Relevant to Foundation level Paper FAU and ACCA Qualification Papers F8 and P7 (Int and UK)
The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect this situation. Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of computer-assisted audit techniques (CAATs). The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-based controls and computer-assisted techniques and the way they may feature in exam questions.
Relevant auditing standards
Internal controls in a computer environment
Application controls
Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)). Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories:
(i) Input controls
The most common examples of programmed controls over the accuracy and completeness of input are edit (data validation) checks, in which the software checks the data fields included on transactions by performing:
When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’.
(ii) Processing controls
(iii) Output controls
(iv) Master files and standing data controls
General controls
‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system.
(i) Administrative controls
‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
Exam focus
Computer-assisted audit techniques
(i) Audit software
The auditor needs to determine which of these functions they wish to use, and the selection criteria.
Exam focus
The following is an example of how this could be applied to the audit of wages:
(ii) Test data
Examples of errors that might be included:
Data without errors will also be included to ensure ‘correct’ transactions are processed properly. Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have been used.
(iii) Other techniques
The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often used in real time and database environments.
Impact of computer-based systems on the audit approach
(i) Planning
(ii) Risk assessment
The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the controls, whether they are manual or automated. Auditors often use internal control evaluation (ICE) questions to identify strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers both manual and automated controls. For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or performed manually, would also be relevant to this question.
(iii) Testing
This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use a mix of manual and computer-assisted audit tests.
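The programmed sequence check and batch control total mentioned under risk assessment above, together with the existence check behind the ‘Supplier account number does not exist’ message, can be shown running over a small batch of test data. This is an added example, not part of the original article; the supplier accounts, invoice numbers, amounts and function names are all constructed for illustration.

```python
from decimal import Decimal

# Constructed supplier master file and purchase invoice batch (illustrative only).
SUPPLIER_MASTER = {"S001", "S002", "S003"}
BATCH_HEADER = {"count": 5, "value": Decimal("1850.00")}  # agreed manually before input
BATCH = [
    # (internal invoice number, supplier account, amount as keyed)
    (1001, "S001", Decimal("250.00")),
    (1002, "S002", Decimal("400.00")),   # keyed as 400.00; source document says 500.00
    (1004, "S003", Decimal("300.00")),   # 1003 is missing from the sequence
    (1004, "S001", Decimal("300.00")),   # duplicate invoice number
    (1005, "S009", Decimal("500.00")),   # supplier not on the master file
]


def existence_check(batch, master):
    """Reject items whose supplier account is not on the master file."""
    return [(no, f"Supplier account number does not exist: {acct}")
            for no, acct, _ in batch if acct not in master]


def sequence_check(batch):
    """Report gaps and duplicates in the internal invoice number sequence."""
    numbers = [no for no, _, _ in batch]
    seen = set(numbers)
    missing = [n for n in range(min(numbers), max(numbers) + 1) if n not in seen]
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    return missing, duplicates


def batch_control_check(batch, header):
    """Compare the batch header totals with totals computed from the keyed items."""
    value = sum((amt for _, _, amt in batch), Decimal("0"))
    return {"count_ok": len(batch) == header["count"],
            "value_ok": value == header["value"],
            "difference": header["value"] - value}


def run_controls(batch=BATCH, master=SUPPLIER_MASTER, header=BATCH_HEADER):
    """Run all three programmed controls and collect the exceptions they report."""
    missing, duplicates = sequence_check(batch)
    return {"rejected": existence_check(batch, master),
            "missing": missing, "duplicates": duplicates,
            "batch": batch_control_check(batch, header)}


if __name__ == "__main__":
    for key, value in run_controls().items():
        print(key, value)
```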
‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing
In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer-based application controls are operating satisfactorily.
Conclusion
In small computer-based systems, ‘auditing round the computer’ may suffice if sufficient audit evidence can be obtained by testing input and output.
Written by a member of the Paper F8 examining team
Which of the following is application control?
Application control includes completeness and validity checks, identification, authentication, authorization, input controls, and forensic controls, among others. Simply put, application controls ensure proper coverage and the confidentiality, integrity, and availability of the application and its associated data.
What is an example of an application control?
An example of an application control is the validity check, which reviews the data entered into a data entry screen to ensure that it meets a set of predetermined range criteria. Or, a completeness check will examine a data entry screen to see if all fields have an entry.
What are the types of application control?
Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls.
What are computer application controls?
Application controls relate to the transactions and data of each computer-based application system and are specific to each application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein.