
Reading 7-1: AuG-6, Auditing in an EDP environment, Sections 1–3

LEVEL 1

Computerization of accounting systems has some major effects on a company’s operations. Understanding these effects will help you understand the audit implications better. Read CAS 315 Appendix 1 (CICA Handbook section 5141, Appendix B), the section entitled “Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication,” which provides an overview of how the client’s information system correlates with the management assertion, audit objectives, and the functions of the information system.

Scenario 7.1-1: TRP Inc.

Teresa is the Director of Finance for TRP Inc. As part of the business planning for the following year, the Chief Financial Officer (CFO) has tabled a project to computerize TRP’s accounting systems. Teresa has been assigned the task of identifying and analyzing the major effects of this project on the company’s organizational structure and data processing. As TRP Inc.’s auditor, you must help Teresa gather information for the project. What information will Teresa need to have?

Hint: Start by organizing the information into three categories:

Effect (or impact)
Risk
Management responsibility

Solution

Transaction processes

Another effect of computerization is dramatic changes in transaction processes. On pages 344 to 345, the text describes the control benefits and control risks of IT systems. Topic 7.3, which covers the control environment in computer-based systems, looks at the implications of these characteristics in more detail.

Auditing approach

Computerization also causes changes in the approach to auditing. Read Sections 1–3 of Reading 7-1 (CGA Auditing Guideline No. 6) for an overview of computer environment issues, and as you read, think about how a computer environment will affect internal controls and the audit.

Scenario 7.1-2: TRP Inc.

In this topic, you learned about the impact of computerization on a company’s operations. If you were the auditor assigned to audit TRP Inc., what changes would you make in your approach to the audit?

Solution

7.2 Major elements in today’s computer environment

Learning objective

Describe the major elements of audit significance in today’s computer environment. (Level 2)

Required reading

Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10

LEVEL 2

Be aware of major elements in today’s computer environment. You have already studied basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent.

The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in Section 9 of CGA AuG-6 (Reading 7-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5.

Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems.

Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now many companies use computer networks.

The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could change the programs used to process the company’s data. Now, each employee with access to a computer could also have access to the software that runs on that computer and could alter it unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information.

However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator.

The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.

Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may intentionally or unintentionally wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor’s ability to obtain evidence if no paper-based source documents are used? What checks and controls can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor’s work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and lack of human intervention, resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.

7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 5–6
CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063)
Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls. Some differences — for example, the centralization of processing — may be a mixed blessing.

Reading 7-1, Section 4, provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor’s risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization’s operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

data control
data entry
computer operation
data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1

In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.

Audit trail documents, such as ledgers, reports, and records, are not available except for machine-readable documents.

Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case, no hard copy purchase order would exist. The internal accounting, preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer’s account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.

7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–18
Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example: anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols; individuals within a company may be able to access that company’s system, or parts of it, without authorization; and “hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

password controls
physical restrictions to computer equipment
activity logs regarding all access and attempted access to data files or programs
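
One way an auditor could test the activity-log control listed above, as an added example that is not part of the course material: the log is compared with the segregation of functions from Topic 7.3, and repeated denied attempts are reported. The log layout, user names, authorization matrix and threshold are constructed assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed authorization matrix: the (action, object class) pairs each function needs.
ALLOWED = {
    "data_control": {("read", "transaction_file"), ("read", "control_report")},
    "data_entry": {("write", "transaction_file")},
    "operator": {("run", "production_program"), ("read", "master_file")},
    "librarian": {("read", "production_program"), ("write", "production_program")},
    "programmer": {("read", "test_program"), ("write", "test_program")},
}
DENIED_THRESHOLD = 3  # assumed: this many denied attempts by one user is reported

# Constructed activity log covering both access and attempted access.
SAMPLE_LOG = """\
time,user,function,action,object_class,result
2010-10-04T09:01,amy,data_entry,write,transaction_file,ok
2010-10-04T09:15,raj,programmer,write,production_program,ok
2010-10-04T09:20,lee,operator,run,production_program,ok
2010-10-04T22:40,amy,data_entry,write,master_file,denied
2010-10-04T22:41,amy,data_entry,write,master_file,denied
2010-10-04T22:43,amy,data_entry,write,master_file,denied
2010-10-04T23:05,lee,operator,write,master_file,ok
2010-10-05T08:00,kim,librarian,write,production_program,ok
"""


def review_activity_log(log_text):
    """Return (kind, user, detail) tuples for entries an auditor should follow up."""
    exceptions = []
    denied = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        user = row["user"]
        if row["result"] == "denied":
            # The access control worked; count the attempt and move on.
            denied[user] += 1
            continue
        allowed = ALLOWED.get(row["function"])
        if allowed is None:
            exceptions.append(("unknown_function", user,
                               f'{row["time"]} {row["function"]}'))
        elif (row["action"], row["object_class"]) not in allowed:
            # Access succeeded although the function does not need it:
            # the access control itself is too permissive.
            exceptions.append(("outside_function", user,
                               f'{row["time"]} {row["action"]} {row["object_class"]}'))
    for user, count in denied.items():
        if count >= DENIED_THRESHOLD:
            exceptions.append(("repeated_denied", user, f"{count} denied attempts"))
    return exceptions


if __name__ == "__main__":
    for kind, user, detail in review_activity_log(SAMPLE_LOG):
        print(f"{kind:17} {user:5} {detail}")
```

The two "outside_function" entries are the more serious findings: a programmer changing a production program and an operator writing to a master file both succeeded, so the segregation of duties exists on paper only.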

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2,045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2,000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.

Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.

7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

Chapter 7, pages 253–254
Chapter 9, Appendix 9A, pages 6–15
CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram

General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes, but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution
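
An added example, not part of the course material: the furniture polish sale from Example 7.4-1 and the 1000-hour timesheet from Scenario 7.5-1, run through programmed input edit checks of the kind this topic calls application controls. The product master, price ranges, department limit and review threshold are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed product master: every item carries its own plausible unit-price range.
PRODUCT_MASTER = {
    "2045": ("furniture polish", Decimal("3.00"), Decimal("15.00")),
    "7310": ("dining table", Decimal("400.00"), Decimal("3500.00")),
}
DEPARTMENT_LIMIT = Decimal("5000.00")  # assumed value for the "quite high" limit
HOURS_IN_WEEK = Decimal("168")         # physical upper bound on weekly hours
REVIEW_HOURS = Decimal("60")           # assumed threshold for supervisor review


@dataclass(frozen=True)
class Finding:
    control: str  # which edit check fired
    action: str   # "reject" or "review"
    detail: str


def _parse_amount(text):
    """Return a Decimal, or None when the keyed field is not a finite number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def limit_check_only(keyed_price):
    """The design in Example 7.4-1: a single department-wide limit check."""
    price = _parse_amount(keyed_price)
    if price is None:
        return [Finding("format", "reject", "price is not numeric")]
    if price > DEPARTMENT_LIMIT:
        return [Finding("limit", "reject", f"{price} exceeds {DEPARTMENT_LIMIT}")]
    return []


def check_sale_line(product_code, keyed_price):
    """Limit check plus per-product reasonableness and field-swap checks."""
    item = PRODUCT_MASTER.get(product_code)
    if item is None:
        return [Finding("validity", "reject", f"unknown product code {product_code}")]
    findings = limit_check_only(keyed_price)
    price = _parse_amount(keyed_price)
    if price is None:
        return findings
    name, low, high = item
    if not low <= price <= high:
        findings.append(Finding("reasonableness", "review",
                                f"{name} keyed at {price}, expected {low} to {high}"))
    if product_code.isdigit() and price == Decimal(product_code):
        findings.append(Finding("field-swap", "reject",
                                "price equals the product code; re-key the line"))
    return findings


def check_timesheet(weekly_hours):
    """Reasonableness check on hours recorded for one employee in one week."""
    hours = _parse_amount(weekly_hours)
    if hours is None:
        return [Finding("format", "reject", "hours are not numeric")]
    if hours < 0 or hours > HOURS_IN_WEEK:
        return [Finding("reasonableness", "reject",
                        f"{hours} hours cannot occur in one week")]
    if hours > REVIEW_HOURS:
        return [Finding("reasonableness", "review",
                        f"{hours} hours needs supervisor approval")]
    return []


if __name__ == "__main__":
    print("limit check only:", limit_check_only("2045"))
    for finding in check_sale_line("2045", "2045") + check_timesheet("1000"):
        print(finding)
```

The same amount keyed against the dining table passes every check, which is why the range has to come from the product record rather than from one department-wide limit.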

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution

7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E; Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.

Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company, by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more, websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

digital certificates, for authentication and non-repudiation; secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP), for privacy; access control lists, for authentication; and firewalls, a part of the organization's overall security plan.

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19; Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

segregation of duties; physical security of the microcomputer and its files; computer knowledge; reliable hardware and software; and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach

Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1: AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
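The test data approach and parallel simulation described in this topic can be compared on one small program. The Python sketch below is an added illustration, not part of the course material: the stand-in client payroll routine, its seeded defect, the 80-hour limit check, the overtime rule and every record are constructed for the example.

```python
from decimal import Decimal

# Assumed pay rules for this illustration (not taken from the course material).
MAX_WEEKLY_HOURS = Decimal("80")    # programmed limit check on input
OVERTIME_AFTER = Decimal("40")
OVERTIME_FACTOR = Decimal("1.5")
CENT = Decimal("0.01")


def client_payroll(record):
    """Hypothetical stand-in for the client's program (or a copy of it).

    Returns (status, gross). Seeded defect: hours above 60 are silently
    capped at 60 before pay is computed.
    """
    hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    if not Decimal("0") <= hours <= MAX_WEEKLY_HOURS:
        return ("REJECTED", None)           # input control: limit check
    if hours > 60:
        hours = Decimal("60")               # the seeded processing defect
    regular = min(hours, OVERTIME_AFTER)
    gross = regular * rate + (hours - regular) * rate * OVERTIME_FACTOR
    return ("PAID", gross.quantize(CENT))


def auditor_payroll(record):
    """Auditor's own program: an independent recomputation of the same rules."""
    hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    if hours < 0 or hours > MAX_WEEKLY_HOURS:
        return ("REJECTED", None)
    overtime = max(hours - OVERTIME_AFTER, Decimal("0"))
    gross = rate * (hours - overtime) + rate * OVERTIME_FACTOR * overtime
    return ("PAID", gross.quantize(CENT))


def run_test_data(program, deck):
    """Test data approach: process simulated records through the program
    and list every case whose output differs from the predetermined result."""
    exceptions = []
    for case in deck:
        actual = program(case)
        if actual != case["expected"]:
            exceptions.append((case["id"], case["expected"], actual))
    return exceptions


def parallel_simulation(client_program, auditor_program, records):
    """Parallel simulation: process the client's data with the auditor's
    program and list every record where the two outputs disagree."""
    exceptions = []
    for rec in records:
        client_out, auditor_out = client_program(rec), auditor_program(rec)
        if client_out != auditor_out:
            exceptions.append((rec["id"], client_out, auditor_out))
    return exceptions


# Constructed test deck with predetermined results. It covers regular pay,
# overtime and the limit check, but has no case between 60 and 80 hours.
TEST_DECK = [
    {"id": "T1", "hours": "40", "rate": "20.00",
     "expected": ("PAID", Decimal("800.00"))},
    {"id": "T2", "hours": "45", "rate": "20.00",
     "expected": ("PAID", Decimal("950.00"))},
    {"id": "T3", "hours": "1000", "rate": "20.00",
     "expected": ("REJECTED", None)},
    {"id": "T4", "hours": "-5", "rate": "20.00",
     "expected": ("REJECTED", None)},
]

# Constructed records standing in for the client's data for the period.
CLIENT_RECORDS = [
    {"id": "E100", "hours": "38", "rate": "18.50"},
    {"id": "E101", "hours": "52", "rate": "22.00"},
    {"id": "E102", "hours": "72", "rate": "25.00"},
    {"id": "E103", "hours": "40", "rate": "30.00"},
]

if __name__ == "__main__":
    print("Test data exceptions:", run_test_data(client_payroll, TEST_DECK))
    print("Parallel simulation exceptions:",
          parallel_simulation(client_payroll, auditor_payroll, CLIENT_RECORDS))
```

The test deck passes without exceptions because none of its cases exercises the defect, while the parallel simulation over the client's records reports E102, a transaction type the test data did not include.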


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations, such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff, but also various sources of information, can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions; documentation of transactions; controls over online authorizations; and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software, such as Excel; pre-built spreadsheet templates; special-use software, such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 3.3 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
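The conversion tests described in this solution and in the Scenario 7.5-2 solution (balances carried forward, completeness, accuracy, cut-off) can be run over extracts from both systems. The sketch below is an added example, not part of the course material; the account numbers, amounts, transaction identifiers, changeover date and the rule that the old system should hold nothing dated on or after the changeover are all constructed assumptions.

```python
from datetime import date
from decimal import Decimal


def reconcile_balances(old_closing: dict, new_opening: dict) -> dict:
    """Completeness and accuracy of balances carried forward, account by account."""
    changed = {acct: (old_closing[acct], new_opening[acct])
               for acct in old_closing.keys() & new_opening.keys()
               if old_closing[acct] != new_opening[acct]}
    return {
        "record counts": (len(old_closing), len(new_opening)),
        "control totals": (sum(old_closing.values(), Decimal("0")),
                           sum(new_opening.values(), Decimal("0"))),
        "dropped": sorted(old_closing.keys() - new_opening.keys()),
        "unexpected": sorted(new_opening.keys() - old_closing.keys()),
        "changed": changed,
    }


def cutoff_exceptions(old_txns: list, new_txns: list, cutover: date) -> dict:
    """Transactions on the wrong side of the changeover, or posted in both systems.

    Each transaction is a (transaction id, posting date, amount) tuple.
    """
    old_ids = {t[0] for t in old_txns}
    return {
        "old system on/after cutover": sorted(t[0] for t in old_txns if t[1] >= cutover),
        "new system before cutover": sorted(t[0] for t in new_txns if t[1] < cutover),
        "posted in both": sorted(t[0] for t in new_txns if t[0] in old_ids),
    }


# Constructed extracts. The old trial balance nets to zero; in the new system one
# account is missing, one balance has transposed digits, and one account is new.
CUTOVER = date(2010, 7, 1)
OLD_CLOSING = {"1000": Decimal("15200.00"), "1100": Decimal("48310.55"),
               "2000": Decimal("-22150.00"), "3000": Decimal("-41360.55")}
NEW_OPENING = {"1000": Decimal("15200.00"), "1100": Decimal("48130.55"),
               "3000": Decimal("-41360.55"), "9999": Decimal("0.00")}
OLD_TXNS = [("INV-0981", date(2010, 6, 30), Decimal("310.00")),
            ("INV-0982", date(2010, 7, 2), Decimal("125.00"))]
NEW_TXNS = [("INV-0979", date(2010, 6, 29), Decimal("80.00")),
            ("INV-0982", date(2010, 7, 2), Decimal("125.00")),
            ("INV-0983", date(2010, 7, 3), Decimal("64.50"))]

if __name__ == "__main__":
    for name, value in reconcile_balances(OLD_CLOSING, NEW_OPENING).items():
        print(name, value)
    for name, value in cutoff_exceptions(OLD_TXNS, NEW_TXNS, CUTOVER).items():
        print(name, value)
```

Matching record counts alone would pass this conversion (four accounts on each side); it is the control totals and the account-by-account comparison that expose the dropped and altered balances.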

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
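To show how the input controls listed above work together on one batch, here is an added example (not part of the course material) that edits a keyed payroll batch against its batch header. The field names, the hour and pay limits, and the use of the Luhn mod-10 scheme for the check digit are assumptions; the data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed limits for the limit/reasonableness test (not from the course text).
MAX_WEEKLY_HOURS = Decimal("60")
MAX_GROSS_PAY = Decimal("5000.00")

@dataclass(frozen=True)
class BatchHeader:  # control figures taken from the source documents before entry
    first_doc_no: int
    record_count: int
    financial_total: Decimal  # sum of gross pay
    hash_total: int           # sum of employee numbers; meaningful only as a control

@dataclass(frozen=True)
class Entry:  # one keyed transaction; fields stay as strings, exactly as typed
    doc_no: int
    employee_id: str
    hours: str
    gross_pay: str

def check_digit_ok(number: str) -> bool:
    """Luhn mod-10 test (assumed scheme); the last digit is the check digit."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def to_amount(text: str):
    """Valid character test for a numeric field: a finite Decimal, or None."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None

def edit_entry(e: Entry) -> list:
    """Field-level edits; returns the names of the tests the entry failed."""
    failed = []
    hours, gross = to_amount(e.hours), to_amount(e.gross_pay)
    id_numeric = e.employee_id.isascii() and e.employee_id.isdigit()
    if not (e.employee_id and e.hours and e.gross_pay):
        failed.append("missing data")
    if ((e.employee_id and not id_numeric) or (e.hours and hours is None)
            or (e.gross_pay and gross is None)):
        failed.append("valid character")
    if id_numeric and not check_digit_ok(e.employee_id):
        failed.append("check digit")
    if any(v is not None and v <= 0 for v in (hours, gross)):
        failed.append("valid sign")
    if ((hours is not None and hours > MAX_WEEKLY_HOURS)
            or (gross is not None and gross > MAX_GROSS_PAY)):
        failed.append("limit/reasonableness")
    return failed

def edit_batch(header: BatchHeader, entries: list) -> dict:
    """Batch-level controls, plus the rejects held for correction and resubmission."""
    rejected = [(e.doc_no, edit_entry(e)) for e in entries if edit_entry(e)]
    amounts = [to_amount(e.gross_pay) for e in entries]
    financial_total = sum((a for a in amounts if a is not None), Decimal("0"))
    hash_total = sum(int(e.employee_id) for e in entries
                     if e.employee_id.isascii() and e.employee_id.isdigit())
    seen = [e.doc_no for e in entries]
    expected = range(header.first_doc_no, header.first_doc_no + header.record_count)
    sequence = {
        "missing": [n for n in expected if n not in seen],
        "duplicate": sorted({n for n in seen if seen.count(n) > 1}),
        "unexpected": sorted({n for n in seen if n not in expected}),
    }
    differences = {}  # control name -> (figure from header, figure from keyed batch)
    if len(entries) != header.record_count:
        differences["record count"] = (header.record_count, len(entries))
    if financial_total != header.financial_total:
        differences["batch financial total"] = (header.financial_total, financial_total)
    if hash_total != header.hash_total:
        differences["batch hash total"] = (header.hash_total, hash_total)
    if any(sequence.values()):
        differences["sequence"] = sequence
    return {"accepted": not differences and not rejected,
            "differences": differences, "rejected": rejected}

# Constructed sample: header totals come from source documents 501-505; the keyed
# batch drops 504, transposes an employee number, adds a zero, and omits hours.
HEADER = BatchHeader(501, 5, Decimal("6150.00"), 502261)
KEYED_BATCH = [
    Entry(501, "100255", "40", "1200.00"),
    Entry(502, "100313", "38", "11400.00"),
    Entry(503, "100749", "40", "1300.00"),
    Entry(505, "100628", "", "1200.00"),
]

if __name__ == "__main__":
    print(edit_batch(HEADER, KEYED_BATCH))
```

The hash total catches the transposed employee number even though the amount on that record is correct, which is why it is kept alongside the financial total rather than instead of it.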

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

7.9 Internal control considerations in personal computer, online, and database environments
Identify internal control considerations in personal computer, online, and database environments. (Level 1)

7.10 Approaches to auditing computerized systems
Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

7.11 Approaches to auditing through the computer
Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

7.12 Computer-aided auditing
Identify ways to use computers in conducting an audit. (Level 1)

Module summary

7.1 Company operations and computer systems

Learning objective

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach. (Level 1)

Required reading

• Chapter 7, pages 231, 234, and 251–252
• Chapter 9, Appendix 9A, pages 1–4 (available online)
• Chapter 9, pages 339-344
• CAS 315 Appendix 1 (CICA Handbook section 5141 Appendix B) (section titled “Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication”) and CAS 315.A53–A59
• Reading 7-1, AuG-6: Auditing in an EDP environment, Sections 1–3

LEVEL 1

Computerization of accounting systems has some major effects on a company’s operations. Understanding these effects will help you understand the audit implications better. Read CAS 315 Appendix 1 (CICA Handbook section 5141 Appendix B), the section entitled “Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication,” which provides an overview of how the client’s information system correlates with the management assertion, audit objectives, and the functions of the information system.

Scenario 7.1-1: TRP Inc.

Teresa is the Director of Finance for TRP Inc. As part of the business planning for the following year, the Chief Financial Officer (CFO) has tabled a project to computerize TRP’s accounting systems. Teresa has been assigned the task of identifying and analyzing the major effects of this project on the company’s organizational structure and data processing. As TRP Inc.’s auditor, you must help Teresa gather information for the project. What information will Teresa need to have?

Hint: Start by organizing the information into three categories:

• Effect (or impact)
• Risk
• Management responsibility

Solution

Transaction processes

Another effect of computerization is dramatic changes in transaction processes. On pages 344 to 345, the text describes the control benefits and control risks of IT systems. Topic 7.3, which covers the control environment in computer-based systems, looks at the implications of these characteristics in more detail.

Auditing approach

Computerization also causes changes in the approach to auditing. Read Sections 1–3 of Reading 7-1 (CGA Auditing Guideline No. 6) for an overview of computer environment issues, and as you read, think about how a computer environment will affect internal controls and the audit.

Scenario 7.1-2: TRP Inc.

In this topic, you learned about the impact of computerization on a company’s operations. If you were the auditor assigned to audit TRP Inc., what changes would you make in your approach to the audit?

Solution

7.2 Major elements in today’s computer environment

Learning objective

Describe the major elements of audit significance in today’s computer environment. (Level 2)

Required reading

• Reading 7-1, AuG-6: Auditing in an EDP Environment, Sections 9 and 10

LEVEL 2

Be aware of major elements in today’s computer environment. You have already studied basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent.

The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in Section 9 of CGA AuG-6 (Reading 7-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5.

Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems.

Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now many companies use computer networks.

The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This in turn increases the amount of work an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could change the programs used to process the company’s data. Now each employee with access to a computer could also have access to the software that runs on that computer and could alter it unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information.

However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator.

The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.

Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may, intentionally or unintentionally, wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor’s ability to obtain evidence if no paper-based source documents are used? What checks and control can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor’s work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and lack of human intervention, resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.

73 Audit implications Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a companyrsquos internal control as it relates to the organizational structure and the processing of transactions (Level 1)

Required reading

Chapter 9 Appendix 9A pages 5ndash6 CAS 315A49ndashA55 (CICA Handbook paragraphs 5141057ndash063) Reading 7-1 AuG-6 Auditing in an EDP environment Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems however their evaluation is different The auditor must be aware of the differences between the two systems certain differences may result in improved controls while other differences may result in reduced controls Some differences mdash for example the centralization of processing mdash may be a mixed blessing

Reading 7-1 Section 4 provides a perspective for assessing risk and internal control in a computer processing environment The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified Read paragraph 42 of Reading 7-1 to become familiar with all the characteristics that have internal control implications In this topic you look at the organizational structure required to manage the computer system the nature of transaction processing and the effect on auditing Review CAS 315A49ndashA55 (CICA Handbook paragraphs 5141057ndash063) which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditorrsquos risk assessment

Topic 74 describes audit implications of computerized systems related to system access and design and backup and recovery procedures The guidelines deal with internal controls over computer activities they do not describe computer processing as part of internal controls over an organizationrsquos operations By themselves computer-based systems are tools they are not policies and procedures The following sections describe the more important implications of simple computer-based systems on internal controls

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

- data control
- data entry
- computer operation
- data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1

In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

- Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
- Audit trail documents such as ledgers, reports, and records are not available, except for machine-readable documents.
- Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer’s account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.

7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

- Chapter 9, Appendix 9A, pages 15–18
- Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example:

- Anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols.
- Individuals within a company may be able to access that company’s system, or parts of it, without authorization.
- “Hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

- password controls
- physical restrictions to computer equipment
- activity logs regarding all access and attempted access to data, files, or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.

Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
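The following added example (not part of the course material) shows a programmed reasonableness test of a price next to the flat limit check from Example 7.4-1. The product master, list prices, department limit, and tolerance are constructed sample values, and the function names are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data: product codes, list prices, limit and tolerance are
# assumptions made for this example, not values from the course text.
PRODUCT_MASTER = {
    "2045": Decimal("8.99"),      # furniture polish
    "7710": Decimal("1899.00"),   # dining table
}
DEPARTMENT_LIMIT = Decimal("5000.00")  # flat limit sized for furniture prices
PRICE_TOLERANCE = Decimal("0.25")      # accepted deviation from list price


@dataclass
class SaleLine:
    product_code: str
    quantity: int
    unit_price: Decimal


def limit_check(line: SaleLine) -> bool:
    """Flat limit check: the only test the system in the example performed."""
    return line.quantity * line.unit_price <= DEPARTMENT_LIMIT


def reasonableness_check(line: SaleLine) -> list[str]:
    """Return the reasons a line looks unreasonable; empty list means it passes."""
    list_price = PRODUCT_MASTER.get(line.product_code)
    if list_price is None:
        return ["unknown product code"]
    reasons = []
    if line.quantity <= 0:
        reasons.append("quantity must be positive")
    low = list_price * (1 - PRICE_TOLERANCE)
    high = list_price * (1 + PRICE_TOLERANCE)
    if not low <= line.unit_price <= high:
        reasons.append(
            f"unit price {line.unit_price} outside {low:.2f} to {high:.2f}"
        )
    # Keying error from the example: the product code typed into the price field.
    is_whole = line.unit_price == line.unit_price.to_integral_value()
    if is_whole and str(int(line.unit_price)) == line.product_code:
        reasons.append("unit price equals product code")
    return reasons


def process_sale(line: SaleLine) -> dict:
    """Post the line only if it passes; otherwise hold it for supervisor review."""
    reasons = reasonableness_check(line)
    if not limit_check(line):
        reasons.append("amount exceeds department limit")
    return {"status": "held" if reasons else "posted", "reasons": reasons}


if __name__ == "__main__":
    keyed_wrong = SaleLine("2045", 1, Decimal("2045"))
    print("limit check alone passes:", limit_check(keyed_wrong))
    print(process_sale(keyed_wrong))
    print(process_sale(SaleLine("7710", 1, Decimal("1899.00"))))
```

The mis-keyed line passes the flat limit check but is held by the reasonableness test, which is the gap between arithmetic accuracy and reasonableness that the paragraph describes.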

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.

7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

- Chapter 7, pages 253–254
- Chapter 9, Appendix 9A, pages 6–15
- CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
- Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram

General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution

7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

- Chapter 7, Appendix 7E
- Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

- The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.
- Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
- A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

- digital certificates for authentication and non-repudiation
- secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
- access control lists for authentication
- firewalls, a part of organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution

7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.

7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

- Chapter 9, Appendix 9A, pages 3–4
- CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)
- Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.

7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

- Chapter 9, Appendix 9A, pages 15–19
- Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

- segregation of duties
- physical security of the microcomputer and its files
- computer knowledge
- reliable hardware and software
- documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

- Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
- Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

- Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
- Auditing through the computer: Sophisticated method and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

- Auditing around the computer: Requires sufficient audit trail of visible evidence.
- Auditing through the computer: This method must be used if any one of the following exists:
  - The presence of large volumes of input/output means that direct examination of the records is difficult.
  - Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
  - System is complex and includes key parts of the accounting system.

Approaches

- Auditing around the computer: Bypasses the computer (auditing without the computer).
- Auditing through the computer: Two main approaches:
  1. Test data
  2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

- Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22
- Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

- Test data approach
- Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

- Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
- Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

- Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
- Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.
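As an added illustration (not from the course text or Appendix 9A), the sketch below runs a parallel simulation over a constructed sales commission file: the auditor's own program recomputes each commission from the client's data, foots the client's column against the reported total, and lists the records where the two programs disagree. The commission policy, file layout, amounts, and function names are assumptions made for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's commission file for the period:
# (sale id, sales rep, sale amount, commission paid by the client's system).
CLIENT_FILE = [
    ("S-1001", "R01", Decimal("12000.00"), Decimal("600.00")),
    ("S-1002", "R02", Decimal("48000.00"), Decimal("2400.00")),
    ("S-1003", "R01", Decimal("75000.00"), Decimal("5250.00")),
    ("S-1004", "R03", Decimal("50000.00"), Decimal("3500.00")),
    ("S-1005", "R02", Decimal("3100.00"), Decimal("155.00")),
]
CLIENT_REPORTED_TOTAL = Decimal("11905.00")  # total on the client's report

# Commission policy as documented by the client (assumed for this example):
# 5% on sales up to and including 50,000; 7% on sales above 50,000.
THRESHOLD = Decimal("50000.00")
LOW_RATE, HIGH_RATE = Decimal("0.05"), Decimal("0.07")
CENT = Decimal("0.01")


def auditor_commission(sale_amount: Decimal) -> Decimal:
    """Auditor's independent implementation of the documented policy."""
    rate = HIGH_RATE if sale_amount > THRESHOLD else LOW_RATE
    return (sale_amount * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_file, reported_total: Decimal) -> dict:
    """Reprocess every client record and compare with the client's output."""
    client_total = Decimal("0")
    auditor_total = Decimal("0")
    exceptions = []
    for sale_id, _rep, amount, client_paid in client_file:
        expected = auditor_commission(amount)
        client_total += client_paid
        auditor_total += expected
        if client_paid != expected:
            exceptions.append((sale_id, client_paid, expected))
    return {
        "record_count": len(client_file),
        # Footing: does the detail file add up to the reported total?
        "footing_agrees": client_total == reported_total,
        "client_total": client_total,
        "auditor_total": auditor_total,
        "difference": client_total - auditor_total,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_FILE, CLIENT_REPORTED_TOTAL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this constructed file the client's detail foots to its report, so the totals alone look clean; only the record-by-record comparison exposes the sale at exactly the threshold that the client's program paid at the higher rate.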

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations, such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
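The conversion test described in Solution 3 (and in the Scenario 7.5-2 solution) can be run as a file-matching procedure. The sketch below is an added example, not part of the course material; the account ids, balances and extract layout are constructed assumptions. It shows a case where record counts and control totals both agree, yet record-by-record matching still finds a dropped account, an account with no source record, and an altered balance.

```python
from decimal import Decimal

# Constructed extracts (assumed layout): account id -> balance.
# OLD_SYSTEM is the closing position at the changeover date,
# NEW_SYSTEM is the opening position loaded by the conversion.
OLD_SYSTEM = {
    "AR-1001": Decimal("1250.00"),
    "AR-1002": Decimal("310.75"),
    "AR-1003": Decimal("0.00"),
    "AR-1004": Decimal("9870.10"),
}
NEW_SYSTEM = {
    "AR-1001": Decimal("1250.00"),
    "AR-1002": Decimal("301.75"),   # digits transposed during conversion
    "AR-1004": Decimal("9870.10"),
    "AR-1999": Decimal("9.00"),     # no corresponding record in the old system
}


def reconcile_conversion(old, new):
    """Compare pre- and post-conversion balances.

    Returns summary controls (record counts, control totals) together with
    the detailed exceptions found by matching the two files on account id.
    """
    old_keys, new_keys = set(old), set(new)
    changed = {
        key: (old[key], new[key])
        for key in sorted(old_keys & new_keys)
        if old[key] != new[key]
    }
    return {
        "record_count": (len(old), len(new)),
        "control_total": (
            sum(old.values(), Decimal("0")),
            sum(new.values(), Decimal("0")),
        ),
        "dropped": sorted(old_keys - new_keys),      # completeness failures
        "unexpected": sorted(new_keys - old_keys),   # records with no source
        "changed": changed,                          # accuracy failures
    }


def conversion_is_clean(result):
    """True only if the summary controls agree and there are no detail exceptions."""
    counts_agree = result["record_count"][0] == result["record_count"][1]
    totals_agree = result["control_total"][0] == result["control_total"][1]
    no_exceptions = not (result["dropped"] or result["unexpected"] or result["changed"])
    return counts_agree and totals_agree and no_exceptions


if __name__ == "__main__":
    result = reconcile_conversion(OLD_SYSTEM, NEW_SYSTEM)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("clean conversion:", conversion_is_clean(result))
```

Because the errors in the sample offset each other, a reviewer who relied only on the record count and control total would accept this conversion; the detailed match is what exposes it.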


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
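Several of the input controls listed above, including the limit/reasonableness check called for in the Scenario 7.5-1 solution, can be seen working together on one payroll batch. The following is an added example, not part of the course material; the record layout, the 60-hour limit, the use of the Luhn mod-10 algorithm for the check digit, and the sample batch are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_WEEKLY_HOURS = Decimal("60")   # assumed limit/reasonableness threshold


@dataclass
class TimeRecord:
    seq: int            # pre-numbered source document
    employee_id: str    # final digit is a Luhn (mod 10) check digit (assumed scheme)
    hours: Decimal
    rate: Decimal


@dataclass
class BatchHeader:
    """Control totals prepared by the user department from source documents."""
    record_count: int
    financial_total: Decimal   # sum of hours * rate
    hash_total: int            # sum of employee ids; meaningful only as a control


def is_numeric(value: str) -> bool:
    return value.isascii() and value.isdigit()


def luhn_valid(number: str) -> bool:
    """Check-digit test: catches single-digit errors and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, records):
    """Apply batch-level and record-level input controls.

    Returns a list of (control name, document seq or None) exceptions.
    """
    exceptions = []
    # Batch-level controls: compare entered data with the batch header.
    if len(records) != header.record_count:
        exceptions.append(("record count", None))
    if sum((r.hours * r.rate for r in records), Decimal("0")) != header.financial_total:
        exceptions.append(("batch financial total", None))
    if sum(int(r.employee_id) for r in records if is_numeric(r.employee_id)) != header.hash_total:
        exceptions.append(("batch hash total", None))
    # Record-level controls.
    previous_seq = None
    for r in records:
        if not r.employee_id:
            exceptions.append(("missing data", r.seq))
        elif not is_numeric(r.employee_id):
            exceptions.append(("valid character", r.seq))
        elif not luhn_valid(r.employee_id):
            exceptions.append(("check digit", r.seq))
        if r.hours < 0:
            exceptions.append(("valid sign", r.seq))
        elif r.hours > MAX_WEEKLY_HOURS:
            exceptions.append(("limit/reasonableness", r.seq))
        if previous_seq is not None and r.seq != previous_seq + 1:
            exceptions.append(("sequence", r.seq))
        previous_seq = r.seq
    return exceptions


# Constructed sample: header totals reflect the source documents; the keyed
# batch contains a transposed employee id (10017 -> 10071), hours keyed as
# 400 instead of 40, and a gap in the document sequence (104 is missing).
HEADER = BatchHeader(record_count=4, financial_total=Decimal("3835.00"), hash_total=70041)
BATCH = [
    TimeRecord(101, "10009", Decimal("40"), Decimal("25.00")),
    TimeRecord(102, "20008", Decimal("38.5"), Decimal("30.00")),
    TimeRecord(103, "10071", Decimal("40"), Decimal("20.00")),
    TimeRecord(105, "30007", Decimal("400"), Decimal("22.00")),
]

if __name__ == "__main__":
    for control, seq in validate_batch(HEADER, BATCH):
        print(f"{control}: document {seq}" if seq else f"{control}: batch level")
```

The batch-level totals only signal that something in the batch is wrong; the record-level tests identify which documents go to error correction and resubmission.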


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.1 Company operations and computer systems

Learning objective

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach. (Level 1)

Required reading

  • Chapter 7, pages 231, 234, and 251–252
  • Chapter 9, Appendix 9A, pages 1–4 (available online)
  • Chapter 9, pages 339-344
  • CAS 315 Appendix 1 (CICA Handbook section 5141, Appendix B) (section titled “Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication”), and CAS 315.A53–A59
  • Reading 7-1: AuG-6, Auditing in an EDP environment, Sections 1–3

LEVEL 1

Computerization of accounting systems has some major effects on a company’s operations. Understanding these effects will help you understand the audit implications better. Read CAS 315 Appendix 1 (CICA Handbook section 5141, Appendix B), the section entitled “Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication,” which provides an overview of how the client’s information system correlates with the management assertion audit objectives and the functions of the information system.

Scenario 7.1-1: TRP Inc.

Teresa is the Director of Finance for TRP Inc. As part of the business planning for the following year, the Chief Financial Officer (CFO) has tabled a project to computerize TRP’s accounting systems. Teresa has been assigned the task of identifying and analyzing the major effects of this project on the company’s organizational structure and data processing. As TRP Inc.’s auditor, you must help Teresa gather information for the project. What information will Teresa need to have?

Hint: Start by organizing the information into three categories:

  • Effect (or impact)
  • Risk
  • Management responsibility

Solution

Transaction processes

Another effect of computerization is dramatic changes in transaction processes. On pages 344 to 345, the text describes the control benefits and control risks of IT systems. Topic 7.3, which covers the control environment in computer-based systems, looks at the implications of these characteristics in more detail.

Auditing approach

Computerization also causes changes in the approach to auditing. Read Sections 1–3 of Reading 7-1 (CGA Auditing Guideline No. 6) for an overview of computer environment issues and, as you read, think about how a computer environment will affect internal controls and the audit.

Scenario 7.1-2: TRP Inc.


In this topic, you learned about the impact of computerization on a company’s operations. If you were the auditor assigned to audit TRP Inc., what changes would you make in your approach to the audit?

Solution


7.2 Major elements in today’s computer environment

Learning objective

Describe the major elements of audit significance in today’s computer environment. (Level 2)

Required reading

  • Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10

LEVEL 2

Be aware of major elements in today’s computer environment. You have already studied basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent.

The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in Section 9 of CGA AuG-6 (Reading 7-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5.

Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems.

Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now many companies use computer networks.

The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could change the programs used to process the company’s data. Now, each employee with access to a computer could also have access to the software that runs on that computer and could alter it unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information.

However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator.
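A review of this kind can be scripted. The following added example (not part of the course material) reads a constructed DBMS audit trail and reports data-changing statements that a database administrator ran against financial tables without a matching entry in an independently kept change register. The account names, table names, CSV layout and the change register are assumptions made for illustration.

```python
import csv
import io

# Assumptions for this example: which accounts are DBA accounts and which
# tables feed the financial statements.
DBA_ACCOUNTS = {"dba_lee"}
FINANCIAL_TABLES = {"ar_ledger", "gl_journal"}

# Actions that only read data are outside this test.
READ_ONLY_ACTIONS = {"SELECT"}

# Change register maintained by someone other than the DBA (constructed):
# change reference -> table the approved change applies to.
APPROVED_CHANGES = {"CHG-101": "ar_ledger"}

# Constructed audit trail: timestamp, account, action, table, change reference.
AUDIT_TRAIL = """\
2010-03-01T09:12:00,dba_lee,ALTER,ar_ledger,CHG-101
2010-03-01T22:47:00,dba_lee,UPDATE,ar_ledger,
2010-03-02T10:05:00,app_batch,INSERT,gl_journal,
2010-03-03T11:30:00,dba_lee,DELETE,gl_journal,CHG-999
2010-03-04T08:00:00,dba_lee,SELECT,gl_journal,
"""


def dba_exceptions(trail_text, approved=APPROVED_CHANGES):
    """Return DBA changes to financial tables that lack an approved change.

    Each exception is (timestamp, action, table, reason). An entry passes only
    when its change reference exists in the register AND was approved for the
    same table, so a reference cannot be reused to cover an unrelated change.
    """
    exceptions = []
    for timestamp, account, action, table, change_ref in csv.reader(
        io.StringIO(trail_text)
    ):
        if account not in DBA_ACCOUNTS or table not in FINANCIAL_TABLES:
            continue
        if action in READ_ONLY_ACTIONS:
            continue
        if not change_ref:
            reason = "NO_CHANGE_REF"
        elif approved.get(change_ref) != table:
            reason = "REF_NOT_APPROVED_FOR_TABLE"
        else:
            continue
        exceptions.append((timestamp, action, table, reason))
    return exceptions


if __name__ == "__main__":
    for row in dba_exceptions(AUDIT_TRAIL):
        print(row)
```

The test is only as reliable as the audit trail itself, so the auditor also needs evidence that the administrator cannot switch off or edit the trail.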

The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.


Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may intentionally or unintentionally wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor’s ability to obtain evidence if no paper-based source documents are used? What checks and control can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor’s work?

The implications for auditors are the loss of audit trail resulting from the paperless environment, and lack of human intervention resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.


7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 5–6
  • CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063)
  • Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems; certain differences may result in improved controls, while other differences may result in reduced controls. Some differences — for example, the centralization of processing — may be a mixed blessing.

Reading 7-1, Section 4 provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor’s risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization’s operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

  • data control
  • data entry
  • computer operation
  • data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1


In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?
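One way to test for concentration of functions from a system access listing, as an added example that is not part of the course material: each privilege is mapped to one of the four functions listed in Scenario 7.3-1, and any user holding more than one function is reported. The privilege names, user IDs and the mapping are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Assumed mapping from system privileges (hypothetical names) to the four
# functions that Scenario 7.3-1 says should be segregated.
PRIVILEGE_FUNCTION = {
    "approve_batch": "data_control",
    "reconcile_control_totals": "data_control",
    "key_transactions": "data_entry",
    "run_jobs": "computer_operation",
    "mount_media": "computer_operation",
    "library_checkout": "custody",
    "promote_program": "custody",
}

# Constructed access listing: (user ID, privilege).
ACCESS_LISTING = [
    ("asmith", "key_transactions"),
    ("bjones", "approve_batch"),
    ("bjones", "reconcile_control_totals"),  # two privileges, one function
    ("cwong", "run_jobs"),
    ("cwong", "promote_program"),            # operator with library custody
    ("dpatel", "library_checkout"),
    ("eroy", "key_transactions"),
    ("eroy", "approve_batch"),               # enters and approves own batches
    ("eroy", "run_jobs"),
    ("fkim", "edit_master_file"),            # privilege missing from mapping
]


def functions_held(listing):
    """Group the listing by user.

    Returns (held, unmapped): held maps user -> set of functions; unmapped
    lists (user, privilege) pairs the mapping does not cover. Unmapped
    privileges are reported rather than ignored, because a privilege nobody
    has classified cannot be relied on as harmless.
    """
    held = defaultdict(set)
    unmapped = []
    for user, privilege in listing:
        function = PRIVILEGE_FUNCTION.get(privilege)
        if function is None:
            unmapped.append((user, privilege))
        else:
            held[user].add(function)
    return dict(held), unmapped


def sod_conflicts(listing):
    """Return user -> list of function pairs held by the same person."""
    held, _unmapped = functions_held(listing)
    conflicts = {}
    for user, functions in held.items():
        pairs = list(combinations(sorted(functions), 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ACCESS_LISTING).items():
        print(user, pairs)
    print("unclassified:", functions_held(ACCESS_LISTING)[1])
```

Each reported pair is a starting point for enquiry: the auditor then asks whether a compensating control, such as independent review of that user's output, covers the combination.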

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

  • Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
  • Audit trail documents, such as ledgers, reports, and records, are not available, except for machine-readable documents.
  • Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case, no hard copy purchase order would exist. The internal accounting preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer’s account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 15–18
  • Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example: anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols; individuals within a company may be able to access that company’s system, or parts of it, without authorization; “hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

  • password controls
  • physical restrictions to computer equipment
  • activity logs regarding all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
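A test of the reasonableness of a price can be sketched as follows. This is an added example, not part of the course material: it shows the department-level limit check from Example 7.4-1 passing the furniture-polish entry, and a per-product check against a price master rejecting it. The product codes, list prices, department limit and 25% tolerance are constructed assumptions.

```python
from decimal import Decimal

# Constructed price master: product code -> (description, department, list price).
PRICE_MASTER = {
    "2045": ("Furniture polish, 500 ml", "FURNITURE", Decimal("6.99")),
    "7310": ("Oak dining table", "FURNITURE", Decimal("1899.00")),
}

# The only programmed control in Example 7.4-1: one high limit per department.
DEPARTMENT_LIMIT = {"FURNITURE": Decimal("5000.00")}

# Assumed tolerance: entered price may differ from list price by at most 25%.
TOLERANCE = Decimal("0.25")


def limit_check(department, price):
    """Department-level limit check, as described in Example 7.4-1."""
    return price <= DEPARTMENT_LIMIT[department]


def _digits(value):
    """Digits of a value with separators and leading/trailing zeros removed."""
    return "".join(ch for ch in str(value) if ch.isdigit()).strip("0")


def validate_sale_line(product_code, entered_price):
    """Return a list of exception codes for one sale line (empty = accept)."""
    record = PRICE_MASTER.get(product_code)
    if record is None:
        return ["UNKNOWN_PRODUCT"]
    _description, department, list_price = record
    if entered_price <= 0:
        return ["NON_POSITIVE_PRICE"]

    exceptions = []
    if not limit_check(department, entered_price):
        exceptions.append("OVER_DEPARTMENT_LIMIT")

    # Reasonableness: compare with this product's own list price, not with a
    # limit set for the most expensive item the department sells.
    deviation = abs(entered_price - list_price) / list_price
    if deviation > TOLERANCE:
        exceptions.append("PRICE_UNREASONABLE")

    # Keying-error signature from the example: the product code typed into the
    # price field (with or without a decimal point).
    code_digits = _digits(product_code)
    if code_digits and _digits(entered_price) == code_digits:
        exceptions.append("PRICE_MATCHES_PRODUCT_CODE")
    return exceptions


if __name__ == "__main__":
    print(limit_check("FURNITURE", Decimal("2045")))    # limit check alone passes
    print(validate_sale_line("2045", Decimal("2045")))  # reasonableness check rejects
```

In a point-of-sale design, a non-empty result would hold the line for the clerk to re-key or for a supervisor override that is itself logged.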

Vulnerability of hardware software and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

  • Chapter 7, pages 253–254
  • Chapter 9, Appendix 9A, pages 6–15
  • CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
  • Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls: Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

  • Chapter 7, Appendix 7E
  • Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

  • The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.
  • Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
  • A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more, websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

  • digital certificates for authentication and non-repudiation
  • secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
  • access control lists for authentication, and
  • firewalls, a part of the organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.

7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089)
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5 describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.

7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9 provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

segregation of duties; physical security of the microcomputer and its files; computer knowledge; reliable hardware and software; and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists: the presence of large volumes of input/output means that direct examination of the records is difficult; lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system; system is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches: 1. Test data; 2. Parallel simulation.

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach
Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
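
The test data weakness described above (the auditor proves the system only for the transactions in the test deck) shows up clearly when both approaches are run against the same program. The sketch below is an added illustration, not part of the course material or the textbook exhibits; the payroll rules, the 80-hour reasonableness limit, the record layout, the seeded overtime defect, and every record are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# All rules, limits and records below are constructed for illustration.
CENT = Decimal("0.01")
STANDARD_WEEK = Decimal("40")   # hours paid at the regular rate
OT_FACTOR = Decimal("1.5")      # authorized overtime multiplier
HOURS_LIMIT = Decimal("80")     # reasonableness limit on weekly hours


def money(amount):
    """Round to whole cents."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def client_payroll(rec):
    """Stand-in for a copy of the client's payroll program.

    Returns (status, gross_pay). It carries a seeded defect: overtime
    beyond 20 hours is paid at double time, which no policy authorizes.
    """
    hours, rate = Decimal(rec["hours"]), Decimal(rec["rate"])
    # Programmed input controls: validity and reasonableness checks.
    if hours <= 0 or rate <= 0 or hours > HOURS_LIMIT:
        return ("REJECT", None)
    overtime = max(hours - STANDARD_WEEK, Decimal("0"))
    factor = Decimal("2") if overtime > 20 else OT_FACTOR  # seeded defect
    return ("OK", money((hours - overtime) * rate + overtime * rate * factor))


def auditor_payroll(rec):
    """Auditor's own program, written from the authorized pay policy."""
    hours, rate = Decimal(rec["hours"]), Decimal(rec["rate"])
    if hours <= 0 or rate <= 0 or hours > HOURS_LIMIT:
        return ("REJECT", None)
    overtime = max(hours - STANDARD_WEEK, Decimal("0"))
    return ("OK", money((hours - overtime) * rate + overtime * rate * OT_FACTOR))


# Test deck: simulated transactions paired with predetermined results.
TEST_DECK = [
    ({"emp": "T1", "hours": "40", "rate": "20.00"}, ("OK", Decimal("800.00"))),
    ({"emp": "T2", "hours": "45", "rate": "20.00"}, ("OK", Decimal("950.00"))),
    ({"emp": "T3", "hours": "95", "rate": "20.00"}, ("REJECT", None)),
    ({"emp": "T4", "hours": "-5", "rate": "20.00"}, ("REJECT", None)),
]

# The client's own transactions for the period (constructed sample).
CLIENT_FILE = [
    {"emp": "E100", "hours": "38", "rate": "22.50"},
    {"emp": "E101", "hours": "52", "rate": "18.00"},
    {"emp": "E102", "hours": "65", "rate": "30.00"},
    {"emp": "E103", "hours": "40", "rate": "41.25"},
]


def run_test_data(program, deck):
    """Test data approach: list records whose output differs from the
    predetermined result as (employee, expected, actual)."""
    exceptions = []
    for rec, expected in deck:
        actual = program(rec)
        if actual != expected:
            exceptions.append((rec["emp"], expected, actual))
    return exceptions


def parallel_simulation(client_program, auditor_program, data):
    """Parallel simulation: reprocess the client's data with the auditor's
    program and list differences as (employee, client, auditor)."""
    differences = []
    for rec in data:
        client_out, auditor_out = client_program(rec), auditor_program(rec)
        if client_out != auditor_out:
            differences.append((rec["emp"], client_out, auditor_out))
    return differences


if __name__ == "__main__":
    # The defective program passes the deck: no test record has >20 OT hours.
    print("Test data exceptions:", run_test_data(client_payroll, TEST_DECK))
    for emp, client_out, auditor_out in parallel_simulation(
            client_payroll, auditor_payroll, CLIENT_FILE):
        print(f"{emp}: client paid {client_out[1]}, auditor computes {auditor_out[1]}")
```

The test deck reports no exceptions even though the program is defective, while reprocessing the period's actual records isolates the one overpaid employee; adding a 65-hour record to the deck would have caught the same defect.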

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.
The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions; documentation of transactions; controls over online authorizations; and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software, such as Excel; pre-built spreadsheet templates; special-use software, such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company, which has computerized its system extensively, would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
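
The completeness and accuracy test described here and in the Scenario 7.5-2 solution can be run as a simple computer-assisted reconciliation. The following is an added example, not part of the course material; the account numbers, balances, and the renumbering map are constructed for illustration. It shows why agreeing control totals alone are not enough: an amount moved into an unmapped account leaves the totals in balance.

```python
from decimal import Decimal


def reconcile_conversion(old_balances, new_balances, account_map=None):
    """Compare old-system closing balances at cut-off with new-system opening balances.

    account_map is a hypothetical table of old account number -> new account
    number for accounts renumbered (or merged) during the conversion.
    """
    account_map = account_map or {}
    expected = {}
    for account, balance in old_balances.items():
        target = account_map.get(account, account)
        # Several old accounts may be merged into one new account, so accumulate.
        expected[target] = expected.get(target, Decimal("0")) + balance

    old_total = sum(old_balances.values(), Decimal("0"))
    new_total = sum(new_balances.values(), Decimal("0"))
    common = set(expected) & set(new_balances)
    return {
        "record_counts": (len(expected), len(new_balances)),
        "control_totals_agree": old_total == new_total,
        # Completeness: every expected account must exist in the new system.
        "missing_in_new": sorted(set(expected) - set(new_balances)),
        # Accounts that appear from nowhere deserve the same attention.
        "unexpected_in_new": sorted(set(new_balances) - set(expected)),
        # Accuracy: account-by-account difference (new minus expected).
        "balance_differences": {
            a: new_balances[a] - expected[a]
            for a in sorted(common)
            if new_balances[a] != expected[a]
        },
    }


def conversion_is_clean(result):
    """True only when totals agree and no account-level exception exists."""
    return (
        result["control_totals_agree"]
        and not result["missing_in_new"]
        and not result["unexpected_in_new"]
        and not result["balance_differences"]
    )


# Constructed sample data: debits positive, credits negative.
OLD_TB = {
    "1000": Decimal("12500.00"),   # cash
    "1100": Decimal("48200.00"),   # accounts receivable
    "1200": Decimal("30150.00"),   # inventory
    "2000": Decimal("-27350.00"),  # accounts payable
    "3000": Decimal("-63500.00"),  # equity
}
ACCOUNT_MAP = {"1100": "1105"}     # receivables renumbered in the new system
NEW_TB = {
    "1000": Decimal("12500.00"),
    "1105": Decimal("47700.00"),   # 500.00 short of the old balance
    "1200": Decimal("30150.00"),
    "2000": Decimal("-27350.00"),
    "3000": Decimal("-63500.00"),
    "9999": Decimal("500.00"),     # account that did not exist before conversion
}

if __name__ == "__main__":
    for key, value in reconcile_conversion(OLD_TB, NEW_TB, ACCOUNT_MAP).items():
        print(f"{key}: {value}")
```
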


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
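
Several of the input controls listed above can be seen working together on one keyed payroll batch. The following is an added example, not part of the course material: the field names and the sample batch are constructed, and the Luhn mod-10 scheme is an assumed check-digit algorithm because the page does not name one. The batch header carries the record count, financial total, and hash total prepared from the source documents before data entry.

```python
from decimal import Decimal, InvalidOperation


def luhn_valid(number):
    """Check-digit test (Luhn mod 10, an assumed scheme)."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def check_batch(header, records):
    """Return (control, detail) exceptions; an empty list means the batch balances."""
    exceptions = []
    if len(records) != header["record_count"]:
        exceptions.append(
            ("record count", f"expected {header['record_count']}, got {len(records)}"))

    financial_total = Decimal("0")
    hash_total = 0
    for line_no, record in enumerate(records, start=1):
        employee_no = record.get("employee_no", "")
        amount = record.get("amount", "")
        if not employee_no or not amount:
            exceptions.append(("missing data", f"record {line_no}"))
            continue
        if not luhn_valid(employee_no):
            exceptions.append(("check digit", f"record {line_no}: {employee_no}"))
        if employee_no.isascii() and employee_no.isdigit():
            # Hash total: a sum with no accounting meaning, kept only to detect
            # a changed, dropped, or substituted record.
            hash_total += int(employee_no)
        try:
            value = Decimal(amount)
            if not value.is_finite():
                raise InvalidOperation
        except InvalidOperation:
            exceptions.append(("valid character", f"record {line_no}: {amount!r}"))
            continue
        if value <= 0:
            exceptions.append(("valid sign", f"record {line_no}: {amount}"))
        financial_total += value

    if financial_total != header["financial_total"]:
        exceptions.append(
            ("batch financial total",
             f"expected {header['financial_total']}, got {financial_total}"))
    if hash_total != header["hash_total"]:
        exceptions.append(
            ("batch hash total", f"expected {header['hash_total']}, got {hash_total}"))
    return exceptions


# Constructed sample: the batch as it appears on the source documents.
SOURCE_BATCH = [
    {"employee_no": "100230", "amount": "1250.00"},
    {"employee_no": "100479", "amount": "980.50"},
    {"employee_no": "100586", "amount": "1105.25"},
    {"employee_no": "100610", "amount": "860.00"},
]
HEADER = {
    "record_count": 4,
    "financial_total": Decimal("4195.75"),
    "hash_total": 401905,
}
# The same batch as keyed: record 2 has two digits of the employee number
# transposed, record 3 has the amount mis-keyed.
KEYED_BATCH = [
    {"employee_no": "100230", "amount": "1250.00"},
    {"employee_no": "100749", "amount": "980.50"},
    {"employee_no": "100586", "amount": "1150.25"},
    {"employee_no": "100610", "amount": "860.00"},
]

if __name__ == "__main__":
    for control, detail in check_batch(HEADER, KEYED_BATCH):
        print(f"{control}: {detail}")
```

The record count still agrees for the keyed batch, which is why the financial and hash totals are kept alongside it.
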


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing a working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


In this topic, you learned about the impact of computerization on a company's operations. If you were the auditor assigned to audit TRP Inc., what changes would you make in your approach to the audit?

Solution


7.2 Major elements in today's computer environment

Learning objective

Describe the major elements of audit significance in today's computer environment. (Level 2)

Required reading

Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10

LEVEL 2

Be aware of major elements in today's computer environment. You have already studied basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent.

The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in Section 9 of CGA AuG-6 (Reading 7-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5.

Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems.

Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now, many companies use computer networks.

The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now, the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could change the programs used to process the company's data. Now, each employee with access to a computer could also have access to the software that runs on that computer and could alter it, unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information.

However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator.

The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.


Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may intentionally or unintentionally wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor's ability to obtain evidence if no paper-based source documents are used? What checks and controls can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor's work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and lack of human intervention, resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.


7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 5–6; CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems; certain differences may result in improved controls while other differences may result in reduced controls. Some differences, for example the centralization of processing, may be a mixed blessing.

Reading 7-1, Section 4, provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor's risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization's operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

data control; data entry; computer operation; data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1


In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.

Audit trail documents, such as ledgers, reports, and records, are not available except for machine-readable documents.

Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client's system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP's accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer's account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–18; Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example: anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols; individuals within a company may be able to access that company's system, or parts of it, without authorization; and "hackers" can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

password controls; physical restrictions to computer equipment; activity logs regarding all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
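
The difference between the department-wide limit check in Example 7.4-1 and a test of the reasonableness of a price can be shown on the furniture polish sale itself. The following is an added example, not part of the course material; the department limit, the price master, the 30% tolerance, and the second product are assumptions made for illustration.

```python
from decimal import Decimal

# Assumed values: the page says only that the furniture limit was "quite high".
DEPARTMENT_LIMITS = {"furniture": Decimal("5000.00")}

# Hypothetical price master keyed by product code.
PRICE_MASTER = {
    "2045": {"description": "furniture polish", "dept": "furniture",
             "list_price": Decimal("6.99")},
    "3310": {"description": "sofa", "dept": "furniture",
             "list_price": Decimal("1899.00")},
}
MAX_DEVIATION = Decimal("0.30")  # keyed price may differ from list by 30%


def limit_check(sale):
    """The control the store had: one ceiling for the whole department."""
    return sale["unit_price"] <= DEPARTMENT_LIMITS[sale["dept"]]


def reasonableness_check(sale):
    """Compare the keyed price with what this product normally sells for."""
    item = PRICE_MASTER.get(sale["product_code"])
    if item is None:
        return ["unknown_product_code"]
    exceptions = []
    if item["dept"] != sale["dept"]:
        exceptions.append("product_not_in_department")
    price = sale["unit_price"]
    low = item["list_price"] * (1 - MAX_DEVIATION)
    high = item["list_price"] * (1 + MAX_DEVIATION)
    if not low <= price <= high:
        exceptions.append("price_out_of_range")
    # The specific keying error in the example: product code entered as price.
    code = sale["product_code"]
    if code.isascii() and code.isdigit() and price == Decimal(code):
        exceptions.append("price_equals_product_code")
    return exceptions


# Constructed sales: the mis-keyed polish and a discounted sofa.
POLISH_SALE = {"dept": "furniture", "product_code": "2045",
               "unit_price": Decimal("2045")}
SOFA_SALE = {"dept": "furniture", "product_code": "3310",
             "unit_price": Decimal("1599.00")}

if __name__ == "__main__":
    for sale in (POLISH_SALE, SOFA_SALE):
        print(sale["product_code"], limit_check(sale), reasonableness_check(sale))
```
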

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.

7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

Chapter 7, pages 253–254; Chapter 9, Appendix 9A, pages 6–15; CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls, organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution
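A reasonableness check of the kind Mario asks about, and the one missing in the furniture polish case in Topic 7.4, can be programmed as an input control. The following is an added example, not part of the course material or its solution; the price master file, department limit, tolerance, and hours thresholds are constructed assumptions.

```python
from decimal import Decimal

# All master data and thresholds below are constructed for illustration.
PRICE_MASTER = {
    "2045": Decimal("4.95"),     # furniture polish (price is an assumption)
    "7310": Decimal("1899.00"),  # sofa
}
DEPT_LIMIT = {"furniture": Decimal("5000.00")}  # high, because furniture is costly
PRICE_TOLERANCE = Decimal("0.10")  # keyed price may differ from master by 10%
HOURS_IN_WEEK = Decimal("168")     # physical maximum: 7 days x 24 hours
HOURS_REVIEW = Decimal("60")       # assumed policy: above this needs approval


def limit_check(dept, amount):
    """Limit check: the only programmed control in the furniture polish case."""
    return amount <= DEPT_LIMIT[dept]


def price_exceptions(product_code, unit_price):
    """Reasonableness check: compare the keyed price with the price master file."""
    master = PRICE_MASTER.get(product_code)
    if master is None:
        return [f"product code {product_code} not on price master file"]
    if abs(unit_price - master) > master * PRICE_TOLERANCE:
        return [f"keyed price {unit_price} is not reasonable for product "
                f"{product_code} (master price {master})"]
    return []


def validate_sale(dept, product_code, unit_price, quantity=1):
    """Run both input controls and return the list of exceptions raised."""
    exceptions = []
    if not limit_check(dept, unit_price * quantity):
        exceptions.append("transaction exceeds department limit")
    exceptions.extend(price_exceptions(product_code, unit_price))
    return exceptions


def validate_timesheet(hours):
    """Reasonableness check on weekly hours.

    'reject' = physically impossible, 'hold' = possible but needs approval,
    'accept' = passes to payroll processing.
    """
    if hours < 0 or hours > HOURS_IN_WEEK:
        return "reject"
    if hours > HOURS_REVIEW:
        return "hold"
    return "accept"


if __name__ == "__main__":
    # The clerk keys the product code (2045) as the price.
    print(limit_check("furniture", Decimal("2045.00")))            # limit check passes
    print(validate_sale("furniture", "2045", Decimal("2045.00")))  # reasonableness fails
    print(validate_timesheet(Decimal("1000")))                     # impossible hours
```

The limit check alone accepts the mis-keyed sale because the amount is below the department limit; only the comparison against the product's expected price raises an exception.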

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution

7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E; Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.

Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

digital certificates for authentication and non-repudiation
secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
access control lists for authentication
firewalls, a part of the organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution

7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level, and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.

7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.

7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19; Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of

segregation of duties
physical security of the microcomputer and its files
computer knowledge
reliable hardware and software
documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
Auditing through the computer: Auditing the computer processing system, or data produced by the system, to test the programmed controls.

Advantage(s)
Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?
Auditing around the computer: Requires sufficient audit trail of visible evidence.
Auditing through the computer: This method must be used if any one of the following exists:
The presence of large volumes of input/output means that direct examination of the records is difficult.
Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
System is complex and includes key parts of the accounting system.

Approaches
Auditing around the computer: Bypasses the computer (auditing without the computer).
Auditing through the computer: Two main approaches:
1. Test data
2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

Test data approach
Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths
Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses
Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.
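The two approaches can be compared on a small payroll calculation. This added example (not from the course text or Appendix 9A) uses a constructed stand-in for the client's program with a seeded error, a constructed test deck, and a constructed client file; all names, pay rules, and values are assumptions.

```python
from decimal import Decimal

REGULAR_HOURS = Decimal("40")
OVERTIME_FACTOR = Decimal("1.5")  # assumed documented policy: time-and-a-half


def client_gross_pay(hours, rate):
    """Stand-in for the client's payroll program (constructed).

    Seeded error: when weekly hours exceed 60, overtime is paid at double
    time instead of the documented time-and-a-half.
    """
    regular = min(hours, REGULAR_HOURS) * rate
    overtime_hours = max(hours - REGULAR_HOURS, Decimal("0"))
    factor = Decimal("2.0") if hours > 60 else OVERTIME_FACTOR
    return regular + overtime_hours * rate * factor


def auditor_gross_pay(hours, rate):
    """Auditor's own program, written independently from the pay policy."""
    regular = min(hours, REGULAR_HOURS) * rate
    overtime_hours = max(hours - REGULAR_HOURS, Decimal("0"))
    return regular + overtime_hours * rate * OVERTIME_FACTOR


# Test data approach: simulated records with predetermined results.
# The deck (constructed) has no record above 60 hours.
TEST_DECK = [
    {"hours": Decimal("38"), "rate": Decimal("20.00"), "expected": Decimal("760.00")},
    {"hours": Decimal("40"), "rate": Decimal("20.00"), "expected": Decimal("800.00")},
    {"hours": Decimal("45"), "rate": Decimal("20.00"), "expected": Decimal("950.00")},
]


def run_test_data(program, deck):
    """Process the deck through the program under test; return the failures."""
    return [rec for rec in deck
            if program(rec["hours"], rec["rate"]) != rec["expected"]]


def build_client_file():
    """Constructed client records for the period, with the client's output."""
    inputs = [("E01", "40", "20.00"), ("E02", "45", "20.00"), ("E03", "65", "20.00")]
    return [{"employee": emp, "hours": Decimal(h), "rate": Decimal(r),
             "client_output": client_gross_pay(Decimal(h), Decimal(r))}
            for emp, h, r in inputs]


def parallel_simulation(client_records, auditor_program):
    """Reprocess the client's data with the auditor's program and compare."""
    exceptions = []
    for rec in client_records:
        recomputed = auditor_program(rec["hours"], rec["rate"])
        if recomputed != rec["client_output"]:
            exceptions.append({"employee": rec["employee"],
                               "client": rec["client_output"],
                               "auditor": recomputed,
                               "difference": rec["client_output"] - recomputed})
    return exceptions


if __name__ == "__main__":
    print("test data failures:", run_test_data(client_gross_pay, TEST_DECK))
    for exc in parallel_simulation(build_client_file(), auditor_gross_pay):
        print("parallel simulation exception:", exc)
```

The test deck passes because none of its records exercises the faulty branch, which is the weakness noted in Exhibit 7.11-1; reprocessing the client's actual data isolates the one record where the two programs disagree.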

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach.

Effects on the company’s operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit; the impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client’s business, the auditor should obtain an understanding of the client’s computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today’s computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

the concentration of functions
documentation of transactions
controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

controls over access to programs and data
controls over system design and maintenance
protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for a company’s internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail, and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization’s internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada’s Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software, such as Excel; pre-built spreadsheet templates; special-use software, such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company, which has computerized its system extensively, would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.

b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.

b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
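
The accuracy, completeness, and cut-off tests named in this solution can be run as a file-matching routine of the kind generalized audit software performs. The following is an added example, not part of the course material; the account numbers, transaction ids, dates, and the rule that the changeover date itself belongs to the old system are assumptions. The constructed data is chosen so that record counts and control totals agree even though the conversion is wrong.

```python
from datetime import date
from decimal import Decimal


def reconcile_balances(old_closing: dict, new_opening: dict) -> dict:
    """Compare closing balances in the old system with opening balances in the new."""
    old_ids, new_ids = set(old_closing), set(new_opening)
    return {
        "count_old": len(old_ids),
        "count_new": len(new_ids),
        "total_old": sum(old_closing.values(), Decimal("0")),
        "total_new": sum(new_opening.values(), Decimal("0")),
        "dropped": sorted(old_ids - new_ids),  # completeness: lost in conversion
        "added": sorted(new_ids - old_ids),    # accounts with no source in the old system
        "changed": {acct: (old_closing[acct], new_opening[acct])
                    for acct in sorted(old_ids & new_ids)
                    if old_closing[acct] != new_opening[acct]},
    }


def cutoff_exceptions(old_txns: list, new_txns: list, changeover: date) -> dict:
    """Flag transactions recorded on the wrong side of the changeover date.

    Assumption: the changeover date is the last day processed by the old system.
    """
    old_ids = {t["id"] for t in old_txns}
    return {
        "late_in_old": sorted(t["id"] for t in old_txns if t["date"] > changeover),
        "early_in_new": sorted(t["id"] for t in new_txns if t["date"] <= changeover),
        "in_both": sorted(t["id"] for t in new_txns if t["id"] in old_ids),
    }


def conversion_is_clean(balances: dict, cutoff: dict) -> bool:
    """True only when the detail comparison and the cut-off test find nothing."""
    return not (balances["dropped"] or balances["added"] or balances["changed"]
                or any(cutoff.values()))


# Constructed sample data: two balances are swapped and one account is replaced,
# so counts (4 and 4) and control totals (1825.50) still agree.
OLD_CLOSING = {"A100": Decimal("500.00"), "A200": Decimal("1250.00"),
               "A300": Decimal("75.50"), "A400": Decimal("0.00")}
NEW_OPENING = {"A100": Decimal("1250.00"), "A200": Decimal("500.00"),
               "A300": Decimal("75.50"), "A500": Decimal("0.00")}
CHANGEOVER = date(2010, 6, 30)
OLD_TXNS = [{"id": "T1", "date": date(2010, 6, 29)},
            {"id": "T2", "date": date(2010, 6, 30)},
            {"id": "T3", "date": date(2010, 7, 1)}]
NEW_TXNS = [{"id": "T3", "date": date(2010, 7, 1)},
            {"id": "T4", "date": date(2010, 7, 2)},
            {"id": "T5", "date": date(2010, 6, 30)}]

if __name__ == "__main__":
    balances = reconcile_balances(OLD_CLOSING, NEW_OPENING)
    cutoff = cutoff_exceptions(OLD_TXNS, NEW_TXNS, CHANGEOVER)
    print(balances)
    print(cutoff)
    print("clean conversion:", conversion_is_clean(balances, cutoff))
```

Agreeing record counts and control totals is necessary but not sufficient: only the account-by-account comparison exposes the swapped balances.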

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
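
Several of the input controls listed above can be seen working together on one keyed batch. The following is an added example, not part of the course material; the payroll record layout, the 60-hour limit, and the use of the Luhn mod-10 scheme for the check digit are assumptions. The batch is constructed with one mis-keyed amount, one mis-keyed employee number, and one lost document.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

MAX_HOURS = Decimal("60")  # assumed ceiling for one pay period (illustrative)


@dataclass
class BatchHeader:
    """Control figures the user department prepares before data entry."""
    record_count: int
    financial_total: Decimal  # sum of gross pay on the source documents
    hash_total: int           # sum of employee numbers; used only as a control
    first_sequence: int       # sequence number of the first document


def _digits(text) -> bool:
    return isinstance(text, str) and text.isascii() and text.isdigit()


def check_digit_ok(number: str) -> bool:
    """Luhn mod-10 test; the last digit is the check digit (assumed scheme)."""
    if not _digits(number) or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def _amount(text):
    """Parse a keyed amount; return None when it is not a finite number."""
    try:
        value = Decimal(str(text))
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_record(rec: dict) -> list:
    """Field-level edits on one keyed record; returns the controls that failed."""
    if any(not rec.get(f) for f in ("employee_no", "hours", "gross_pay")):
        return ["MISSING_DATA"]
    failed = []
    if not check_digit_ok(rec["employee_no"]):
        failed.append("CHECK_DIGIT")
    hours, gross = _amount(rec["hours"]), _amount(rec["gross_pay"])
    if hours is None or gross is None:
        return failed + ["VALID_CHARACTER"]
    if hours < 0 or gross < 0:
        failed.append("VALID_SIGN")
    if hours > MAX_HOURS:
        failed.append("LIMIT")
    return failed


def validate_batch(header: BatchHeader, records: list) -> dict:
    """Run the record edits, then agree the batch to its header control figures."""
    result = {"records": {}, "batch": []}
    for rec in records:
        failed = edit_record(rec)
        if failed:
            result["records"][rec.get("seq")] = failed

    if len(records) != header.record_count:
        result["batch"].append("RECORD_COUNT")
    expected = list(range(header.first_sequence,
                          header.first_sequence + header.record_count))
    if [rec.get("seq") for rec in records] != expected:
        result["batch"].append("SEQUENCE")

    financial = sum((_amount(r.get("gross_pay")) or Decimal("0") for r in records),
                    Decimal("0"))
    hashed = sum(int(r["employee_no"]) for r in records
                 if _digits(r.get("employee_no")))
    if financial != header.financial_total:
        result["batch"].append("FINANCIAL_TOTAL")
    if hashed != header.hash_total:
        result["batch"].append("HASH_TOTAL")
    return result


# Constructed sample: header from four source documents, three records as keyed.
SAMPLE_HEADER = BatchHeader(4, Decimal("4350.00"), 40084, 101)
SAMPLE_KEYED = [
    {"seq": 101, "employee_no": "10009", "hours": "40", "gross_pay": "1200.00"},
    {"seq": 102, "employee_no": "10017", "hours": "400", "gross_pay": "12000.00"},
    {"seq": 104, "employee_no": "10034", "hours": "35", "gross_pay": "1050.00"},
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_HEADER, SAMPLE_KEYED))
```

A batch rejected this way goes back through error correction and resubmission; the header figures are what let the data control function prove that the resubmitted batch is complete.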

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

7.2 Major elements in today's computer environment

Learning objective

Describe the major elements of audit significance in today's computer environment. (Level 2)

Required reading

Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10

LEVEL 2

Be aware of major elements in today's computer environment. You have already studied basic elements of computer-based systems in Managing Information Systems [MS1] or its equivalent.

The major elements of audit significance include microcomputers, databases, online systems, and electronic commerce, specifically Electronic Data Interchange (EDI) and the Internet. Microcomputers are explained in Section 9 of CGA AuG-6 (Reading 7-1). Internal controls with respect to microcomputers are explained in detail in Topic 7.5.

Paragraphs 10.2 to 10.4 of Reading 7-1 describe the features and characteristics of online systems, and paragraphs 10.5 to 10.11 outline the characteristics of database systems.

Electronic commerce is transforming the business environment and is likely to give rise to a wide range of assurance engagements for public accountants. You consider some of the audit implications of electronic commerce in Topic 7.6.

Microcomputers

Experienced auditors are concerned about their ability to keep up with the advances in information technology. Companies used to use mainframe computers and terminals only; now, many companies use computer networks.

The auditor used to be concerned about the integrity of computer programs that ran on the mainframe; now, the auditor is concerned about the proliferation of stand-alone computers and software. With this proliferation, there is a tendency to decentralize data processing. This, in turn, increases the amount of work an auditor needs to do to understand and rely on the computer controls. At one time, only programmers could change the programs used to process the company's data. Now, each employee with access to a computer could also have access to the software that runs on that computer and could alter it unless adequate safeguards are in place.

Database systems

Database systems store data in a central location under the control of the database administrator. The use of centralized database management systems can result in more reliable data because there is no redundant (duplicate) data, thus removing the chance of conflicting information.

However, the database administrator typically exercises substantial power over the databases. This concentration of data and lack of segregation of duties create significant risk. In light of this risk, the auditor must carefully review the activities of the database administrator and examine any audit trail provided by the database management system to ensure that there are adequate compensating controls over the activities of the database administrator.

The auditor must also review the backup and recovery procedures to ensure that there is sufficient protection of databases. Because all the systems rely on the databases for accurate processing, the auditor should confirm that there is adequate internal control to ensure the integrity of the databases.

Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may intentionally or unintentionally wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor's ability to obtain evidence if no paper-based source documents are used? What checks and control can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor's work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and lack of human intervention resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.

7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 5–6

CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063)

Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls. Some differences — for example, the centralization of processing — may be a mixed blessing.

Reading 7-1, Section 4, provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor’s risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization’s operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

data control

data entry

computer operation

data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1

In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.

Audit trail documents, such as ledgers, reports, and records, are not available except for machine-readable documents.

Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer’s account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.

7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–18

Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example:

Anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols.

Individuals within a company may be able to access that company’s system, or parts of it, without authorization.

“Hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

password controls

physical restrictions to computer equipment

activity logs regarding all access and attempted access to data files or programs
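
An activity log only works as a control if someone reviews it. The following is an added example, not part of the course material, of the kind of review an auditor could run over such a log. The log layout, the role names, the rule that only a `librarian` role has custody of programs, and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines; the key=value layout is an assumption for this example.
SAMPLE_LOG = """\
2010-10-04T08:55:10 user=mlee role=data_entry action=LOGIN object=- result=OK
2010-10-04T09:02:41 user=mlee role=data_entry action=UPDATE object=file:AR_MASTER result=OK
2010-10-04T09:30:00 user=mlee role=data_entry action=UPDATE object=program:PAYCALC result=DENIED
2010-10-04T23:41:02 user=rkhan role=operator action=LOGIN object=- result=FAIL
2010-10-04T23:41:20 user=rkhan role=operator action=LOGIN object=- result=FAIL
2010-10-04T23:41:44 user=rkhan role=operator action=LOGIN object=- result=FAIL
2010-10-04T23:42:05 user=rkhan role=operator action=LOGIN object=- result=OK
2010-10-04T23:50:13 user=rkhan role=operator action=UPDATE object=program:PAYCALC result=OK
this line is damaged and cannot be parsed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>\S+) result=(?P<result>\S+)$"
)
PROGRAM_CUSTODIANS = {"librarian"}   # assumed: only this role has custody of programs
FAIL_THRESHOLD = 3                   # assumed: failed logins that count as a burst
FAIL_WINDOW = timedelta(minutes=5)   # assumed: window in which they are counted


def review_log(text):
    """Return findings as (timestamp, user, rule) plus a count of unreadable lines."""
    findings, unparsed = [], 0
    fails = defaultdict(list)        # user -> timestamps of recent failed logins
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(match["ts"]) if match else None
        except ValueError:
            ts = None
        if ts is None:
            unparsed += 1            # gaps in the log are reported, not skipped silently
            continue
        user, role = match["user"], match["role"]
        action, obj, result = match["action"], match["object"], match["result"]

        if action == "LOGIN":
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if result == "FAIL":
                recent.append(ts)
                if len(recent) == FAIL_THRESHOLD:   # report once, when the burst forms
                    findings.append((match["ts"], user, "failed_login_burst"))
                fails[user] = recent
            else:
                if len(recent) >= FAIL_THRESHOLD:   # attempted access that then succeeded
                    findings.append((match["ts"], user, "login_after_failures"))
                fails[user] = []
        elif obj.startswith("program:") and role not in PROGRAM_CUSTODIANS:
            # Both successful and denied attempts are of interest to the reviewer.
            findings.append((match["ts"], user, f"program_access_by_{role}:{result}"))
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for finding in report["findings"]:
        print(*finding)
    print("unparsed lines:", report["unparsed"])
```

The denied attempt by the data entry clerk is reported alongside the successful change by the operator, which is why the log has to record attempted access as well as access.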

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.

Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.

7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

Chapter 7, pages 253–254

Chapter 9, Appendix 9A, pages 6–15

CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)

Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram

General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.
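
The sketch below is an added example, not taken from the course material or Appendix 9A, of programmed input controls applied to the furniture polish sale in Example 7.4-1 and to weekly payroll hours. It shows why a limit check alone lets the $2045 polish sale through while a reasonableness check against the price master file stops it. The catalogue prices, the tolerance, the department limit, and the hour thresholds are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed master file and thresholds; every value here is an assumption
# made for the example, not data from the course material.
PRICE_MASTER = {
    "2045": Decimal("6.99"),     # furniture polish (code echoes Example 7.4-1)
    "7310": Decimal("1899.00"),  # sofa
}
DEPARTMENT_LIMIT = Decimal("5000.00")  # limit check, set high for furniture
PRICE_TOLERANCE = Decimal("0.25")      # keyed price may differ 25% from catalogue
MAX_WEEKLY_HOURS = Decimal("168")      # 7 days x 24 hours: the physical maximum
REVIEW_WEEKLY_HOURS = Decimal("60")    # above this, hold for supervisor approval


@dataclass
class EditResult:
    status: str                        # "accept", "hold" or "reject"
    exceptions: list = field(default_factory=list)


def to_decimal(raw):
    """Format check: return a Decimal, or None if the keyed value is not numeric."""
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def check_sale(product_code, keyed_price):
    price = to_decimal(keyed_price)
    if price is None:
        return EditResult("reject", ["format: price is not numeric"])
    if product_code not in PRICE_MASTER:
        return EditResult("reject", ["validity: unknown product code"])
    exceptions = []
    if price <= 0:
        exceptions.append("range: price must be positive")
    if price > DEPARTMENT_LIMIT:
        exceptions.append("limit: price exceeds department limit")
    catalogue = PRICE_MASTER[product_code]
    if abs(price - catalogue) > catalogue * PRICE_TOLERANCE:
        exceptions.append(f"reasonableness: keyed {price} vs catalogue {catalogue}")
    return EditResult("reject" if exceptions else "accept", exceptions)


def check_timesheet(keyed_hours):
    hours = to_decimal(keyed_hours)
    if hours is None:
        return EditResult("reject", ["format: hours are not numeric"])
    if hours < 0 or hours > MAX_WEEKLY_HOURS:
        return EditResult("reject", [f"range: {hours} hours is impossible in one week"])
    if hours > REVIEW_WEEKLY_HOURS:
        return EditResult("hold", [f"reasonableness: {hours} hours needs approval"])
    return EditResult("accept")


def process_batch(records, check):
    """Post accepted records, route the rest to an exception report, and
    reconcile record counts so that nothing is silently dropped."""
    posted, exception_report = [], []
    for record_id, *fields in records:
        result = check(*fields)
        if result.status == "accept":
            posted.append(record_id)
        else:
            exception_report.append((record_id, result.status, result.exceptions))
    assert len(posted) + len(exception_report) == len(records)  # control total
    return posted, exception_report


# Constructed input batches: (record id, keyed fields...).
SALES = [("S1", "2045", "2045"), ("S2", "2045", "6.99"),
         ("S3", "7310", "1899.00"), ("S4", "7310", "18.99x")]
TIMESHEETS = [("E1", "40"), ("E2", "1000"), ("E3", "72.5")]

if __name__ == "__main__":
    print(process_batch(SALES, check_sale))
    print(process_batch(TIMESHEETS, check_timesheet))
```

Rejected and held records go to an exception report for a person to resolve, which restores the human review the manual system provided.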

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that, in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution

7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E

Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.

Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

digital certificates for authentication and non-repudiation

secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy

access control lists for authentication

firewalls, a part of organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.

Solution

7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.

7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)

Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.

7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of segregation of duties, physical security of the microcomputer and its files, computer knowledge, reliable hardware and software, and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

Test data approach

Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.
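
The parallel simulation described above, sketched as an added example (not part of the course material): the auditor's own program recomputes gross pay from the client's input and compares it, record by record, with the client program's output. The file layouts, the overtime rule and all data are assumptions constructed for illustration; the sample output contains two offsetting errors, so the totals agree while the record-level comparison does not.

```python
"""Parallel simulation: run the client's input through an auditor-written
program and compare with the client program's output. Data is constructed."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
OVERTIME_AFTER = Decimal("40")    # assumed pay rule: hours above 40 ...
OVERTIME_FACTOR = Decimal("1.5")  # ... are paid at time and a half

# Constructed copy of the client's input file for one pay period.
CLIENT_INPUT = """emp_id,hours,rate
E001,40.0,25.00
E002,45.0,20.00
E003,38.5,30.00
E004,50.0,18.00
"""

# Constructed output of the client's payroll program for the same input.
# E002 is 50.00 short and E004 is 50.00 over, so the batch total still agrees.
CLIENT_OUTPUT = """emp_id,gross_pay
E001,1000.00
E002,900.00
E003,1155.00
E004,1040.00
"""


def auditor_gross_pay(hours, rate):
    """The auditor's independent implementation of the pay calculation."""
    regular = min(hours, OVERTIME_AFTER)
    overtime = max(hours - OVERTIME_AFTER, Decimal("0"))
    pay = regular * rate + overtime * rate * OVERTIME_FACTOR
    return pay.quantize(CENT, rounding=ROUND_HALF_UP)


def simulate(input_csv):
    """Process every client input record with the auditor's program."""
    rows = csv.DictReader(io.StringIO(input_csv))
    return {r["emp_id"]: auditor_gross_pay(Decimal(r["hours"]), Decimal(r["rate"]))
            for r in rows}


def load_client_output(output_csv):
    """Read what the client's program produced for the same period."""
    rows = csv.DictReader(io.StringIO(output_csv))
    return {r["emp_id"]: Decimal(r["gross_pay"]) for r in rows}


def compare(expected, actual):
    """Compare totals and every record; return totals plus an exception list."""
    exceptions = []
    for emp in sorted(expected.keys() | actual.keys()):
        if emp not in actual:
            exceptions.append((emp, "missing from client output", expected[emp], None))
        elif emp not in expected:
            exceptions.append((emp, "no supporting input record", None, actual[emp]))
        elif expected[emp] != actual[emp]:
            exceptions.append((emp, "amount differs", expected[emp], actual[emp]))
    return {
        "auditor_total": sum(expected.values(), Decimal("0")),
        "client_total": sum(actual.values(), Decimal("0")),
        "exceptions": exceptions,
    }


def parallel_simulation(input_csv, output_csv):
    return compare(simulate(input_csv), load_client_output(output_csv))


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT)
    print("auditor total:", result["auditor_total"])
    print("client total: ", result["client_total"])
    for emp, reason, expected, actual in result["exceptions"]:
        print(emp, reason, "auditor:", expected, "client:", actual)
```

A comparison of totals alone would pass this file; the exception list is what the auditor follows up.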

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general-use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special-use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit. The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff, on the one hand, and the operations staff, on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP, or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
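
An added example (not from the course material) of how several of the input controls listed above can be applied to one batch before it is posted: record count, batch financial total, batch hash total, check digit, missing data, valid character, valid sign, sequence and limit tests. The batch layout, the amount limit, the use of the Luhn (mod 10) scheme for the check digit, and all data are assumptions constructed for illustration.

```python
"""Input edit checks on one batch before posting. Layout, limit and data are
assumptions constructed for this example."""
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("10000.00")  # assumed pre-specified ceiling per transaction

# Control figures the user department computed from the source documents.
HEADER = {"record_count": 6, "financial_total": Decimal("4205.75"), "hash_total": 171992}

# Constructed batch as keyed by data entry (vendor numbers end in a check digit).
BATCH = [
    {"seq": 1, "vendor_no": "12344", "amount": "1200.00"},
    {"seq": 2, "vendor_no": "20453", "amount": "350.50"},
    {"seq": 3, "vendor_no": "31718", "amount": "980.00"},    # digits transposed (31781)
    {"seq": 5, "vendor_no": "44107", "amount": "15000.00"},  # record 4 lost; extra zero keyed
    {"seq": 6, "vendor_no": "50963", "amount": ""},          # amount not keyed
]


def luhn_ok(number):
    """Check digit test; Luhn (mod 10) stands in for the client's scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_amount(raw):
    """Return a finite Decimal, or None if the field is not a valid number."""
    try:
        value = Decimal(raw)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def check_record(rec, prev_seq):
    """Apply the field-level edits to one record and return the failed tests."""
    failed = []
    if prev_seq is not None and rec["seq"] != prev_seq + 1:
        failed.append("sequence")
    vendor, raw = rec.get("vendor_no", ""), rec.get("amount", "")
    if not vendor or not raw:
        failed.append("missing_data")
    if vendor:
        if not (vendor.isascii() and vendor.isdigit()):
            failed.append("valid_character")
        elif not luhn_ok(vendor):
            failed.append("check_digit")
    if raw:
        amount = parse_amount(raw)
        if amount is None:
            failed.append("valid_character")
        elif amount <= 0:
            failed.append("valid_sign")
        elif amount > AMOUNT_LIMIT:
            failed.append("limit")
    return failed


def validate_batch(header, batch):
    """Run record edits, then compare batch control totals with the header."""
    record_errors, prev_seq = {}, None
    financial_total, hash_total = Decimal("0"), 0
    for rec in batch:
        failed = check_record(rec, prev_seq)
        prev_seq = rec["seq"]
        if failed:
            record_errors[rec["seq"]] = failed
        amount = parse_amount(rec.get("amount", ""))
        if amount is not None:
            financial_total += amount
        vendor = rec.get("vendor_no", "")
        if vendor.isascii() and vendor.isdigit():
            hash_total += int(vendor)       # meaningless sum, used only as a control
    batch_errors = []
    if len(batch) != header["record_count"]:
        batch_errors.append("record_count")
    if financial_total != header["financial_total"]:
        batch_errors.append("financial_total")
    if hash_total != header["hash_total"]:
        batch_errors.append("hash_total")
    return {"accepted": not record_errors and not batch_errors,
            "batch_errors": batch_errors, "record_errors": record_errors}


if __name__ == "__main__":
    result = validate_batch(HEADER, BATCH)
    print("accepted:", result["accepted"])
    print("batch-level failures:", result["batch_errors"])
    for seq, failed in result["record_errors"].items():
        print("record", seq, "failed:", failed)
```

The rejected batch would go to error correction and resubmission, the last item in the input controls list.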


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Online systems

The most common forms of online systems are real-time processing and online batch processing. The ATM you use to make withdrawals from or deposits to your bank account is an example of an online real-time processing system.

Access control and security of online systems

Auditors should be particularly concerned with access control and security of online systems because there may be no evidence of unauthorized access. Access issues apply to both users and programmers. A user with unauthorized access to an online accounts receivable file may intentionally or unintentionally wipe out the balances in individual accounts. A programmer with unauthorized access may modify the code of a program to the detriment of the company.

The security measures used to protect traditional batch systems (guards and locks) are ineffective for online systems because it may be possible to access such systems from any location using a terminal and a phone line. Auditors should carefully review the backup and recovery procedures of online systems. This is especially important because the lack of source documents will likely make it impossible to reconstruct data files if backup is inadequate.

Control over online systems

Unlike traditional systems, online systems permit transactions to be entered directly through terminals without requiring the use of source documents on paper. To exercise control over online systems, management can require that transactions first be recorded on paper-based source documents and then the source documents be approved before entry into the computer system. Such paper-based source documents form the audit trail needed by the auditor.

Activity 7.2-1

What are the implications for the auditor’s ability to obtain evidence if no paper-based source documents are used? What checks and control can be instituted instead of the use of source documents?

Solution

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively, transactions and contracts are created through two interacting computer systems. EDI allows organizations with dissimilar computing environments to exchange electronic business documents without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the costs.

How do EDI transactions affect the auditor’s work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and lack of human intervention, resulting in total dependence on the electronic system. These characteristics significantly increase risk, making control assurance the key objective for EDI environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for example through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment. Such audit opinions may become mandatory, which will likely encourage development of generalized control standards and criteria. Consequently, auditors will have to be better trained in this emerging area of information technology.


7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 5–6
• CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063)
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls. Some differences, for example the centralization of processing, may be a mixed blessing.

Reading 7-1, Section 4 provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor’s risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization’s operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

• data control
• data entry
• computer operation
• data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1


In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

• Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
• Audit trail documents such as ledgers, reports, and records are not available, except for machine-readable documents.
• Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client’s system directly; in that case, no hard copy purchase order would exist. The internal accounting, preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP’s accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer’s account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 15–18
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example:

• Anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols.
• Individuals within a company may be able to access that company’s system, or parts of it, without authorization.
• “Hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

• password controls
• physical restrictions to computer equipment
• activity logs regarding all access and attempted access to data files or programs
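The activity-log control listed above is only useful if someone reviews the log. The following added example (not part of the course material) shows one way such a review could be automated: it compares each logged event against an access matrix and reports granted access that falls outside a role's duties, plus repeated denied attempts on one file. The log format, role names, user names, and the threshold of three attempts are all assumptions made for the illustration.

```python
from collections import Counter

# Assumed access matrix: role -> permitted (resource type, action) pairs.
# The roles loosely follow the functions the module says should be segregated.
ACCESS_MATRIX = {
    "data_entry": {("data", "read"), ("data", "update")},
    "operator": {("program", "execute")},
    "programmer": {("test_program", "read"), ("test_program", "update")},
    "librarian": {("program", "read"), ("program", "update"), ("data", "read")},
}
FIELDS = ("time", "user", "role", "rtype", "resource", "action", "result")

# Constructed activity log; every line is sample data, not real output.
LOG = """
2010-10-04T09:00:12|mlee|data_entry|data|AR_MASTER|update|GRANTED
2010-10-04T09:14:40|jroy|programmer|program|AR_POSTING|update|GRANTED
2010-10-04T22:01:03|unknown|-|data|AR_MASTER|read|DENIED
2010-10-04T22:01:09|unknown|-|data|AR_MASTER|read|DENIED
2010-10-04T22:01:15|unknown|-|data|AR_MASTER|read|DENIED
2010-10-04T22:03:30|kwu|operator|data|AR_MASTER|update|GRANTED
""".strip().splitlines()


def parse_line(line):
    """Split one log line into named fields; reject anything malformed."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS) or parts[-1] not in ("GRANTED", "DENIED"):
        raise ValueError("malformed log line: %r" % line)
    return dict(zip(FIELDS, parts))


def review_log(lines, threshold=3):
    """Return the exceptions an auditor would follow up on.

    unauthorized_grants: access that was GRANTED although the access matrix
        does not give the role that right (the access control itself failed).
    repeated_denials: (user, resource) pairs with `threshold` or more DENIED
        attempts (the control worked, but someone kept trying).
    unparsed: lines that could not be read; gaps in a log are a finding too.
    """
    grants, denials, unparsed = [], Counter(), []
    for line in lines:
        try:
            event = parse_line(line)
        except ValueError:
            unparsed.append(line)
            continue
        if event["result"] == "DENIED":
            denials[(event["user"], event["resource"])] += 1
        elif (event["rtype"], event["action"]) not in ACCESS_MATRIX.get(
                event["role"], set()):
            grants.append(event)
    repeated = {key: n for key, n in denials.items() if n >= threshold}
    return {"unauthorized_grants": grants, "repeated_denials": repeated,
            "unparsed": unparsed}


if __name__ == "__main__":
    findings = review_log(LOG)
    for event in findings["unauthorized_grants"]:
        print("granted outside matrix:", event["user"], event["action"],
              event["resource"])
    for (user, resource), count in findings["repeated_denials"].items():
        print("repeated denied attempts:", user, resource, count)
```

On the constructed log, the review flags the programmer who updated a production program and the operator who updated the accounts receivable file, which are the two access issues the module describes for programmers and users.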

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
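The following added example (not part of the course material) applies several of the input controls this module names (missing data, valid character, valid sign, check digit, limit, and reasonableness tests, plus record count, batch financial total, and hash total) to a constructed batch containing the furniture polish sale from Example 7.4-1. The product master, list prices, account numbers, 25% tolerance, and the choice of the Luhn mod-10 rule as the check-digit scheme are assumptions made for the illustration.

```python
from decimal import Decimal

# Constructed product master (code -> description, list price). The code 2045
# comes from Example 7.4-1; the list prices are assumed for illustration.
PRODUCT_MASTER = {
    "2045": ("Furniture polish", Decimal("6.99")),
    "7310": ("Oak dining table", Decimal("1899.00")),
}
DEPARTMENT_LIMIT = Decimal("5000.00")  # limit test: high, furniture is costly
PRICE_TOLERANCE = Decimal("0.25")      # reasonableness: within 25% of list
REQUIRED_FIELDS = ("account", "product", "qty", "unit_price")

# Constructed batch as keyed by the clerk; record 2 carries the keying error.
BATCH = [
    {"account": "40001232", "product": "7310", "qty": "1", "unit_price": "1899.00"},
    {"account": "40004566", "product": "2045", "qty": "1", "unit_price": "2045.00"},
    {"account": "40007890", "product": "2045", "qty": "2", "unit_price": "6.99"},
]
# Control totals prepared by the user department from the source documents.
HEADER = {"record_count": 3, "financial_total": Decimal("1919.97"),
          "hash_total": 120013688}


def luhn_valid(number):
    """Check-digit test: the last digit must satisfy the Luhn mod-10 rule."""
    if not number.isdigit():
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit * 2 > 9 else digit * 2
        total += digit
    return total % 10 == 0


def validate_record(record):
    """Run the record-level input controls; return a list of error messages."""
    missing = [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]
    if missing:
        return ["missing data: " + ", ".join(missing)]
    errors = []
    if not luhn_valid(record["account"]):
        errors.append("check digit: invalid account number")
    if record["product"] not in PRODUCT_MASTER:
        return errors + ["validity: unknown product code"]
    try:
        qty, price = int(record["qty"]), Decimal(record["unit_price"])
    except (ValueError, ArithmeticError):
        return errors + ["valid character: non-numeric quantity or price"]
    if qty <= 0 or price <= 0:
        errors.append("valid sign: quantity and price must be positive")
    if qty * price > DEPARTMENT_LIMIT:
        errors.append("limit: amount exceeds department limit")
    list_price = PRODUCT_MASTER[record["product"]][1]
    if abs(price - list_price) > list_price * PRICE_TOLERANCE:
        errors.append("reasonableness: price %s differs from list price %s"
                      % (price, list_price))
    return errors


def batch_totals(records):
    """Record count, financial total, and hash total of the keyed batch.

    Fields are assumed numeric here; an edit run would total only records
    that passed the missing-data and valid-character tests.
    """
    financial = sum((int(r["qty"]) * Decimal(r["unit_price"]) for r in records),
                    Decimal("0"))
    return len(records), financial, sum(int(r["account"]) for r in records)


def process_batch(header, records):
    """Apply record-level tests, then compare keyed totals with the header."""
    rejected = {}
    for number, record in enumerate(records, start=1):
        errors = validate_record(record)
        if errors:
            rejected[number] = errors
    keyed = dict(zip(("record_count", "financial_total", "hash_total"),
                     batch_totals(records)))
    differences = {name: keyed[name] - header[name]
                   for name in keyed if keyed[name] != header[name]}
    return {"rejected": rejected, "differences": differences}


if __name__ == "__main__":
    print(process_batch(HEADER, BATCH))
```

The $2045 sale passes the department's limit test, as in the example, but is caught twice: by the reasonableness test against the list price and by the batch financial total, which differs from the control total by 2038.01.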

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

• Chapter 7, pages 253–254
• Chapter 9, Appendix 9A, pages 6–15
• CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. – Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. – Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

• Chapter 7, Appendix 7E
• Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.
• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
• A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of the organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems – General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 3–4
• CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5 describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of segregation of duties; physical security of the microcomputer and its files; computer knowledge; reliable hardware and software; and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

1. Test data approach

2. Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses, and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1: AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
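The parallel simulation described above, sketched as an added example that is not part of the course material: the auditor's own program recomputes gross pay from the client's input fields and compares it, record by record, with what the client's program produced. The overtime rule, field names and payroll records are constructed assumptions; the two constructed errors offset each other, so the control totals agree and only the record-level comparison exposes them.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

CENT = Decimal("0.01")
STANDARD_HOURS = Decimal("40")    # assumed pay rule for this example
OVERTIME_FACTOR = Decimal("1.5")  # assumed pay rule for this example

# Constructed extract of a client payroll file: the input fields plus the
# gross pay that the client's program calculated for each record.
CLIENT_OUTPUT = [
    {"emp": "E001", "hours": "40.0", "rate": "22.50", "client_gross": "900.00"},
    {"emp": "E002", "hours": "45.0", "rate": "20.00", "client_gross": "900.00"},
    {"emp": "E003", "hours": "38.0", "rate": "25.00", "client_gross": "1000.00"},
    {"emp": "E004", "hours": "42.0", "rate": "30.00", "client_gross": "1290.00"},
]


def auditor_gross(hours, rate):
    """Auditor's independent calculation: time-and-a-half above 40 hours."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_FACTOR
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records):
    """Reprocess client records and compare with the client's own output.

    Returns both control totals and a list of record-level exceptions.
    Records that cannot be read are reported, not silently skipped.
    """
    client_total = Decimal("0")
    auditor_total = Decimal("0")
    exceptions = []
    for rec in records:
        emp = rec.get("emp", "?")
        try:
            hours = Decimal(rec["hours"])
            rate = Decimal(rec["rate"])
            client = Decimal(rec["client_gross"])
            values = (hours, rate, client)
            if not all(v.is_finite() for v in values) or hours < 0 or rate < 0:
                raise ValueError("value out of range")
        except (KeyError, TypeError, ValueError, InvalidOperation):
            exceptions.append({"emp": emp, "reason": "unreadable record"})
            continue
        expected = auditor_gross(hours, rate)
        client_total += client
        auditor_total += expected
        if client != expected:
            exceptions.append({
                "emp": emp,
                "reason": "amount differs",
                "client": client,
                "auditor": expected,
                "difference": client - expected,
            })
    return {
        "client_total": client_total,
        "auditor_total": auditor_total,
        "totals_agree": client_total == auditor_total,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_OUTPUT)
    print("Client total: ", result["client_total"])
    print("Auditor total:", result["auditor_total"])
    print("Totals agree: ", result["totals_agree"])
    for exc in result["exceptions"]:
        print(exc)
```
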


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach.

Effects on the company’s operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client’s business, the auditor should obtain an understanding of the client’s computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today’s computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions; documentation of transactions; controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for a company’s internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization’s internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada’s Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client’s system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

Commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer’s bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A

b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28

b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
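
One way to test the completeness, accuracy, and cut-off of a conversion with a short script, as an added Python example that is not part of the course material. The record layout, field names, dates, and sample data are assumptions constructed for illustration; note that the control total agrees even though individual records were dropped, added, and altered.

```python
import hashlib
from datetime import date
from decimal import Decimal


def fingerprint(rec):
    """Digest of the normalized fields that must survive conversion unchanged."""
    canon = "|".join([
        rec["id"].strip(),
        rec["name"].strip().upper(),       # ignore case/whitespace reformatting
        f"{Decimal(rec['balance']):.2f}",  # compare amounts at two decimals
    ])
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def total(records):
    """Control total of the balance field."""
    return sum((Decimal(r["balance"]) for r in records), Decimal("0"))


def reconcile(legacy, converted):
    """Completeness and accuracy of a master-file conversion, record by record."""
    old = {r["id"]: r for r in legacy}
    new = {r["id"]: r for r in converted}
    return {
        "missing": sorted(old.keys() - new.keys()),        # completeness
        "unexpected": sorted(new.keys() - old.keys()),     # validity
        "altered": sorted(k for k in old.keys() & new.keys()
                          if fingerprint(old[k]) != fingerprint(new[k])),  # accuracy
        "total_difference": total(converted) - total(legacy),
    }


def cutoff_exceptions(legacy_txns, new_txns, cutoff):
    """Each transaction belongs to exactly one system, split at the cut-off date."""
    legacy_ids = {t["id"] for t in legacy_txns}
    return {
        "late_in_legacy": sorted(t["id"] for t in legacy_txns if t["date"] > cutoff),
        "early_in_new": sorted(t["id"] for t in new_txns if t["date"] <= cutoff),
        "in_both": sorted(t["id"] for t in new_txns if t["id"] in legacy_ids),
    }


# Constructed sample data (not from the course).
LEGACY = [
    {"id": "C001", "name": "Acme Ltd", "balance": "500.00"},
    {"id": "C002", "name": "Birch Co", "balance": "1200.00"},
    {"id": "C003", "name": "Cedar Inc", "balance": "75.25"},
    {"id": "C004", "name": "Dormant Co", "balance": "0.00"},
]
CONVERTED = [
    {"id": "C001", "name": "Acme Ltd", "balance": "600.00"},    # +100 error
    {"id": "C002", "name": "Birch Co", "balance": "1100.00"},   # offsetting -100
    {"id": "C003", "name": " CEDAR INC", "balance": "75.25"},   # reformatted only
    {"id": "C999", "name": "Unknown", "balance": "0.00"},       # not in legacy
]
CUTOFF = date(2010, 9, 30)
LEGACY_TXNS = [
    {"id": "T1", "date": date(2010, 9, 29)},
    {"id": "T2", "date": date(2010, 9, 30)},
    {"id": "T3", "date": date(2010, 10, 1)},   # posted to legacy after cut-off
]
NEW_TXNS = [
    {"id": "T2", "date": date(2010, 9, 30)},   # also posted in legacy
    {"id": "T4", "date": date(2010, 10, 1)},
]

if __name__ == "__main__":
    print(reconcile(LEGACY, CONVERTED))
    print(cutoff_exceptions(LEGACY_TXNS, NEW_TXNS, CUTOFF))
```
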


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective, because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
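
The batch-level input controls listed above (record counts, batch financial totals, batch hash totals, check digits, and sequence tests) applied to one keyed batch, as an added Python example that is not part of the course material. The Luhn mod-10 check-digit scheme, the field names, and the sample batch are assumptions constructed for illustration.

```python
from decimal import Decimal


def check_digit_ok(number):
    """Luhn mod-10 test (assumed scheme): the last digit is the check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def verify_batch(header, records):
    """Compare keyed records with the control totals on the batch header.

    Returns a list of (control, detail) exceptions; an empty list means the
    batch can be released for processing.
    """
    exceptions = []

    if len(records) != header["record_count"]:
        exceptions.append(("record_count",
                           f"keyed {len(records)}, header {header['record_count']}"))

    financial = sum((r["amount"] for r in records), Decimal("0"))
    if financial != header["financial_total"]:
        exceptions.append(("financial_total",
                           f"keyed {financial}, header {header['financial_total']}"))

    # A hash total sums a field with no financial meaning (here account numbers)
    # so that a substituted or mis-keyed account changes the total.
    hash_total = sum(int(r["account"]) for r in records if r["account"].isdigit())
    if hash_total != header["hash_total"]:
        exceptions.append(("hash_total",
                           f"keyed {hash_total}, header {header['hash_total']}"))

    for r in records:
        if not check_digit_ok(r["account"]):
            exceptions.append(("check_digit",
                               f"doc {r['doc_no']}: account {r['account']}"))

    docs = [r["doc_no"] for r in records]
    expected = range(header["first_doc"], header["first_doc"] + header["record_count"])
    missing = sorted(set(expected) - set(docs))
    duplicates = sorted({d for d in docs if docs.count(d) > 1})
    if missing or duplicates:
        exceptions.append(("sequence", f"missing {missing}, duplicated {duplicates}"))

    return exceptions


# Constructed sample: control totals prepared from the source documents.
HEADER = {"first_doc": 1001, "record_count": 4,
          "financial_total": Decimal("1715.45"), "hash_total": 1080420}

CLEAN_BATCH = [
    {"doc_no": 1001, "account": "102343", "amount": Decimal("150.00")},
    {"doc_no": 1002, "account": "205179", "amount": Decimal("275.50")},
    {"doc_no": 1003, "account": "314682", "amount": Decimal("89.95")},
    {"doc_no": 1004, "account": "458216", "amount": Decimal("1200.00")},
]

# Same batch as keyed with two errors: document 1003 was skipped and the
# account on document 1002 was transposed (205179 keyed as 201579).
KEYED_BATCH = [
    {"doc_no": 1001, "account": "102343", "amount": Decimal("150.00")},
    {"doc_no": 1002, "account": "201579", "amount": Decimal("275.50")},
    {"doc_no": 1004, "account": "458216", "amount": Decimal("1200.00")},
]

if __name__ == "__main__":
    for control, detail in verify_batch(HEADER, KEYED_BATCH):
        print(control, "-", detail)
```
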


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.3 Audit implications: Internal control processes

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 5–6
• CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063)
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

Internal control objectives are the same under manual systems and computer systems; however, their evaluation is different. The auditor must be aware of the differences between the two systems: certain differences may result in improved controls, while other differences may result in reduced controls. Some differences (for example, the centralization of processing) may be a mixed blessing.

Reading 7-1, Section 4, provides a perspective for assessing risk and internal control in a computer processing environment. The characteristics of computer-based systems are such that either new internal controls must be implemented or existing ones modified. Read paragraph 4.2 of Reading 7-1 to become familiar with all the characteristics that have internal control implications. In this topic, you look at the organizational structure required to manage the computer system, the nature of transaction processing, and the effect on auditing. Review CAS 315.A49–A55 (CICA Handbook paragraphs 5141.057–.063), which highlight the risks and benefits of manual and automated elements of internal control relevant to the auditor's risk assessment.

Topic 7.4 describes audit implications of computerized systems related to system access and design, and backup and recovery procedures. The guidelines deal with internal controls over computer activities; they do not describe computer processing as part of internal controls over an organization's operations. By themselves, computer-based systems are tools; they are not policies and procedures. The following sections describe the more important implications of simple computer-based systems on internal controls.

Concentration of functions

One of the most important issues related to a computer processing system is the potential control risk associated with the concentration of functions.

Scenario 7.3-1: Segregation of duties

Your audit manager informs you that, in general, implementation of computer-based systems requires new policies and procedures to ensure that proper segregation of duties is maintained. For you, the audit implication is to ensure that appropriate controls are in place, which may include segregating the following functions:

• data control
• data entry
• computer operation
• data and programs custody

Do you agree that this is possible for traditional large systems? If so, outline the appropriate function segregation (key players involved and their functions) in a typical computer department that will facilitate detection of errors and prevent fraudulent manipulation.

Solution 1


In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

• Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
• Audit trail documents, such as ledgers, reports, and records, are not available except for machine-readable documents.
• Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client's system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP's accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer's account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 15–18
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example:

• Anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols.
• Individuals within a company may be able to access that company's system, or parts of it, without authorization.
• "Hackers" can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network, or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

• password controls
• physical restrictions to computer equipment
• activity logs regarding all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion, because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

• Chapter 7, pages 253–254
• Chapter 9, Appendix 9A, pages 6–15
• CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
• Reading 7-1: AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2

Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. – Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP's Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa's answer would be?

Solution
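
A sketch of programmed reasonableness tests for the two cases this module raises, the furniture polish sale in Example 7.4-1 and the 1000-hour timesheet in Scenario 7.5-1, as an added Python example that is not part of the course material. The price master file, tolerance, limits, and exception names are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed master file: product code -> (description, list price).
PRICE_MASTER = {
    "2045": ("furniture polish", Decimal("6.99")),
    "7310": ("oak dining table", Decimal("1899.00")),
}
DEPARTMENT_LIMIT = Decimal("5000.00")  # assumed high limit for the furniture department
PRICE_TOLERANCE = Decimal("0.20")      # assumed: keyed price may differ 20% from list
HOURS_IN_WEEK = Decimal("168")         # 7 days x 24 hours
OVERTIME_REVIEW = Decimal("60")        # assumed policy threshold for review


def check_sale(product_code, keyed_price):
    """Edit checks on one sale line; returns the names of the failed tests."""
    exceptions = []

    # Limit check alone: a department-wide ceiling set for high-priced furniture.
    if keyed_price <= 0 or keyed_price > DEPARTMENT_LIMIT:
        exceptions.append("limit")

    if product_code not in PRICE_MASTER:
        exceptions.append("unknown_product")
        return exceptions

    # Reasonableness: compare the keyed price with the price on file for
    # this product rather than with one ceiling for the whole department.
    list_price = PRICE_MASTER[product_code][1]
    if abs(keyed_price - list_price) > list_price * PRICE_TOLERANCE:
        exceptions.append("price_reasonableness")

    # Cross-field test: the price field repeats the product code field.
    if product_code.isdigit() and keyed_price == Decimal(product_code):
        exceptions.append("price_equals_product_code")

    return exceptions


def check_timesheet(hours, supervisor_approved=False):
    """Edit checks on weekly hours for one employee."""
    if hours < 0 or hours > HOURS_IN_WEEK:
        return ["impossible_hours"]            # reject outright
    if hours > OVERTIME_REVIEW and not supervisor_approved:
        return ["needs_supervisor_review"]     # hold for approval
    return []


if __name__ == "__main__":
    # The polish sale passes the limit check but fails both price tests.
    print(check_sale("2045", Decimal("2045.00")))
    print(check_timesheet(Decimal("1000")))
```
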

Understanding internal control in a computer environment

The auditor's objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. – Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor's objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

• Chapter 7, Appendix 7E
• Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.
• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
• A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more, websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of the organization's overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems – General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level, and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)
Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of segregation of duties, physical security of the microcomputer and its files, computer knowledge, reliable hardware and software, and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity: does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach
Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
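The contrast between the two approaches in this topic, as an added example that is not part of the course material: a test deck that passes because it never exercises the faulty branch, and a parallel simulation over the client's full file that isolates the mispaid record and reconciles control totals. The pay rule, the function names, the planted defect in the stand-in client program, and every record are constructed for illustration.

```python
"""Test data approach versus parallel simulation on a constructed payroll run."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
# Assumed pay rule, constructed for this example: hours up to 40 are paid at
# the base rate and hours above 40 at 1.5 times the base rate.
STANDARD_HOURS = Decimal("40")
OVERTIME_FACTOR = Decimal("1.5")


def client_gross_pay(hours, rate):
    """Hypothetical stand-in for the client's payroll program.

    Planted defect: once a timesheet exceeds 60 hours, all overtime is paid
    at 2.5 times the base rate instead of 1.5 times.
    """
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    factor = OVERTIME_FACTOR if hours <= Decimal("60") else Decimal("2.5")
    return ((regular + overtime * factor) * rate).quantize(CENT, ROUND_HALF_UP)


def auditor_gross_pay(hours, rate):
    """Auditor's own program, written independently from the documented rule."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_FACTOR
    return gross.quantize(CENT, ROUND_HALF_UP)


def run_test_data(program, test_deck):
    """Test data approach: process simulated transactions through the program
    and list every case whose output differs from the predetermined result."""
    exceptions = []
    for case in test_deck:
        actual = program(case["hours"], case["rate"])
        if actual != case["expected"]:
            exceptions.append((case["id"], case["expected"], actual))
    return exceptions


def parallel_simulation(client_file, client_output, auditor_program):
    """Parallel simulation: reprocess the client's real input with the
    auditor's program, compare record by record with the client's recorded
    output, and accumulate control totals for both runs."""
    differences = []
    auditor_total = Decimal("0")
    client_total = Decimal("0")
    for rec in client_file:
        recomputed = auditor_program(rec["hours"], rec["rate"])
        recorded = client_output[rec["emp_id"]]
        auditor_total += recomputed
        client_total += recorded
        if recorded != recomputed:
            differences.append((rec["emp_id"], recorded, recomputed))
    return {
        "records": len(client_file),
        "client_total": client_total,
        "auditor_total": auditor_total,
        "differences": differences,
    }


# Constructed test deck: predetermined results worked out by hand from the
# pay rule. None of the cases goes above 60 hours.
TEST_DECK = [
    {"id": "T1", "hours": Decimal("38"), "rate": Decimal("20.00"),
     "expected": Decimal("760.00")},
    {"id": "T2", "hours": Decimal("40"), "rate": Decimal("20.00"),
     "expected": Decimal("800.00")},
    {"id": "T3", "hours": Decimal("45"), "rate": Decimal("20.00"),
     "expected": Decimal("950.00")},
]

# Constructed client timesheet file for one pay period.
CLIENT_FILE = [
    {"emp_id": "E100", "hours": Decimal("40"), "rate": Decimal("25.00")},
    {"emp_id": "E101", "hours": Decimal("44"), "rate": Decimal("18.50")},
    {"emp_id": "E102", "hours": Decimal("62"), "rate": Decimal("30.00")},
    {"emp_id": "E103", "hours": Decimal("35.5"), "rate": Decimal("22.00")},
]

# Constructed payroll register: what the client's program recorded as paid.
CLIENT_OUTPUT = {
    rec["emp_id"]: client_gross_pay(rec["hours"], rec["rate"])
    for rec in CLIENT_FILE
}

if __name__ == "__main__":
    print("Test deck exceptions:", run_test_data(client_gross_pay, TEST_DECK))
    result = parallel_simulation(CLIENT_FILE, CLIENT_OUTPUT, auditor_gross_pay)
    print("Records reprocessed:", result["records"])
    print("Client total:", result["client_total"],
          "Auditor total:", result["auditor_total"])
    for emp_id, recorded, recomputed in result["differences"]:
        print(f"{emp_id}: client recorded {recorded}, auditor recomputed {recomputed}")
```

The test deck reports no exceptions even though the program is defective, which is the weakness Exhibit 7.11-1 attributes to test data; the parallel simulation reports the one overpaid timesheet and the resulting gap between the two control totals.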


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.
The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to: controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure

Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies

Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
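One way to test the accuracy and completeness of a conversion, as an added example that is not part of the course material: compare the old system's closing balances with the new system's opening balances account by account, because control totals alone can agree while individual accounts are wrong. The ledger layout (account number mapped to a signed balance, debits positive) and all sample figures are constructed assumptions.

```python
from decimal import Decimal as D


def control_totals(ledger):
    """Record count, financial total and hash total for one ledger extract.

    The hash total is the sum of the account numbers: meaningless as a
    figure, but it changes if an account is dropped, added or renumbered.
    """
    return {
        "record_count": len(ledger),
        "financial_total": sum(ledger.values(), D("0")),
        "hash_total": sum(ledger),
    }


def reconcile_conversion(old, new):
    """Compare old-system closing balances with new-system opening balances.

    Returns the control totals that disagree plus the account-level
    differences: accounts dropped (completeness), accounts that appear only
    in the new system (possible unauthorized additions) and balances that
    changed in transit (accuracy).
    """
    totals_old, totals_new = control_totals(old), control_totals(new)
    old_accts, new_accts = set(old), set(new)
    return {
        "total_differences": [k for k in totals_old if totals_old[k] != totals_new[k]],
        "dropped": sorted(old_accts - new_accts),
        "added": sorted(new_accts - old_accts),
        "changed": {
            acct: (old[acct], new[acct])
            for acct in sorted(old_accts & new_accts)
            if old[acct] != new[acct]
        },
    }


# Constructed sample data: closing balances at the changeover date.
OLD_CLOSING = {
    1000: D("5000.00"),    # cash
    1100: D("12500.00"),   # accounts receivable
    2000: D("-8000.00"),   # accounts payable
    3000: D("-9500.00"),   # equity
}

# Constructed case 1: two offsetting errors. Every control total still
# agrees, so only the account-level comparison reveals the problem.
NEW_OFFSETTING = dict(OLD_CLOSING)
NEW_OFFSETTING[1000] = D("5100.00")
NEW_OFFSETTING[1100] = D("12400.00")

# Constructed case 2: account 3000 was loaded as 3001. Record count and
# financial total agree; only the hash total differs.
NEW_RENUMBERED = {1000: D("5000.00"), 1100: D("12500.00"),
                  2000: D("-8000.00"), 3001: D("-9500.00")}

if __name__ == "__main__":
    for label, new in (("offsetting", NEW_OFFSETTING), ("renumbered", NEW_RENUMBERED)):
        print(label, reconcile_conversion(OLD_CLOSING, new))
```

The comparison covers balances only; cut-off between the two systems still has to be tested against transactions dated around the changeover.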


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
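Several of the input controls listed above, applied to a weekly payroll batch that includes the 1000-hour entry from Scenario 7.5-1; this is an added example, not part of the course material. The record layout, the batch header, the policy limits and every sample value are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal as D
from typing import Optional

# Assumed policy limits for the limit/reasonableness tests.
MAX_WEEKLY_HOURS = D("80")
MAX_HOURLY_RATE = D("150.00")


@dataclass
class TimeRecord:
    seq: int                      # pre-numbered time sheet (sequence test)
    employee_no: Optional[int]
    hours: Optional[D]
    rate: Optional[D]


@dataclass
class BatchHeader:
    """Control totals prepared by the user department before data entry."""
    record_count: int
    financial_total: D            # batch financial total: sum of hours * rate
    hash_total: int               # batch hash total: sum of employee numbers


def record_exceptions(rec):
    """Field-level input controls for one time record."""
    found = []
    for name in ("employee_no", "hours", "rate"):          # missing data test
        if getattr(rec, name) is None:
            found.append(f"missing data: {name}")
    if rec.hours is not None:
        if rec.hours < 0:                                  # valid sign test
            found.append("valid sign: hours is negative")
        elif rec.hours > MAX_WEEKLY_HOURS:                 # reasonableness test
            found.append(f"reasonableness: {rec.hours} hours in one week")
    if rec.rate is not None and not (0 < rec.rate <= MAX_HOURLY_RATE):
        found.append(f"limit: rate {rec.rate} out of range")  # limit test
    return found


def validate_batch(header, records):
    """Return (record_errors, batch_errors) for a keyed batch.

    record_errors maps a sheet number to its exceptions; those records would
    go to error correction and resubmission. batch_errors lists the control
    totals that disagree with the header, which blocks the batch as a whole.
    """
    record_errors, batch_errors = {}, []
    expected_seq = records[0].seq if records else None
    financial, hash_total = D("0"), 0
    for rec in records:
        errs = record_exceptions(rec)
        if rec.seq != expected_seq:                        # sequence test
            errs.append(f"sequence: expected {expected_seq}, got {rec.seq}")
        expected_seq = rec.seq + 1
        if errs:
            record_errors[rec.seq] = errs
        hash_total += rec.employee_no or 0
        if rec.hours is not None and rec.rate is not None:
            financial += rec.hours * rec.rate
    if len(records) != header.record_count:
        batch_errors.append(f"record count: header {header.record_count}, keyed {len(records)}")
    if financial != header.financial_total:
        batch_errors.append(f"financial total: header {header.financial_total}, keyed {financial}")
    if hash_total != header.hash_total:
        batch_errors.append(f"hash total: header {header.hash_total}, keyed {hash_total}")
    return record_errors, batch_errors


# Constructed sample batch. The header was totalled from five time sheets
# (800 + 180 + 176 + 1000 + 900 = 3056); sheet 4 was never keyed.
SAMPLE_HEADER = BatchHeader(5, D("3056.00"), 5015)
SAMPLE_RECORDS = [
    TimeRecord(1, 1001, D("40"), D("20.00")),
    TimeRecord(2, 1002, D("1000"), D("18.00")),   # 10.00 hours keyed as 1000
    TimeRecord(3, 1003, D("-8"), D("22.00")),     # sign keyed in error
    TimeRecord(5, 1005, D("37.5"), None),         # rate left blank
]
CLEAN_HEADER = BatchHeader(2, D("980.00"), 2003)
CLEAN_RECORDS = [TimeRecord(1, 1001, D("40"), D("20.00")),
                 TimeRecord(2, 1002, D("10"), D("18.00"))]

if __name__ == "__main__":
    for result in validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS):
        print(result)
```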


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


In general, a clear segregation of duties is a feature of traditional large systems. Can segregation of duties be applied to microcomputer systems?

Solution 2

Documentation of transactions

The use of computer systems will undoubtedly reduce the amount of physical documentation available for the auditor. Additional controls are necessary to achieve the objectives of validity, authorization, and completeness that are traditionally supported by documentation. Documentation deficiencies can take the following forms:

• Input documentation (such as batch entry sheet or purchase invoice), which normally contains evidence of authorization and validity, does not exist.
• Audit trail documents such as ledgers, reports, and records are not available, except for machine-readable documents.
• Output documentation providing evidence of transactions, including trial balances and invoices, is not produced by the computer system.

Data may be input to a system without leaving an audit trail of transactions. For example, a customer may order goods by accessing the client's system directly; in that case, no hard copy purchase order would exist. The internal accounting (preparation of the invoice and shipping documents, debit to accounts receivable and related credit to sales, debit to cost of goods sold and the related credit to inventory, and reduction in the inventory records for the quantities sold) can be accomplished without generating hard copy documentation. The auditor must be able to confirm that the system is properly recording all of these activities.

Scenario 7.3-2: TRP Inc. – Automatic transactions

Teresa is the Director of Finance for TRP Inc. The Chief Financial Officer (CFO), as part of the business planning for the following year, has tabled a project to computerize TRP's accounting systems. The various user groups within TRP Inc. have submitted their requirements. They would like to see internal accounting transactions be initiated and completed within the computer automatically. For example, a sales commission may be calculated and paid automatically by the system without human intervention. Another example is pre-authorized bill payments. The CFO likes the idea of initiating automatic transactions within the system. What comments should Teresa provide in light of controls that may be required for such transactions?

Solution

Another implication of automatic transactions in computer systems is the multiple updates to accounts that can arise from a single transaction. A single receipt-of-payment entry in a computer system can simultaneously update the cash and accounts receivable, the customer's account, and the credit profile of the client. The auditor should be aware of the extent to which a single transaction or entry affects accounts and other files.

Yet another risk arises in the capital markets. Worldwide, computers are instructed to initiate and complete buy and sell transactions depending on predetermined conditions, such as the price of a stock. Can you imagine the consequences if a glitch in computer systems (programs) started a chain reaction of massive selling of financial assets such as stocks and derivatives? In these circumstances, auditors should make certain that effective controls exist.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

• Chapter 9, Appendix 9A, pages 15–18
• Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example, anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols; individuals within a company may be able to access that company's system, or parts of it, without authorization; and "hackers" can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

• password controls
• physical restrictions to computer equipment
• activity logs regarding all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

• Chapter 7, pages 253–254
• Chapter 9, Appendix 9A, pages 6–15
• CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
• Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 45 and 46. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls, organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP's Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa's answer would be?

Solution

Understanding internal control in a computer environment

The auditor's objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor's objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

• Chapter 7, Appendix 7E
• Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.
• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
• A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of organization's overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089)

Reading 7-1, AuG-6: Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1, AuG-6: Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of

segregation of duties,
physical security of the microcomputer and its files,
computer knowledge,
reliable hardware and software, and
documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)
Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?
Auditing around the computer: Requires sufficient audit trail of visible evidence.
Auditing through the computer: This method must be used if any one of the following exists:
The presence of large volumes of input/output means that direct examination of the records is difficult.
Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
System is complex and includes key parts of the accounting system.

Approaches
Auditing around the computer: Bypasses the computer (auditing without the computer).
Auditing through the computer: Two main approaches:
1. Test data
2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6: Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach
Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths
Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses
Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.
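The test data approach described above, as an added example that is not part of the course material: a constructed test deck with predetermined results is run through a stand-in for a copy of the client's order-entry program. The program `client_process_order`, its programmed controls, the master data, and every test case are hypothetical; the stand-in contains a deliberate defect to show that the deck only proves the conditions it contains.

```python
"""Test data approach: process simulated transactions through (a copy of) the
client's program and compare the output to predetermined results."""
from decimal import Decimal

# Constructed master data (hypothetical), held in the auditor's copy only.
PRICES = {"A100": Decimal("12.50"), "B200": Decimal("40.00")}
CUSTOMERS = {
    "C01": {"limit": Decimal("1000.00"), "balance": Decimal("900.00")},
    "C02": {"limit": Decimal("500.00"), "balance": Decimal("0.00")},
}


def client_process_order(customer, item, qty):
    """Stand-in for a COPY of the client's order-entry program (hypothetical).

    Programmed controls: valid customer, valid item, credit-limit check.
    Deliberate defect for the demonstration: quantity is never validated.
    Nothing is posted, so the client's live records are not contaminated.
    """
    if customer not in CUSTOMERS:
        return ("REJECT", "unknown customer")
    if item not in PRICES:
        return ("REJECT", "unknown item")
    amount = PRICES[item] * qty
    account = CUSTOMERS[customer]
    if account["balance"] + amount > account["limit"]:
        return ("REJECT", "credit limit exceeded")
    return ("ACCEPT", amount)


# Test deck: (description, simulated input, predetermined result).
# The predetermined results are worked out by hand before the run.
TEST_DECK = [
    ("valid order", ("C02", "A100", 4), ("ACCEPT", Decimal("50.00"))),
    ("exactly at credit limit", ("C01", "A100", 8), ("ACCEPT", Decimal("100.00"))),
    ("over credit limit", ("C01", "B200", 3), ("REJECT", "credit limit exceeded")),
    ("unknown customer", ("C99", "A100", 1), ("REJECT", "unknown customer")),
    ("unknown item", ("C02", "Z999", 1), ("REJECT", "unknown item")),
]

# A condition the first deck never exercised.
EXTRA_CASE = ("negative quantity", ("C02", "A100", -4), ("REJECT", "invalid quantity"))


def run_test_deck(program, deck):
    """Return the cases whose actual output differs from the predetermined result."""
    exceptions = []
    for description, args, expected in deck:
        actual = program(*args)
        if actual != expected:
            exceptions.append((description, expected, actual))
    return exceptions


if __name__ == "__main__":
    print("Original deck exceptions:", run_test_deck(client_process_order, TEST_DECK))
    print("Extended deck exceptions:",
          run_test_deck(client_process_order, TEST_DECK + [EXTRA_CASE]))
```

The original deck passes cleanly even though the program accepts a negative quantity; the defect surfaces only once a case for that condition is added, which is the weakness listed for the test data approach.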

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, "Computer-assisted audit techniques (CAATs)," explains the uses of CAATs.
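Parallel simulation with GAS-style functions (extensions, footing, record selection), as an added example that is not part of the course material: the auditor's own program reprocesses a constructed extract of client invoice data and compares each result with the client program's output. The file layout, the half-up rounding rule, the reported total, and all values are assumptions made for the illustration.

```python
"""Parallel simulation: reprocess client data with the auditor's program and
compare the result with the output of the client's program."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's sales invoice file (hypothetical layout).
# The "amount" column is the client program's own output.
CLIENT_FILE = """invoice,customer,qty,unit_price,amount
1001,C01,10,19.99,199.90
1002,C02,3,250.00,750.00
1003,C01,7,33.335,233.35
1004,C03,12,45.10,514.20
1005,C02,1,9800.00,9800.00
"""
# Constructed: the total shown on the client's sales report.
CLIENT_REPORTED_TOTAL = Decimal("11497.45")
CENT = Decimal("0.01")


def load_records(text):
    """Read the machine-readable client file into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "invoice": row["invoice"],
            "customer": row["customer"],
            "qty": int(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),
            "client_amount": Decimal(row["amount"]),
        })
    return records


def simulate_extension(record):
    """Auditor's independent extension: qty x unit price, rounded half-up to
    the cent (assumed to be the client's documented pricing rule)."""
    return (record["unit_price"] * record["qty"]).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records, reported_total):
    """Re-extend and re-foot the file, then compare with the client's output."""
    exceptions = []
    simulated_total = Decimal("0.00")
    client_footing = Decimal("0.00")
    for record in records:
        expected = simulate_extension(record)
        simulated_total += expected
        client_footing += record["client_amount"]
        if expected != record["client_amount"]:
            exceptions.append((record["invoice"], record["client_amount"], expected))
    return {
        "exceptions": exceptions,                  # per-record differences
        "client_footing": client_footing,          # footing of the client's amounts
        "simulated_total": simulated_total,        # footing of the auditor's amounts
        "report_agrees_with_file": client_footing == reported_total,
        "difference": simulated_total - reported_total,
    }


def select_records(records, threshold):
    """GAS-style selection: invoices at or above a threshold for detailed testing."""
    return [r["invoice"] for r in records if simulate_extension(r) >= threshold]


if __name__ == "__main__":
    recs = load_records(CLIENT_FILE)
    result = parallel_simulation(recs, CLIENT_REPORTED_TOTAL)
    for invoice, client_amount, expected in result["exceptions"]:
        print(f"Invoice {invoice}: client {client_amount}, simulation {expected}")
    print("Report agrees with file footing:", result["report_agrees_with_file"])
    print("Simulated total less reported total:", result["difference"])
    print("Selected for detailed testing:", select_records(recs, Decimal("1000.00")))
```

Here the client's report foots to its own file, so a footing check alone would pass; only the independent re-extension isolates the difference to invoice 1004.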


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations, such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations:
absence or short life of transaction trails
uniform processing of transactions
concentration of functions
increased potential for certain types of errors and irregularities
potential for increased management supervision and review
existence of system-generated transactions

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are
a paperless environment, resulting in the loss of an audit trail
the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel
pre-built spreadsheet templates
special-use software such as expert systems
custom programs for auditing specific areas
working paper software
networked files
standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).
Risk: Appropriate internal controls lacking in computerized environment.
Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that
adequate procedures are in place and computer systems are properly documented;
an adequate audit trail for significant classes of transactions exists; and
knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.
Risk: Greater risk of losing large amount of data in case of breakdown of computer system.
Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
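
The completeness, accuracy and cut-off tests described above can be run as a simple reconciliation. The following is an added example, not part of the original course material: the account numbers, balances, posting references and changeover date are constructed, and it assumes that postings dated on the changeover date belong to the new system.

```python
from datetime import date
from decimal import Decimal

CHANGEOVER = date(2010, 7, 1)  # constructed changeover date

# Constructed closing balances taken from the old system at the changeover date.
OLD_BALANCES = {
    "1000": Decimal("15250.00"),
    "1200": Decimal("48310.75"),
    "2000": Decimal("-22100.40"),
    "3000": Decimal("-41460.35"),
}

# Constructed opening balances as loaded into the new system (errors seeded).
NEW_BALANCES = {
    "1000": Decimal("15250.00"),
    "1200": Decimal("48301.75"),   # digits transposed during conversion
    "2000": Decimal("-22100.40"),
    "9999": Decimal("100.00"),     # account with no source in the old system
    # account 3000 was dropped
}

# Constructed postings around the changeover: (reference, posting date, system).
POSTINGS = [
    ("JE-0981", date(2010, 6, 30), "old"),
    ("JE-0982", date(2010, 7, 2), "old"),   # old system used after the changeover
    ("JE-1001", date(2010, 6, 29), "new"),  # new system used before the changeover
    ("JE-1002", date(2010, 7, 1), "new"),
]


def reconcile_conversion(old, new):
    """Compare balances carried forward, in total and account by account."""
    missing = sorted(set(old) - set(new))       # completeness: dropped accounts
    unexpected = sorted(set(new) - set(old))    # accounts with no source record
    mismatched = {
        acct: (old[acct], new[acct])
        for acct in sorted(set(old) & set(new))
        if old[acct] != new[acct]               # accuracy: altered amounts
    }
    return {
        "record_count": (len(old), len(new)),
        "control_total": (
            sum(old.values(), Decimal("0")),
            sum(new.values(), Decimal("0")),
        ),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "clean": not (missing or unexpected or mismatched),
    }


def cutoff_exceptions(postings, changeover):
    """Return references posted to the wrong system for their posting date."""
    exceptions = []
    for reference, posted_on, system in postings:
        expected = "old" if posted_on < changeover else "new"
        if system != expected:
            exceptions.append(reference)
    return exceptions


if __name__ == "__main__":
    for key, value in reconcile_conversion(OLD_BALANCES, NEW_BALANCES).items():
        print(f"{key}: {value}")
    print("cut-off exceptions:", cutoff_exceptions(POSTINGS, CHANGEOVER))
```

In the sample data the record counts agree (4 and 4) even though one account was dropped and another added, which is why the account-by-account comparison is needed alongside the count and the control total.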


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
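
Several of the input controls listed above can be seen working together on one keyed batch. The following is an added example, not part of the original course material: the batch header, timesheet and employee numbers are constructed, and the Luhn (mod 10) scheme is an assumed choice of check digit, since the solution does not name one.

```python
from decimal import Decimal

# Constructed batch header, prepared by the user department from the source timesheets.
BATCH_HEADER = {
    "record_count": 5,
    "financial_total": Decimal("4500.00"),  # sum of gross pay
    "hash_total": 52370,                    # sum of employee numbers (a control figure only)
}

# Constructed batch as keyed: (timesheet no., employee no., hours, gross pay).
KEYED_BATCH = [
    (501, "10454", Decimal("40"), Decimal("800.00")),
    (502, "10642", Decimal("38"), Decimal("950.00")),   # digits transposed (should be 10462)
    (504, "10488", None, Decimal("1000.00")),           # hours missing; timesheet 503 never keyed
    (505, "10496", Decimal("42"), Decimal("-850.00")),  # sign keyed wrongly
]


def check_digit_valid(number):
    """Luhn (mod 10) check digit test; non-digit input fails (valid character test)."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:        # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_batch(header, records):
    """Apply batch-level and record-level input controls; return the exceptions."""
    actual = {
        "record_count": len(records),
        "financial_total": sum(
            (gross for _, _, _, gross in records if gross is not None), Decimal("0")
        ),
        "hash_total": sum(
            int(emp) for _, emp, _, _ in records if emp.isascii() and emp.isdigit()
        ),
    }
    # Batch controls: report (expected, actual) for every total that disagrees.
    batch_totals = {
        name: (header[name], value)
        for name, value in actual.items()
        if header[name] != value
    }

    # Sequence test: gaps in the pre-numbered timesheets that were keyed.
    numbers = sorted(seq for seq, _, _, _ in records)
    missing_sequence = (
        sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)) if numbers else []
    )

    # Record-level tests: check digit, missing data, valid sign.
    record_errors = {}
    for seq, employee, hours, gross in records:
        errors = []
        if not check_digit_valid(employee):
            errors.append("check_digit")
        if hours is None or gross is None:
            errors.append("missing_data")
        if gross is not None and gross < 0:
            errors.append("invalid_sign")
        if errors:
            record_errors[seq] = errors

    return {
        "batch_totals": batch_totals,
        "missing_sequence": missing_sequence,
        "record_errors": record_errors,
    }


if __name__ == "__main__":
    for control, findings in validate_batch(BATCH_HEADER, KEYED_BATCH).items():
        print(control, findings)
```

Records that fail are held for error correction and resubmission; the batch is released for processing only when all three result sets are empty.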


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.4 Audit implications: System access and design

Learning objective

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–18
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 1

In a computerized environment, concentration of data and programs, as well as ease of access, can lead to significant risks for companies.

Unauthorized access

For example:

• Anyone can enter a system unless access is controlled by barriers such as passwords and validation protocols.
• Individuals within a company may be able to access that company’s system, or parts of it, without authorization.
• “Hackers” can break into any computer system.

A company may not be aware that its system has been compromised and may be unaware of transactions made by an unauthorized person. Unauthorized access can be the result of outside operators breaking into a network or of a company allowing unrestricted access to sensitive areas where hardware and software are kept. Because there is a higher level of centralization of data in computerized systems, unauthorized access can have catastrophic consequences.

Audit implications

The auditor must ensure that there are controls to prevent unauthorized access and that there are procedures to secure restricted or sensitive areas throughout the organization. Such controls include, but are not limited to, the following:

• password controls
• physical restrictions to computer equipment
• activity logs regarding all access and attempted access to data files or programs

System design

Properly designed systems enable data to be processed consistently and correctly with little human intervention. However, computer systems may produce errors that a human would never make, and usually the fault is in the system. With manual processing, we usually recognize absurd transactions and correct them; unless programmed to do so, computer systems do not.

Example 7.4-1: Design requirements

A customer bought some furniture polish from the furniture department of a large department store on his store credit card. The computer system was programmed to perform a limit check on each transaction, but the limits were quite high because furniture tends to have a high unit price. The clerk erroneously punched in the product code as the price, and the sale for the bottle of furniture polish was recorded at $2045. Neither the clerk nor the customer noticed the error.

Several days later, the customer tried to use his store credit card again and was told that he had exceeded his credit limit, which was $2000. This mistake would have been avoided if the sales clerk had manually recorded the sale on an invoice.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.
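
The difference between the department-wide limit check in Example 7.4-1 and a test of the reasonableness of a price can be shown on the furniture polish sale itself. The following is an added example, not part of the original course material: the product master, list prices, department limit and tolerance are constructed assumptions; only the product code keyed as a price of $2045 comes from the example.

```python
from decimal import Decimal

# Constructed product master; the course example gives no list prices.
PRODUCT_MASTER = {
    "2045": {"description": "furniture polish", "list_price": Decimal("8.99")},
    "7310": {"description": "three-seat sofa", "list_price": Decimal("1899.00")},
}

DEPARTMENT_LIMIT = Decimal("5000.00")  # assumed furniture-department transaction limit
PRICE_TOLERANCE = Decimal("0.25")      # assumed: accept prices within 25% of list price


def limit_check(price):
    """Department-wide limit check: one ceiling for every product."""
    return Decimal("0") < price <= DEPARTMENT_LIMIT


def reasonableness_check(product_code, price):
    """Return the reasons a keyed price looks wrong for this product (empty = accept)."""
    product = PRODUCT_MASTER.get(product_code)
    if product is None:
        return ["unknown_product_code"]

    reasons = []
    list_price = product["list_price"]
    low = list_price * (1 - PRICE_TOLERANCE)
    high = list_price * (1 + PRICE_TOLERANCE)
    if not low <= price <= high:
        reasons.append("outside_price_band")

    # The specific keying error in the example: product code entered in the price field.
    if product_code.isdigit() and price == Decimal(product_code):
        reasons.append("price_equals_product_code")
    return reasons


def screen_sale(product_code, price):
    """Run both tests so their results can be compared for the same sale."""
    return {
        "limit_check": limit_check(price),
        "reasonableness": reasonableness_check(product_code, price),
    }


if __name__ == "__main__":
    # The sale from Example 7.4-1: passes the limit check, fails reasonableness.
    print(screen_sale("2045", Decimal("2045.00")))
    # A genuine furniture sale at a discounted price: passes both.
    print(screen_sale("7310", Decimal("1799.00")))
```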

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

Chapter 7, pages 253–254
Chapter 9, Appendix 9A, pages 6–15
CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 45 and 46. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls, organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E
Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.
• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
• A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4
CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–089)
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of segregation of duties; physical security of the microcomputer and its files; computer knowledge; reliable hardware and software; and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1 Auditing around the computer and through the computer

| | Auditing around the computer | Auditing through the computer |
|---|---|---|
| How is it done? | No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs. | Auditing the computer processing system or data produced by the system to test the programmed controls. |
| Advantage(s) | Simplicity: does not require computer-proficient personnel. May be more cost effective. | Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system. |
| What are the "ideal" conditions for each? | Requires sufficient audit trail of visible evidence. | This method must be used if any one of the following exists: (1) the presence of large volumes of input/output means that direct examination of the records is difficult; (2) lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system; (3) the system is complex and includes key parts of the accounting system. |
| Approaches | Bypasses the computer (auditing without the computer). | Two main approaches: 1. Test data; 2. Parallel simulation. |


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach
Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses, and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1 Test data and parallel simulation approaches

| | Test data approach | Parallel simulation approach |
|---|---|---|
| Strengths | Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion). | The auditor's own programs can be tailored to the client's system. |
| Weaknesses | A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data. | The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications. |

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).
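The test data approach and parallel simulation side by side, as an added example that is not part of the course text: `client_gross_pay` is a hypothetical stand-in for the client's program with a seeded defect, and the pay policy, employee records, and amounts are constructed. The test deck passes cleanly, while parallel simulation over the period's transactions exposes the defect, which is the test data weakness described above.

```python
"""Test data vs. parallel simulation on a constructed payroll calculation."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
OT_MULTIPLIER = Decimal("1.5")  # assumed pay policy: 1.5x beyond 40 hours


def client_gross_pay(hours, rate):
    """Hypothetical stand-in for the client's program.

    Seeded defect: overtime is capped at 20 hours, so hours worked
    beyond 60 in a week are silently dropped.
    """
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, Decimal(40))
    overtime = min(max(hours - 40, Decimal(0)), Decimal(20))
    return ((regular + overtime * OT_MULTIPLIER) * rate).quantize(CENT, ROUND_HALF_UP)


def auditor_gross_pay(hours, rate):
    """Auditor's independent program, written from the pay policy."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, Decimal(40))
    overtime = max(hours - 40, Decimal(0))
    return ((regular + overtime * OT_MULTIPLIER) * rate).quantize(CENT, ROUND_HALF_UP)


# Test deck (constructed): simulated input with predetermined results.
TEST_DECK = [
    ("0", "20.00", Decimal("0.00")),
    ("40", "20.00", Decimal("800.00")),
    ("45", "20.00", Decimal("950.00")),
    ("38.5", "17.25", Decimal("664.13")),
]

# The client's transactions for the period and the client's own output
# for them (both constructed).
PERIOD_RECORDS = [
    {"emp": "E01", "hours": "40", "rate": "20.00"},
    {"emp": "E02", "hours": "52", "rate": "18.50"},
    {"emp": "E03", "hours": "66", "rate": "22.00"},
    {"emp": "E04", "hours": "38.5", "rate": "17.25"},
    {"emp": "E05", "hours": "72", "rate": "15.00"},
]
CLIENT_OUTPUT = {
    "E01": Decimal("800.00"),
    "E02": Decimal("1073.00"),
    "E03": Decimal("1540.00"),
    "E04": Decimal("664.13"),
    "E05": Decimal("1050.00"),
}


def run_test_data(program, deck):
    """Test data approach: run simulated input through the program under
    test and return every case whose output differs from the expected result."""
    failures = []
    for hours, rate, expected in deck:
        actual = program(hours, rate)
        if actual != expected:
            failures.append((hours, rate, expected, actual))
    return failures


def parallel_simulation(records, client_output):
    """Parallel simulation: reprocess the client's data with the auditor's
    program and return (employee, client amount, auditor amount) for every
    disagreement. A record absent from the client output is reported with
    a client amount of None."""
    exceptions = []
    for rec in records:
        expected = auditor_gross_pay(rec["hours"], rec["rate"])
        reported = client_output.get(rec["emp"])
        if reported != expected:
            exceptions.append((rec["emp"], reported, expected))
    return exceptions


if __name__ == "__main__":
    print("test deck failures:", run_test_data(client_gross_pay, TEST_DECK))
    for emp, reported, expected in parallel_simulation(PERIOD_RECORDS, CLIENT_OUTPUT):
        print(emp, "client:", reported, "auditor:", expected)
```

No case in the deck exceeds 60 hours, so the deck cannot reach the defective branch; only reprocessing the real period data does.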

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.
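The kinds of functions listed above (totals, record selection, file matching, sampling), run over a machine-readable sales file, as an added example that is not taken from the course text or from any GAS product. The invoice and shipping extracts, the field names, and the sampling parameters are constructed.

```python
"""Typical generalized-audit-software steps on a constructed sales file."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed extracts: the client's sales invoice file and shipping file.
INVOICE_CSV = """invoice_no,customer,amount
1001,C01,1200.00
1002,C02,350.00
1003,C01,8200.00
1005,C03,410.00
1006,C02,2750.00
1006,C02,2750.00
1007,C04,15000.00
1008,C05,90.00
"""
SHIPPING_CSV = """invoice_no,ship_date
1001,2010-03-02
1002,2010-03-02
1003,2010-03-04
1005,2010-03-09
1006,2010-03-10
1008,2010-03-15
"""


def load_invoices(text):
    """Extract: parse the client file into typed records."""
    return [
        {"invoice_no": int(r["invoice_no"]), "customer": r["customer"],
         "amount": Decimal(r["amount"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def foot(invoices):
    """Calculate the file total for comparison with the ledger control total."""
    return sum((inv["amount"] for inv in invoices), Decimal("0.00"))


def duplicate_numbers(invoices):
    """Select invoice numbers that appear more than once."""
    counts = Counter(inv["invoice_no"] for inv in invoices)
    return sorted(n for n, c in counts.items() if c > 1)


def sequence_gaps(invoices):
    """Select invoice numbers missing from the numeric sequence."""
    numbers = {inv["invoice_no"] for inv in invoices}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def unmatched_to_shipping(invoices, shipping_text):
    """Match two files: invoices with no shipping record behind them."""
    shipped = {int(r["invoice_no"]) for r in csv.DictReader(io.StringIO(shipping_text))}
    return sorted({inv["invoice_no"] for inv in invoices} - shipped)


def monetary_unit_sample(invoices, n, start):
    """Systematic monetary-unit sample: every (total / n)-th dollar is a
    hit, beginning at the auditor's random start; the record containing a
    hit is selected once, however many hits fall inside it."""
    interval = foot(invoices) / n
    if not 0 < start <= interval:
        raise ValueError("random start must fall within the first interval")
    hits = [start + interval * i for i in range(n)]
    selected, cumulative, next_hit = [], Decimal(0), 0
    for inv in invoices:
        cumulative += inv["amount"]
        if next_hit < n and hits[next_hit] <= cumulative:
            selected.append(inv)
            while next_hit < n and hits[next_hit] <= cumulative:
                next_hit += 1
    return selected


INVOICES = load_invoices(INVOICE_CSV)

if __name__ == "__main__":
    print("file total:", foot(INVOICES))
    print("duplicates:", duplicate_numbers(INVOICES))
    print("sequence gaps:", sequence_gaps(INVOICES))
    print("no shipping record:", unmatched_to_shipping(INVOICES, SHIPPING_CSV))
    sample = monetary_unit_sample(INVOICES, 3, Decimal("4000.00"))
    print("sample:", [inv["invoice_no"] for inv in sample])
```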

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.
The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

Commercial general-use software, such as Excel; pre-built spreadsheet templates; special-use software, such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.


Scenario 7.1-1 solution

| Effect/Impact | Risk | Management responsibility |
|---|---|---|
| Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment). | Appropriate internal controls lacking in computerized environment. | Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors. |
| Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department. | Greater risk of losing large amount of data in case of breakdown of computer system. | Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.) |


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.
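The segregation rules from solution 1, checked against an access listing and an activity log, with the single-user microcomputer case from solution 2 included as the `owner` account. This is an added example, not part of the course material: the duty identifiers, user names, log format, and change-request numbers are constructed assumptions.

```python
"""Segregation-of-duties review over constructed access and activity data."""
import csv
import io
from itertools import combinations

# Duties named in the solution text; the identifiers are assumptions.
OPERATIONS = {"data_control", "data_entry", "operator"}
DEVELOPMENT = {"programmer", "systems_analyst"}
LIVE_ACTIONS = {"update_live_data", "run_job"}

# Constructed access listing: user -> duties held.
ASSIGNMENTS = {
    "asmith": {"data_control"},
    "bjones": {"data_entry"},
    "cwong": {"operator"},
    "dpatel": {"programmer", "systems_analyst"},
    "elee": {"operator", "programmer"},
    # Microcomputer case: one person holds every duty.
    "owner": {"data_control", "data_entry", "operator", "programmer"},
}

# Constructed activity log; an empty last field means no authorization
# reference was recorded for the event.
ACTIVITY_LOG = """timestamp,user,action,target,authorization
2010-03-01T09:00,dpatel,modify_program,payroll_calc,CR-101
2010-03-02T22:15,cwong,modify_program,payroll_calc,CR-102
2010-03-03T10:30,dpatel,modify_program,ar_aging,
2010-03-04T11:00,dpatel,update_live_data,payroll_master,
2010-03-05T08:00,bjones,update_live_data,payroll_master,
"""


def incompatible(a, b):
    """Two distinct duties conflict when both are operations duties, or
    when one is a development duty and the other an operations duty."""
    if a == b:
        return False
    ops_a, ops_b = a in OPERATIONS, b in OPERATIONS
    dev_a, dev_b = a in DEVELOPMENT, b in DEVELOPMENT
    return (ops_a and ops_b) or (ops_a and dev_b) or (dev_a and ops_b)


def duty_conflicts(assignments):
    """Return {user: [conflicting duty pairs]} for users holding
    incompatible duties."""
    findings = {}
    for user, duties in assignments.items():
        pairs = [p for p in combinations(sorted(duties), 2) if incompatible(*p)]
        if pairs:
            findings[user] = pairs
    return findings


def review_activity(log_text, assignments):
    """Flag logged events that break the rules: program changes by users
    without a development duty, program changes without an authorization
    reference, and development staff working with live data."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        duties = assignments.get(row["user"], set())  # unknown user: no duties
        is_dev = bool(duties & DEVELOPMENT)
        event = (row["timestamp"], row["user"])
        if row["action"] == "modify_program":
            if not is_dev:
                findings.append(event + ("program change by non-development user",))
            if not row["authorization"].strip():
                findings.append(event + ("program change without authorization",))
        elif row["action"] in LIVE_ACTIONS and is_dev:
            findings.append(event + ("development staff worked with live data",))
    return findings


if __name__ == "__main__":
    for user, pairs in duty_conflicts(ASSIGNMENTS).items():
        print(user, "holds incompatible duties:", pairs)
    for finding in review_activity(ACTIVITY_LOG, ASSIGNMENTS):
        print(*finding)
```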


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 3.3 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Control procedures can be embedded in computer programs to avoid these types of errors, and the auditor should ensure that such control procedures are in place. In the case of the pricing error for furniture polish, what could have been included as part of the design requirements to prevent or reduce such errors?

Solution

Auditors should offer their expertise to clients in the design and implementation of new computer systems. Information system designers design computer systems for efficiency and effectiveness. They are not as concerned with controls as auditors and management are, and may omit important internal controls, such as a test of the reasonableness of a price (as opposed to the arithmetic accuracy) on an invoice.

Vulnerability of hardware, software, and data files

What happens if there is a fire? Computer systems tend to centralize programs and data. In case of fire, files and computers may be destroyed. If it is not possible to reconstruct the information files from another source, the company could be in serious difficulties. From an audit standpoint, there may even be a denial of opinion because nothing can be verified without proper access to records.

Internal controls must be in place to make sure that data can be recovered in case of an accident. The auditor would have to ensure that there are policies and procedures to back up and recover data, as well as adequate insurance coverage for business interruption and for replacement of hardware that is destroyed or stolen.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

Chapter 7, pages 253–254
Chapter 9, Appendix 9A, pages 6–15
CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes, but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. - Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution
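The following added example (not part of the course material) shows how programmed input controls of the kind this module names (missing data, check digit, valid character, valid sign, limit/reasonableness, record count, batch total, hash total, sequence) can be embedded in a payroll timesheet application. The field names, the 80-hour limit, the Luhn check-digit scheme, and the sample batch are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_WEEKLY_HOURS = 80.0  # assumed limit for the limit/reasonableness test


@dataclass
class BatchHeader:
    """Control totals the user department prepares from the source documents."""
    record_count: int
    hours_total: float  # batch total of hours worked
    hash_total: int     # sum of employee numbers, meaningful only as a control


def luhn_valid(number):
    """Check digit test (Luhn, mod 10): catches keying and most transposition errors."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _as_number(value):
    """Return value as a float, or None when it is missing or not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def edit_record(rec):
    """Record-level input controls; returns the list of edit failures."""
    errors = [f"missing data: {field}"
              for field in ("sheet_no", "employee_no", "hours")
              if rec.get(field) in (None, "")]
    emp = str(rec.get("employee_no") or "")
    if emp and not luhn_valid(emp):
        errors.append("check digit: employee_no is not valid")
    if rec.get("hours") not in (None, ""):
        hours = _as_number(rec["hours"])
        if hours is None:
            errors.append("valid character: hours is not numeric")
        elif hours < 0:
            errors.append("valid sign: hours is negative")
        elif hours > MAX_WEEKLY_HOURS:
            errors.append(f"limit/reasonableness: {hours:g} hours in one week")
    return errors


def validate_batch(header, records):
    """Run the record edits, then reconcile the keyed batch to its control totals."""
    rejected = {}
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected[rec.get("sheet_no")] = errs  # held for correction and resubmission

    batch_errors = []
    if len(records) != header.record_count:
        batch_errors.append(
            f"record count: keyed {len(records)}, expected {header.record_count}")
    hours_total = sum(_as_number(r.get("hours")) or 0.0 for r in records)
    if abs(hours_total - header.hours_total) > 0.005:
        batch_errors.append(
            f"batch total: keyed {hours_total:g} hours, expected {header.hours_total:g}")
    emp_numbers = [str(r.get("employee_no") or "") for r in records]
    hash_total = sum(int(e) for e in emp_numbers if e.isdigit())
    if hash_total != header.hash_total:
        batch_errors.append(
            f"hash total: keyed {hash_total}, expected {header.hash_total}")
    # Sequence test: pre-numbered timesheets should arrive without gaps.
    sheets = sorted(r["sheet_no"] for r in records if isinstance(r.get("sheet_no"), int))
    missing = sorted(set(range(sheets[0], sheets[-1] + 1)) - set(sheets)) if sheets else []
    if missing:
        batch_errors.append(f"sequence: missing sheet numbers {missing}")
    return {"rejected": rejected, "batch_errors": batch_errors, "missing_sheets": missing}


# Constructed sample: five timesheets were submitted (sheets 501-505). Sheet 504 was
# never keyed, employee 10157 was keyed as 10517, and 10.00 hours was keyed as 1000.
HEADER = BatchHeader(record_count=5, hours_total=161.5, hash_total=51189)
KEYED_BATCH = [
    {"sheet_no": 501, "employee_no": "10082", "hours": "40"},
    {"sheet_no": 502, "employee_no": "10517", "hours": "37.5"},
    {"sheet_no": 503, "employee_no": "10231", "hours": "1000"},
    {"sheet_no": 505, "employee_no": "10314", "hours": "38"},
]

if __name__ == "__main__":
    result = validate_batch(HEADER, KEYED_BATCH)
    for sheet, errs in result["rejected"].items():
        print("rejected sheet", sheet, errs)
    for err in result["batch_errors"]:
        print("batch out of balance:", err)
```

The record-level edits stop the 1000-hour entry before it reaches processing, while the batch-level totals show that the keyed batch does not agree with what the user department submitted.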

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. - Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E
Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.

• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

• A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of the organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems - General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4
CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)
Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
• Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
• Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)
• Auditing around the computer: Simplicity: does not require computer-proficient personnel. May be more cost effective.
• Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?
• Auditing around the computer: Requires sufficient audit trail of visible evidence.
• Auditing through the computer: This method must be used if any one of the following exists:
  - The presence of large volumes of input/output means that direct examination of the records is difficult.
  - Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
  - System is complex and includes key parts of the accounting system.

Approaches
• Auditing around the computer: Bypasses the computer (auditing without the computer).
• Auditing through the computer: Two main approaches:
  1. Test data
  2. Parallel simulation


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

Test data approach

Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses, and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer, using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
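The parallel simulation described above, as an added example that is not part of the course text or of any audit package: the auditor's own re-implementation of a payroll calculation is run over the client's input file and compared record by record with the client's output. The overtime rule, the field names and both sample files are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: timesheet data the client fed into its payroll program.
CLIENT_INPUT_CSV = """emp_id,hours,rate
E001,40.0,25.00
E002,46.0,30.00
E003,38.5,22.40
E004,52.0,18.75
"""

# Constructed sample: gross pay as reported by the client's program.
CLIENT_OUTPUT_CSV = """emp_id,gross_pay
E001,1000.00
E002,1470.00
E004,975.00
E009,950.00
"""

# Assumed pay rule, re-implemented by the auditor from the client's documented
# policy: hours above 40 are paid at 1.5 times the hourly rate.
STANDARD_HOURS = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")
CENT = Decimal("0.01")


def simulate_gross_pay(hours, rate):
    """Auditor's independent calculation for one employee."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def _load(csv_text):
    """Index a CSV export by employee id."""
    return {row["emp_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def parallel_simulation(input_csv, output_csv):
    """Reprocess the client's input and compare with the client's output.

    Returns (exceptions, simulated_total, client_total). Each exception is
    (emp_id, kind, auditor_amount, client_amount).
    """
    inputs = _load(input_csv)
    outputs = _load(output_csv)
    exceptions = []
    simulated_total = Decimal("0")
    client_total = Decimal("0")

    for emp_id in sorted(inputs.keys() | outputs.keys()):
        expected = None
        reported = None
        if emp_id in inputs:
            row = inputs[emp_id]
            expected = simulate_gross_pay(Decimal(row["hours"]), Decimal(row["rate"]))
            simulated_total += expected
        if emp_id in outputs:
            reported = Decimal(outputs[emp_id]["gross_pay"])
            client_total += reported

        if reported is None:
            # Completeness: an input record the client's run did not pay out.
            exceptions.append((emp_id, "MISSING_FROM_OUTPUT", expected, None))
        elif expected is None:
            # Occurrence: a payment with no supporting input record.
            exceptions.append((emp_id, "NO_SOURCE_RECORD", None, reported))
        elif expected != reported:
            # Accuracy: the client's programmed logic disagrees with the auditor's.
            exceptions.append((emp_id, "AMOUNT_MISMATCH", expected, reported))

    return exceptions, simulated_total, client_total


if __name__ == "__main__":
    found, sim_total, cli_total = parallel_simulation(CLIENT_INPUT_CSV, CLIENT_OUTPUT_CSV)
    for emp_id, kind, expected, reported in found:
        print(f"{emp_id}: {kind} auditor={expected} client={reported}")
    print(f"control totals: auditor={sim_total} client={cli_total}")
```

Unlike test data, this run covers every record the client actually processed, so it also surfaces payments that have no source record at all.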

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach.

Effects on the company’s operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit

The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client’s business, the auditor should obtain an understanding of the client’s computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today’s computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for a company’s internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization’s internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada’s Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client’s system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel

pre-built spreadsheet templates

special-use software such as expert systems

custom programs for auditing specific areas

working paper software

networked files

standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer’s bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company, which has computerized its system extensively, would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A

b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28

b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP, or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

  • organization and physical access
  • documentation and systems development
  • hardware controls and preventive maintenance
  • data file and program control and security
  • backup and recovery procedures
  • file security
  • file retention
  • system conversion controls (procedures to ensure the data is transferred completely and accurately, and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

  • input authorization
  • check digits
  • record counts
  • batch financial totals
  • batch hash totals
  • valid character tests
  • valid sign tests
  • missing data tests
  • sequence tests
  • limit/reasonableness tests
  • error correction and resubmission

Processing controls

  • run-to-run totals
  • control total reports
  • file logs
  • limit/reasonableness tests

Output controls

  • control totals
  • master file changes
  • output distribution


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

  • Original programming is not required.
  • Designing tests is easy.
  • Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
  • For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
  • The same software can be used on various clients’ computer systems.
  • Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.5 General controls and application controls

Learning objective

Describe general controls and application controls, and explain how they relate to accounting controls. (Level 2)

Required reading

  • Chapter 7, pages 253–254
  • Chapter 9, Appendix 9A, pages 6–15
  • CAS 315.21 and CAS 315.A91–A93 (CICA Handbook paragraph 5141.093)
  • Reading 7-1, AuG-6, Auditing in an EDP environment, Section 4

LEVEL 2

Technology and technological changes can present risk to a business in different ways. CAS 315.21 requires that the auditor obtain an understanding of how the entity has responded to risks arising from its use of IT. Section 4 of Reading 7-1 defines general and application controls in paragraphs 4.5 and 4.6. General controls and application controls are also described on pages 6 to 15 of Appendix 9A.

The control hierarchy diagram in the following exhibit illustrates how computer controls, including their general and application controls components, fit into the overall internal control framework of the organization.

Exhibit 7.5-1: Control hierarchy diagram


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP’s Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa’s answer would be?

Solution
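An added illustration, not the course's solution text: programmed input controls of the kind listed in the self-test solution (missing data, valid character, valid sign and limit/reasonableness tests, plus record count, batch financial total and batch hash total) applied to a keyed payroll batch. The 80-hour limit, the employee numbers and the batch contents are constructed assumptions.

```python
import re
from decimal import Decimal

MAX_WEEKLY_HOURS = Decimal("80")           # assumed policy limit for one week
HOURS_PATTERN = re.compile(r"-?\d+(\.\d+)?")

# Constructed batch. The header holds control totals prepared from the paper
# timesheets before keying; the lines are what the data-entry clerk keyed.
BATCH_HEADER = {"record_count": 5, "hours_total": Decimal("197.5"), "hash_total": 52055}
BATCH_LINES = [
    {"employee_id": "10417", "hours": "40"},
    {"employee_id": "10422", "hours": "1000"},   # the scenario's impossible week
    {"employee_id": "10388", "hours": "-37.5"},  # sign keyed wrongly
    {"employee_id": "10379", "hours": "40"},     # ID transposed (should be 10397)
    {"employee_id": "10431", "hours": "4O"},     # letter O instead of zero
]


def edit_line(line):
    """Apply the input edit tests to one keyed line and return the failed tests."""
    raw = line.get("hours", "").strip()
    if not line.get("employee_id") or not raw:
        return ["missing data"]
    if not HOURS_PATTERN.fullmatch(raw):
        return ["valid character"]
    failures = []
    hours = Decimal(raw)
    if hours < 0:
        failures.append("valid sign")
    if abs(hours) > MAX_WEEKLY_HOURS:
        failures.append("limit/reasonableness")
    return failures


def check_batch(header, lines):
    """Edit every line, then recompute the control totals and compare to the header."""
    rejected = {}
    keyed_hours = Decimal("0")
    keyed_hash = 0
    for number, line in enumerate(lines, start=1):
        failures = edit_line(line)
        if failures:
            rejected[number] = failures
        employee_id = line.get("employee_id", "")
        if employee_id.isdigit():
            keyed_hash += int(employee_id)   # hash total: meaningless sum, useful check
        raw = line.get("hours", "").strip()
        if HOURS_PATTERN.fullmatch(raw):
            keyed_hours += Decimal(raw)
    computed = {"record_count": len(lines),
                "hours_total": keyed_hours,
                "hash_total": keyed_hash}
    mismatches = sorted(name for name in computed if computed[name] != header[name])
    return {"rejected": rejected, "mismatches": mismatches, "computed": computed}


if __name__ == "__main__":
    result = check_batch(BATCH_HEADER, BATCH_LINES)
    print("Rejected lines:", result["rejected"])
    print("Control totals out of balance:", result["mismatches"])
```

Line 4 passes every edit test and is caught only by the hash total, which is why batch totals and field-level edits are used together.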

Understanding internal control in a computer environment

The auditor’s objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor’s objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

  • Chapter 7, Appendix 7E
  • Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

  • The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.

  • Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

  • A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

  • digital certificates, for authentication and non-repudiation
  • secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP), for privacy
  • access control lists, for authentication
  • firewalls, a part of organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 3–4
  • CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)
  • Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 15–19
  • Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

  • segregation of duties
  • physical security of the microcomputer and its files
  • computer knowledge
  • reliable hardware and software
  • documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

  • Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
  • Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

  • Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
  • Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

  • Auditing around the computer: Requires sufficient audit trail of visible evidence.
  • Auditing through the computer: This method must be used if any one of the following exists:
      • The presence of large volumes of input/output means that direct examination of the records is difficult.
      • Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
      • System is complex and includes key parts of the accounting system.

Approaches

  • Auditing around the computer: Bypasses the computer (auditing without the computer).
  • Auditing through the computer: Two main approaches:
      1. Test data
      2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22
  • Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

  • Test data approach
  • Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

  • Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
  • Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

  • Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
  • Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
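Parallel simulation as described above, reduced to its core: the auditor's own program reprocesses the client's input and the result is compared, record by record and in total, with what the client's program produced. This Python sketch is an added example, not taken from the course or from any GAS product; the invoices, the 5% tax rule and the client output are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.05")   # assumed: stands in for the documented processing rule
CENT = Decimal("0.01")

# Constructed client input file (sales transactions as entered).
CLIENT_INPUT = [
    {"invoice": "S-2001", "qty": 12, "unit_price": "19.95"},
    {"invoice": "S-2002", "qty": 3, "unit_price": "250.00"},
    {"invoice": "S-2003", "qty": 40, "unit_price": "7.25"},
    {"invoice": "S-2004", "qty": 1, "unit_price": "1299.99"},
]
# Constructed output of the client's program (invoice register totals).
CLIENT_OUTPUT = {"S-2001": "251.37", "S-2002": "787.50", "S-2003": "304.50",
                 "S-2004": "1299.99", "S-2005": "88.20"}


def auditor_invoice_total(txn):
    """The auditor's independent version of the processing rule."""
    extension = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    return (extension * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_input, client_output):
    """Reprocess the client's input and compare with the client's own output."""
    differences = []   # (invoice, client amount, auditor amount)
    no_output = []     # input transactions the client's system did not report
    auditor_total = Decimal("0")
    for txn in client_input:
        expected = auditor_invoice_total(txn)
        auditor_total += expected
        reported = client_output.get(txn["invoice"])
        if reported is None:
            no_output.append(txn["invoice"])
        elif Decimal(reported) != expected:
            differences.append((txn["invoice"], Decimal(reported), expected))
    processed = {txn["invoice"] for txn in client_input}
    # Output with no supporting input: nothing for the auditor's program to match.
    no_input = sorted(set(client_output) - processed)
    client_total = sum((Decimal(v) for v in client_output.values()), Decimal("0"))
    return {"differences": differences, "no_output": no_output,
            "no_input": no_input, "auditor_total": auditor_total,
            "client_total": client_total}


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT)
    for invoice, client_amount, auditor_amount in result["differences"]:
        print(f"{invoice}: client {client_amount}, auditor {auditor_amount}")
    print("Output without input:", result["no_input"])
    print("Totals (auditor, client):", result["auditor_total"], result["client_total"])
```

A difference does not by itself say which program is wrong; each exception is followed up against source documents and the documented processing rule.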


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

  • Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size, yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit. The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls over access to programs and data, controls over system design and maintenance, and protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail, and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
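
One way to test the accuracy, completeness, and cut-off of a conversion, shown as an added example that is not part of the course material. The account numbers, balances, transaction IDs, and changeover date are constructed, and treating the changeover date itself as belonging to the old system is an assumption.

```python
from datetime import date
from decimal import Decimal


def reconcile_balances(old: dict, new: dict) -> dict:
    """Compare closing balances in the old system with opening balances in the new one."""
    shared = sorted(set(old) & set(new))
    return {
        # Completeness: every old account must arrive, and nothing may appear from nowhere.
        "missing_in_new": sorted(set(old) - set(new)),
        "unexpected_in_new": sorted(set(new) - set(old)),
        # Accuracy: account-by-account comparison, reported as (old, new).
        "balance_differences": {a: (old[a], new[a]) for a in shared if old[a] != new[a]},
        # Control totals, reported as (old, new); necessary but not sufficient.
        "record_counts": (len(old), len(new)),
        "control_totals": (sum(old.values(), Decimal(0)), sum(new.values(), Decimal(0))),
    }


def cutoff_exceptions(old_txns: list, new_txns: list, changeover: date) -> dict:
    """Each transaction belongs in exactly one system.

    Assumption: transactions dated up to and including the changeover date
    belong to the old system, later ones to the new system.
    """
    old_ids = {t["id"] for t in old_txns}
    new_ids = {t["id"] for t in new_txns}
    return {
        "posted_in_both": sorted(old_ids & new_ids),
        "late_in_old": sorted(t["id"] for t in old_txns if t["date"] > changeover),
        "early_in_new": sorted(t["id"] for t in new_txns if t["date"] <= changeover),
    }


# Constructed accounts receivable sub-ledger, before and after conversion.
OLD = {"C001": Decimal("500.00"), "C002": Decimal("300.00"),
       "C003": Decimal("400.00"), "C004": Decimal("150.25")}
NEW = {"C001": Decimal("500.00"), "C002": Decimal("400.00"),   # C002 and C003 swapped
       "C003": Decimal("300.00"), "C040": Decimal("150.25")}   # C004 mapped to the wrong key

CHANGEOVER = date(2010, 6, 30)  # constructed date
OLD_TXNS = [{"id": "T100", "date": date(2010, 6, 29)},
            {"id": "T101", "date": date(2010, 6, 30)},
            {"id": "T102", "date": date(2010, 7, 1)}]    # posted to the old system too late
NEW_TXNS = [{"id": "T101", "date": date(2010, 6, 30)},   # also posted to the new system
            {"id": "T103", "date": date(2010, 7, 2)}]

if __name__ == "__main__":
    for name, result in reconcile_balances(OLD, NEW).items():
        print(name, result)
    for name, result in cutoff_exceptions(OLD_TXNS, NEW_TXNS, CHANGEOVER).items():
        print(name, result)
```

In the sample, record counts and control totals agree between the two systems even though two balances were swapped and one account was carried forward under the wrong key, which is why the account-by-account comparison is needed as well.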


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective, because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls, because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
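
The input controls listed above, applied to one payroll batch, as an added example that is not part of the course material. The modulus-11 check-digit scheme, the 80-hour weekly limit, the field names, and the batch itself are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Assumed policy limit for the limit/reasonableness test (168 h is the physical weekly maximum).
MAX_WEEKLY_HOURS = Decimal("80")


def check_digit_ok(emp_id: str) -> bool:
    """Check-digit test. Assumed scheme: modulus 11, weights 2, 3, 4... from the right."""
    if len(emp_id) < 2 or not (emp_id.isascii() and emp_id.isdigit()):
        return False
    body, given = emp_id[:-1], int(emp_id[-1])
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, len(body) + 2)))
    return (11 - total % 11) % 11 == given   # a computed 10 never matches a single digit


def parse_amount(text: str):
    """Valid character test: return a Decimal, or None if the field is not a number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def validate_record(rec: dict) -> list:
    """Record-level input controls; returns the names of the tests that failed."""
    errors = [f"missing data: {f}" for f in ("emp_id", "hours", "rate")
              if not rec.get(f, "").strip()]
    if errors:
        return errors
    if not check_digit_ok(rec["emp_id"]):
        errors.append("check digit: emp_id")
    for field in ("hours", "rate"):
        value = parse_amount(rec[field])
        if value is None:
            errors.append(f"valid character: {field}")
        elif value < 0:
            errors.append(f"valid sign: {field}")
        elif field == "hours" and value > MAX_WEEKLY_HOURS:
            errors.append("limit/reasonableness: hours")
    return errors


def validate_batch(header: dict, records: list) -> dict:
    """Run the record tests, the sequence test and the three batch totals.

    Returns {"batch": [...], seq: [...]}; only records with findings appear.
    """
    findings = {"batch": []}
    count, hash_total, gross, prev = 0, 0, Decimal("0"), None
    for rec in records:
        errs = validate_record(rec)
        if prev is not None and rec["seq"] != prev + 1:
            errs.append(f"sequence: expected {prev + 1}, got {rec['seq']}")
        prev = rec["seq"]
        count += 1
        emp_id = rec.get("emp_id", "")
        if emp_id.isascii() and emp_id.isdigit():
            hash_total += int(emp_id)           # hash total: sum of a non-financial field
        hours, rate = parse_amount(rec.get("hours", "")), parse_amount(rec.get("rate", ""))
        if hours is not None and rate is not None:
            gross += hours * rate               # batch financial total
        if errs:
            findings[rec["seq"]] = errs
    received = (("record_count", count), ("hash_total", hash_total), ("financial_total", gross))
    for name, got in received:
        if header[name] != got:
            findings["batch"].append(f"{name}: header {header[name]}, received {got}")
    return findings


# Constructed batch. The header totals stand for figures the user department
# prepared from its source documents before data entry.
HEADER = {"record_count": 7, "hash_total": 716706, "financial_total": Decimal("6730.00")}
RECORDS = [
    {"seq": 1, "emp_id": "102342", "hours": "40", "rate": "25.00"},
    {"seq": 2, "emp_id": "102350", "hours": "1000", "rate": "25.00"},  # 1000 hours in a week
    {"seq": 3, "emp_id": "102432", "hours": "38", "rate": "30.00"},    # transposed ID digits
    {"seq": 5, "emp_id": "102377", "hours": "-8", "rate": "22.50"},    # record 4 lost; wrong sign
    {"seq": 6, "emp_id": "102385", "hours": "4O", "rate": "20.00"},    # letter O keyed for zero
    {"seq": 7, "emp_id": "", "hours": "40", "rate": "20.00"},          # employee ID left blank
]

if __name__ == "__main__":
    for key, errs in validate_batch(HEADER, RECORDS).items():
        print(key, errs)
```

Record 2 is the case raised in Scenario 7.5-1: the limit/reasonableness test flags the 1000-hour week that a payroll clerk would have caught by eye.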


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch, because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


General controls

A general control applies to overall computer processing activities (for example, controls over systems development and maintenance, operations, and backup), while an application control is specific to one or more accounting applications (for example, controls over authorizing, recording, and processing of payroll or sales transactions).

General controls are an extension to computer controls of the control environment concept covered in Module 5. Like the control environment, general controls are mostly preventive in nature and apply to all parts of the computer systems. The boxes on pages 7 to 9 of Appendix 9A illustrate some general controls that auditors should consider.

The general control procedures establish a structure of control over the management and operation of information systems, rather than the specific systems themselves.

Activity 7.5-1

General controls include documentation and system development controls. Why are these controls ultimately related to the accurate processing of data and viewed as preventive in nature?

Solution 1

The general control procedures of backup, file security, and file retention are described on pages 9 and 10 of Appendix 9A. Backup controls are one of the most important general controls, not only for audit planning purposes but also possibly for accounting disclosure purposes. Why is this so?

Solution 2


Management and the auditor should be equally concerned that backup control objectives are met

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls, organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1: TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP's Payroll Manager. Mario indicated that, in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa's answer would be?

Solution

Understanding internal control in a computer environment

The auditor's objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2: TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor's objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E; Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.

Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company, by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

digital certificates for authentication and non-repudiation; secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy; access control lists for authentication; and firewalls, a part of organization's overall security plan.

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19; Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

segregation of duties; physical security of the microcomputer and its files; computer knowledge; reliable hardware and software; and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)
Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?
Auditing around the computer: Requires sufficient audit trail of visible evidence.
Auditing through the computer: This method must be used if any one of the following exists:
The presence of large volumes of input/output means that direct examination of the records is difficult.
Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
System is complex and includes key parts of the accounting system.

Approaches
Auditing around the computer: Bypasses the computer (auditing without the computer).
Auditing through the computer: Two main approaches:
1. Test data
2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach

Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths
Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses
Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.
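The test data approach described above, as an added example that is not part of the course material: a hypothetical payroll routine with a programmed reasonableness check on weekly hours (the kind of control Scenario 7.5-1 asks about) is run against an auditor-built test deck, and the output is compared to predetermined results. The routine, the 60-hour limit, the overtime rule, the rates and every transaction are constructed assumptions.

```python
"""Test data approach, constructed example (not from the course material).

A stand-in for a copy of the client's payroll program is run against an
auditor-built test deck; actual output is compared to predetermined results.
The 60-hour limit, overtime rule, rates and transactions are all assumptions.
"""
import copy
from decimal import Decimal

RATES = {"E001": Decimal("20.00"), "E002": Decimal("31.50")}  # constructed master file
CENT = Decimal("0.01")


def build_payroll_program(weekly_limit):
    """Return a hypothetical payroll routine.

    weekly_limit is the programmed reasonableness limit on hours per week;
    None models a program version in which that check is missing.
    """
    def process(txn, ledger):
        emp, hours = txn["employee"], Decimal(txn["hours"])
        if emp not in RATES:                                   # validity check
            return ("REJECT", "unknown employee")
        if hours <= 0:                                         # sign check
            return ("REJECT", "non-positive hours")
        if weekly_limit is not None and hours > weekly_limit:  # reasonableness check
            return ("REJECT", "hours exceed weekly limit")
        regular = min(hours, Decimal("40"))
        overtime = hours - regular                             # paid at 1.5x (assumed)
        gross = (RATES[emp] * (regular + overtime * Decimal("1.5"))).quantize(CENT)
        ledger.append((emp, gross))                            # posting to the payroll file
        return ("ACCEPT", gross)
    return process


# Auditor's test deck: (name, simulated transaction, predetermined result).
# Expected amounts were worked out by hand from the assumed pay rules.
TEST_DECK = [
    ("T1 normal week", {"employee": "E001", "hours": "40"}, ("ACCEPT", Decimal("800.00"))),
    ("T2 overtime", {"employee": "E001", "hours": "45"}, ("ACCEPT", Decimal("950.00"))),
    ("T3 at the limit", {"employee": "E002", "hours": "60"}, ("ACCEPT", Decimal("2205.00"))),
    ("T4 just over limit", {"employee": "E001", "hours": "60.5"},
     ("REJECT", "hours exceed weekly limit")),
    ("T5 impossible hours", {"employee": "E001", "hours": "1000"},
     ("REJECT", "hours exceed weekly limit")),
    ("T6 unknown employee", {"employee": "E999", "hours": "40"}, ("REJECT", "unknown employee")),
    ("T7 negative hours", {"employee": "E002", "hours": "-8"}, ("REJECT", "non-positive hours")),
]


def run_test_deck(program, deck, live_ledger):
    """Run the deck and compare actual output to predetermined results.

    Test postings go to a scratch copy of the payroll file. Returns
    (exceptions, contaminated): exceptions lists each test whose actual
    result differs from the expected one; contaminated is True if the
    client's live file was changed by the test run.
    """
    before = copy.deepcopy(live_ledger)
    scratch = copy.deepcopy(live_ledger)
    exceptions = []
    for name, txn, expected in deck:
        actual = program(txn, scratch)
        if actual != expected:
            exceptions.append((name, expected, actual))
    return exceptions, live_ledger != before


LIVE_LEDGER = [("E001", Decimal("800.00"))]   # constructed client payroll file

if __name__ == "__main__":
    for label, limit in (("limit programmed", Decimal("60")), ("limit missing", None)):
        program = build_payroll_program(limit)
        exceptions, contaminated = run_test_deck(program, TEST_DECK, LIVE_LEDGER)
        print(f"{label}: {len(exceptions)} exception(s), live file changed: {contaminated}")
        for name, expected, actual in exceptions:
            print(f"  {name}: expected {expected}, got {actual}")
```

A clean run shows only that the program handles the conditions included in the deck; conditions the deck omits remain untested, which is the weakness Exhibit 7.11-1 records for this approach.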

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
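Parallel simulation as described above, as an added example that is not part of the course material: an auditor-written routine recomputes invoice extensions from a client sales file, foots both sets of amounts, selects large items, and reports record-level differences. The file layout, invoice numbers, amounts and control total are constructed; the sample contains two offsetting errors, so the totals agree while two records do not.

```python
"""Parallel simulation, constructed example (not from the course material).

The auditor's own program reprocesses the client's data and the result is
compared, record by record and in total, with the client's output.
"""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's sales output file.
CLIENT_SALES_FILE = """invoice,quantity,unit_price,client_amount
S-1001,10,12.50,125.00
S-1002,3,199.99,599.97
S-1003,40,7.25,340.00
S-1004,12,50.00,550.00
S-1005,1,0.00,0.00
"""
CLIENT_CONTROL_TOTAL = Decimal("1614.97")   # total reported by the client's system


def load_records(text):
    """Parse the machine-readable client file into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "invoice": row["invoice"],
            "quantity": Decimal(row["quantity"]),
            "unit_price": Decimal(row["unit_price"]),
            "client_amount": Decimal(row["client_amount"]),
        })
    return records


def auditor_extension(rec):
    """Auditor's independent recalculation of the invoice amount."""
    amount = rec["quantity"] * rec["unit_price"]
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(records, client_control_total):
    """Reprocess every record and compare with the client's output."""
    differences = []
    auditor_total = Decimal("0.00")
    client_total = Decimal("0.00")
    for rec in records:
        expected = auditor_extension(rec)
        auditor_total += expected
        client_total += rec["client_amount"]
        if expected != rec["client_amount"]:
            differences.append(
                (rec["invoice"], rec["client_amount"], expected,
                 rec["client_amount"] - expected)
            )
    return {
        "record_count": len(records),
        "auditor_total": auditor_total,
        "file_foots_to_control_total": client_total == client_control_total,
        "totals_agree": auditor_total == client_total,
        "differences": differences,
    }


def select_for_testing(records, threshold):
    """Selection of specific records: invoices at or above a monetary threshold."""
    return [r["invoice"] for r in records if r["client_amount"] >= threshold]


if __name__ == "__main__":
    recs = load_records(CLIENT_SALES_FILE)
    result = parallel_simulation(recs, CLIENT_CONTROL_TOTAL)
    print("records:", result["record_count"])
    print("file foots to control total:", result["file_foots_to_control_total"])
    print("auditor total agrees with client total:", result["totals_agree"])
    for invoice, client_amt, auditor_amt, diff in result["differences"]:
        print(f"  {invoice}: client {client_amt}, auditor {auditor_amt}, difference {diff}")
    print("large items selected:", select_for_testing(recs, Decimal("500.00")))
```

In this constructed file a comparison of totals alone would pass; only the record-level comparison surfaces the two invoices whose errors offset each other.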


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers, hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit; the impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).
Risk: Appropriate internal controls lacking in computerized environment.
Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:
adequate procedures are in place and computer systems are properly documented;
an adequate audit trail for significant classes of transactions exists; and
knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.
Risk: Greater risk of losing large amount of data in case of breakdown of computer system.
Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
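A conversion test of the kind this solution describes can be sketched as follows. This is an added example, not part of the course material: the account numbers, balances, transaction ids, the changeover date and the function name `reconcile_conversion` are all constructed, and it assumes the old system processes transactions dated up to and including the changeover date.

```python
from datetime import date
from decimal import Decimal

CUTOFF = date(2010, 6, 30)  # constructed changeover date

# Constructed closing balances extracted from the old system at changeover.
OLD_CLOSING = {
    "1000": Decimal("15250.00"),
    "1100": Decimal("48310.55"),
    "2000": Decimal("-22900.10"),
    "3000": Decimal("-40660.45"),
}
# Constructed opening balances loaded into the new system.
NEW_OPENING = {
    "1000": Decimal("15250.00"),
    "1100": Decimal("48301.55"),   # two digits transposed during conversion
    "2000": Decimal("-22900.10"),
    "3000": Decimal("-40660.45"),
    "9999": Decimal("9.00"),       # balancing entry that has no source account
}
# Constructed postings: (system, transaction id, transaction date).
POSTINGS = [
    ("old", "INV-0981", date(2010, 6, 29)),
    ("old", "INV-0982", date(2010, 7, 2)),    # after changeover, still in old system
    ("new", "INV-0983", date(2010, 6, 30)),   # before cut-off, already in new system
    ("new", "INV-0984", date(2010, 7, 1)),
]


def reconcile_conversion(old, new, postings, cutoff):
    """Test completeness, accuracy and cut-off of a balance conversion."""
    # Completeness: every old account must arrive, and nothing may appear from nowhere.
    missing = sorted(set(old) - set(new))
    unexpected = sorted(set(new) - set(old))
    # Accuracy: compare each carried-forward balance account by account.
    differences = {
        acct: new[acct] - old[acct]
        for acct in sorted(set(old) & set(new))
        if new[acct] != old[acct]
    }
    # Control total: useful, but offsetting errors can leave it in agreement.
    control_total_diff = sum(new.values(), Decimal(0)) - sum(old.values(), Decimal(0))
    # Cut-off: each transaction belongs to exactly one system, decided by its date.
    cutoff_errors = [
        txn_id
        for system, txn_id, txn_date in postings
        if (system == "old" and txn_date > cutoff)
        or (system == "new" and txn_date <= cutoff)
    ]
    clean = not (missing or unexpected or differences or cutoff_errors)
    return {
        "missing_in_new": missing,
        "unexpected_in_new": unexpected,
        "differences": differences,
        "control_total_diff": control_total_diff,
        "cutoff_errors": cutoff_errors,
        "clean": clean and control_total_diff == 0,
    }
```

In the constructed data the control totals of the two systems agree, yet the account-by-account comparison still finds a misstated balance and an unsupported account, which is why a conversion test should not stop at the totals.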


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective, because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls, because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
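Several of the input controls listed above can be seen working together on one payroll batch, including the limit/reasonableness test that the Scenario 7.5-1 solution calls for. This is an added example, not part of the course material: the batch, the employee numbers, the 168-hour limit and all function names are constructed, and the Luhn algorithm is used here as one common check digit scheme.

```python
from decimal import Decimal, InvalidOperation

MAX_WEEKLY_HOURS = Decimal("168")  # assumed hard limit: 7 days x 24 hours

# Constructed control totals, computed by the user department from the
# seven time sheets (501-507) it sent for data entry.
HEADER = {"record_count": 7, "hours_total": Decimal("210.5"), "hash_total": 700307}

# Constructed batch as keyed; time sheet 504 was lost before data entry.
KEYED = [
    {"seq": "501", "emp": "100016", "hours": "40.0"},
    {"seq": "502", "emp": "100024", "hours": "37.5"},
    {"seq": "503", "emp": "100023", "hours": "40.0"},  # 100032 with digits transposed
    {"seq": "505", "emp": "100057", "hours": "1000"},  # 10.00 keyed without the point
    {"seq": "506", "emp": "100065", "hours": "-8"},    # sign error
    {"seq": "507", "emp": "", "hours": "40.0"},        # employee number not keyed
]


def luhn_ok(number):
    """Check digit test (Luhn): catches single-digit and most transposition errors."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_hours(text):
    """Valid character test for hours; returns None unless a finite number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def field_tests(rec):
    """Record-level input controls; returns the list of tests the record fails."""
    if not rec["emp"] or not rec["hours"]:
        return ["missing data"]
    errors = []
    if not (rec["emp"].isascii() and rec["emp"].isdigit()):
        errors.append("invalid character")
    elif not luhn_ok(rec["emp"]):
        errors.append("check digit")
    hours = parse_hours(rec["hours"])
    if hours is None:
        errors.append("invalid character")
    elif hours <= 0:
        errors.append("invalid sign")
    elif hours > MAX_WEEKLY_HOURS:
        errors.append("limit/reasonableness")
    return errors


def validate_batch(header, records):
    """Run record-level and batch-level controls; release only a clean batch."""
    rejected, seqs = {}, []
    hours_total, hash_total = Decimal(0), 0
    for rec in records:
        errors = field_tests(rec)
        if errors:
            rejected[rec["seq"]] = errors  # held for correction and resubmission
        seqs.append(int(rec["seq"]))
        hours = parse_hours(rec["hours"])
        if hours is not None:
            hours_total += hours
        if rec["emp"].isascii() and rec["emp"].isdigit():
            hash_total += int(rec["emp"])  # hash total: sum of a non-financial field
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
    batch_errors = []
    if len(records) != header["record_count"]:
        batch_errors.append("record count")
    if hours_total != header["hours_total"]:
        batch_errors.append("batch total of hours")  # a financial total works the same way
    if hash_total != header["hash_total"]:
        batch_errors.append("batch hash total")
    if missing or len(set(seqs)) != len(seqs):
        batch_errors.append("sequence")
    return {"rejected": rejected, "batch_errors": batch_errors,
            "missing_seq": missing, "release": not rejected and not batch_errors}
```

The record-level tests identify which line is wrong, while the batch-level totals catch what no single record can show, such as the lost time sheet 504.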


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.
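The module summary lists what generalized audit software does: extract data, perform calculations, match data from different files, and select statistical samples. The sketch below carries out three of those functions on a payroll file. It is an added example, not part of the course material and not the interface of any GAS product: the files, field layout and function names are constructed, and monetary-unit (fixed-interval) selection is used as one statistical sampling method.

```python
from datetime import date
from decimal import Decimal

# Constructed employee master file.
MASTER = {
    "100016": {"rate": Decimal("25.00"), "terminated": None},
    "100024": {"rate": Decimal("32.00"), "terminated": date(2010, 5, 14)},
    "100032": {"rate": Decimal("20.00"), "terminated": None},
}
# Constructed payments file: (payment id, employee, pay date, hours, amount paid).
PAYMENTS = [
    ("P1", "100016", date(2010, 6, 4), Decimal("40"), Decimal("1000.00")),
    ("P2", "100024", date(2010, 6, 4), Decimal("40"), Decimal("1280.00")),
    ("P3", "100032", date(2010, 6, 4), Decimal("40"), Decimal("8000.00")),
    ("P4", "100099", date(2010, 6, 4), Decimal("38"), Decimal("950.00")),
    ("P5", "100016", date(2010, 6, 11), Decimal("42"), Decimal("1050.00")),
]


def match_exceptions(payments, master):
    """Match each payment to the master file and recompute hours x rate."""
    exceptions = {}
    for pay_id, emp, pay_date, hours, paid in payments:
        record = master.get(emp)
        if record is None:
            exceptions[pay_id] = ["not on master file"]
            continue
        reasons = []
        if record["terminated"] is not None and pay_date > record["terminated"]:
            reasons.append("paid after termination")
        if hours * record["rate"] != paid:
            reasons.append("amount differs from hours x rate")
        if reasons:
            exceptions[pay_id] = reasons
    return exceptions


def monetary_unit_sample(payments, interval, start):
    """Select every `interval`-th dollar, beginning at dollar `start`.

    In practice `start` is drawn at random from 1..interval; it is a
    parameter here so that the selection can be re-performed by a reviewer.
    An item larger than the interval is always selected (once).
    """
    if not 0 < start <= interval:
        raise ValueError("start must lie within the first interval")
    selected, cumulative, next_hit = [], Decimal(0), Decimal(start)
    for pay_id, _emp, _pay_date, _hours, paid in payments:
        cumulative += paid
        hit = False
        while next_hit <= cumulative:   # this item contains the sampled dollar
            hit = True
            next_hit += interval
        if hit:
            selected.append(pay_id)
    return selected
```

Exception matching examines every record in the file, while the sample feeds substantive testing of the items selected; the 8,000.00 payment is picked up by both.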


Management and the auditor should be equally concerned that backup control objectives are met.

Application controls Reasonableness check

Application controls are needed to replace the loss of human review that normally exists in a manual system. Pages 11 to 14 of Appendix 9A illustrate typical application controls, organized by input, processing, and output controls. Note that the application controls are often embedded in the software used by the client. The boxes on pages 14 and 15 of Appendix 9A illustrate important input, processing, and output controls that the auditor should consider for each application.

Scenario 7.5-1 TRP Inc. — Application controls

Teresa, Director of Finance for TRP Inc., met with Mario, TRP's Payroll Manager. Mario indicated that in the current manual system, a payroll clerk was able to instantly recognize that 1000 hours recorded for a single employee during a one-week period is physically impossible. Mario would like to know how this error could be detected if the same processing were done by computer. What do you think Teresa's answer would be?

Solution

Understanding internal control in a computer environment

The auditor's objective of understanding internal control and assessing control risk is the same for a computer system as for a manual system. The auditor wants to determine how much reliance can be placed on internal control, given audit risk and inherent risk, and thus how much evidence must be obtained from the tests of details of balances. If the computer system is very complex, the auditor may need the assistance of a computer audit specialist.

Scenario 7.5-2 TRP Inc. — Conversion to computer

TRP Inc. is planning to change from a manual accounting system to a computer system. Having regard for the fact that the auditor's objective of understanding internal control and assessing control risk is the same for the computer system as for a manual system, what special audit considerations would likely be triggered in a conversion?

Solution


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for the company's internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E; Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients' public documents, news, and quotes.
• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.
• A company's Internet website is an open door into the company's network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly "wired" society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or "store front" for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include

• digital certificates for authentication and non-repudiation,
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy,
• access control lists for authentication, and
• firewalls, a part of organization's overall security plan.

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089); Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of segregation of duties, physical security of the microcomputer and its files, computer knowledge, reliable hardware and software, and documentation for software and software changes.

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity (does not require computer-proficient personnel). May be more cost effective.

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach

Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.
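The following Python sketch illustrates the test data approach described above. It is an added example, not part of the course material: the order-entry routine is a hypothetical stand-in for a copy of a client program (with one defect seeded on purpose), and the master file, price list, and test deck are constructed sample data.

```python
"""Test data approach: run an auditor-built test deck through a copy of the
client's program and compare every result with the predetermined outcome."""
import copy
from decimal import Decimal

# Constructed sample data (not from the course material).
MASTER = {
    "C001": {"balance": Decimal("400.00"), "limit": Decimal("1000.00")},
    "C002": {"balance": Decimal("950.00"), "limit": Decimal("1000.00")},
}
PRICES = {"P10": Decimal("25.00"), "P20": Decimal("120.00")}


def client_order_entry(txn, master, prices):
    """Hypothetical stand-in for a copy of the client's order-entry program.

    Seeded defect for this demonstration: the quantity is never validated,
    so a negative quantity is accepted and lowers the customer's balance.
    """
    customer = master.get(txn["customer"])
    if customer is None:
        return ("REJECT", "unknown customer")
    price = prices.get(txn["product"])
    if price is None:
        return ("REJECT", "unknown product")
    amount = price * txn["qty"]
    if customer["balance"] + amount > customer["limit"]:
        return ("REJECT", "credit limit exceeded")
    customer["balance"] += amount
    return ("ACCEPT", amount)


# Test deck: (case name, simulated transaction, predetermined result).
# The deck is processed in order, so expected results allow for earlier cases.
TEST_DECK = [
    ("valid order", {"customer": "C001", "product": "P10", "qty": 4},
     ("ACCEPT", Decimal("100.00"))),
    ("order reaching the limit", {"customer": "C002", "product": "P10", "qty": 2},
     ("ACCEPT", Decimal("50.00"))),
    ("order over the limit", {"customer": "C002", "product": "P20", "qty": 1},
     ("REJECT", "credit limit exceeded")),
    ("unknown customer", {"customer": "C999", "product": "P10", "qty": 1},
     ("REJECT", "unknown customer")),
    ("unknown product", {"customer": "C001", "product": "P99", "qty": 1},
     ("REJECT", "unknown product")),
    ("negative quantity", {"customer": "C001", "product": "P10", "qty": -3},
     ("REJECT", "invalid quantity")),
]


def run_test_deck(program, deck, live_master, prices):
    """Process the deck against a copy of the master file.

    Returns (exceptions, contaminated): the cases whose actual result differs
    from the predetermined result, and whether the live master file changed.
    """
    before = copy.deepcopy(live_master)        # state of the client's file
    working_copy = copy.deepcopy(live_master)  # test data only touches this
    exceptions = []
    for name, txn, expected in deck:
        actual = program(txn, working_copy, prices)
        if actual != expected:
            exceptions.append((name, expected, actual))
    contaminated = live_master != before
    return exceptions, contaminated


if __name__ == "__main__":
    found, dirty = run_test_deck(client_order_entry, TEST_DECK, MASTER, PRICES)
    for name, expected, actual in found:
        print(f"EXCEPTION {name}: expected {expected}, got {actual}")
    print("client records contaminated:", dirty)
```

Running the deck without its last case reports no exceptions even though the defect is still present, which is the weakness Exhibit 7.11-1 lists for test data.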

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.
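The following Python sketch shows parallel simulation together with two of the GAS functions mentioned above (calculating totals and selecting specific records). It is an added example, not part of the course material or of any GAS product: the payroll extract, its field names, and the overtime rule used by the auditor's program are assumptions made for the illustration.

```python
"""Parallel simulation: reprocess the client's data with the auditor's own
program and compare the result with the output of the client's program."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of a client payroll register (sample data only).
# client_gross is the figure the client's program produced for each record.
CLIENT_FILE = """emp_id,hours,rate,client_gross
E01,40,20.00,800.00
E02,45,20.00,950.00
E03,38,31.50,1197.00
E04,50,18.00,900.00
E05,40,22.25,890.00
E06,12,250.00,3000.00
"""

CENT = Decimal("0.01")
STANDARD_HOURS = Decimal("40")


def load_records(text):
    """Read the machine-readable client file into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "emp_id": row["emp_id"],
            "hours": Decimal(row["hours"]),
            "rate": Decimal(row["rate"]),
            "client_gross": Decimal(row["client_gross"]),
        })
    return records


def auditor_gross(hours, rate):
    """Auditor's independent calculation of gross pay.

    Assumed pay rule for this example: hours above 40 are paid at 1.5 times
    the hourly rate.
    """
    regular = min(hours, STANDARD_HOURS) * rate
    overtime = max(hours - STANDARD_HOURS, Decimal("0")) * rate * Decimal("1.5")
    return (regular + overtime).quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records):
    """Return (emp_id, client figure, auditor figure, difference) for every
    record on which the two programs disagree."""
    differences = []
    for rec in records:
        expected = auditor_gross(rec["hours"], rec["rate"])
        if expected != rec["client_gross"]:
            differences.append((rec["emp_id"], rec["client_gross"], expected,
                                rec["client_gross"] - expected))
    return differences


def foot(records, field):
    """Total a numeric field, for agreement with the client's control total."""
    return sum((rec[field] for rec in records), Decimal("0"))


def select(records, predicate):
    """Select the records that meet an auditor-defined criterion."""
    return [rec["emp_id"] for rec in records if predicate(rec)]


if __name__ == "__main__":
    payroll = load_records(CLIENT_FILE)
    for emp_id, client, auditor, diff in parallel_simulation(payroll):
        print(f"{emp_id}: client {client}, auditor {auditor}, difference {diff}")
    print("client total gross:", foot(payroll, "client_gross"))
    print("rates above 100:", select(payroll, lambda r: r["rate"] > 100))
```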

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing: one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit; the impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations, and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data, controls over system design and maintenance, and protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail, and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

Commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic of, and desirable control for, online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review of documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA-Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A

b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28

b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective, because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately, and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
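
As an added illustration (not part of the course material), the sketch below applies several of the input controls listed above to one keyed batch: record-level edit tests first, then the batch control figures. The batch data, the field names, the amount limit, and the choice of the Luhn algorithm for the check digit are all assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("10000.00")  # assumed reasonableness limit per document

# Constructed batch header: control figures taken from the five source
# documents (numbered 101-105) before they were keyed.
HEADER = {"record_count": 5,
          "financial_total": Decimal("4225.00"),
          "hash_total": 2223376}  # sum of account numbers, used only as a control

# Constructed keyed batch: document 104 was dropped, the account on 103 was
# transposed (402511 -> 402151) and the amount on 105 gained an extra zero.
KEYED = [
    {"doc_no": "101", "account": "402511", "amount": "1200.00"},
    {"doc_no": "102", "account": "718320", "amount": "450.00"},
    {"doc_no": "103", "account": "402151", "amount": "300.00"},
    {"doc_no": "105", "account": "350017", "amount": "22000.00"},
]

# Constructed: the same batch keyed correctly.
CLEAN = [
    {"doc_no": "101", "account": "402511", "amount": "1200.00"},
    {"doc_no": "102", "account": "718320", "amount": "450.00"},
    {"doc_no": "103", "account": "402511", "amount": "300.00"},
    {"doc_no": "104", "account": "350017", "amount": "75.00"},
    {"doc_no": "105", "account": "350017", "amount": "2200.00"},
]


def luhn_ok(number):
    """Check digit test (Luhn is an assumption; the page names no algorithm)."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:      # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def is_digits(text):
    return text.isascii() and text.isdigit()


def edit_record(rec):
    """Return the name of the first input control the record fails, or None."""
    if not all(rec.get(field, "").strip() for field in ("doc_no", "account", "amount")):
        return "missing data"
    if not (is_digits(rec["doc_no"]) and is_digits(rec["account"])):
        return "valid character"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "valid character"
    if not amount.is_finite():
        return "valid character"
    if not luhn_ok(rec["account"]):
        return "check digit"
    if amount <= 0:
        return "valid sign"
    if amount > AMOUNT_LIMIT:
        return "limit"
    return None


def validate_batch(header, records):
    """Return (rejected records, failed batch-level controls)."""
    rejects, usable = [], []
    for rec in records:
        reason = edit_record(rec)
        if reason:
            rejects.append((rec.get("doc_no", "?"), reason))
        if reason not in ("missing data", "valid character"):
            usable.append(rec)      # fields parse, so they can enter the totals
    batch_errors = []
    doc_nos = [int(rec["doc_no"]) for rec in usable]
    if any(later - earlier != 1 for earlier, later in zip(doc_nos, doc_nos[1:])):
        batch_errors.append("sequence")
    if len(records) != header["record_count"]:
        batch_errors.append("record count")
    if sum(Decimal(rec["amount"]) for rec in usable) != header["financial_total"]:
        batch_errors.append("financial total")
    if sum(int(rec["account"]) for rec in usable) != header["hash_total"]:
        batch_errors.append("hash total")
    return rejects, batch_errors


if __name__ == "__main__":
    for name, batch in (("keyed", KEYED), ("clean", CLEAN)):
        print(name, validate_batch(HEADER, batch))
```

The record-level tests identify which documents to send back for error correction and resubmission, while the batch figures show that the batch as a whole cannot be accepted even if every individual record had passed.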


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.6 Audit implications of electronic commerce

Learning objective

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for the company’s internal control and for its audit. (Level 2)

Required reading

Chapter 7, Appendix 7E; Chapter 9, pages 339–345

LEVEL 2

The Internet, or World Wide Web, is rapidly evolving in a variety of ways as a major force in commerce. This affects the auditor in the following ways:

• The Internet provides a vast source of information auditors can use in the course of their work. This information includes real-time access to financial indicators, clients’ public documents, news, and quotes.

• Companies can conduct some or all of their business through the Internet. Therefore, there is an anticipated need to provide customized assurance services for these companies.

• A company’s Internet website is an open door into the company’s network systems. Therefore, security problems may arise unless proper controls are put in place.

Website security

Since 1997, the AICPA and CICA have run a joint program of developing and promoting assurance services for websites on the Internet. It has become commonplace for businesses to create an Internet presence through a website. Most websites started as information sources about the company by converting existing brochures and other documents into an online format.

Business websites are rapidly becoming more promotional in nature and an important new marketing tool in an increasingly “wired” society (more people have convenient access to the Internet). Websites are proving to be a major link to customers and suppliers, with the result that companies are using websites to make sales and purchases, to help in the design of products and marketing strategy, and to distribute and share financial and other information. More and more websites are turning into the major outlet or “store front” for companies as electronic commerce (transactions over the Internet or other networks) increases in popularity.

Securing sales transactions

Security technologies and strategies should be familiar to you from Managing Information Systems [MS1] or equivalent. Other important security technologies include:

• digital certificates for authentication and non-repudiation
• secure sockets layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) for privacy
• access control lists for authentication
• firewalls, a part of an organization’s overall security plan

Activity 7.6-1

Electronic commerce introduces a new set of concerns for companies, such as designing and positioning a site to attract customers, making sales and purchase transactions secure, and ensuring customer privacy. What are some of the control features an auditor should be looking for in order to address these concerns? Highlight both technological controls as well as organizational controls.


Solution


7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity’s business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089); Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19; Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

• Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
• Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

• Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
• Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

• Auditing around the computer: Requires sufficient audit trail of visible evidence.
• Auditing through the computer: This method must be used if any one of the following exists:
  • The presence of large volumes of input/output means that direct examination of the records is difficult.
  • Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
  • System is complex and includes key parts of the accounting system.

Approaches

• Auditing around the computer: Bypasses the computer (auditing without the computer).
• Auditing through the computer: Two main approaches:
  1. Test data
  2. Parallel simulation


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

• Test data approach
• Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

• Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
• Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

• Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
• Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
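
The following sketch is an added example, not taken from the course text or from any GAS product, of the parallel simulation described above: the auditor's own program reprocesses the client's invoice data and compares each computed field with what the client's program produced. The invoice extract, the column names, the 13% tax rate, and the rounding rule are assumptions constructed for the illustration.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's invoice file, including the amounts the
# client's program calculated for each invoice.
CLIENT_EXTRACT = """\
invoice_no,qty,unit_price,client_extension,client_tax,client_total
1001,10,19.99,199.90,25.99,225.89
1002,3,250.00,750.00,97.50,847.50
1003,7,14.25,99.75,12.96,112.71
1004,120,4.10,492.00,63.96,555.96
1005,1,999.99,999.99,130.00,1130.00
"""

TAX_RATE = Decimal("0.13")  # assumed rate, taken from the auditor's understanding
CENT = Decimal("0.01")
FIELDS = ("extension", "tax", "total")


def auditor_calc(qty, unit_price):
    """The auditor's independent version of the documented processing rules."""
    extension = (qty * unit_price).quantize(CENT, rounding=ROUND_HALF_UP)
    tax = (extension * TAX_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
    return {"extension": extension, "tax": tax, "total": extension + tax}


def parallel_simulation(extract_text):
    """Reprocess every record and compare with the client's output.

    Returns (exceptions, totals). Each exception is a tuple of
    (invoice_no, field, client_value, auditor_value).
    """
    exceptions = []
    totals = {"records": 0,
              "client_total": Decimal("0"),
              "auditor_total": Decimal("0")}
    for row in csv.DictReader(io.StringIO(extract_text)):
        expected = auditor_calc(Decimal(row["qty"]), Decimal(row["unit_price"]))
        totals["records"] += 1
        totals["client_total"] += Decimal(row["client_total"])
        totals["auditor_total"] += expected["total"]
        for field in FIELDS:
            client_value = Decimal(row["client_" + field])
            if client_value != expected[field]:
                exceptions.append(
                    (row["invoice_no"], field, client_value, expected[field]))
    return exceptions, totals


if __name__ == "__main__":
    found, control = parallel_simulation(CLIENT_EXTRACT)
    print("records reprocessed:", control["records"])
    print("client total:", control["client_total"],
          "auditor total:", control["auditor_total"])
    for invoice_no, field, client_value, auditor_value in found:
        print(f"invoice {invoice_no}: {field} client={client_value} "
              f"auditor={auditor_value}")
```

In this constructed file the two invoice-level differences net to zero, so the client and auditor totals agree; only the record-by-record comparison surfaces the exceptions for follow-up.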


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

• Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

• Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

• Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

• Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

• Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

• Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

  Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

• Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

fileF|Courses2010-11CGAAU106coursem07t12htm (2 of 2) [04102010 31653 PM]

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit. The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

the concentration of functions; documentation of transactions; controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
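
One way an auditor could test the accuracy and completeness of a conversion and the cut-off between the two systems, as an added example that is not part of the course material. The account numbers, balances, transaction ids, and the 1 July 2010 changeover date are constructed, and the rule that a transaction belongs to the old system when dated before the changeover is an assumption.

```python
from datetime import date
from decimal import Decimal

# Constructed closing balances in the old system and opening balances in the new one.
OLD_LEDGER = {
    "1000": Decimal("15000.00"),
    "1200": Decimal("8200.50"),
    "2000": Decimal("-4300.00"),
    "3000": Decimal("-18900.50"),
}
NEW_LEDGER = {
    "1000": Decimal("15000.00"),
    "1200": Decimal("8700.50"),    # 500.00 more than in the old system
    "2001": Decimal("-4800.00"),   # account 2000 is gone; 2001 absorbs the offset
    "3000": Decimal("-18900.50"),
}

CHANGEOVER = date(2010, 7, 1)      # constructed changeover date (assumption)

# Constructed postings showing which system recorded each transaction.
POSTINGS = [
    {"id": "T1", "date": date(2010, 6, 30), "system": "old"},
    {"id": "T2", "date": date(2010, 7, 1), "system": "new"},
    {"id": "T3", "date": date(2010, 7, 2), "system": "old"},   # late entry in old system
    {"id": "T4", "date": date(2010, 6, 29), "system": "new"},  # early entry in new system
    {"id": "T5", "date": date(2010, 6, 30), "system": "old"},
    {"id": "T5", "date": date(2010, 6, 30), "system": "new"},  # recorded twice
]


def reconcile_balances(old, new):
    """Compare balances account by account, not only by count and control total."""
    common = sorted(set(old) & set(new))
    return {
        "record_count_agrees": len(old) == len(new),
        "control_total_agrees": sum(old.values()) == sum(new.values()),
        "dropped": sorted(set(old) - set(new)),   # completeness: lost in conversion
        "added": sorted(set(new) - set(old)),     # accounts with no source record
        "changed": {a: (old[a], new[a]) for a in common if old[a] != new[a]},
    }


def cutoff_exceptions(postings, changeover):
    """Flag postings made to the wrong system for their date, and double postings."""
    wrong_system = []
    systems_by_id = {}
    for p in postings:
        expected = "old" if p["date"] < changeover else "new"
        if p["system"] != expected:
            wrong_system.append(p["id"])
        systems_by_id.setdefault(p["id"], set()).add(p["system"])
    duplicated = sorted(i for i, s in systems_by_id.items() if len(s) > 1)
    return {"wrong_system": wrong_system, "duplicated": duplicated}


if __name__ == "__main__":
    print(reconcile_balances(OLD_LEDGER, NEW_LEDGER))
    print(cutoff_exceptions(POSTINGS, CHANGEOVER))
```

The constructed new ledger agrees with the old one on both record count and control total, so only the account-by-account comparison exposes the dropped, added, and changed accounts.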

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved).

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission.

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests.

Output controls

control totals; master file changes; output distribution.
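
Several of the input controls listed above, applied to one batch, as an added example that is not part of the course material. The record layout, the Luhn mod-10 check-digit scheme, the 5,000.00 limit, and all sample data are assumptions or constructed values.

```python
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("5000.00")  # assumed ceiling for the limit/reasonableness test

# Constructed batch header: control totals prepared by the user department.
HEADER = {"record_count": 3, "financial_total": Decimal("1550.45"),
          "hash_total": 107354691}

# Constructed batches. Account numbers carry a Luhn check digit (assumed scheme).
CLEAN_BATCH = [
    {"seq": 1, "account": "12345674", "amount": "250.00"},
    {"seq": 2, "account": "40001232", "amount": "1200.50"},
    {"seq": 3, "account": "55007785", "amount": "99.95"},
]
ALTERED_BATCH = [
    {"seq": 1, "account": "12345674", "amount": "250.00"},
    {"seq": 2, "account": "40002132", "amount": "1200.50"},  # digits transposed
    {"seq": 4, "account": "55007785", "amount": "9000.00"},  # gap and over limit
]
SUBSTITUTED_BATCH = [
    {"seq": 1, "account": "12345674", "amount": "250.00"},
    {"seq": 2, "account": "55007785", "amount": "1200.50"},  # other valid account
    {"seq": 3, "account": "55007785", "amount": "99.95"},
]


def luhn_valid(number):
    """Check-digit test using Luhn mod-10 over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, records, limit=AMOUNT_LIMIT):
    """Apply the input controls; return (seq, code) exceptions, empty if clean."""
    errors = []
    financial_total = Decimal("0")
    hash_total = 0
    prev_seq = None
    for rec in records:
        seq = rec.get("seq")
        # Missing data test: all fields must be present before other tests run.
        if any(rec.get(f) in (None, "") for f in ("seq", "account", "amount")):
            errors.append((seq, "MISSING_DATA"))
            continue
        # Sequence test: pre-numbered records must arrive without gaps or repeats.
        if prev_seq is not None and seq != prev_seq + 1:
            errors.append((seq, "SEQUENCE"))
        prev_seq = seq
        # Valid character test, then check digit, on the account number.
        account = rec["account"]
        if not (account.isascii() and account.isdigit()):
            errors.append((seq, "VALID_CHARACTER"))
        else:
            hash_total += int(account)      # hash total: a sum with no meaning itself
            if not luhn_valid(account):
                errors.append((seq, "CHECK_DIGIT"))
        # Valid character, valid sign, and limit tests on the amount.
        try:
            amount = Decimal(rec["amount"])
            if not amount.is_finite():
                raise InvalidOperation
        except InvalidOperation:
            errors.append((seq, "VALID_CHARACTER"))
            continue
        financial_total += amount
        if amount <= 0:
            errors.append((seq, "VALID_SIGN"))
        if amount > limit:
            errors.append((seq, "LIMIT"))
    # Batch-level controls: compare recomputed totals with the batch header.
    if len(records) != header["record_count"]:
        errors.append((None, "RECORD_COUNT"))
    if financial_total != header["financial_total"]:
        errors.append((None, "FINANCIAL_TOTAL"))
    if hash_total != header["hash_total"]:
        errors.append((None, "HASH_TOTAL"))
    return errors


if __name__ == "__main__":
    for name in ("CLEAN_BATCH", "ALTERED_BATCH", "SUBSTITUTED_BATCH"):
        print(name, validate_batch(HEADER, globals()[name]))
```

The substituted batch passes every field-level test and the financial total; only the hash total shows that a payment was redirected to a different valid account.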

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089)

Reading 7-1, AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1 Auditing around the computer and through the computer

How is it done?

• Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
• Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

• Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.
• Auditing through the computer: Sophisticated method and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the “ideal” conditions for each?

• Auditing around the computer: Requires sufficient audit trail of visible evidence.
• Auditing through the computer: This method must be used if any one of the following exists:
    - The presence of large volumes of input/output means that direct examination of the records is difficult.
    - Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
    - System is complex and includes key parts of the accounting system.

Approaches

• Auditing around the computer: Bypasses the computer (auditing without the computer).
• Auditing through the computer: Two main approaches:
    1. Test data
    2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

• Test data approach
• Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1 Test data and parallel simulation approaches

Strengths

• Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
• Parallel simulation approach: The auditor’s own programs can be tailored to the client’s system.

Weaknesses

• Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
• Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
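
The two techniques described in this topic, shown as an added example that is not part of the course material or of any audit software package: a test deck with predetermined results is run through a stand-in for the client's payroll program, and the same program's output on period data is then checked by parallel simulation. The pay policy, both programs, and every record are constructed for illustration; the stand-in carries a seeded truncation defect that the whole-hour test deck never exercises, which is the test data weakness noted in the exhibit above.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed pay policy (constructed for this example).
BASE = Decimal("40")      # hours paid at the regular rate
PREMIUM = Decimal("1.5")  # overtime multiplier
LIMIT = Decimal("60")     # programmed reasonableness limit on weekly hours


def money(amount):
    """Round to cents."""
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def client_payroll(emp, hours, rate):
    """Stand-in for a copy of the client's program (hypothetical).

    Seeded defect: overtime hours are truncated to whole hours.
    """
    hours, rate = Decimal(hours), Decimal(rate)
    if hours <= 0 or hours > LIMIT:          # programmed input control
        return (emp, "REJECTED", Decimal("0.00"))
    overtime = int(max(hours - BASE, Decimal("0")))   # defect: drops part-hours
    regular = min(hours, BASE)
    return (emp, "PAID", money(regular * rate + overtime * rate * PREMIUM))


def auditor_payroll(emp, hours, rate):
    """The auditor's own program, written independently from the pay policy."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours <= 0 or hours > LIMIT:
        return (emp, "REJECTED", Decimal("0.00"))
    overtime = max(hours - BASE, Decimal("0"))
    regular = hours - overtime
    return (emp, "PAID", money(regular * rate + overtime * rate * PREMIUM))


# Test data approach: simulated transactions paired with predetermined results.
TEST_DECK = [
    (("T1", "40", "20.00"), ("T1", "PAID", Decimal("800.00"))),
    (("T2", "45", "20.00"), ("T2", "PAID", Decimal("950.00"))),
    (("T3", "60", "20.00"), ("T3", "PAID", Decimal("1400.00"))),   # at the limit
    (("T4", "61", "20.00"), ("T4", "REJECTED", Decimal("0.00"))),  # over the limit
    (("T5", "-8", "20.00"), ("T5", "REJECTED", Decimal("0.00"))),  # negative hours
]


def run_test_data(program, deck):
    """Return (input, expected, actual) for each test transaction that fails."""
    failures = []
    for txn, expected in deck:
        actual = program(*txn)
        if actual != expected:
            failures.append((txn, expected, actual))
    return failures


# Parallel simulation: period data (constructed here) and the client's output.
CLIENT_DATA = [
    ("E100", "38", "22.50"),
    ("E101", "42.5", "24.00"),
    ("E102", "40", "31.00"),
    ("E103", "47.25", "18.00"),
    ("E104", "72", "19.00"),
]
# Stands in for the payroll register produced by the client's own run.
CLIENT_OUTPUT = [client_payroll(*row) for row in CLIENT_DATA]


def parallel_simulation(data, client_output, auditor_program=auditor_payroll):
    """Reprocess client data with the auditor's program; list every mismatch."""
    by_emp = {emp: (status, gross) for emp, status, gross in client_output}
    exceptions = []
    for row in data:
        emp, a_status, a_gross = auditor_program(*row)
        c_status, c_gross = by_emp.get(emp, ("MISSING", Decimal("0.00")))
        if (c_status, c_gross) != (a_status, a_gross):
            exceptions.append(
                (emp, c_status, c_gross, a_status, a_gross, a_gross - c_gross))
    return exceptions


def control_total(output):
    """Sum of gross pay over paid records, for comparing run totals."""
    return sum((g for _, status, g in output if status == "PAID"), Decimal("0.00"))


if __name__ == "__main__":
    print("test data failures:", run_test_data(client_payroll, TEST_DECK))
    for exc in parallel_simulation(CLIENT_DATA, CLIENT_OUTPUT):
        print("parallel simulation exception:", exc)
    print("client total:", control_total(CLIENT_OUTPUT))
    print("auditor total:",
          control_total([auditor_payroll(*r) for r in CLIENT_DATA]))
```

The test deck reports no failures against the stand-in, while the parallel simulation flags the two part-hour records and a difference in the control totals.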


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations, such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach.

Effects on the company’s operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit
• The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client’s business, the auditor should obtain an understanding of the client’s computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today’s computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for a company’s internal control and for its audit.

The two main effects of EDI for auditors are

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization’s internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada’s Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client’s system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

• commercial general-use software, such as Excel
• pre-built spreadsheet templates
• special-use software, such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure

• Effect/Impact: Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).
• Risk: Appropriate internal controls lacking in computerized environment.
• Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that
    - adequate procedures are in place and computer systems are properly documented;
    - an adequate audit trail for significant classes of transactions exists; and
    - knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies

• Effect/Impact: Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.
• Risk: Greater risk of losing large amount of data in case of breakdown of computer system.
• Management responsibility: Internal controls policies and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer’s bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA-Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and correcting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
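
Several of the input controls listed above can be applied together to one keyed batch, shown here as an added example that is not part of the course material. The payroll batch, the field names, the Luhn mod-10 check-digit scheme, and the 60-hour limit are all assumptions made for illustration.

```python
from decimal import Decimal

MAX_WEEKLY_HOURS = Decimal("60")  # assumed reasonableness limit, not from the course text

# Constructed batch header: control totals taken from the source documents before keying.
BATCH_HEADER = {"record_count": 5, "financial_total": Decimal("3960.00"), "hash_total": 50149}

# Constructed records as keyed: document 503 was dropped, 504 carries a transposed
# employee number (10014 keyed for 10041), 505 has 400 hours keyed instead of 40.
KEYED_RECORDS = [
    {"doc_no": 501, "emp_id": "10017", "hours": Decimal("40"), "amount": Decimal("800.00")},
    {"doc_no": 502, "emp_id": "10025", "hours": Decimal("38"), "amount": Decimal("760.00")},
    {"doc_no": 504, "emp_id": "10014", "hours": Decimal("40"), "amount": Decimal("900.00")},
    {"doc_no": 505, "emp_id": "10033", "hours": Decimal("400"), "amount": Decimal("8000.00")},
]


def is_numeric_id(value):
    """Valid character test: the employee number must be ASCII digits only."""
    return isinstance(value, str) and value.isascii() and value.isdigit()


def check_digit_ok(emp_id):
    """Check digit test using Luhn mod 10 (the scheme is an assumption)."""
    total = 0
    for pos, ch in enumerate(reversed(emp_id)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec):
    """Return the names of the record-level input controls that this record fails."""
    if any(rec.get(f) in (None, "") for f in ("doc_no", "emp_id", "hours", "amount")):
        return ["missing data"]
    failed = []
    if not is_numeric_id(rec["emp_id"]):
        failed.append("valid character")
    elif not check_digit_ok(rec["emp_id"]):
        failed.append("check digit")
    if rec["amount"] <= 0 or rec["hours"] <= 0:
        failed.append("valid sign")
    if rec["hours"] > MAX_WEEKLY_HOURS:
        failed.append("limit/reasonableness")
    return failed


def validate_batch(header, records):
    """Apply record-level tests, the sequence test, and the three batch control totals.

    Returns a list of (document number or "BATCH", failed control) tuples.
    """
    exceptions = []
    previous_doc = None
    for rec in records:
        doc = rec.get("doc_no")
        exceptions += [(doc, name) for name in validate_record(rec)]
        # Sequence test: document numbers must be consecutive within the batch.
        if previous_doc is not None and doc is not None and doc != previous_doc + 1:
            exceptions.append((doc, "sequence"))
        if doc is not None:
            previous_doc = doc
    computed = {
        "record_count": len(records),
        "financial_total": sum(
            (r["amount"] for r in records if r.get("amount") not in (None, "")),
            Decimal("0"),
        ),
        # Hash total: a sum with no accounting meaning, kept only to detect changed keys.
        "hash_total": sum(int(r["emp_id"]) for r in records if is_numeric_id(r.get("emp_id"))),
    }
    for name, value in computed.items():
        if value != header[name]:
            exceptions.append(("BATCH", name.replace("_", " ")))
    return exceptions


if __name__ == "__main__":
    for where, control in validate_batch(BATCH_HEADER, KEYED_RECORDS):
        print(f"{where}: failed {control} test")
```

A batch that fails any of these tests would be held for error correction and resubmission rather than posted.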


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.



7.7 Auditing computerized systems — General considerations

Learning objective

Explain how an audit is conducted in a computer environment. (Level 1)

No required reading

LEVEL 1

Regardless of whether an entity operates a manual system, a computer system, or a combined manual and computer system, the auditor should comply with GAAS in GAAS audits. Accordingly, the auditor may complete the audit in a computer environment (or combined computer and manual environment) along the following lines.

Complying with GAAS examination standards

First examination standard of GAAS: As part of using sufficient knowledge of the entity's business to plan the audit, the auditor should obtain an understanding of the computer processing configuration, the method of processing, and related matters in order to assess inherent risk in connection with planning the audit. For instance, the auditor will consider the impact of computer processing in determining the nature, timing, and extent of auditing procedures.

Second examination standard of GAAS: The auditor would obtain a sufficient understanding of general controls (control environment factors) pertaining to accounting systems applications that are significant to the audit. This can be done through questionnaires, enquiry, and prior-year working papers. Also, the auditor should obtain an understanding of the application controls over input, processing, and output (control systems) relating to major transaction classes and account balances that are significant to the audit. This can be done through a review of systems documentation, for example.

Based on the understanding of the computer processing system and related manual internal control policies and procedures with respect to specific assertions at the account balance or classes of transactions level, the auditor would assess, on a preliminary basis, control risk at/near maximum or below maximum level and use a substantive approach or a combined approach accordingly. When using a combined approach, the auditor would perform tests of controls on those internal control policies and procedures (covering both manual and computer systems) that enhance the reliability of data and information. In this regard, the auditor may use a computer for performing tests of controls or dual-purpose procedures.

Based on tests of controls, the auditor would finalize control risk for specific assertions at the account balance or class of transactions level and determine the nature, timing, and extent of substantive procedures in light of materiality and inherent risk. Some of these procedures could be performed using computers and others performed manually.

Third examination standard of GAAS: The auditor would perform the substantive procedures determined previously for gathering sufficient appropriate audit evidence for specific assertions at the account balance and transactions level. In this regard, the auditor may consider using generalized audit software packages, where appropriate.


7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089)
Reading 7-1: AuG-6, Auditing in an EDP environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows.

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors' test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor's final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1: AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer:
• Simplicity — does not require computer-proficient personnel
• May be more cost effective

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:
• The presence of large volumes of input/output means that direct examination of the records is difficult.
• Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.
• System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:
1. Test data
2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

• Test data approach
• Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1: AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
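
The test data and parallel simulation approaches described above can be contrasted in a short program; this is an added example, not part of the course material. The pay rule (time-and-a-half over 40 hours), the stand-in client program with its seeded truncation defect, and all data are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
FORTY = Decimal("40")
ZERO = Decimal("0")


def client_program(hours, rate):
    """Stand-in for a copy of the client's payroll program (constructed).

    Seeded defect: fractions of a cent are truncated instead of rounded.
    """
    overtime = max(hours - FORTY, ZERO)
    gross = (hours - overtime) * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(CENT, rounding=ROUND_DOWN)


def auditor_program(hours, rate):
    """Auditor's own program, written independently from the documented pay rule."""
    regular = min(hours, FORTY)
    overtime = max(hours - FORTY, ZERO)
    gross = regular * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


# Test deck: simulated transactions with results predetermined by hand.
TEST_DECK = [
    (Decimal("40"), Decimal("20.00"), Decimal("800.00")),
    (Decimal("45"), Decimal("20.00"), Decimal("950.00")),
    (Decimal("0"), Decimal("20.00"), Decimal("0.00")),
]

# Constructed client data for the period: input time records and the output
# register produced by the client's system (E4 is absent, E9 has no time record).
PERIOD_INPUT = [
    ("E1", Decimal("40"), Decimal("20.00")),
    ("E2", Decimal("41.5"), Decimal("18.75")),
    ("E3", Decimal("43.25"), Decimal("17.35")),
    ("E4", Decimal("38"), Decimal("22.10")),
]
CLIENT_OUTPUT = {
    "E1": Decimal("800.00"),
    "E2": Decimal("792.18"),
    "E3": Decimal("778.58"),
    "E9": Decimal("500.00"),
}


def run_test_data(program, deck):
    """Test data approach: run simulated transactions through the program under
    test and return every case whose output differs from the predetermined result."""
    failures = []
    for hours, rate, expected in deck:
        actual = program(hours, rate)
        if actual != expected:
            failures.append((hours, rate, expected, actual))
    return failures


def parallel_simulation(period_input, client_output):
    """Parallel simulation: reprocess the client's real input with the auditor's
    program and compare with the client's output, record by record."""
    differences = []
    seen = set()
    for emp, hours, rate in period_input:
        seen.add(emp)
        expected = auditor_program(hours, rate)
        actual = client_output.get(emp)
        if actual is None:
            differences.append((emp, "missing from client output", expected, None))
        elif actual != expected:
            differences.append((emp, "amount differs", expected, actual))
    # Output with no supporting input is a completeness and authorization concern.
    for emp in sorted(set(client_output) - seen):
        differences.append((emp, "no supporting input", None, client_output[emp]))
    return differences


if __name__ == "__main__":
    print("test data failures:", run_test_data(client_program, TEST_DECK))
    for row in parallel_simulation(PERIOD_INPUT, CLIENT_OUTPUT):
        print("parallel simulation:", row)
```

The test deck passes cleanly because none of its cases produces a fraction of a cent, which is the weakness the exhibit attributes to test data; the parallel simulation over the period's data reports the one-cent difference along with the unmatched records.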


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing: consideration of IT-related matters when planning the audit; the impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

Commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates.


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
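
The completeness, accuracy, and cut-off tests described above can be run directly on extracts taken from both systems. The following is an added example, not part of the course material; the account numbers, balances, transaction references, and cut-over date are constructed, and the cut-over date is assumed to be the last day processed on the old system.

```python
from datetime import date
from decimal import Decimal

CUTOVER = date(2010, 6, 30)  # constructed: last day processed on the old system

# Constructed closing balances extracted from the old system (credits negative).
OLD_BALANCES = {
    "1000": Decimal("25000.00"),
    "1200": Decimal("48310.55"),
    "2000": Decimal("-31200.00"),
    "3000": Decimal("-42110.55"),
}

# Constructed opening balances loaded into the new system. The record count
# and the net total both agree with the old system, yet one account was
# dropped, one appeared from nowhere, and one balance has transposed digits.
NEW_BALANCES = {
    "1000": Decimal("25000.00"),
    "1200": Decimal("48130.55"),
    "3000": Decimal("-42110.55"),
    "9999": Decimal("-31020.00"),
}

# Constructed transactions: (reference, posting date, amount).
OLD_TXNS = [
    ("OLD-0981", date(2010, 6, 29), Decimal("410.00")),
    ("OLD-0982", date(2010, 7, 2), Decimal("75.00")),
]
NEW_TXNS = [
    ("NEW-0001", date(2010, 6, 30), Decimal("120.00")),
    ("NEW-0002", date(2010, 7, 1), Decimal("310.00")),
]


def reconcile_balances(old, new):
    """Compare the two extracts account by account, not only in total."""
    dropped = sorted(set(old) - set(new))   # completeness: lost in conversion
    added = sorted(set(new) - set(old))     # no source in the old system
    changed = {
        acct: (old[acct], new[acct], new[acct] - old[acct])
        for acct in sorted(set(old) & set(new))
        if old[acct] != new[acct]           # accuracy: balance altered
    }
    return {
        "record_count": (len(old), len(new)),
        "net_total": (sum(old.values(), Decimal("0")),
                      sum(new.values(), Decimal("0"))),
        "dropped": dropped,
        "added": added,
        "changed": changed,
        "complete_and_accurate": not (dropped or added or changed),
    }


def cutoff_exceptions(old_txns, new_txns, cutover):
    """List transactions recorded in the wrong system for their date."""
    exceptions = []
    for ref, posted, _amount in old_txns:
        if posted > cutover:
            exceptions.append((ref, "old system, dated after cut-over"))
    for ref, posted, _amount in new_txns:
        if posted <= cutover:
            exceptions.append((ref, "new system, dated on or before cut-over"))
    return exceptions


if __name__ == "__main__":
    result = reconcile_balances(OLD_BALANCES, NEW_BALANCES)
    for key, value in result.items():
        print(f"{key}: {value}")
    for ref, reason in cutoff_exceptions(OLD_TXNS, NEW_TXNS, CUTOVER):
        print(f"cut-off exception {ref}: {reason}")
```

In this sample the record count and net total agree between the two systems, so only the account-level comparison exposes the dropped, added, and altered balances.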


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved).

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission.

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests.

Output controls

control totals; master file changes; output distribution.
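
Several of the input controls listed above, written out as an edit routine over a keyed payroll batch. This is an added example, not part of the course material; the record layout, the limits, the sample batch, and the choice of a Luhn mod-10 check digit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Assumed limits for the limit/reasonableness tests (not from the course text).
MAX_WEEKLY_HOURS = Decimal("60")
MAX_GROSS_PAY = Decimal("3000.00")
REQUIRED_FIELDS = ("seq", "employee_id", "hours", "gross")

# Constructed batch header: control totals taken by the user department
# from the source documents before the batch was keyed.
BATCH_HEADER = {
    "record_count": 6,
    "financial_total": Decimal("9420.00"),  # sum of gross pay
    "hash_total": 60240,                    # sum of employee numbers
}

# Constructed batch as keyed: record 4 was dropped and records 2, 3, 5
# and 6 contain keying errors.
KEYED_BATCH = [
    {"seq": 1, "employee_id": "10017", "hours": "40", "gross": "1600.00"},
    {"seq": 2, "employee_id": "10052", "hours": "38", "gross": "1520.00"},
    {"seq": 3, "employee_id": "10033", "hours": "95", "gross": "3800.00"},
    {"seq": 5, "employee_id": "10041", "hours": "40", "gross": "-1600.00"},
    {"seq": 6, "employee_id": "10058", "hours": "", "gross": "1500.00"},
]


def as_text(value):
    return "" if value is None else str(value).strip()


def to_decimal(value):
    """Return a finite Decimal, or None if the value is not a number."""
    try:
        number = Decimal(as_text(value))
    except InvalidOperation:
        return None
    return number if number.is_finite() else None


def luhn_valid(number):
    """Check digit test: Luhn mod-10 over an all-digit identifier."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def edit_record(rec):
    """Field-level input controls; returns the reasons for rejection."""
    reasons = [f"missing data: {f}" for f in REQUIRED_FIELDS
               if as_text(rec.get(f)) == ""]
    emp = as_text(rec.get("employee_id"))
    if emp and not (emp.isascii() and emp.isdigit()):
        reasons.append("valid character: employee_id")
    elif emp and not luhn_valid(emp):
        reasons.append("check digit: employee_id")
    for field in ("hours", "gross"):
        if as_text(rec.get(field)) and to_decimal(rec.get(field)) is None:
            reasons.append(f"valid character: {field}")
    hours, gross = to_decimal(rec.get("hours")), to_decimal(rec.get("gross"))
    if hours is not None and not (0 < hours <= MAX_WEEKLY_HOURS):
        reasons.append("limit/reasonableness: hours")
    if gross is not None and gross <= 0:
        reasons.append("valid sign: gross")
    elif gross is not None and gross > MAX_GROSS_PAY:
        reasons.append("limit/reasonableness: gross")
    return reasons


def sequence_test(records):
    """Return (missing, duplicated) sequence numbers, numbering from 1."""
    seqs = [int(as_text(r.get("seq"))) for r in records
            if as_text(r.get("seq")).isdigit()]
    missing = sorted(set(range(1, max(seqs, default=0) + 1)) - set(seqs))
    duplicated = sorted({s for s in seqs if seqs.count(s) > 1})
    return missing, duplicated


def batch_totals(records):
    """Recompute the batch control totals from the keyed records."""
    grosses = [to_decimal(r.get("gross")) for r in records]
    ids = [as_text(r.get("employee_id")) for r in records]
    return {
        "record_count": len(records),
        "financial_total": sum((g for g in grosses if g is not None), Decimal("0")),
        "hash_total": sum(int(i) for i in ids if i.isascii() and i.isdigit()),
    }


def run_input_controls(header, records):
    """Edit every record, then agree the keyed batch to its header."""
    rejected = {}
    for rec in records:
        reasons = edit_record(rec)
        if reasons:
            rejected[rec["seq"]] = reasons  # held for correction and resubmission
    missing, duplicated = sequence_test(records)
    actual = batch_totals(records)
    return {
        "accepted": [r["seq"] for r in records if r["seq"] not in rejected],
        "rejected": rejected,
        "missing_sequence": missing,
        "duplicated_sequence": duplicated,
        "total_differences": {k: (header[k], actual[k])
                              for k in header if header[k] != actual[k]},
    }
```

The hash total has no accounting meaning of its own; it differs here because the transposed employee number and the dropped record both change the sum, which the financial total alone would not attribute to the identifier field.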


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.
Designing tests is easy.
Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
The same software can be used on various clients' computer systems.
Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.



7.8 General strategy in auditing computerized systems

Learning objective

Identify the phases of auditing a computerized accounting system. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 3–4

CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089)

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 5

LEVEL 1

Reading 7-1, Section 5, describes audit planning considerations in a computer environment. Guidance on obtaining an understanding of the accounting information system and the nature of the internal control procedures is given in CAS 315.A77–A82 (CICA Handbook, paragraphs 5141.080–.089). The steps in evaluating computer processing controls can be summarized as follows:

1. Preliminary evaluation of internal control

Activity 7.8-1

Auditors should conduct a preliminary evaluation of the general and application controls that may be effective and efficient for performing the audit. The general controls may have a pervasive effect on the processing of transactions in applications systems. If these controls are not effective, the risk is that errors might occur and go undetected in the application system. Weaknesses in general controls may make certain application controls unreliable. However, manual procedures exercised by the users may provide effective compensating control at the application level. Can you identify a compensating control?

Solution 1

What alternate measures might the auditor look for when concluding that there are weaknesses in general or application controls that preclude reliance on those controls?

Solution 2

2. Test of controls procedures

The purpose of the auditors’ test of controls procedures and final evaluation is to determine that the controls that they intend to rely on were functioning effectively throughout the period of intended reliance, and that they can be relied on as planned in the preliminary evaluation. In a computer environment, the objectives of test of controls procedures do not change from those in a manual environment; however, some audit procedures may change. In addition to enquiry, observation, and sampling procedures, the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques (CAATs).

3. Final evaluation

If the auditor obtains evidence that the controls were not operating as designed, or the test of controls procedures indicate that the general controls do not provide reasonable assurance that the application controls functioned during the period of reliance, the auditor’s final evaluation may be to discontinue the planned reliance. Instead, the auditor may seek to accomplish the audit objectives through the application of more extensive substantive procedures.

7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19

Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6, Section 9, provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software, and
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a “black box,” consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client’s system.

Auditing through the computer

This approach consists of auditing the computer processing system, or data produced by the system, to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

| | Auditing around the computer | Auditing through the computer |
|---|---|---|
| How is it done? | No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs. | Auditing the computer processing system or data produced by the system to test the programmed controls. |
| Advantage(s) | Simplicity — does not require computer-proficient personnel. May be more cost effective. | Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system. |
| What are the “ideal” conditions for each? | Requires sufficient audit trail of visible evidence. | This method must be used if any one of the following exists: the presence of large volumes of input/output means that direct examination of the records is difficult; lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system; system is complex and includes key parts of the accounting system. |
| Approaches | Bypasses the computer (auditing without the computer). | Two main approaches: 1. Test data; 2. Parallel simulation. |

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to “auditing with the computer” to test a company’s programmed controls:

• Test data approach
• Auditor’s computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses, and may be used alone or in combination. As clients’ computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

| | Test data approach | Parallel simulation approach |
|---|---|---|
| Strengths | Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion). | The auditor’s own programs can be tailored to the client’s system. |
| Weaknesses | A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only “prove” that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data. | The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications. |

The test data approach involves developing simulated data that are processed using the client’s actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review, and that none of the test data has contaminated the client’s records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.
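The test data approach described above, sketched as an added example that is not part of the course material: an auditor's test deck with predetermined results is run through a stand-in for the copy of the client's order-entry program, and the live master file is fingerprinted before and after to show that no test data contaminated it. The program, its reject codes, the seeded defect, and all record values are constructed assumptions.

```python
"""Test data approach: auditor-built transactions through the client's program."""
import copy
import hashlib
import json

# Constructed customer master file standing in for the client's live records.
LIVE_MASTER = {
    "C001": {"balance_cents": 400000, "limit_cents": 500000},
    "C002": {"balance_cents": 0, "limit_cents": 100000},
}


def client_process_order(master, txn):
    """Hypothetical stand-in for the copy of the client's order-entry program.

    Programmed controls: the customer must exist, the amount must be
    positive, and the order must not push the balance over the credit limit.
    """
    cust = master.get(txn["customer"])
    if cust is None:
        return "REJECT:UNKNOWN_CUSTOMER"
    if txn["amount_cents"] == 0:  # seeded defect: should reject <= 0
        return "REJECT:BAD_AMOUNT"
    if cust["balance_cents"] + txn["amount_cents"] > cust["limit_cents"]:
        return "REJECT:CREDIT_LIMIT"
    cust["balance_cents"] += txn["amount_cents"]
    return "ACCEPT"


# Test deck: (label, transaction, predetermined result). All values constructed.
TEST_DECK = [
    ("T1 valid order within limit",
     {"customer": "C001", "amount_cents": 50000}, "ACCEPT"),
    ("T2 order exactly reaching limit",
     {"customer": "C002", "amount_cents": 100000}, "ACCEPT"),
    ("T3 order one cent over limit",
     {"customer": "C001", "amount_cents": 100001}, "REJECT:CREDIT_LIMIT"),
    ("T4 unknown customer",
     {"customer": "C999", "amount_cents": 1000}, "REJECT:UNKNOWN_CUSTOMER"),
    ("T5 zero amount",
     {"customer": "C002", "amount_cents": 0}, "REJECT:BAD_AMOUNT"),
    ("T6 negative amount",
     {"customer": "C002", "amount_cents": -5000}, "REJECT:BAD_AMOUNT"),
]


def fingerprint(records):
    """Stable SHA-256 over the records, used to show the live file is untouched."""
    blob = json.dumps(records, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def run_test_deck(program, live_master, deck):
    """Run each test transaction against a private copy of the master file.

    Returns (exceptions, contaminated): the cases whose actual outcome differs
    from the predetermined one, and whether the live records changed.
    """
    before = fingerprint(live_master)
    exceptions = []
    for label, txn, expected in deck:
        sandbox = copy.deepcopy(live_master)  # fresh copy for every case
        actual = program(sandbox, txn)
        if actual != expected:
            exceptions.append(
                {"case": label, "expected": expected, "actual": actual}
            )
    contaminated = fingerprint(live_master) != before
    return exceptions, contaminated


if __name__ == "__main__":
    found, contaminated = run_test_deck(client_process_order, LIVE_MASTER, TEST_DECK)
    for e in found:
        print(f"EXCEPTION {e['case']}: expected {e['expected']}, got {e['actual']}")
    print("live records contaminated:", contaminated)
```

Dropping case T6 from the deck makes the run come back clean even though the defect is still in the program, which is the weakness listed for this approach in Exhibit 7.11-1.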

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor’s program and comparing the result to the output of the same data processed by the client’s program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client’s data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
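Parallel simulation as described above, in an added example that is not taken from the course or from any GAS product: the auditor's own program recomputes invoice amounts from the client's input data, compares them record by record with the client's output, and produces the totals and subtotals a GAS package would. The file layouts, the pricing rule, and all records are constructed assumptions.

```python
"""Parallel simulation: client's data through the auditor's own program."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's invoice-line input file.
CLIENT_INPUT_CSV = """invoice,customer,qty,unit_price,discount_pct
INV-1001,C001,10,19.99,0
INV-1002,C002,3,250.00,5
INV-1003,C001,7,12.50,10
INV-1004,C003,1,999.95,0
INV-1005,C002,2,40.00,0
"""

# Constructed extract of what the client's program produced from that input.
CLIENT_OUTPUT_CSV = """invoice,customer,net_amount
INV-1001,C001,199.90
INV-1002,C002,712.50
INV-1003,C001,87.50
INV-1004,C003,999.95
"""

CENT = Decimal("0.01")


def read_rows(text):
    """Parse a CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def auditor_net_amount(row):
    """Auditor's independent computation: extension less the line discount.

    The pricing rule itself is an assumption made for this example.
    """
    gross = Decimal(row["qty"]) * Decimal(row["unit_price"])
    net = gross * (Decimal(100) - Decimal(row["discount_pct"])) / Decimal(100)
    return net.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(input_csv, output_csv):
    """Reprocess the client's input and compare with the client's output."""
    simulated = {
        r["invoice"]: (r["customer"], auditor_net_amount(r))
        for r in read_rows(input_csv)
    }
    client = {r["invoice"]: Decimal(r["net_amount"]) for r in read_rows(output_csv)}

    exceptions = []
    for inv, (_cust, expected) in sorted(simulated.items()):
        if inv not in client:
            # Completeness: input was never processed into the client's output.
            exceptions.append((inv, "MISSING_FROM_CLIENT_OUTPUT", expected, None))
        elif client[inv] != expected:
            # Accuracy: the client's program computed a different amount.
            exceptions.append((inv, "AMOUNT_DIFFERS", expected, client[inv]))
    for inv in sorted(set(client) - set(simulated)):
        # Validity: output exists with no supporting input record.
        exceptions.append((inv, "NO_SOURCE_INPUT", None, client[inv]))

    subtotals = {}
    for cust, amount in simulated.values():
        subtotals[cust] = subtotals.get(cust, Decimal(0)) + amount

    return {
        "exceptions": exceptions,
        "auditor_total": sum((a for _, a in simulated.values()), Decimal(0)),
        "client_total": sum(client.values(), Decimal(0)),
        "subtotals_by_customer": subtotals,
    }


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_INPUT_CSV, CLIENT_OUTPUT_CSV)
    print("auditor total:", result["auditor_total"])
    print("client total: ", result["client_total"])
    for inv, kind, expected, actual in result["exceptions"]:
        print(f"{inv}: {kind} (auditor={expected}, client={actual})")
```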

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size, yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor’s briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada’s website) as a means to improve the auditor’s knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team’s work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases, or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor’s opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company’s operations and on the audit approach.

Effects on the company’s operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit.
• The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client’s business, the auditor should obtain an understanding of the client’s computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today’s computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

• the concentration of functions
• documentation of transactions
• controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company’s internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

• controls over access to programs and data
• controls over system design and maintenance
• protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company’s operations, including the implications of electronic commerce for a company’s internal control and for its audit.

The two main effects of EDI for auditors are

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization’s internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada’s Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client’s system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

• commercial general-use software such as Excel
• pre-built spreadsheet templates
• special-use software such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates

Scenario 7.1-1 solution

| Effect/Impact | Risk | Management responsibility |
|---|---|---|
| Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment). | Appropriate internal controls lacking in computerized environment. | Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors. |
| Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department. | Greater risk of losing large amount of data in case of breakdown of computer system. | Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.) |

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team, and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer’s bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company, which has computerized its system extensively, would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP, or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
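
The input controls listed above can be seen working together on a single keyed batch. The following program is an added illustration, not part of the course material: the record layout, the 5,000.00 limit, the sample batch, and the choice of the Luhn (mod 10) formula for the check digit are all assumptions made for the example.

```python
"""Batch input controls applied to one keyed batch (constructed data)."""
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("5000.00")  # assumed limit/reasonableness ceiling per payment


def all_digits(text):
    """Valid character test: ASCII digits only."""
    return text.isascii() and text.isdigit()


def luhn_valid(number):
    """Check digit test using the Luhn (mod 10) formula (an assumed scheme)."""
    if not all_digits(number) or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def parse_amount(text):
    """Return the amount as a Decimal, or None when it is missing or unreadable."""
    try:
        return Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return None


def validate_batch(header, records):
    """Return (reference, failed_test) pairs; an empty list means a clean batch."""
    exceptions = []
    amounts = [parse_amount(r.get("amount")) for r in records]
    accounts = [r.get("account") or "" for r in records]

    # Batch-level controls: compare the keyed batch with the batch header slip.
    if len(records) != header["record_count"]:
        exceptions.append(("BATCH", "record count"))
    if sum(a for a in amounts if a is not None) != Decimal(header["financial_total"]):
        exceptions.append(("BATCH", "batch financial total"))
    if sum(int(a) for a in accounts if all_digits(a)) != header["hash_total"]:
        exceptions.append(("BATCH", "batch hash total"))

    # Record-level controls, applied to each transaction in keyed order.
    previous = None
    for record, account, amount in zip(records, accounts, amounts):
        ref = record.get("voucher")
        if not account or amount is None:
            exceptions.append((ref, "missing data"))
        if account and not all_digits(account):
            exceptions.append((ref, "valid character"))
        elif account and not luhn_valid(account):
            exceptions.append((ref, "check digit"))
        if amount is not None and amount <= 0:
            exceptions.append((ref, "valid sign"))
        elif amount is not None and amount > LIMIT:
            exceptions.append((ref, "limit/reasonableness"))
        if previous is not None and ref != previous + 1:
            exceptions.append((ref, "sequence"))
        previous = ref
    return exceptions


# Constructed batch header slip and two versions of the keyed batch.
HEADER = {"record_count": 4, "financial_total": "3650.00", "hash_total": 1001398}
CLEAN = [
    {"voucher": 1001, "account": "100230", "amount": "1200.00"},
    {"voucher": 1002, "account": "200477", "amount": "850.50"},
    {"voucher": 1003, "account": "300111", "amount": "99.50"},
    {"voucher": 1004, "account": "400580", "amount": "1500.00"},
]
KEYED_WITH_ERRORS = [
    {"voucher": 1001, "account": "100230", "amount": "1200.00"},
    {"voucher": 1002, "account": "200747", "amount": "850.50"},    # digits transposed
    {"voucher": 1004, "account": "400580", "amount": "15000.00"},  # 1003 dropped, extra zero
]

if __name__ == "__main__":
    for ref, test in validate_batch(HEADER, KEYED_WITH_ERRORS):
        print(ref, "failed", test)
```

The hash total has no accounting meaning; it exists only so that a transposed or substituted account number changes a figure that was fixed before keying.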


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.9 Internal control considerations in personal computer, online, and database environments

Learning objective

Identify internal control considerations in personal computer, online, and database environments. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 15–19
Reading 7-1, AuG-6, Auditing in an EDP Environment, Sections 9 and 10 (paragraphs 10.1–10.11)

LEVEL 1

AuG-6 Section 9 provides an overview of the audit considerations in a personal computer environment.

Personal computers (PCs)

The control environment for stand-alone computers (PCs) is generally weak because of a lack of:

• segregation of duties
• physical security of the microcomputer and its files
• computer knowledge
• reliable hardware and software
• documentation for software and software changes

Typically, there are no application controls (such as use of batch totals or passwords) in small systems. In such computer environments, it may not be easy to distinguish between general controls and application controls. Frequently, it may not be practicable or cost-effective for management to implement sufficient controls to reduce risks of undetected errors to a minimum level.

The auditor may often assume the control risk is high in such systems. Nevertheless, the auditor may be able to rely on owner/manager controls to compensate for the poor control environment.

Online and database systems

Paragraphs 10.1 to 10.11 in Reading 7-1 outline the internal control considerations for online and database systems.


7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems: auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?
• Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.
• Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)
• Auditing around the computer: Simplicity; does not require computer-proficient personnel. May be more cost effective.
• Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?
• Auditing around the computer: Requires sufficient audit trail of visible evidence.
• Auditing through the computer: This method must be used if any one of the following exists: the presence of large volumes of input/output means that direct examination of the records is difficult; lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system; the system is complex and includes key parts of the accounting system.

Approaches
• Auditing around the computer: Bypasses the computer (auditing without the computer).
• Auditing through the computer: Two main approaches: 1. Test data; 2. Parallel simulation.


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

• Test data approach
• Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths
• Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).
• Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses
• Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.
• Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
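
The contrast between the test data approach and parallel simulation described in this topic can be shown on a small payroll routine. This is an added illustration, not part of the course material: `client_gross_pay` is a hypothetical stand-in for a client program with a seeded defect, and the pay policy (time-and-a-half above 40 hours), the test deck, and the payroll register are constructed for the example.

```python
"""Test data approach versus parallel simulation on a payroll routine (constructed data)."""
from decimal import Decimal as D, ROUND_HALF_UP

CENT = D("0.01")
STANDARD_HOURS = D("40")   # assumed pay policy: time-and-a-half above 40 hours
OVERTIME_FACTOR = D("1.5")


def auditor_gross_pay(hours, rate):
    """The auditor's own program, written independently from the documented policy."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, D("0"))
    gross = regular * rate + overtime * rate * OVERTIME_FACTOR
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def client_gross_pay(hours, rate):
    """Hypothetical stand-in for the client's program.

    Seeded programming error: hours above 60 are silently dropped, so every
    like transaction (anyone over 60 hours) is processed incorrectly.
    """
    paid_hours = min(hours, D("60"))
    overtime = max(paid_hours - STANDARD_HOURS, D("0"))
    gross = (paid_hours - overtime) * rate + overtime * rate * OVERTIME_FACTOR
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def run_test_data(program, deck):
    """Test data approach: run simulated transactions, list departures from predetermined results."""
    failures = []
    for hours, rate, expected in deck:
        actual = program(hours, rate)
        if actual != expected:
            failures.append((hours, rate, expected, actual))
    return failures


def parallel_simulation(client_output, auditor_program):
    """Reprocess every client record with the auditor's program and list the differences."""
    exceptions = []
    for row in client_output:
        recomputed = auditor_program(row["hours"], row["rate"])
        if recomputed != row["gross"]:
            exceptions.append((row["employee"], row["gross"], recomputed))
    return exceptions


# Auditor's simulated transactions with predetermined results (constructed).
TEST_DECK = [
    (D("40"), D("20.00"), D("800.00")),
    (D("45"), D("20.00"), D("950.00")),
    (D("41"), D("10.00"), D("415.00")),
    (D("0"), D("20.00"), D("0.00")),
]
# The same deck with one exceptional transaction added.
WIDER_DECK = TEST_DECK + [(D("65"), D("18.00"), D("1395.00"))]

# Client's payroll register for the period, as produced by the client's system (constructed).
CLIENT_OUTPUT = [
    {"employee": "E01", "hours": D("40"), "rate": D("20.00"), "gross": D("800.00")},
    {"employee": "E02", "hours": D("45"), "rate": D("20.00"), "gross": D("950.00")},
    {"employee": "E03", "hours": D("65"), "rate": D("18.00"), "gross": D("1260.00")},
    {"employee": "E04", "hours": D("38.5"), "rate": D("22.00"), "gross": D("847.00")},
    {"employee": "E05", "hours": D("72"), "rate": D("25.00"), "gross": D("1750.00")},
]

if __name__ == "__main__":
    print("Test deck failures:", run_test_data(client_gross_pay, TEST_DECK))
    print("Wider deck failures:", run_test_data(client_gross_pay, WIDER_DECK))
    for employee, client_amount, auditor_amount in parallel_simulation(
        CLIENT_OUTPUT, auditor_gross_pay
    ):
        print(employee, "client:", client_amount, "auditor:", auditor_amount)
```

The original deck passes cleanly because none of its transactions exceeds 60 hours, which is the weakness Exhibit 7.11-1 attributes to test data; reprocessing the full register exposes both affected employees.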


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application developed in the United States by KPMG LLP can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit.
• The impact of the computer environment on internal controls and the audit.
• When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.
• The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.
• The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• the concentration of functions
• documentation of transactions
• controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• controls over access to programs and data
• controls over system design and maintenance
• protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are:

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit

commercial general-use software, such as Excel
pre-built spreadsheet templates
special-use software, such as expert systems
custom programs for auditing specific areas
working paper software
networked files
standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA-Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
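
A sketch of the conversion test described above, as an added example that is not part of the course material: it reconciles closing balances in the old system to opening balances in the new one and checks cut-off. The account numbers, balances, journal references, and changeover date are constructed, and the function names are hypothetical.

```python
from datetime import date
from decimal import Decimal

# Constructed balances at the changeover date: account number -> balance.
OLD_CLOSING = {
    "1000": Decimal("15250.00"),
    "1100": Decimal("48310.55"),
    "2000": Decimal("-22140.10"),
    "3000": Decimal("-41420.45"),
}
NEW_OPENING = {
    "1000": Decimal("15259.00"),   # overstated by 9.00
    "1100": Decimal("48301.55"),   # understated by 9.00, offsetting the line above
    "2000": Decimal("-22140.10"),
    "9999": Decimal("-41420.45"),  # balance of account 3000 landed in an unmapped account
}

CUTOVER = date(2010, 7, 1)  # assumed first day of processing on the new system

# Constructed postings: (system that recorded the entry, posting date, reference).
POSTINGS = [
    ("old", date(2010, 6, 30), "JE-0981"),
    ("old", date(2010, 7, 2), "JE-0985"),   # posted to the old system after changeover
    ("new", date(2010, 7, 1), "JE-1001"),
    ("new", date(2010, 6, 29), "JE-1002"),  # pre-changeover entry keyed into the new system
]


def reconcile_conversion(old, new):
    """Compare old-system closing balances with new-system opening balances.

    Record counts and control totals test completeness at batch level; the
    account-by-account comparison catches errors that leave both unchanged.
    """
    missing = sorted(set(old) - set(new))
    unexpected = sorted(set(new) - set(old))
    changed = {
        acct: (old[acct], new[acct])
        for acct in sorted(set(old) & set(new))
        if old[acct] != new[acct]
    }
    return {
        "record_count": (len(old), len(new)),
        "control_total": (sum(old.values()), sum(new.values())),
        "missing": missing,
        "unexpected": unexpected,
        "changed": changed,
        "clean": not (missing or unexpected or changed),
    }


def cutoff_exceptions(postings, cutover):
    """Return references recorded in the wrong system for their posting date."""
    return [
        ref
        for system, posted, ref in postings
        if (system == "old" and posted >= cutover)
        or (system == "new" and posted < cutover)
    ]


if __name__ == "__main__":
    result = reconcile_conversion(OLD_CLOSING, NEW_OPENING)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("cut-off exceptions:", cutoff_exceptions(POSTINGS, CUTOVER))
```

In the constructed data the record counts and control totals agree between the two systems, so only the account-level comparison reveals the offsetting errors and the relocated balance.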

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

organization and physical access
documentation and systems development
hardware controls and preventive maintenance
data file and program control and security
backup and recovery procedures
file security
file retention
system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization
check digits
record counts
batch financial totals
batch hash totals
valid character tests
valid sign tests
missing data tests
sequence tests
limit/reasonableness tests
error correction and resubmission

Processing controls

run-to-run totals
control total reports
file logs
limit/reasonableness tests

Output controls

control totals
master file changes
output distribution
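
How several of the input controls listed above operate on one batch, as an added example that is not part of the course material. The batch, the header totals, the per-transaction limit, and the choice of a Luhn (mod 10) check digit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("5000.00")  # assumed per-transaction limit


def luhn_ok(number):
    """Check-digit test: Luhn (mod 10), with the last digit as the check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_batch(header, records):
    """Return (document number or 'batch', control that failed) for every exception."""
    exceptions = []
    financial_total = Decimal("0")
    hash_total = 0          # sum of account numbers: meaningless except as a control
    previous_doc = None
    for rec in records:
        doc, account, amount = rec.get("doc"), rec.get("account"), rec.get("amount")
        if doc is None or not account or not amount:
            exceptions.append((doc, "missing data"))
            continue
        if previous_doc is not None and doc != previous_doc + 1:
            exceptions.append((doc, "sequence"))
        previous_doc = doc
        if not (account.isascii() and account.isdigit()):
            exceptions.append((doc, "valid character"))
        else:
            hash_total += int(account)
            if not luhn_ok(account):
                exceptions.append((doc, "check digit"))
        try:
            value = Decimal(amount)
        except InvalidOperation:
            exceptions.append((doc, "valid character"))
            continue
        financial_total += value
        if value <= 0:
            exceptions.append((doc, "valid sign"))
        elif value > LIMIT:
            exceptions.append((doc, "limit"))
    # Batch-level controls: compare what was keyed with the user department's header.
    if len(records) != header["record_count"]:
        exceptions.append(("batch", "record count"))
    if financial_total != header["financial_total"]:
        exceptions.append(("batch", "financial total"))
    if hash_total != header["hash_total"]:
        exceptions.append(("batch", "hash total"))
    return exceptions


# Constructed header, prepared by the user department from six source documents.
HEADER = {"record_count": 6, "financial_total": Decimal("2454.75"), "hash_total": 16037}

# Constructed batch as keyed: document 503 was lost and four records were mis-keyed.
BATCH = [
    {"doc": 501, "account": "1008", "amount": "1200.00"},
    {"doc": 502, "account": "2060", "amount": "310.50"},   # 2006 keyed with digits transposed
    {"doc": 504, "account": "3004", "amount": "7500.00"},  # 750.00 keyed with an extra zero
    {"doc": 505, "account": "4002", "amount": "-45.00"},   # sign error
    {"doc": 506, "account": "5009", "amount": ""},         # amount not keyed
]

if __name__ == "__main__":
    for doc, control in validate_batch(HEADER, BATCH):
        print(doc, control)
```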

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

Page 19: Audit in CIS Environment

7.10 Approaches to auditing computerized systems

Learning objective

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 18–20 (up to Review Checkpoints)

LEVEL 1

There are two terms to describe the methods of auditing computerized systems — auditing around the computer and auditing through the computer.

Auditing around the computer

When auditing around the computer, no attempt is made to evaluate the internal processes of the computer. This method of bypassing the computer, or treating it like a "black box," consists of vouching or tracing to and from source documents and outputs. Exhibit 9A-2 on page 19 of Appendix 9A illustrates this process of manually processing sample documents and comparing those results to the same documents processed by the client's system.

Auditing through the computer

This approach consists of auditing the computer processing system or data produced by the system to determine how much reliance can be placed on the various internal controls programmed into the system. Exhibit 7.10-1 summarizes the two approaches.

Exhibit 7.10-1: Auditing around the computer and through the computer

How is it done?

Auditing around the computer: No attempt is made to evaluate the internal processes of the computer. Consists of vouching or tracing to and from source documents and outputs.

Auditing through the computer: Auditing the computer processing system or data produced by the system to test the programmed controls.

Advantage(s)

Auditing around the computer: Simplicity — does not require computer-proficient personnel. May be more cost effective.

Auditing through the computer: Sophisticated method, and may be the only method if significant parts of the internal controls are embedded in the computer system.

What are the "ideal" conditions for each?

Auditing around the computer: Requires sufficient audit trail of visible evidence.

Auditing through the computer: This method must be used if any one of the following exists:

The presence of large volumes of input/output means that direct examination of the records is difficult.

Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

System is complex and includes key parts of the accounting system.

Approaches

Auditing around the computer: Bypasses the computer (auditing without the computer).

Auditing through the computer: Two main approaches:

1. Test data

2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1, AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

Test data approach

Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application developed in the United States by KPMG LLP can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters, such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations, such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites, so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit. The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data, controls over system design and maintenance, protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls, as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that adequate procedures are in place and computer systems are properly documented; an adequate audit trail for significant classes of transactions exists; and knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
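
The conversion tests described in this solution and in the earlier scenario solution on system conversion can be carried out on machine-readable extracts from both systems. The following is an added example, not part of the course material; the account numbers, balances, document numbers, and changeover date are constructed, and the function names are hypothetical. It shows why record counts and control totals alone are not enough: here they agree, yet the record-level match finds a dropped account, an unexplained account, and two offsetting balance errors.

```python
from datetime import date
from decimal import Decimal

CHANGEOVER = date(2010, 7, 1)  # constructed changeover date

# Constructed closing balances extracted from the old system.
OLD_CLOSING = {"1000": Decimal("15200.00"), "1200": Decimal("48310.55"),
               "2000": Decimal("-21050.00"), "3000": Decimal("-42460.55")}

# Constructed opening balances extracted from the new system.
NEW_OPENING = {"1000": Decimal("15380.00"),   # overstated by 180.00
               "1200": Decimal("48130.55"),   # understated by 180.00 (transposed digits)
               "3000": Decimal("-42460.55"),
               "9999": Decimal("-21050.00")}  # account 2000 re-keyed under an unknown number

# Constructed transaction logs: (document number, posting date).
OLD_TXNS = [("INV-501", date(2010, 6, 29)), ("INV-502", date(2010, 6, 30)),
            ("INV-503", date(2010, 7, 2))]
NEW_TXNS = [("INV-502", date(2010, 6, 30)), ("INV-504", date(2010, 7, 1))]


def reconcile_balances(old, new):
    """Completeness and accuracy: compare the two extracts account by account."""
    shared = sorted(set(old) & set(new))
    return {
        "record_counts": (len(old), len(new)),
        "control_totals": (sum(old.values(), Decimal("0")),
                           sum(new.values(), Decimal("0"))),
        "missing": sorted(set(old) - set(new)),   # in old system, not carried forward
        "added": sorted(set(new) - set(old)),     # in new system with no source
        "changed": {a: (old[a], new[a]) for a in shared if old[a] != new[a]},
    }


def cutoff_exceptions(old_txns, new_txns, changeover):
    """Cut-off: each transaction belongs to exactly one system, by posting date."""
    old_ids = {doc for doc, _ in old_txns}
    return {
        "old_after_changeover": [d for d, dt in old_txns if dt >= changeover],
        "new_before_changeover": [d for d, dt in new_txns if dt < changeover],
        "posted_to_both": [d for d, _ in new_txns if d in old_ids],
    }


if __name__ == "__main__":
    for name, value in reconcile_balances(OLD_CLOSING, NEW_OPENING).items():
        print(name, value)
    for name, value in cutoff_exceptions(OLD_TXNS, NEW_TXNS, CHANGEOVER).items():
        print(name, value)
```
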


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
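
Several of the input controls listed above can be seen working together on one batch. The following is an added example, not part of the course material; the batch, the 5,000.00 limit, and all names are constructed, and the Luhn mod 10 formula is an assumed choice of check-digit scheme, since the text does not name one. Record-level edits run first, then the batch figures are compared with the control figures on the batch header.

```python
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("5000.00")  # assumed limit for the limit/reasonableness test

# Constructed control figures from the batch header prepared by the user department.
HEADER = {"record_count": 4,
          "financial_total": Decimal("1850.00"),
          "hash_total": 1022948}  # sum of account numbers, meaningful only as a control

# Constructed batch as submitted.
CLEAN_BATCH = [
    {"doc_no": 1001, "account": "100230", "amount": "250.00"},
    {"doc_no": 1002, "account": "204172", "amount": "400.00"},
    {"doc_no": 1003, "account": "305664", "amount": "720.00"},
    {"doc_no": 1004, "account": "412882", "amount": "480.00"},
]

# Same batch with constructed keying errors: two digits transposed in an
# account number, document 1003 dropped, and a decimal point slipped on 1004.
FAULTY_BATCH = [
    {"doc_no": 1001, "account": "100230", "amount": "250.00"},
    {"doc_no": 1002, "account": "201472", "amount": "400.00"},
    {"doc_no": 1004, "account": "412882", "amount": "48000.00"},
]


def luhn_ok(number):
    """Check-digit test: the last digit must satisfy the Luhn mod 10 formula."""
    if not number.isdigit():              # valid character test on the account field
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, records):
    """Return (doc_no, control, detail) exceptions; doc_no is None for batch-level ones."""
    exceptions, amounts, accounts = [], [], []
    prev_doc = None
    for rec in records:
        doc = rec["doc_no"]
        if prev_doc is not None and doc != prev_doc + 1:      # sequence test
            exceptions.append((doc, "sequence", f"expected {prev_doc + 1}"))
        prev_doc = doc
        account, raw = rec.get("account", ""), rec.get("amount", "")
        if not account or not raw:                            # missing data test
            exceptions.append((doc, "missing data", "account or amount blank"))
            continue
        if not luhn_ok(account):                              # check digit
            exceptions.append((doc, "check digit", account))
        try:
            amount = Decimal(raw)
        except InvalidOperation:                              # valid character test
            exceptions.append((doc, "valid character", raw))
            continue
        if amount <= 0:                                       # valid sign test
            exceptions.append((doc, "valid sign", raw))
        elif amount > AMOUNT_LIMIT:                           # limit/reasonableness test
            exceptions.append((doc, "limit", raw))
        amounts.append(amount)
        if account.isdigit():
            accounts.append(int(account))
    computed = {"record_count": len(records),
                "financial_total": sum(amounts, Decimal("0")),
                "hash_total": sum(accounts)}
    for name in ("record_count", "financial_total", "hash_total"):
        if computed[name] != header[name]:                    # batch control totals
            exceptions.append((None, name.replace("_", " "),
                               f"computed {computed[name]}, control {header[name]}"))
    return exceptions


if __name__ == "__main__":
    for exc in validate_batch(HEADER, FAULTY_BATCH):
        print(exc)
```
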


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing


Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required. Designing tests is easy. Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs. For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems. Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

Page 20: Audit in CIS Environment

fileF|Courses2010-11CGAAU106coursem07t10htm

What are the "ideal" conditions for each?

Requires sufficient audit trail of visible evidence.

This method must be used if any one of the following exists:

• The presence of large volumes of input/output means that direct examination of the records is difficult.

• Lack of visible audit trail means that significant parts of the internal controls are embedded in the computer system.

• System is complex and includes key parts of the accounting system.

Approaches

Bypasses the computer (auditing without the computer).

Two main approaches:

1. Test data

2. Parallel simulation

7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20-28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

• Test data approach
• Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).
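The weakness listed for the test data approach in Exhibit 7.11-1 can be seen in a small added example (not from the course text or Appendix 9A). A constructed stand-in for a client payroll program carries a seeded overtime defect; the test deck does not exercise it and passes, while parallel simulation over the period's records reports the affected employees. All names, pay rules, and records are assumptions made for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
OT_THRESHOLD = Decimal("40")    # assumed policy: hours above 40 earn a premium
OT_MULTIPLIER = Decimal("1.5")
MAX_HOURS = Decimal("60")       # assumed reasonableness limit on weekly hours
REJECTED = "REJECTED"


def client_gross_pay(hours, rate):
    """Constructed stand-in for (a copy of) the client's payroll program.

    Seeded defect: the overtime premium stops at 50 hours, so hours
    between 50 and 60 are paid at straight time.
    """
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or hours > MAX_HOURS or rate <= 0:
        return REJECTED
    regular = min(hours, OT_THRESHOLD)
    premium_hours = min(max(hours - OT_THRESHOLD, Decimal(0)), Decimal("10"))
    straight_extra = max(hours - Decimal("50"), Decimal(0))
    pay = (regular + straight_extra) * rate + premium_hours * rate * OT_MULTIPLIER
    return pay.quantize(CENT, rounding=ROUND_HALF_UP)


def auditor_gross_pay(hours, rate):
    """Auditor's own program, written independently from the pay policy."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or hours > MAX_HOURS or rate <= 0:
        return REJECTED
    overtime = max(hours - OT_THRESHOLD, Decimal(0))
    pay = (hours - overtime) * rate + overtime * rate * OT_MULTIPLIER
    return pay.quantize(CENT, rounding=ROUND_HALF_UP)


# Test deck (constructed): simulated transactions with predetermined results.
TEST_DECK = [
    ("regular week", "40", "20.00", Decimal("800.00")),
    ("overtime", "45", "20.00", Decimal("950.00")),
    ("hours over limit", "61", "20.00", REJECTED),
    ("negative hours", "-1", "20.00", REJECTED),
    ("zero rate", "40", "0", REJECTED),
]

# Period input (constructed); the fourth field of CLIENT_FILE is the
# client's recorded output for that input.
CLIENT_INPUT = [
    ("E001", "38", "22.50"),
    ("E002", "44", "18.00"),
    ("E003", "55", "20.00"),
    ("E004", "60", "25.00"),
]
CLIENT_FILE = [(e, h, r, client_gross_pay(h, r)) for e, h, r in CLIENT_INPUT]


def run_test_data(program, deck):
    """Test data approach: return the cases whose output differs from the
    predetermined result as (description, expected, actual)."""
    failures = []
    for description, hours, rate, expected in deck:
        actual = program(hours, rate)
        if actual != expected:
            failures.append((description, expected, actual))
    return failures


def parallel_simulation(client_file, auditor_program):
    """Parallel simulation: reprocess client input with the auditor's program
    and return (employee, client output, auditor output) where they differ."""
    exceptions = []
    for employee, hours, rate, client_output in client_file:
        recomputed = auditor_program(hours, rate)
        if recomputed != client_output:
            exceptions.append((employee, client_output, recomputed))
    return exceptions


if __name__ == "__main__":
    print("Test deck failures:", run_test_data(client_gross_pay, TEST_DECK))
    for row in parallel_simulation(CLIENT_FILE, auditor_gross_pay):
        print("Parallel simulation exception:", row)
```

Adding a 55-hour case to the deck would expose the defect, which is the exhibit's point: the deck only proves the cases it contains.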

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.
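As an added illustration (not taken from Appendix 9A or from any GAS product), the kinds of functions named above (totals, record selection, and matching between files) can be sketched over constructed extracts of a client payments file and vendor master file. The file layouts, names, and amounts are assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed extracts of two client files in machine-readable form.
VENDOR_MASTER = {
    "V100": "Acme Supply",
    "V200": "Northern Freight",
    "V300": "Delta Tools",
}
PAYMENTS = [
    # (cheque_no, vendor_id, invoice_no, amount)
    (1001, "V100", "INV-501", Decimal("1250.00")),
    (1002, "V200", "INV-877", Decimal("18400.00")),
    (1003, "V100", "INV-501", Decimal("1250.00")),   # same invoice paid twice
    (1005, "V900", "INV-012", Decimal("9900.00")),   # vendor not on master file
    (1006, "V300", "INV-330", Decimal("310.75")),
]
LEDGER_CONTROL_TOTAL = Decimal("31110.75")  # constructed general-ledger figure


def foot(payments):
    """Recalculate the file total for comparison with the ledger control total."""
    return sum((amount for _, _, _, amount in payments), Decimal("0"))


def select_over(payments, threshold):
    """Select cheques above a stated amount for detailed examination."""
    return [cheque for cheque, _, _, amount in payments if amount > threshold]


def unmatched_vendors(payments, master):
    """Match the payments file to the vendor master; return cheques with no match."""
    return [cheque for cheque, vendor, _, _ in payments if vendor not in master]


def duplicate_invoices(payments):
    """Return (vendor, invoice) pairs that appear on more than one payment."""
    counts = Counter((vendor, invoice) for _, vendor, invoice, _ in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def sequence_gaps(payments):
    """Return cheque numbers missing from the numerical sequence."""
    numbers = sorted(cheque for cheque, _, _, _ in payments)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


if __name__ == "__main__":
    print("Footing agrees:", foot(PAYMENTS) == LEDGER_CONTROL_TOTAL)
    print("Over 5,000:", select_over(PAYMENTS, Decimal("5000")))
    print("Unmatched vendors:", unmatched_vendors(PAYMENTS, VENDOR_MASTER))
    print("Duplicate invoices:", duplicate_invoices(PAYMENTS))
    print("Missing cheque numbers:", sequence_gaps(PAYMENTS))
```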

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.

7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

• Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

• Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

• Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application developed in the United States by KPMG LLP can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

• Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

• Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

• Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

• Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit
• The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• the concentration of functions
• documentation of transactions
• controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• controls over access to programs and data
• controls over system design and maintenance
• protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.

Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are:

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

• commercial general-use software such as Excel
• pre-built spreadsheet templates
• special-use software such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

• adequate procedures are in place and computer systems are properly documented;
• an adequate audit trail for significant classes of transactions exists; and
• knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33, under "Skills and competence," describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
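The input controls listed above, applied to one batch of payment transactions, as an added example that is not part of the course material. The records, the batch header values, the approval limit and the choice of the Luhn algorithm as the check-digit scheme are all assumptions constructed for illustration.

```python
import re
from decimal import Decimal

APPROVAL_LIMIT = Decimal("5000.00")           # assumed limit for the limit/reasonableness test
AMOUNT_FORMAT = re.compile(r"-?\d+\.\d{2}")   # valid character test: digits with two decimals
REQUIRED = ("doc_no", "vendor_no", "amount")

# Batch header prepared by the user department before data entry (constructed).
HEADER = {"record_count": 4,
          "financial_total": Decimal("1830.50"),  # sum of the amounts
          "hash_total": 107010}                   # sum of vendor numbers, meaningful only as a control

# The batch as it should have been keyed (constructed).
GOOD = [
    {"doc_no": 1001, "vendor_no": "12344", "amount": "250.00"},
    {"doc_no": 1002, "vendor_no": "20487", "amount": "1200.50"},
    {"doc_no": 1003, "vendor_no": "33175", "amount": "80.00"},
    {"doc_no": 1004, "vendor_no": "41004", "amount": "300.00"},
]

# The same batch with three keying errors (constructed): transposed vendor digits,
# an extra digit in an amount, and document 1003 dropped.
KEYED = [
    {"doc_no": 1001, "vendor_no": "21344", "amount": "250.00"},
    {"doc_no": 1002, "vendor_no": "20487", "amount": "12000.50"},
    {"doc_no": 1004, "vendor_no": "41004", "amount": "300.00"},
]


def luhn_valid(number):
    """Check-digit test; the last digit is treated as a Luhn check digit (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_batch(header, records):
    """Return (control, detail) pairs for every input control that fails."""
    exceptions = []
    financial_total, hash_total, prev_doc = Decimal("0"), 0, None
    for rec in records:
        doc = rec.get("doc_no")
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:                                            # missing data test
            exceptions.append(("missing data", f"doc {doc}: {', '.join(missing)}"))
            continue
        if prev_doc is not None and doc != prev_doc + 1:       # sequence test
            exceptions.append(("sequence", f"doc {doc} follows {prev_doc}"))
        prev_doc = doc
        vendor = rec["vendor_no"]
        if vendor.isdigit():
            hash_total += int(vendor)
        if not luhn_valid(vendor):                             # check digit
            exceptions.append(("check digit", f"doc {doc}: vendor {vendor}"))
        if not AMOUNT_FORMAT.fullmatch(rec["amount"]):         # valid character test
            exceptions.append(("valid character", f"doc {doc}: amount {rec['amount']!r}"))
            continue
        amount = Decimal(rec["amount"])
        financial_total += amount
        if amount <= 0:                                        # valid sign test
            exceptions.append(("valid sign", f"doc {doc}: {amount}"))
        if amount > APPROVAL_LIMIT:                            # limit/reasonableness test
            exceptions.append(("limit", f"doc {doc}: {amount} exceeds {APPROVAL_LIMIT}"))
    # Batch-level controls: compare what was keyed with the batch header.
    if len(records) != header["record_count"]:
        exceptions.append(("record count",
                           f"{len(records)} keyed, {header['record_count']} expected"))
    if financial_total != header["financial_total"]:
        exceptions.append(("financial total",
                           f"{financial_total} keyed, {header['financial_total']} expected"))
    if hash_total != header["hash_total"]:
        exceptions.append(("hash total",
                           f"{hash_total} keyed, {header['hash_total']} expected"))
    return exceptions


if __name__ == "__main__":
    for control, detail in check_batch(HEADER, KEYED):
        print(f"{control:16} {detail}")
```

Each keying error is caught by a record-level control and again by a batch-level total, which is why the two kinds of control are used together.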


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


7.11 Approaches to auditing through the computer

Learning objective

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software. (Level 1)

Required reading

Chapter 9, Appendix 9A, pages 20–28, and Exhibits 9A-e and 9A-4 on pages 21 and 22

Reading 7-1: AuG-6, Auditing in an EDP Environment, Section 6

LEVEL 1

There are several approaches to auditing through the computer. The text describes two of these approaches to "auditing with the computer" to test a company's programmed controls:

• Test data approach
• Auditor's computer program approach, including generalized audit software (GAS)

Each approach has its particular strengths and weaknesses and may be used alone or in combination. As clients' computer systems perform more and more of the accounting functions, the audit trail becomes less visible. If the audit trail is non-existent, the auditor is forced to audit through the computer, using one of the two approaches described. Exhibit 7.11-1 compares the two approaches.

Exhibit 7.11-1: Test data and parallel simulation approaches

Strengths

Test data approach: Uses the uniformity principle (once a computer is programmed to handle transactions in a certain logical way, it will handle every transaction in a similar fashion).

Parallel simulation approach: The auditor's own programs can be tailored to the client's system.

Weaknesses

Test data approach: A computer system may contain errors that offset each other, providing output that appears to be correct. Without examining the internal processing logic of the computer systems, the auditor can only "prove" that the computer system works correctly with the test data used. The auditor has no means to confirm that the computer system will correctly handle transactions not included in the test data.

Parallel simulation approach: The programs may be costly to develop and modify. Generalized audit software (GAS) makes the parallel simulation approach more attractive. GAS contains prepackaged subroutines that can perform most tasks needed in auditing and business applications.

The test data approach involves developing simulated data that are processed using the client's actual computer program (or, more likely, a copy thereof) and then comparing the output to predetermined results.

When using the test data approach, the auditor must ascertain that the computer system being tested is the same one the client used to process data for the entire period under review and that none of the test data has contaminated the client's records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
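Parallel simulation as described above, sketched as an added example (not taken from the course text or from any GAS package): the auditor's own program reprocesses the client's transaction file and compares the result with the client program's output. The invoice data, the 5% volume-discount rule and all names are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
# Pricing rule as stated in the client's system documentation (constructed for this example):
# a 5% volume discount applies to any line of 100 units or more.
DISCOUNT_QTY = 100
DISCOUNT_RATE = Decimal("0.05")

# Client transaction file for the period (constructed).
CLIENT_INPUT = [
    {"invoice": "INV-001", "customer": "C10", "qty": 20,  "unit_price": "15.00"},
    {"invoice": "INV-002", "customer": "C10", "qty": 100, "unit_price": "8.00"},
    {"invoice": "INV-003", "customer": "C20", "qty": 150, "unit_price": "4.00"},
    {"invoice": "INV-004", "customer": "C20", "qty": 100, "unit_price": "2.50"},
    {"invoice": "INV-005", "customer": "C30", "qty": 99,  "unit_price": "10.00"},
]

# Extended amounts produced by the client's program for the same file (constructed).
# INV-005 is absent and INV-900 has no matching input record.
CLIENT_OUTPUT = {
    "INV-001": Decimal("300.00"),
    "INV-002": Decimal("800.00"),
    "INV-003": Decimal("570.00"),
    "INV-004": Decimal("250.00"),
    "INV-900": Decimal("125.00"),
}


def auditor_extension(line):
    """The auditor's independent implementation of the documented pricing logic."""
    gross = line["qty"] * Decimal(line["unit_price"])
    if line["qty"] >= DISCOUNT_QTY:
        gross *= 1 - DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_input, client_output):
    """Reprocess the client's input and compare, line by line, with the client's output."""
    differences, not_in_output = [], []
    simulated_total = Decimal("0")
    for line in client_input:
        expected = auditor_extension(line)
        simulated_total += expected
        reported = client_output.get(line["invoice"])
        if reported is None:
            not_in_output.append(line["invoice"])          # completeness exception
        elif reported != expected:
            differences.append((line["invoice"], line["qty"], expected, reported))
    input_ids = {line["invoice"] for line in client_input}
    return {
        "differences": differences,
        "not_in_output": not_in_output,
        "unsupported": sorted(set(client_output) - input_ids),  # output without input
        "simulated_total": simulated_total,
        "client_total": sum(client_output.values(), Decimal("0")),
    }


def systematic_conditions(differences):
    """Group differences by quantity. Under uniform processing a logic error hits
    every like transaction, so differences cluster on one condition."""
    by_qty = {}
    for invoice, qty, _expected, _reported in differences:
        by_qty.setdefault(qty, []).append(invoice)
    return by_qty


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT)
    for invoice, qty, expected, reported in result["differences"]:
        print(f"{invoice}: qty {qty}, auditor {expected}, client {reported}")
    print("not in client output:", result["not_in_output"])
    print("no supporting input: ", result["unsupported"])
    print("differences by quantity:", systematic_conditions(result["differences"]))
```

In this constructed data both differences fall on lines of exactly 100 units, which points to a boundary error in the client program's discount test rather than to random keying mistakes.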


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software — Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates — Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software — Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing — one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs — These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software — Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files — Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates — The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit
• The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• the concentration of functions
• documentation of transactions
• controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• controls over access to programs and data
• controls over system design and maintenance
• protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are:

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

• commercial general-use software such as Excel
• pre-built spreadsheet templates
• special-use software such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

• adequate procedures are in place and computer systems are properly documented;
• an adequate audit trail for significant classes of transactions exists; and
• knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department — the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computers uniformly subject like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records, through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

- organization and physical access
- documentation and systems development
- hardware controls and preventive maintenance
- data file and program control and security
- backup and recovery procedures
- file security
- file retention
- system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

- input authorization
- check digits
- record counts
- batch financial totals
- batch hash totals
- valid character tests
- valid sign tests
- missing data tests
- sequence tests
- limit/reasonableness tests
- error correction and resubmission

Processing controls

- run-to-run totals
- control total reports
- file logs
- limit/reasonableness tests

Output controls

- control totals
- master file changes
- output distribution
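
As an added illustration (not part of the course material), the following Python example applies several of the input controls listed above to one batch: record count, batch financial total, batch hash total, check digit, valid character, valid sign, missing data, sequence, and limit tests. The Luhn mod-10 check-digit scheme, the 5,000.00 limit, the field names, and both sample batches are assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("5000.00")  # assumed pre-specified amount for the limit test


@dataclass
class BatchHeader:
    """Control figures prepared by the user department before data entry."""
    record_count: int
    financial_total: Decimal  # sum of the amount field
    hash_total: int           # sum of account numbers; meaningful only as a control


def check_digit_ok(account: str) -> bool:
    """Check-digit test using Luhn mod 10 (an assumed scheme for this example)."""
    if not account.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, txns):
    """Return (reference, failed test) pairs; an empty list means the batch is accepted."""
    errors = []
    total, hash_sum, expected_seq = Decimal("0"), 0, None
    for t in txns:
        ref = f"seq {t.get('seq')}"
        # Missing data test: every field must be present and non-empty.
        if any(t.get(k) in (None, "") for k in ("seq", "account", "amount")):
            errors.append((ref, "missing data"))
            continue
        # Sequence test: numbers must run consecutively within the batch.
        if expected_seq is not None and t["seq"] != expected_seq:
            errors.append((ref, "sequence"))
        expected_seq = t["seq"] + 1
        # Check digit test: catches keying errors such as transposed digits.
        if not check_digit_ok(t["account"]):
            errors.append((ref, "check digit"))
        if t["account"].isdigit():
            hash_sum += int(t["account"])
        # Valid character test on the amount field.
        try:
            amount = Decimal(t["amount"])
        except InvalidOperation:
            amount = None
        if amount is None or not amount.is_finite():
            errors.append((ref, "valid character"))
            continue
        # Valid sign test, then limit/reasonableness test.
        if amount <= 0:
            errors.append((ref, "valid sign"))
        elif amount > LIMIT:
            errors.append((ref, "limit"))
        total += amount
    # Batch-level controls compare what was keyed with the header figures.
    if len(txns) != header.record_count:
        errors.append(("batch", "record count"))
    if total != header.financial_total:
        errors.append(("batch", "financial total"))
    if hash_sum != header.hash_total:
        errors.append(("batch", "hash total"))
    return errors


# Constructed sample data (not from the course material).
HEADER = BatchHeader(3, Decimal("5195.49"), 600018)
CLEAN_BATCH = [
    {"seq": 1, "account": "100008", "amount": "120.00"},
    {"seq": 2, "account": "200006", "amount": "75.50"},
    {"seq": 3, "account": "300004", "amount": "4999.99"},
]
# Same header, but keyed with a transposed account number, a gap in the
# sequence numbers, and an amount above the limit.
KEYED_BATCH = [
    {"seq": 1, "account": "100008", "amount": "120.00"},
    {"seq": 2, "account": "200060", "amount": "75.50"},
    {"seq": 4, "account": "300004", "amount": "6000.00"},
]

if __name__ == "__main__":
    print("clean batch:", validate_batch(HEADER, CLEAN_BATCH))
    for ref, test in validate_batch(HEADER, KEYED_BATCH):
        print(ref, "failed", test)
```

The record-level tests point at the transaction to correct and resubmit, while the batch totals show that something in the batch differs from what the user department authorized even when no single record looks wrong.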


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

- Original programming is not required.
- Designing tests is easy.
- Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
- For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
- The same software can be used on various clients' computer systems.
- Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


records and files. Because of the high risks of not detecting system errors in complex systems, the test data approach is not the best approach to use in auditing such systems.

Generalized audit software (GAS)

Parallel simulation consists of processing client data using the auditor's program and comparing the result to the output of the same data processed by the client's program. This process can be performed by GAS.

Exhibit 9A-4 on page 22 of Appendix 9A illustrates how an auditor would use developed software as a parallel simulation. Some larger firms develop software for the audit of specific clients (for example, life insurance companies).

GAS has the advantages of being relatively easy to use and widely applicable. GAS can be used to process a variety of files in different formats or media to perform a number of functions, such as sampling, calculating totals and subtotals, selecting specific records, and so on. Appendix 9A, pages 24 and 25, lists a number of techniques (with excellent examples) that the auditor can perform if the client's data are in machine-readable form.

Reading 7-1, AuG-6, Section 6, Computer-assisted audit techniques (CAATs), explains the uses of CAATs.
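
The parallel simulation described above, as an added Python example that is not part of the course material: the auditor's own program recomputes gross pay from the client's input file and compares each result with the client's payroll output. The overtime rule (1.5 times the rate above 40 hours), the field names, and both sample files are assumptions constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def auditor_gross_pay(hours, rate,
                      ot_threshold=Decimal("40"), ot_factor=Decimal("1.5")):
    """Auditor's independent implementation of the pay rule (assumed rule)."""
    regular = min(hours, ot_threshold)
    overtime = max(hours - ot_threshold, Decimal("0"))
    return ((regular + overtime * ot_factor) * rate).quantize(CENT, ROUND_HALF_UP)


def parallel_simulation(client_input, client_output):
    """Reprocess client input with the auditor's program and list every
    difference from the client's output as (employee, finding, expected, reported)."""
    expected = {
        r["emp"]: auditor_gross_pay(Decimal(r["hours"]), Decimal(r["rate"]))
        for r in client_input
    }
    reported = {r["emp"]: Decimal(r["gross"]) for r in client_output}
    exceptions = []
    for emp in sorted(expected.keys() | reported.keys()):
        if emp not in reported:
            # Input was received but no payment was produced.
            exceptions.append((emp, "no output for input record", expected[emp], None))
        elif emp not in expected:
            # A payment exists that no input record supports.
            exceptions.append((emp, "output without input record", None, reported[emp]))
        elif expected[emp] != reported[emp]:
            exceptions.append((emp, "amount differs", expected[emp], reported[emp]))
    return exceptions


# Constructed client files (not from the course material).
CLIENT_INPUT = [
    {"emp": "E001", "hours": "40", "rate": "20.00"},
    {"emp": "E002", "hours": "45", "rate": "18.50"},
    {"emp": "E003", "hours": "38.5", "rate": "22.10"},
    {"emp": "E004", "hours": "50", "rate": "30.00"},
]
CLIENT_OUTPUT = [
    {"emp": "E001", "gross": "800.00"},
    {"emp": "E002", "gross": "832.50"},   # overtime premium not applied
    {"emp": "E003", "gross": "850.85"},
    {"emp": "E005", "gross": "900.00"},   # payment with no input record
]

if __name__ == "__main__":
    for emp, finding, exp, rep in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(f"{emp}: {finding} (auditor={exp}, client={rep})")
```

Because the client's program processes like transactions uniformly, a single "amount differs" exception on an overtime record suggests that every overtime record in the period is affected, so the follow-up is to the program logic rather than to the one employee.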


7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application, developed in the United States by KPMG LLP, can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions, such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations:

- absence or short life of transaction trails
- uniform processing of transactions
- concentration of functions
- increased potential for certain types of errors and irregularities
- potential for increased management supervision and review
- existence of system-generated transactions

Effects on the approach to auditing:

- Consideration of IT-related matters when planning the audit
- The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

- the concentration of functions
- documentation of transactions
- controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

- controls over access to programs and data
- controls over system design and maintenance
- protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are:

- a paperless environment, resulting in the loss of an audit trail
- the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites, protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

- commercial general-use software such as Excel
- pre-built spreadsheet templates
- special-use software such as expert systems
- custom programs for auditing specific areas
- working paper software
- networked files
- standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

- adequate procedures are in place and computer systems are properly documented;
- an adequate audit trail for significant classes of transactions exists; and
- knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
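
One way to test the accuracy and completeness of a conversion, as an added example that is not part of the course material: closing balances extracted from the old system are reconciled account by account against opening balances in the new system. The account numbers, balances, and two-column CSV extract layout are constructed assumptions, chosen so that record counts and control totals agree even though the detail was altered.

```python
import csv
import io
from decimal import Decimal

# Constructed extracts: closing balances (old system) at the cut-off date
# and opening balances (new system). Layout "account,balance" is assumed.
OLD_EXTRACT = """account,balance
1000,15000.00
1100,8200.50
2000,-4300.00
2100,-18900.50
"""

NEW_EXTRACT = """account,balance
1000,15000.00
1100,8250.50
2000,-4300.00
9999,-18950.50
"""


def load_balances(text):
    """Parse an extract into {account: Decimal}; report accounts listed twice."""
    balances, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        account = row["account"].strip()
        if account in balances:
            duplicates.append(account)
        balances[account] = balances.get(account, Decimal("0")) + Decimal(row["balance"])
    return balances, duplicates


def reconcile(old_text, new_text):
    """Compare old-system and new-system balances at the conversion cut-off."""
    old, old_dupes = load_balances(old_text)
    new, new_dupes = load_balances(new_text)
    shared = sorted(set(old) & set(new))
    result = {
        # Control totals: cheap, but they only prove the sums agree.
        "count_old": len(old),
        "count_new": len(new),
        "total_old": sum(old.values(), Decimal("0")),
        "total_new": sum(new.values(), Decimal("0")),
        # Completeness: every old account must exist in the new system,
        # and nothing may appear that was not in the old system.
        "missing": sorted(set(old) - set(new)),
        "unexpected": sorted(set(new) - set(old)),
        # Accuracy: balances carried forward must be identical.
        "changed": [(a, old[a], new[a]) for a in shared if old[a] != new[a]],
        "duplicates": sorted(set(old_dupes + new_dupes)),
    }
    result["totals_agree"] = (
        result["count_old"] == result["count_new"]
        and result["total_old"] == result["total_new"]
    )
    result["clean"] = result["totals_agree"] and not (
        result["missing"] or result["unexpected"]
        or result["changed"] or result["duplicates"]
    )
    return result


if __name__ == "__main__":
    report = reconcile(OLD_EXTRACT, NEW_EXTRACT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data the record counts and totals agree, so a comparison of control totals alone would pass; only the per-account comparison shows the altered, dropped, and added accounts.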


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

- organization and physical access
- documentation and systems development
- hardware controls and preventive maintenance
- data file and program control and security
- backup and recovery procedures
- file security
- file retention
- system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

- input authorization
- check digits
- record counts
- batch financial totals
- batch hash totals
- valid character tests
- valid sign tests
- missing data tests
- sequence tests
- limit/reasonableness tests
- error correction and resubmission

Processing controls

- run-to-run totals
- control total reports
- file logs
- limit/reasonableness tests

Output controls

- control totals
- master file changes
- output distribution
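
The input controls listed above, applied to one keyed batch, as an added example that is not part of the course material. The batch layout, the vendor numbers, the 10,000.00 limit, and the choice of the Luhn algorithm for the check digit are assumptions made for illustration; all data is constructed.

```python
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("10000.00")  # assumed per-transaction limit

# Batch header prepared by the user department from the source documents.
HEADER = {"record_count": 3,
          "financial_total": Decimal("1525.75"),
          "hash_total": 120066}  # sum of vendor numbers, a control figure only

# Constructed batches: one keyed correctly, one with keying errors.
CLEAN_ROWS = [
    {"seq": "1001", "vendor": "40014", "amount": "250.00"},
    {"seq": "1002", "vendor": "40022", "amount": "1200.50"},
    {"seq": "1003", "vendor": "40030", "amount": "75.25"},
]
KEYED_ROWS = [
    {"seq": "1001", "vendor": "40014", "amount": "250.00"},
    {"seq": "1002", "vendor": "40024", "amount": "1200.50"},   # wrong digit
    {"seq": "1004", "vendor": "40030", "amount": "75250.00"},  # gap, slipped decimal
]


def luhn_valid(number):
    """Check-digit test (Luhn, chosen for this example) on a numeric code."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, rows, limit=LIMIT):
    """Return (seq, control, detail) exceptions; an empty list means accept."""
    exceptions = []
    financial_total, hash_total, seqs = Decimal("0"), 0, []
    for row in rows:
        seq, vendor, raw = (row.get(k, "").strip()
                            for k in ("seq", "vendor", "amount"))
        # Missing data test: all fields present before any other test.
        if not (seq and vendor and raw):
            exceptions.append((seq or "?", "missing data", repr(row)))
            continue
        # Valid character test: numeric identifiers, parseable finite amount.
        try:
            amount = Decimal(raw)
        except InvalidOperation:
            amount = None
        if (not seq.isdigit() or not vendor.isdigit()
                or amount is None or not amount.is_finite()):
            exceptions.append((seq, "valid character", repr(row)))
            continue
        seqs.append(int(seq))
        financial_total += amount
        hash_total += int(vendor)
        if not luhn_valid(vendor):
            exceptions.append((seq, "check digit", vendor))
        if amount <= 0:  # valid sign test
            exceptions.append((seq, "valid sign", raw))
        elif amount > limit:  # limit/reasonableness test
            exceptions.append((seq, "limit", raw))
    # Sequence test: pre-numbered documents must arrive without gaps.
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            exceptions.append((str(cur), "sequence", f"follows {prev}"))
    # Batch controls: keyed data must agree with the batch header.
    if len(rows) != header["record_count"]:
        exceptions.append(("BATCH", "record count", f"{len(rows)} keyed"))
    if financial_total != header["financial_total"]:
        exceptions.append(("BATCH", "financial total", str(financial_total)))
    if hash_total != header["hash_total"]:
        exceptions.append(("BATCH", "hash total", str(hash_total)))
    return exceptions


if __name__ == "__main__":
    for item in validate_batch(HEADER, KEYED_ROWS):
        print(item)
```

Rejected rows would go to error correction and resubmission; the function only reports them and never alters the batch.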


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

- Original programming is not required.
- Designing tests is easy.
- Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
- For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
- The same software can be used on various clients' computer systems.
- Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.



7.12 Computer-aided auditing

Learning objective

Identify ways to use computers in conducting an audit. (Level 1)

Required reading

Chapter 9, Appendix 9A, page 28

LEVEL 1

On page 28 of Appendix 9A, the text describes several ways to use computers for an audit. The future of computers in auditing is firmly established because of their small size yet large computing power. The development of software to support the new hardware is keeping pace. Many public accounting firms provide staff with computers; laptop and notebook computers, along with auditing software such as CaseWare, are becoming as ubiquitous as the auditor's briefcase.

In addition, industry information and information on comparable companies can be obtained on the Internet (for example, via Statistics Canada's website) as a means to improve the auditor's knowledge of the business and in performing analytical procedures.

Here are some highlights of the software programs and aids available to auditors:

Commercial general use software: Spreadsheet programs such as Microsoft Excel can be used for analysis or for sampling (see Computer activity 6.11-1 in Topic 6.11). Word-processing programs such as Microsoft Word are useful for drafting statements or preparing reports and letters.

Pre-built spreadsheet templates: Auditors often use pre-built spreadsheet templates (for example, model working papers and financial statements).

Special use software: Some academics and public accountants see the development of expert systems as one of the next major developments in auditing. The work on expert systems is slow and very expensive. There are some applications in auditing; one application developed in the United States by KPMG LLP can be used to assess the collectibility of bank loans. Expert systems are being developed for audit planning and for assessing EDP controls.

Custom programs: These special programs are written by auditors to audit specific areas. For example, one large accounting firm uses custom programs to audit policy reserves of casualty insurance companies.

Working paper software: Almost all public accounting firms now use working paper software, developed either in-house or purchased from an outside vendor (for example, CaseWare). The purchased software may be modified with specialized templates or electronic forms to prepare working papers and letters such as confirmations, engagement, and management letters. The main purpose of working paper software is to automate calculations such as footings and extensions, as well as to perform the carryforward functions such as updating from journal entries and worksheets to working papers, lead sheets, trial balances, and financial statements.

Networked files: Adopting technological advances allows several auditors to work independently on different sections of the audit on their laptop computers hooked up to a network. The network continually integrates their work with a master working paper file and keeps working paper references and indexing up-to-date.

Team members in different locations can coordinate their work by sending each other copies of their portion of the audit file, while supervisors can monitor progress and provide feedback without being physically present at the audit location(s). This alternative provides great flexibility in organizing the team's work.

Standardized document templates: The use of standardized templates provides a common starting point for all documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.

Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach.

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit. The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment.

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to the concentration of functions, documentation of transactions, controls over online authorizations, and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery.

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to controls over access to programs and data, controls over system design and maintenance, and protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls.

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit.

The two main effects of EDI for auditors are a paperless environment, resulting in the loss of an audit trail, and the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment.

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system.

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments.

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control.

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach is used by developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

- commercial general-use software such as Excel
- pre-built spreadsheet templates
- special-use software such as expert systems
- custom programs for auditing specific areas
- working paper software
- networked files
- standardized document templates

Scenario 7.1-1 solution

Effect/Impact | Risk | Management responsibility

Change to the organizational structure: Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Appropriate internal controls lacking in computerized environment.

Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Centralization of data processing and resulting efficiencies: Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Greater risk of losing large amount of data in case of breakdown of computer system.

Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.

b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.

b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computers uniformly subject like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
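A test of conversion accuracy and completeness along the lines described above, as an added example that is not part of the course material. It matches a constructed old-system extract against a constructed new-system extract by account key; the CSV layout, account numbers, and function names are assumptions made for the illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed extracts, both taken at the cut-off date (assumed layout).
OLD_EXTRACT = """account,balance
1000,1520.00
1010,310.45
1020,-75.00
1030,0.00
1040,9800.10
"""

NEW_EXTRACT = """account,balance
1000,1520.00
1010,310.54
1020,75.00
1040,9800.10
1050,42.00
"""


def load_balances(text: str) -> dict:
    """Read an extract into {account: balance}; a repeated key is itself a finding."""
    balances = {}
    for row in csv.DictReader(io.StringIO(text)):
        account = row["account"].strip()
        if account in balances:
            raise ValueError(f"duplicate account {account} in extract")
        balances[account] = Decimal(row["balance"])
    return balances


def reconcile_conversion(old: dict, new: dict) -> dict:
    """Completeness: every old account arrives and nothing new appears.
    Accuracy: every carried-forward balance is unchanged."""
    dropped = sorted(old.keys() - new.keys())
    added = sorted(new.keys() - old.keys())
    changed = {
        account: (old[account], new[account])
        for account in sorted(old.keys() & new.keys())
        if old[account] != new[account]
    }
    old_total = sum(old.values(), Decimal("0"))
    new_total = sum(new.values(), Decimal("0"))
    return {
        "record_counts": (len(old), len(new)),
        "totals": (old_total, new_total),
        "total_difference": new_total - old_total,
        "dropped": dropped,
        "added": added,
        "changed": changed,
        "clean": not (dropped or added or changed),
    }


if __name__ == "__main__":
    result = reconcile_conversion(load_balances(OLD_EXTRACT),
                                  load_balances(NEW_EXTRACT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this constructed data the record counts agree (5 and 5) even though one account was dropped, one was added, and two balances changed, which is why the match is done by key rather than by count alone.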


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
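Several of the input controls listed above, applied to one keyed batch, as an added example that is not part of the course material. The batch data, the Luhn check-digit scheme, the payment limit, and all names are assumptions made for the illustration; a real system may use a different check-digit algorithm.

```python
from dataclasses import asdict, dataclass
from decimal import Decimal

PAYMENT_LIMIT = Decimal("50000.00")  # assumed reasonableness ceiling per payment


@dataclass(frozen=True)
class Txn:
    seq: int         # pre-numbered source document number
    vendor_no: str   # last digit is a Luhn check digit (assumed scheme)
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Control figures the user department computed from the source documents."""
    record_count: int
    financial_total: Decimal  # sum of the amounts
    hash_total: int           # sum of vendor numbers; meaningless except as a control


def luhn_ok(number: str) -> bool:
    """Check-digit test: most single mis-keyed or transposed digits fail it."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def edit_record(txn: Txn) -> list:
    """Field-level edits; returns the names of the tests the record failed."""
    failed = []
    if not txn.vendor_no:
        failed.append("missing data")
    elif not txn.vendor_no.isdigit():
        failed.append("valid character")
    elif not luhn_ok(txn.vendor_no):
        failed.append("check digit")
    if txn.amount <= 0:
        failed.append("valid sign")
    elif txn.amount > PAYMENT_LIMIT:
        failed.append("limit/reasonableness")
    return failed


def edit_batch(header: BatchHeader, txns: list) -> dict:
    """Balance the keyed batch to its header, then run sequence and record edits."""
    actual = {
        "record_count": len(txns),
        "financial_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(int(t.vendor_no) for t in txns if t.vendor_no.isdigit()),
    }
    expected = asdict(header)
    out_of_balance = {k: (expected[k], actual[k])
                      for k in expected if expected[k] != actual[k]}
    seqs = sorted(t.seq for t in txns)
    missing = [n for lo, hi in zip(seqs, seqs[1:]) for n in range(lo + 1, hi)]
    rejected = {t.seq: f for t in txns if (f := edit_record(t))}
    return {"out_of_balance": out_of_balance, "missing_sequence": missing,
            "rejected": rejected,
            "accept": not (out_of_balance or missing or rejected)}


# Constructed batch: the header was built from documents 101-105; the keyed
# batch dropped 104, transposed two digits of a vendor number on 103, and
# mis-keyed the amount on 105.
HEADER = BatchHeader(record_count=5, financial_total=Decimal("2815.75"),
                     hash_total=110449)
KEYED_BATCH = [
    Txn(101, "10017", Decimal("250.00")),
    Txn(102, "20040", Decimal("1200.50")),
    Txn(103, "31055", Decimal("75.25")),     # source document said 30155
    Txn(105, "10017", Decimal("98000.00")),  # source document said 980.00
]

if __name__ == "__main__":
    for key, value in edit_batch(HEADER, KEYED_BATCH).items():
        print(f"{key}: {value}")
```

The batch totals show that the batch is wrong; the sequence, check-digit, and limit tests show which records to send back for error correction and resubmission.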


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


documents. A database of templates can be useful in customizing documents such as internal control questionnaires, audit programs, and sample letters. Links can also be established to other databases or even to websites so that data or information from these sources can be cross-referenced or transferred to the working papers. Thus, not only various staff but also various sources of information can be integrated to support the auditor's opinion. Of course, to obtain such efficiencies, the audit firms would need to invest in hardware, software, and training of staff.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach

Effects on the company's operations: absence or short life of transaction trails; uniform processing of transactions; concentration of functions; increased potential for certain types of errors and irregularities; potential for increased management supervision and review; existence of system-generated transactions.

Effects on the approach to auditing:

Consideration of IT-related matters when planning the audit.

The impact of the computer environment on internal controls and the audit.

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

the concentration of functions; documentation of transactions; controls over online authorizations and system-generated transactions.

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to

controls over access to programs and data; controls over system design and maintenance; protection of the system against hazards of nature and against potential sabotage.

Describe general controls and application controls, and explain how they relate to accounting controls

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing aroundwithout the computer and auditing throughwith the computer to test internal control

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large there is

fileF|Courses2010-11CGAAU106coursem07summaryhtm (2 of 3) [04102010 31654 PM]

fileF|Courses2010-11CGAAU106coursem07summaryhtm

little or no audit trail or the system is complex

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach is used by developing simulated data and processing it through the clientrsquos system and comparing the output to predetermined results

Generalized audit software can be used for a variety of audit purposes Such programs will extract data from the client system sort data perform calculations match data from different files select statistical samples and generate worksheets or databases for further analysis

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit

Identify ways to use computers in conducting an audit

commercial general-use software such as Excel pre-built spreadsheet templates special-use software such as expert systems custom programs for auditing specific areas working paper software networked files standardized document templates

fileF|Courses2010-11CGAAU106coursem07summaryhtm (3 of 3) [04102010 31654 PM]

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls, regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

• adequate procedures are in place and computer systems are properly documented;
• an adequate audit trail for significant classes of transactions exists; and
• knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department, the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)


Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
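
The accuracy, completeness and cut-off tests described above (and in the Scenario 7.5-2 solution), worked through as an added example that is not part of the course material. The account extracts, transaction ids and changeover date are constructed, and treating the changeover date as the first day of processing in the new system is an assumption.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed data: closing balances exported from the old system and
# opening balances loaded into the new one (debits positive, credits negative).
OLD_CLOSING = """account,balance
1000,15250.00
1100,8300.40
2000,-4120.00
3000,-19430.40
"""
NEW_OPENING = """account,balance
1000,15250.00
1100,8030.40
3000,-19430.40
9999,100.00
"""
CHANGEOVER = date(2010, 7, 1)   # assumed: first day processed by the new system
POSTINGS = [                     # (system, transaction id, posting date), constructed
    ("old", "T-101", date(2010, 6, 30)),
    ("old", "T-102", date(2010, 7, 2)),
    ("new", "T-201", date(2010, 6, 29)),
    ("new", "T-202", date(2010, 7, 1)),
]


def load_balances(text):
    """Parse an account,balance extract; a duplicated account is itself an error."""
    balances = {}
    for row in csv.DictReader(io.StringIO(text)):
        account = row["account"].strip()
        if account in balances:
            raise ValueError(f"duplicate account {account}")
        balances[account] = Decimal(row["balance"])
    return balances


def reconcile_conversion(old_text, new_text):
    """Compare the two extracts account by account, not just in total."""
    old, new = load_balances(old_text), load_balances(new_text)
    common = sorted(old.keys() & new.keys())
    return {
        # Record counts and control totals are quick completeness checks...
        "record_counts": (len(old), len(new)),
        "control_totals": (sum(old.values(), Decimal("0")),
                           sum(new.values(), Decimal("0"))),
        # ...but only the account-level match shows what went wrong.
        "missing_in_new": sorted(old.keys() - new.keys()),
        "unexpected_in_new": sorted(new.keys() - old.keys()),
        "changed": {a: (old[a], new[a]) for a in common if old[a] != new[a]},
    }


def cutoff_exceptions(postings, changeover):
    """Return ids posted in the wrong system relative to the changeover date."""
    wrong = []
    for system, txn_id, posted in postings:
        in_old_period = posted < changeover
        if (system == "old") != in_old_period:
            wrong.append(txn_id)
    return wrong


if __name__ == "__main__":
    for key, value in reconcile_conversion(OLD_CLOSING, NEW_OPENING).items():
        print(f"{key}: {value}")
    print("cut-off exceptions:", cutoff_exceptions(POSTINGS, CHANGEOVER))
```

In this constructed data the record counts agree (4 and 4) even though one account was dropped, one was added and one balance was altered, which is why the count alone is not evidence of a complete conversion.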


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
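
Several of the input controls listed above, applied to one keyed batch, as an added example that is not part of the course material. The record layout, the 5,000 limit and the use of the Luhn (mod 10) scheme for the check digit are assumptions, and the batch itself is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class BatchHeader:
    """Control totals the user department prepares from the source documents."""
    record_count: int
    financial_total: Decimal   # batch financial total: sum of the amounts
    hash_total: int            # batch hash total: sum of the account numbers


def luhn_valid(number: str) -> bool:
    """Check-digit test (Luhn mod 10, an assumed scheme)."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_amount(value):
    """Valid character test: a finite Decimal, or None if the field is not numeric."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def edit_record(rec, expected_seq, limit):
    """Record-level tests; returns the names of the tests that failed."""
    missing = [f for f in ("seq", "account", "amount") if rec.get(f) in (None, "")]
    if missing:
        return ["missing data: " + ", ".join(missing)]
    failed = []
    if rec["seq"] != expected_seq:
        failed.append(f"sequence: expected {expected_seq}, got {rec['seq']}")
    if not luhn_valid(str(rec["account"])):
        failed.append("check digit")
    amount = parse_amount(rec["amount"])
    if amount is None:
        failed.append("valid character")
    elif amount <= 0:
        failed.append("valid sign")
    elif amount > limit:
        failed.append("limit/reasonableness")
    return failed


def validate_batch(header, records, limit):
    """Return (accepted, suspense, batch_exceptions) for one keyed batch."""
    accepted, suspense, batch_exceptions = [], [], []
    count, fin_total, hash_total, expected_seq = 0, Decimal("0"), 0, 1
    for rec in records:
        failed = edit_record(rec, expected_seq, limit)
        if failed:
            suspense.append((rec.get("seq"), failed))   # held for correction and resubmission
        else:
            accepted.append(rec)
        seq = rec.get("seq")
        expected_seq = seq + 1 if isinstance(seq, int) else expected_seq + 1
        # Control totals are taken over everything keyed, good or bad.
        count += 1
        fin_total += parse_amount(rec.get("amount")) or Decimal("0")
        account = str(rec.get("account") or "")
        hash_total += int(account) if account.isascii() and account.isdigit() else 0
    for name, keyed, control in (
        ("record count", count, header.record_count),
        ("batch financial total", fin_total, header.financial_total),
        ("batch hash total", hash_total, header.hash_total),
    ):
        if keyed != control:
            batch_exceptions.append(f"{name}: keyed {keyed}, control {control}")
    return accepted, suspense, batch_exceptions


# Constructed batch: the header reflects the source documents, the records what was keyed.
SAMPLE_HEADER = BatchHeader(4, Decimal("1425.75"), 1001035)
SAMPLE_RECORDS = [
    {"seq": 1, "account": "100024", "amount": "250.00"},
    {"seq": 2, "account": "200145", "amount": "120.50"},    # 200154 with two digits transposed
    {"seq": 3, "account": "300376", "amount": "98000.00"},  # 980.00 mis-keyed
    {"seq": 4, "account": "400481", "amount": "75.25"},
]

if __name__ == "__main__":
    ok, held, exceptions = validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS, Decimal("5000"))
    print("accepted:", [r["seq"] for r in ok])
    print("suspense:", held)
    print("batch exceptions:", exceptions)
```

The record count agrees with the header here, so only the financial and hash totals show that the keyed batch differs from the source documents; the transposed account number leaves the financial total untouched and is caught by the hash total and the check digit.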


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Module 7 summary

Explain the major effects of computerization of accounting systems on a company's operations and on the audit approach

Effects on the company's operations:

• absence or short life of transaction trails
• uniform processing of transactions
• concentration of functions
• increased potential for certain types of errors and irregularities
• potential for increased management supervision and review
• existence of system-generated transactions

Effects on the approach to auditing:

• Consideration of IT-related matters when planning the audit
• The impact of the computer environment on internal controls and the audit

When acquiring sufficient knowledge of the client's business, the auditor should obtain an understanding of the client's computer systems and how they are used.

The auditor must sufficiently understand the internal controls related to the computer systems. This understanding includes both general controls and application controls.

The auditor can also consider using computer-assisted audit techniques when gathering and evaluating evidence concerning the assertions at the account balance and transaction level.

Describe the major elements of audit significance in today's computer environment

Major elements of audit significance include microcomputers, databases, online systems, and e-commerce (Electronic Data Interchange and the Internet).

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to the organizational structure and the processing of transactions

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• the concentration of functions
• documentation of transactions
• controls over online authorizations and system-generated transactions

Explain the audit implications of a simple computer-based system for a company's internal control as it relates to system access, design, backup, and data recovery

Although control objectives do not change, the procedures used to achieve control and the means of evaluation will change. Increased concern must be placed on controls related to:

• controls over access to programs and data
• controls over system design and maintenance
• protection of the system against hazards of nature and against potential sabotage

Describe general controls and application controls, and explain how they relate to accounting controls

General controls apply to all or many computerized accounting activities. They include controls over segregation of duties, physical access to the computer, programs, data, documentation, systems development controls, hardware controls, backup and recovery procedures, and so on.

Application controls are related to specific applications, such as order processing and payroll. They include input controls, processing controls, and output controls.


Application controls are usually evaluated using flowcharts and internal control questionnaires, in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit

The two main effects of EDI for auditors are:

• a paperless environment, resulting in the loss of an audit trail
• the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses, and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance in auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit

• commercial general-use software such as Excel
• pre-built spreadsheet templates
• special-use software such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates

fileF|Courses2010-11CGAAU106coursem07summaryhtm (3 of 3) [04102010 31654 PM]

Scenario 71-1 solution

EffectImpact Risk Management responsibility

Change to the organizational structure Implementation of computer systems requires additional resources for the systems to function properly These resources include qualified personnel and investment in capital assets (appropriate computer equipment)

Appropriate internal controls lacking in computerized environment

Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non- computerized) Therefore implementation of computer systems forces management to ensure that

adequate procedures are in place and computer systems are properly documented

an adequate audit trail for significant classes of transactions exists and

knowledgeable personnel are in place to support the computer system and assist management and auditors

Centralization of data processing and resulting efficiencies Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems Rather than having separate accounts payable or accounts receivable departments doing the data processing independently for example more data processing is done through one department mdash the computer centre or computer processing department

Greater risk of losing large amount of data in case of breakdown of computer system

Internal controls policies and procedures must be in place to make sure that data can be recovered in case of an accident (The users of the computer processing department such as the accounts receivable and accounts payable departments become more dependent on centralized processing)

fileF|Courses2010-11CGAAU106coursem07t01solhtm

fileF|Courses2010-11CGAAU106coursem07t01solhtm [04102010 31656 PM]

Scenario 71-2 solution

There might be more emphasis on evaluating the internal controls of the IT department

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature extent and timing of audit procedures

Make planning decisions regarding other resources that will be needed for the audit such as the use of computer-assisted audit techniques

fileF|Courses2010-11CGAAU106coursem07t01sol2htm

fileF|Courses2010-11CGAAU106coursem07t01sol2htm [04102010 31657 PM]

Activity 72-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized In such cases the auditor may need to perform more extensive tests of details of balances

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system To continue with the ATM example the system checks for a correct PIN number then accesses the information from the customerrsquos bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.


Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP, or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
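One way to test the accuracy, completeness, and cut-off of a conversion, as an added example that is not part of the course material. The account numbers, balances, postings, and the rule that the old system owns everything dated up to and including the changeover date are constructed assumptions. The sample is built so that record counts and control totals agree while individual accounts do not, which is why the comparison goes down to account level.

```python
from datetime import date
from decimal import Decimal

# Constructed closing balances extracted from the old system at changeover.
OLD_BALANCES = {
    "1000": Decimal("500.00"),
    "1100": Decimal("1200.00"),
    "2000": Decimal("-700.00"),
    "3000": Decimal("-1000.00"),
}
# Constructed opening balances loaded into the new system.
NEW_BALANCES = {
    "1000": Decimal("500.00"),
    "1100": Decimal("1020.00"),   # digits transposed during conversion
    "2000": Decimal("-700.00"),
    "3100": Decimal("-820.00"),   # account renumbered and balance altered
}
CHANGEOVER = date(2010, 6, 30)    # assumed changeover date
# Constructed postings: (system, posting date, document reference).
POSTINGS = [
    ("old", date(2010, 6, 30), "INV-1"),
    ("old", date(2010, 7, 2), "INV-2"),
    ("new", date(2010, 6, 29), "INV-3"),
    ("new", date(2010, 7, 1), "INV-4"),
]


def compare_conversion(old, new):
    """Compare old-system closing balances with new-system opening balances."""
    shared = sorted(set(old) & set(new))
    return {
        # Summary-level checks: necessary, but offsetting errors pass them.
        "record_count": (len(old), len(new)),
        "control_total": (sum(old.values(), Decimal(0)),
                          sum(new.values(), Decimal(0))),
        # Completeness: accounts that were dropped by the conversion.
        "missing": sorted(set(old) - set(new)),
        # Accounts in the new system with no source in the old one.
        "unexpected": sorted(set(new) - set(old)),
        # Accuracy: balances that changed in transit (old, new).
        "changed": {a: (old[a], new[a]) for a in shared if old[a] != new[a]},
    }


def cutoff_exceptions(postings, changeover):
    """Flag postings recorded in the wrong system relative to the changeover."""
    exceptions = []
    for system, posted, ref in postings:
        if system == "old" and posted > changeover:
            exceptions.append((ref, "posted in old system after changeover"))
        elif system == "new" and posted <= changeover:
            exceptions.append((ref, "posted in new system on or before changeover"))
    return exceptions


if __name__ == "__main__":
    for name, value in compare_conversion(OLD_BALANCES, NEW_BALANCES).items():
        print(name, value)
    for ref, reason in cutoff_exceptions(POSTINGS, CHANGEOVER):
        print(ref, reason)
```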


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

organization and physical access; documentation and systems development; hardware controls and preventive maintenance; data file and program control and security; backup and recovery procedures; file security; file retention; system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

input authorization; check digits; record counts; batch financial totals; batch hash totals; valid character tests; valid sign tests; missing data tests; sequence tests; limit/reasonableness tests; error correction and resubmission

Processing controls

run-to-run totals; control total reports; file logs; limit/reasonableness tests

Output controls

control totals; master file changes; output distribution
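Several of the input controls listed above, as an added example that is not part of the course material. The record layout, the payment limit, and both sample batches are constructed assumptions. The first batch shows why a hash total is kept alongside the record count and financial total: a mis-keyed employee number leaves the other two totals intact.

```python
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("5000.00")  # assumed reasonableness ceiling for one payment

# Constructed batch header prepared by the user department before data entry.
HEADER = {"record_count": 3, "financial_total": Decimal("1830.50"), "hash_total": 30110}
# Constructed keyed batch: employee 10034 was keyed as 10043.
KEYED = [
    {"seq": 1, "employee_no": "10021", "amount": "450.00"},
    {"seq": 2, "employee_no": "10043", "amount": "480.50"},
    {"seq": 3, "employee_no": "10055", "amount": "900.00"},
]
# Constructed batch that exercises the per-record edit checks.
DIRTY = [
    {"seq": 1, "employee_no": "10021", "amount": "450.00"},
    {"seq": 2, "employee_no": "10034", "amount": ""},          # blank field
    {"seq": 4, "employee_no": "10055", "amount": "900.00"},    # seq 3 skipped
    {"seq": 5, "employee_no": "1O077", "amount": "300.00"},    # letter O
    {"seq": 6, "employee_no": "10080", "amount": "-25.00"},    # negative
    {"seq": 7, "employee_no": "10091", "amount": "75000.00"},  # over limit
]


def control_totals(records):
    """Recompute record count, batch financial total and batch hash total."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal(0)),
        # The hash total sums a field with no monetary meaning, purely as a check.
        "hash_total": sum(int(r["employee_no"]) for r in records),
    }


def reconcile(header, records):
    """Return {total name: (header value, computed value)} for each mismatch."""
    computed = control_totals(records)
    return {k: (header[k], computed[k]) for k in header if header[k] != computed[k]}


def edit_checks(records, limit=LIMIT):
    """Per-record input tests. Returns (seq, failed test) pairs in batch order."""
    failures, expected = [], None
    for rec in records:
        seq = rec["seq"]
        # Sequence test: numbers must run consecutively.
        if expected is not None and seq != expected:
            failures.append((seq, "sequence"))
        expected = seq + 1
        # Missing data test: no field may be blank.
        if any(not str(rec.get(f, "")).strip() for f in ("employee_no", "amount")):
            failures.append((seq, "missing data"))
            continue
        # Valid character test: employee number digits only, amount numeric.
        if not rec["employee_no"].isdigit():
            failures.append((seq, "valid character"))
        try:
            amount = Decimal(rec["amount"])
        except InvalidOperation:
            failures.append((seq, "valid character"))
            continue
        if not amount.is_finite():
            failures.append((seq, "valid character"))
        elif amount < 0:
            failures.append((seq, "valid sign"))   # valid sign test
        elif amount > limit:
            failures.append((seq, "limit"))        # limit/reasonableness test
    return failures


if __name__ == "__main__":
    print(reconcile(HEADER, KEYED))
    print(edit_checks(DIRTY))
```

Rejected records would go to error correction and resubmission rather than on to processing.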


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

Original programming is not required.

Designing tests is easy.

Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.

For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.

The same software can be used on various clients' computer systems.

Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.



Application controls are usually evaluated using flowcharts and internal control questionnaires in much the same way that accounting controls are evaluated for manual systems.

The auditor must consider the potential weaknesses in the computer controls as well as the manual controls over the data before and after computer processing.

Summarize the impact of EDI and the Internet on a company's operations, including the implications of electronic commerce for a company's internal control and for its audit

The two main effects of EDI for auditors are: a paperless environment, resulting in the loss of an audit trail; the lack of human involvement in the data interchange, resulting in a complete dependence on the electronic system.

The main concerns about the use of the Internet are related to security issues, such as the need for firewalls to keep external users outside the organization's internal networks and systems.

The main implications for internal control are related to security issues. These include control over access to websites and protection from viruses and so on. Both websites and the transactions carried out on the Internet must be secure.

The main implications for the audit are an expansion of the area of knowledge required of the auditor, who will have to gain knowledge of the additional controls and almost certainly test their performance.

Explain how an audit is conducted in a computer environment

Auditors should comply with GAAS in GAAS audits, regardless of whether an entity operates a manual system or a computer system.

The audit should be properly planned. The auditor should gain an understanding of the entity and its environment, including its internal controls, and should use that understanding to plan the audit.

Sufficient appropriate evidence must be obtained from tests of control and substantive audit procedures.

The auditor may be able to use computer-assisted audit techniques to improve the effectiveness and efficiency of the audit.

Identify the phases of auditing a computerized accounting system

The auditor should conduct a preliminary evaluation of internal control. This should include general and application controls the auditor might consider effective to rely on when conducting the audit.

The auditor must then test the controls to see if they were functioning properly throughout the period being audited.

Identify internal control considerations in personal computer, online, and database environments

The auditor should take into account any unique internal control considerations for personal computers, online, and database environments.

Guidance on auditing microcomputers, online systems, and database environments is found in Sections 9 and 10 of CGA-Canada's Auditing Guideline No. 6.

Explain the difference between auditing around/without the computer and auditing through/with the computer to test internal control

Auditing around (or without) the computer consists of manually processing client transactions and comparing the results to the computer output.

This does not necessarily violate generally accepted auditing standards and may be the most efficient approach in some circumstances.

Auditing through (or with) the computer is usually necessary whenever the transaction volume is very large, there is little or no audit trail, or the system is complex.

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software

The test data approach is used by developing simulated data and processing it through the client's system and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit

commercial general-use software such as Excel; pre-built spreadsheet templates; special-use software such as expert systems; custom programs for auditing specific areas; working paper software; networked files; standardized document templates


Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that:

adequate procedures are in place and computer systems are properly documented;

an adequate audit trail for significant classes of transactions exists; and

knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department: the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

fileF|Courses2010-11CGAAU106coursem07t01solhtm

fileF|Courses2010-11CGAAU106coursem07t01solhtm [04102010 31656 PM]

Scenario 71-2 solution

There might be more emphasis on evaluating the internal controls of the IT department

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature extent and timing of audit procedures

Make planning decisions regarding other resources that will be needed for the audit such as the use of computer-assisted audit techniques

fileF|Courses2010-11CGAAU106coursem07t01sol2htm

fileF|Courses2010-11CGAAU106coursem07t01sol2htm [04102010 31657 PM]

Activity 72-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized In such cases the auditor may need to perform more extensive tests of details of balances

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system To continue with the ATM example the system checks for a correct PIN number then accesses the information from the customerrsquos bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM

fileF|Courses2010-11CGAAU106coursem07t02solhtm

fileF|Courses2010-11CGAAU106coursem07t02solhtm [04102010 31657 PM]

Scenario 73-1 solution 1

Segregation of duties

In traditional large systems it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing

There is segregation of duties among the data control clerk data entry clerk and the operator Operations staff is not permitted to modify the computer programs Only programmers and systems analysts (systems development staff) can access and modify computer programs provided they have authorization however they are not allowed to work with actual live data Thus there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other and the chance for unauthorized changes to computer programs is minimized

fileF|Courses2010-11CGAAU106coursem07t03sol1htm

fileF|Courses2010-11CGAAU106coursem07t03sol1htm [04102010 31658 PM]

Scenario 73-1 solution 2

With microcomputer systems the segregation of duties and functions is often impractical and unlikely in practice Usually the same person (user) has complete control over the installation of the computer programs and entry of data Thus it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail

fileF|Courses2010-11CGAAU106coursem07t03sol2htm

fileF|Courses2010-11CGAAU106coursem07t03sol2htm [04102010 31659 PM]

Scenario 73-2 solution

Automatic transaction processes must have appropriate controls in place For example input controls should ensure that purchases or sales will not take place above a pre-specified amount and organization controls should ensure that changes to the program trading software are authorized fully tested before implementation and documented

fileF|Courses2010-11CGAAU106coursem07t03sol3htm

fileF|Courses2010-11CGAAU106coursem07t03sol3htm [04102010 31700 PM]

Example 74-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item The system could be programmed to prompt the user whenever a transaction would cause a customerrsquos account balance to exceed the customerrsquos credit limit

fileF|Courses2010-11CGAAU106coursem07t04solhtm

fileF|Courses2010-11CGAAU106coursem07t04solhtm [04102010 31701 PM]

Activity 75-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring

fileF|Courses2010-11CGAAU106coursem07t05sol1htm

fileF|Courses2010-11CGAAU106coursem07t05sol1htm [04102010 31701 PM]

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware

fileF|Courses2010-11CGAAU106coursem07t05sol2htm

fileF|Courses2010-11CGAAU106coursem07t05sol2htm [04102010 31702 PM]

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records, through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
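The accuracy, completeness and cut-off tests of a conversion can be run as a reconciliation between the old system's closing balances and the new system's opening balances. The following Python is an added example, not part of the course material; the account numbers, balances, transaction references, dates, and the rule that the old system owns everything dated up to and including the changeover date are assumptions constructed for illustration. The sample data is built so that record counts and control totals agree while the detail does not.

```python
from datetime import date
from decimal import Decimal


def reconcile_conversion(old_bal, new_bal, old_txns, new_txns, changeover):
    """Compare closing balances in the old system with opening balances in the
    new one, and test cut-off around the changeover date.

    old_bal / new_bal : {account_no: Decimal balance}
    old_txns / new_txns: [(reference, posting_date)] as recorded in each system
    Assumption: the old system owns every transaction dated up to and including
    the changeover date; the new system owns everything after it.
    """
    old_accts, new_accts = set(old_bal), set(new_bal)
    zero = Decimal("0")
    return {
        # Summary-level checks: necessary, but offsetting errors pass them.
        "record_counts": (len(old_bal), len(new_bal)),
        "control_total_diff": sum(new_bal.values(), zero) - sum(old_bal.values(), zero),
        # Completeness: every old account must exist in the new system.
        "dropped": sorted(old_accts - new_accts),
        # Accounts with no predecessor need an authorized explanation.
        "unexpected": sorted(new_accts - old_accts),
        # Accuracy: balance carried forward must equal the closing balance.
        "balance_diffs": {
            acct: new_bal[acct] - old_bal[acct]
            for acct in sorted(old_accts & new_accts)
            if new_bal[acct] != old_bal[acct]
        },
        # Cut-off: items recorded on the wrong side of the changeover date.
        "cutoff": sorted(
            [ref for ref, posted in old_txns if posted > changeover]
            + [ref for ref, posted in new_txns if posted <= changeover]
        ),
    }


def conversion_exceptions(report):
    """Names of the detail-level tests that found something to follow up."""
    return [k for k in ("dropped", "unexpected", "balance_diffs", "cutoff") if report[k]]


# --- constructed sample data (not from any real system) ---
CHANGEOVER = date(2010, 6, 30)
OLD_BALANCES = {
    "1000": Decimal("25000.00"),
    "1200": Decimal("48250.00"),
    "1500": Decimal("0.00"),       # zero balance, still must be carried forward
    "2000": Decimal("-31500.00"),
    "3000": Decimal("-41750.00"),
}
NEW_BALANCES = {
    "1000": Decimal("25000.00"),
    "1200": Decimal("47750.00"),   # 500.00 lower than the old system
    "2000": Decimal("-31500.00"),
    "3000": Decimal("-41750.00"),
    "9999": Decimal("500.00"),     # offsetting amount in an account with no history
}
OLD_TXNS = [("INV-0981", date(2010, 6, 29)), ("INV-0982", date(2010, 7, 2))]
NEW_TXNS = [("INV-0983", date(2010, 7, 1)), ("INV-0984", date(2010, 6, 30))]

REPORT = reconcile_conversion(OLD_BALANCES, NEW_BALANCES, OLD_TXNS, NEW_TXNS, CHANGEOVER)

if __name__ == "__main__":
    for name, value in REPORT.items():
        print(f"{name}: {value}")
```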

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
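Several of the input controls listed above (record counts, batch financial and hash totals, check digits, and the missing data, valid character, valid sign, sequence and limit/reasonableness tests) can be shown on one keyed payroll batch. The following Python is an added example, not part of the course material; the field names, the Luhn check-digit scheme, the pay limit and both sample batches are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

REQUIRED = ("doc_no", "emp_id", "amount")   # hypothetical field names


def is_numeric(text):
    return text.isascii() and text.isdigit()


def luhn_valid(number):
    """Check-digit test. Luhn is an assumed scheme; the page names no algorithm."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, records, pay_limit):
    """Run input controls over a keyed batch.

    Returns (record_no, control) findings. record_no 0 marks a batch-level
    control that disagrees with the header totals, which the user department
    prepared from the source documents before keying.
    """
    findings = []
    amount_total = Decimal("0")
    hash_total = 0
    prev_doc = None
    for n, rec in enumerate(records, start=1):
        doc_no = rec.get("doc_no", "").strip()
        # Sequence test: document numbers must run without gaps or repeats.
        if is_numeric(doc_no):
            if prev_doc is not None and int(doc_no) != prev_doc + 1:
                findings.append((n, "sequence"))
            prev_doc = int(doc_no)
        # Missing data test: reject the record before any arithmetic.
        if any(not rec.get(f, "").strip() for f in REQUIRED):
            findings.append((n, "missing data"))
            continue
        # Valid character test: identifiers numeric, amount a finite decimal.
        try:
            amount = Decimal(rec["amount"])
            ok = is_numeric(doc_no) and is_numeric(rec["emp_id"]) and amount.is_finite()
        except InvalidOperation:
            ok = False
        if not ok:
            findings.append((n, "valid character"))
            continue
        amount_total += amount
        hash_total += int(rec["emp_id"])    # meaningless sum, used only as a control
        if not luhn_valid(rec["emp_id"]):
            findings.append((n, "check digit"))
        if amount <= 0:
            findings.append((n, "valid sign"))
        elif amount > pay_limit:
            findings.append((n, "limit/reasonableness"))
    if len(records) != header["record_count"]:
        findings.append((0, "record count"))
    if amount_total != Decimal(header["financial_total"]):
        findings.append((0, "batch financial total"))
    if hash_total != header["hash_total"]:
        findings.append((0, "batch hash total"))
    return findings


def rec(doc_no, emp_id, amount):
    return {"doc_no": doc_no, "emp_id": emp_id, "amount": amount}


# --- constructed sample data (not from any real payroll) ---
PAY_LIMIT = Decimal("5000.00")
HEADER = {"record_count": 7, "financial_total": "10800.00", "hash_total": 700242}
CLEAN_BATCH = [
    rec("5001", "100008", "1520.00"), rec("5002", "100016", "1480.00"),
    rec("5003", "100057", "1550.00"), rec("5004", "100024", "1610.00"),
    rec("5005", "100032", "1650.00"), rec("5006", "100040", "1490.00"),
    rec("5007", "100065", "1500.00"),
]
KEYED_BATCH = [
    rec("5001", "100008", "1520.00"),
    rec("5002", "100061", "1480.00"),    # transposed employee number
    rec("5004", "100024", "1610.00"),    # document 5003 was never keyed
    rec("5005", "100032", "16500.00"),   # misplaced decimal point
    rec("5006", "100040", "-1490.00"),   # wrong sign
    rec("5007", "", "1500.00"),          # employee number left blank
]

if __name__ == "__main__":
    for finding in validate_batch(HEADER, KEYED_BATCH, PAY_LIMIT):
        print(finding)
```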

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

little or no audit trail or the system is complex

Two of the approaches that can be used in auditing through the computer are the test data and parallel simulation approaches.

Explain how an auditor can use computers in conducting audits by using test data and generalized audit software.

The test data approach involves developing simulated data, processing it through the client's system, and comparing the output to predetermined results.

Generalized audit software can be used for a variety of audit purposes. Such programs will extract data from the client system, sort data, perform calculations, match data from different files, select statistical samples, and generate worksheets or databases for further analysis.

The auditor should consider the extent to which it will be efficient to use computer-assisted audit techniques in carrying out the compliance or substantive testing required for the audit.

Identify ways to use computers in conducting an audit.

• commercial general-use software such as Excel
• pre-built spreadsheet templates
• special-use software such as expert systems
• custom programs for auditing specific areas
• working paper software
• networked files
• standardized document templates

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

• adequate procedures are in place and computer systems are properly documented;
• an adequate audit trail for significant classes of transactions exists; and
• knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department, the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

fileF|Courses2010-11CGAAU106coursem07t04solhtm

fileF|Courses2010-11CGAAU106coursem07t04solhtm [04102010 31701 PM]

Activity 75-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring

fileF|Courses2010-11CGAAU106coursem07t05sol1htm

fileF|Courses2010-11CGAAU106coursem07t05sol1htm [04102010 31701 PM]

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware

fileF|Courses2010-11CGAAU106coursem07t05sol2htm

fileF|Courses2010-11CGAAU106coursem07t05sol2htm [04102010 31702 PM]

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another

fileF|Courses2010-11CGAAU106coursem07t05sol4htm

fileF|Courses2010-11CGAAU106coursem07t05sol4htm [04102010 31704 PM]

Activity 76-1 solution

One key control in designing a site is a firewall Essentially a firewall is a logical filter between an organizationrsquos internal network and the rest of the world Firewalls monitor the data traffic both into and out of the organizationrsquos network and can be configured to block both certain kinds of data and all traffic from particular locations

Firewalls however are not sufficient They simply form part of the organizationrsquos overall security plan Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus worm or similar destructive agent A company engaged in electronic commerce needs to address issues related to authentication authorization privacy and non-repudiation

Technological controls also need to be supplemented by organizational controls such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall A company should also set up defined policies regarding the use of company networks e-mail and the Internet because sensitive information sent via the Internet unless specifically encrypted is unsecured

fileF|Courses2010-11CGAAU106coursem07t06solhtm

fileF|Courses2010-11CGAAU106coursem07t06solhtm [04102010 31705 PM]

Activity 78-1 solution 1

To compensate for lack of appropriate processing controls the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts

fileF|Courses2010-11CGAAU106coursem07t08sol1htm

fileF|Courses2010-11CGAAU106coursem07t08sol1htm [04102010 31706 PM]

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures Instead the auditor may seek to accomplish the audit objectives through the application of substantive procedures

fileF|Courses2010-11CGAAU106coursem07t08sol2htm

fileF|Courses2010-11CGAAU106coursem07t08sol2htm [04102010 31706 PM]

Module 7 self-test

Question 1

As a potential CGA you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation Describe the skills and competence required to perform such an audit and explain why they are so important

Solution

Question 2

List six characteristics that are important to the auditorrsquos understanding of IT controls

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system

Solution

Question 4

a Review checkpoint 22 page 16 of Appendix 9A b Review checkpoint 5 page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12 page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29 Appendix 9A page 24

Solution

Question 7

a Review checkpoint 32 Appendix 9A page 28 b How are PCs used in small business audits

Solution

fileF|Courses2010-11CGAAU106coursem07selftesthtm

fileF|Courses2010-11CGAAU106coursem07selftesthtm [04102010 32945 PM]

Self-test 7

Solution 1

In CGA Auditing Guideline No 6 Auditing in an EDP Environment (Reading 7-1) paragraph 33 under ldquoSkills and competencerdquo describes the skills and competence an auditor should have in order to properly audit an EDP system They are

a ldquoSufficient understanding of the EDP environment to plan the auditrdquo An important part of planning an audit is gaining knowledge of the clientrsquos business and the environment in which the business operates This includes a knowledge of the clientrsquos information processing capability whether it be manual or EDP or a mixture of both

b ldquoSufficient knowledge of EDP to implement the auditing proceduresrdquo Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence

c ldquoSufficient skills to competently evaluate the resultsrdquo The comments pertaining to (b) apply equally to (c)

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm [04102010 32946 PM]

Self-test 7

Solution 2

The six characteristics important to the auditorrsquos understanding of IT controls are

1 Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form (A transaction trail is a chain of evidence provided through coding cross-references and documentation connecting account balances and other summary results with the original transaction documents and calculations)

2 Uniform processing

Computers process uniformly subjects like transactions to the same processing instructions potentially eliminating random errors normally associated with manual processing Conversely programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions as is the case in manual systems) and testing that the software tested has not been tampered with between tests This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software

3 Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems Password control procedures are a control method to separate incompatible functions such as access to assets and access to records through an online terminal The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre

4 Visibility of alterations

The potential for individuals including those performing control procedures to gain unauthorized access or alter data without visible evidence as well as to gain access (direct or indirect) to assets may be greater in computerized accounting systems

5 Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company This can enhance the entire system of internal control and reduce control risk

6 Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in managementrsquos acceptance of the system design Auditors need to assess general controls over system development and design

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm [04102010 32947 PM]

Self-test 7

Solution 3

The auditorrsquos greatest concern is whether the data have been accurately and completely converted to the new system If the new system or changed system starts with inaccurate data the errors might never be caught In addition the cost of tracking down and converting discovered errors is very high The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained Because of the conversion control risk may have increased and audit procedures will have to be changed

Accurate cut-off between the two systems is essential Documentation of conversion process should be required The auditor needs to test the accuracy and completeness of the conversion

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

  • organization and physical access
  • documentation and systems development
  • hardware controls and preventive maintenance
  • data file and program control and security
  • backup and recovery procedures
  • file security
  • file retention
  • system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

  • input authorization
  • check digits
  • record counts
  • batch financial totals
  • batch hash totals
  • valid character tests
  • valid sign tests
  • missing data tests
  • sequence tests
  • limit/reasonableness tests
  • error correction and resubmission

Processing controls

  • run-to-run totals
  • control total reports
  • file logs
  • limit/reasonableness tests

Output controls

  • control totals
  • master file changes
  • output distribution
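Solution 3's test of conversion accuracy, completeness and cut-off can be run as a CAAT with the record counts, financial totals and hash totals listed above. This Python example is added here and is not part of the course material; the record layout, account numbers, dates and amounts are constructed.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    account_no: str      # numeric account number (assumed layout)
    balance: Decimal
    last_posted: date    # date of the last posting to the account


def control_totals(records):
    """Record count, financial total and hash total for one extract."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.balance for r in records), Decimal("0")),
        # A hash total sums a field with no monetary meaning; it exists
        # only to reveal dropped, added or substituted records.
        "hash_total": sum(int(r.account_no) for r in records),
    }


def reconcile_conversion(old, new, cutoff):
    """Compare old- and new-system extracts; return (kind, detail) findings."""
    findings = []
    old_t, new_t = control_totals(old), control_totals(new)
    for name in old_t:
        if old_t[name] != new_t[name]:
            findings.append(("control_total",
                             f"{name}: old={old_t[name]} new={new_t[name]}"))
    old_by = {r.account_no: r for r in old}
    new_by = {r.account_no: r for r in new}
    # Completeness: every account must exist on both sides.
    for acct in sorted(old_by.keys() - new_by.keys()):
        findings.append(("completeness", f"{acct} missing from new system"))
    for acct in sorted(new_by.keys() - old_by.keys()):
        findings.append(("completeness", f"{acct} not in old system"))
    # Accuracy: balances must carry forward unchanged, record by record.
    for acct in sorted(old_by.keys() & new_by.keys()):
        o, n = old_by[acct].balance, new_by[acct].balance
        if o != n:
            findings.append(("accuracy", f"{acct}: {o} -> {n}"))
    # Cut-off: nothing may be posted in the old system after changeover.
    for r in old:
        if r.last_posted > cutoff:
            findings.append(("cut_off",
                             f"{r.account_no} posted {r.last_posted} in old system"))
    return findings


# Constructed sample data (not from the course material).
CUTOFF = date(2010, 9, 30)
OLD = [
    Record("1001", Decimal("250.00"), date(2010, 9, 28)),
    Record("1002", Decimal("1200.50"), date(2010, 9, 30)),
    Record("1003", Decimal("75.25"), date(2010, 9, 30)),
    Record("1004", Decimal("310.00"), date(2010, 10, 2)),   # after cut-off
]
# Balances of 1002 and 1003 swapped during conversion: totals still agree.
NEW_SWAPPED = [
    Record("1001", Decimal("250.00"), date(2010, 9, 28)),
    Record("1002", Decimal("75.25"), date(2010, 9, 30)),
    Record("1003", Decimal("1200.50"), date(2010, 9, 30)),
    Record("1004", Decimal("310.00"), date(2010, 10, 2)),
]
# Account 1004 dropped during conversion: every control total disagrees.
NEW_DROPPED = OLD[:3]

if __name__ == "__main__":
    for label, new in (("swapped", NEW_SWAPPED), ("dropped", NEW_DROPPED)):
        print(label)
        for kind, detail in reconcile_conversion(OLD, new, CUTOFF):
            print(f"  {kind}: {detail}")
```

In the constructed data two balances are swapped, so all three control totals agree and only the record-level comparison reports the error.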

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

  • Original programming is not required.
  • Designing tests is easy.
  • Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
  • For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
  • The same software can be used on various clients' computer systems.
  • Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

Scenario 7.1-1 solution

Effect/Impact: Change to the organizational structure. Implementation of computer systems requires additional resources for the systems to function properly. These resources include qualified personnel and investment in capital assets (appropriate computer equipment).

Risk: Appropriate internal controls lacking in computerized environment.

Management responsibility: Management is responsible for establishing internal controls regardless of the environment in which the company operates (computerized or non-computerized). Therefore, implementation of computer systems forces management to ensure that

  • adequate procedures are in place and computer systems are properly documented;
  • an adequate audit trail for significant classes of transactions exists; and
  • knowledgeable personnel are in place to support the computer system and assist management and auditors.

Effect/Impact: Centralization of data processing and resulting efficiencies. Centralization and the resulting efficiencies are usually the reasons why the company implements computer systems. Rather than having separate accounts payable or accounts receivable departments doing the data processing independently, for example, more data processing is done through one department, the computer centre or computer processing department.

Risk: Greater risk of losing large amount of data in case of breakdown of computer system.

Management responsibility: Internal controls, policies, and procedures must be in place to make sure that data can be recovered in case of an accident. (The users of the computer processing department, such as the accounts receivable and accounts payable departments, become more dependent on centralized processing.)

Scenario 7.1-2 solution

There might be more emphasis on evaluating the internal controls of the IT department.

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature, extent, and timing of audit procedures.

Make planning decisions regarding other resources that will be needed for the audit, such as the use of computer-assisted audit techniques.

Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system. To continue with the ATM example, the system checks for a correct PIN number, then accesses the information from the customer's bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM.

Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Scenario 71-2 solution

There might be more emphasis on evaluating the internal controls of the IT department

The auditor will have to determine if an IT specialist needs to be brought in to the audit team and how this will affect the nature extent and timing of audit procedures

Make planning decisions regarding other resources that will be needed for the audit such as the use of computer-assisted audit techniques

fileF|Courses2010-11CGAAU106coursem07t01sol2htm

fileF|Courses2010-11CGAAU106coursem07t01sol2htm [04102010 31657 PM]

Activity 72-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized In such cases the auditor may need to perform more extensive tests of details of balances

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system To continue with the ATM example the system checks for a correct PIN number then accesses the information from the customerrsquos bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM

fileF|Courses2010-11CGAAU106coursem07t02solhtm

fileF|Courses2010-11CGAAU106coursem07t02solhtm [04102010 31657 PM]

Scenario 73-1 solution 1

Segregation of duties

In traditional large systems it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing

There is segregation of duties among the data control clerk data entry clerk and the operator Operations staff is not permitted to modify the computer programs Only programmers and systems analysts (systems development staff) can access and modify computer programs provided they have authorization however they are not allowed to work with actual live data Thus there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other and the chance for unauthorized changes to computer programs is minimized

fileF|Courses2010-11CGAAU106coursem07t03sol1htm

fileF|Courses2010-11CGAAU106coursem07t03sol1htm [04102010 31658 PM]

Scenario 73-1 solution 2

With microcomputer systems the segregation of duties and functions is often impractical and unlikely in practice Usually the same person (user) has complete control over the installation of the computer programs and entry of data Thus it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and, as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computers uniformly subject like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and correcting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
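An added example (not from the course material) of the accuracy, completeness and cut-off tests described above, comparing closing balances in the old system with opening balances in the new one. Account numbers, posting references, dates and amounts are constructed, and the function names are hypothetical.

```python
from datetime import date
from decimal import Decimal


def reconcile_balances(old, new):
    """Compare old-system closing balances with new-system opening balances.

    Record counts and control totals are the quick completeness checks;
    the account-by-account comparison is what catches offsetting errors.
    """
    old_keys, new_keys = set(old), set(new)
    return {
        "record_counts": (len(old), len(new)),
        "control_totals": (sum(old.values(), Decimal(0)),
                           sum(new.values(), Decimal(0))),
        "dropped": sorted(old_keys - new_keys),      # in old system only
        "added": sorted(new_keys - old_keys),        # in new system only
        "changed": {acct: (old[acct], new[acct])
                    for acct in sorted(old_keys & new_keys)
                    if old[acct] != new[acct]},
    }


def cutoff_exceptions(cutoff, old_postings, new_postings):
    """Postings on the wrong side of the changeover date, or made in both systems."""
    return {
        "old_after_cutoff": sorted(
            ref for ref, posted in old_postings.items() if posted > cutoff),
        "new_on_or_before_cutoff": sorted(
            ref for ref, posted in new_postings.items() if posted <= cutoff),
        "posted_in_both": sorted(set(old_postings) & set(new_postings)),
    }


# Constructed sample data. Counts and control totals agree between the two
# systems, yet one balance was mis-keyed and one account was renumbered
# with a different balance.
OLD_CLOSING = {
    "1000": Decimal("5000.00"),
    "1100": Decimal("1250.75"),
    "2000": Decimal("-3200.00"),
    "3000": Decimal("-3050.75"),
}
NEW_OPENING = {
    "1000": Decimal("5000.00"),
    "1100": Decimal("1520.75"),
    "2000": Decimal("-3200.00"),
    "3010": Decimal("-3320.75"),
}
CUTOFF = date(2010, 6, 30)   # constructed changeover date
OLD_POSTINGS = {
    "INV-101": date(2010, 6, 29),
    "INV-102": date(2010, 6, 30),
    "INV-103": date(2010, 7, 2),
}
NEW_POSTINGS = {
    "INV-100": date(2010, 6, 28),
    "INV-103": date(2010, 7, 2),
    "INV-104": date(2010, 7, 1),
}

if __name__ == "__main__":
    for name, value in reconcile_balances(OLD_CLOSING, NEW_OPENING).items():
        print(name, value)
    for name, value in cutoff_exceptions(CUTOFF, OLD_POSTINGS, NEW_POSTINGS).items():
        print(name, value)
```

In the sample, the record counts and control totals agree while three accounts differ in detail, which is why agreement of totals alone does not show that the conversion was accurate.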


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
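The input controls listed above, run over one keyed batch as an added example (not part of the course material). The Luhn mod-10 check digit scheme, the 2,500.00 limit, the field names and the sample batch are assumptions constructed for illustration.

```python
from collections import Counter
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("2500.00")            # assumed per-transaction limit
FIELDS = ("seq", "account", "amount")


def to_int(text):
    """Valid character test for numeric fields: ASCII digits only."""
    return int(text) if text.isascii() and text.isdigit() else None


def to_amount(text):
    """Parse a money field; None if it is not a finite decimal number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def luhn_valid(account):
    """Check digit test (assumed scheme: Luhn mod 10, last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec):
    """Field-level tests on one record; returns the names of the tests it fails."""
    missing = [f for f in FIELDS if not rec.get(f, "").strip()]
    if missing:
        return ["missing data: " + ", ".join(missing)]
    failed = []
    if to_int(rec["seq"]) is None:
        failed.append("valid character: seq")
    if to_int(rec["account"]) is None:
        failed.append("valid character: account")
    elif not luhn_valid(rec["account"]):
        failed.append("check digit")
    amount = to_amount(rec["amount"])
    if amount is None:
        failed.append("valid character: amount")
    elif amount <= 0:
        failed.append("valid sign")
    elif amount > LIMIT:
        failed.append("limit/reasonableness")
    return failed


def edit_batch(header, records):
    """Record edits, the sequence test, then the three batch control totals."""
    exceptions = {}
    for pos, rec in enumerate(records, start=1):
        failed = edit_record(rec)
        if failed:
            exceptions[pos] = failed
    seqs = Counter(n for n in (to_int(r.get("seq", "")) for r in records)
                   if n is not None)
    gaps = [n for n in range(min(seqs), max(seqs) + 1) if n not in seqs] if seqs else []
    duplicates = sorted(n for n, count in seqs.items() if count > 1)
    # Recompute the totals from what was keyed and compare them with the
    # totals the user department calculated from the source documents.
    computed = {
        "record_count": len(records),
        "financial_total": sum((to_amount(r.get("amount", "")) or Decimal(0)
                                for r in records), Decimal(0)),
        "hash_total": sum(to_int(r.get("account", "")) or 0 for r in records),
    }
    out_of_balance = {name: (header[name], value)
                      for name, value in computed.items() if header[name] != value}
    return {"exceptions": exceptions, "gaps": gaps, "duplicates": duplicates,
            "out_of_balance": out_of_balance,
            "accept": not (exceptions or gaps or duplicates or out_of_balance)}


# Constructed batch header, as prepared from the source documents.
HEADER = {"record_count": 5, "financial_total": Decimal("1520.50"),
          "hash_total": 200177527}
# Constructed keyed records: record 2 has two account digits transposed,
# record 4 has a misplaced decimal point, record 5 is misnumbered.
KEYED_BATCH = [
    {"seq": "1001", "account": "40012346", "amount": "120.50"},
    {"seq": "1002", "account": "40026578", "amount": "980.00"},
    {"seq": "1003", "account": "40031411", "amount": "45.25"},
    {"seq": "1004", "account": "40049207", "amount": "3100.00"},
    {"seq": "1006", "account": "40058885", "amount": "64.75"},
]

if __name__ == "__main__":
    for name, value in edit_batch(HEADER, KEYED_BATCH).items():
        print(name, value)
```

The record count agrees even though the batch is wrong, and the hash total is out by 900, a multiple of 9, which is the usual signature of a transposition.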


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Activity 7.2-1 solution

The auditor may not be able to obtain evidence that the transactions have been properly authorized. In such cases, the auditor may need to perform more extensive tests of details of balances.

A common characteristic and desirable control for online systems that permit direct data entry without source documents is subjecting data to immediate validation checks by the system To continue with the ATM example the system checks for a correct PIN number then accesses the information from the customerrsquos bank account file to determine if there are enough funds to allow the customer to withdraw money from the ATM

fileF|Courses2010-11CGAAU106coursem07t02solhtm

fileF|Courses2010-11CGAAU106coursem07t02solhtm [04102010 31657 PM]

Scenario 73-1 solution 1

Segregation of duties

In traditional large systems it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing

There is segregation of duties among the data control clerk data entry clerk and the operator Operations staff is not permitted to modify the computer programs Only programmers and systems analysts (systems development staff) can access and modify computer programs provided they have authorization however they are not allowed to work with actual live data Thus there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other and the chance for unauthorized changes to computer programs is minimized

fileF|Courses2010-11CGAAU106coursem07t03sol1htm

fileF|Courses2010-11CGAAU106coursem07t03sol1htm [04102010 31658 PM]

Scenario 73-1 solution 2

With microcomputer systems the segregation of duties and functions is often impractical and unlikely in practice Usually the same person (user) has complete control over the installation of the computer programs and entry of data Thus it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail

fileF|Courses2010-11CGAAU106coursem07t03sol2htm

fileF|Courses2010-11CGAAU106coursem07t03sol2htm [04102010 31659 PM]

Scenario 73-2 solution

Automatic transaction processes must have appropriate controls in place For example input controls should ensure that purchases or sales will not take place above a pre-specified amount and organization controls should ensure that changes to the program trading software are authorized fully tested before implementation and documented

fileF|Courses2010-11CGAAU106coursem07t03sol3htm

fileF|Courses2010-11CGAAU106coursem07t03sol3htm [04102010 31700 PM]

Example 74-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item The system could be programmed to prompt the user whenever a transaction would cause a customerrsquos account balance to exceed the customerrsquos credit limit

fileF|Courses2010-11CGAAU106coursem07t04solhtm

fileF|Courses2010-11CGAAU106coursem07t04solhtm [04102010 31701 PM]

Activity 75-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring

fileF|Courses2010-11CGAAU106coursem07t05sol1htm

fileF|Courses2010-11CGAAU106coursem07t05sol1htm [04102010 31701 PM]

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware

fileF|Courses2010-11CGAAU106coursem07t05sol2htm

fileF|Courses2010-11CGAAU106coursem07t05sol2htm [04102010 31702 PM]

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another

fileF|Courses2010-11CGAAU106coursem07t05sol4htm

fileF|Courses2010-11CGAAU106coursem07t05sol4htm [04102010 31704 PM]

Activity 76-1 solution

One key control in designing a site is a firewall Essentially a firewall is a logical filter between an organizationrsquos internal network and the rest of the world Firewalls monitor the data traffic both into and out of the organizationrsquos network and can be configured to block both certain kinds of data and all traffic from particular locations

Firewalls however are not sufficient They simply form part of the organizationrsquos overall security plan Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus worm or similar destructive agent A company engaged in electronic commerce needs to address issues related to authentication authorization privacy and non-repudiation

Technological controls also need to be supplemented by organizational controls such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall A company should also set up defined policies regarding the use of company networks e-mail and the Internet because sensitive information sent via the Internet unless specifically encrypted is unsecured

fileF|Courses2010-11CGAAU106coursem07t06solhtm

fileF|Courses2010-11CGAAU106coursem07t06solhtm [04102010 31705 PM]

Activity 78-1 solution 1

To compensate for lack of appropriate processing controls the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts

fileF|Courses2010-11CGAAU106coursem07t08sol1htm

fileF|Courses2010-11CGAAU106coursem07t08sol1htm [04102010 31706 PM]

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures Instead the auditor may seek to accomplish the audit objectives through the application of substantive procedures

fileF|Courses2010-11CGAAU106coursem07t08sol2htm

fileF|Courses2010-11CGAAU106coursem07t08sol2htm [04102010 31706 PM]

Module 7 self-test

Question 1

As a potential CGA you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation Describe the skills and competence required to perform such an audit and explain why they are so important

Solution

Question 2

List six characteristics that are important to the auditorrsquos understanding of IT controls

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system

Solution

Question 4

a Review checkpoint 22 page 16 of Appendix 9A b Review checkpoint 5 page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12 page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29 Appendix 9A page 24

Solution

Question 7

a Review checkpoint 32 Appendix 9A page 28 b How are PCs used in small business audits

Solution

fileF|Courses2010-11CGAAU106coursem07selftesthtm

fileF|Courses2010-11CGAAU106coursem07selftesthtm [04102010 32945 PM]

Self-test 7

Solution 1

In CGA Auditing Guideline No 6 Auditing in an EDP Environment (Reading 7-1) paragraph 33 under ldquoSkills and competencerdquo describes the skills and competence an auditor should have in order to properly audit an EDP system They are

a ldquoSufficient understanding of the EDP environment to plan the auditrdquo An important part of planning an audit is gaining knowledge of the clientrsquos business and the environment in which the business operates This includes a knowledge of the clientrsquos information processing capability whether it be manual or EDP or a mixture of both

b ldquoSufficient knowledge of EDP to implement the auditing proceduresrdquo Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence

c ldquoSufficient skills to competently evaluate the resultsrdquo The comments pertaining to (b) apply equally to (c)

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm [04102010 32946 PM]

Self-test 7

Solution 2

The six characteristics important to the auditorrsquos understanding of IT controls are

1 Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form (A transaction trail is a chain of evidence provided through coding cross-references and documentation connecting account balances and other summary results with the original transaction documents and calculations)

2 Uniform processing

Computers process uniformly subjects like transactions to the same processing instructions potentially eliminating random errors normally associated with manual processing Conversely programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions as is the case in manual systems) and testing that the software tested has not been tampered with between tests This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software

3 Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems Password control procedures are a control method to separate incompatible functions such as access to assets and access to records through an online terminal The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre

4 Visibility of alterations

The potential for individuals including those performing control procedures to gain unauthorized access or alter data without visible evidence as well as to gain access (direct or indirect) to assets may be greater in computerized accounting systems

5 Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company This can enhance the entire system of internal control and reduce control risk

6 Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in managementrsquos acceptance of the system design Auditors need to assess general controls over system development and design


Scenario 7.3-1 solution 1

Segregation of duties

In traditional large systems, it is possible to segregate the functions in the computer department to detect errors and prevent fraudulent manipulation. The data control clerk in the computer processing department receives transaction batches from user departments and confirms that the transactions have been appropriately authorized before they are passed to the data entry clerks. Data entered into batches are verified for completeness and accuracy before the operator inputs that batch of data for processing.

There is segregation of duties among the data control clerk, data entry clerk, and the operator. Operations staff is not permitted to modify the computer programs. Only programmers and systems analysts (systems development staff) can access and modify computer programs, provided they have authorization; however, they are not allowed to work with actual live data. Thus, there is a clear segregation of duties between the systems development staff on the one hand and the operations staff on the other, and the chance for unauthorized changes to computer programs is minimized.

Scenario 7.3-1 solution 2

With microcomputer systems, the segregation of duties and functions is often impractical and unlikely in practice. Usually, the same person (user) has complete control over the installation of the computer programs and entry of data. Thus, it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail.

Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.

Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer's account balance to exceed the customer's credit limit.

Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.

Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company's financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.

Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.

Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.

Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.

Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.

Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.

b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.

b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).

Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.

Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.

Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

Self-test 7

Solution 5

General control procedures include:

  • organization and physical access
  • documentation and systems development
  • hardware controls and preventive maintenance
  • data file and program control and security
  • backup and recovery procedures
  • file security
  • file retention
  • system conversion controls (procedures to ensure the data is transferred completely and accurately, and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

  • input authorization
  • check digits
  • record counts
  • batch financial totals
  • batch hash totals
  • valid character tests
  • valid sign tests
  • missing data tests
  • sequence tests
  • limit/reasonableness tests
  • error correction and resubmission

Processing controls

  • run-to-run totals
  • control total reports
  • file logs
  • limit/reasonableness tests

Output controls

  • control totals
  • master file changes
  • output distribution
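The conversion test called for in Solution 3 can be run as a small computer-assisted reconciliation using the record counts, financial totals and hash totals listed above. The following Python code is an added example, not part of the course material; the two extracts are constructed sample data, and every function, field and account number in it is hypothetical.

```python
"""Reconcile a legacy extract against the converted extract at the cut-off date."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample extracts (not real data), both taken at the cut-off date.
LEGACY_CSV = """account_no,balance
1001,2500.00
1002,130.75
1003,0.00
1004,980.10
1005,45.00
"""

CONVERTED_CSV = """account_no,balance
1001,2600.00
1002,130.75
1004,880.10
1005,45.00
"""


@dataclass(frozen=True)
class ControlTotals:
    record_count: int          # number of records in the extract
    financial_total: Decimal   # sum of the balances
    hash_total: int            # sum of account numbers; has no meaning as a figure


def load(text):
    """Parse a CSV extract into a list of (account_no, balance) pairs."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["account_no"].strip(), Decimal(row["balance"])) for row in reader]


def control_totals(records):
    """Compute the three batch-style control totals for one extract."""
    return ControlTotals(
        record_count=len(records),
        financial_total=sum((bal for _, bal in records), Decimal("0")),
        hash_total=sum(int(acct) for acct, _ in records),
    )


def reconcile(legacy, converted):
    """Compare totals first, then every record, and return all exceptions."""
    old_totals = control_totals(legacy)
    new_totals = control_totals(converted)
    # Assumes the legacy extract has unique account numbers; duplicates in the
    # converted extract are reported separately below.
    old, new = dict(legacy), dict(converted)
    counts = Counter(acct for acct, _ in converted)
    return {
        "record_count_ok": old_totals.record_count == new_totals.record_count,
        "financial_total_ok": old_totals.financial_total == new_totals.financial_total,
        "hash_total_ok": old_totals.hash_total == new_totals.hash_total,
        "missing": sorted(old.keys() - new.keys()),      # dropped in conversion
        "unexpected": sorted(new.keys() - old.keys()),   # created in conversion
        "duplicated": sorted(a for a, n in counts.items() if n > 1),
        "changed": {
            a: (old[a], new[a])
            for a in sorted(old.keys() & new.keys())
            if old[a] != new[a]
        },
    }


def conversion_is_clean(result):
    """True only when every total agrees and no record-level exception exists."""
    totals_ok = (result["record_count_ok"] and result["financial_total_ok"]
                 and result["hash_total_ok"])
    exceptions = (result["missing"] or result["unexpected"]
                  or result["duplicated"] or result["changed"])
    return totals_ok and not exceptions


if __name__ == "__main__":
    outcome = reconcile(load(LEGACY_CSV), load(CONVERTED_CSV))
    for name, value in outcome.items():
        print(f"{name}: {value}")
    print("clean conversion:", conversion_is_clean(outcome))
```

In the sample, the financial totals agree because two misposted balances offset each other and the dropped account carried a zero balance, so only the record count, the hash total and the record-level comparison expose the errors.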


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.

Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

  • Original programming is not required.
  • Designing tests is easy. Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
  • For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
  • The same software can be used on various clients' computer systems.
  • Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm [04102010 32951 PM]

  • Local Disk
    • fileF|Courses2010-11CGAAU106coursem07introhtm
    • fileF|Courses2010-11CGAAU106coursem07t01htm
    • fileF|Courses2010-11CGAAU106coursem07t02htm
    • fileF|Courses2010-11CGAAU106coursem07t03htm
    • fileF|Courses2010-11CGAAU106coursem07t04htm
    • fileF|Courses2010-11CGAAU106coursem07t05htm
    • fileF|Courses2010-11CGAAU106coursem07t06htm
    • fileF|Courses2010-11CGAAU106coursem07t07htm
    • fileF|Courses2010-11CGAAU106coursem07t08htm
    • fileF|Courses2010-11CGAAU106coursem07t09htm
    • fileF|Courses2010-11CGAAU106coursem07t10htm
    • fileF|Courses2010-11CGAAU106coursem07t11htm
    • fileF|Courses2010-11CGAAU106coursem07t12htm
    • fileF|Courses2010-11CGAAU106coursem07summaryhtm
    • fileF|Courses2010-11CGAAU106coursem07t01solhtm
    • fileF|Courses2010-11CGAAU106coursem07t01sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t02solhtm
    • fileF|Courses2010-11CGAAU106coursem07t03sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t04solhtm
    • fileF|Courses2010-11CGAAU106coursem07t05sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol4htm
    • fileF|Courses2010-11CGAAU106coursem07t06solhtm
    • fileF|Courses2010-11CGAAU106coursem07t08sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t08sol2htm
      • module07stestpdf
        • Local Disk
          • fileF|Courses2010-11CGAAU106coursem07selftesthtm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol1htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol2htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol3htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol4htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol5htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol6htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol7htm
Page 32: Audit in CIS Environment

Scenario 73-1 solution 2

With microcomputer systems the segregation of duties and functions is often impractical and unlikely in practice Usually the same person (user) has complete control over the installation of the computer programs and entry of data Thus it is possible for a user with the required technical knowledge to alter the programs and data for personal gain without leaving any audit trail

fileF|Courses2010-11CGAAU106coursem07t03sol2htm

fileF|Courses2010-11CGAAU106coursem07t03sol2htm [04102010 31659 PM]

Scenario 73-2 solution

Automatic transaction processes must have appropriate controls in place For example input controls should ensure that purchases or sales will not take place above a pre-specified amount and organization controls should ensure that changes to the program trading software are authorized fully tested before implementation and documented

fileF|Courses2010-11CGAAU106coursem07t03sol3htm

fileF|Courses2010-11CGAAU106coursem07t03sol3htm [04102010 31700 PM]

Example 74-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item The system could be programmed to prompt the user whenever a transaction would cause a customerrsquos account balance to exceed the customerrsquos credit limit

fileF|Courses2010-11CGAAU106coursem07t04solhtm

fileF|Courses2010-11CGAAU106coursem07t04solhtm [04102010 31701 PM]

Activity 75-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring

fileF|Courses2010-11CGAAU106coursem07t05sol1htm

fileF|Courses2010-11CGAAU106coursem07t05sol1htm [04102010 31701 PM]

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware

fileF|Courses2010-11CGAAU106coursem07t05sol2htm

fileF|Courses2010-11CGAAU106coursem07t05sol2htm [04102010 31702 PM]

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another

fileF|Courses2010-11CGAAU106coursem07t05sol4htm

fileF|Courses2010-11CGAAU106coursem07t05sol4htm [04102010 31704 PM]

Activity 76-1 solution

One key control in designing a site is a firewall Essentially a firewall is a logical filter between an organizationrsquos internal network and the rest of the world Firewalls monitor the data traffic both into and out of the organizationrsquos network and can be configured to block both certain kinds of data and all traffic from particular locations

Firewalls however are not sufficient They simply form part of the organizationrsquos overall security plan Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus worm or similar destructive agent A company engaged in electronic commerce needs to address issues related to authentication authorization privacy and non-repudiation

Technological controls also need to be supplemented by organizational controls such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall A company should also set up defined policies regarding the use of company networks e-mail and the Internet because sensitive information sent via the Internet unless specifically encrypted is unsecured

fileF|Courses2010-11CGAAU106coursem07t06solhtm

fileF|Courses2010-11CGAAU106coursem07t06solhtm [04102010 31705 PM]

Activity 78-1 solution 1

To compensate for lack of appropriate processing controls the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts

fileF|Courses2010-11CGAAU106coursem07t08sol1htm

fileF|Courses2010-11CGAAU106coursem07t08sol1htm [04102010 31706 PM]

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures Instead the auditor may seek to accomplish the audit objectives through the application of substantive procedures

fileF|Courses2010-11CGAAU106coursem07t08sol2htm

fileF|Courses2010-11CGAAU106coursem07t08sol2htm [04102010 31706 PM]

Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Question 6

Review checkpoint 29, Appendix 9A, page 24

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP, or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

  • organization and physical access
  • documentation and systems development
  • hardware controls and preventive maintenance
  • data file and program control and security
  • backup and recovery procedures
  • file security
  • file retention
  • system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

  • input authorization
  • check digits
  • record counts
  • batch financial totals
  • batch hash totals
  • valid character tests
  • valid sign tests
  • missing data tests
  • sequence tests
  • limit/reasonableness tests
  • error correction and resubmission

Processing controls

  • run-to-run totals
  • control total reports
  • file logs
  • limit/reasonableness tests

Output controls

  • control totals
  • master file changes
  • output distribution
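The input controls listed above (check digits, record counts, batch financial and hash totals, valid character, valid sign, missing data, sequence, and limit/reasonableness tests) can be applied to a keyed payroll batch as in this added example, which is not part of the course material. The Luhn check-digit scheme, the field names, the limits, and the sample batch are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Assumed ceilings for the limit/reasonableness test (not from the course text).
MAX_HOURS = Decimal("60")
MAX_GROSS = Decimal("5000.00")


@dataclass(frozen=True)
class PayRecord:
    seq: int                      # pre-numbered time sheet
    employee_no: str              # five digits plus a Luhn check digit (assumed scheme)
    hours: Optional[Decimal]
    gross_pay: Optional[Decimal]


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal      # sum of gross pay
    hash_total: int               # sum of employee numbers, meaningful only as a control


def luhn_valid(number: str) -> bool:
    """Check digit test; non-digit input fails the valid character test."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec: PayRecord) -> List[str]:
    """Return the names of the input edit tests this record fails."""
    failures = []
    if rec.hours is None or rec.gross_pay is None:
        failures.append("missing data")
    if not luhn_valid(rec.employee_no):
        failures.append("check digit")
    amounts = [a for a in (rec.hours, rec.gross_pay) if a is not None]
    if any(a < 0 for a in amounts):
        failures.append("valid sign")
    elif (rec.hours is not None and rec.hours > MAX_HOURS) or (
            rec.gross_pay is not None and rec.gross_pay > MAX_GROSS):
        failures.append("limit/reasonableness")
    return failures


def compute_totals(records: List[PayRecord]) -> ControlTotals:
    """Recompute the batch control totals from what was actually keyed."""
    return ControlTotals(
        record_count=len(records),
        financial_total=sum((r.gross_pay or Decimal("0") for r in records), Decimal("0")),
        hash_total=sum(int(r.employee_no) for r in records
                       if r.employee_no.isascii() and r.employee_no.isdigit()),
    )


def sequence_exceptions(records: List[PayRecord]) -> Tuple[List[int], List[int]]:
    """Sequence test: document numbers missing from, or repeated in, the batch."""
    seen = [r.seq for r in records]
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - set(seen))
    duplicates = sorted({s for s in seen if seen.count(s) > 1})
    return missing, duplicates


def run_input_controls(header: ControlTotals, records: List[PayRecord]) -> Dict[str, object]:
    """Apply record-level edits, the sequence test and the batch total comparison."""
    keyed = compute_totals(records)
    differences = {}
    for name in ("record_count", "financial_total", "hash_total"):
        if getattr(keyed, name) != getattr(header, name):
            differences[name] = getattr(keyed, name) - getattr(header, name)
    rejected = {}
    for rec in records:
        failures = edit_record(rec)
        if failures:
            rejected[rec.seq] = failures   # held for error correction and resubmission
    missing, duplicates = sequence_exceptions(records)
    return {"rejected": rejected, "missing_seq": missing,
            "duplicate_seq": duplicates, "total_differences": differences}


# Constructed data. The header holds the totals the originating department
# computed from five time sheets (501 to 505) before data entry.
HEADER = ControlTotals(5, Decimal("5890.00"), 502236)
KEYED_BATCH = [
    PayRecord(501, "100230", Decimal("40"), Decimal("1200.00")),
    PayRecord(502, "100313", Decimal("38"), Decimal("1140.00")),
    PayRecord(503, "100497", Decimal("40"), Decimal("1300.00")),   # digits transposed
    PayRecord(505, "100628", Decimal("35"), Decimal("10500.00")),  # extra zero keyed
]                                                                  # sheet 504 never keyed

if __name__ == "__main__":
    for key, value in run_input_controls(HEADER, KEYED_BATCH).items():
        print(key, value)
```

The batch totals show that something is wrong with the batch as a whole, while the record-level edits and the sequence test identify which time sheets to correct and resubmit.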


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Solution 7

a. Advantages of a generalized audit software package include the following:

  • Original programming is not required.
  • Designing tests is easy.
  • Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
  • For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
  • The same software can be used on various clients’ computer systems.
  • Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Scenario 7.3-2 solution

Automatic transaction processes must have appropriate controls in place. For example, input controls should ensure that purchases or sales will not take place above a pre-specified amount, and organization controls should ensure that changes to the program trading software are authorized, fully tested before implementation, and documented.


Example 7.4-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process. Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item. The system could be programmed to prompt the user whenever a transaction would cause a customer’s account balance to exceed the customer’s credit limit.


Activity 7.5-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department, and as such, they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring.


Activity 7.5-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications. One of the basic assumptions underlying a company’s financial statements is that the company is a going concern. Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware.


Scenario 7.5-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 7.5-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.
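One way to test a conversion for completeness, accuracy, and cut-off, as called for here and in Self-test 7, Solution 3, shown as an added example that is not part of the course material. The function names are hypothetical, and the account numbers, balances, transaction ids, and changeover date are constructed for illustration.

```python
from datetime import date
from decimal import Decimal
from typing import Dict


def reconcile_balances(old: Dict[str, Decimal], new: Dict[str, Decimal]) -> dict:
    """Compare closing balances extracted from the old system with the opening
    balances loaded into the new one (account number -> balance)."""
    common = old.keys() & new.keys()
    return {
        # Completeness: every old account must arrive, and nothing may appear from nowhere.
        "missing_in_new": sorted(old.keys() - new.keys()),
        "unexpected_in_new": sorted(new.keys() - old.keys()),
        # Accuracy: balances carried forward must agree account by account.
        "mismatched": {a: (old[a], new[a]) for a in sorted(common) if old[a] != new[a]},
        # Control totals: quick to compute, but offsetting errors can leave them
        # unchanged, so they support the account-level comparison rather than replace it.
        "record_count_diff": len(new) - len(old),
        "financial_total_diff": sum(new.values(), Decimal("0")) - sum(old.values(), Decimal("0")),
    }


def cutoff_exceptions(old_txns: Dict[str, date], new_txns: Dict[str, date],
                      changeover: date) -> dict:
    """Cut-off test on transaction id -> posting date. The old system should hold
    nothing dated after the changeover, the new system nothing dated on or before
    it, and no transaction should have been processed by both."""
    return {
        "late_in_old": sorted(t for t, d in old_txns.items() if d > changeover),
        "early_in_new": sorted(t for t, d in new_txns.items() if d <= changeover),
        "in_both": sorted(old_txns.keys() & new_txns.keys()),
    }


def conversion_clean(balance_report: dict, cutoff_report: dict) -> bool:
    """True only when neither report contains an exception."""
    return not any(balance_report.values()) and not any(cutoff_report.values())


# Constructed extracts (credits shown as negative amounts).
CHANGEOVER = date(2010, 6, 30)
OLD_BALANCES = {
    "1000": Decimal("15200.00"),
    "1100": Decimal("8450.25"),
    "2000": Decimal("-6100.00"),
    "3000": Decimal("-17550.25"),
}
NEW_BALANCES = {
    "1000": Decimal("15200.00"),
    "1100": Decimal("8540.25"),    # digits transposed during conversion
    "3000": Decimal("-17550.25"),
    "9999": Decimal("-6100.00"),   # account 2000 loaded under an unmapped number
}
OLD_TXNS = {"T-1001": date(2010, 6, 29), "T-1002": date(2010, 6, 30), "T-1003": date(2010, 7, 2)}
NEW_TXNS = {"T-1002": date(2010, 7, 1), "T-1004": date(2010, 7, 1), "T-1005": date(2010, 6, 30)}

if __name__ == "__main__":
    balances = reconcile_balances(OLD_BALANCES, NEW_BALANCES)
    cutoff = cutoff_exceptions(OLD_TXNS, NEW_TXNS, CHANGEOVER)
    for report in (balances, cutoff):
        for key, value in report.items():
            print(key, value)
    print("conversion clean:", conversion_clean(balances, cutoff))
```

In the constructed data the record counts agree even though account 2000 did not arrive under its own number, which is why the comparison is made account by account as well as in total.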


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.




Example 74-1 solution

Design requirements

A computer may prompt the user each time a transaction is out of the ordinary before continuing the process Product prices could be entered into a database and accessed by the point-of-sales terminal by electronically scanning the Universal Product Code (UPC) printed on each item The system could be programmed to prompt the user whenever a transaction would cause a customerrsquos account balance to exceed the customerrsquos credit limit

fileF|Courses2010-11CGAAU106coursem07t04solhtm

fileF|Courses2010-11CGAAU106coursem07t04solhtm [04102010 31701 PM]

Activity 75-1 solution 1

These controls affect the integrity of the various application programs that are developed and documented by the IT department and as such they ultimately relate to the accurate processing of data and are designed to prevent errors from occurring

fileF|Courses2010-11CGAAU106coursem07t05sol1htm

fileF|Courses2010-11CGAAU106coursem07t05sol1htm [04102010 31701 PM]

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware

fileF|Courses2010-11CGAAU106coursem07t05sol2htm

fileF|Courses2010-11CGAAU106coursem07t05sol2htm [04102010 31702 PM]

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A.
b. Review checkpoint 5, page 4 of Appendix 9A.

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A.

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24.

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28.
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
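The accuracy, completeness, and cut-off tests described above (and in the Scenario 7.5-2 solution) can be run as a reconciliation of old-system closing balances against new-system opening balances. The following is an added example, not part of the course material; the account numbers, amounts, journal ids, and changeover date are constructed. It shows why agreeing record counts and control totals alone is not enough: offsetting changes and a renumbered account leave both unchanged.

```python
from datetime import date
from decimal import Decimal


def reconcile_conversion(old: dict, new: dict) -> dict:
    """Compare old-system closing balances with new-system opening balances."""
    old_keys, new_keys = set(old), set(new)
    return {
        # Completeness: same number of accounts, none dropped or invented.
        "record_counts": (len(old), len(new)),
        "dropped": sorted(old_keys - new_keys),
        "added": sorted(new_keys - old_keys),
        # Accuracy: the control total first, then every balance individually.
        "control_totals": (sum(old.values(), Decimal("0")),
                           sum(new.values(), Decimal("0"))),
        "changed": {a: (old[a], new[a])
                    for a in sorted(old_keys & new_keys) if old[a] != new[a]},
    }


def cutoff_exceptions(changeover: date, old_txns: list, new_txns: list) -> dict:
    """Find transactions posted on the wrong side of the changeover date."""
    old_ids = {t["id"] for t in old_txns}
    return {
        "late_in_old": sorted(t["id"] for t in old_txns if t["date"] >= changeover),
        "early_in_new": sorted(t["id"] for t in new_txns if t["date"] < changeover),
        "in_both": sorted(t["id"] for t in new_txns if t["id"] in old_ids),
    }


def totals_only_passes(report: dict) -> bool:
    """What a reviewer sees who checks only record counts and control totals."""
    counts, totals = report["record_counts"], report["control_totals"]
    return counts[0] == counts[1] and totals[0] == totals[1]


def conversion_clean(report: dict) -> bool:
    """True only when the totals agree and no account differs."""
    differences = report["dropped"] or report["added"] or report["changed"]
    return totals_only_passes(report) and not differences


# Constructed sample: closing trial balance in the old system ...
OLD = {"1000": Decimal("15000.00"), "1100": Decimal("4200.50"),
       "2000": Decimal("-8300.00"), "2100": Decimal("-1250.25"),
       "3000": Decimal("-9650.25")}
# ... and opening balances in the new system: 100.00 moved between accounts
# 1100 and 2000, and account 2100 carried forward under the number 2101.
NEW = {"1000": Decimal("15000.00"), "1100": Decimal("4100.50"),
       "2000": Decimal("-8200.00"), "2101": Decimal("-1250.25"),
       "3000": Decimal("-9650.25")}

CHANGEOVER = date(2010, 7, 1)  # constructed changeover date
OLD_TXNS = [{"id": "JV-0981", "date": date(2010, 6, 30)},
            {"id": "JV-0982", "date": date(2010, 7, 2)}]
NEW_TXNS = [{"id": "JV-0982", "date": date(2010, 7, 2)},
            {"id": "JV-0983", "date": date(2010, 6, 29)},
            {"id": "JV-0984", "date": date(2010, 7, 3)}]

if __name__ == "__main__":
    report = reconcile_conversion(OLD, NEW)
    print("totals-only check passes:", totals_only_passes(report))
    print("conversion clean:", conversion_clean(report))
    for name in ("dropped", "added", "changed"):
        print(name, report[name])
    print(cutoff_exceptions(CHANGEOVER, OLD_TXNS, NEW_TXNS))
```
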


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost-effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
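Several of the input controls listed above can be seen working together on one payroll batch. The following is an added example, not part of the course material; the employee numbers, amounts, the pay limit, and the choice of the Luhn scheme for the check digit are assumptions made for illustration (the course text names no particular check-digit scheme).

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed ceiling for the limit/reasonableness test; a real one comes from pay policy.
MAX_WEEKLY_GROSS = Decimal("5000.00")


@dataclass(frozen=True)
class BatchHeader:
    """Control figures the user department computes before the batch is keyed."""
    record_count: int
    financial_total: Decimal  # sum of gross pay
    hash_total: int           # sum of employee numbers; meaningless except as a control


def luhn_valid(number: str) -> bool:
    """Check-digit test (Luhn, chosen for illustration): catches single-digit
    errors and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(number) > 1 and total % 10 == 0


def parse_amount(value):
    """Return a finite Decimal, or None when the field is not a valid amount."""
    try:
        amount = Decimal(str(value).strip())
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def is_numeric_id(value) -> bool:
    text = str(value)
    return text.isascii() and text.isdigit()


def check_record(rec: dict) -> list:
    """Return the names of the input controls that this record fails."""
    if any(not str(rec.get(f, "")).strip() for f in ("seq", "emp_no", "gross")):
        return ["missing data"]
    failed = []
    if not is_numeric_id(rec["emp_no"]):
        failed.append("valid character")
    elif not luhn_valid(str(rec["emp_no"])):
        failed.append("check digit")
    gross = parse_amount(rec["gross"])
    if gross is None:
        failed.append("valid character")
    elif gross <= 0:
        failed.append("valid sign")
    elif gross > MAX_WEEKLY_GROSS:
        failed.append("limit/reasonableness")
    return failed


def check_batch(header: BatchHeader, records: list) -> dict:
    """Run the record-level tests, then compare batch totals with the header."""
    record_errors = {}
    for rec in records:
        failed = check_record(rec)
        if failed:
            record_errors[rec.get("seq")] = failed
    batch_errors = {}
    # Sequence test: numbers must run 1..n with no gaps or duplicates. A lost
    # final record leaves no gap, which is why the record count is also checked.
    seqs = [r["seq"] for r in records if isinstance(r.get("seq"), int)]
    gaps = sorted(set(range(1, max(seqs, default=0) + 1)) - set(seqs))
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    if gaps or dups:
        batch_errors["sequence"] = {"missing": gaps, "duplicated": dups}
    if len(records) != header.record_count:
        batch_errors["record count"] = (header.record_count, len(records))
    amounts = [parse_amount(r.get("gross")) for r in records]
    financial = sum((a for a in amounts if a is not None), Decimal("0"))
    if financial != header.financial_total:
        batch_errors["financial total"] = (header.financial_total, financial)
    hashed = sum(int(r["emp_no"]) for r in records if is_numeric_id(r.get("emp_no", "")))
    if hashed != header.hash_total:
        batch_errors["hash total"] = (header.hash_total, hashed)
    return {"record_errors": record_errors, "batch_errors": batch_errors}


# Constructed sample: the header as prepared for five time cards ...
HEADER = BatchHeader(record_count=5, financial_total=Decimal("5455.75"), hash_total=50174)
# ... and the batch as keyed: record 4 lost, record 3 keyed with the decimal
# point shifted, record 5 with two digits of the employee number transposed.
KEYED = [
    {"seq": 1, "emp_no": "10017", "gross": "1250.00"},
    {"seq": 2, "emp_no": "10025", "gross": "980.50"},
    {"seq": 3, "emp_no": "10033", "gross": "12500.00"},
    {"seq": 5, "emp_no": "10085", "gross": "1100.00"},
]

if __name__ == "__main__":
    result = check_batch(HEADER, KEYED)
    for seq, failed in result["record_errors"].items():
        print(f"record {seq}: failed {', '.join(failed)}")
    for control, detail in result["batch_errors"].items():
        print(f"batch: {control} -> {detail}")
```

The record-level tests identify which records to correct and resubmit; the batch totals show that something is still wrong even when every surviving record passes on its own, as with the lost record 4.
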


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps, such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Page 36: Audit in CIS Environment

Activity 75-1 solution 2

Backup controls and control procedures are of particular interest because they have serious accounting implications One of the basic assumptions underlying a companyrsquos financial statements is that the company is a going concern Researchers have estimated that a large company which has computerized its system extensively would be out of business in less than two weeks if its system was extensively damaged and it did not have backup systems and hardware


Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions.


Scenario 75-2 solution

To rely on internal control, the auditor must audit the internal controls of the original accounting system up to the changeover date, audit the conversion to ensure that the correct balances were carried forward to the new system, and audit the new internal controls to the year-end.

In other words, a conversion forces the auditor to perform three sets of audit tests in the year of conversion. The auditor may decide not to rely on one or both systems, and so would not audit either one or both, but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system. This will apply as well in situations where there is a change from one computer system to another.


Activity 76-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization's internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization's network, and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization's overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 78-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor's understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP, or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment, and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
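
A conversion test of the kind described above, as an added example that is not part of the course material: it compares a constructed extract of closing balances from the old system with the opening balances loaded into the new one. The file layout, account numbers and function names are assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sample extracts (not real client data): closing balances from the
# old system at the changeover date, and opening balances in the new system.
LEGACY_CSV = """account,balance
1000,15250.00
1100,8420.55
1200,-310.00
2000,-12000.00
2100,-4075.25
"""

NEW_CSV = """account,balance
1000,15250.00
1100,8402.55
1200,-310.00
2000,-12000.00
3000,125.00
"""


def load_balances(text):
    """Parse an account,balance extract into {account: Decimal}."""
    balances = {}
    for row in csv.DictReader(io.StringIO(text)):
        account = row["account"].strip()
        if account in balances:
            # A duplicated account would silently overwrite a balance.
            raise ValueError(f"duplicate account in extract: {account}")
        balances[account] = Decimal(row["balance"].strip())
    return balances


def control_totals(balances):
    """Record count, financial total, and a hash total of account numbers.

    The hash total has no accounting meaning; it only changes when the set of
    account numbers changes. Numeric account numbers are an assumption.
    """
    return {
        "record_count": len(balances),
        "financial_total": sum(balances.values(), Decimal("0")),
        "hash_total": sum(int(account) for account in balances),
    }


def reconcile(legacy, new):
    """Test completeness (every account carried forward, none added) and
    accuracy (each balance unchanged) of the conversion."""
    missing = sorted(set(legacy) - set(new))
    unexpected = sorted(set(new) - set(legacy))
    changed = {
        account: (legacy[account], new[account])
        for account in sorted(set(legacy) & set(new))
        if legacy[account] != new[account]
    }
    # Heuristic only: a difference divisible by 9 (in cents) is typical of two
    # transposed digits, which points to a keying error for follow-up.
    possible_transposition = [
        account for account, (old, cur) in changed.items()
        if (abs(old - cur) * 100) % 9 == 0
    ]
    return {
        "legacy_totals": control_totals(legacy),
        "new_totals": control_totals(new),
        "missing_in_new": missing,
        "unexpected_in_new": unexpected,
        "changed": changed,
        "possible_transposition": possible_transposition,
        "clean": not (missing or unexpected or changed),
    }


if __name__ == "__main__":
    report = reconcile(load_balances(LEGACY_CSV), load_balances(NEW_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample the record counts agree (five on each side) while the hash total and financial total do not, which is why a record count alone is not accepted as evidence of a complete conversion.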


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
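
The input edit checks listed above, applied to one payroll batch, as an added example that is not part of the course material. The batch layout, the Luhn check-digit scheme and the PAY_LIMIT ceiling are assumptions; the page names the controls but not how they are implemented.

```python
from decimal import Decimal, InvalidOperation

PAY_LIMIT = Decimal("5000.00")  # hypothetical ceiling for the limit/reasonableness test

# Constructed batch. The header holds control totals taken from the source
# documents before keying; RECORDS is what was actually keyed.
HEADER = {"record_count": 6, "financial_total": Decimal("7240.00"), "hash_total": 60240}
RECORDS = [
    {"seq": 1, "employee_id": "10017", "hours": "40", "gross_pay": "1200.00"},
    {"seq": 2, "employee_id": "10025", "hours": "38", "gross_pay": "1140.00"},
    {"seq": 3, "employee_id": "10033", "hours": "40", "gross_pay": "12000.00"},
    {"seq": 5, "employee_id": "10041", "hours": "40", "gross_pay": "-900.00"},
    {"seq": 6, "employee_id": "10067", "hours": "", "gross_pay": "1500.00"},
]


def luhn_valid(number):
    """Check-digit test: the last digit must satisfy the Luhn mod-10 formula."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit, counting from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def parse_amount(text):
    """Valid character test for an amount: return a Decimal, or None if unusable."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_record(record):
    """Run the per-record input controls and return a list of failure codes."""
    errors = []
    for field in ("employee_id", "hours", "gross_pay"):  # missing data test
        if not str(record.get(field, "")).strip():
            errors.append(f"missing:{field}")
    employee_id = str(record.get("employee_id", "")).strip()
    if employee_id and not luhn_valid(employee_id):  # check digit
        errors.append("check_digit")
    raw_pay = str(record.get("gross_pay", "")).strip()
    pay = parse_amount(raw_pay)
    if raw_pay and pay is None:  # valid character test
        errors.append("invalid_character:gross_pay")
    if pay is not None:
        if pay <= 0:  # valid sign test
            errors.append("sign")
        if pay > PAY_LIMIT:  # limit/reasonableness test
            errors.append("limit")
    return errors


def check_batch(header, records):
    """Per-record edits, sequence test, and comparison with batch control totals."""
    record_errors = {}
    for record in records:
        errors = edit_record(record)
        if errors:
            record_errors[record["seq"]] = errors
    seen = {record["seq"] for record in records}
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    amounts = [parse_amount(record.get("gross_pay")) for record in records]
    ids = [str(record.get("employee_id", "")) for record in records]
    actual = {
        "record_count": len(records),
        "financial_total": sum((a for a in amounts if a is not None), Decimal("0")),
        "hash_total": sum(int(i) for i in ids if i.isascii() and i.isdigit()),
    }
    batch_errors = [name for name in actual if actual[name] != header[name]]
    return {"record_errors": record_errors, "sequence_gaps": gaps,
            "actual": actual, "batch_errors": batch_errors}


if __name__ == "__main__":
    for key, value in check_batch(HEADER, RECORDS).items():
        print(f"{key}: {value}")
```

Record 3 is the kind of payment the limit/reasonableness test exists for: an extra zero in the amount passes every other per-record edit and is caught only by the limit and by the batch financial total.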


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, producing draft financial statements; also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm [04102010 32951 PM]

  • Local Disk
    • fileF|Courses2010-11CGAAU106coursem07introhtm
    • fileF|Courses2010-11CGAAU106coursem07t01htm
    • fileF|Courses2010-11CGAAU106coursem07t02htm
    • fileF|Courses2010-11CGAAU106coursem07t03htm
    • fileF|Courses2010-11CGAAU106coursem07t04htm
    • fileF|Courses2010-11CGAAU106coursem07t05htm
    • fileF|Courses2010-11CGAAU106coursem07t06htm
    • fileF|Courses2010-11CGAAU106coursem07t07htm
    • fileF|Courses2010-11CGAAU106coursem07t08htm
    • fileF|Courses2010-11CGAAU106coursem07t09htm
    • fileF|Courses2010-11CGAAU106coursem07t10htm
    • fileF|Courses2010-11CGAAU106coursem07t11htm
    • fileF|Courses2010-11CGAAU106coursem07t12htm
    • fileF|Courses2010-11CGAAU106coursem07summaryhtm
    • fileF|Courses2010-11CGAAU106coursem07t01solhtm
    • fileF|Courses2010-11CGAAU106coursem07t01sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t02solhtm
    • fileF|Courses2010-11CGAAU106coursem07t03sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t04solhtm
    • fileF|Courses2010-11CGAAU106coursem07t05sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol4htm
    • fileF|Courses2010-11CGAAU106coursem07t06solhtm
    • fileF|Courses2010-11CGAAU106coursem07t08sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t08sol2htm
      • module07stestpdf
        • Local Disk
          • fileF|Courses2010-11CGAAU106coursem07selftesthtm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol1htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol2htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol3htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol4htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol5htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol6htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol7htm
Page 37: Audit in CIS Environment

Scenario 75-1 solution

The payroll software should have built-in limits or reasonableness checks to flag such transactions

fileF|Courses2010-11CGAAU106coursem07t05sol3htm

fileF|Courses2010-11CGAAU106coursem07t05sol3htm [04102010 31703 PM]

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another

fileF|Courses2010-11CGAAU106coursem07t05sol4htm

fileF|Courses2010-11CGAAU106coursem07t05sol4htm [04102010 31704 PM]

Activity 76-1 solution

One key control in designing a site is a firewall Essentially a firewall is a logical filter between an organizationrsquos internal network and the rest of the world Firewalls monitor the data traffic both into and out of the organizationrsquos network and can be configured to block both certain kinds of data and all traffic from particular locations

Firewalls however are not sufficient They simply form part of the organizationrsquos overall security plan Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus worm or similar destructive agent A company engaged in electronic commerce needs to address issues related to authentication authorization privacy and non-repudiation

Technological controls also need to be supplemented by organizational controls such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall A company should also set up defined policies regarding the use of company networks e-mail and the Internet because sensitive information sent via the Internet unless specifically encrypted is unsecured

fileF|Courses2010-11CGAAU106coursem07t06solhtm

fileF|Courses2010-11CGAAU106coursem07t06solhtm [04102010 31705 PM]

Activity 78-1 solution 1

To compensate for lack of appropriate processing controls the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts

fileF|Courses2010-11CGAAU106coursem07t08sol1htm

fileF|Courses2010-11CGAAU106coursem07t08sol1htm [04102010 31706 PM]

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures Instead the auditor may seek to accomplish the audit objectives through the application of substantive procedures

fileF|Courses2010-11CGAAU106coursem07t08sol2htm

fileF|Courses2010-11CGAAU106coursem07t08sol2htm [04102010 31706 PM]

Module 7 self-test

Question 1

As a potential CGA you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation Describe the skills and competence required to perform such an audit and explain why they are so important

Solution

Question 2

List six characteristics that are important to the auditorrsquos understanding of IT controls

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system

Solution

Question 4

a Review checkpoint 22 page 16 of Appendix 9A b Review checkpoint 5 page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12 page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29 Appendix 9A page 24

Solution

Question 7

a Review checkpoint 32 Appendix 9A page 28 b How are PCs used in small business audits

Solution

fileF|Courses2010-11CGAAU106coursem07selftesthtm

fileF|Courses2010-11CGAAU106coursem07selftesthtm [04102010 32945 PM]

Self-test 7

Solution 1

In CGA Auditing Guideline No 6 Auditing in an EDP Environment (Reading 7-1) paragraph 33 under ldquoSkills and competencerdquo describes the skills and competence an auditor should have in order to properly audit an EDP system They are

a ldquoSufficient understanding of the EDP environment to plan the auditrdquo An important part of planning an audit is gaining knowledge of the clientrsquos business and the environment in which the business operates This includes a knowledge of the clientrsquos information processing capability whether it be manual or EDP or a mixture of both

b ldquoSufficient knowledge of EDP to implement the auditing proceduresrdquo Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence

c ldquoSufficient skills to competently evaluate the resultsrdquo The comments pertaining to (b) apply equally to (c)

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm [04102010 32946 PM]

Self-test 7

Solution 2

The six characteristics important to the auditorrsquos understanding of IT controls are

1 Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form (A transaction trail is a chain of evidence provided through coding cross-references and documentation connecting account balances and other summary results with the original transaction documents and calculations)

2 Uniform processing

Computers process uniformly subjects like transactions to the same processing instructions potentially eliminating random errors normally associated with manual processing Conversely programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions as is the case in manual systems) and testing that the software tested has not been tampered with between tests This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software

3 Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems Password control procedures are a control method to separate incompatible functions such as access to assets and access to records through an online terminal The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre

4 Visibility of alterations

The potential for individuals including those performing control procedures to gain unauthorized access or alter data without visible evidence as well as to gain access (direct or indirect) to assets may be greater in computerized accounting systems

5 Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company This can enhance the entire system of internal control and reduce control risk

6 Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in managementrsquos acceptance of the system design Auditors need to assess general controls over system development and design

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm [04102010 32947 PM]

Self-test 7

Solution 3

The auditorrsquos greatest concern is whether the data have been accurately and completely converted to the new system If the new system or changed system starts with inaccurate data the errors might never be caught In addition the cost of tracking down and converting discovered errors is very high The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained Because of the conversion control risk may have increased and audit procedures will have to be changed

Accurate cut-off between the two systems is essential Documentation of conversion process should be required The auditor needs to test the accuracy and completeness of the conversion

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm [04102010 32948 PM]

Self-test 7

Solution 4

a Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature Generally a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes so there is no point testing specific application controls unless the overall control environment and general controls are adequate

b The extent of IT use has an impact on how a client produces financial information The information systems and IT used in the clientrsquos significant accounting processes influence the nature timing and extent of planned audit procedures Significant accounting processes are those relating to accounting information that can materially affect the financial statements Important matters to consider include its complexity how the IT function is organized and its place in the overall business organization data availability availability of CAATs and the need for IT specialist skills

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm [04102010 32949 PM]

Self-test 7

Solution 5

General control procedures include

organization and physical access documentation and systems development hardware controls and preventive maintenance data file and program control and security backup and recovery procedures file security file retention system conversion controls (procedures to ensure the data is transferred completely and accurately and that an

accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

input authorization check digits record counts batch financial totals batch hash totals valid character tests valid sign tests missing data tests sequence tests limitreasonableness tests error correction and resubmission

Processing controls

run-to-run totals control total reports file logs limitreasonableness tests

Output controls

control totals master file changes output distribution

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm [04102010 32950 PM]

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system This conclusion is used to assess the control risk and determine the nature timing and extent of substantive audit procedures for auditing the related account balances in the overall audit plan This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software

CAATs can also be used when performing substantive testing

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm [04102010 32951 PM]

Self-test 7

Solution 7

a Advantages of a generalized audit software package include the folowing

Original programming is not required Designing tests is easy Many GAS packages are PC-based and menu-driven so they operate much like

commonly used spreadsheet programs For special-purpose analysis of data files GAS is more efficient than special programs written from scratch

because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package

The same software can be used on various clientsrsquo computer systems Control and specific tailoring are achieved through the auditorsrsquo own ability to program and operate the system

b Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance posting adjusting entries grouping accounts into lead schedules computing ratios producing draft financial statements also to prepare audit working papers programs and memos PCs can also be used in audit planning and administration

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm [04102010 32951 PM]

  • Local Disk
    • fileF|Courses2010-11CGAAU106coursem07introhtm
    • fileF|Courses2010-11CGAAU106coursem07t01htm
    • fileF|Courses2010-11CGAAU106coursem07t02htm
    • fileF|Courses2010-11CGAAU106coursem07t03htm
    • fileF|Courses2010-11CGAAU106coursem07t04htm
    • fileF|Courses2010-11CGAAU106coursem07t05htm
    • fileF|Courses2010-11CGAAU106coursem07t06htm
    • fileF|Courses2010-11CGAAU106coursem07t07htm
    • fileF|Courses2010-11CGAAU106coursem07t08htm
    • fileF|Courses2010-11CGAAU106coursem07t09htm
    • fileF|Courses2010-11CGAAU106coursem07t10htm
    • fileF|Courses2010-11CGAAU106coursem07t11htm
    • fileF|Courses2010-11CGAAU106coursem07t12htm
    • fileF|Courses2010-11CGAAU106coursem07summaryhtm
    • fileF|Courses2010-11CGAAU106coursem07t01solhtm
    • fileF|Courses2010-11CGAAU106coursem07t01sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t02solhtm
    • fileF|Courses2010-11CGAAU106coursem07t03sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t04solhtm
    • fileF|Courses2010-11CGAAU106coursem07t05sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol4htm
    • fileF|Courses2010-11CGAAU106coursem07t06solhtm
    • fileF|Courses2010-11CGAAU106coursem07t08sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t08sol2htm
      • module07stestpdf
        • Local Disk
          • fileF|Courses2010-11CGAAU106coursem07selftesthtm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol1htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol2htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol3htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol4htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol5htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol6htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol7htm
Page 38: Audit in CIS Environment

Scenario 75-2 solution

To rely on internal control the auditor must audit the internal controls of the original accounting system up to the changeover date audit the conversion to ensure that the correct balances were carried forward to the new system and audit the new internal controls to the year-end

In other words a conversion forces the auditor to perform three sets of audit tests in the year of conversion The auditor may decide not to rely on one or both systems and so would not audit either one or both but would in any case audit the conversion to ensure that the client correctly carried forward the account balances from the old to the new system This will apply as well in situations where there is a change from one computer system to another


Activity 7.6-1 solution

One key control in designing a site is a firewall. Essentially, a firewall is a logical filter between an organization’s internal network and the rest of the world. Firewalls monitor the data traffic both into and out of the organization’s network and can be configured to block both certain kinds of data and all traffic from particular locations.

Firewalls, however, are not sufficient. They simply form part of the organization’s overall security plan. Firewalls only help mitigate the risk of loss of privacy and reduce the likelihood of importing a virus, worm, or similar destructive agent. A company engaged in electronic commerce needs to address issues related to authentication, authorization, privacy, and non-repudiation.

Technological controls also need to be supplemented by organizational controls, such as educating employees about virus scanning and ensuring that unauthorized devices are not bypassing the firewall. A company should also set up defined policies regarding the use of company networks, e-mail, and the Internet, because sensitive information sent via the Internet, unless specifically encrypted, is unsecured.


Activity 7.8-1 solution 1

To compensate for lack of appropriate processing controls, the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts.


Activity 7.8-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.


Module 7 self-test

Question 1

As a potential CGA, you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation. Describe the skills and competence required to perform such an audit, and explain why they are so important.

Solution

Question 2

List six characteristics that are important to the auditor’s understanding of IT controls.

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system?

Solution

Question 4

a. Review checkpoint 22, page 16 of Appendix 9A
b. Review checkpoint 5, page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12, page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29, Appendix 9A, page 24

Solution

Question 7

a. Review checkpoint 32, Appendix 9A, page 28
b. How are PCs used in small business audits?

Solution


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under “Skills and competence” describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. “Sufficient understanding of the EDP environment to plan the audit.” An important part of planning an audit is gaining knowledge of the client’s business and the environment in which the business operates. This includes a knowledge of the client’s information processing capability, whether it be manual or EDP or a mixture of both.

b. “Sufficient knowledge of EDP to implement the auditing procedures.” Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. “Sufficient skills to competently evaluate the results.” The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor’s understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management’s acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor’s greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
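
An added example, not part of the course material: one way to test the completeness and accuracy of a conversion by comparing balance extracts taken from the old and new systems at the cut-off date. The extract layout, account numbers and balances are constructed, and the sample is built so that record counts and control totals agree even though the conversion is wrong.

```python
from decimal import Decimal

# Constructed extracts of (account number, balance) at the cut-off date.
LEGACY = [
    ("1000", "15250.00"),
    ("1100", "8430.75"),
    ("2000", "-12100.00"),
    ("3000", "-11580.75"),
]
CONVERTED = [
    ("1000", "15250.00"),
    ("1100", "8340.75"),    # digits transposed: 90.00 too low
    ("2000", "-12010.00"),  # offsetting 90.00 difference hides the error in the total
    ("4000", "-11580.75"),  # account 3000 was renumbered during conversion
]


def load(rows):
    """Parse an extract into {account: Decimal}, rejecting duplicate accounts."""
    balances = {}
    for account, amount in rows:
        if account in balances:
            raise ValueError(f"duplicate account {account}")
        balances[account] = Decimal(amount)
    return balances


def reconcile(legacy_rows, converted_rows):
    """Compare summary controls and every account between the two extracts."""
    old, new = load(legacy_rows), load(converted_rows)
    shared = sorted(set(old) & set(new))
    return {
        # Summary controls, each as (legacy, converted).
        "record_count": (len(old), len(new)),
        "control_total": (sum(old.values(), Decimal(0)),
                          sum(new.values(), Decimal(0))),
        # Hash total: sum of account numbers (assumed numeric), used only as a check.
        "hash_total": (sum(int(a) for a in old), sum(int(a) for a in new)),
        # Account-level exceptions.
        "missing": sorted(set(old) - set(new)),
        "unexpected": sorted(set(new) - set(old)),
        "changed": {a: (old[a], new[a]) for a in shared if old[a] != new[a]},
    }


def conversion_clean(report):
    """True only if all summary controls agree and no account-level exception exists."""
    summaries = ("record_count", "control_total", "hash_total")
    if any(report[name][0] != report[name][1] for name in summaries):
        return False
    return not (report["missing"] or report["unexpected"] or report["changed"])


if __name__ == "__main__":
    for name, value in reconcile(LEGACY, CONVERTED).items():
        print(name, value)
```

Here the record counts and control totals match, so only the hash total and the account-by-account comparison reveal the renumbered account and the two offsetting balance errors.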


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective, because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
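
An added example, not part of the course material, applying several of the input controls listed above to one keyed payroll batch: per-record sequence, missing data, check digit, valid character, valid sign and limit/reasonableness tests, then record count, financial total and hash total against the batch header. The batch, the pay limit and the choice of the Luhn (modulus 10) check digit scheme are assumptions of the example.

```python
from decimal import Decimal, InvalidOperation

# Assumed reasonableness range for one pay period (hypothetical policy value).
PAY_LIMIT = (Decimal("0.01"), Decimal("5000.00"))

# Constructed control figures, prepared from source documents before keying.
HEADER = {
    "record_count": 4,
    "financial_total": Decimal("9150.00"),
    "hash_total": 105469,  # sum of employee IDs; has no meaning except as a check
}

# Constructed keyed batch containing deliberate data-entry errors.
RECORDS = [
    {"seq": 1, "employee_id": "12344", "gross_pay": "2100.00"},
    {"seq": 2, "employee_id": "20543", "gross_pay": "1850.00"},   # ID digits transposed
    {"seq": 4, "employee_id": "31708", "gross_pay": "24000.00"},  # seq 3 skipped, extra zero
    {"seq": 5, "employee_id": "40964", "gross_pay": "2800.00"},
]


def check_digit_ok(number):
    """Luhn (modulus 10) check digit test; the scheme is assumed for this example."""
    if not number.isdigit():
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def validate_batch(header, records, first_seq=1):
    """Return (seq or 'BATCH', test name, detail) for every failed control."""
    exceptions = []
    low, high = PAY_LIMIT
    expected_seq = first_seq
    financial_total = Decimal("0")
    hash_total = 0

    for rec in records:
        seq = rec["seq"]
        if seq != expected_seq:  # sequence test: gaps, duplicates, reordering
            exceptions.append((seq, "sequence", f"expected {expected_seq}"))
        expected_seq = seq + 1

        employee_id = rec.get("employee_id", "")
        raw_pay = rec.get("gross_pay", "")
        if not employee_id or not raw_pay:  # missing data test
            exceptions.append((seq, "missing data", "blank field"))
            continue

        if not check_digit_ok(employee_id):
            exceptions.append((seq, "check digit", employee_id))
        if employee_id.isdigit():
            hash_total += int(employee_id)

        try:
            pay = Decimal(raw_pay)
        except InvalidOperation:
            pay = None
        if pay is None or not pay.is_finite():  # valid character test
            exceptions.append((seq, "valid character", raw_pay))
            continue
        financial_total += pay
        if pay < 0:  # valid sign test
            exceptions.append((seq, "valid sign", raw_pay))
        elif not low <= pay <= high:
            exceptions.append((seq, "limit/reasonableness", raw_pay))

    # Batch controls: what was keyed must agree with the header figures.
    keyed = {"record_count": len(records),
             "financial_total": financial_total,
             "hash_total": hash_total}
    for name, actual in keyed.items():
        if actual != header[name]:
            exceptions.append(("BATCH", name, f"header {header[name]}, keyed {actual}"))
    return exceptions


if __name__ == "__main__":
    for item in validate_batch(HEADER, RECORDS):
        print(item)
```

The record count agrees with the header even though three fields are wrong, which is why the batch is also checked against the financial and hash totals.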


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems.
• Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Page 40: Audit in CIS Environment

Activity 78-1 solution 1

To compensate for lack of appropriate processing controls the payroll department can scan the detailed listing of weekly or monthly salary payments for unusual amounts

fileF|Courses2010-11CGAAU106coursem07t08sol1htm

fileF|Courses2010-11CGAAU106coursem07t08sol1htm [04102010 31706 PM]

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures Instead the auditor may seek to accomplish the audit objectives through the application of substantive procedures

fileF|Courses2010-11CGAAU106coursem07t08sol2htm

fileF|Courses2010-11CGAAU106coursem07t08sol2htm [04102010 31706 PM]

Module 7 self-test

Question 1

As a potential CGA you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation Describe the skills and competence required to perform such an audit and explain why they are so important

Solution

Question 2

List six characteristics that are important to the auditorrsquos understanding of IT controls

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system

Solution

Question 4

a Review checkpoint 22 page 16 of Appendix 9A b Review checkpoint 5 page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12 page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29 Appendix 9A page 24

Solution

Question 7

a Review checkpoint 32 Appendix 9A page 28 b How are PCs used in small business audits

Solution

fileF|Courses2010-11CGAAU106coursem07selftesthtm

fileF|Courses2010-11CGAAU106coursem07selftesthtm [04102010 32945 PM]

Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.


Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Solution 5

General control procedures include:

• organization and physical access
• documentation and systems development
• hardware controls and preventive maintenance
• data file and program control and security
• backup and recovery procedures
• file security
• file retention
• system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing controls

• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output controls

• control totals
• master file changes
• output distribution
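The conversion test called for in Solution 3, built from the record counts, batch financial totals and batch hash totals listed under Solution 5, is sketched below as an added example that is not part of the course material. The account data, the cut-off date and the function names are constructed for illustration, and account numbers are assumed to be unique within each file.

```python
from datetime import date
from decimal import Decimal

CUTOFF = date(2010, 9, 30)  # constructed conversion cut-off date

# Constructed sample files: (account number, balance, date of last posting).
LEGACY = [
    ("1001", Decimal("250.00"), date(2010, 9, 28)),
    ("1002", Decimal("1200.50"), date(2010, 9, 30)),
    ("1003", Decimal("-75.25"), date(2010, 9, 15)),
    ("1004", Decimal("980.00"), date(2010, 9, 29)),
]
CONVERTED = [
    ("1001", Decimal("250.00"), date(2010, 9, 28)),
    ("1002", Decimal("1210.50"), date(2010, 10, 1)),  # +10.00, posted after cut-off
    ("1003", Decimal("-85.25"), date(2010, 9, 15)),   # -10.00, offsets the error above
    ("1040", Decimal("980.00"), date(2010, 9, 29)),   # account number transposed
]


def control_totals(records):
    """Return the three batch totals for a file of account records."""
    return {
        "record_count": len(records),
        "financial_total": sum((bal for _, bal, _ in records), Decimal("0")),
        # A hash total sums a field with no monetary meaning (the account number),
        # so it changes when a key is altered even if the money still adds up.
        "hash_total": sum(int(acct) for acct, _, _ in records),
    }


def reconcile(legacy, converted, cutoff):
    """Compare both files; return a sorted list of (finding_type, key, detail)."""
    findings = []

    # Step 1: file-level control totals (completeness and accuracy in aggregate).
    old_totals, new_totals = control_totals(legacy), control_totals(converted)
    for name, old_value in old_totals.items():
        if new_totals[name] != old_value:
            findings.append(("control_total", name, f"{old_value} -> {new_totals[name]}"))

    # Step 2: record-level comparison, which catches offsetting errors
    # that leave the financial total unchanged.
    old_by_acct = {acct: (bal, posted) for acct, bal, posted in legacy}
    new_by_acct = {acct: (bal, posted) for acct, bal, posted in converted}
    for acct in old_by_acct.keys() - new_by_acct.keys():
        findings.append(("missing_after_conversion", acct, str(old_by_acct[acct][0])))
    for acct in new_by_acct.keys() - old_by_acct.keys():
        findings.append(("unexpected_after_conversion", acct, str(new_by_acct[acct][0])))
    for acct in old_by_acct.keys() & new_by_acct.keys():
        old_bal, new_bal = old_by_acct[acct][0], new_by_acct[acct][0]
        if old_bal != new_bal:
            findings.append(("balance_changed", acct, f"{old_bal} -> {new_bal}"))

    # Step 3: cut-off test. Nothing posted after the cut-off date belongs
    # in the balances carried into the new system.
    for acct, (_, posted) in new_by_acct.items():
        if posted > cutoff:
            findings.append(("posted_after_cutoff", acct, posted.isoformat()))

    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(LEGACY, CONVERTED, CUTOFF):
        print(finding)
```

On the sample data the record count and the financial total agree even though two balances changed, so only the hash total and the record-level comparison expose the problems.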


Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.

Page 41: Audit in CIS Environment

Activity 78-1 solution 2

The auditor does not need to continue the review documentation or to perform compliance procedures. Instead, the auditor may seek to accomplish the audit objectives through the application of substantive procedures.

Page 42: Audit in CIS Environment

Module 7 self-test

Question 1

As a potential CGA you should be aware of the auditing guidelines issued by CGA Canada in order to properly audit a computer processing installation Describe the skills and competence required to perform such an audit and explain why they are so important

Solution

Question 2

List six characteristics that are important to the auditorrsquos understanding of IT controls

Solution

Question 3

What concerns should an auditor have about the actual conversion when a client converts to a new information system

Solution

Question 4

a Review checkpoint 22 page 16 of Appendix 9A b Review checkpoint 5 page 4 of Appendix 9A

Solution

Question 5

Review checkpoint 12 page 15 of Appendix 9A

Solution

Question 6

Review checkpoint 29 Appendix 9A page 24

Solution

Question 7

a Review checkpoint 32 Appendix 9A page 28 b How are PCs used in small business audits

Solution

fileF|Courses2010-11CGAAU106coursem07selftesthtm

fileF|Courses2010-11CGAAU106coursem07selftesthtm [04102010 32945 PM]

Self-test 7

Solution 1

In CGA Auditing Guideline No 6 Auditing in an EDP Environment (Reading 7-1) paragraph 33 under ldquoSkills and competencerdquo describes the skills and competence an auditor should have in order to properly audit an EDP system They are

a ldquoSufficient understanding of the EDP environment to plan the auditrdquo An important part of planning an audit is gaining knowledge of the clientrsquos business and the environment in which the business operates This includes a knowledge of the clientrsquos information processing capability whether it be manual or EDP or a mixture of both

b ldquoSufficient knowledge of EDP to implement the auditing proceduresrdquo Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence

c ldquoSufficient skills to competently evaluate the resultsrdquo The comments pertaining to (b) apply equally to (c)

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm

fileF|Courses2010-11CGAAU106coursem07selftestsol1htm [04102010 32946 PM]

Self-test 7

Solution 2

The six characteristics important to the auditorrsquos understanding of IT controls are

1 Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form (A transaction trail is a chain of evidence provided through coding cross-references and documentation connecting account balances and other summary results with the original transaction documents and calculations)

2 Uniform processing

Computers process uniformly subjects like transactions to the same processing instructions potentially eliminating random errors normally associated with manual processing Conversely programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions as is the case in manual systems) and testing that the software tested has not been tampered with between tests This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software

3 Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems Password control procedures are a control method to separate incompatible functions such as access to assets and access to records through an online terminal The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre

4 Visibility of alterations

The potential for individuals including those performing control procedures to gain unauthorized access or alter data without visible evidence as well as to gain access (direct or indirect) to assets may be greater in computerized accounting systems

5 Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company This can enhance the entire system of internal control and reduce control risk

6 Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in managementrsquos acceptance of the system design Auditors need to assess general controls over system development and design

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm [04102010 32947 PM]

Self-test 7

Solution 3

The auditorrsquos greatest concern is whether the data have been accurately and completely converted to the new system If the new system or changed system starts with inaccurate data the errors might never be caught In addition the cost of tracking down and converting discovered errors is very high The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained Because of the conversion control risk may have increased and audit procedures will have to be changed

Accurate cut-off between the two systems is essential Documentation of conversion process should be required The auditor needs to test the accuracy and completeness of the conversion

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm [04102010 32948 PM]

Self-test 7

Solution 4

a Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature Generally a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes so there is no point testing specific application controls unless the overall control environment and general controls are adequate

b The extent of IT use has an impact on how a client produces financial information The information systems and IT used in the clientrsquos significant accounting processes influence the nature timing and extent of planned audit procedures Significant accounting processes are those relating to accounting information that can materially affect the financial statements Important matters to consider include its complexity how the IT function is organized and its place in the overall business organization data availability availability of CAATs and the need for IT specialist skills

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm [04102010 32949 PM]

Self-test 7

Solution 5

General control procedures include

organization and physical access documentation and systems development hardware controls and preventive maintenance data file and program control and security backup and recovery procedures file security file retention system conversion controls (procedures to ensure the data is transferred completely and accurately and that an

accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

input authorization check digits record counts batch financial totals batch hash totals valid character tests valid sign tests missing data tests sequence tests limitreasonableness tests error correction and resubmission

Processing controls

run-to-run totals control total reports file logs limitreasonableness tests

Output controls

control totals master file changes output distribution

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm [04102010 32950 PM]

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.


Self-test 7

Solution 7

a. Advantages of a generalized audit software package include the following:

• Original programming is not required.
• Designing tests is easy.
• Many GAS packages are PC-based and menu-driven, so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients' computer systems.
• Control and specific tailoring are achieved through the auditors' own ability to program and operate the system.

b. Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing the working trial balance, posting adjusting entries, grouping accounts into lead schedules, computing ratios, and producing draft financial statements, and also to prepare audit working papers, programs, and memos. PCs can also be used in audit planning and administration.


Self-test 7

Solution 1

In CGA Auditing Guideline No. 6, Auditing in an EDP Environment (Reading 7-1), paragraph 33 under "Skills and competence" describes the skills and competence an auditor should have in order to properly audit an EDP system. They are:

a. "Sufficient understanding of the EDP environment to plan the audit." An important part of planning an audit is gaining knowledge of the client's business and the environment in which the business operates. This includes a knowledge of the client's information processing capability, whether it be manual or EDP or a mixture of both.

b. "Sufficient knowledge of EDP to implement the auditing procedures." Generally accepted auditing standards require an auditor to have adequate technical training and proficiency in auditing. A logical extension is to require a CGA who is auditing an EDP system to have an adequate knowledge of EDP in order to audit an EDP system, which includes assessing inherent and control risk for specific assertions in an EDP environment and determining substantive auditing procedures for gathering and evaluating sufficient appropriate audit evidence.

c. "Sufficient skills to competently evaluate the results." The comments pertaining to (b) apply equally to (c).


Self-test 7

Solution 2

The six characteristics important to the auditor's understanding of IT controls are:

1. Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form. (A transaction trail is a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction documents and calculations.)

2. Uniform processing

Computer processing uniformly subjects like transactions to the same processing instructions, potentially eliminating the random errors normally associated with manual processing. Conversely, programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions. The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions, as is the case in manual systems) and to test that the software tested has not been tampered with between tests. This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software.

3. Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems. Password control procedures are a control method to separate incompatible functions, such as access to assets and access to records through an online terminal. The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre.

4. Visibility of alterations

The potential for individuals, including those performing control procedures, to gain unauthorized access or alter data without visible evidence, as well as to gain access (direct or indirect) to assets, may be greater in computerized accounting systems.

5. Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company. This can enhance the entire system of internal control and reduce control risk.

6. Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in management's acceptance of the system design. Auditors need to assess general controls over system development and design.


Self-test 7

Solution 3

The auditor's greatest concern is whether the data have been accurately and completely converted to the new system. If the new system or changed system starts with inaccurate data, the errors might never be caught. In addition, the cost of tracking down and converting discovered errors is very high. The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process. The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained. Because of the conversion, control risk may have increased, and audit procedures will have to be changed.

Accurate cut-off between the two systems is essential. Documentation of the conversion process should be required. The auditor needs to test the accuracy and completeness of the conversion.
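One way to test the accuracy, completeness, and cut-off of a conversion is to reconcile an extract of the old master file against the converted file and to compare transaction dates with the cut-off date. The Python sketch below is an added example, not part of the course material; the record layout, the customer and transaction IDs, and the cut-off date are constructed for illustration.

```python
"""Conversion testing: master-file reconciliation and cut-off exceptions."""
from datetime import date
from decimal import Decimal


def reconcile_conversion(legacy, converted, fields=("name", "balance")):
    """Compare the legacy extract with the converted file, keyed on record id."""
    old = {r["id"]: r for r in legacy}
    new = {r["id"]: r for r in converted}
    changed = {}
    for key in sorted(old.keys() & new.keys()):
        diffs = {f: (old[key][f], new[key][f])
                 for f in fields if old[key][f] != new[key][f]}
        if diffs:
            changed[key] = diffs
    return {
        # Completeness at the file level: counts and a control total.
        "record_count": (len(legacy), len(converted)),
        "control_total": (sum((r["balance"] for r in legacy), Decimal("0")),
                          sum((r["balance"] for r in converted), Decimal("0"))),
        # Completeness and accuracy at the record level.
        "missing_in_new": sorted(old.keys() - new.keys()),
        "unexpected_in_new": sorted(new.keys() - old.keys()),
        "changed": changed,
    }


def cutoff_exceptions(legacy_txns, new_txns, cutoff):
    """cutoff is the first date that belongs to the new system."""
    return {
        "late_in_legacy": sorted(t["id"] for t in legacy_txns if t["date"] >= cutoff),
        "early_in_new": sorted(t["id"] for t in new_txns if t["date"] < cutoff),
        "in_both": sorted({t["id"] for t in legacy_txns}
                          & {t["id"] for t in new_txns}),
    }


# Constructed sample data. The record counts agree (4 and 4) even though one
# record was dropped, one was added, and one balance changed during conversion.
LEGACY_MASTER = [
    {"id": "C001", "name": "Acme", "balance": Decimal("1200.00")},
    {"id": "C002", "name": "Borealis", "balance": Decimal("350.75")},
    {"id": "C003", "name": "Cedar", "balance": Decimal("0.00")},
    {"id": "C004", "name": "Delta", "balance": Decimal("980.10")},
]
NEW_MASTER = [
    {"id": "C001", "name": "Acme", "balance": Decimal("1200.00")},
    {"id": "C002", "name": "Borealis", "balance": Decimal("305.75")},
    {"id": "C004", "name": "Delta", "balance": Decimal("980.10")},
    {"id": "C009", "name": "Test Vendor", "balance": Decimal("5000.00")},
]
CUTOFF = date(2010, 10, 1)  # constructed cut-off date
LEGACY_TXNS = [
    {"id": "T1", "date": date(2010, 9, 29)},
    {"id": "T2", "date": date(2010, 9, 30)},
    {"id": "T3", "date": date(2010, 10, 1)},   # posted to the old system too late
]
NEW_TXNS = [
    {"id": "T3", "date": date(2010, 10, 1)},   # also present in the old system
    {"id": "T4", "date": date(2010, 10, 2)},
    {"id": "T5", "date": date(2010, 9, 30)},   # posted to the new system too early
]

if __name__ == "__main__":
    print(reconcile_conversion(LEGACY_MASTER, NEW_MASTER))
    print(cutoff_exceptions(LEGACY_TXNS, NEW_TXNS, CUTOFF))
```

Matching record counts alone would pass this conversion; the control total and the record-level comparison are what surface the dropped, added, and altered records.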

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm [04102010 32948 PM]

Self-test 7

Solution 4

a Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature Generally a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes so there is no point testing specific application controls unless the overall control environment and general controls are adequate

b The extent of IT use has an impact on how a client produces financial information The information systems and IT used in the clientrsquos significant accounting processes influence the nature timing and extent of planned audit procedures Significant accounting processes are those relating to accounting information that can materially affect the financial statements Important matters to consider include its complexity how the IT function is organized and its place in the overall business organization data availability availability of CAATs and the need for IT specialist skills

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm [04102010 32949 PM]

Self-test 7

Solution 5

General control procedures include

organization and physical access documentation and systems development hardware controls and preventive maintenance data file and program control and security backup and recovery procedures file security file retention system conversion controls (procedures to ensure the data is transferred completely and accurately and that an

accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

input authorization check digits record counts batch financial totals batch hash totals valid character tests valid sign tests missing data tests sequence tests limitreasonableness tests error correction and resubmission

Processing controls

run-to-run totals control total reports file logs limitreasonableness tests

Output controls

control totals master file changes output distribution

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm [04102010 32950 PM]

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system This conclusion is used to assess the control risk and determine the nature timing and extent of substantive audit procedures for auditing the related account balances in the overall audit plan This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software

CAATs can also be used when performing substantive testing

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm [04102010 32951 PM]

Self-test 7

Solution 7

a Advantages of a generalized audit software package include the folowing

Original programming is not required Designing tests is easy Many GAS packages are PC-based and menu-driven so they operate much like

commonly used spreadsheet programs For special-purpose analysis of data files GAS is more efficient than special programs written from scratch

because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package

The same software can be used on various clientsrsquo computer systems Control and specific tailoring are achieved through the auditorsrsquo own ability to program and operate the system

b Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance posting adjusting entries grouping accounts into lead schedules computing ratios producing draft financial statements also to prepare audit working papers programs and memos PCs can also be used in audit planning and administration

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm [04102010 32951 PM]

  • Local Disk
    • fileF|Courses2010-11CGAAU106coursem07introhtm
    • fileF|Courses2010-11CGAAU106coursem07t01htm
    • fileF|Courses2010-11CGAAU106coursem07t02htm
    • fileF|Courses2010-11CGAAU106coursem07t03htm
    • fileF|Courses2010-11CGAAU106coursem07t04htm
    • fileF|Courses2010-11CGAAU106coursem07t05htm
    • fileF|Courses2010-11CGAAU106coursem07t06htm
    • fileF|Courses2010-11CGAAU106coursem07t07htm
    • fileF|Courses2010-11CGAAU106coursem07t08htm
    • fileF|Courses2010-11CGAAU106coursem07t09htm
    • fileF|Courses2010-11CGAAU106coursem07t10htm
    • fileF|Courses2010-11CGAAU106coursem07t11htm
    • fileF|Courses2010-11CGAAU106coursem07t12htm
    • fileF|Courses2010-11CGAAU106coursem07summaryhtm
    • fileF|Courses2010-11CGAAU106coursem07t01solhtm
    • fileF|Courses2010-11CGAAU106coursem07t01sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t02solhtm
    • fileF|Courses2010-11CGAAU106coursem07t03sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t04solhtm
    • fileF|Courses2010-11CGAAU106coursem07t05sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol4htm
    • fileF|Courses2010-11CGAAU106coursem07t06solhtm
    • fileF|Courses2010-11CGAAU106coursem07t08sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t08sol2htm
      • module07stestpdf
        • Local Disk
          • fileF|Courses2010-11CGAAU106coursem07selftesthtm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol1htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol2htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol3htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol4htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol5htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol6htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol7htm
Page 44: Audit in CIS Environment

Self-test 7

Solution 2

The six characteristics important to the auditorrsquos understanding of IT controls are

1 Audit trail

Some computer systems are so designed that a complete transaction trail (audit trail) may exist only for a short time or only in computer-readable form (A transaction trail is a chain of evidence provided through coding cross-references and documentation connecting account balances and other summary results with the original transaction documents and calculations)

2 Uniform processing

Computers process uniformly subjects like transactions to the same processing instructions potentially eliminating random errors normally associated with manual processing Conversely programming errors (or other similar systematic errors in either the computer hardware or software) will result in all like transactions being processed incorrectly when those transactions are processed under the same conditions The approach in auditing computerized files will be to test a small number of unusual or exceptional transactions (rather than a large number of similar transactions as is the case in manual systems) and testing that the software tested has not been tampered with between tests This assurance is obtained through justified reliance on control systems that are in place to prevent unauthorized changes and to document all changes to the software

3 Segregation of duties

Individuals who have access to the computer may be in a position to perform incompatible functions in an IT system that could have been controlled by segregating functions in manual systems Password control procedures are a control method to separate incompatible functions such as access to assets and access to records through an online terminal The auditing approach puts more emphasis on the evaluation of general internal controls of the computer centre

4 Visibility of alterations

The potential for individuals including those performing control procedures to gain unauthorized access or alter data without visible evidence as well as to gain access (direct or indirect) to assets may be greater in computerized accounting systems

5 Availability of analytical tools

The IT system provides tools that management may use to review and supervise the operations of the company This can enhance the entire system of internal control and reduce control risk

6 Transactions initiated or executed automatically by a computer system

The authorization of these transactions or procedures may not be documented and may be implicit in managementrsquos acceptance of the system design Auditors need to assess general controls over system development and design

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm

fileF|Courses2010-11CGAAU106coursem07selftestsol2htm [04102010 32947 PM]

Self-test 7

Solution 3

The auditorrsquos greatest concern is whether the data have been accurately and completely converted to the new system If the new system or changed system starts with inaccurate data the errors might never be caught In addition the cost of tracking down and converting discovered errors is very high The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained Because of the conversion control risk may have increased and audit procedures will have to be changed

Accurate cut-off between the two systems is essential Documentation of conversion process should be required The auditor needs to test the accuracy and completeness of the conversion

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm [04102010 32948 PM]

Self-test 7

Solution 4

a Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature Generally a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes so there is no point testing specific application controls unless the overall control environment and general controls are adequate

b The extent of IT use has an impact on how a client produces financial information The information systems and IT used in the clientrsquos significant accounting processes influence the nature timing and extent of planned audit procedures Significant accounting processes are those relating to accounting information that can materially affect the financial statements Important matters to consider include its complexity how the IT function is organized and its place in the overall business organization data availability availability of CAATs and the need for IT specialist skills

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm [04102010 32949 PM]

Self-test 7

Solution 5

General control procedures include

organization and physical access documentation and systems development hardware controls and preventive maintenance data file and program control and security backup and recovery procedures file security file retention system conversion controls (procedures to ensure the data is transferred completely and accurately and that an

accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

input authorization check digits record counts batch financial totals batch hash totals valid character tests valid sign tests missing data tests sequence tests limitreasonableness tests error correction and resubmission

Processing controls

run-to-run totals control total reports file logs limitreasonableness tests

Output controls

control totals master file changes output distribution

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm [04102010 32950 PM]

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system This conclusion is used to assess the control risk and determine the nature timing and extent of substantive audit procedures for auditing the related account balances in the overall audit plan This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software

CAATs can also be used when performing substantive testing

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm [04102010 32951 PM]

Self-test 7

Solution 7

a Advantages of a generalized audit software package include the folowing

Original programming is not required Designing tests is easy Many GAS packages are PC-based and menu-driven so they operate much like

commonly used spreadsheet programs For special-purpose analysis of data files GAS is more efficient than special programs written from scratch

because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package

The same software can be used on various clientsrsquo computer systems Control and specific tailoring are achieved through the auditorsrsquo own ability to program and operate the system

b Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance posting adjusting entries grouping accounts into lead schedules computing ratios producing draft financial statements also to prepare audit working papers programs and memos PCs can also be used in audit planning and administration

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm

fileF|Courses2010-11CGAAU106coursem07selftestsol7htm [04102010 32951 PM]

  • Local Disk
    • fileF|Courses2010-11CGAAU106coursem07introhtm
    • fileF|Courses2010-11CGAAU106coursem07t01htm
    • fileF|Courses2010-11CGAAU106coursem07t02htm
    • fileF|Courses2010-11CGAAU106coursem07t03htm
    • fileF|Courses2010-11CGAAU106coursem07t04htm
    • fileF|Courses2010-11CGAAU106coursem07t05htm
    • fileF|Courses2010-11CGAAU106coursem07t06htm
    • fileF|Courses2010-11CGAAU106coursem07t07htm
    • fileF|Courses2010-11CGAAU106coursem07t08htm
    • fileF|Courses2010-11CGAAU106coursem07t09htm
    • fileF|Courses2010-11CGAAU106coursem07t10htm
    • fileF|Courses2010-11CGAAU106coursem07t11htm
    • fileF|Courses2010-11CGAAU106coursem07t12htm
    • fileF|Courses2010-11CGAAU106coursem07summaryhtm
    • fileF|Courses2010-11CGAAU106coursem07t01solhtm
    • fileF|Courses2010-11CGAAU106coursem07t01sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t02solhtm
    • fileF|Courses2010-11CGAAU106coursem07t03sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t03sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t04solhtm
    • fileF|Courses2010-11CGAAU106coursem07t05sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol2htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol3htm
    • fileF|Courses2010-11CGAAU106coursem07t05sol4htm
    • fileF|Courses2010-11CGAAU106coursem07t06solhtm
    • fileF|Courses2010-11CGAAU106coursem07t08sol1htm
    • fileF|Courses2010-11CGAAU106coursem07t08sol2htm
      • module07stestpdf
        • Local Disk
          • fileF|Courses2010-11CGAAU106coursem07selftesthtm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol1htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol2htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol3htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol4htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol5htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol6htm
          • fileF|Courses2010-11CGAAU106coursem07selftestsol7htm
Page 45: Audit in CIS Environment

Self-test 7

Solution 3

The auditorrsquos greatest concern is whether the data have been accurately and completely converted to the new system If the new system or changed system starts with inaccurate data the errors might never be caught In addition the cost of tracking down and converting discovered errors is very high The auditor should also be concerned with potential fraudulent manipulation of data during the conversion process The auditor should always attempt to be involved in any system conversion to ensure that data integrity is maintained Because of the conversion control risk may have increased and audit procedures will have to be changed

Accurate cut-off between the two systems is essential Documentation of conversion process should be required The auditor needs to test the accuracy and completeness of the conversion

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm

fileF|Courses2010-11CGAAU106coursem07selftestsol3htm [04102010 32948 PM]

Self-test 7

Solution 4

a Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature Generally a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes so there is no point testing specific application controls unless the overall control environment and general controls are adequate

b The extent of IT use has an impact on how a client produces financial information The information systems and IT used in the clientrsquos significant accounting processes influence the nature timing and extent of planned audit procedures Significant accounting processes are those relating to accounting information that can materially affect the financial statements Important matters to consider include its complexity how the IT function is organized and its place in the overall business organization data availability availability of CAATs and the need for IT specialist skills

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm

fileF|Courses2010-11CGAAU106coursem07selftestsol4htm [04102010 32949 PM]

Self-test 7

Solution 5

General control procedures include

organization and physical access documentation and systems development hardware controls and preventive maintenance data file and program control and security backup and recovery procedures file security file retention system conversion controls (procedures to ensure the data is transferred completely and accurately and that an

accurate cut-off between the two systems is achieved)

Application control procedures include

Input controls

input authorization check digits record counts batch financial totals batch hash totals valid character tests valid sign tests missing data tests sequence tests limitreasonableness tests error correction and resubmission

Processing controls

run-to-run totals control total reports file logs limitreasonableness tests

Output controls

control totals master file changes output distribution

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm

fileF|Courses2010-11CGAAU106coursem07selftestsol5htm [04102010 32950 PM]

Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system This conclusion is used to assess the control risk and determine the nature timing and extent of substantive audit procedures for auditing the related account balances in the overall audit plan This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software

CAATs can also be used when performing substantive testing

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm

fileF|Courses2010-11CGAAU106coursem07selftestsol6htm [04102010 32951 PM]

Self-test 7

Solution 7

a Advantages of a generalized audit software package include the folowing

Original programming is not required Designing tests is easy Many GAS packages are PC-based and menu-driven so they operate much like

commonly used spreadsheet programs For special-purpose analysis of data files GAS is more efficient than special programs written from scratch

because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package

The same software can be used on various clientsrsquo computer systems Control and specific tailoring are achieved through the auditorsrsquo own ability to program and operate the system

b Auditors can use PCs (most often using PC-based GAS) in small business audits to perform clerical steps such as preparing working trial balance posting adjusting entries grouping accounts into lead schedules computing ratios producing draft financial statements also to prepare audit working papers programs and memos PCs can also be used in audit planning and administration


Self-test 7

Solution 4

a. Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated for by strong application controls because of the risks of control override, unauthorized access, and unauthorized program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate.

b. The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client's significant accounting processes influence the nature, timing, and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.


Self-test 7

Solution 5

General control procedures include:

  • organization and physical access
  • documentation and systems development
  • hardware controls and preventive maintenance
  • data file and program control and security
  • backup and recovery procedures
  • file security
  • file retention
  • system conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved)

Application control procedures include:

Input controls

  • input authorization
  • check digits
  • record counts
  • batch financial totals
  • batch hash totals
  • valid character tests
  • valid sign tests
  • missing data tests
  • sequence tests
  • limit/reasonableness tests
  • error correction and resubmission

Processing controls

  • run-to-run totals
  • control total reports
  • file logs
  • limit/reasonableness tests

Output controls

  • control totals
  • master file changes
  • output distribution
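The input controls listed above, applied to one batch, as an added example that is not part of the course material. The field names, the sample batch, and the Luhn mod-10 check-digit scheme are assumptions; the module names no particular scheme.

```python
from decimal import Decimal

def check_digit_ok(account: str) -> bool:
    """Check-digit test. Luhn mod-10 is an assumed scheme; the module names none."""
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_batch(header, records, limit=Decimal("5000.00")):
    """Return (control, detail) exceptions; an empty list means the batch balances."""
    exceptions = []
    usable = [r for r in records if r["account"].isdigit() and r["amount"] is not None]

    # Batch-level controls: totals recomputed from the records must equal the header.
    recomputed = {
        "record count": len(records),
        "batch financial total": sum((r["amount"] for r in usable), Decimal("0")),
        "batch hash total": sum(int(r["account"]) for r in usable),
    }
    for control, value in recomputed.items():
        if value != header[control]:
            exceptions.append((control, f"header {header[control]}, recomputed {value}"))

    # Record-level edit checks.
    previous_seq = None
    for r in records:
        seq = r["seq"]
        if previous_seq is not None and seq != previous_seq + 1:
            exceptions.append(("sequence test", f"seq {seq} follows {previous_seq}"))
        previous_seq = seq
        if not r["account"] or r["amount"] is None:
            exceptions.append(("missing data test", f"seq {seq}"))
            continue
        if not r["account"].isdigit():
            exceptions.append(("valid character test", f"seq {seq}"))
            continue
        if not check_digit_ok(r["account"]):
            exceptions.append(("check digit", f"seq {seq}"))
        if r["amount"] <= 0:
            exceptions.append(("valid sign test", f"seq {seq}"))
        elif r["amount"] > limit:
            exceptions.append(("limit test", f"seq {seq}"))
    return exceptions

# Constructed sample: header totals as prepared by the originating department.
HEADER = {"record count": 4,
          "batch financial total": Decimal("1825.50"),
          "batch hash total": 2264748}      # sum of account numbers, meaningless in itself
AS_SUBMITTED = [
    {"seq": 1001, "account": "402818", "amount": Decimal("250.00")},
    {"seq": 1002, "account": "511733", "amount": Decimal("1200.50")},
    {"seq": 1003, "account": "620047", "amount": Decimal("75.00")},
    {"seq": 1004, "account": "730150", "amount": Decimal("300.00")},
]
# The same batch with constructed keying errors: record 1003 lost, two digits of
# an account number transposed, and one amount entered with the wrong sign.
AS_KEYED = [
    {"seq": 1001, "account": "402818", "amount": Decimal("250.00")},
    {"seq": 1002, "account": "517133", "amount": Decimal("1200.50")},
    {"seq": 1004, "account": "730150", "amount": Decimal("-300.00")},
]

if __name__ == "__main__":
    for control, detail in check_batch(HEADER, AS_KEYED):
        print(f"{control}: {detail}")
```

The batch-level totals show that something is wrong with the batch as a whole, while the record-level tests point to the record that needs error correction and resubmission.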


Self-test 7

Solution 6

Using CAATs to test controls allows the audit team to reach a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing, and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system. The data-processing control over such files is important because their content is utilized later in computer-assisted work using generalized audit software.

CAATs can also be used when performing substantive testing.
