
Master of Business Administration- MBA Semester 3

MF0013 – Internal Audit & Control - 4 Credits


(Book ID: B1038)
Assignment Set- 1

Q.1 Write the differences between Auditing and Accounting?

Ans:

Audits are performed to ascertain the validity and reliability of information; also to provide an
assessment of a system's internal control. The goal of an audit is to express an opinion on the person /
organization / system (etc.) in question, under evaluation based on work done on a test basis. Due to
practical constraints, an audit seeks to provide only reasonable assurance that the statements are free
from material error. Hence, statistical sampling is often adopted in audits. In the case of financial audits,
a set of financial statements is said to be true and fair when it is free of material misstatements,
a concept influenced by both quantitative (numerical) and qualitative factors. Auditing is a vital part
of accounting. Traditionally, audits were mainly associated with gaining information about financial
systems and the financial records of a company or a business (see financial audit). However, recent
auditing has begun to include non-financial subject areas, such as safety, security, information systems
performance, and environmental concerns. With nonprofit organizations and government agencies,
there has been an increasing need for performance audits, examining their success in satisfying
mission objectives. As a result, there are now audit professionals who specialize in security
audits, information systems audits, and environmental audits. In financial accounting, an audit is an
independent assessment of the fairness by which a company's financial statements are presented by
its management. It is performed by competent, independent and objective person(s) known as auditors
or accountants, who then issue an auditor's report based on the results of the audit.

Accounting is defined by the American Institute of Certified Public Accountants (AICPA) as "the art of
recording, classifying, and summarizing in a significant manner and in terms of money, transactions
and events which are, in part at least, of financial character, and interpreting the results thereof." Today,
accounting is called "the language of business" because it is the vehicle for reporting financial
information about a business entity to many different groups of people. Accounting that concentrates on
reporting to people inside the business entity is called management accounting and is used to provide
information to employees, managers, owner-managers and auditors.

In other words, accounting is the process of preparing the work, and auditing is the process of
evaluating and scrutinizing the work prepared. Accountants are in charge of the day-to-day
duties of maintaining the accounts and implementing the board's financial strategy, if any. At the end of
the period, the accountant produces the Financial Statement, a summary report of the financial
performance throughout the period. The auditor, by contrast, conducts a check on the accuracy of the
financial statements, to ensure that there is no material misstatement in the financial statements prepared.

Accounting is concerned with the preparing of financial statements while auditing is concerned with
checking of financial statements. The purpose of accounting is to show the performance and financial
position of a business. The purpose of auditing is to certify the true and fair view of financial
statements.
Accounting requires that an accountant must have accounting knowledge, while auditing work requires
that an auditor must have accounting as well as auditing knowledge. Accounting is concerned with
current data. It is constructive in nature. Auditing is concerned with past data. It is analytical in nature.
The time period of accounting is usually one year. It takes one year to complete the record. The time period
of auditing is usually less than one year. It may be completed within one month.
The accountant is a permanent employee of the business. The auditor is an independent person. The
work of an accountant starts when the work of the bookkeeper ends. The work of an auditor starts
when the work of the accountant ends. An accountant may not be a chartered accountant as per law. An
auditor must be a chartered accountant for public companies. The accountant has no liability for
preparing final accounts. The auditor has liability after presenting the audit report.

Accounting is done on a day-to-day basis in business. It is the recording of transactions, the accounting
for depreciation, debt, revenue, etc., that are all a part of reporting the company's financial activities.

An audit is a thorough review of the records that have been generated by the day-to-day accounting.
An audit can be performed by a company's own staff (an internal audit) or by an outside firm (an
external audit.) External audits can be extremely time-consuming and harrowing for the internal staff.
The auditors are looking for any discrepancies, poor business practices, non-compliance with state and
federal law (in the U.S.), tax reporting deficiencies, and evidence of fraud or collusion, among other
things. In the U.S., a publicly-held company must undergo an external audit at least once a year and
must produce detailed financial reports that are submitted to the government and published as a matter
of public record.

Q.2 Write the factors to be considered while drawing up the audit Programme an auditor should
give attention?

Ans: These factors are:

Quality in planning: planning refers to the detailed audit plans and subsequent audit programmes. No reference
is being made to the macro level of planning that an SAI may carry out.

The preparation of an audit plan should take into account risk and materiality based on an
understanding of the audited entity and its business. The plan should set out how and when the audit
will be conducted and how sufficient and appropriate evidence is to be obtained in order to enable
conclusions to be drawn and to support the audit opinion.

Requisites and measures to ensure quality control

The audit plan is divided into a number of detailed tasks, which are assigned to individual team
members. To ensure quality control during the planning process, measures could include direction,
supervision and review procedures to ensure that the audit task referred to above is adequately carried
out.

Possible Checklist:

o Ensuring that planning is carried out in accordance with auditing policies, standards, manuals,
guidelines and practices.
o Obtaining relevant information regarding laws and regulations that might have a significant
impact on the audit objectives;
o Preliminary investigative audit (an audit that aims at conducting an initial study of specific issues
to help prepare an audit task plan);
o Determining objectives and scope of audit;
o Identification of sources (e.g. media, findings of audited entity’s internal audit, inspection and
other control bodies) as background for audits;
o Determining list of activities for audit;
o Highlighting of special problems foreseen when planning the audit;
o Ensuring that members of audit team have a clear and consistent understanding of the audit
plan;
o Follow-up is made of issues in previous related audit;
o Understanding the finance, accounting and other relevant functions of the organisation;
o Identification of key elements of internal control system of auditee;
o Using appropriate analytical procedures;
o Identification and analysis of relevant ratios and comparative figures;
o Identification of trends or deviations from predicted amounts;
o Identification of sampling method and sampling population;
o Choice of relevant performance indicators;
o Assessment of inherent and control risks;
o Establishment of materiality criteria and thresholds;
o Establishment of degree of confidence decided for audit;
o Choice of appropriate experts/consultants;
o Preparation of budget and schedule for audit;
o Assessment of reasonable resources necessary to undertake audit;
o Assessment of staff requirements and team allocated for audit;
o Investigation and settlement of queries raised during review stage;
o Drawing up, approval, review of audit programme by Head of Division;
o Checklists used in the process of (a) drawing up, (b) issuing an opinion about, (c) approving an
audit task plan;
o Other procedures and practices used in the planning phase of an audit;
o Practices to continuously enhance quality control procedures in the planning phase of audit.

Quality in Execution

The field work has to be performed in accordance with the approved audit plans and should result in
sufficient appropriate evidence being obtained to determine with reasonable confidence whether or not
financial statements are free from material misstatements and irregularity or that facts relating to
VFM/performance audits are scientifically and/or fairly arrived at.

The following methodologies and practices are used in the execution of audits: (European
Implementing Guidelines for the INTOSAI Auditing Standards)

i. Sources, Methods and Nature of the reliability and evaluation of audit evidence include

Sources:

Generated by auditor directly
Obtained by third party
Obtained from auditee

Methods:

Inspection
Observation
Inquiry and Confirmation
Computation
Analysis of financial systems

Nature:

Documentary, visual or oral (the reliability of oral evidence, in particular, depends upon the source)
ii. Audit approach includes

Objectives

Regularity (financial and compliance)
Performance or value for money (economic, effective, efficient)

Testing

Systems Based Approach (testing of internal controls)
Direct Substantive Testing

iii. Study and examination of internal controls and tests of control

iv. Information Systems

General Installation Controls

Planning, staffing, reporting and segregation of duties
Security awareness and policy of both hardware and software
Continuity and disaster recovery
Management of IT assets and use of external service providers

Application Audits

Organisation and Documentation
Input
Processing
Data Transmission
Standing Data
Output

v. Audit Sampling

vi. Analytical Procedures

Trend Analysis
Ratio Analysis

vii. Using the work of other auditors and experts

viii. Documentation:

This is particularly important for supervision, review and quality assurance. Working papers – current
and permanent files; confidentiality; retention procedures.

ix. Performance Audit Methodology

Data Gathering Techniques

File examination
Audit sampling
Secondary analysis/literature search
Surveys
Interviews
Focus Groups
Benchmarking

Techniques for Information Analysis

Programme Logic Model
Descriptive Statistics to understand data distribution
Regression analysis
Cost-benefit analysis
Cost-effectiveness
Meta evaluation

Requisites and measures to ensure quality control in execution/field work

The field work, which would have been appropriately planned during the planning stage, should be
assigned to individual team members. To ensure quality control during the execution/fieldwork process,
measures could include direction, supervision and review procedures to ensure that team members
understand their assigned tasks and that the chosen audit methodologies are adequately carried out.

Possible checklist

o Execution of audit is carried out in accordance with auditing policies, standards, manuals,
guidelines and practices of SAI;
o Audit examiners have a sound understanding of techniques and procedures such as inspection,
observation, enquiry, etc. to collect audit evidence;
o All phases of audit have been carried out as planned and approved;
o Valid explanations are available for non-implementation of any phases of audit;
o Appropriate approval exists for significant deviations that have taken place from approved audit;
o Staff resources used for audit are largely in line with those planned in terms of time, grade of
staff and expenses entailed;
o Justification for material deviations for budgeted staff resources;
o Appropriate audit techniques and audit procedures used to fulfil each audit objective in order to
provide for effective audit evidence;
o Use of Computer Assisted Aids, Techniques and Tools (CAATTs);
o All envisaged tests for evaluation and reliability of internal controls are used;
o Appropriate analytical procedures are used and the reliability, independence and quality of
relevant supporting data is assessed;
o Sampling methods are used according to SAI’s manuals;
o All tests of transactions clearly indicate audit objectives, adequately explain nature and extent of
audit work and provide an overall conclusion as to results of audit work;
o Audit steps and procedures have been designed to obtain sufficient, competent and relevant
evidence;
o Full investigation is made of all queries during audit;
o Existence of adequate working papers in respect of:
   - Evaluation of internal controls systems;
   - Audit of routine procedures;
   - Tests of controls;
   - Analytical review;
   - Substantive tests;
   - Audit of computer-based applications.
o Working papers are appropriately cross-referenced;
o Audit completion checklists are comprehensive and have been completed, approved and duly
evidenced;
o Work of consultants and other experts has been properly monitored;
o Other procedures and practices used in the execution phase of an audit; and
o Practices to continuously enhance procedures in the execution phase of audit.

Quality in Reporting

Typical methodologies for carrying out audit tasks

Reports both for regularity and VFM audits should be in standard format. In terms of European
Implementation Guidelines (Annexe 1 of No. 31), the auditor must have specific regard to the following
aspects of the report:

o Title
o Signature and date
o Objectives and scope
o Completeness
o Addressee
o Identification of subject matters
o Legal basis
o Compliance with standards
o Timeliness

Audit Reports on specific financial statements contain an Unqualified Opinion (Clean Report), if no
material shortcomings are detected and the Financial Statements “Properly Represent” (for Accounts
on Cash-Based System) or “True and Fair View” (for Accounts on Accrual Based System). If an
unusual or important matter (“Emphasis of Matter”) needs to be included in the Audit Report to enable
the reader to correctly understand the Financial Statements, this should be contained in a separate
paragraph from the Audit Opinion in order not to give the impression that the Audit Report is not
qualified.

Q.3 Write the Guidelines for internal check for Big Departmental stores?
Q.4 Distinguish between internal control, internal check and internal Audit?

‘Control’

Control is the process by which organisations ensure that actions taken are:

o in accordance with legal requirements and the financial regulations;
o in accordance with the budget and that funds are available; and that,
o appropriate approval processes exist;
o effectively and efficiently; and that, the financial reporting of activity is reliable.

Control also is designed to ensure that actions are consistent with the ethical behaviour expected of
civil servants.

To satisfy this control process management have a duty to ensure that:

o areas of responsibility are clearly defined;
o the organisational structure is appropriate to the requirements of the service or activity (and
that means that the structure of the organisation is changed as needs change);
o personnel have and maintain a level of integrity and competence to perform their duties;
o any instructions are written and formal rather than unwritten and informal;
o there are clear and appropriate lines of reporting;
o appropriate disciplinary arrangements exist and are implemented.

The ‘internal control’ process is therefore by definition ‘ex ante’. The element of the control process
that relates to the verification and certification of transactions should cover all transactions (i.e. it is
transaction based) and should require that all appropriate approvals are obtained before any
payments are made (and/or orders placed or commitments made).

Approval of transactions is only one element of the ‘control’ process and that element cannot be
deemed to be effective unless all the other elements of the control process exist. Therefore to
focus ‘control’ on ensuring that transactions are properly approved is to fail to recognise that
transaction approval is one of the last elements in a whole process of control, not the principal
substance of the control process.

INTERNAL CHECK

The internal check and cross check of transactions of receipt and payment of money and stores should
be built into the system and should take place spontaneously and smoothly. The main objective of
internal check is to ensure that the funds and property of the Corporation are kept under proper custody
and may not be improperly applied either by error or by intent, and that expenditure is incurred only
after authorisation and is properly accounted for.

To achieve the objectives of the internal check, a sound accounting system should be in place
in the organisation, in which the functions and powers of each member of the accounts personnel are clearly
defined and the work of one person is checked by another independent person or his superior, so that
errors and fraud are prevented or detected early and remedial action may be taken.

The Accounting System and Procedures contained in this Manual, if followed in letter and intent, take
due care of internal check requirements regarding financial transactions which take place in the
Corporation.

In addition to the Accounting System contained in this Manual, a system of 100 per cent pre-check of
all claims may be introduced in the Corporation as a measure of internal check to avoid audit
observations and recovery in post audit. A detailed procedure of pre-check system may be prepared
after decision of the management in this regard.

‘internal audit’

Internal audit is the process by which line management satisfies itself that:

o the ‘control’ processes are appropriate and working properly (effective);
o the objective of value for money is being achieved;
o the management information and control systems are not corrupted and operate
efficiently.

Internal audit is not responsible for implementing specific internal control procedures; that is
the responsibility of the management.

The internal auditor’s role is to assess the operational effectiveness of the control processes and to
ensure that they are appropriate to the objectives of the organisation. To avoid being compromised
the internal auditor should remain independent from the day-to-day administration of the
organisation and therefore should report directly to the senior management of the organisation.

Internal audit, because it is designed to review operational effectiveness, should be systems based
rather than transaction based. It should use sampling techniques to assess the quality of the
control procedures and would be directed by the application of risk management techniques, i.e. it
would focus its resources on the areas of greatest risk to the organisation.

An important starting point is risk. Internal audit should review all the internal control processes
which mitigate all the most significant risks the organisation faces. These will include reputational
(e.g. bad press) and financial risks.

A key issue for internal audit to address is that of ‘materiality’, that is, is the issue of significance to
the organisation? There is no standard quantitative definition of materiality but it is incumbent on the
auditor to understand the concept of materiality and its application to the organisation to which the
audit applies. The United Kingdom statement of auditing standards (SAS 220) addressed to
external auditors defined materiality in the following way:

‘Auditors should consider materiality and its relationship with audit risk when conducting an audit:
‘Materiality is an expression of the relative significance or importance of a particular matter in
the context of financial statements as a whole –(and also for the public sector an event can be
material if it is newsworthy). A matter is material if its omission would reasonably influence the
decisions of an addressee of the auditors’ report; likewise a misstatement is material if it would
have a similar influence. Materiality may also be considered in the context of any individual
primary statement within the financial statements or of individual items included in them.
Materiality is not capable of general mathematical definition as it has both qualitative and
quantitative aspects.’

The United Kingdom Treasury has defined internal audit as ‘an independent and objective appraisal
service within an organisation. ‘Internal audit primarily provides an independent and objective
opinion to the Accounting Officer (in the United Kingdom usually the most senior civil servant in a
Ministry) on risk management, control and governance, by measuring and evaluating their
effectiveness in achieving the organisation's agreed objectives. In addition, internal audit's findings
and recommendations are beneficial to line management in the audited areas. Risk management,
control and governance comprise the policies, procedures and operations established to ensure the
achievement of objectives, the appropriate assessment of risk, the reliability of internal and external
reporting and accountability processes, compliance with applicable laws and regulations, and
compliance with the behavioural and ethical standards set for the organisation.

Q.5 Write the essential requirement of Computer Assisted Auditing Techniques (CAAT)?

Ans: Computer Assisted Auditing Techniques

Your company has been selected for audit by the Massachusetts Department of Revenue. Our goal is
to determine the proper tax due and propose any adjustments to the tax reported, with minimal time
and expense to your company and the Department of Revenue. Computer Assisted Audit Techniques
(CAATS) is an important tool in attaining that goal. The Department of Revenue has invested in
software that allows us to accept electronic records from virtually any bookkeeping or financial
accounting system. If you submit your records electronically we can quickly select a statistically
valid sample of transactions on which to base our audit. We do this work from our office, saving your
staff time and inconvenience. Integrating CAATS into the audit process is part of our commitment to
streamline the audit process. Our goal is to complete an efficient, understandable and accurate audit.
We will provide an audit trail consistent with Generally Accepted Accounting Principles. Our CAATS
program is based on a tested and sound database application and informed judgment.

What is a Computer Assisted Audit?

Audit functions formerly performed manually are now performed using standard financial accounting
software, modified as necessary for a particular system. Generally, much of the same information is
requested and analyzed as in a traditional audit. Once verified using computer techniques, data is
retained so it can be used in other areas of the audit including error identification and segregation of
transactions within accounts. Customized reports are generated by computer and a standard audit trail
is maintained.

What advantages does the use of CAATS have over a traditional audit?

Most importantly, it saves time for you and DOR with no loss of quality or accuracy. Secondly, by
analyzing data and generating specific reports using a standard program, data analysis is focused and
allows for any future adjustment to be made with minimal effort. Thirdly, preliminary data can often be
analyzed early in the audit process and a more efficient audit plan can be devised earlier.

Specific Areas in which CAATS Is Useful:


Computer Assisted Sampling. This permits the use of random statistical sampling, which tends to be
more accurate and saves time in those instances in which it is appropriate (see FAQ section for
details).
File Management. Files are combined, compared, managed, segregated and ordered automatically
using generally accepted computerized file management. Adjustments or other changes to data and
reports are easily accomplished. The DOR auditor will review your accounts in order to request specific
information from your records essential to the audit.

Report Generation. Once data integrity is verified, the auditor can produce various reliable reports
from the overall data population.

Computer Audit Questionnaire

Enclosed is a Computer Audit Questionnaire. Please complete and return this form prior to the
commencement of your audit. The questionnaire provides DOR with information about your company’s
computer system, recordkeeping, methods of data retrieval and additional information about your
accounting practices. This form is mandatory and will become part of your audit file. Consistent with
DOR policy, the completed form is confidential. This questionnaire assists your auditor in identifying
and requesting records essential to completing your audit expeditiously. DOR will assist you throughout
your audit as you provide us with data in a usable format, and will explain reports, analysis of data and
sampling in detail.

Q.6 Write the Audit programme in an EDP environment?

AUDIT PROCEDURES IN EDP / CIS ENVIRONMENT


(a) Traditional approach to audit of computer-processed information.

While examining information processed on computers, the auditor may adopt a traditional
approach, assuming that the processing of information has been under the manual system, and not
through computers. The only difference he notices is that the object of his audit examination is
computer printouts, and not the hand-written books of account. The result is that he does not suitably
modify his audit program, and carries on work as before. However, this approach has certain inherent
flaws. First, it does not involve evaluation of the internal control system relating to computers, which may
result in more errors and fraud than under the manual system. Secondly, the auditor may devote an unduly
long time to certain audit procedures, such as checking and posting of transactions, which he can avoid
if an effective internal control is in place. Thirdly, it ignores the cost and risk benefits that would be
available to the auditor if he adopted techniques suitable to auditing through computers.

(b) Auditing in EDP environment.

In this case, the auditor should evaluate the internal control relating to electronic data processing
and other controls, and accordingly make extensive use of computer(s) to determine the nature, timing
and extent of compliance or substantive audit procedures. However, this requires him to have
adequate knowledge of computer systems to plan, direct, supervise and review the work performed by
others. For this, he may himself acquire the necessary specialized skills, or hire persons suited for the
job.

HOW AUDITORS SHOULD APPROACH AUDITING IN EDP ENVIRONMENT

The electronic data processing environment is an area that requires special techniques of approach, as it
is apparently risky and the auditor needs more technological skill before the real audit is performed.
However, the professional guides issued by the International Auditing Standards have disclosed several
methods that have to be followed by auditors when auditing in specialized areas, and this does not
exclude auditing in an electronic data processing environment. In actual fact the auditor should
approach auditing in an electronic data processing environment as follows:

(a) Evaluate reliability of accounting and internal control system.

The auditor should ascertain how far the accounting and internal control system of the business is
reliable. To this end, he should check the following:

(i) Are there restrictions on access to electronic data processing?

The restriction should be in respect of access to hardware, program and data files. The computer room
should be under the custody of a responsible official. He alone should handle program and data files.
Further, he should make these available only to the persons authorized for the purpose, and keep a
record of issue of program and data files. Another restriction can be by way of giving a password (a secret
code) to authorized computer users. Yet another restriction can be through giving different rights to
different users; for example, some can only read data files, others may both read and alter data files,
yet others may even alter program files.

The auditor should also see whether there are adequate methods of hardware control. For example,
almost every computer, once started, itself checks the proper functioning of its various components and
devices. If they are not functioning properly, it shows a message on the computer screen. If the computer
system has a parity check, it will show whether, due to causes such as dirt or humidity level, there is
improper functioning in the transfer of data between the input-output devices. Such a flaw may cause loss
or corruption of data, which the computer system itself will rectify by retrying the transfer. A computer
system having a check by way of double reading of data, i.e. of the data on a hard disc and that written to
storage media, will show errors in the process.

(ii) Is there provision for timely detection and correction of errors?

Errors may arise during the feeding of data, processing, or due to any fault in the computer system.
Here, the auditor should ensure that transactions processed by the computer have due authority, their
recording in the computer data files is accurate, there is no loss, addition, duplication or improper
change in them, and there is correction and resubmission of incorrect transactions. He should also see
that there is correct use of master files, transaction files and program files. The Auditor should review
the error – correction procedure, as it will show proper functioning of the internal control system.
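
The check described under (ii) can be run as a computer-assisted test. The following Python sketch is an added illustration, not part of the original assignment answer: it reconciles an authorised input batch against the processed data file to flag loss, addition, duplication, improper change and missing authority. The field names (`id`, `account`, `amount`, `approved_by`) and all sample records are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: the authorised input batch (source documents).
SOURCE_BATCH = [
    {"id": "T1001", "account": "4010", "amount": "250.00", "approved_by": "supervisor1"},
    {"id": "T1002", "account": "4010", "amount": "1200.50", "approved_by": "supervisor2"},
    {"id": "T1003", "account": "5020", "amount": "75.25", "approved_by": "supervisor1"},
    {"id": "T1004", "account": "5020", "amount": "310.00", "approved_by": "supervisor2"},
]

# Constructed sample data: what the computer data file holds after processing.
PROCESSED_FILE = [
    # Same value, different formatting: must not be reported as a change.
    {"id": "T1001", "account": "4010", "amount": "250.0", "approved_by": "supervisor1"},
    # Amount altered between input and recording.
    {"id": "T1002", "account": "4010", "amount": "2100.50", "approved_by": "supervisor2"},
    # Posted twice.
    {"id": "T1003", "account": "5020", "amount": "75.25", "approved_by": "supervisor1"},
    {"id": "T1003", "account": "5020", "amount": "75.25", "approved_by": "supervisor1"},
    # T1004 never reached the file; T1999 has no source document or valid approver.
    {"id": "T1999", "account": "5020", "amount": "500.00", "approved_by": "clerk7"},
]

AUTHORISED_APPROVERS = {"supervisor1", "supervisor2"}


def control_totals(records):
    """Batch control totals: record count and sum of amounts."""
    return len(records), sum(Decimal(r["amount"]) for r in records)


def reconcile(source, processed, approvers):
    """Compare the processed file with the source batch, record by record.

    Control totals only show that something is wrong (and offsetting errors
    can cancel out); the per-record comparison shows which transactions to
    send through the error-correction and resubmission procedure.
    """
    src_by_id = {r["id"]: r for r in source}
    occurrences = Counter(r["id"] for r in processed)
    found = {k: set() for k in
             ("lost", "added", "duplicated", "changed", "unauthorised")}

    for rec in processed:
        rid = rec["id"]
        src = src_by_id.get(rid)
        if occurrences[rid] > 1:
            found["duplicated"].add(rid)
        if src is None:
            # Present in the file but never submitted in the batch.
            found["added"].add(rid)
        elif (src["account"], Decimal(src["amount"])) != (
                rec["account"], Decimal(rec["amount"])):
            # Compare amounts numerically so formatting is not a finding.
            found["changed"].add(rid)
        if rec.get("approved_by") not in approvers:
            found["unauthorised"].add(rid)

    # Submitted in the batch but absent from the processed file.
    found["lost"] = set(src_by_id) - set(occurrences)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    print("source totals   :", control_totals(SOURCE_BATCH))
    print("processed totals:", control_totals(PROCESSED_FILE))
    for kind, ids in reconcile(SOURCE_BATCH, PROCESSED_FILE,
                               AUTHORISED_APPROVERS).items():
        print(f"{kind:13}: {ids}")
```
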

(iii) Is there an arrangement for resumption of the system, if interrupted?

Where an electronic data processing system is interrupted by power failure or any mechanical fault, there
should be a proper arrangement for resuming the system without losing the entries or records.

(iv) Is electronic data processing – generated output accurate and complete?

Accuracy and completeness of output will depend on the accuracy and completeness of the data fed
into the computer and its processing. This calls for proper input and controls. Recalculation of figures
and comparing the output with manual records are other methods for the purpose. The auditor should
see that there is restriction on access to processing of data such that accurate and complete output is
produced, and that only authorized persons get it on time.

(v) Is there adequate security provision for the stored data?

Because of wrong processing or due to natural or man-made reasons, there may be loss or destruction
of stored data. The auditor should see that there are proper safety arrangements to secure the stored
data in any such eventuality. While doing so, the auditor should also see whether there are proper
backup and recovery procedures. These procedures involve keeping copies of programs and data at a
place other than the place of location of the computer. Most application programs have an in-built
system of maintaining two versions of a computer file, the current one and the preceding one. The current
version will contain alterations made during the latest processing, and the preceding one the
pre-alteration version. Some computer systems even have three files: the current one, the
preceding version, and the version preceding the preceding version.

(vi) Is the source code of application software in safe custody?

The auditor should ensure that the source code of application software is in the safe custody of a
responsible official. He should only allow access to it by duly authorized person(s), and keep a
record of the persons gaining access to it.

( b ) Assess "inherent and control" risks.

The auditor should assess inherent and control risk for material financial misstatement.
Risk Assessment and internal Control.

Risk in an electronic data processing environment may arise from the following:

1. There may not be adequate procedures to control program or system change.
2. Hardware or software malfunctioning may remain undetected.
3. During transmission, there may be loss or corruption of data.
4. Computer facilities, files and programs may be open to unauthorized access.
5. Users may not participate fully in reviewing output to ensure its reasonableness and in maintaining
responsibility for authorization.

( c ) Effect of inherent and control risk.

Inherent and control risk in electronic data processing environment may have either all round effect on
all accounts, or account specific effect.

( I ) Risk having all round-effect on all accounts:

It may arise from deficiencies in program development, system software support, physical electronic
data processing security, and control over access to special privilege utility programs. These
deficiencies will affect all application systems processed in computer and result in material
misstatement in financial statements.

( ii ) Account specific risk:

Account-specific risks may result in fraud and errors, as in the following summarized real cases that
resulted from inherent and control risks:

a) The Trolley Dodgers case- Control deficiencies in payroll transaction cycle allowed an accounting
manager to embezzle several hundred thousand dollars.

b) Goodner Brothers, Inc – An employee of this tire wholesaler found himself in serious financial
trouble. To remedy this problem, the employee took advantage of his employer's weak internal controls
by stealing a large amount of inventory which he then sold to other parties.

c) Troberg stores - An important but commonly overlooked internal control objective is ensuring
‘compliance with applicable laws and regulations’. The management of this company violated the
provisions of a national statute, imposing a heavy monetary cost on the company in the process.

AUDIT TECHNIQUES

( a ) Audit objectives remain the same whether processing of data is manual or computerized.

While designing audit procedures in electronic data processing environment, the auditor should keep in
mind two things:

1) Ensure that compliance and substantive procedures are adequate and that transmitted data are
correct and complete.
2) Apply professional skepticism through cross-verification of records, reconciliation between primary
and subsidiary ledgers, and questioning and critical assessment of audit evidence. The procedures
adopted for the purpose may be manual, by way of computer-assisted audit techniques, or a
combination of both.

Auditing "around" or "through" computers

In an electronic data processing environment, an auditor may carry out compliance procedures and
substantive tests of transactions with the help of computers, or without it. If he conducts the audit in a
traditional manner by examining the data and information generated by computer system of the client it
will be auditing around the computer. In this case, the auditor only relies on the data and information
printouts given to him by the client.

On the other hand, if the auditor himself uses computer system to carry out compliance and substantive
test procedures, it will be auditing through the computer. However, this will require the auditor and / or
his staff to possess adequate knowledge of electronic data processing.

(b) Computer-assisted audit techniques.

These may be as follows:

1. Test data:

They represent a set of test data prepared by the auditor himself, or by using any such data
prepared by the internal auditor of the client. Test data comprise transactions of all kinds prepared
specifically to test a program or a set of programs of the client. To evaluate the effectiveness of the
client's program (s), the auditor may run his test data on the client's computer using the programs of the
client himself.

Use of test data serves as an assurance about the correct functioning of tested programs. However, its
limitation is that preparation of the test data requires care and expertise on the part of auditor. For
example, it will involve selection of the type of master files or records (ledger like records where there is
continuous updating through transaction records), e.g. processing of a test transaction showing receipt
of payment from a debtor will reflect in the file that contains records of sundry debtors. Moreover, the
test data should cover all types and variations, whether they are actual data used by the client, or
certain modifications, to ascertain that the client's program includes necessary controls.

For control purposes, the auditor should maintain proper working papers regarding the use of test data.
Working papers should show the programs put to test, and the results-both expected and actual. He
should also ensure that the programs tested are those actually used by the client, and that actual
records remain unaffected by the tests used by him.
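The test data technique described above can be sketched as follows. This is an added illustration, not part of the original answer: `post_receipt` is a hypothetical stand-in for a client program, and the master file and test deck are constructed sample data.

```python
import copy
from decimal import Decimal

# Constructed sundry debtors master file (account -> balance owed).
LIVE_MASTER = {"D001": Decimal("500.00"), "D002": Decimal("120.00")}

# Hypothetical stand-in for the client's receipts-posting program. It deliberately
# omits the over-payment check so the test deck has a control gap to expose.
def post_receipt(debtors, txn):
    """Post a receipt against a debtor balance; return (accepted, reason)."""
    acct, amount = txn["account"], Decimal(txn["amount"])
    if acct not in debtors:
        return False, "unknown account"
    if amount <= 0:
        return False, "non-positive amount"
    debtors[acct] -= amount
    return True, "posted"

# Constructed auditor test deck: one valid receipt plus variations that the
# program's input controls are expected to reject.
TEST_DECK = [
    {"id": "T1", "account": "D001", "amount": "200.00", "expect": (True, "posted")},
    {"id": "T2", "account": "D999", "amount": "50.00", "expect": (False, "unknown account")},
    {"id": "T3", "account": "D002", "amount": "-10.00", "expect": (False, "non-positive amount")},
    {"id": "T4", "account": "D002", "amount": "120.01", "expect": (False, "exceeds balance")},
]

def run_test_deck(program, master, deck):
    """Run each test on a copy of the master file and return working-paper rows."""
    papers = []
    for txn in deck:
        work = copy.deepcopy(master)  # actual records must remain unaffected
        actual = program(work, txn)
        papers.append({"test": txn["id"], "expected": txn["expect"],
                       "actual": actual, "pass": actual == txn["expect"]})
    return papers

if __name__ == "__main__":
    papers = run_test_deck(post_receipt, LIVE_MASTER, TEST_DECK)
    for row in papers:
        print(row)
    print("exceptions for follow-up:", [r["test"] for r in papers if not r["pass"]])
```

The rows returned by `run_test_deck` are the working papers the text asks for: the test run, the expected result and the actual result, with mismatches listed as exceptions.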

2. Modified test data facility

It is a simulated form of a test data technique. Under it, the auditor creates artificial transactions,
processes them along with normal processing of actual transactions of the enterprise, and compares
the results of the two. This will expose whether the processing done by the enterprise is correct.
However, employees operating the electronic data processing system in the enterprise should know
nothing about this exercise.

3. Audit software

The auditor may use audit software specially developed for a particular audit or, more often,
generalized audit software (GAS). An audit program designed for a particular audit will serve the
needs of testing the audit programs of the client. On the other hand, generalized audit software will
perform certain common data processing functions, like checking calculations, examining the
correctness of records, comparing client records with the data obtained through other procedures,
summarizing or rearranging data, selecting samples, etc.

Documentation

As evidence of proper planning and organization of his examination, the auditor should document the
following:

1. His audit plan;
2. Nature, timing and extent of audit procedures performed by him;
3. Conclusion drawn from the evidence obtained; and
4. Safe storage of the evidence in electronic form.

Audit planning

Planning the audit for a client with an electronic data processing environment is not expected to be
the same as planning the audit for a client with manual data processing. The auditor is required to
measure the usefulness and existence of reliable controls in the system before he or she starts
auditing. In an electronic data processing environment, an IT environment checklist will have to be
used together with interrogating the client's main IT executives.

Important issues to be assessed regarding the whole of information technology field which comprises
data processing systems are listed and elaborated in the schedule below:

1. Procedure: Find out the process to register new users to the system.

Inherent risk: Illegal access to components.

2. Procedure: Examine the reliability of the procedures followed when a previous user is required to
leave or stop using the machine.

Inherent risk: Previous users still have access to the system.

3. Procedure: Find out whether access to the computer room is free to any person.

Inherent risk: Unauthorized personnel and visitors may enter the computer room for malicious motives.

4. Procedure: Investigate whether there is any rotation of staff (segregation of duties) in system
operations.

Inherent risk: There may be fraud attempts by staff who are not rotated.

5. Procedure: Using the organizational chart, verify the existence of job descriptions for IT positions
in the entity.

Inherent risk: Staff may be performing other people's duties involuntarily.

6. Procedure: Find out whether internet downloading and other uses of the internet are restricted to
safeguard the entity's information.

Inherent risk: Virus penetration into the system is simple due to uncontrolled internet activities.

7. Procedure: Investigate to be sure that anti-virus programs are in use and that there is safe storage
of backups, which are frequently tested to identify irrelevant backups.

Inherent risk: Restoration of data is not possible when misfortunes occur.
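Procedures 1 and 2 of the schedule can be tested by reconciling a personnel extract against the system's user accounts, one of the record comparisons generalized audit software performs. The sketch below is an added example, not part of the original answer; the two extracts, their column names and the approval reference field are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed personnel extract (assumed columns).
HR_CSV = """emp_id,name,status,last_day
E100,A. Rao,active,
E101,B. Singh,left,2024-03-31
E102,C. Mehta,left,2024-05-15
"""

# Constructed user-account extract (assumed columns).
ACCOUNTS_CSV = """user_id,emp_id,enabled,last_login,approved_by
arao,E100,yes,2024-06-10,IT-REQ-001
bsingh,E101,yes,2024-04-20,IT-REQ-002
cmehta,E102,no,2024-05-14,IT-REQ-003
temp01,,yes,2024-06-01,
"""

def review_access(hr_csv, accounts_csv):
    """Return (user_id, finding) pairs for checklist procedures 1 and 2."""
    hr = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        user, emp = acc["user_id"], hr.get(acc["emp_id"])
        # Procedure 1: every account should trace to a registered, approved user.
        if emp is None:
            findings.append((user, "no matching employee record"))
        if not acc["approved_by"]:
            findings.append((user, "no registration approval on file"))
        # Procedure 2: leavers should have no enabled account and no later logins.
        if emp and emp["status"] == "left":
            last_day = date.fromisoformat(emp["last_day"])
            if acc["enabled"] == "yes":
                findings.append((user, "account still enabled after leaving"))
            if acc["last_login"] and date.fromisoformat(acc["last_login"]) > last_day:
                findings.append((user, "login after last working day"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(HR_CSV, ACCOUNTS_CSV):
        print(f"{user}: {finding}")
```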

Nature, timing and extent of audit procedures

Auditors customarily design and time their audit procedures to suit the audit they need to execute.
This is important because the audit evidence obtained needs to be relevant to the audit report issued.
That relevance is verified by reviewing the documentation of the nature, timing and extent of the
procedures employed in the audit, in a process called quality review.

Conclusions drawn from the evidence obtained

Conclusions drawn by the Auditor are the final output of the audit which when presented in a formal
and standardized manner is called an audit report. Conclusions such as these need to be documented
systematically and in a way that another auditor who has not participated in the audit should be able to
use them in reporting without the need of more elaboration from the auditor involved in the audit.

Safe storage of the evidence in electronic form

After completing the audit and collecting relevant and sufficient audit evidence, the auditor is advised
to keep the evidence in safe storage, which is expected to be in electronic form. It may be kept on
disc storage devices that are not easily affected by viruses and not easily altered.
