COMPUTERISED ENVIRONMENTS - Faculty of Commerce at the University .RTF by censhunay


									                   ACC3022H

              AUDITING I - 2006




COMPUTERISED ENVIRONMENTS




   1. Overview of computerised environments
   2. Review of Internal Control in a computerised
      environment
   3. Effect on Audit Profile
   4. Computer Assisted Audit Techniques “CAATS”
OBJECTIVES

For a computerised business environment
   • Identify the risk areas in the accounting cycles.
   • Identify and explain the control principles and techniques that should be incorporated in the
     accounting applications.
   • Identify and explain the impact on the audit profile.
   • Identify and explain the role of “CAAT’S”.

PRESCRIBED READING

   • ISA 315 “Understanding the entity and its environment and assessing the risks of material
     misstatement” SAICA Handbook Auditing 2005/2006
   • ISA 330 “The auditor’s procedures in response to assessed risks” SAICA Handbook Auditing
     2005/2006
   • ISA 1013 “Electronic commerce – effect on the audit of financial statements” SAICA Handbook
     Auditing 2005/2006
   • The Principles and Practice of Auditing, 8th ed., refer to the index and in particular chapters 4.3, 9.4,
     10.3 and relevant sections in chapters 12-17
   • ** Computerised Information Systems summary Module 3.

** Handed out in Control of Financial Information Systems (ACC2018S)


RECOMMENDED READING

   • www.isaca.org
   • Information Systems Control Journal
   • Information Systems Sections/Technology in:
     - Accountancy SA
     - Business Press, e.g. Financial Mail (FM Campus)/Daily/Weekend Newspapers, Time Magazine, Newsweek,

LECTURE OUTLINES
1. Overview
    • Typical computerised retail sales system.
    • Characteristics in a CIS environment.
    • Review of general IT and application controls.
2. Effect on audit profile and audit plan
    • Pre-engagement activities.
    • Knowledge of the Business.
    • Interest Risk and Materiality.
    • Understanding the accounting and internal control systems.
    • Audit Approach (nature, timing and extent of procedures).
    • Coordination, direction, supervision and review
    • Study and Evaluate Internal Controls
3. Audit Procedures including:
   “CAATS” (see attached lecture handout) the use of service organisations




ACC322H/MODS/CAATS05
             THE FINANCIAL ACCOUNTING REPORTING CYCLE

Inputs (Source Documents) -> Processing (Accounting Records) -> Outputs (Financial Statements)

Source documents                                              Accounting record
Sales Order, Shipping Document, Sales Invoice                 Sales Journal 1
Check, Remittance Advice (check to bank)                      Cash Receipts Journal 2
Purchase Requisition, Purchase Order, Receiving Report,
   Vendor’s Invoice                                           Purchases Journal 3
Check and Remittance Advice (to vendor)                       Cash Disbursements Journal 4
Job Time Tickets, Employee Clock Cards, Salaried Employee
   Time Summaries (pay checks to employees)                   Payroll Journal 5
Miscellaneous Support                                         General Journal 6

Journals 1-6 -> General Ledger -> Working Trial Balance -> Balance Sheet, Income Statement,
Statement of Cash Flows
COMPUTER CONTROL ACTIVITIES

Transactions

General Control Activities
   Computer General Control Activities ------- Controls related to all computer applications

Application Control Activities
   Programmed Application Control Activities ------- Controls in computer programs that relate to
      specific computer applications
   Computer Exception Reports / User Reports
   Manual Application Control Activities (Manual Follow-up of Computer Exception Reports)

User Control Activities
   User Control Activities to Test the Completeness and Accuracy of Computer-Processed
      Transactions ------- Manual checks of computer output against source documents or other input


Source: Adapted from AICPA Auditing Procedure Study: Consideration of Internal Control in a Computer
Environment: A Case Study.







COMPUTER ASSISTED AUDIT TECHNIQUES “CAATS”

On completion of the lectures, tutorials, assignments and readings set for this
topic you should be able to:

• Identify the types of CAAT’s available.
• Outline the advantages and disadvantages of the different CAAT’s
• Describe the nature and application of the different CAATS.


LECTURE OUTLINE



1. CAAT'S DEFINITION


2. SYSTEMS ORIENTATED CAATS


3. DATA ORIENTATED CAATS


4. USE OF CAATS IN THE AUDIT PROCESS


5. PROBLEMS ASSOCIATED WITH USAGE


6. BENEFITS OF USAGE






                                     Definition of CAAT’s

CAAT’s are methods or tools which allow the auditor to use computer programs and data to assist
him in achieving his audit objectives in the audit process. Tests of controls and detailed audit procedures
can be performed using audit software that can access the client’s computerised systems. These are referred
to as Computer Assisted Audit Techniques (CAAT’s).


                                         Methods or tools

   • Generalised audit software (bought packages)
    Generalised Audit Software (GAS) refers to software packages (CAAT Systems) designed for use
    within a particular environment (e.g. SAP R3), a particular system (e.g. IBM AS/400) or a particular
    industry (e.g. insurance companies). Some GAS packages are commercially available, while several
    accounting firms have their own proprietary GAS packages.

    GAS packages are readily available, comparatively user friendly, widely used and relatively cheap.

    However, GAS packages may not be applicable to all clients, particularly those with unique
    processing environments. GAS packages also have their limitations and may not provide the specific
    functions or information required for audit purposes. In such circumstances, CAAT software may be
    developed specifically for a particular system. However, development is a costly process as expertise
    is required. There is also a risk of dependence on the specialist programmer(s) responsible for
    development.

   • Information retrieval software
   • System utilities / management programs (part of client applications)
   • Customised audit software / purpose written programs (auditor developed)
   • Microcomputer retrieval
   • Embedded audit routines built into the client’s system

CAATs are either:
• systems orientated: used to test the logic of programs and/or the computerised controls, both general IT
  and application controls; or
• data orientated: used principally in support of audit procedures to access, retrieve and manipulate data
  from the computerised information system.







                                          System CAAT’s
1 Test data

     Test data is used for processing dummy data through the system e.g. to see if controls such as edit
     or validation checks are properly performed.
      * to test specific processing characteristics
      * to test transactions in an “integrated test facility” (ref. section 3(a))

     Test Data:
      * should include valid and invalid data
      * should include all conditions to be tested
      * should use the same program as was used throughout the year (hence reliance on general
           controls over system changes)
      * compares the result to pre-determined output

       Test data is widely used and is practical.

       The major risks relating to the use of test data are:
       * lack of surprise in that the timing of test data is often by arrangement with the CIS personnel
       * the program subjected to test data may not be the program used throughout the year
       * possible corruption of live data
       * only tests stated conditions




                                           TEST DATA APPROACH

1. Auditor’s Simulated Transactions -> Entry -> Client’s Computer System
   (Client’s Computer Program and Client’s Master File Records)
   -> Actual Processing Results in Visible Form
2. Auditor’s Simulated Transactions -> Manual Determination of Processing Results
   -> Predetermined Processing Results
3. Auditor’s Comparison of results: Actual Processing Results against Predetermined Processing Results





2      Simulation or Parallel processing
       Simulation processing is simulated transaction data run against the client’s program.
       Parallel processing is live data run against a simulation of the client’s program.
       In both cases the output is compared.
       Advantages
       • Audit assurance that programs are as specified in supporting documentation
       Disadvantages
       • Simulation difficulties / integrated programs
       • No assurance of program usage throughout period


                             AUDITORS’ USE OF PARALLEL SIMULATION

Computer Operations:  Master file + Transaction File -> Application Program -> Output
Auditors:             Master file + Transaction File -> Auditors’ simulation program -> Output
Auditor compares the two outputs.



3      Concurrent audit techniques

       Advantages
       • Audit assurance that the programs tested are those used throughout the period.
       • No scheduling of computer time required and little technical skill required once the initial set
         up has been done.
       Disadvantages
       • Often needs involvement at the SDLC stage
       • Security and removal of data
       • Need to rely on client’s general controls over change and access

(a) Integrated test facilities (ITF)

       ITF (Integrated Test Facility - a Concurrent CAAT) tests programs concurrently with normal live
           processing. The information selected by ITF forms part of the system’s data, but is coded
           separately for identification and retrieval.

       ITF has the advantage that the whole period under review is covered.

       Ideally ITF is installed at the time of systems development.



       Figure (ITF): Production Input Transactions and ITF Transactions -> Application Program
       -> Data Files (Production Files and ITF Data)
       -> Output reports without ITF data, and Output reports including ITF output








(b)   System control audit review function/file (SCARF)

      On Line Audit or SCARF is a concurrent CAAT which selects transactions during processing
      based on pre-set criteria. SCARF could also be used for detailed audit applications.




      Figure (SCARF): Production Input Transactions and ITF Transactions -> Application Program
      (with embedded SCARF) -> Data Files (Production Files, ITF Data and SCARF Data)
      -> Output reports without ITF data, and Output reports including ITF output & SCARF




(c) Snapshots

       A software routine embedded at different stages in the processing of a transaction to enable an
       auditor to trace and evaluate the computer processing of the transaction.


4      Program code reviews and flowchart checking

       Auditor reviews client program documentation to determine the program logic and the controls
       that have been prescribed

5      Program tracing or mapping.



                                    Data orientated CAAT’s
The functional capabilities of a data CAAT are:

Selection
• Selecting audit samples and performing statistical sampling evaluation
• Selecting random samples
• File stratification
• Scanning files for items that conform to specified criteria
        e.g. - exceptions
             - duplicates
             - blank fields (missing data)
             - inconsistencies
Calculation
• Checking the accuracy of computations
• Casting and extending
• Performing additional computations
Comparing data stored on different files e.g. current master file to prior year master file
Summarising, resequencing and analysing data
• Count records
• Comparisons
• Trend analysis
• Regression analysis
• Producing graphical reports
Reconstruct audit trails
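
Several of the data CAAT functions listed above, run over a small file extract, as an added example that is not part of the original handout. The invoice file, the control total, the strata boundaries and all function names are constructed for the illustration, and the sequence check is one assumed form of "inconsistency" scan.

```python
import csv
import io
from bisect import bisect_right
from collections import Counter
from decimal import Decimal

# Constructed extract of a client's sales invoice file (sample data only).
SALES_CSV = """invoice_no,customer,date,amount
1001,C001,2006-01-05,250.00
1002,C002,2006-01-06,12500.00
1003,,2006-01-07,80.00
1003,C003,2006-01-07,80.00
1005,C001,2006-01-09,-40.00
1006,C004,2006-01-10,990.00
"""
LEDGER_CONTROL_TOTAL = Decimal("13860.00")  # constructed general ledger balance

def load(text):
    """Read the extract; the auditor works on this copy, not the live file."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["invoice_no"] = int(r["invoice_no"])
        r["amount"] = Decimal(r["amount"])
    return rows

def cast(rows):
    """Casting: re-add the file so it can be agreed to the accounting records."""
    return sum((r["amount"] for r in rows), Decimal("0"))

def duplicates(rows):
    """Invoice numbers that appear more than once."""
    counts = Counter(r["invoice_no"] for r in rows)
    return sorted(n for n, c in counts.items() if c > 1)

def blank_fields(rows):
    """(invoice_no, field) pairs where a text field is empty (missing data)."""
    return [(r["invoice_no"], f) for r in rows for f, v in r.items() if v == ""]

def exceptions(rows, upper_limit):
    """Items outside the criteria: zero/credit amounts or above the limit."""
    return [r["invoice_no"] for r in rows
            if r["amount"] <= 0 or r["amount"] > upper_limit]

def sequence_gaps(rows):
    """Invoice numbers missing from the numeric sequence on file."""
    nums = {r["invoice_no"] for r in rows}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]

BOUNDS = [Decimal("0"), Decimal("100"), Decimal("1000")]
LABELS = ["< 0", "0 - 99.99", "100 - 999.99", ">= 1000"]

def stratify(rows):
    """File stratification: (record count, value) per amount band."""
    strata = {label: [0, Decimal("0")] for label in LABELS}
    for r in rows:
        band = strata[LABELS[bisect_right(BOUNDS, r["amount"])]]
        band[0] += 1
        band[1] += r["amount"]
    return {label: tuple(v) for label, v in strata.items()}

if __name__ == "__main__":
    rows = load(SALES_CSV)
    print("Records:", len(rows), "Cast:", cast(rows),
          "Difference to ledger:", cast(rows) - LEDGER_CONTROL_TOTAL)
    print("Duplicates:", duplicates(rows))
    print("Blank fields:", blank_fields(rows))
    print("Exceptions:", exceptions(rows, Decimal("10000")))
    print("Sequence gaps:", sequence_gaps(rows))
    for label, (count, value) in stratify(rows).items():
        print(f"{label:>13}: {count} items, {value}")
```

The file casts to the control total even though it contains a duplicate, a blank customer and a credit amount, which is why the scans are run in addition to the reconciliation.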


                                          USE OF CAATS

Steps in planning the use of CAATs

      1.    set objectives
      2.    review content and accessibility of client data files
      3.    identify the information (files / databases) to be examined and reconcile to accounting
            information
      4.    determine reports and output requirements
      5.    identify personnel who can provide technical and administrative assistance
      6.    determine equipment needs (hardware / software / communications)
      7.    determine control requirements
      8.    prepare budgets and timetables.
      9.    decide whether CAATs are to be run on copies of data or live data (data could be corrupted)







                             Allocation of responsibilities where
                          a specialist computer auditor is involved



General Auditor                                    Computer auditor

1. Identify need
                                                   2. Enquiry into
                                                      installation type
3. Define audit objectives
                                                   4.     Study systems /
                                                                file layouts

                                                   5.     Write, test
                                                          and run

                                                   6. Produce output

7. Audit work on output

8. Form conclusion






                                       WORKING PAPERS

Planning

   • objectives
   • selection of particular CAAT
   • administration - staffing / timing / cost
   • procedures to ensure adequate control

CAAT

   • what was done – preparation and testing
   • input, processing, files used in the process, output specifications, communication media requirements
   • technical requirements e.g. file layouts

Output

   • actual output
   • evidence of work done
   • conclusions
   • notes for future audit
   • notes for management comments letter


                                       Advantages of CAATs
      1.    efficiency by saving time, leading to
      2.    reduced costs
      3.    improved quality of audit function
            e.g. as all the data, or large samples of data can be tested:
            * more extensive reperformance
            * more precise
            * more conclusive results
      4.    a better knowledge of the computerised information system is developed
      5.    CAATs are able to deal with large volumes of data.







                             Difficulties in the use of CAATs
     1.  Available CAAT software may not be compatible with the particular hardware, software or
         file layouts
     2.  Computer time may not be available
     3.  The use of CAATs may require a computer specialist
     4.  The use of CAATs may require an extensive investment in software
     6.  Data may not be retained on the system long enough to facilitate CAATs. This may be
         overcome by running CAATs more than once during the year.
     7.  CAAT output may not be suitable for audit use
     8.  CAATs may corrupt client data
     9.  The use of system CAATs once a year may not provide evidence that the system is
         functioning throughout the period of the audit. This may be overcome by running CAATs
         more than once during the year, or by evaluating general controls, particularly those over
         access and system change.
     10. Maintaining integrity of CAAT program and the supporting data.



                        Selection criteria for the use of CAATs
     1.    economic considerations: needs and potential uses of the software vs cost
     2.    computer resources available:
           * is the software compatible with the client's system
           * OR can the client's data files be converted
           * is the data and file structure in standard format
           * additional peripheral devices required
           * is the required data still on file, in sequence
     3.    availability of staff with data processing expertise
     4.    specialised training required
     5.    whether general controls are acceptable
     6.    CAAT functions to be used
     7.    quality of supplier support
     8.    Possible alternatives to the use of CAAT software:
            8.1 Could use the system’s enquiry routines.
            8.2 Possible testing of manual controls or manual controls
                  over computer information, thus obviating the need for
                  system CAATs.
     9.    Impracticability of manual tests due to IT characteristics such as:
           * no input documents / electronic initiation
           * system generated transactions
           * electronic authorisation
           * lack of visible audit trail
           * no hardcopy output




Examination Technique

First establish what your examiner has in mind.

A question referring to tests of control is not necessarily confined to the use of audit software merely
because the question mentions that there is a computer system.
The tests of controls may include testing (automated computerised or programmed) controls, in which
case audit software may be required, but you should never neglect the independent manual controls and
the manual/user controls over computer information.

On the other hand, you may face a question which requires you to test only the automated controls on the
logic of the processing. In this case, you would probably use test data.

Systems CAATs

In answering a practical question concerning test data (e.g. "describe how you would use test data"):

1.    Develop your test data.

2.    Describe your test data including descriptions of valid and invalid data.

3.    Indicate that your test data should include all types of transaction to be tested and give examples.

4.    Process your test data on a system independent of your client so as to obtain a pre-determined
      correct processing result.

5.    Process your test data on the client's system.

6.    Compare the results from the client's system to your pre-determined results.

7.    Conclude whether the client's system functions properly.

8.   Evaluate General IT Controls to ensure that the system you have tested functions within a controlled
     environment and functioned without unauthorised amendment throughout the year
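
Steps 1 to 7 above, together with the test data section earlier in the handout, as an added example that is not part of the original handout. The program `client_order_entry`, the master file and the test deck are hypothetical, constructed stand-ins, and the program carries a seeded defect so that the comparison has something to find.

```python
import copy
from decimal import Decimal

# Constructed customer master file (sample data for this example).
MASTER = {"C001": {"credit_limit": Decimal("5000.00")},
          "C002": {"credit_limit": Decimal("1000.00")}}

def client_order_entry(txn, master):
    """Hypothetical stand-in for the client's order-entry program.

    Seeded defect for the demonstration: the quantity edit check rejects
    zero but lets a negative quantity through.
    """
    if txn["customer"] not in master:
        return ("REJECT", "unknown customer")
    if txn["qty"] == 0:
        return ("REJECT", "invalid quantity")
    total = txn["qty"] * Decimal(txn["unit_price"])
    if total > master[txn["customer"]]["credit_limit"]:
        return ("REJECT", "credit limit exceeded")
    return ("ACCEPT", total)

def order(customer, qty, unit_price="25.00"):
    """Build one simulated transaction."""
    return {"customer": customer, "qty": qty, "unit_price": unit_price}

# Steps 1-4: the test deck, valid and invalid data, one line per condition,
# each with the result the auditor determined independently of the client.
TEST_DECK = [
    ("T1", "valid order", order("C001", 10), ("ACCEPT", Decimal("250.00"))),
    ("T2", "customer not on master file", order("C999", 1),
     ("REJECT", "unknown customer")),
    ("T3", "zero quantity", order("C001", 0), ("REJECT", "invalid quantity")),
    ("T4", "negative quantity", order("C001", -5),
     ("REJECT", "invalid quantity")),
    ("T5", "order exactly at credit limit", order("C002", 40),
     ("ACCEPT", Decimal("1000.00"))),
    ("T6", "order just over credit limit", order("C002", 41),
     ("REJECT", "credit limit exceeded")),
]

def run_test_data(program, deck, master):
    """Steps 5-6: process the deck and compare with predetermined results.

    The program runs against a copy of the master file, so test transactions
    cannot corrupt live data. Returns (exceptions, master_unchanged).
    """
    working = copy.deepcopy(master)
    exceptions = []
    for test_id, condition, txn, expected in deck:
        try:
            actual = program(dict(txn), working)
        except Exception as exc:  # a crash is also a result to report
            actual = ("ERROR", type(exc).__name__)
        if actual != expected:
            exceptions.append((test_id, condition, expected, actual))
    return exceptions, working == master

if __name__ == "__main__":
    found, unchanged = run_test_data(client_order_entry, TEST_DECK, MASTER)
    for test_id, condition, expected, actual in found:
        print(f"{test_id} ({condition}): expected {expected}, got {actual}")
    # Step 7: conclude on the system from the exceptions found.
    print("Master file copy unchanged by test run:", unchanged)
```

The deck finds the negative-quantity defect only because that condition was included, which is the "only tests stated conditions" limitation noted earlier; step 8 still has to be addressed through the general IT controls.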



