auditing in a computer environment
TRANSCRIPT
-
8/6/2019 Auditing in a Computer Environment
1/90
APT FINANCIAL CONSULTANTS Mwakalobo@apt financialconsultants
AUDITING IN COMPUTER ENVIRONMENT
What is audit in a computer environment?
-
AUDITING IN COMPUTER ENVIRONMENT
Approaches
Auditing around the computer
Auditing through the Computer
Auditing with the computer
-
AUDITING IN COMPUTER ENVIRONMENT
Use of computer for audit automation
Working Papers
Statistical sampling and analytical procedures
Decision Support System
-
AUDITING IN COMPUTER ENVIRONMENT
Types of software an auditor may use on a PC to aid audit work:
Standard software for word processing and spreadsheets
Expert systems
Generally, an auditor can use a PC to assist with:
Production of time budgets and budgetary control
Analytical procedures
The maintenance of permanent file information
-
AUDITING IN COMPUTER ENVIRONMENT
Computer systems present two challenges: lack of visible evidence and systematic errors. What to do?
The techniques available to the auditor
The internal controls
The availability of the data
The length of time it is retained in a readily usable form
-
AUDITING IN COMPUTER ENVIRONMENT
Controls over audit computers
Security, and accuracy (of input, processing and output). The controls the auditor should exercise when PCs are used by auditors in their work are as follows:
Access controls for users by means of passwords
-
AUDITING IN COMPUTER ENVIRONMENT
Controls over audit computers
Back-up of data contained on files, regular production of hard copy; back-up disks held off the premises.
Virus protection for programs, and training of users.
Evaluation and testing of programs used
Proper recording of input data, to ensure reasonableness of output.
-
INTERNAL CONTROLS IN CIS
The internal control over computer based accounting system
Application controls
General controls
-
INTERNAL CONTROLS IN CIS
The internal control over computer based accounting system
Application controls:
The objectives of application controls (manual or programmed) are to ensure the completeness and accuracy of accounting records and the validity of entries made, resulting from both manual and programmed processing.
-
INTERNAL CONTROLS IN CIS
The internal control over computer based accounting system
General controls:
Relate to the environment within which CIS are developed, maintained and operated, and which are therefore applicable to all the applications.
The objectives of general controls are .
The application controls and general controls are inter-related. Strong general controls contribute to assurance, which may be obtained by an auditor in relation
-
INTERNAL CONTROLS IN CIS
The specific requirements in order to achieve the overall objectives of application controls are:-
Control over the completeness and authorization of input
Control over the completeness and accuracy of processing
Control over the maintenance of master files and the standing data contained therein
-
INTERNAL CONTROLS IN CIS
In order to achieve the overall objective of general
controls, the controls required are:-
Control over applications development
To prevent or detect unauthorized changes to
programs
To ensure that all programs changes are adequately
tested and documented
Control to prevent and detect errors during program
execution
To prevent unauthorized amendments to data files
To ensure that system software is properly installed and maintained
To ensure that proper documentation is kept
To ensure continuity of operations.
-
COMPUTER ASSISTED AUDIT TECHNIQUES
(CAATs)
Definition
Techniques in which the auditors are afforded opportunities to use either the enterprise's or another computer to assist them in the performance of audit work.
CAATs are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence.
-
CATEGORIES OF CAAT
Audit software
Test data
Other techniques
-
CATEGORIES OF CAAT
Audit software:
Generalized audit software
Specialized audit software or interrogation software
Utility programs and existing entity programs
Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use.
-
CATEGORIES OF CAAT
Audit software: some uses
Stratify accounting population and select monetary unit statistical samples.
Carry out an aging/usage analysis of stocks
Perform detailed analytical reviews of financial statements
-
TYPES OF CAATs
Test data
Is a CAAT in which test data prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data.
-
TYPES OF CAATs
Other techniques
Embedded audit facilities
Integrated test facility
System Review and control file (SCARF)
Application program examination
Internal control evaluation via: flowchart verification (logical path analysis), program code verification (code comparison programs), printout examination.
-
CAATs and Substantive testing
During substantive testing, some CAATs are used frequently.
Audit software is used extensively to examine accounting records maintained on computer files
CAATs assist in carrying out analytical review procedures
-
Limits of CAATs
Evaluation of general controls
Use ICQ or the ICE approach.
-
PROGRAM AUTHENTICITY
Source program authenticity: guarantee that the correct application program is being tested.
Live test data, integrated test facilities and embedded audit facilities as described above are audit techniques which help in this respect.
General controls
Copy must be identical to original
-
KNOWLEDGE BASED SYSTEM
Knowledge based systems
Decision Support Systems and Expert systems can be used to assist with the auditor's own judgment and decisions.
-
MANUAL Vs CAATs
Factors to consider in choosing between CAATs
and manual Techniques:-
Practicability of carrying out audit tests manually
Cost effectiveness of the procedures under
considerations.
Availability of audit time
The availability of appropriate computer facilities and independence issue
The level of audit experience and expertise.
The extent of possible reliance upon internal audit work
-
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
Planning an audit in a Computer
environment
Possibilities of attending during
system development stage
Consideration of use of CAATs
Practicability of manual audit
Expertise
-
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
Use of CAATs
The pattern of cost associated with CAATs
The extent of tests of controls or substantive procedures achieved by both alternatives
Ability to incorporate within the use of CAAT a number of different audit tests
Time of reporting
-
PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT
In using CAAT, computer facilities, computer files and programs are available;
the auditors should plan the use of CAAT in good time so that these copies are retained for their use.
Internal auditor CAATs, consider ISA
Availability of computer facilities
-
INTERNAL CONTROL EVALUATION
Internal control evaluation
ICQ. Weak controls = extensive substantive procedures
In determining whether they wish to place reliance on application controls or general controls, the auditors will be influenced by the cost effectiveness and ease of testing and by the following matters
General controls and application controls
-
INTERNAL CONTROL EVALUATION
Check systematic errors and program integrity
Manual examination may be useful in small computer applications
Observation, examination of documentary evidence or reperforming the procedures may be useful.
CAATs can also be useful
-
Review of financial statements
CAATs (audit software), e.g. analytical review.
The working papers should indicate the work performed by CAAT, the auditor's conclusion and the manner in which any technical problems were resolved, and may include any recommendations about modification of CAAT for future audits.
-
AUDIT TRAIL
Audit trail. As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through print-outs by hand.
This offsets the so-called loss of audit trail to a significant extent. The trail is still there, although it may have to be followed through in electronic form.
-
COMPUTER SERVICE BUREAUX
These are third party service organizations that provide EDP facilities to their clients.
Factors to consider in make or buy decisions:
Consider and analyze the cost benefit;
Level of management's own computing knowledge and their willingness to take risk with an unknown third party;
-
COMPUTER SERVICE BUREAUX
Factors to consider
The volume and frequency of processing requirements;
The complexity of the program package required; the simpler the program, the easier it would be to process in house on a micro;
The importance of timeliness in processing of data; check the efficiency and economy of DP
The confidentiality of the data being processed.
-
Types of Bureaux
Independent companies formed to provide specialist computer services
Computer manufacturers with bureau
Computer users (e.g. universities)
-
PLANNING AND CONTROL EXERCISED BY THE USER
When the system using bureaux is set up it is essential that a full feasibility study and system design should be carried out.
In practice the bureau may provide assistance in performing these tasks.
-
PLANNING AND CONTROL EXERCISED BY THE USER
The controls should include:
Prior vetting of bureau standards;
Input controls at preparer's end; bunching and providing or authorizing in the same way as usual;
Transit controls; physical transfer of documents;
Batch controls, physical security and authorized personnel;
-
COMPUTER SERVICE BUREAUX
A third party review: an independent firm carries out a review of internal controls, both the general and application based. The report is then made available to the auditors of clients of the bureau.
This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureau's system and complete roughly similar ICQ/ICE forms.
Direct evaluation of the bureau by the auditor using the CAATs, ICQ and ICE;
Standby/back-up/emergency arrangements;
-
COMPUTER SERVICE BUREAUX
For the compliance and substantive testing of programmed procedures, the CAATs discussed above are appropriate where the client has the data and files on the premises. They may not be possible in the context of the computer service bureau. The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing.
-
CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
Controls in real time systems
The main control problem is that primarily the concern is on large, multiuser systems with terminals (dumb terminals or networked PCs);
The same person is often responsible for producing and processing the same information. Internal check and supervisory controls should be strengthened (segregation of duties);
The ability of a person using a remote terminal to gain access to databases at will results in the need for special controls to ensure that files are neither read nor written to (nor destroyed).
-
CONTROLS IN ON-LINE AND REAL TIME SYSTEMS
Physical controls;
Operating system:
Use of passwords (or lockwords) or special badges or keys;
Restriction by the operating system of certain users to certain files, e.g. the wages department can be given access to only the wages file;
Logging of all attempted violations of the above controls, e.g. automatic shut-down of the PC or terminal used;
All violations should be speedily and thoroughly investigated
Application controls:
Validity checks on input;
Reporting of unusual transactions;
Passwords
-
DATABASE MANAGEMENT SYSTEMS (DBMS)
Main controls:
Controls to prevent or detect unauthorized changes to programs:
No access to live program files by any personnel except for the operations personnel at the central computer;
Password protection on programs;
Restricted access to the central computer and terminals;
Maintenance of console;
Periodic comparison of live production programs to control copies and supporting documentation.
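
The periodic comparison of live production programs to control copies listed above, and the earlier program-authenticity point that the copy must be identical to the original, can be automated with cryptographic digests. The following Python code is an added example, not part of the original slides; the directory layout, file names and file contents are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large program files are not read in at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_control(control: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the control copies and the live library."""
    return {
        # Same name, different content: a change not reflected in the control copy.
        "modified": sorted(n for n in control if n in live and control[n] != live[n]),
        # Held in the control library but absent from production.
        "missing": sorted(n for n in control if n not in live),
        # Present in production with no control copy at all.
        "unexpected": sorted(n for n in live if n not in control),
    }


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    """Create the constructed sample files under root."""
    for name, content in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict[str, list[str]]:
    """Run the comparison on two small constructed program libraries."""
    control_files = {
        "payroll.py": b"def net_pay(gross, tax):\n    return gross - tax\n",
        "ledger.py": b"def post(entry):\n    return entry\n",
        "reports/aging.py": b"def bucket(days):\n    return days // 30\n",
    }
    live_files = {
        # Constructed difference: production no longer matches the control copy.
        "payroll.py": b"def net_pay(gross, tax):\n    return gross - tax + 500\n",
        "ledger.py": control_files["ledger.py"],
        "tmp_patch.py": b"print('hotfix')\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        control_root, live_root = Path(tmp, "control"), Path(tmp, "live")
        write_tree(control_root, control_files)
        write_tree(live_root, live_files)
        return compare_to_control(build_manifest(control_root), build_manifest(live_root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The comparison is only as reliable as the control copies, so they need to be held where staff with access to the live program files cannot alter them.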
-
DATABASE MANAGEMENT SYSTEMS (DBMS)
Main controls:
Controls to prevent or detect errors during operation:
Restriction of access to terminals by use of passwords;
Satisfactory application controls over input, processing and master files;
Use of operation manuals and training of all users;
Maintenance of logs showing unauthorized attempts to access;
Physical protection over data files;
Training in emergency procedures
Controls to ensure integrity of the database system:
Restriction of access to data dictionary
-
DATA BASE MANAGEMENT SYSTEM
The audit of DBMS creates particular problems as the two principal CAATs, test data and audit software, tend to work unsatisfactorily on programs and files contained within such systems. The auditor may, however, be able to use embedded audit facilities. Close liaison with the internal auditor may provide audit comfort. The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation.
-
SMALL COMPUTER SYSTEM
Control problems in small computer systems
The problems surrounding PCs can be grouped as:
Lack of planning over the acquisition and use of PCs;
Lack of documentary evidence;
Lack of security and confidentiality.
-
COMPUTER FRAUD
Input fraud :
Processing fraud;
Fraudulent use of computer system;
Output fraud;
-
FACTORS- RISK TO COMPUTER FRAUD
Increase in computer literacy
Communications, e.g. telephone and PCs, and hackers
Reduction of internal
Improvements in quality of software and increase in implementation of good software have not kept pace with improvements in hardware
-
COUNTERACT COMPUTER FRAUD
Planned approach to counteract computer fraud.
All staff should be properly trained and should fully appreciate their role in the computer function
Management policy on fraud should be clear and firm
A study should be carried out to examine where the company is exposed to possible fraud
A company should map out an approach or plan in each area of the business to tackle and prevent fraud.
-
CONTROLS TO PREVENT COMPUTER FRAUDS
As with a control system, three areas to examine are: prevention, detection and correction
Access to the computer terminals and other parts of the computer should be restricted
Access to sensitive areas of the system should be logged and monitored
Error logs and reports should be monitored and investigated on a regular basis
Staff recruitment should include careful vetting, including taking up all references
Expert systems software may be used to monitor unusual transactions
-
DEVELOPMENTS IN COMPUTERIZED
ENVIRONMENT
Many auditors are now finding their clients conducting business through the internet. As always, the principal audit concern will be controls over the use of the internet and the strength of audit evidence obtained through the internet
-
INTERNET
Controls over the Internet
Unauthorized use of the internet
Staff may use the internet for unauthorized purchases
Staff may use the internet for accessing data which has a cost (call)
People may be able to access the business's internal systems via the internet and obtain confidential information or launch a virus which disrupts internal systems
-
CONTROLS IN INTERNET
Controls for these risks include:
Use of passwords
Disabling certain terminals
Firewalls
Authorization: the technique makes sure that a message has come from an authorized sender
Virus control software: regular updating
Physical controls: against fire, damage etc.
-
AUDIT EVIDENCE IN THE INTERNET
Audit evidence in the Internet
Certain general observations can be made about audit evidence obtained through the Internet:
Internet evidence generated by the auditor will be stronger than evidence generated by the client. Comfort may be obtained if the auditor can access the internet and test what the client has posted
Internet evidence can be obtained in written form and is thus stronger than oral evidence
If the internal controls mentioned above are strong, the auditors will have more confidence in the quality of evidence
-
WHAT ABOUT E-MAIL?
Email may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view, e.g. an unscrupulous employee in a large organization might find it quite easy to send an e-mail from his or her boss's computer authorizing a substantial bonus/pay rise.
H/W: what controls could you put in place to prevent this from happening?
-
CONTROL IN INTERNET SYSTEM
Control of the network system is of utmost importance. The auditors must be able to analyse the risk of unauthorized access, such as line tapping or interception, and to evaluate preventive measures.
Authentication programs and encryption are used for security. The auditor must understand those matters and should be able to make recommendations on implementation.
Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems.
-
ELECTRONIC DATA INTERCHANGE
Electronic data interchange (EDI) is now used very widely because it cuts the task of re-inputting data that has already been input into a system in electronic form, saving time and improving accuracy.
Is EDI authentic? What authorization measures are in place to ensure that transactions above a certain value are properly authorized before being transmitted or accepted?
What is the legal position of the two parties if the transaction is disputed?
Encryption and authentication offer some help, as do transaction logs that identify the originator of any transactions generated and transmitted.
-
WHAT IS EDI
Is the automated computer-to-computer exchange of structured business transactions between an enterprise and its vendors, customers, or other trading partners in a standard format, with a minimum of human intervention
-
CONSIDERATION OF AUDIT
STANDARDS
ISA 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and ISA 330, The Auditor's Procedures in Response to Assessed Risks, became effective.
-
CONSIDERATION OF AUDIT STANDARDS
Major issues to be considered by an auditor as per ISA
An auditor should consider how the new CIS environment affects the audit
The overall objective of audit in a CIS audit never changes.
The design and performance of appropriate tests of controls and substantive procedures to achieve the audit objective are likely to change.
-
CONSIDERATION OF AUDIT STANDARDS
Major issues to be considered by an auditor as per ISA
The existence of a computer is likely to have an impact on the client's inherent risk and control risk.
The auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed.
The auditor should consider whether specialized CIS skills are needed in an audit.
-
ISA
The ISA makes it clear that auditors should have sufficient knowledge of the CIS to perform such an audit effectively. It is not necessary for every member of the audit team to be a computer expert; auditors must consider the need for specialized CIS skills. ISA 620, using the work of an expert, is relevant.
In planning the portions of the audit which may be affected by the client's environment, the auditor should obtain an understanding of the significance and complexity of CIS activities and the availability of data for use in the audit.
-
ISA
The auditor must obtain an understanding of accounting and IC sufficient to plan an effective approach.
Where CIS is significant, the auditor must assess the effect of the CIS on inherent and control risk.
Complexity normally increases risk, and pervasive deficiencies in program development, maintenance, physical security and access controls would have an effect on all applications that the system served.
-
ELECTRONIC COMMERCE
IAPS 1013
Is any commercial activity that takes place by means of connected computers, e.g. offering goods for sale directly from an office computer; the purchaser's computer and the office computer are connected over the Internet.
How do we audit e-commerce?
International Audit Practice Standard IAPS 1013 (IAPS) is intended to assist auditors in identifying and assessing the new risks to which the business is exposed when it undertakes e-commerce transactions.
-
MAJOR AREAS OF FOCUS BY THE IAPS 1013
The skill and knowledge required to understand the implications of e-commerce on audit
The extent of knowledge an auditor should have about the client's business environment and activities.
-
MAJOR AREAS OF FOCUS BY THE IAPS 1013
The business, legal, regulatory and other risks faced by entities engaged in e-commerce transactions.
The effect of electronic records on audit evidence.
The statement may also be helpful to the auditor of any business engaged in e-commerce.
-
What is an IT audit?
Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:
Understand the existing internal control environment
Identify high risk areas through a formal methodology
Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)
Recommend control implementation where risk exists
-
Why IT AUDIT?
Because of Information Technology RISK!!
Risk: The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact ability to meet objective).
Threat: Event or entity with the potential to cause unauthorized access, modification, disclosure, or destruction of info resources.
Vulnerability: Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.
-
What Reduces IT Risk and What about any Remaining Risk?
Internal Controls (i.e. safeguards)
Control: Protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.
Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.
Internal Controls do not eliminate all risk!!
-
INTERNAL CONTROLS OTHER MATTERS
There are two major types of controls:
Application Controls
General Controls.
-
What about OTHER types of audits that may impact Security Administration functions
Traditional Audit Types:
Financial: opinion audits (CPAs)
Operational: process audits, now includes environmental & construction
Compliance: laws/regulations and policies, standards, and procedures
IT: usually considered operational unless performed so opinion auditors may rely on financial info provided
Hybrid - Integrated Audit: today almost all audits are actually hybrid
-
Operational Audits
Review operating policies/procedures
Documented policies/procedures?
Informal policies/procedures?
Work flow examined (thru flowchart or description requested/developed)
Controls identified and documented
Examine the business process and recommend improvements, control related or efficiency/effectiveness
-
INTERNAL CONTROLS OTHER MATTERS
General Controls: The purpose of General controls is to
establish a framework of overall control
over the CIS activities and to provide a
reasonable level of assurance that the
overall objectives of IC are achieved.
-
INTERNAL CONTROLS OTHER MATTERS
Categories of General Controls:
Organizational and Management controls - help to provide a proper organizational framework, including segregation of incompatible functions.
Application development and maintenance controls - to ensure that applications are properly developed, tested and maintained.
INTERNAL CONTROLS OTHER MATTERS
Categories of General Controls:
Operational controls - to ensure properly authorized access to the system and the detection of errors.
Systems software controls - to ensure the integrity of the development and usage of systems software.
Data entry & program controls - to ensure the integrity of data and program files.
CIS APPLICATION CONTROLS
CIS application controls.
The purpose of these controls is to establish specific control procedures over the accounting applications to provide reasonable assurance that all transactions are authorized, recorded and processed completely, accurately and on a timely basis.
CIS APPLICATION CONTROLS
The Controls Include:
Controls over input - designed to provide reasonable assurance that:
Transactions are properly authorized before being processed by the computer.
Transactions are accurately converted into machine-readable form and recorded in the computer data files.
Transactions are not lost, duplicated or improperly changed.
Processing errors are identified and corrected on a timely basis.
CIS APPLICATION CONTROLS
The Controls Include:
Controls over output - designed to provide reasonable assurance that:
Results of processing are accurate.
Access to output is restricted to authorized personnel.
Output is provided to appropriate authorized personnel on a timely basis.
Normally the techniques which control the accuracy of input and processing will also help to control master file data. Since master file standing data items are used many times over in processing, they take on greater importance than transaction data, and more costly controls such as one-for-one checks may be justified.
MANUAL AND PROGRAMMED CONTROLS
Many controls over computers are manual controls, and providing that the manual controls exercised by users are sufficient to provide reasonable assurance of the completeness, accuracy and authorization of output, tests of control may be limited to those manual controls. In a payroll system, for example, if users test check gross pay, deductions, net pay and authorization at the output stage, and if they compare net pay with approved bank transfer documentation and perform regular bank reconciliations, there may be no need to test programmed controls.
MANUAL CONTROLS
Other Controls:
Manual Controls
Physical Controls:
-Are a matter of common sense.
-Limit access to the computer room.
-Locks and keys, only to specified people.
-Prevention of smoking.
Back-up of disks:
-Create and update an identical back-up disk for every disk in the system.
-Data files & program files.
-The disk should be stored in a separate place.
MANUAL CONTROLS
Other Controls:
Manual Controls
Data filing:
-Each disk should be labeled clearly and filed securely. The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spilt on the disks or their being bent or plied.
Documentation: It is vital, as it provides both a support system for work already stored on disk and filed, and a progress report on data currently being processed or updated.
Staff Training:
Proofing: There is always room for manual checking or proofing, to control data on disk.
PROGRAMMED CONTROLS
Programmed Controls:
Passwords; Date/time stamps for comparison of two revisions of data; Prompts asking the user to continue with an action or not.
Check Digit: A means of control to ascertain whether or not a number, such as an ISBN, is valid, e.g. a customer account no. The computer will detect if the number is ever input incorrectly.
Batch totals and hash totals:
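The two programmed controls named above, check digits and batch/hash totals, as an added example that is not part of the original slides. It uses the standard ISBN-10 check digit rule; the function names, account numbers and amounts are constructed for illustration.

```python
from decimal import Decimal

DIGITS = "0123456789"


def isbn10_is_valid(number: str) -> bool:
    """ISBN-10 check digit: the weighted sum (weights 10..1) must divide by 11."""
    chars = number.replace("-", "").replace(" ", "").upper()
    if len(chars) != 10:
        return False
    total = 0
    for position, ch in enumerate(chars):
        if ch in DIGITS:
            value = int(ch)
        elif ch == "X" and position == 9:  # 'X' stands for 10, last place only
            value = 10
        else:
            return False
        total += (10 - position) * value
    return total % 11 == 0


def control_totals(batch):
    """Return (record count, batch total of amounts, hash total of account nos)."""
    amounts = sum((Decimal(amount) for _, amount in batch), Decimal("0"))
    # The hash total has no business meaning; it exists only as a control figure.
    hash_total = sum(int(account) for account, _ in batch)
    return len(batch), amounts, hash_total


def reconcile(header, batch):
    """List every control total that differs between header slip and keyed batch."""
    names = ("record count", "batch total", "hash total")
    return [f"{name}: expected {want}, got {got}"
            for name, want, got in zip(names, header, control_totals(batch))
            if want != got]


# Constructed sample data: (customer account no., amount) pairs.
SUBMITTED = [("40012", "150.00"), ("40027", "89.50"), ("40311", "1200.00")]
HEADER = control_totals(SUBMITTED)  # totals prepared before data entry
MISKEYED = [("40012", "150.00"), ("40072", "89.50"), ("40311", "1200.00")]
DROPPED = SUBMITTED[:2]  # one transaction lost during input

if __name__ == "__main__":
    print(isbn10_is_valid("0-306-40615-2"))  # valid number
    print(isbn10_is_valid("0-306-40651-2"))  # two digits transposed
    print(reconcile(HEADER, MISKEYED))       # only the hash total disagrees
    print(reconcile(HEADER, DROPPED))        # all three totals disagree
```

In the mis-keyed batch the record count and the money total still agree, so only the hash total reveals that a transaction was posted against the wrong account number.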
SMALL STAND ALONE MICRO-COMPUTER
Main problems.
Internal Controls.
Major controls appropriate in
this environment are:-
Authorization:
Physical security
AUDIT PROCEDURES
Substantive tests
Internal controls
Inherent limitations of the system of IC in elimination of frauds & errors.
The need to balance the cost of control with its benefits;
The fact that IC are applied to systematic transactions, not one-off year-end adjustments, which are often larger and subject to error;
The potential for human error;
Possibility of circumvention of IC through collusion of managers or employees with other parties inside/outside the entity;
Abuse of controls or override of controls, e.g. ordering of personal goods;
Obsolescence of controls
FURTHER CONSIDERATION OF CAATs
Further considerations of CAATs
ISA requires auditors to obtain appropriate audit evidence to be able to draw reasonable conclusions on which to base their opinion.
Advantages of CAATs:
Help to test a larger amount of data, hence increase confidence in their opinion;
Help to test the accounting system and its records (tables & disk files) rather than relying on testing printouts;
Are cost effective, once set up, for obtaining audit evidence;
Comparison can easily be made with clerical audit work, hence increased confidence.
OTHER DETAIL MATTERS
Difficulties of using computer programs:
Cost; Changes to client's system; Small installations (PC); Over-elaboration; Larger quantities of output; Version of file used for test.
Test Data:
Data submitted by the auditor for processing by the client's computer-based accounting system.
OTHER DETAIL MATTERS
Major approaches to the use of test data:
Using live data
Using dummy data in a normal production run.
Using dummy data in a special run.
Difficulties of test data:
Cost
Limited objective
Dangers of live testing
Difficulty in recording audit evidence