
AUDITING IN COMPUTER ENVIRONMENT. What is audit in a computer environment?


Academic year: 2021


Sako Mayrick

AUDITING IN COMPUTER ENVIRONMENT

What is audit in a computer environment?

Wherever computer-based accounting systems, large or small, are operated by an enterprise, or by a third party on behalf of the enterprise, to process information supporting the amounts included in the financial statements, the audit is said to be performed in a computer environment.

1 APT Financial Consultants

Auditing in Computer Environment

Issues

The audit objective remains “to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.”

However, the methods of applying audit procedures in gathering audit evidence may be influenced by the way accounting data is processed.

Auditing in Computer Environment

Computer Environment

Audit Trail

In manual processing, clerical errors; in a computer environment, programming errors or systematic errors in hardware or software

Central processing of transactions (keep incompatible duties separate.)

Alteration of data or files without being

Auditing in computer environment

Approaches

Auditing around the computer

Auditing through the Computer

Auditing with the computer


Approaches to auditing in Computer Environment

1. Auditing around the computer

Computer as a black box

Test transaction method, e.g. multiplying unit price with number of products

No attempt is made to establish and evaluate the existence of controls

Appropriate where no significant computer controls are required, for example where computers are used only for calculation purposes

Should not be used because of the auditor’s lack of knowledge of computerized systems.

Audit around the computer ONLY WHEN the audit trail is complete, processing operations are straightforward and system documentation is complete and readily available.

Approaches to auditing in Computer Environment

2. Auditing through the computer

The auditor evaluates the client’s software and hardware for reliability, which is hard for human eyes to view

Test operating effectiveness of related computer controls (Access Controls)

Controls are embedded in the IS of most companies

It is impractical to ignore them due to legal and compliance requirements

External auditors use this to test the controls

Internal auditors frequently use this to ensure that errors are discovered and corrected.

Approaches to auditing in Computer Environment

Around or through the computer

Nothing is wrong with auditing around the computer

But the auditor should be satisfied with the control system in place and be able to gather sufficient evidence.

But what about the various requirements to gain a sufficient understanding of the system (internal control)?

Auditing through the computer is the best approach for auditors to follow

Some standards restrict auditors from issuing opinions on the operating effectiveness of the internal control of the business if the auditing around the computer approach is used.

Which approach minimizes the auditor’s risk?

Approaches to auditing in the computer environment

Auditing with the computer

Use of the computer for audit automation

Working Papers

Statistical sampling and analytical procedures

Decision Support System;

Audit Review and Reporting

Auditing with the Computer

Types of software on PC in order to aid audit work

Standard software for word processing, spreadsheets

Expert systems such as TeamMate,

Generally, an auditor can use the PC to assist with

Production of time budget and budgetary control.

Analytical procedures.

The maintenance of permanent file

Auditing in computer environment

The computer systems challenges

lack of visible evidence and systematic errors.

What to do?

techniques available to an auditor,

The internal controls,

the availability of the data

the length of time it is retained in a readily usable form.

AUDITING IN COMPUTER ENVIRONMENT

Controls over audit computers

Security, and Accuracy (of input, processing and output).

The controls the auditor should exercise when PCs are used by auditors in their work are as follows:

Access controls for users by means of passwords

AUDITING IN COMPUTER ENVIRONMENT

Controls over audit computers

Back up of data contained on files, regular production of hard copy; back-up disks held off the premises.

Viral protection for programs and

Training users.

Evaluation and testing of programs use

Proper recording of input data, to

INTERNAL CONTROLS IN CIS

The internal control over computer based accounting system

General controls

Application controls

INTERNAL CONTROLS IN CIS

General controls;

relate to the environment within which CIS are developed, maintained and operated, and which are therefore applicable to all the applications.

The application controls and general controls are inter-related. Strong general controls contribute to assurance, which may be obtained by an auditor in relation

If general controls are ineffective, there may be potential for material misstatement in each computer based accounting application.

INTERNAL CONTROLS IN CIS

Specific Requirements in order to achieve the overall objective of general

Control over applications development

To prevent or detect unauthorized changes to programs

To ensure that all program changes are adequately tested and documented

Control to prevent and detect errors during program execution

To prevent unauthorized amendments to data files

To ensure that system software is properly installed and maintained

To ensure that proper documentation is kept

To ensure continuity of operations.

AUDITING IN COMPUTER ENVIRONMENT

Types of General Controls

1. Organizational controls of EDP unit

No one individual should be able to

a. Access the data;

b. Alter the computer system or programme,

c. Access the computer

AUDITING IN COMPUTER ENVIRONMENT

Types of General Controls

2. Application development and maintenance controls

Computer programs and related applications

design and use of systems manuals, program flow charts, narratives, records and file layout and operators instructions.

3. Hardware controls

AUDITING IN COMPUTER ENVIRONMENT

Types of General Controls

4. Access to Computer equipment, data files and programs

Safeguarding equipment and records, e.g. locked doors, locked cabinets, segregation of duties, cabinets containing data files, passwords or security codes and job reports for the computer.

5. Data or procedural controls

Keeping the files and programmes off site. This may prevent losses due to accidental erasure, intentional vandalism or catastrophic loss (fire).

Grandfather-father-son method

INTERNAL CONTROLS IN CIS

Application controls:

The objectives of application controls (manual or programmed) are to ensure the completeness and accuracy of accounting records and the validity of entries made resulting from both manual and programmed processing.

INTERNAL CONTROLS IN CIS

The specific requirements in order to achieve the overall objectives of application controls

Control over the completeness and authorization of input

Control over the completeness and accuracy of processing

Control over the maintenance of master files and the standing data contained therein

Internal Controls in CIS

Application Controls

They are specific to a particular accounting application

Major types of application controls

1. Input Controls

Ensure validity, completeness and accuracy of processed information, e.g. check digits, batch totals, hash totals, limit or reasonableness checks, and validity checks.

2. Processing Controls

Accurate processing of data input into the system

Data are processed, processed only once and processed accurately.

Most processing controls are also programmed controls, i.e. the computer is programmed to do the checking. Examples: control totals, logic tests and completeness tests.

Internal Controls in CIS

3. Output Controls

Ensure that data generated by the computer are valid, accurate, and complete.

Output is distributed in appropriate quantities only to authorized people.

The most important output control is review of the data for reasonableness by someone who knows what the output should look like.

Internal Controls in CIS

4. Controls over master file information

Most transactions depend on the accuracy of information on the master file. For example, sales transactions depend on the price list, and all payroll amounts depend on the hourly rate or salary rate.

User departments should get periodic reports containing the content of the master file.

There should be procedures in place to verify that the correct version of the Master File is being used.
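An added example (not part of the original slides) applying the input and processing controls listed above to one batch: a check digit, a validity check against the master file, a limit check, a processed-only-once check, and reconciliation of record count, control total and hash total to the batch header. The Luhn check-digit scheme, the field names and all sample data are assumptions constructed for illustration.

```python
from decimal import Decimal
from typing import NamedTuple

D = Decimal


class Txn(NamedTuple):
    doc_no: int       # pre-numbered source document
    account: str      # last digit is the check digit
    amount: Decimal


class BatchHeader(NamedTuple):
    record_count: int
    control_total: Decimal  # batch total of the amounts
    hash_total: int         # sum of account numbers; no financial meaning


def is_number(s: str) -> bool:
    return s.isascii() and s.isdigit()


def check_digit_ok(account: str) -> bool:
    """Luhn test. The scheme is assumed; the slides only name 'check digits'."""
    if not is_number(account):
        return False
    total = 0
    for pos, ch in enumerate(reversed(account)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, keyed, master_accounts, limit):
    """Run record-level input controls, then reconcile to the batch header."""
    rejects = []  # (line number, control that failed)
    seen_docs = set()
    for line_no, t in enumerate(keyed, start=1):
        if not check_digit_ok(t.account):
            rejects.append((line_no, "check digit"))
        elif t.account not in master_accounts:
            rejects.append((line_no, "validity"))
        if not (D("0") < t.amount <= limit):
            rejects.append((line_no, "limit"))
        if t.doc_no in seen_docs:  # processed only once
            rejects.append((line_no, "duplicate"))
        seen_docs.add(t.doc_no)

    batch_errors = []
    if len(keyed) != header.record_count:
        batch_errors.append("record count")
    if sum((t.amount for t in keyed), D("0")) != header.control_total:
        batch_errors.append("control total")
    keyed_hash = sum(int(t.account) for t in keyed if is_number(t.account))
    if keyed_hash != header.hash_total:
        batch_errors.append("hash total")
    return {"rejects": rejects, "batch_errors": batch_errors}


# Constructed sample data (not from the slides).
MASTER = {"12345674", "40001232", "55500094"}
LIMIT = D("10000.00")
HEADER = BatchHeader(5, D("2815.75"), 160193906)  # prepared from the documents

AS_BATCHED = [
    Txn(1, "12345674", D("250.00")),
    Txn(2, "40001232", D("1200.50")),
    Txn(3, "55500094", D("75.25")),
    Txn(4, "12345674", D("980.00")),
    Txn(5, "40001232", D("310.00")),
]
KEYED_BADLY = AS_BATCHED[:3] + [
    Txn(4, "12435674", D("980.00")),    # two digits transposed
    Txn(5, "40001232", D("31000.00")),  # amount mis-keyed
    Txn(2, "40001232", D("1200.50")),   # document keyed twice
    Txn(6, "77777779", D("40.00")),     # good check digit, unknown account
]
# Every record-level control passes here; only the hash total shows that
# document 5 was posted to the wrong (but valid) account.
MISPOSTED = AS_BATCHED[:4] + [Txn(5, "55500094", D("310.00"))]

if __name__ == "__main__":
    for name, batch in [("as batched", AS_BATCHED),
                        ("keyed badly", KEYED_BADLY),
                        ("misposted", MISPOSTED)]:
        print(name, validate_batch(HEADER, batch, MASTER, LIMIT))
```

The third batch shows why a hash total is kept alongside the financial control total: the count and the amounts agree, yet one document went to the wrong account.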


Internal Control in CIS

Auditors obtain information on the general and application controls by

Interviewing EDP staff

Reviewing flowcharts and documents

Reviewing internal control questionnaires


AUDITING IN THE COMPUTER ENVIRONMENT - Techniques

What are the tools to use?

What are the techniques?

What are the tricks?

What are the risks?

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)

Definition

Techniques in which the auditors are afforded opportunities to use either the enterprise’s or another computer to assist them in the performance of audit work.

CAATs are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence.

CAATs Advantages

Are independent of the system being audited and will use a read-only copy of the file to avoid corruption of an organization's data

Simplify audit routines such as sampling

Provide documentation of each test performed in the software that can be used as documentation in the auditor’s work papers

Can perform activities such as data queries, data stratification, sample extraction, missing sequence identification, statistical analysis, calculations, duplicate inquiries, pivot tables and cross tabulation


CAATs

Uses

Creation of electronic work papers

Fraud detection

Analytical tests

Data analysis reports

Continuous monitoring


CATEGORIES OF CAAT

Audit software

Test data

Other techniques


CATEGORIES OF CAAT

1. Audit software:

generalized audit software

specialized audit software or interrogation software

utility programs and

existing entity programs.

Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use.

CATEGORIES OF CAAT

Audit software: some uses

Stratify accounting population and select monetary unit statistical samples.

Carry out an aging/usage analysis of stocks

Perform detailed analytical reviews
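An added example (not from the slides) of the tests audit software runs on a read-only extract, covering activities named under CAATs Advantages and the uses listed above: missing sequence identification, duplicate inquiry, stratification and monetary unit sampling. The invoice extract, field names, strata bounds, sampling interval and starting point are constructed assumptions; amounts are assumed positive.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed extract of a sales invoice file (not from the slides).
EXTRACT = """invoice_no,customer,amount
1001,C01,120.00
1002,C02,4800.00
1003,C01,75.50
1005,C03,15250.00
1006,C02,4800.00
1006,C02,4800.00
1008,C04,980.00
1009,C05,30.00
"""


def load(text):
    """Parse the extract; the client's own file is never written to."""
    return [
        {"invoice_no": int(r["invoice_no"]),
         "customer": r["customer"],
         "amount": Decimal(r["amount"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def missing_sequence(rows):
    """Invoice numbers absent between the lowest and highest number seen."""
    nums = {r["invoice_no"] for r in rows}
    if not nums:
        return []
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def duplicates(rows):
    """Invoice numbers that appear on more than one record."""
    counts = Counter(r["invoice_no"] for r in rows)
    return sorted(n for n, c in counts.items() if c > 1)


def stratify(rows, upper_bounds):
    """Count and value per stratum; the last stratum is open-ended."""
    labels = [f"<= {b}" for b in upper_bounds] + [f"> {upper_bounds[-1]}"]
    strata = {label: [0, Decimal("0")] for label in labels}
    for r in rows:
        for bound, label in zip(upper_bounds, labels):
            if r["amount"] <= bound:
                break
        else:
            label = labels[-1]
        strata[label][0] += 1
        strata[label][1] += r["amount"]
    return {label: tuple(v) for label, v in strata.items()}


def monetary_unit_sample(rows, interval, start):
    """Systematic monetary unit sampling: every `interval`-th currency unit,
    counted from `start`, selects the record that contains it.
    Returns 1-based line numbers. In practice `start` is drawn at random
    from 1..interval; it is fixed here so the result is reproducible."""
    selected, cumulative, next_hit = [], Decimal("0"), Decimal(start)
    for line_no, r in enumerate(rows, start=1):
        cumulative += r["amount"]
        if next_hit <= cumulative:
            selected.append(line_no)
            while next_hit <= cumulative:  # a large item absorbs several hits
                next_hit += interval
    return selected


if __name__ == "__main__":
    rows = load(EXTRACT)
    print("missing:", missing_sequence(rows))
    print("duplicates:", duplicates(rows))
    print("strata:", stratify(rows, [100, 1000, 10000]))
    print("MUS lines:", monetary_unit_sample(rows, 5000, 2500))
```

Every item at least as large as the sampling interval is always selected, which is why the 15,250.00 invoice appears in the sample.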


TYPES OF CAATs

Test data

Is a CAAT in which test data prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data.

TYPES OF CAATs

Other techniques

embedded audit facilities

Integrated test facility

System Review and control file (SCARF)

Application program examination

Internal control evaluation via: flowchart verification (logical path analysis), program code verification (code comparison programs), printout examination.

CAATs and Substantive testing

During substantive testing, some CAATs are used frequently.

Audit software is used extensively to examine accounting records maintained on computer files

CAATs assist in carrying out analytical

Limits of CAATs

Evaluation of general controls

Use ICQ or the ICE approach.

Program authenticity

Source program authenticity: guarantee that the correct application program is being tested.

“Live test” data, integrated test facilities and embedded audit facilities as described above are audit techniques which help in this respect.

General controls

Copy must be identical to original

Knowledge based system

Knowledge based systems, Decision Support Systems and Expert systems can be used to assist with the auditor’s own judgment and decisions.

MANUAL Vs CAATs

Factors to consider in choosing between CAATs and manual

Practicability of carrying out audit tests manually

Cost effectiveness of the procedures under consideration.

Availability of audit time

The availability of appropriate computer facilities and independence issue

The level of audit experience and expertise.

The extent of possible reliance upon internal audit work

Factors to consider in using CAATs

IT knowledge and experience of the audit team

Availability of CAATs and suitable computer facilities and data

Impracticability of manual tests

Effectiveness and efficiency

Timing

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

Possibilities of attending during system development stage

Consideration of use of CAATs

Practicability of manual audit

Expertise

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

Use of CAATs

The pattern of cost associated with CAATs,

The extent of tests of controls or substantive procedures achieved by both alternatives,

Ability to incorporate within the use of CAAT a number of different audit tests.

Time of reporting

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

In using CAAT, computer facilities, computer files and programs should be available; the auditors should plan the use of CAAT in good time so that these copies are retained for their use.

Internal auditor CAATs, consider ISA

Availability of computer facilities

INTERNAL CONTROL EVALUATION

ICQ.

Weak controls = extensive substantive procedures

In determining whether they wish to place reliance on application controls or general controls, the auditors will be influenced by the cost effectiveness and ease of testing by the following matters

INTERNAL CONTROL EVALUATION

Check systematic errors and program integrity

Manual examination may be useful in small computer applications

Observation, examination of documentary evidence or reperforming the procedures may be useful.

CAATs can also be useful

Review of financial statements

CAATs (audit software), e.g. analytical review.

The working papers should indicate the work performed by CAAT, the auditor’s conclusion, the manner in which any technical problems were resolved and may include any recommendations about modification of CAAT for future audits.

AUDIT TRAIL

As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through printouts by hand. This offsets the so-called loss of “audit trail” to a significant extent. The trail is still there, although it may have to be followed through in electronic form.

COMPUTER SERVICE BUREAUX

These are third-party service organizations that provide EDP facilities to their clients

Factors to consider in using CSB

make or buy decisions

Consider and analyze the cost benefit;

Level of management’s own computing knowledge and their willingness to take risk with an unknown third party;

COMPUTER SERVICE BUREAUX

Factors to consider

The volume and frequency of processing requirements;

The complexity of the program package required; the simpler the program, the easier it would be to process in-house on a micro;

The importance of timeliness in processing of data; check the efficiency and economy of DP

The confidentiality of the data being

Types of Bureaux

Independent companies formed to provide specialist computer services

Computer manufacturers with bureau

Computer users (e.g. universities)

PLANNING AND CONTROL EXERCISED BY THE USER

When the system using CSB is set up it is essential that a full feasibility study and system design should be carried out.

In practice the bureau may provide assistance in performing these tasks.

PLANNING AND CONTROL EXERCISED BY THE USER

The control should include:

Prior vetting of bureau standards;

Input controls at preparer’s end; bunching and providing or authorizing in the same way as usual;

Transit controls; physical transfer of documents;

batch controls, physical security and

PLANNING AND CONTROL EXERCISED BY THE USER

The control should include:

Electronic transmission of data; batch totals, passwords and possibly encryption coding for very sensitive data;

Control over and action on rejection; there must be strong control over the level of rejections; whose fault, the bureau’s or ours?;

COMPUTER SERVICE BUREAUX

Output controls: logging/registering receipt of output material and original documentation, distribution and filing;

Master file amendment controls; suggested controls include the usual use of pre-numbered, properly authorized forms. Special control of periodic printout of all master file amendments;

Adequate insurance covering loss of data or documents and computer breakdown at the bureau itself;

The external auditor review of bureau controls;

COMPUTER SERVICE BUREAUX

A third party review – an independent firm carries out a review of internal controls, both general and application based. The report is then made available to the auditors of clients of the bureau. This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureau’s system and complete roughly similar ICQ/ICE forms.

Direct evaluation of the bureau by the auditor using the CAATs, ICQ and ICE;

COMPUTER SERVICE BUREAUX

For the compliance and substantive testing of programmed procedures, CAATs such as those discussed above are appropriate where the client has the data and files on the premises. They may not be possible in the context of the computer service bureau. The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing.

CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

Controls in real time systems

The main control problem is that primarily the concern is on large, multi-user systems with terminals (dumb terminals or networked PCs)

The same person is often responsible for producing and processing the same information. Internal check and supervisory controls should be strengthened (segregation of duties);

The ability of a person using a remote terminal to gain access to databases at will results in the need for special controls to ensure that files are

CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

Physical controls;

Operating system;

Use of passwords (or lockwords) or special badges or keys;

Restriction by the operating system of certain users to certain files, e.g. the wages department can be given access to only the wages file;

Logging of all attempted violations of the above controls, e.g. automatic shutdown of the PC or terminal used;

All violations should be speedily and thoroughly investigated

Application controls; validity checks on input; reporting of unusual transactions; passwords

DATABASE MANAGEMENT SYSTEMS (DBMS)

Main controls;

Control to prevent or detect unauthorized changes to programs;

No access to live program file by any personnel except for the operation personnel at the central computer;

Password protection on programs;

Restricted access to the central computer and terminal;

Maintenance of console;

Periodic comparison of live production programs to control copies and supporting documentation.
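An added example (not from the slides) of the periodic comparison of live production programs to control copies, which also serves the earlier "copy must be identical to original" point under program authenticity: each file in the live library is hashed with SHA-256 and compared with the control library. The directory layout, file names and file contents are constructed in a temporary directory for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_to_control(live_root: Path, control_root: Path) -> dict:
    """Report every difference between the live library and the control copies."""
    live, control = digest_tree(live_root), digest_tree(control_root)
    return {
        # Same name in both libraries, different content.
        "changed": sorted(p for p in live.keys() & control.keys()
                          if live[p] != control[p]),
        # Approved program no longer present in production.
        "missing_from_live": sorted(control.keys() - live.keys()),
        # Program running in production with no approved control copy.
        "not_in_control": sorted(live.keys() - control.keys()),
    }


def write(root: Path, rel: str, text: str) -> None:
    """Helper for the constructed demo: create a file under root."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")


def demo() -> dict:
    """Constructed libraries: the live copy has drifted from the control copy."""
    with tempfile.TemporaryDirectory() as tmp:
        control, live = Path(tmp, "control"), Path(tmp, "live")
        # Control copies, as approved and documented.
        write(control, "payroll/calc_pay.py", "gross = hours * rate\n")
        write(control, "payroll/post_gl.py", "post(gross)\n")
        write(control, "reports/aging.py", "age(receivables)\n")
        # Live library: one program altered, one removed, one added.
        write(live, "payroll/calc_pay.py", "gross = round(hours * rate, 2)\n")
        write(live, "payroll/post_gl.py", "post(gross)\n")
        write(live, "payroll/fix_tmp.py", "patch()\n")
        return compare_to_control(live, control)


if __name__ == "__main__":
    for finding, programs in demo().items():
        print(finding, programs)
```

Each finding is then traced to the supporting change documentation; the comparison is only as reliable as the custody of the control copies, which should sit outside the reach of staff who can change the live library.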

DATABASE MANAGEMENT SYSTEMS (DBMS)

Main controls;

Controls to prevent or detect error during operation;

Restriction of access to terminals by use of password;

Satisfactory application control over input, processing and master file;

Use of operation manuals and training all users;

Maintenance of logs showing unauthorized attempts to access;

Physical protection over data files;

Training in emergency procedures

Controls to ensure integrity of the database system;

DATABASE MANAGEMENT SYSTEMS (DBMS)

Controls to ensure integrity of the database system;

Restriction of access to data dictionary (point of definition and interrelationship of data);

Segregation of duties between data processing manager and database administration personnel;

Liaison between database administration function and systems development personnel

Preparation and update as necessary of user manual in conjunction with data dictionary

DATA BASE MANAGEMENT SYSTEM

The audit of DBMS creates particular problems as the two principal CAATs, test data and audit software, tend to work unsatisfactorily on programs and files contained within such a system. The auditor may, however, be able to use embedded audit facilities.

Close liaison with the internal auditor may provide audit comfort.

The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation.

QUESTION 3 (P18. MAY, 2010)

You have been asked to evaluate the system of internal control in an electronic data processing system.

REQUIRED:

Specify some of the matters to which you would give attention in relation to:

Division of responsibilities

File storage

What will be the auditor’s work or the areas in which he requires to pay special attention in auditing:

REQUIRED: (NBAA – CPA – Nov. 2009)

(a) (i) List the audit procedures to be followed by your assistant in verifying the bank reconciliation in sufficient detail for an inexperienced staff member to follow. (6 marks)

(ii) Explain the purpose of each procedure in terms of audit objectives. (5 marks)

(b) Discuss the reliability of bank statements as audit evidence. What steps can be taken if it is considered desirable to increase their reliability? (3 marks)

(c) (i) Distinguish between ‘auditing around the computer’ and ‘auditing through the computer’. (3 marks)

(ii) Explain the circumstances when it would be inappropriate for the auditor to rely on auditing around the computer. (3 marks)

(Total = 20 marks)

SMALL COMPUTER SYSTEM

Control problems in small computer systems

The problems surrounding PCs can be grouped as;

Lack of planning over the acquisition and use of PCs;

Lack of documentary evidence;

Lack of security and confidentiality.

NBAA: QUESTION 5 – NOVEMBER, 2010

The auditors of Malaga Co., a large engineering company, are now in the course of auditing the company's financial statements for the year ended 31st October, 2010. At the audit briefing, the audit manager made the following statements:

'Whilst we are all aware of the benefits that Malaga Co. should have gained from using a computer based accounting system, we need to be alert to the specific risks that a computer-based accounting system poses to an entity's internal controls. We will be using audit software.'

REQUIRED:

(a) State four benefits that Malaga Co. should have gained from using a computer-based accounting system.

(b) State six specific risks that the use of a computer-based accounting system poses to an entity's internal controls.

(c) Explain the term audit software.

COMPUTER FRAUD

Input fraud;

Processing fraud;

Fraudulent use of computer system;

Output fraud;

FACTORS - RISK TO COMPUTER FRAUD

Increase in computer literacy

Communications, e.g. telephone and PCs and hackers

Reduction of internal check

Improvements in quality of software and increase in implementation of good software has not kept pace with improvements in hardware

COUNTERACT COMPUTER FRAUD

Planned approach to counteract computer fraud.

All staff should be properly trained and should fully appreciate their role in the computer function

Management policy on fraud should be clear and firm

A study should be carried out to examine where the company is exposed to possible fraud

A company should map out an approach or plan in each area of the business to tackle and prevent fraud.

CONTROLS TO PREVENT COMPUTER FRAUDS

As with a control system, three areas to examine are: prevention, detection and correction

Access to the computer terminals and other parts of the computer should be restricted

Access to sensitive areas of the system should be logged and monitored

Error logs and reports should be monitored and investigated on a regular basis

Staff recruitment should include careful vetting, including taking up all references

Expert systems software may be used to monitor unusual transactions

See the separate question – detailed one

DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT

Many auditors are now finding their clients conducting business through the internet.

As always, the principal audit concern will be controls over the use of the internet and the strength of audit evidence obtained through the internet

INTERNET

Controls over the Internet

Unauthorized use of the internet

Staff may use the internet for unauthorized purchases

Staff may use the internet for accessing data which have a cost (call)

People may be able to access “business” internal systems via the internet and obtain confidential information or launch a virus which disrupts internal systems

CONTROLS IN INTERNET…

Controls against these risks include

Use of passwords,

Disabling certain terminals – Firewalls

Authorization: the technique makes sure that a message has come from an authorized sender

Virus control software – regular updating

Physical controls: against fire, damage etc.

AUDIT EVIDENCE IN THE INTERNET

Certain general observations can be made about audit evidence obtained through the Internet

Internet evidence generated by the auditor will be stronger than evidence generated by the client. Comfort may be obtained if the auditor can access the internet and test what the client has posted

Internet evidence can be obtained in written form and is thus stronger than oral evidence

If the internal controls mentioned above are strong, the auditors will have more confidence in the quality of evidence

WHAT ABOUT E-MAIL?

Email may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view, e.g. an unscrupulous employee in a large organization might find it quite easy to send an e-mail from his or her boss’s computer authorizing a substantial bonus/pay rise

H/W: what controls could you put in place to prevent this from happening?

CONTROL IN INTERNET SYSTEM

Control of the network system is of utmost importance. The auditors must be able to analyse the risk of unauthorized access such as line tapping or interception and to evaluate preventive measures

Authentication programs and encryption are used for security; the auditor must understand those matters and should be able to make recommendations on implementation.

Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems.

ELECTRONIC DATA INTERCHANGE

Electronic data interchange (EDI) is now used very widely because it cuts the task of re-inputting data that has already been input into a system in electronic form, saving time and improving accuracy

Is EDI authentic? What authorization measures are in place to ensure that transactions above a certain value are properly authorized before being transmitted or accepted?

What is the legal position of the two parties if the transaction is disputed?

Encryption and authentication offer some help, as do transaction logs that identify the originator or any

WHAT IS EDI

Is the automated computer-to-computer exchange of structured business transactions between an enterprise and its vendors, customers, or other trading partners in a standard format, with a minimum of human intervention

CONSIDERATION OF AUDIT STANDARDS

ISA 315, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” became effective.

CONSIDERATION OF AUDIT STANDARDS

Major issues to be considered by an auditor as per ISA

An auditor should consider how the new CIS environment affects the audit

The overall objective of audit in CIS audit never changes.

The design and performance of appropriate tests of Controls and Substantive

CONSIDERATION OF AUDIT STANDARDS

Major issues to be considered by an auditor as per ISA

The existence of a computer is likely to have an impact on the client’s inherent risk and control risk.

The auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed.

The auditor should consider whether specialized CIS skills are needed in an audit.

ISA

The ISA makes it clear that auditors should have sufficient knowledge of the CIS to perform such audit effectively. It is not necessary for overly member of audit team to be a computer expert auditors must consider need for specialized CIS skills.ISA 620 “using the work of expert” is relevant.

In planning the portions of audit which may be affected by the clients environment the auditor should obtain an understanding of significance and complexity of CIS activities and the availability of data for use in the audit.


ISA

The auditor must obtain an understanding of accounting and internal control (IC) sufficient to plan an effective approach.

Where CIS is significant, the auditor must assess the effect of the CIS on inherent and control risk.

Complexity normally increases risk, and deficiencies in program development, maintenance, physical security and access controls would have an effect on all applications


ELECTRONIC COMMERCE

IAPN

Electronic commerce is any commercial activity that takes place by means of connected computers, e.g. offering goods for sale directly from an office computer, where the purchaser's computer and the office computer are connected over the Internet.

How do we audit e-commerce?

The International Audit Practice Note (IAPN) is intended to assist auditors in identifying and assessing the new risks to which the business is exposed when it undertakes e-commerce transactions.


MAJOR AREAS OF FOCUS BY THE IAPS 1013

The skill and knowledge required to understand the implications of e-commerce on audit

The extent of knowledge an auditor should have about the client’s business environment and activities.


MAJOR AREAS OF FOCUS BY THE IAPS 1013

The business, legal, regulatory and other risks faced by entities engaged in e-commerce transactions.

The effect of electronic records on audit evidence.

The statement may also be helpful to the auditor of any business engaged in e-commerce.


5 MINUTES BREAK

See the Class Presentation on the question


What is an IT audit?

Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:

Understand the existing internal control environment

Identify high risk areas through a formal methodology

Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)

Recommend control implementation where risk exists


Why IT AUDIT?

Because of Information Technology RISK!!

Risk: The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact the ability to meet an objective).

Threat: Event with the potential to cause unauthorized access, modification, disclosure, or destruction of information resources.

Vulnerability: Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.


What Reduces IT Risk and What about any Remaining Risk?

Internal Controls (i.e. safeguards)

Control: Protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.

Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.

Internal Controls do not eliminate all risk!!


INTERNAL CONTROLS OTHER MATTERS

There are two major types of controls:

Application Controls

General Controls.


What about OTHER types of audits that may impact IT?

Traditional Audit Types:

Financial – “opinion” audits (CPAs)

Operational – process audits – now includes environmental & construction

Compliance – laws/regulations and policies, standards, and procedures

IT – usually considered “operational” unless performed so “opinion” auditors may “rely” on financial info provided

Hybrid - Integrated Audit – today almost all audits are actually hybrid


Operational Audits

Review operating policies/procedures

Documented policies/procedures?

Informal policies/procedures?

Work flow examined (thru flowchart or description requested/developed)

Controls identified and documented

Examine the business process and recommend improvements – control related or efficiency/effectiveness


MANUAL AND PROGRAMMED CONTROLS

Many controls over computers are manual controls, and providing that the manual controls exercised by users are sufficient to provide reasonable assurance of the completeness, accuracy and authorization of output, tests of control may be limited to those manual controls. In a payroll system, for example, if users test check gross pay, deductions, net pay and authorization at the output stage, and if they compare net pay with approved bank transfer documentation and perform regular bank reconciliations, there may be no need to test


MANUAL CONTROLS

Other Controls: Manual Controls

Physical Controls:

-A matter of common sense. Limit access to the computer room

-Locks and keys, only to specified people

-Prevention of smoking

Back-up of disks:

-Create and update an identical back-up disk for every disk in the system (data files and program files). The back-up disk should be stored in a separate place.


MANUAL CONTROLS

Other Controls: Manual Controls

Data filing:

-Each disk should be labeled clearly and filed securely. The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spilt on the disks or their being bent or plied.

Documentation: It is vital, as it provides both a support system for work already stored on disk and filed, and a progress report on data currently being processed or updated.

Staff Training:

Proofing: There is always room for manual checking or proofing, to control data on disk.


PROGRAMMED CONTROLS

Programmed Controls:

Passwords

Date/time stamps: for comparison of two revisions of data

Prompts: asking the user whether to continue with an action or not.

Check Digit: A means of control that ascertains whether or not a number, such as an ISBN, is valid, e.g. a customer account number. The computer will detect if the number is ever input incorrectly.


PROGRAMMED CONTROLS

Programmed Controls:

Reasonableness checks: Checks to ensure that data input is reasonable given the type of input it is, e.g. a payroll system would check that the hours recorded fall within a range of 30 to 50.

Existence checks: Checks to ensure that the data input is valid by checking that the entity already exists in the system. E.g. employee number.

Dependency checks: Data input fields can be compared with other fields for reasonableness.
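The check digit, reasonableness, existence and dependency checks described above can be seen working together in the following added example (not part of the original slides). It uses the ISBN-10 modulus-11 scheme for the check digit; the employee master file, field names, batch records and the overtime rule used for the dependency check are constructed assumptions.

```python
import re

# Constructed master file used by the existence check (employee number -> grade).
EMPLOYEE_MASTER = {"E1001": "hourly", "E1002": "salaried"}


def isbn10_check_digit_ok(isbn):
    """Check digit: weights 10..1 times each character must sum to a multiple of 11."""
    chars = isbn.replace("-", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9]{9}[0-9X]", chars):
        return False
    values = [10 if c == "X" else int(c) for c in chars]
    return sum(w * v for w, v in zip(range(10, 0, -1), values)) % 11 == 0


def validate_timesheet(rec):
    """Return the programmed controls a record fails; an empty list means accepted."""
    failures = []
    # Existence check: the employee number must already be on the master file.
    grade = EMPLOYEE_MASTER.get(rec.get("employee_no"))
    if grade is None:
        failures.append("existence: employee number not on master file")
    # Reasonableness check: hours must be numeric and within the 30 to 50 range.
    hours = rec.get("hours")
    hours_ok = isinstance(hours, (int, float)) and not isinstance(hours, bool)
    if not (hours_ok and 30 <= hours <= 50):
        failures.append("reasonableness: hours outside 30 to 50")
    # Dependency check (assumed rule): overtime is only valid for hourly staff.
    if rec.get("overtime_hours", 0) > 0 and grade is not None and grade != "hourly":
        failures.append("dependency: overtime claimed by non-hourly employee")
    return failures


# Constructed input batch: one clean record and three that should be rejected.
BATCH = [
    {"ref": "R1", "employee_no": "E1001", "hours": 45, "overtime_hours": 5},
    {"ref": "R2", "employee_no": "E9999", "hours": 40},
    {"ref": "R3", "employee_no": "E1001", "hours": 72},
    {"ref": "R4", "employee_no": "E1002", "hours": 40, "overtime_hours": 3},
]


def run_batch(batch):
    """Map each record reference to its list of control failures."""
    return {rec["ref"]: validate_timesheet(rec) for rec in batch}


if __name__ == "__main__":
    print(isbn10_check_digit_ok("0-306-40615-2"), isbn10_check_digit_ok("0-306-40165-2"))
    print(run_batch(BATCH))
```

The second ISBN has two adjacent digits transposed, the kind of keying error a check digit exists to catch.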


SMALL STAND ALONE MICRO-COMPUTER

Main problems.

Internal Controls.

Major controls appropriate in this environment

Authorization:

Physical security

AUDIT PROCEDURES

Substantive tests


Internal controls

Inherent limitations of the system of IC in the elimination of frauds & errors:

The need to balance the cost of control with its benefits;

The fact that IC are applied to systematic transactions, not one-off year-end adjustments, which are often larger and subject to error;

The potential for human error;

Possibility of circumvention of IC through collusion of managers or employees with other parties inside/outside the entity;

Abuse of controls or override of controls, e.g. ordering of personal goods;

Obsolescence of controls


FURTHER CONSIDERATION OF CAATs

ISA requires auditors to obtain appropriate audit evidence to be able to draw reasonable conclusions on which to base their opinion.

Advantages of CAATs:

Help to test a larger number of data items, hence increasing confidence in the auditors' opinion;

Help to test the accounting system and its records (tables & disk files) rather than relying on testing printouts;

Are cost effective, once set up, for obtaining audit evidence;

Comparisons can easily be made with clerical audit work, hence increasing confidence.


OTHER DETAIL MATTERS

Difficulties of using computer programs:

Cost; Changes to the client's system; Small installations (PC); Over-elaboration; Larger quantities of output; Version of file used for test.

Test Data:

Test data is data submitted by the auditor for processing by the client's computer-based accounting system.


OTHER MATTERS

Major approaches to the use of test data

Using live data

Using dummy data in a normal production run.

Using dummy data in a special run.

Difficulties of test data:

Cost

Limited objective

Dangers of live testing
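The "dummy data in a special run" approach is illustrated by the following added example (not part of the original slides): each dummy transaction carries a result the auditor worked out by hand before the run, and every difference is reported as an exception. The function client_payroll is a hypothetical stand-in for the client's program, with a seeded defect so the test pack has something to find; all names and values are constructed.

```python
# Hypothetical stand-in for the client's payroll program. In a real special
# run the dummy transactions go through the client's own system instead.
def client_payroll(employee_no, hours, rate):
    if employee_no not in {"E1001", "E1002"}:   # existence check
        return ("REJECT", None)
    if not 30 <= hours <= 51:                   # seeded defect: limit should be 50
        return ("REJECT", None)
    return ("ACCEPT", round(hours * rate, 2))


# Auditor's test pack (constructed). Expected results are predetermined and
# the cases sit on and either side of each control boundary.
TEST_PACK = [
    {"id": "T1", "input": ("E1001", 40, 12.50), "expected": ("ACCEPT", 500.00)},
    {"id": "T2", "input": ("E1001", 30, 12.50), "expected": ("ACCEPT", 375.00)},
    {"id": "T3", "input": ("E1001", 50, 12.50), "expected": ("ACCEPT", 625.00)},
    {"id": "T4", "input": ("E1001", 29, 12.50), "expected": ("REJECT", None)},
    {"id": "T5", "input": ("E1001", 51, 12.50), "expected": ("REJECT", None)},
    {"id": "T6", "input": ("E9999", 40, 12.50), "expected": ("REJECT", None)},
]


def run_test_pack(process, pack):
    """Process every dummy transaction and return the cases that deviate."""
    exceptions = []
    for case in pack:
        actual = process(*case["input"])
        if actual != case["expected"]:
            exceptions.append(
                {"id": case["id"], "expected": case["expected"], "actual": actual}
            )
    return exceptions


if __name__ == "__main__":
    for exc in run_test_pack(client_payroll, TEST_PACK):
        print(exc)
```

Only the boundary case T5 deviates, which is why a test pack built solely from typical transactions would have passed this program.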
