Risk Based Audit Approach Session Title: Auditing in EDP Environment !

nstructor"s uide: Session $vervie% Tell: &e %ill have a discussion on characteristics o# EDP s'stem #ollo%ed (' (asic principles o# auditing in an EDP environment and approach to audit o# computeri)ed accounts on audit risk consideration. Tell: T%o * hal# hours are assigned #or this session.+, minutes are assigned #or the e-ercises and remaining 1., minutes %ill (e used #or discussion. Learning Objectives: Tell: At the end o# the session 'ou %ill (e a(le to understand the (asic principles o# auditing in EDP environment/ and uses o# 0AATs in identi#'ing risk in an EDPenvironment/ Key Teaching Points CHARACTERISTICS OF A E!P E "IRO #E T $Ris% i&enti'ication 'or the a(&itor) Sho% slide Slide 8.135 Tell: An understanding o# the ma1or characteristics o# an EDP environment/ particularl' inso#ar as the' di##er #rom those o# a manual s'stem/ is essential #or the auditor as a tool #or risk identi#ication and #or #ormulating his general approach and speci#ic techni2ues to audit o# such a s'stem Slide 8.134 Re#erence

Session 8.1 Session uide Participant Response

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell: 0haracteristics o# an EDP environment/ %hich have a (earing on the %ork o# the auditor and proper assessment o# these characteristics/ %ill help in proper planning and e-ecution o# audit.

Tell: !n an EDP environment/ the num(er o# persons involved in the processing o# in#ormation is signi#icantl' lo%er than that in a manual s'stem.

Tell: There#ore/ man' conventional controls (ased on segregation o# duties ma' not e-ist or ma' (e less e##ective.

Tell: 0ertain data processing personnel/ (' virtue o# their specialised kno%ledge/ ma' (e intimatel' connected %ith the input preparation/ processing/ and distri(ution and use o# the output. Thus/ the' ma' (e in a position to alter programs or data during processing or storage.

Tell: !n a manual accounting s'stem/ a transaction is recorded on the (asis o# a supporting document/ e.g. voucher/ invoice/ receipt/ etc. 8o%ever/ such documentation ma' not al%a's (e availa(le in the case o# a computerised s'stem/ %here some data ma' (e entered directl' into the s'stem %ithout supporting documents. 9or e-ample/ sale orders and discounts ma' (e #ed directl' into an on3line s'stem. %ithout visi(le authorisation o# individual transactions.

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell: &here a manual accounting s'stem is in operation/ the process o# recording transactions generall' #ollo%s a set pattern. 9irstl'/ a (asic document/ i.e. voucher/ invoice or receipt/ etc. is prepared. This is the #irst recognition o# a transaction having taken place. Then an entr' is made in a prime (ook o# account/ i.e. 1ournal or da'(ook 9inall'/ a posting is made in the principal (ook/ i.e. ledger. Thus/ #or each transaction/ there is a visi(le :trail"/ %hich the auditor can #ollo%.

Tell: 7nder the computerised s'stem/ the a(ove order is not strictl' #ollo%ed. !n a computerised s'stem/ the auditor ma' o#ten #ind that the audit trail is mostl' in machine3reada(le #orm. Also/ it ma' e-ist onl' #or a limited period o# time. Tell: !n man' EDP s'stems/ the results o# processing ma' not (e printed or ma' (e printed in a summar' #orm. The data ma' (e retained on the #iles/ %hich are reada(le/ onl' (' the computer.

Tell: !n a computerised s'stem/ data and programs ma' (e easil' accessed and altered at the computer or through the use o# remote terminals. There#ore/ unless appropriate controls are instituted/ there is an increased potential #or unauthori)ed access/ to/ and alteration o#/ data and programs.

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell: EDP s'stems are normall' more relia(le than manual s'stems/ inasmuch as the' per#orm #unctions e-actl' as programmed. $n the other hand/ a #ault' computer program ma' consistentl' process transactions or other data erroneousl'. Tell: !n a computerised s'stem/ man' internal control procedures are incorporated in computer programs. These procedures can (e designed to provide controls %ith limited visi(ilit'; #or e-ample/ unauthori)ed access to data ma' (e prevented (' pass%ords. <an' other control procedures can (e manual in nature/ such as revie% o# reports printed #or e-ception or error reporting/ and reasona(leness or limit checks o# data.

Tell: 7nder an EDP s'stem/ a single input to the s'stem ma' automaticall' update all the records associated %ith the transaction. 9or e-ample/ a goods received note ma' update the purchase and supplier=s accounts #iles as %ell as the inventor' #ile. Thus/ an erroneous entr' in such an accounting s'stem ma' create errors in various accounts.

Tell: >arge volumes o# data and the computer programs ma' (e stored on porta(le or #i-ed storage media such as magnetic tapes/ disks/ etc. These media are vulnera(le to the#t/ loss/ or intentional or accidental destruction.

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell 0ode num(ers are e-tensivel' used to represent names and descriptions in a computerised s'stem. The auditor has to #amiliarise himsel# %ith such codes. This ma' create some pro(lems/ especiall' in the initial stages. The auditor ma' #ace another di##icult' due to the #act that narratives ma' (e totall' a(sent in the computerised records. Thus/ it ma' (ecome di##icult #or him to understand the various transactions.

Tell: !t should (e recognised that %hile computers can process in#ormation %ith incredi(le e##icienc'/ the' are also ver' vulnera(le to #rauds. Sho% slide E*+lain: 0omputer #rauds can (e divided into #ive general categories as (elo%. 1. 9inancial #rauds/ e.g. %here #und trans#ers are made to the criminals personal account. +. Propert' #rauds/ e.g. %here #alse orders are placed on the computer #or goods %hich are misappropriated. .. !n#ormation the#t including unauthorised access to data (ase records and computer programs. 4. The#t o# services including unauthorised use o# computer. 5. ?andalism o# e2uipment and destruction o# records. Slide 8.13@

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell: 9ive principal #acets o# computer operations have (een #ound to (e particularl' vulnera(le to manipulation. 1. Data input/ %here #alse data is programmed into the s'stem or the e-isting data removed. +. Programming/ %here the#t/ destruction or #ull or partial modi#ication is possi(le. .. 0entral processing/ %here the s'stem is e-posed to %iretaps and interception o# the data. 4. $utput/ %here the#t o# con#idential data occurs. 5. 0ommunication o# data to another computer or #rom computer to terminal. There is/ there#ore/ a strong need #or ade2uate controls in all these areas. Sho% slide E*+lain: !nternal controls %hich are speci#ic to an EDP environment include (oth manual procedures and procedures designed into computer programs. These manual and computer control procedures can (e classi#ied into AaB general EDP controls and A(B EDP application controls.

Slide 8.13C

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Tell: The purpose o# general EDP controls is to esta(lish a #rame%ork o# overall control over EDP activities. eneral EDP controls pertain to division o# duties/ controls over development and maintenance o# so#t%are/ controls over computer operations/ error routine/ controls over stationer'/ data entr' and program controls/ #ile controls/ and securit' and stand(' arrangements. Tell: The general EDP controls discussed a(ove in#luence the overall EDP environment and/ there#ore/ have an e##ect on all or most EDP applications. Besides these controls/ it is also important to design and operate appropriate controls over each EDP application. Tell: All EDP applications can (e divided into three stages: input/ processing and output. !t is necessar' to institute appropriate controls at each o# these stages Tell: &e have alread' discussed the main characteristics o# an EDP environment that have a (earing on the %ork o# an auditor. The various t'pes o# controls applica(le in an EDP environment have also (een discussed. Do%/ (asic principles o# auditing in an EDP environment/ the approach to the audit o# EDP3 (ased accounts and some o# the speci#ic techni2ues o# such audit %ill (e dealt %ith. Sho% slide E*+lain:The (asic principles governing an audit in an EDP environment are similar to those in a manual environment. 8o%ever/ some o# the auditing procedures to (e applied #or compl'ing %ith these (asic principles are speci#ic to the EDP environment Slide 8.138

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

E*+lain: !t is a (asic principle o# auditing that an auditor should have ade2uate training/ e-perience and competence in auditing. !n the conte-t o# auditing in an EDP environment/ this implies that the auditor should have su##icient understanding o# computer hard%are/ so#t%are and processing s'stems to (e a(le to plan the engagement and to understand ho% EDP a##ects the stud' and evaluation o# internal control and the application o# auditing procedures.

Tell: As in the case o# an' other audit engagement/ the auditor can delegate %ork to assistants or use %ork per#ormed (' other auditors or e-perts %hile auditing in an EDP environment. 8o%ever/ he should have su##icient understanding o# EDP to direct/ supervise and revie% the %ork o# assistants %ho have EDP skills or to o(tain reasona(le assurance that the %ork per#ormed (' other auditors or e-perts %ith EDP skills is ade2uate #or his purpose. Sho% slide Tell: !n planning his audit/ the auditor should gather su##icient * relevant in#ormation a(out the EDP environment/ including the #ollo%ing: The manner in %hich the EDP #unction is organised. The computer hard%are and so#t%are used (' the entit'. Signi#icant computer applications/ the nature o# processing/ and policies regarding retention o# data. Plans regarding implementation o# ne% applications or revisions to e-isting applications. Slide 8.131,

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Sho% slide Tell: The computerisation o# an accounting s'stem does not change the overall o(1ective and scope o# audit. 8o%ever/ the use o# a computer results in changes in the processing and storage o# in#ormation and a##ects the organisation and procedures emplo'ed (' the entit' to achieve ade2uate internal control. Accordingl'/ the procedures #ollo%ed (' the auditor in his stud' and evaluation o# the accounting s'stem and related internal controls and the nature/ timing and e-tent o# his other audit procedures ma' (e a##ected (' an EDP environment. Tell: The special #eatures o# an EDP s'stem make it necessar' #or the auditor to modi#' his compliance and su(stantive procedures #or revie% o# internal controls and e-amination o# data. Due to the a(sence o# audit trail and primar' records/ lack o# visi(le output/ and the use o# accounting codes/ etc. the auditor cannot carr' out the traditional vouch3and3post audit o# computerised records. 8e has to la' much more emphasis on the evaluation o# internal control and on anal'tical revie% procedures and has also to change his veri#ication programme in consonance %ith the manner in %hich the records are maintained.

Slide 8.13E

uide 8.1

RT!/ 6A!P7R

Risk Based Audit Approach

Session 8.1

Distri(ute e-ercise 8.1.1/ tell time allo%ed is 1, minutes 0ollect e-ercise a#ter 1, minutes and distri(ute Solution

E-ercise 8.1.1 Sol. To e-ercise 8.1.1/

Discuss the solution in #ull group

Start the &isc(ssion again an& tell, 0omputerised s'stems o# accounting/ ho%ever/ also o##er certain sa#eguards to the auditor. 9irstl'/ i# he is satis#ied a(out the controls/ the auditor can place a higher degree o# reliance on the arithmetical accurac' o# the accounts maintained he need not conduct a detailed veri#ication o# the arithmetical accurac' o# the records. Tell: 9urther/ computerisation automaticall' implies a constant revie% o# the s'stems to increase their e##icienc' in producing relia(le data. As a result/ the internal controls are normall' (etter designed under computerised s'stems. Automatic checks are instituted and the responsi(ilities o# various people are clearl' stated. S'stems anal'sis and methods stud' are conducted periodicall'. 0onse2uentl'/ the movement o# papers is smoother and speedier. Tell: 0omputerisation o# accounts/ thus/ presents special pro(lems and opportunities #or the auditor. !nstituting special controls can mitigate the pro(lems and the opportunities can (e e-ploited (' the auditor to make his audit programme more e##ective. As in the case o# audit o# accounts maintained manuall'/ the audit o# computerised accounts can (e divided into t%o ma1or phases: 1. Revie% o# internal controls; and

+. E-amination o# records produced (' the data processing s'stem.

uide 8.1

RT!/ 6A!P7R

1,

Risk Based Audit Approach

Session 8.1

Tell: The revie% o# internal controls ac2uires special signi#icance in an EDP environment. This is due to the limitations on the auditor=s e-amination o# computerised records arising out o# man' #actors/ e.g. a(sence o# audit trail/ lack o# visi(le output.

Tell: %hile %ell3de#ined internal controls ensure the arithmetical accurac' o# records/ %eaknesses in the s'stem ma' lead to #rauds and errors

Tell: The auditor=s revie% o# internal controls involves ascertaining the s'stem/ testing compliance through the per#ormance o# compliance procedures/ and #inall'/ making an evaluation o# the s'stem as a (asis #or ascertaining the degree o# reliance %hich he can place on the s'stem in determining the nature/ timing and e-tent o# his su(stantive procedures. Tell: The auditor can per#orm tests o# compliance (' o(taining documentar' evidence regarding the application o# internal controls; he can also make ver(al en2uiries or actuall' o(serve the #unctioning o# the controls. 9or e-ample/ the auditor ma' scrutinise the re1ection records to check %hether re1ections %ere promptl' dealt %ith and %hether a periodic revie% %as made o# the contents o# the suspense #ile. Tell: Apart #rom e-amination o# documentar' evidence/ en2uir' and o(servation procedures/ the auditor ma' also use computer assisted audit techni2ues in per#orming compliance tests. Tell: 0ompliance tests as a(ove ena(le the auditor to determine %hether the controls on %hich he intends to rel' %ere #unctioning properl' throughout the period o# intended reliance. Based on his 1udgment/ the auditor determines the nature/ timing and e-tent o# his su(stantive procedures.

uide 8.1

RT!/ 6A!P7R

11

Risk Based Audit Approach

Session 8.1

uide 8.1

RT!/ 6A!P7R

1+

Risk Based Audit Approach

Session 8.1

Tell: 8aving determined the degree o# his reliance on the internal control s'stem/ the ne-t step #or the auditor is to select and e-amine the records produced (' the data processing s'stem %ith a vie% to assessing their accurac'/ validit' and completeness. !n doing so/ the auditor has to deal %ith a pro(lem peculiar to EDP s'stems/ namel'/ lack o# a complete and visi(le audit trail.

Sho% slides

Slide 8.1311 *Slide 8.13 1+/1. and 14

Tell: The audit trail re#ers to the links (' %hich an original transaction can (e traced #or%ard to its #inal output or %here(' each item o# the output can (e traced (ack to the source documents. The vouchers/ 1ournal/ ledger/ and other (ooks o# account provide the links in the audit trail. These are important #or an auditor since he can trace the #inal impact o# all transactions on the #inancial statements onl' through such links. As discussed earlier/ in manual accounting/ the audit trail is clear. Tell The introduction o# electronic data processors a##ects the audit trail. There are direct input devices/ %hich eliminate the source documents. Similarl'/ the processing re#erences ma' (e missing/ making it di##icult to o(serve the se2uence o# records and transactions. 8ence/ the auditor has to #ind out su##icient printed records/ listings/ etc. to reconstruct and #ollo% the se2uence o# transactions.

uide 8.1

RT!/ 6A!P7R

1.

Risk Based Audit Approach

Session 8.1

Tell: !n man' cases/ special printouts ma' (e speci#icall' re2uired to reconstruct the audit trail. This ma'/ ho%ever/ re2uire retention o# data in a machine3 reada(le #orm #or long periods. Alternativel'/ the printouts re2uired #or audit purposes ma' (e prepared %hen the data are processed initiall'.

Tell The auditor ma' trace certain selected transactions #rom input documents to regular output statements or to error listings. The sampled items so traced provide evidence regarding the actual activities o# the period. !n this approach/ the auditor does not make use o# the computer in conducting audit tests. 8e merel' traces the transactions #rom the original documents to the statements and compilations produced on the computer.

Tell: Such an approach is use#ul in the case o# computer s'stems/ %hich per#orm relativel' uncomplicated processing and produce detailed output. The auditor ensures that su##icient audit trail %ill (e availa(le to him so that he can conduct his tests in essentiall' the same manner as in the case o# a traditional audit o# manual accounting s'stems. This/ ho%ever/ ma' not al%a's (e the case. Distri(ute e-ercise 8.1.+/ tell time allo%ed is 1, minutes 0ollect e-ercise a#ter 1, minutes and distri(ute Solution Discuss the solution in #ull group !istrib(te: 0ase 8.1 E-plain the stud' #or #ive minutes and give 4, minutes to solve it. 0ollect the ans%ers distri(ute the solution and discuss Tell: !n man' cases/ it ma' (e impractica(le #or uide 8.1 RT!/ 6A!P7R 14 solution 0ase 8.1 0ase 8.1 E-ercise 8.1.+ Sol. to e-ercise 8.1.+

Risk Based Audit Approach

Session 8.1

the auditor to per#orm tests o# details o# transactions manuall'/ and he ma' have to use %hat are commonl' kno%n as =computer3assisted audit techni2ues=. A0AATsB E*+lain an& &isc(ss Tell: !n an EDP environment/ the auditor ma' per#orm his compliance procedures as %ell as tests o# details o# transactions %ith or %ithout the help o# the computer Tell: <an' people have la(eled these approaches as =auditing around the computer= and =auditing through the computer=. Auditing around the computer has come to impl' that the audit is conducted in the traditional manner (' e-amining the computer printouts in the same %a' as the manual records are checked Tell: the auditor more or less ignores the computer and veri#ies the computer output %ith re#erence to the source documents. Tell: Auditing through the computer implies that the auditor in per#orming his compliance and su(stantive procedures uses the computer. !# the auditor has a reasona(le e-pertise in electronic data processing/ he can make use o# the capacities o# the computer to improve the e##ectiveness and e##icienc' o# his audit procedures. Tell: Techni2ues that use the computer itsel# #or audit purposes are kno%n as =computer3assisted audit techni2ues= A0AATsB. Tell: According to !A 1@/ computer3assisted audit techni2ues ma' (e used in per#orming various auditing procedures/ including the #ollo%ing: Tests o# details o# transactions and (alances; #or e-ample/ the auditor ma' use audit so#t%are to test all Aor a sampleB o# the transactions in a computer #ile. Anal'tical revie% procedures; #or e-ample/ audit so#t%are ma' (e used to identi#' unusual #luctuations or items. uide 8.1 RT!/ 6A!P7R 15

Risk Based Audit Approach 0ompliance tests o# EDP controls; #or e-ample/ the auditor ma' use test data to test the #unctioning o# a programmed procedure.

Session 8.1

Tell: &hen an auditor uses 0AATs/ he should keep ade2uate %orking papers relating to the application o# such techni2ues. The %orking papers should contain su##icient documentation to descri(e the 0AAT application/ such as: Planning $(1ectives o# 0AAT. Speci#ic 0AAT to (e used. 0ontrols to (e e-ercised. Sta##ing/ timing and cost

E-ecution 0AAT preparation and testing procedures and controls. Details o# the tests per#ormed (' the 0AAT. Details o# input/ processing and output. Relevant technical in#ormation a(out the entit'=s accounting s'stem/ such as computer #ile la'outs. Audit Evidence $utput provided. Description o# the audit %ork per#ormed on the output. Audit conclusions. $ther Recommendations to entit' management. Dote 8.1 E*+lain an& &ic(ss: Ty+es, A&vantages an& !isa&vantages o' CAATs in vario(s a(&iting sit(ations

uide 8.1

RT!/ 6A!P7R

1@

Risk Based Audit Approach

Session 8.1

Tell: &e %ill no% discuss one o# the generali)ed audit so#t%are !DEA. $ur discussion %ill (e #ocused on the #ollo%ing points: !DEA an introduction 9unctions Do%nloading o# data Slide 8.1.+./+4 Slide 8.13 +5/+@ Slide 8.13 +C/+8

7se o# !DEA To s(- (+ !t %ill (e o(served #rom the a(ove discussion that approach and techni2ues to (e #ollo%ed (' an auditor in auditing EDP (ased in#ormation Ae.g. accounts processed on computersB are in certain respects di##erent #rom those to (e #ollo%ed in manual environment re2uiring more skills and kno%ledge. Audit risks are a #act/ #ollo%ing necessar' preventing methods must (e adopted to estimate and control risks e##ectivel': Re#orming audit techni2ues and methodolog'/ !mproving preliminar' and #ollo% up audit on !T S'stem/ Strengthening audit on internal controls and urging audited entities to esta(lish and improve the internal control s'stem in !T Environment/ Enhancing the training o# auditors; and Speeding up the development o# audit so#t%are. Better understanding o# 0AATs and use o# !DEA so#t%are #or data/ anal'sis and sampling

Slide 8.13 +Eto4,

uide 8.1

RT!/ 6A!P7R

1C