Part-3-Auditing-Computer-Based-Information-System

Around the Computer Approach (Black Box Approach)

Around the Computer Approach (Black Box Approach)

In this approach the auditor does not examine the computer processing but instead the auditor put emphasis on the following matters:

Ø To ensure the completeness, accuracy and validity of information by comparing output reports with the input documentation

Ø To ensure effectiveness of input controls and output controls.

Ø To ensure the adequacy of segregation of duties.

“Through the Computer Approach” (White Box Approach)

In this approach requires the auditor to examine the detailed processing routines of the computer to determine whether the controls in the system are adequate to ensure complete and correct processing of all data.

Therefore, the auditor will use the Computer Assisted Audit Techniques (CAATs).

Computer Assisted Audit Techniques (CAATs)

These are the tools used by the auditor with the computer to aid in the effective and efficient performance of an audit whereby the computer programs allow the auditor to test files and database.

Need for CAATs

Absence of key documents or lack of visible paper trail may require the use of CAATs in the application of compliance and substantive procedures.

Need for CAATs

Ensuring audit findings and conclusion are supported by appropriate analysis and interpretation of evidence.

Need for CAATs

Need for obtaining sufficient, relevant, and useful evidence from the IT applications or database as per audit objectives.

Need for CAATs

Need to identify materiality, risk, and significance in an IT environment.

Need for CAATs

Need to increased audit quality and comply with auditing standards.

Need for CAATs

Improving the efficiency and effectiveness of the audit process.

Need for CAATs

Ensuring better audit planning and management of audit resources.

Need for CAATs

Need to access information from systems having different data structure, record formats, processing functions in a commonly usable format.

Key Steps for Obtaining Data

Discuss with clients about the requirement of raw data for audit and issue a request for getting the requested data in specified form as per audit objectives.

Key Steps for Obtaining Data

Discuss with IT personnel responsible for maintain data/application software and obtain copies of record layout and definition of all fields and ensure that you have an overall understanding of the data.

Key Steps for Obtaining Data

Print sample list of the first 100 records in the data file and compare this to a printout of the obtained data to confirm they are correct.

Key Steps for Obtaining Data

Verify data for completeness and accuracy by checking the field types and formats, such as identifying all records with an invalid date in a date field.

Key Steps for Obtaining Data

Obtain control totals of all key data and compare with totals from the raw data to ensure all records have been properly obtained. This can be performed by importing the data in audit software and reviewing the statistics of all key field.

Key Capabilities of CAATs

File access

Key Capabilities of CAATs

File reorganization

Key Capabilities of CAATs

Data selection

Key Capabilities of CAATs

Statistical functions

Key Capabilities of CAATs

Arithmetical functions

Key Factors to be Considered in Using CAATs

His computer knowledge, expertise and experience

Key Factors to be Considered in Using CAATs

Availability of CAATs and suitable computer facilities

Key Factors to be Considered in Using CAATs

Impracticability of manual tests

Key Factors to be Considered in Using CAATs

Effectiveness and efficiency

Key Factors to be Considered in Using CAATs

Timing

Stages of Control Procedures in an EDP Environment: Manual Procedures

The clerical work done up to the translation of data into machine- sensible form.

This stage, being manual, is subjected to usual internal control conditions and the auditor will have little difficulty in appraising them by means of “compliance test” and “substantive test”

Stages of Control Procedures in an EDP Environment: Computer Procedures

The computer processing work.

Auditing in this area is a complex activity, for which the auditor as a prudent person should develop himself for adequate EDP knowledge.

Before he starts to conduct his audit in EDP environment, he should envision to maintain an “Audit Control File” as his valuable kit.

Detailed Contain of the Computer Audit Control File

Copies of all documents and the details of the checks that have been done to ensure their accuracy.

Detailed Contain of the Computer Audit Control File

Details of the physical control over source documents and any control totals on numbers, quantities, values, including the names of the personnel keeping these controls.

Detailed Contain of the Computer Audit Control File

Full description of how the source documents are to be converted into input media, and the check-cum-control device.

Detailed Contain of the Computer Audit Control File

A detailed account of the manual internal controls contained in the system, e.g. separation of programmers from operators, control of assets from record keeping, etc.

Types of Computer Assisted Audit Techniques

Generalized Audit Software Programs (GASPs)

Types of Computer Assisted Audit Techniques

Custome audit software

Types of Computer Assisted Audit Techniques

Test data

Types of Computer Assisted Audit Techniques

Integrated test facility

Types of Computer Assisted Audit Techniques

Parallel simulation

Types of Computer Assisted Audit Techniques

Concurrent auditing techniques

Generalized Audit Software Programs (GASPs)

Readily available computer programs that read the client’s data, process the data, performed the indicated audit procedures, and require little programming effort and technical knowledge of auditor.

Used by auditor during substantive test to determine reliability and integrity of the computerized accounting records.

Its ability includes:

• Can select sample for confirmation of balances.

• Can provide detailed schedule of what are the items that make up account balance

• Can rearrange information in a manner suitable for the auditor to study and evaluate. ØCan calculate ratio and trend analysis

Custom Audit Software

Is generally written by auditors for specific audit tasks.

It is necessary when the entity’s computer system is not compatible with the auditor’s Generalized Audit Software (GAS) or when the auditor wants to conduct some testing that not be possible with the GAS.

Test Data

Development of imaginary data by auditor that are subsequently processed using the client’s computer system

Results obtained are then compared with predetermined results

Used by auditor during test of controls

Its ability include:

• Can verify the correct functioning of a program.

• Can ensure computer responds correctly to deliberate errors on data.

• Error or exception report is generated by computer.

• Can verify computed generated total balance and analysis.

• Computer will do the adding and subtracting, and analysis will be compared against the input.

Test Data Approach

Test Data Approach

Integrated Test Facility

Computer Assisted Audit Techniques (CAAT) that uses fictitious data and processes it with real data to test the computer system while the client’s personnel are unaware of testing process.

Parallel Simulation

Computer Assisted Audited Techniques (CAAT) that uses client input data and processes it on a duplicate program to test the computer system.

Concurrent Auditing Techniques

Advanced computer system may require the auditor use concurrent auditing techniques, which may be conducted by internal auditors.

Snapshot

System Control Audit Review

Expert System

Three (3) concurrent auditing techniques

Snapshot

This techniques involves taking picture of a transaction as it flows through the computer system.

Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing.

Such a technique permits an auditor to track data and evaluate the computer processes applied to the data.

Systems Control Audit Review Files (SCARF)

This involves embedding audit software modules within an application system to provide continuous monitoring of the system transactions.

The information is collected into a special computer file that the auditor can examine.

Expert System

This techniques is a computer program that uses artificial intelligence (AI) technologies to simulate the judgement and behavior of a human or an organization that has expert knowledge and experience in a particular field.

Typically, an expert system incorporate a knowledge base containing accumulated experience and an inference or rules engine – set of rules for applying the knowledge base to each situation that is described to the program.

The system’s capabilities can be enhanced with additions to the knowledge base or to the set rules.

Current system may include machine learning capabilities that allow them to improve their performance based on experience, just as humans do.

Major Steps in Applying CAATs

Set the objective of the CAAT application.

Major Steps in Applying CAATs

Identify the specific files or database to be examined.

Major Steps in Applying CAATs

Determine the accessibility of the entity’s files.

Major Steps in Applying CAATs

Define the specific tests or procedures and related transactions and balances affected.

Major Steps in Applying CAATs

Define the output requirements.

Major Steps in Applying CAATs

Identify the personnel who will participate in the application of the CAAT.

Major Steps in Applying CAATs

Ensure the use of the CAAT is properly controlled and documented

Major Steps in Applying CAATs

Reconcile data to be used for the CAAT with the accounting records

Major Steps in Applying CAATs

Evaluate the results after execution of the CAAT application.

Step by Step Methodology for Using CAATs

Identify the scope and objectives of the audit. Based on this, the auditor can decide about the need and the extent to which CAATs could be used.

Step by Step Methodology for Using CAATs

Identify the critical data which is being audited as per audit scope and objectives.

Step by Step Methodology for Using CAATs

Identify the sources of data from the enterprise information system/application software. These could be relating to general ledger, inventory, payroll, sundry debtors, sundry creditors.

Step by Step Methodology for Using CAATs

Identify the relevant personnel responsible for the data information system. These personnel could be from the IT Department, vendors, managers, etc.

Step by Step Methodology for Using CAATs

Obtain and review documents relating to data/information system. This should provide information about data types/data structures and data flow of the system.

Step by Step Methodology for Using CAATs

Understand the software by having a walk-through right from user creation, grant of user access, configuration settings, data entry, query and reporting features.

Step by Step Methodology for Using CAATs

Decide what techniques of CAATs could be used as relevant to the environment by using relevant CAAT software as required.

Step by Step Methodology for Using CAATs

Prepare a detailed plan for analyzing the data. This includes all the above steps.

Step by Step Methodology for Using CAATs

Perform relevant tests on audit data as required and prepare audit findings which will be used for forming audit report/opinion required.