Relevant to Foundation level Paper FAU and ACCA Qualification Papers F8 and P7 (Int and UK) Show
The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect this situation. Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of computer-assisted audit techniques (CAATs). The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-based controls and computer-assisted techniques and the way they may feature in exam questions. Relevant auditing standards
Internal controls in a computer environment Application controls Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)). Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories: (i) Input controls The most common example of programmed controls over the accuracy and completeness of input are edit (data validation) checks when the software checks that data fields included on transactions by performing:
When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’. (ii) Processing controls (iii) Output controls (iv) Master files and standing data controls General controls
‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system. (i) Administrative controls
‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
Exam focus
Computer-assisted audit techniques (i) Audit software
The auditor needs to determine which of these functions they wish to use, and the selection criteria. Exam focus The following is an example of how this could be applied to the audit of wages:
(ii) Test data Examples of errors that might be included:
Data without errors will also be included to ensure ‘correct’ transactions are processed properly. Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have been used. (iii) Other techniques
The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often used in real time and database environments. Impact of computer-based systems on the audit approach (i) Planning (ii) Risk assessment The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the controls, whether they are manual or automated. Auditors often use internal control evaluation (ICE) questions to identify strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers both manual and automated controls. For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or performed manually, would also be relevant to this question. (iii) Testing This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use a mix of manual and computer-assisted audit tests. ‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer - based application controls are operating satisfactorily. Conclusion In small computer-based systems, ‘auditing round the computer’ may suffice if sufficient audit evidence can be obtained by testing input and output. Written by a member of the Paper F8 examining team Which of the following types of evidence would an auditor most likely examine to determine whether controls are operating as designed?To determine whether internal controls are operating as designed, an auditor would most likely collect client records documenting the use of EDP programs.
When an accounting application is processed by computer An auditor Cannot verify the reliable operation of programmed control procedures by?When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed controls by: manually re-performing, as of a point in time, the processing of input data and comparing the simulated results to the actual results.
Which of the following would most likely be an advantage in using classical variable sampling rather than probability proportional to size sampling?Therefore, classical variables sampling would have an advantage over PPS sampling because variables sampling does not require special design considerations for inclusion of zero and negative balances.
When auditors consider only non IT controls in assessing control risk it is known as?When the client uses a computer but the auditor chooses to use only the non-IT segment of internal control to assess control risk, it is referred to as auditing around the computer. Which one of the following conditions need not be present to audit around the computer?
|