Part-3-Auditing-Computer-Based-Information-System

Audit Approach to Computer Environment

 The auditor shall adopt two approaches:

 

  • Around the Computer Approach

 

  • Through the Computer Approach

 The auditor shall use microcomputer software when performing this approach.

 

Around the Computer Approach (Black Box Approach)

 

–      In this approach the auditor does not examine the computer processing but instead puts emphasis on the following matters:

  • To ensure the completeness, accuracy and validity of information by comparing output reports with the input documentation.

  • To ensure the effectiveness of input controls and output controls.

  • To ensure the adequacy of segregation of duties.

–      In other words, this approach concentrates solely on the input and the corresponding output, with emphasis on the user department only.

–      These include checking the authorization, coding, and control totals of input, and checking the output against source documents and clerical control totals.

 

 

 

“Through the Computer Approach” (White Box Approach)

 

–      This approach requires the auditor to examine the detailed processing routines of the computer to determine whether the controls in the system are adequate to ensure complete and correct processing of all data.

 

–      Therefore, the auditor will use the Computer Assisted Audit Techniques (CAATs).

 

Computer Assisted Audit Techniques (CAATs)

–      These are computer-based tools the auditor uses to aid in the effective and efficient performance of an audit; the computer programs allow the auditor to test files and databases.

 

 

 

 

Need for CAATs

 

–      Absence of key documents or lack of visible paper trail may require the use of CAATs in the application of compliance and substantive procedures.

 

–      Ensuring audit findings and conclusions are supported by appropriate analysis and interpretation of evidence.

–      Need for obtaining sufficient, relevant, and useful evidence from the IT applications or databases as per audit objectives.

–      Need to identify materiality, risk, and significance in an IT environment.

–      Need to increase audit quality and comply with auditing standards.

–      Improving the efficiency and effectiveness of the audit process.

–      Ensuring better audit planning and management of audit resources.

–      Need to access information from systems having different data structures, record formats, and processing functions in a commonly usable format.

 

Key Steps for Obtaining Data

 

–      Discuss with the client the raw data required for the audit and issue a request for the data in a specified form, as per the audit objectives.

–      Discuss with the IT personnel responsible for maintaining the data/application software, obtain copies of the record layout and the definitions of all fields, and ensure that you have an overall understanding of the data.

–      Print a sample list of the first 100 records in the data file and compare this to a printout of the obtained data to confirm they are correct.

–      Verify data for completeness and accuracy by checking the field types and formats, such as identifying all records with an invalid date in a date field.

–      Obtain control totals of all key data and compare them with totals from the raw data to ensure all records have been properly obtained. This can be performed by importing the data into audit software and reviewing the statistics of all key fields.
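The last three steps can be scripted. The following is an added example, not part of the original notes: the record layout, field names, extract rows and client control totals are all constructed for illustration. It checks every field against the layout, lists records with an invalid date or amount, and reconciles the record count and amount total with the client's control totals.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Record layout as it might be obtained from IT personnel (hypothetical fields).
LAYOUT = {"invoice_no": "text", "invoice_date": "date", "amount": "decimal"}
DATE_FORMAT = "%Y-%m-%d"  # assumed format stated in the layout

# Constructed extract: INV-1003 has an impossible date, INV-1004 has the
# letter O typed in place of a zero in the amount.
EXTRACT = """invoice_no,invoice_date,amount
INV-1001,2023-01-15,1200.50
INV-1002,2023-02-28,349.99
INV-1003,2023-02-30,75.00
INV-1004,2023-03-10,12O.00
INV-1005,2023-03-11,980.25
"""

# Control totals supplied by the client with the extract (constructed).
CLIENT_CONTROL = {"record_count": 5, "amount_total": Decimal("2725.74")}


def parse_field(kind, raw):
    """Convert raw text per the layout; raise ValueError if it does not fit."""
    if kind == "date":
        return datetime.strptime(raw, DATE_FORMAT).date()
    if kind == "decimal":
        try:
            value = Decimal(raw)
        except InvalidOperation:
            raise ValueError("not a number") from None
        if not value.is_finite():
            raise ValueError("not a finite number")
        return value
    if not raw.strip():
        raise ValueError("empty")
    return raw


def verify_extract(text, control):
    """Check every field against the layout and reconcile control totals."""
    rows = list(csv.DictReader(io.StringIO(text)))
    exceptions = []            # (file line, record key, offending field)
    amount_total = Decimal("0")
    for line_no, row in enumerate(rows, start=2):   # line 1 is the header
        for name, kind in LAYOUT.items():
            try:
                value = parse_field(kind, row.get(name) or "")
            except ValueError:
                exceptions.append((line_no, row.get("invoice_no"), name))
                continue
            if name == "amount":
                amount_total += value
    return {
        "sample": rows[:100],  # first 100 records for the printout comparison
        "record_count": len(rows),
        "count_diff": control["record_count"] - len(rows),
        "amount_total": amount_total,
        "amount_diff": control["amount_total"] - amount_total,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = verify_extract(EXTRACT, CLIENT_CONTROL)
    for line_no, key, field in report["exceptions"]:
        print(f"line {line_no}: {key} has an invalid {field}")
    print("records:", report["record_count"], "difference:", report["count_diff"])
    print("amount total:", report["amount_total"], "difference:", report["amount_diff"])
```

In the sample, the record count agrees but the amount total is short by exactly the value of the record whose amount could not be parsed, which shows why the format check and the control-total check are read together.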

 

Key Capabilities of CAATs

 

–      File Access

 

–      File Reorganization

 

–      Data Selection

 

–      Statistical Functions

 

–      Arithmetical Functions

 

 

Key Factors to be Considered in Using CAATs

 

–      In determining whether to use CAATs, the auditor should consider:

 

  • His computer knowledge, expertise and experience

  • Availability of CAATs and suitable computer facilities

  • Impracticability of manual tests

  • Effectiveness and efficiency

  • Timing

 

 

Stages of Control Procedures in an EDP Environment

 

Manual Procedures

 

•      The clerical work done up to the translation of data into machine-sensible form.

 

•      This stage, being manual, is subject to the usual internal control conditions, and the auditor will have little difficulty in appraising them by means of “compliance tests” and “substantive tests”.

 

 

Computer Procedures

 

•      The computer processing work.

 

•      Auditing in this area is a complex activity, for which the auditor, as a prudent person, should develop adequate EDP knowledge.

•      Before he starts to conduct his audit in an EDP environment, he should plan to maintain an “Audit Control File” as his valuable kit.

 

 

 

 

 

Detailed Contents of the Computer Audit Control File

 

Copies of all documents and the details of the checks that have been done to ensure their accuracy.

 

Details of the physical control over source documents and any control totals on numbers, quantities, values, including the names of the personnel keeping these controls.

 

Full description of how the source documents are to be converted into input media, and the check-cum-control device.

 

A detailed account of the manual internal controls contained in the system, e.g. separation of programmers from operators, control of assets from record keeping, etc.

 

The arrangement for retaining source documents and input media for the required periods necessitating reconstruction of stored files in the event of error, mishap, loss, etc.

 

Detailed Flow Diagram of what takes place during the process run.

 

Details of all tapes or discs produced, including their layout, labelling, storage and retention.

 

Copies of all documents of output and details of subsequent sorting and checking.

 

 

 

 

Types of Computer Assisted Audit Techniques

 

–      Generalized Audit Software Programs (GASPs)

 

–      Custom Audit Software

 

–      Test Data

 

–      Integrated Test Facility

 

–      Parallel Simulation

 

–      Concurrent Auditing Techniques

 

 

 

Generalized Audit Software Programs (GASPs)

 

–      Readily available computer programs that read the client’s data, process the data, perform the indicated audit procedures, and require little programming effort or technical knowledge from the auditor.

–      Used by the auditor during substantive testing to determine the reliability and integrity of the computerized accounting records.

–      Their abilities include:

  • Can select a sample for confirmation of balances.

  • Can provide a detailed schedule of the items that make up an account balance.

  • Can rearrange information in a manner suitable for the auditor to study and evaluate.

  • Can calculate ratio and trend analysis.

 

 

 

Custom Audit Software 

 

–      Is generally written by auditors for specific audit tasks.

 

–      It is necessary when the entity’s computer system is not compatible with the auditor’s Generalized Audit Software (GAS) or when the auditor wants to conduct some testing that would not be possible with the GAS.

Test Data 

 

 

–      Development of imaginary data by the auditor, which is subsequently processed using the client’s computer system.

–      The results obtained are then compared with predetermined results.

–      Used by the auditor during tests of controls.

 

 

 


 

–      Its abilities include:

  • Can verify the correct functioning of a program.

  • Can ensure the computer responds correctly to deliberate errors in the data.

  • An error or exception report is generated by the computer.

  • Can verify computer-generated total balances and analysis.

  • The computer will do the adding and subtracting, and the analysis will be compared against the input.
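The test data technique described above, as an added example that is not part of the original notes: `client_payroll` is a hypothetical stand-in for the client's program with two seeded defects, and the test deck, pay rule and predetermined results are constructed. The auditor's deck mixes valid transactions with deliberate errors, and the harness reports every case where the program's response differs from the predetermined result.

```python
from decimal import Decimal

OVERTIME_AFTER = Decimal("40")  # assumed payroll rule for this example


def client_payroll(txn):
    """Stand-in for the client's program (hypothetical, not a real system).

    Returns ("OK", gross_pay) or ("REJECT", reason). Two defects are seeded:
    there is no upper limit on hours, and non-numeric input is not trapped.
    """
    hours, rate = Decimal(txn["hours"]), Decimal(txn["rate"])
    if not txn["employee_id"]:
        return ("REJECT", "missing employee id")
    if hours < 0 or rate <= 0:
        return ("REJECT", "value out of range")
    overtime = max(hours - OVERTIME_AFTER, Decimal("0"))
    regular = hours - overtime
    return ("OK", regular * rate + overtime * rate * Decimal("1.5"))


def make_txn(employee_id, hours, rate="20.00"):
    return {"employee_id": employee_id, "hours": hours, "rate": rate}


# Auditor's test deck (constructed). Each case carries its predetermined
# result; T5 assumes the documented edit check rejects implausible hours.
TEST_DECK = [
    ("T1 normal week",       make_txn("E001", "40"),  ("OK", Decimal("800.00"))),
    ("T2 overtime",          make_txn("E002", "45"),  ("OK", Decimal("950.00"))),
    ("T3 negative hours",    make_txn("E003", "-5"),  ("REJECT", None)),
    ("T4 missing id",        make_txn("", "40"),      ("REJECT", None)),
    ("T5 excessive hours",   make_txn("E005", "200"), ("REJECT", None)),
    ("T6 non-numeric hours", make_txn("E006", "4O"),  ("REJECT", None)),
]
PREDETERMINED_TOTAL = Decimal("1750.00")  # T1 + T2, the only valid cases


def run_test_data(program, deck):
    """Process the deck and return (deviations, total of accepted gross pay)."""
    deviations, total = [], Decimal("0")
    for name, transaction, (exp_status, exp_value) in deck:
        try:
            status, detail = program(transaction)
        except Exception:          # an abnormal end is itself an audit finding
            status, detail = "ERROR", None
        if status == "OK":
            total += detail
        if status != exp_status or (status == "OK" and detail != exp_value):
            deviations.append((name, exp_status, status))
    return deviations, total


if __name__ == "__main__":
    deviations, total = run_test_data(client_payroll, TEST_DECK)
    for name, expected, actual in deviations:
        print(f"{name}: expected {expected}, program returned {actual}")
    print("computed total:", total, "predetermined total:", PREDETERMINED_TOTAL)
```

The computed total exceeds the predetermined total by the gross pay of the transaction that should have been rejected, so the control-total comparison and the per-case comparison point at the same missing edit check.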

 

 

Integrated Test Facility 

 

–      A computer-assisted audit technique (CAAT) that uses fictitious data and processes it together with real data to test the computer system while the client’s personnel are unaware of the testing process.

Parallel Simulation

–      A computer-assisted audit technique (CAAT) that uses the client’s input data and processes it on a duplicate program to test the computer system.

 

Concurrent Auditing Techniques 

 

–      Advanced computer systems may require the auditor to use concurrent auditing techniques, which may be conducted by internal auditors.

–      Three (3) concurrent auditing techniques are:

  • Snapshot

  • Systems Control Audit Review Files (SCARF)

  • Expert System

 

 

 


•         Snapshot

–     This technique involves taking a picture of a transaction as it flows through the computer system.

–     Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing.

–     Such a technique permits an auditor to track data and evaluate the computer processes applied to the data.

 

•         Systems Control Audit Review Files (SCARF)

–     This involves embedding audit software modules within an application system to provide continuous monitoring of the system transactions.

–     The information is collected into a special computer file that the auditor can examine.

 

 

 

 


•         Expert System

–     This technique is a computer program that uses artificial intelligence (AI) technologies to simulate the judgement and behavior of a human or an organization that has expert knowledge and experience in a particular field.

–     Typically, an expert system incorporates a knowledge base containing accumulated experience and an inference or rules engine, a set of rules for applying the knowledge base to each situation that is described to the program.

–     The system’s capabilities can be enhanced with additions to the knowledge base or to the set of rules.

–     Current systems may include machine learning capabilities that allow them to improve their performance based on experience, just as humans do.

 

 

 

 

Major Steps in Applying CAATs

 

–      Set the objective of the CAAT application.

 

–      Identify the specific files or database to be examined.

 

–      Determine the accessibility of the entity’s files.

 

–      Define the specific tests or procedures and related transactions and balances affected.

 

–      Define the output requirements.

 

–      Identify the personnel who will participate in the application of the CAAT.

 

 

 


 

–      Ensure the use of the CAAT is properly controlled and documented.

–      Reconcile the data to be used for the CAAT with the accounting records.

 

–      Evaluate the results after execution of the CAAT application.

 

 

 

Step by Step Methodology for Using CAATs

 

–      CAATs are very critical tools for auditors. Hence, it is important to formulate appropriate strategies to ensure their effective use. Some of the key strategies for using CAATs are:

  • Identify the scope and objectives of the audit. Based on this, the auditor can decide about the need and the extent to which CAATs could be used.

  • Identify the critical data which is being audited as per the audit scope and objectives.

  • Identify the sources of data from the enterprise information system/application software. These could relate to general ledger, inventory, payroll, sundry debtors, or sundry creditors.

  • Identify the relevant personnel responsible for the data and information system. These personnel could be from the IT Department, vendors, managers, etc.

 

 

 


 

  • Obtain and review documents relating to the data/information system. This should provide information about the data types/data structures and data flow of the system.

  • Understand the software by having a walk-through right from user creation, grant of user access, configuration settings, data entry, query and reporting features.

  • Decide which CAAT techniques are relevant to the environment, using relevant CAAT software as required.

  • Prepare a detailed plan for analyzing the data. This includes all the above steps.

  • Perform relevant tests on audit data as required and prepare audit findings, which will be used for forming the audit report/opinion as required.
