Relevant to Foundation level Paper FAU and ACCA Qualification Papers F8 and P7 (Int and UK) Show
The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect this situation. Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of computer-assisted audit techniques (CAATs). The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-based controls and computer-assisted techniques and the way they may feature in exam questions. Relevant auditing standards
Internal controls in a computer environment Application controls Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)). Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories: (i) Input controls The most common example of programmed controls over the accuracy and completeness of input are edit (data validation) checks when the software checks that data fields included on transactions by performing:
When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’. (ii) Processing controls (iii) Output controls (iv) Master files and standing data controls General controls
‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system. (i) Administrative controls
‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
Exam focus
Computer-assisted audit techniques (i) Audit software
The auditor needs to determine which of these functions they wish to use, and the selection criteria. Exam focus The following is an example of how this could be applied to the audit of wages:
(ii) Test data Examples of errors that might be included:
Data without errors will also be included to ensure ‘correct’ transactions are processed properly. Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have been used. (iii) Other techniques
The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often used in real time and database environments. Impact of computer-based systems on the audit approach (i) Planning (ii) Risk assessment The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the controls, whether they are manual or automated. Auditors often use internal control evaluation (ICE) questions to identify strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers both manual and automated controls. For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or performed manually, would also be relevant to this question. (iii) Testing This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use a mix of manual and computer-assisted audit tests. ‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer - based application controls are operating satisfactorily. Conclusion In small computer-based systems, ‘auditing round the computer’ may suffice if sufficient audit evidence can be obtained by testing input and output. Written by a member of the Paper F8 examining team Should internal auditors be members of systems development teams that design and implement an information system Why or why not?DQ 9.2: Should internal auditors be members of system development teams that design and implement an AIS? Why or why not? No, auditor's role in systems development should be limited to an independent review of systems development activities.
What is the role of internal audit in systems development activities?It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What role should an auditor play in system development?The auditor's role is to assess whether the interim reviews are performed with adequate and reliable information and whether the decisions are made on the merits of the project rather than the outcome. If a project requires a significant scope change, an alarm should be raised.
What is the purpose of internal audits of management systems and how are they conducted?Goals of Internal Audits:
The purpose of an ISO internal audit is to assess an organization's efficiency as measured by the level of its quality and risk management systems and its overall business practices against one or more ISO Standards.
What are the roles of internal and external auditors AIS?Internal auditors will examine issues related to company business practices and risks, while external auditors examine the financial records and issue an opinion regarding the financial statements of the company.
Why internal audit department is important for an organization?Why is internal audit important for a Company? An internal audit is essential to maintain operational efficiency and financial reliability and to safeguard the assets. It provides independent assurance that an organization risk management, governance, and internal control process are operating effectively.
|