Transcript ACCT 4240- Auditing

Chapter 3 with added info
Auditing
Data Management Systems
Challenges of Sophisticated Computer
Systems
• electronic method of sending
documents between companies
• no “paper trail” for the auditor to follow
• increased emphasis on front-end controls
• security becomes key element in
controlling system
Objectives of General Controls
1.
2.
3.
4.
Responsibility for control
Information system meets needs of entity
Efficient implementation of information systems
Efficient and effective maintenance of
information systems
5. Effective and efficient development and
acquisition of information systems
6. Present and future requirements of users can be
met
7. Efficient and effective use of resources within
information systems processing
Objectives of General Controls
8. Complete, accurate and timely processing of
authorized information systems
9. Appropriate segregation of incompatible
functions
10. All access to information and information
systems is authorized
11. Hardware facilities are physically protected from
unauthorized access, loss or damage
12. Recovery and resumption of information
systems processing
13. Maintenance and recovery of critical user
activities
Input Controls
• input data should be authorized & approved
• the system should edit the input data &
prevent errors
• Examples include: validity checks, field
checks, reasonableness check, record counts
etc.
Processing Controls
assure that
data entered into
the system are
processed, processed
only once, and
processed accurately
Processing Controls
Examples
control, batch, or proof total - a total of a
numerical field for all the records of a batch
that normally would be added (example:
wages expense)
logic test - ensures against illogical combina
tions of information (example: a salaried employee does not report hours worked)
Output Controls
assure that
data generated by
the system are valid,
accurate, complete,
and distributed to
authorized persons in
appropriate quantities
Objectives of Application Controls
1. Design application controls with regard to:
- segregation of incompatible functions
- security
- development
- processing of information systems
2. Information provided by the systems is:
- complete
- accurate
- authorized
3. Existence of adequate management trails
There are two general approaches to
auditing EDP systems:
1. Auditing “around” the computer
involves extensive testing of the
inputs and outputs of the EDP
system and little or no testing of
processing or computer hardware.
This approach involves no tests of the
computer programs and no auditor use
of the computer.
There are two general approaches to
auditing EDP systems:
1. Auditing “around” the computer
depends on a visible, traceable, hard
copy audit trail made of manually
prepared and computer-prepared
documents.
There are two general approaches to
auditing EDP systems:
2. Auditing with use of the computer
involves extensive testing of
computer hardware and software.
Techniques for auditing
with use of the computer
1. Test data involves auditor preparation of a
series of fictitious transactions; many of
those transactions will contain intentional
errors. The auditor examines the results
and determines whether the errors were
detected by the client’s
system.
What are the shortcomings of the use of
test data?
- possibility of accidental integration of
fictitious and actual data
- preparation of test data that examines
all aspects of the application is difficult
- the auditor must make sure that the
program being tested is the one
actually used in routine processing
techniques for auditing
with use of the computer
• 2. Parallel simulation
-the auditor writes a computer program that
replicates part of the client’s system
-the auditor’s program is used to process
actual client data
- the results from the auditor’s program and
that of the client’s routine processing are
compared
Auditing Software
Generalized audit software involves
the use of auditor programs, client
data, and auditor hardware. The
primary advantage of GAS is that the
client data can be down-loaded into
the auditor’s system and manipulated
in a variety of ways.
Common Audit Software Functions
- verifying extensions and footings
- examining records
- comparing data on separate files
- summarizing or re-sequencing data and
performing analyses
- comparing data obtained through other
audit procedures with company records
- selecting audit samples
- printing confirmation requests
Differences with Computer Processing
• Audit trails are different than with manual
accounting systems
• Portions of audit trails may be temporary or
never exist
• Processing is more uniform
• Computer may initiate and complete
transactions
• Greater potential for fraud
Impact of Computers on Planning
• Extent to which computers are used
• Complexity of computer operations
• Organizational structure of computer
operations
• Availability of data
• Use of CAATs
• Need for specialized skills by auditor
Audit Alternatives
• Continuous (Electronic) Auditing
• Auditing Around the Computer
• Auditing Through the Computer
• Non-concurrent (after-the-fact) auditing
– Can be used for tests of transactions and balances
(substantive tests)
– Can be used to test the effectiveness of controls at
various times in the past
– Recent SAS pronouncements reduce applicability of
non-concurrent auditing
Audit Alternatives
• Concurrent auditing provides greater
information about the effectiveness of
controls
– Special audit test records can be used to
examine system effectiveness
– Embedded audit modules collect, process
and report audit evidence as it is processed
by the system
SAS No. 80
• In entities where significant information is
transmitted, processed, maintained, or accessed
electronically, the auditor may determine that it
is not practical or possible to reduce detection
risk to an acceptable level by performing only
substantive tests for one or more financial
statement assertions.
SAS No. 80
• Due to the short-term nature of electronic data,
the auditor should consider the time during
which information exists or is available in
determining the nature, timing and extent of his
tests
SAS No. 94
• “The Effect of Information Technology on the
Auditor’s Consideration of Internal Control in a
Financial Statement Audit”
• Amends SAS No. 55 – “Consideration of Internal
Control in a Financial Statement Audit”
• SAS No. 94 does NOT change the requirement
that the auditor obtain a sufficient understanding
of internal control to plan the audit
SAS No. 94
• SAS No. 94 acknowledges that IT use presents benefits
as well as risks to an entity’s internal control
• The auditor should expect to encounter IT systems and
electronic records rather than paper documents
• An entity’s IT use may be so significant that the quality
of the audit evidence available to the auditor will
depend on the controls that business maintains over its
accuracy and completeness
SAS No. 94
• As companies rely more and more on IT
systems and controls, auditors will need to
adopt new testing strategies to obtain evidence
that controls are effective
• An auditor might need specialized skills to
determine the effect of IT on the audit
• In some instances, the auditor may need the
skills of a specialist
Areas of Audit Focus
• Auditing computer programs
• Auditing computer processing
• Auditing computer files and databases
Auditing Computer Programs
• Non-processing of data
– Program logic flowchart verification
– Program code checking
– Examination of job accounting and control
information
– Review printouts
Non-concurrent Auditing
• The Black Box Approach (still allowed?)
– Must be able to locate copies of source
documents for transactions and the
accounting reports resulting from those
transactions
– Must be able to read the source documents
and reports without the aid of the client’s
computer
– Auditor must assess a low level of risk on
controls external to EDP
Black Box Approach
• Must trace transactions from the source
documents (cradle) to the accounting reports
(grave) and from the reports back to the
source documents
Computer
(Black Box)
Document
Document
with error
Document
Source Documents
Manual Verification
Document
Document
with error
Document
Output Reports
Need for Concurrent Auditing
• Disappearing paper-based audit trail
• Continuous monitoring required by advanced
systems
• Increasing difficulty of performing transaction
walkthroughs
• Presence of entropy (disorder) in systems
• Outsourced and distributed IS
• Increased interorganizational IS (EDI)
EDP Controls
Categories:
General
Application
Specific Types of
Controls:
• Organization and
Operation
• Systems Development
and Documentation
• Hardware and Systems
Software
• Access
• Data and Procedural
• Input
• Processing
• Output
Nature:
Pertain to EDP
environment and all
EDP activities
Pertain to specific
EDP tasks
Errors and Irregularities
Necessary Control Procedures
INPUT
Valid data are incorrectly converted to machine- Verification controls
sensible form.
Computer editing
Batch controls
Data control group monitoring
Properly converted input is lost, duplicated or
Transmittal controls
distorted during handling.
Control totals
Detected erroneous data are not corrected and Error logs
resubmitted for processing.
Data control group monitoring
PROCESSESSING
The wrong files are processed and updated.
External file labels
Processing errors are made on valid input data. Internal file labels
Control totals
Illogical or unreasonable input is processed.
Limit and reasonableness tests
OUTPUT
Output may be incorrect because of processing Output control totals
errors.
Output may be incorrect because file revisions Periodic comparisons of file data
are unauthorized or approved changes are not with source documents
made.
Data control group monitoring
Output is distributed to unauthorized users.
Report distribution control sheet
Tests of Controls Techniques
• Auditing Around the Computer—Manually
processing selected transactions and
comparing results to computer output
• Auditing Through the Computer—
Computer assisted techniques
– Test Decks—Processing dummy transactions and
records with errors and exceptions to see that
program controls are operating
Tests of Controls Techniques
– Controlled Programs—Processing real and test data
with a copy of the client’s program under the
auditors’ control
– Program Analysis Techniques—The examination of a
computer generated flowchart of the client’s
program to test the program’s logic
– Tagging and Tracing Transactions—Examination of
computer generated details of the steps in
processing “tagged” transactions
Tests of Controls Techniques
– Integrated Test Facility—A system that processes
test data simultaneously with real transactions to
allow the system to be constantly monitored
– Parallel Simulation—The use of an auditor-written
program to process client data and comparison of
its output to the output generated by the client’s
program
Client’s
Program
Auditors’
Test Data
Computer
Processing
Computer
Results
should
match
Auditors’
Predetermined
Results
System Concept of Parallel Simulation
Master
file
Transactions
“Live”
system
“Live”
file
Simulated
system
Comparison
Simulated
output
Exceptions
Source: W.C. Mair, “New Techniques in Computer Program Verification,” Tempo
(Touche Ross & Co., Winter 1971-72), p. 14.
Parallel Simulation
Input Transaction
File
Input Master
File
System
Application
Parallel
Simulation
Output
Master File
Generalized
Audit
Software
Discrepancies
Output
Master File
Types of Concurrent Auditing
• Testing real data
– Tracing transactions
– Snapshot/extended record (EAM)
– System Control Audit Review File (SCARF)
• Testing simulated data
– Test deck approach
– Integrated test facility (ITF)
Auditing Using Client’s ComputerTracing Real Data
• Provides direct confirmation that controls
functioned as prescribed
• Weaknesses of approach
– Actual transactions selected may not
trigger all of the controls- in fact,
finding actual transactions to test every
control may not be possible
– May be disruptive to client’s operation
Auditing using Client’s ComputerTracing Real Data
• Weaknesses, continued
– Difficult to verify that program tested is
program normally used
– Difficult to verify that procedures used
during test are procedures normally
employed
– Auditor needs to understand IT
operations
Auditing using Client’s ComputerUsing Simulated Data
• Strengths
– Auditor can reduce substantially the
number of records that have to be
processed (one record can test
several controls)
– Permits testing of every control
Auditing using Client’s ComputerUsing Simulated Data
• Weaknesses
– Only those conditions known to exist
can be tested
– Same program and procedures
questions as in processing real data
– Removal of simulated data from
client's records
Auditing using Client’s ComputerUsing Simulated Data
• Verify that no amounts, accounts, or
transaction types are omitted
• Verify pricing, extensions, and other valuation
procedures
• Verify account coding and classification
• Verify proper time period recording
• Test subsidiary records footing and
reconciliation to control account balances
Auditing using Client’s ComputerUsing Simulated Data
• Test data or test record approach
– Simulated data is controlled and
processed separately from real data
– Output is compared to auditorcalculated output
Auditing using Client’s ComputerUsing Simulated Data
• Integrated test facility (ITF)
– Simulated data is assigned a special
code to distinguish it from real data
– Simulated data is integrated with real
data and processed in normal course
of business
– Weakness - simulated data may be
processed differently than real data
Generalized Audit Software
• Off-the-shelf software that allows
examination of client data on auditor’s
computer
• Information systems vary widely between
clients
– Hardware and software environments
– Data structures
– Record formats
– Processing functions
Generalized Audit Software
• GAS developed specifically to accommodate a
wide variety of hardware and software
platforms
• Allows auditor to quickly modify audit approach
as audit objectives change
• Allows auditors relatively unskilled in computer
systems to audit effectively in an electronic
environment
Functional Capabilities of GAS
• File access
• File reorganization (sorting and merging)
• Filtering (Boolean operators: =, >=, <=, <>,
AND, OR, etc.)
• Statistical (sample selections)
• Arithmetic
• Stratification
• File creation
• Reporting
Available CAATs
• CA-Easytrieve (Computer Associates)
– Works in UNIX or LAN (primarily mainframes)
– Uses a background language similar to COBOL
• SAS
– Statistical analysis
– Data mining
• ACL
• IDEA
Electronic Workpapers
• Electronic working papers
–
–
–
–
Standardizes audit forms and formats
Improves quality and consistency
Coordinates efforts
Can centralize management efforts
Centralized Vs Distributed Systems
• Some activities should remain centralized
• DDP is more expensive but can add efficiencies
over straight client-server approach
• Data can be distributed in different ways
• May raise security issues
• Auditor must question how each site is secured
• DDP may be partitioned or replicated
• DDP requires concurrency control
End Ch 3