
Lecture 8 and 9

Computerised Information System (CIS)

Learning outcomes
Describe the impact of IT on the audit process
Discuss the use of IT in audit management
Describe and illustrate the audit procedures in
an IT audit environment

Understand the impact of IT on the audit process

INTRODUCTION
An entity may use automated systems that share data and that are used to support all aspects of the entity's financial reporting, operations and compliance objectives. An entity with such information systems is likely to use automated procedures to initiate, record, process and report routine business transactions in electronic form.

IT environment
Use of IT enhances internal controls by adding new control procedures
Use of IT also increases risk
We will study the risks associated with an IT environment, identify controls that minimise such risks, and see how IT controls affect audit practice

Inadvertent reliance on IT-related controls

Auditors fail to test the accuracy and completeness of computer-generated information before placing reliance on it
Auditors must understand and test computer-based controls before placing reliance on them and concluding that such information is reliable

IT enhances internal controls

Computer controls replace manual controls
Ability to apply checks and balances consistently to all transactions, thus more reliable
Therefore reduces the risk of misstatements

Higher quality information is available

Produces information faster than manual processes
Incorporating multimedia effects
Complexity of the IT environment calls for better organisation, procedures and documentation

Impact of IT Systems on Auditors

Major developments in computing are continually taking place. Significant recent developments include:
the proliferation of powerful micro and mini-computers as stand-alone systems
increased usage of mobile computing such as tablets and smartphones
the increase in client-server systems, LANs and intranets
the decentralisation of processing functions into the hands of end-users, facilitated by advances in the development of fourth-generation languages
the initiation, implementation and recording of transactions between the entity and other parties using electronic impulses and machine-readable data rather than paper trails
the advent and proliferation of e-commerce and use of the Internet, as well as cloud computing

Impact of IT Systems on Auditors

Generally, an auditor working with IT systems should acquire these additional skills:
a basic understanding of computer concepts, terminology, systems design, methods of processing, and communication and storage of data;
the ability to identify IT control procedures, and to assess the impact of these controls on computer operations and application systems; and
a sound working knowledge of computer-assisted audit techniques.

Benefits of IT on Internal Control

The potential benefits of IT on internal control include:
Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data.
Enhancement of the timeliness, availability and accuracy of information.
Facilitation of additional analysis of information.

Enhancement of the ability to monitor the performance of the entity's activities and its policies and procedures.
Reduction in the risk that controls will be circumvented.
Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases and operating systems.

The Potential Risks of IT to Internal Control

The potential risks to internal control include:
Reliance on systems or programs that inaccurately process data, process inaccurate data, or both.
Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.

Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records.
Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.

Systematic versus random errors. Due to the uniformity of processing performed by IT-based systems, errors in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements.
Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized on-line access from remote locations.

Reduced segregation of duties. The installation of IT-based accounting systems centralizes many of the traditionally segregated manual tasks into one IT function.
Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.
Need for IT experience. As companies rely to a greater extent on IT-based systems, the need for personnel trained in IT systems increases in order to install, maintain, and use systems.

Absence of input documents. Data may be entered directly into the IT system without supporting documents. In some on-line transaction systems, written evidence of data entry authorisation (for example, approval for order entry) may be replaced by other procedures, such as authorisation controls contained in computer programs (for example, credit limit approval).
Lack of visible output. Certain transactions or results of processing may not be printed. In manual environments and in some EDP environments, it is normally possible to visually examine the results of processing. In other IT environments, the results of processing may not be printed, or only summary data may be printed. Thus, the lack of visible output may result in the need to access data retained on computer files that are readable only by the computer.

Accessibility of data and computer programs

Data and computer programs can be accessed and altered by persons through the use of online terminals. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorised access to, and alteration of, data and computer programs by persons inside or outside the entity.

Control Procedures affected by IT

(a) Information processing
(b) Segregation of duties
(c) Physical controls

Control Procedures affected by IT

(a) Information processing. Two areas in which control procedures can be affected by the use of IT in processing are:
(1) authorization of transactions, and
(2) keeping of adequate documents and records.
An auditor may not be able to observe the authorization policies by sighting the signature of the individual who authorizes the transaction by signing his/her name on the document.

When IT is used in information processing, hard copies of source documents and records may not be available. Thus the normal paper audit trail may not be present for the auditor to examine.
The auditor has to rely on computer-assisted audit procedures to obtain evidence on the processing of transactions.

(b) Segregation of duties.

In the IT environment, the programs within the system may assume the responsibilities of all the functions relating to the initiation, authorization, and recording of transactions, as well as the custody of assets, without having different individuals or separate units perform those tasks. Thus it is important to have adequate controls within the IT environment to compensate for this situation.

(c) Physical controls. Physical control over assets and records is important in any type of system. Where IT application is extensive, most of the assets and records may be concentrated in the database system or be accessible through computer terminals. It may also be easier to hide the theft of assets.
It is important to have proper backup controls for computer programs and data files in case the original copies are destroyed or damaged. Backup copies of programs and files should be stored off-site at a different location.

Types of control in an IT environment

Environmental controls

Internal controls in an IT environment

Internal controls in an IT environment include both manual and computerised controls
Classified under 2 categories:
General controls, which apply to the overall IT processing environment
Application controls, which apply to specific computer applications

Types of Controls in an IT Environment

General Controls
1. Data center & network operations
2. System software acquisition, change and maintenance
3. Access security
4. Application system acquisition, development, and maintenance

Application Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls

Relationship Between General and Application Controls

(Diagram: general controls surround the cash receipts, sales, payroll and other cycle application controls. The risks shown as addressed by general controls are: risk of unauthorized change to application software, risk of system crash, risk of unauthorized master file update, and risk of unauthorized processing.)
TYPES OF CONTROLS IN AN IT ENVIRONMENT

There are 2 broad categories of information systems control procedures: general controls and application controls.
(A) General Controls
Relate to the overall information processing environment and have a pervasive effect on the entity's information systems and operations.
(B) Application Controls
Application controls are manual or automated procedures that typically operate at a business process level.

General controls
General IT controls are policies and procedures
that relate to many applications and support
the effective functioning of application controls by
helping to ensure the continued proper operation of
information systems.
They commonly include controls over data centre
and network operations, system software
acquisition, change and maintenance, access
security, and application system acquisition,
development and maintenance.
General controls include controls over the
following:

(i) Data centre and network operations controls.

Data centre and network operations controls include control over computer and network operations, data preparation, work flow control, and library functions.
Important controls over computer and network operations should prevent unauthorized access to the network, program files and systems documentation by computer operators.
The operating system log, which documents all program and operator activities, should be regularly reviewed to ensure that operators have not performed any unauthorized activities. Controls over data preparation include proper entry of data into an application system and proper oversight of error correction.

Examples of data center and network controls

Password protection, i.e. use of a unique (alphanumeric) password
Restricted access to authorised users only
Backup of data/files
Segregation of duties

Password controls

Audit Procedures
Data centre and network operations controls
1. Review and test whether authorisation to gain access to the system is consistent with the segregation of duties in IT
2. Review controls over work flow and error correction procedures
3. Review backup and recovery procedures

(ii) Systems software acquisition, change and maintenance controls

System software is the set of computer programs that control the computer's functions and allow the application programs to run.
These programs include operating systems, library and security packages, and database management systems. The operating system also detects and corrects processing errors.
The entity should have strong controls that ensure proper approval for purchases of new system software and adequate controls over changes and maintenance of existing system software.

Audit Procedures
Systems software acquisition, change and maintenance controls
1) Review equipment manufacturers' documentation to determine what software controls and hardware controls are available
2) Review equipment failure logs or other operating reports on equipment reliability
3) Review maintenance contracts with computer equipment manufacturers
4) Inquire of IT personnel about the types of systems software in use and whether any modifications have been made to the programs

(iii) Access security controls & hardware controls

These general controls are concerned with:
(1) physical protection of computer equipment, software and data, and
(2) loss of assets and information through theft or unauthorized use.
Security controls include placing the computer facilities in a separate building. They also include limiting access to the computer facilities through the use of locked doors, with authorized personnel being admitted through use of a conventional key, an authorized card or physical recognition.

Controls must also be enforced within the computer facility. For example, programmers' access to the computer room should be restricted; this restriction prevents them from making unauthorized modifications to systems and application programs.
Unauthorized access to programs or data can cause loss of assets and information. Physical control over programs and data can be maintained by a separate library function that controls access to and use of files.

Hardware Controls
Hardware controls are built into computer equipment by the manufacturer to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy. Regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.

Examples:
Segregation of duties
Full records of program changes
Password protection of programs so that access is limited to computer operations staff
Restricted access to the central computer by locked doors and keypads
Maintenance of program logs

Auditors' concerns
Segregation of duties
System programming and application programming
System programmers may amend application programs to create fictitious transactions or make unauthorised changes to application programs
Operations and systems analysts/application programmers
A systems analyst/application programmer could make unauthorised changes to programs and data
However, a smaller set-up may not have complete segregation, due to cost factors

Security and access controls

Concerned with:
Physical protection of computer equipment, software & data
Reducing the risk of loss of assets through theft and unauthorised access
Control procedures
Physical access controls
Security guard and clearance to gain access to buildings
Limited access to computer rooms/data centre using card access / biometric recognition
Programmers are not allowed into the computer room

Security and access controls

Control procedures
Environmental controls
Fire suppression and water detection systems
Power supply: UPS and backup generator
Construction of computer room
Disaster recovery plan
Logical access controls
Segregation between production and development/test libraries
User-id and password controls
Encryption
Firewall and intrusion detection

Firewall to protect LAN (diagram)

Audit Procedures for Security and access controls

1) Inquire of IT management and observe physical security controls
2) Observe whether access to remote computer terminals is restricted
3) Review data communication access controls
4) Inquire of IT management about fire detection devices
5) Review the IT department's disaster recovery plan, including insurance coverage

(iv) Application systems acquisition, development, and maintenance controls

These controls are critical for ensuring the reliability of information processing. The ability to audit accounting systems is greatly improved if
(1) the entity follows common policies and procedures for system acquisition or development,
(2) the internal or external auditors are involved in the acquisition or development process, and

(3) proper user, system operator, and program documentation is provided for each application.
The entity should establish written policies and procedures for planning, acquiring or developing, and implementing new systems.
Examples:
Storing extra copies of programs and data files off-site
Protection of equipment against fire and other hazards
Back-up power sources
Disaster recovery procedures, e.g. availability of back-up computer facilities
Maintenance agreements and insurance

Audit procedures for application system acquisition, development, and maintenance controls

1) Review the systems development standards manual for policies and procedures for development and maintenance of application systems
2) Review the documentation of a sample of application systems to determine if systems development and modification policies are being followed
3) Review documentation for approval of new applications by management, users and IT groups

Application controls
Apply to the processing of individual accounting applications to ensure:
Completeness and accuracy of processed transactions
Authorisation
Validity

Application control components

Data capture controls
Data validation controls
Processing controls
Output controls
Error controls

Application controls
Application controls are manual or automated
procedures that typically operate at a business
process level.
They can be preventative or detective in nature
and are designed to ensure the integrity of the
accounting records.
Accordingly, they relate to procedures used to
initiate, record, process and report transactions or
other financial data.
The categories of Application Control include:

(i) Data capture controls. Data capture controls must ensure that:
All transactions are recorded in the application system
Transactions are recorded only once
Rejected transactions are identified, controlled, corrected and re-entered into the system.
Thus, data capture controls are concerned primarily with the occurrence, completeness and accuracy assertions.

There are three ways of capturing data in an information system:
(1) Source documentation,
(2) Direct data entry
(3) A combination of the two.
When source documents are present, batch processing is an effective way of controlling data capture.

Batching is simply the process of grouping similar transactions for data entry. It is important that each batch be well controlled.
This can be accomplished by assigning each batch a unique number and recording it in a batch register or log.
A cover sheet should be attached to each batch with spaces for recording the batch number, the date, the signatures of the various persons who processed the batch, and information on errors detected.
To ensure complete processing of all transactions in a batch, some type of batch total should be used.
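The batch register, cover sheet and batch totals described above, worked through in code as an added example (not from the lecture). The invoice layout, the three totals (record count, financial total and a hash total over customer numbers) and the figures are assumptions constructed for illustration.

```python
"""Batch control over data capture: each batch gets a unique number from a
batch register, a cover sheet records the batch number, date, preparer and
control totals, and the totals are reconciled after processing to show that
every transaction in the batch was processed exactly once and unaltered.

Added example, not from the lecture. The invoice layout, field names and
figures are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class SalesInvoice:
    invoice_no: int     # document reference
    customer_no: int    # non-financial field used for the hash total
    amount: float       # financial field used for the financial total


@dataclass
class CoverSheet:
    batch_no: int
    batch_date: date
    prepared_by: str
    record_count: int          # number of documents in the batch
    financial_total: float     # sum of invoice amounts
    hash_total: int            # sum of customer numbers: meaningless as a figure, but detects substitution
    errors_noted: list = field(default_factory=list)


class BatchRegister:
    """Batch register/log: assigns unique sequential batch numbers."""

    def __init__(self):
        self._next_no = 1
        self.log = {}

    def open_batch(self, invoices, prepared_by, batch_date):
        sheet = CoverSheet(
            batch_no=self._next_no,
            batch_date=batch_date,
            prepared_by=prepared_by,
            record_count=len(invoices),
            financial_total=round(sum(i.amount for i in invoices), 2),
            hash_total=sum(i.customer_no for i in invoices),
        )
        self.log[sheet.batch_no] = sheet
        self._next_no += 1
        return sheet


def reconcile(sheet, processed):
    """Recompute the three control totals over the records the application
    actually processed. Returns a list of discrepancies (empty = batch is
    complete and unaltered) and records them on the cover sheet."""
    issues = []
    if len(processed) != sheet.record_count:
        issues.append(f"record count {len(processed)} != {sheet.record_count}")
    fin = round(sum(i.amount for i in processed), 2)
    if fin != sheet.financial_total:
        issues.append(f"financial total {fin} != {sheet.financial_total}")
    hsh = sum(i.customer_no for i in processed)
    if hsh != sheet.hash_total:
        issues.append(f"hash total {hsh} != {sheet.hash_total}")
    sheet.errors_noted.extend(issues)
    return issues


def demo():
    """Constructed batch of three invoices and four processing outcomes."""
    register = BatchRegister()
    batch = [SalesInvoice(1001, 501, 100.00),
             SalesInvoice(1002, 502, 250.50),
             SalesInvoice(1003, 503, 49.50)]
    sheet = register.open_batch(batch, "A. Clerk", date(2024, 1, 31))
    return {
        "complete": reconcile(sheet, batch),                 # no discrepancies
        "dropped": reconcile(sheet, batch[:2]),              # all three totals differ
        "duplicated": reconcile(sheet, [batch[0]] + batch),  # all three totals differ
        # amount unchanged but posted to the wrong customer: only the hash total catches it
        "substituted": reconcile(sheet, [batch[0], SalesInvoice(1002, 520, 250.50), batch[2]]),
    }
```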

Controls over input: accuracy

Programs check data fields (for example value, reference number, date) on input transactions for plausibility:
Digit verification (e.g. reference numbers are as expected)
Reasonableness test (e.g. sales tax compared to total value)
Existence checks (e.g. customer name)
Character checks (no unexpected characters used in a reference)
Necessary information (no transaction passed with gaps)
Permitted range (no transaction processed over a certain value)

(ii) Data validation controls. These controls can be applied at various stages, depending on the entity's IT capabilities, and are mainly concerned with the accuracy assertion.
When source documents are batch processed, the data are taken from the source documents and transcribed to disk or other storage media. The data are then validated by an edit program or by routines that are part of the application programs.

(iii) Processing controls. These are controls that ensure proper processing of transactions. In some information systems, many of the controls discussed under data validation may be performed as part of data processing controls.
General controls play an important role in providing assurance about the quality of processing controls.
If the entity has strong general controls (such as application systems acquisition, development, and maintenance controls, personnel practices and separation of duties), it is likely that programs will be properly written and tested, correct files will be used for processing and unauthorized access to the system will be limited.

(iv) Output controls. Output includes reports, cheques, documents and other printed or displayed information. Controls over output from computer systems are important application controls. The main concern is that the computer output may be distributed or displayed to unauthorized users.
A number of controls should be present to minimize the unauthorized use of output.
A report distribution log should contain a schedule of when reports are prepared, the names of the individuals who are to receive the report, and the date of distribution.

Output controls
Results that are finally reported as a consequence of the inputting and processing of the data must be valid, accurate and complete.
Concern that confidential information is accessible to unauthorised personnel
Define who should be able to read what information in the system
Define who should get a copy of hard-copy reports
Ensure proper control over the sending of hard-copy output (reports, cheques, documents, bank statements, ATM mailers) and its subsequent receipt

(v) Error controls. Errors can be identified at any point in the system. While most transaction errors should be identified by data capture and data validation controls, some errors may be identified by processing or output controls.
After identification, errors must be corrected and resubmitted to the application system at the correct point in processing.
For example, if a transaction is entered with an incorrect customer number, it should be rejected by a validity test. After the customer number is corrected, it should be resubmitted into the system.
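An edit program that implements the six input accuracy checks listed under "Controls over input: accuracy" together with the error-control flow just described (error file, correction, resubmission, outstanding error report). This is an added example, not code from the lecture; the record layout, the modulus-10 (Luhn) check digit on reference numbers, the 6% tax rate for the reasonableness test and the 50,000 ceiling for the permitted range are all assumptions, and the input batch is constructed.

```python
"""Edit program: six plausibility checks on input transactions plus the
error-control cycle (reject to an error file, correct, resubmit, report
what is still outstanding).

Added example, not from the lecture. Record layout, Luhn check digit,
6% tax rate and 50,000 ceiling are assumptions; the data is constructed.
"""
import re

TAX_RATE = 0.06          # assumed sales tax rate for the reasonableness test
MAX_AMOUNT = 50_000.00   # assumed ceiling for the permitted range check
REF_PATTERN = re.compile(r"^INV-\d{8}$")   # character check on the reference
REQUIRED = ("ref", "customer", "amount", "tax", "date")

# Constructed customer master file used by the existence check.
CUSTOMER_MASTER = {"C100": "Alpha Sdn Bhd", "C200": "Beta Trading"}


def luhn_ok(digits):
    """Digit verification: modulus-10 (Luhn) check digit over the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate(rec, master=CUSTOMER_MASTER):
    """Run every check on one record; return the list of failed checks."""
    failed = []
    if any(rec.get(f) in (None, "") for f in REQUIRED):
        failed.append("necessary information")          # no gaps allowed
    ref = str(rec.get("ref", ""))
    if not REF_PATTERN.match(ref):
        failed.append("character check")
    elif not luhn_ok(ref[4:]):                           # only meaningful if characters are valid
        failed.append("digit verification")
    if rec.get("customer") not in master:
        failed.append("existence check")
    amount, tax = rec.get("amount"), rec.get("tax")
    if isinstance(amount, (int, float)) and isinstance(tax, (int, float)):
        if abs(tax - round(amount * TAX_RATE, 2)) > 0.01:
            failed.append("reasonableness test")        # tax must agree with value
        if not 0 < amount <= MAX_AMOUNT:
            failed.append("permitted range")
    return failed


def edit_run(records, master=CUSTOMER_MASTER):
    """Split the input into accepted data and an error file of (record, reasons)."""
    accepted, error_file = [], []
    for rec in records:
        reasons = validate(rec, master)
        if reasons:
            error_file.append((rec, reasons))
        else:
            accepted.append(rec)
    return accepted, error_file


def resubmit(error_file, corrections, master=CUSTOMER_MASTER):
    """Apply corrections keyed by input sequence number, re-run the edit
    checks and return (newly accepted, still outstanding for the error report)."""
    corrected = [{**rec, **corrections.get(rec["seq"], {})} for rec, _ in error_file]
    return edit_run(corrected, master)


# Constructed input: one clean record, then one failure per check.
SAMPLE_INPUT = [
    {"seq": 1, "ref": "INV-12345674", "customer": "C100", "amount": 1000.00, "tax": 60.00, "date": "2024-03-01"},
    {"seq": 2, "ref": "INV-12345670", "customer": "C100", "amount": 500.00, "tax": 30.00, "date": "2024-03-01"},    # wrong check digit
    {"seq": 3, "ref": "INV-87654323", "customer": "C999", "amount": 200.00, "tax": 12.00, "date": "2024-03-01"},    # unknown customer
    {"seq": 4, "ref": "INV-11111119", "customer": "C200", "amount": 1000.00, "tax": 600.00, "date": "2024-03-02"},  # implausible tax
    {"seq": 5, "ref": "INV-2222222O", "customer": "C100", "amount": 300.00, "tax": 18.00, "date": "2024-03-02"},    # letter O in reference
    {"seq": 6, "ref": "INV-33333337", "customer": "C100", "amount": 400.00, "tax": 24.00, "date": ""},              # date missing
    {"seq": 7, "ref": "INV-44444446", "customer": "C200", "amount": 75000.00, "tax": 4500.00, "date": "2024-03-03"},  # over ceiling
]
```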

Error controls

(Flowchart: on-line input and batch input pass through a validation program, which splits them into accepted data and an error file; the error file produces an error report, and an error program produces an unclear/outstanding error report for review.)

Source: William F. Margaret B (2004) Auditing and Assurance Services in Malaysia, McGraw Hill, pg 213

Audit Process in an IT environment

Audit process in an IT environment

During the planning stage, the auditor must consider the following:
The extent to which the computer is used in each significant accounting application
The complexity of the entity's computer environment
The organisational structure of the IT organisation
The availability of data for audit evidence

Impact of IT on the audit process (page 358 of Arens)

Effects of general controls on system-wide applications
Effect of general controls on software changes
Obtaining an understanding of the client's general controls
Relating IT controls to transaction-related audit objectives
Effect of IT on substantive procedures

Auditors' concerns
May need more time to understand the client's IT environment in order to conduct tests of controls and substantive procedures
May need computer audit specialists to use CAATs as a cost-effective auditing approach
Also need specialist skills in the evaluation of IT-related controls

What audit strategy to use?

Substantive strategy (auditing around the computer)
Must have adequate source documents and accounting reports in hard copy
Transactions can be traced from source documents to accounting records and vice versa
No reliance placed on application controls (input, processing & output)
Auditor may still use the computer to select and print confirmation letters
Why this approach? Less costly because no specialist involvement is needed

What audit strategy to use?

Reliance strategy (auditing through the computer)
Auditors review and test general and application controls and determine their effectiveness
Are the controls operating as planned and required?
Use enquiry, observation and inspection to assess general controls
Use CAATs to test application controls

Computer Assisted Auditing Techniques (CAATs)

CAATs
What should auditors consider when applying CAATs?
The IT knowledge, expertise and experience available
The availability of CAATs
Availability of data
Impracticality of manual tests
Effectiveness and efficiency factors
Timing of applying CAATs

CAATs
In a computer information (IT) environment, the application of auditing procedures may require the auditor to consider techniques known as Computer Assisted Audit Techniques (CAATs) that use the computer as an audit tool.
The statement on CAATs aims to assist auditors by providing guidance on the use of CAATs as an audit tool.
The statement provides practical assistance to auditors by describing:
What CAATs are
Considerations in the use of CAATs
Usage of CAATs
Usage of CAATs in a small entity IT environment

What can CAATs Do?

Tests of details of transactions & balances
Analytical procedures
Tests of general controls in limited situations
Sampling programs
Tests of application controls
Re-performing calculations

Computer-assisted audit techniques

Computer-assisted audit techniques (CAATs) are the applications of auditing procedures using the computer as an audit tool.
The overall objectives and scope of an audit do not change when an audit is conducted in a computerised environment.
However, the application of auditing procedures may require auditors to consider techniques that use the computer as an audit tool. These uses of the computer for audit work are known as computer-assisted audit techniques (CAATs).

Computer assisted audit techniques (CAATs) may be used by auditors to execute substantive procedures or in testing application controls.
An auditor may find it necessary to use CAATs in advanced IT systems when the validation and processing controls for routine transactions are embedded in the application programs.
Use of CAATs for substantive procedures may be efficient when the entity's data files are maintained in machine-readable form.

CAATs may be used in performing various auditing procedures, including the following:
Tests of details of transactions and balances.
Analytical review procedures.
Tests of computer information system controls.

The advantages of using CAATs are:

Auditors can test programmed controls as well as general internal controls associated with computers.
Auditors can test a greater number of items more quickly and accurately than would be the case otherwise.
Auditors can test transactions rather than paper records of transactions that could be incorrect.

CAATs are cost-effective in the long term if the client does not change its systems.
Results from CAATs can be compared with results from traditional testing; if the results correlate, overall confidence is increased.

Other advantages of CAATs

Locate errors and potential fraud by comparing and analyzing files according to end-user criteria.
Recalculate and verify balances.
Identify control issues and ensure compliance with standards.
Age and analyze accounts receivable, payables or other time-sensitive transactions.

Types of CAATs

Generalised Audit Software (GAS)
Custom Audit Software
Test Data
Integrated Test Facility
Parallel Simulation
Specialized audit software
Embedded audit module

Generalised Audit Software (GAS)

Generalised audit software comes in a variety of forms. It may either be commercial software or be developed by an auditing firm. The purpose of the audit software is to interrogate, extract and sometimes analyse information from management's computer information system. Expert audit systems are another example of such software.
Generalised audit software may be used to gather evidence in relation to both the effectiveness of operation of a programmed control procedure and the extent of misstatements in account balances and underlying classes of transactions. In other words, this audit software may be used either as a test of control or as a substantive procedure.

Generalised audit software allows auditors:
to perform or verify mathematical calculations;
to include, exclude, or summarize items having specified characteristics;
to provide subtotals and final totals;
to compute, select, and evaluate statistical samples for audit tests;
to print results or sequence that will facilitate an audit step;
to compare, merge, or match the contents of two or more files;
and to produce machine-readable files in a format specified by the auditor.

GAS offers several advantages:

It is easy to use.
Limited IT expertise or programming skills are required.
The time required to develop the application is usually short.
An entire population can be examined, eliminating the need for sampling in some instances.

Among the disadvantages of GAS are:

It involves auditing after the client has processed the data rather than while the data is being processed.
It provides a limited ability to verify programming logic, because its application is usually directed to testing data files or databases.
It is limited to audit procedures that can be conducted on data available in electronic form.

Custom audit software / purpose-written programs

To be considered when GAS cannot be used:
Incompatible input file format
Calculation logic too difficult for GAS to handle

Custom Audit Software

Custom audit software is audit software designed to perform specific tasks in specific circumstances, such as comparison of source and object code, the analysis of unexecuted code and the generation of test data. It is used to gather evidence as to the design effectiveness of the client's software.

Custom Audit Software

Custom audit software is generally written by auditors for specific audit tasks. Such programs are necessary when the entity's IT system is not compatible with the auditor's GAS or when the auditor wants to conduct some testing that may not be possible with GAS.
It may also be efficient to prepare custom programs if they will be used in future audits of the entity or if they may be used on similar engagements.
Custom audit software is written by auditors for specific tasks when generalised audit software cannot be used.

The major disadvantages of custom software are:
It is expensive to develop
It may require a long development time, and
It may require extensive modification if the entity changes its accounting application programs.

Suppose an entity uses IT in maintaining the perpetual inventory records, which are updated by the sales and purchasing systems. At the time of the physical inventory count, the entity's employees record the physical count on special computer forms that are optically scanned to create a physical inventory file.
The auditor who observes the entity's physical stock take can record their test count results on special computer forms that are optically scanned and used as input to the custom program.

The custom program performs the following audit procedures:
Traces the test counts into the entity's perpetual inventory file and prints out any exceptions,
Performs a complete mathematical test, including extensions, additions, cross-adding and use of approved prices,
Summarizes the inventory by type, and
Prints out items in excess of a predetermined amount for review.
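The four procedures of the inventory custom program above, carried out on constructed data as an added example (this is not the lecture's program). The perpetual file layout, the approved price list, the test-count file and the review threshold are all assumptions.

```python
"""Custom audit program for the physical inventory example: trace the
auditor's test counts into the perpetual file, recompute extensions with
approved prices and cross-add them, summarise by inventory type, and list
items over a predetermined amount for review.

Added example, not from the lecture. File layouts, prices, counts and the
review threshold are constructed assumptions.
"""
from collections import defaultdict

# Constructed perpetual inventory file as maintained by the entity's system.
# Each record: inventory type, quantity on hand, unit price used, extension recorded.
PERPETUAL = {
    "A100": {"type": "raw", "qty": 120, "price": 5.00, "ext": 600.00},
    "A200": {"type": "raw", "qty": 80, "price": 12.50, "ext": 1000.00},
    "F300": {"type": "finished", "qty": 40, "price": 250.00, "ext": 10000.00},
    "F400": {"type": "finished", "qty": 15, "price": 400.00, "ext": 6400.00},  # recorded extension is wrong
    "P500": {"type": "packaging", "qty": 500, "price": 0.20, "ext": 100.00},   # price not the approved one
}
# Constructed approved price list obtained from the costing department.
APPROVED_PRICES = {"A100": 5.00, "A200": 12.50, "F300": 250.00, "F400": 400.00, "P500": 0.25}
# Constructed auditor test counts captured from the scanned count forms.
TEST_COUNTS = {"A100": 120, "A200": 75, "F300": 40, "X999": 3}   # A200 short; X999 not on file
REVIEW_THRESHOLD = 5000.00   # assumed "predetermined amount"


def trace_test_counts(test_counts, perpetual):
    """Procedure 1: trace each test count into the perpetual file; return exceptions
    as (item, reason, counted quantity, book quantity)."""
    exceptions = []
    for item, counted in test_counts.items():
        rec = perpetual.get(item)
        if rec is None:
            exceptions.append((item, "not on perpetual file", counted, None))
        elif rec["qty"] != counted:
            exceptions.append((item, "quantity differs", counted, rec["qty"]))
    return exceptions


def mathematical_test(perpetual, approved):
    """Procedure 2: recompute every extension with the approved price, compare
    with the recorded price and extension, and cross-add the recomputed file total."""
    exceptions, cross_total = [], 0.0
    for item, rec in perpetual.items():
        approved_price = approved.get(item)
        if approved_price is None:
            exceptions.append((item, "no approved price"))
            continue
        if abs(rec["price"] - approved_price) > 0.005:
            exceptions.append((item, f"price {rec['price']} is not the approved {approved_price}"))
        recomputed = round(rec["qty"] * approved_price, 2)
        if abs(recomputed - rec["ext"]) > 0.005:
            exceptions.append((item, f"extension {rec['ext']} should be {recomputed}"))
        cross_total += recomputed
    return exceptions, round(cross_total, 2)


def summarise_by_type(perpetual, approved):
    """Procedure 3: recomputed inventory value summarised by inventory type."""
    totals = defaultdict(float)
    for item, rec in perpetual.items():
        totals[rec["type"]] += rec["qty"] * approved[item]
    return {t: round(v, 2) for t, v in totals.items()}


def items_over(perpetual, approved, threshold=REVIEW_THRESHOLD):
    """Procedure 4: items whose recomputed value exceeds the review threshold."""
    return sorted(item for item, rec in perpetual.items()
                  if rec["qty"] * approved[item] > threshold)
```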

Test Data
Test data prepared by the auditor is processed on
the current production version of the client's
software, but separately from the client's normal
input data. The test data that is processed
updates the auditor's copies of the client's data
files. The updated files are examined to ensure
that the transactions were processed in the
manner expected. This procedure is typically
used to gather evidence as to the effectiveness
of design of programmed control procedures, as
well as aspects of the effectiveness of operation.

CAATs: Test Data

The auditor uses test data for testing the application controls in the entity's computer programs. In using this method, the auditor first creates a set of simulated transaction data (test data) for testing. The data should include both valid (correct) and invalid (incorrect) data. The auditor manually calculates what the processing results should be and runs the test data through the entity's application program.

Test data techniques are used in conducting audit procedures by entering data (eg a sample of transactions) into an entity's computer system, and comparing the results obtained with pre-determined results. Test data is used for tests of controls. The valid data should be properly processed, while the invalid data should be identified as errors. The results of the processing are compared to the auditor's predetermined results.

This technique can be used to check:
- Data validation controls and error detection routines.
- Processing logic controls.
- Arithmetic calculations.
- The inclusion of transactions in records, files and reports.

Test data can, for example, be used to check the controls that prevent the processing of invalid data, by entering data with, say, a non-existent customer code, an unreasonable amount, or a transaction which, if processed, would break customer credit limits.
Test transactions can also be used in an integrated test facility. This is where a dummy unit (eg a department or employee) is established, to which test transactions are posted during the normal processing cycle.

The main advantages of the test data method are:
- It provides direct evidence on the effectiveness of the controls included in the entity's application programs.
- It is useful for determining whether the controls relating to accuracy and completeness of processing are effective.

However, the disadvantages of this method are:
- It can be very time consuming to create the test data.
- The auditor may not be certain that all relevant conditions or controls are tested.
- The auditor must be certain that the test data are processed using the entity's regular application program, meaning the program tested is the application used in actual processing.
- The auditor must make sure that all test data are removed from the entity's files.

Integrated Test Facility

An integrated test facility is a facility forming part of the client's software that enables the auditor's test data to be integrated and processed with the client's live input data. The facility ensures that the test data updates special dummy files, rather than actual operating files. The dummy files are examined to ensure that the test data has been processed in the manner expected. This procedure provides evidence of the effectiveness of design of programmed control procedures as well as aspects of the effectiveness of operation. The processed results are compared with the auditor's predetermined results.

Integrated test facility
- Auditors directly input data into the live system but using a dummy entity, such as a dummy branch or subsidiary
- Compare the processed results with the auditor's predetermined results

Integrated Test Facility
The ITF technique enters test data along with the actual data in a normal application run. To use this approach, dummy records such as fictitious customers are created within the entity's files or records. Simulated transactions (like test data) are entered and processed against the live files during regular processing. The auditor then examines the processing of the simulated test data related to the dummy customers.

The ITF technique has the same objectives as the test data method, except that the testing takes place under actual operating conditions. This provides added assurance that the auditor is testing the programs actually used by the entity.
The disadvantage of an ITF is the risk of error when removing the test data from the entity's records. The auditor must be very careful to ensure that all the test data are removed and that the removal does not create any additional errors in the entity's system.
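The test data method and the integrated test facility just described, worked through together as an added example in Python. This is not code from the lecture or from any real audit package: the sales-order application and its validation controls (customer must exist, amount must be reasonable, credit limit must not be broken), the customer master file, the reasonableness limit of 50,000 and the dummy customer code AUD-DUMMY-01 are all constructed for the illustration. The test data run uses a copy of the entity's files; the ITF run posts to the live file under a dummy customer and then removes it.

```python
# Added example (not the lecture's code): a toy sales-order application with
# programmed validation controls, used to show (1) the test data method run on
# the auditor's copy of the files and (2) an integrated test facility (ITF)
# where a dummy customer is processed in the same run as live data and the
# test records are removed afterwards. All data below is constructed.

import copy

MAX_REASONABLE_AMOUNT = 50_000          # assumed reasonableness limit
DUMMY_CUSTOMER = "AUD-DUMMY-01"         # assumed ITF dummy entity code

def post_sales_order(master, tx):
    """Entity's application logic (simulated). Applies data validation and
    credit-limit controls, updates the master file in place on success and
    returns a result code for the transaction."""
    cust = master.get(tx["customer"])
    if cust is None:
        return "ERR_UNKNOWN_CUSTOMER"
    if not (0 < tx["amount"] <= MAX_REASONABLE_AMOUNT):
        return "ERR_UNREASONABLE_AMOUNT"
    if cust["balance"] + tx["amount"] > cust["credit_limit"]:
        return "ERR_CREDIT_LIMIT"
    cust["balance"] += tx["amount"]
    cust["orders"].append(tx["id"])
    return "POSTED"

def run_test_data(live_master, test_data):
    """Test data method: process the auditor's transactions against a COPY of
    the entity's files and compare each result with the predetermined outcome.
    Returns (tx id, expected, actual) for every mismatch; empty means all
    controls behaved as the auditor predicted."""
    auditor_copy = copy.deepcopy(live_master)
    mismatches = []
    for tx, expected in test_data:
        actual = post_sales_order(auditor_copy, tx)
        if actual != expected:
            mismatches.append((tx["id"], expected, actual))
    return mismatches

def run_itf(live_master, live_txs, test_txs):
    """Integrated test facility: create the dummy customer in the live master,
    process test transactions in the same run as live ones, examine the dummy
    record, then remove it. Returns (dummy record, mismatches, live master
    after clean-up)."""
    live_master[DUMMY_CUSTOMER] = {"credit_limit": 10_000, "balance": 0, "orders": []}
    results = {}
    for tx in live_txs + [tx for tx, _ in test_txs]:
        results[tx["id"]] = post_sales_order(live_master, tx)
    mismatches = [(tx["id"], expected, results[tx["id"]])
                  for tx, expected in test_txs if results[tx["id"]] != expected]
    dummy = live_master.pop(DUMMY_CUSTOMER)    # remove the test data from the entity's file
    return dummy, mismatches, live_master

# Constructed live customer master file.
LIVE_MASTER = {
    "C001": {"credit_limit": 20_000, "balance": 5_000, "orders": []},
    "C002": {"credit_limit": 1_000,  "balance": 900,   "orders": []},
}

# Auditor's test data with predetermined results: one valid and three invalid cases.
TEST_DATA = [
    ({"id": "T1", "customer": "C001", "amount": 1_000},  "POSTED"),
    ({"id": "T2", "customer": "C999", "amount": 100},    "ERR_UNKNOWN_CUSTOMER"),
    ({"id": "T3", "customer": "C001", "amount": 75_000}, "ERR_UNREASONABLE_AMOUNT"),
    ({"id": "T4", "customer": "C002", "amount": 500},    "ERR_CREDIT_LIMIT"),
]

# Constructed live transactions and ITF test transactions for the dummy customer.
LIVE_TXS = [{"id": "L1", "customer": "C001", "amount": 2_000}]
ITF_TXS = [
    ({"id": "I1", "customer": DUMMY_CUSTOMER, "amount": 4_000}, "POSTED"),
    ({"id": "I2", "customer": DUMMY_CUSTOMER, "amount": 7_000}, "ERR_CREDIT_LIMIT"),
]

if __name__ == "__main__":
    print("Test data mismatches:", run_test_data(LIVE_MASTER, TEST_DATA))
    dummy, mismatches, after = run_itf(copy.deepcopy(LIVE_MASTER), LIVE_TXS, ITF_TXS)
    print("ITF dummy record:", dummy, "| mismatches:", mismatches)
    print("Dummy removed from live file:", DUMMY_CUSTOMER not in after)
```

The two runs differ in exactly the way the slides describe: run_test_data never touches the live master, so nothing has to be cleaned up, whereas run_itf must remove the dummy customer afterwards and a check that the live customers' balances reflect only the live transactions is what guards against the removal step introducing errors.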


Parallel Simulation
In parallel simulation, actual client data is processed using a copy of the client's software that has undergone program code analysis by the auditor and is under the control of the auditor. The data processed on the auditor's copy of the software is compared to the data previously processed by the client to ensure that the processing is identical. This procedure provides evidence as to the effectiveness of design of programmed control procedures as well as aspects of the effectiveness of operation.

Parallel Simulation
The use of parallel simulation requires that the auditor construct a simulation program that mimics the entity's application program. With this method the auditor processes the actual data of the entity through the simulated program and compares the results with the data processed by the entity's program.

CAATs: Parallel Simulation
The main advantages of the use of a parallel simulation are:
- It provides evidence on the controls used in the entity's application program
- It allows the auditor to test the accuracy of large volumes of transactions.
The major disadvantage is the cost of developing the simulation.
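Parallel simulation as described above, worked through as an added example in Python (not code from the lecture or from any real audit package). The entity's invoicing program, the auditor's simulation written from the documented pricing policy, the tax and discount rates and the transaction file are all constructed for the illustration; the entity's version is given a deliberate logic defect so that the comparison has a difference to report.

```python
# Added example (not from the lecture): parallel simulation. The auditor's
# simulation re-performs the invoice calculation from the documented pricing
# policy, processes the entity's ACTUAL transactions through it, and compares
# the result for each invoice with what the entity's program produced. Both
# programs, the rates and the data are constructed for illustration.

from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.06")        # assumed sales tax rate
DISCOUNT_RATE = Decimal("0.05")   # assumed volume discount
DISCOUNT_QTY = 100                # documented policy: discount at 100 units or more

def cents(value):
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def entity_invoice(qty, unit_price):
    """Entity's production program (simulated). Defect: tests '>' instead of
    '>=' so the discount is skipped for an order of exactly 100 units."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty > DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return cents(gross * (1 + TAX_RATE))

def auditor_simulation(qty, unit_price):
    """Auditor's simulation program, written independently from the policy."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return cents(gross * (1 + TAX_RATE))

def parallel_simulation(transactions, entity_output):
    """Run the actual transactions through the simulation and compare with the
    entity's processed invoice file. Returns (differences, invoices checked),
    each difference being (invoice, entity amount, simulated amount)."""
    differences = []
    for tx in transactions:
        simulated = auditor_simulation(tx["qty"], tx["unit_price"])
        produced = cents(entity_output[tx["invoice"]])
        if simulated != produced:
            differences.append((tx["invoice"], str(produced), str(simulated)))
    return differences, len(transactions)

# Constructed "actual" transaction data and the entity's processed invoice file.
TRANSACTIONS = [
    {"invoice": "INV-1", "qty": 10,  "unit_price": "20.00"},
    {"invoice": "INV-2", "qty": 100, "unit_price": "20.00"},
    {"invoice": "INV-3", "qty": 150, "unit_price": "20.00"},
]
ENTITY_OUTPUT = {tx["invoice"]: entity_invoice(tx["qty"], tx["unit_price"]) for tx in TRANSACTIONS}

if __name__ == "__main__":
    diffs, checked = parallel_simulation(TRANSACTIONS, ENTITY_OUTPUT)
    print(f"{checked} invoices re-performed, {len(diffs)} difference(s): {diffs}")
```

Because the simulation runs over the entity's real transaction file rather than a handful of auditor-made test cases, it finds the boundary defect only if an order of exactly 100 units actually occurred; this is the trade-off with the test data method, where the auditor chooses the boundary cases but gets no assurance about the volume of real data.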

Quality control in CAATs application
Auditors are required to ensure the accuracy of the CAAT programs:
- Participate in the design and testing of CAATs
- Check the program coding to ensure that it is correctly done in line with the audit objective
- Ask the client's personnel for permission if you need to run it on their systems (suggest using generalised audit software on the auditor's PC)
- Test the program before placing reliance on CAATs results

Quality control in CAATs application
- Ensure correct files are used (cutoff) and files are complete
- Ensure that the audit software is functioning and operating as planned
- Establish security measures to safeguard the integrity and security of the client's data

The use of the PC as an audit tool
- Preparation of trial balance, lead schedules, working papers, audit programs and audit plan
- Data retrieval and analysis
- Analytical and statistical sampling procedures
- Documentation of internal control procedures (eg flowcharts)

Use of IT in Audit Work
- Communication: emails
- Automated working papers: MS Word and MS Excel
- Analytical procedures: calculations / analysis
- Tailored computer programs: draft financial statements / sampling
- Resources: library tools and intranet

E-Commerce and implications for auditors
Broadly, e-commerce is often defined as any business carried out in electronic form.
"e-Business is the complex fusion of business processes, enterprise applications, and organizational structure necessary to create a high-performance business model." - Kalakota and Robinson

ELECTRONIC COMMERCE AND AUDIT IMPLICATION
Electronic commerce generally refers to commercial activities which are transacted electronically through a public network, such as the internet, or a private network (often called dot com). There has been tremendous growth in e-commerce activities involving individuals and organizations doing business transactions without paper documents. Electronic data interchange (EDI) is one example of this type of commerce. In EDI, business is conducted between entities that have a pre-arranged contractual relationship.

E-commerce changes the way an entity conducts its business activities and introduces new elements of risk that an entity must address and respond to. To mitigate these risks, the entity must ensure proper technology infrastructure and controls are implemented.
A new e-business environment has a significant impact on accounting records, information systems and procedures, and consequently on the evidence available to support the transactions.

Risks Associated with E-Commerce Activities
Business risks arising from e-commerce activities which have an effect on financial statements include the following:
- Loss of transaction integrity, often compounded by lack of a transaction trail.
- E-commerce security risks, such as virus attacks, fraud arising from unauthorized access, and denial of service.
- Improper accounting policies related to, for example, capitalization of website development costs, translation of foreign currencies, and revenue recognition issues.
- Non-compliance with legal requirements, for example when transactions are conducted across international boundaries.
- Systems and infrastructure failures or crashes.
- Systems outages affecting revenue stream and going concern.
- Authenticity and integrity of trading partners.

When the transactions generated from the entity's website are linked to the internal accounting systems, these risks can affect financial reporting in the following aspects:
- Completeness and accuracy of transaction processing and storage.
- Timing of recognition of sales, purchases and other transactions.
- Identification of disputed transactions.

E-Commerce
Control measures - PAGE 257 of Margaret Boh

Proper security infrastructure to obtain assurance over:
- Security and integrity of transactions
- Completeness and accuracy of transactions
- Confidentiality
- Availability

Control measures
The entity engaging in e-commerce activities should have a proper security infrastructure and related controls to address such business risks and to ensure the security and integrity of transactions. Controls to address security risks are important to ensure that information is secure to the extent that the requirements for its authorization, confidentiality, integrity and availability are satisfied. If the entity does not have adequate controls, electronic transactions can be changed, lost, duplicated or processed incorrectly.

This will affect the security of financial records and the completeness and reliability of the financial information produced. The entity must have sufficient controls to ensure that consumer information is protected from unauthorized use. The entity must have strong access controls that prevent security breaches of the corporate network or Internet servers. Examples of security infrastructure include both physical and technical safeguards such as user IDs, passwords and firewalls.

Audit Implications
The e-commerce or e-business environment presents new risks that must be considered by the auditors when planning and performing the audit of financial statements. To assist the auditors in identifying and assessing these risks, IFAC has issued a practice statement, "Electronic Commerce: Effect on the Audit of Financial Statements".

This International Auditing Practice Statement (IAPS) helps auditors address e-commerce issues by focusing on the following:
- The level of skills and knowledge required to understand the effect of e-commerce on the audit;
- The extent of knowledge the auditor should have about the entity's business environment, activities and industries;
- Business, legal, regulatory and other risks faced by entities engaged in e-commerce activities;
- Internal control considerations, such as an entity's security infrastructure and transaction integrity; and
- The effect of electronic records on audit evidence.

When an entity sells products or services over the Internet, the auditor's main concerns are transaction integrity, protection of information, and unauthorized access to the entity's network.
The auditor should perform risk assessment procedures to obtain an understanding of the entity's internal control, in order to identify business risks arising from e-commerce activities that may result in a material misstatement of the financial statements or have a significant effect on the auditor's procedures or the audit report.

Skills and Knowledge
In conducting an audit in an e-commerce environment, the audit team should possess appropriate IT and Internet business knowledge to understand the following aspects of e-commerce activities:
- The entity's e-commerce strategy and activities.
- The technology used by the entity to facilitate the e-commerce activities.
- The IT skills and knowledge of entity personnel.
- The risks associated with e-commerce activities and the entity's approach to managing those risks.
- The security infrastructure and related controls that have an effect on financial reporting.

Knowledge and understanding of the above aspects of e-commerce activities are necessary to enable the auditor to determine the nature, timing and extent of audit procedures and to evaluate audit evidence.
The auditor should consider the effect of the entity's dependence on e-commerce activities on its ability to continue as a going concern. Depending on the complexity of the e-commerce technology, and the extent to which the entity's operations are conducted through e-business, the auditor may find it necessary to use the work of an expert in this area.
For example, the auditor may require the assistance of an expert when testing security controls by attempting to break through the security layers of the entity's system (penetration testing).
The auditor needs to obtain sufficient understanding of the entity and the industry to assess the significance of e-commerce to the entity's operations, business risks and the effect on the financial statements and the auditor's report.
The entity's e-commerce strategy, including the way it uses IT for e-commerce and its risk management policies, has an effect on the security of the financial records and the completeness and reliability of the financial information produced.

Audit Procedures
The auditor's concern in the audit of financial statements is the completeness, accuracy, timeliness and authorization of information processed in the entity's financial records. Internal controls can be used to mitigate many of the risks associated with e-commerce activities. Accordingly, the auditor is likely to focus his audit procedures in an e-commerce environment largely on the evaluation of the entity's security infrastructure and related controls established for ensuring the integrity of transactions. Examples are firewalls and anti-virus software, and automated controls to ensure the integrity of transactions such as record integrity checks and digital signatures. The auditor's focus is on the internal controls that the entity applies to its e-commerce activities and those that are relevant to the financial statement assertions.
Depending on the auditor's assessment of these controls, the auditor may also consider the need to perform further substantive procedures, such as obtaining confirmation of transactions and balances from external third parties.

E-commerce: Management's responsibilities
- Management's responsibility for establishing and maintaining adequate internal controls over financial reporting
- Management assessment and auditor attestation/review of the effectiveness of the internal control structure and procedures

E-commerce: Providing assurance to stakeholders
To provide investors and others reasonable assurance that companies have designed processes to help ensure that transactions are properly authorized, recorded and reported, and that assets are safeguarded against unauthorized or improper use.

E-Commerce: Audit implications
To have adequate skills and knowledge to understand:
- The client's e-commerce strategy and activities
- The technology that enables the e-commerce operations
- IT skills and knowledge of the client's personnel
- Risks associated with e-commerce and the client's approach to managing these risks
- Security infrastructure and related controls that have an impact on the financial statements
Auditors may need to engage an expert, as per ISA 620 Using the work of an expert.

Review some technological changes that may impact the IT and business environment
- Distributed data processing, networking, EDI and EFT
- Real time systems
- Intelligent systems

Distributed data processing and networking
[Diagram: Local Area Network 1, Local Area Network 2 and Local Area Network 3, each with a central computer, connected over a Wide Area Network and through an Internet gateway to the WWW.]
Organise and coordinate data processing by decentralising computer function and power.

Distributed data processing, networking and electronic data interchange
Distributed data processing organizes and coordinates data processing by decentralizing computer functions and computing power. Distributed data processing places selected information processing capabilities at the division or user department level. For example, PCs that are connected to the entity's mainframe computer may be installed at the division level so that each division can control the processing and maintenance of its own data.
Selected information will then be sent to the central computer at predetermined times to update corporate records. The mainframe does the processing, holds and updates the data, and sends back results to the user-client.

There are two major levels of networking. At one level, networking occurs within an entity and is called a Local Area Network (LAN). This allows various groups within the organization to communicate (such as by email) with one another. It also provides a way for various groups to access the entity's data, whether centralized in one location or distributed among many locations throughout the organization.
The other level of networking provides communication outside the organization. An entity can send data to various groups (such as suppliers or customers) outside the organization directly by computer via connection to Wide Area Networks (WANs). This includes the initiation and execution of transactions.
Another innovation is the use of Electronic Data Interchange (EDI), which allows organizations to transmit business transactions over telecommunications networks. The benefits of EDI include a reduction in paperwork and faster turnaround times for transactions.

Audit Implications:
The auditor's main concerns with distributed data processing are the controls that limit access to the system and the telecommunication controls over data transmitted to and from the central computer. If unauthorized individuals can access the system at either the division or corporate level, assets and records may be misappropriated. The auditor must also be concerned about the completeness and accuracy of the data sent back and forth between the central (server) and divisional (client) computers.
With networking, the auditor needs to understand the network and the business processes that are affected by the network. The auditor needs assurance that controls limit access to the network and to the data files and databases stored there. Such controls ensure the validity, authorization and completeness of transactions processed.

Electronic data interchange (EDI)
- Allows for the exchange of business data directly between the computers of trading companies.
- It is a paperless way to transfer business data such as orders, delivery notes and invoices.
- Started with standardized formats that are recognised among trading partners in an EDI relationship, until mid-1996. Thereafter, the internet took over as the communication medium.

IT Environment: EDI Systems
Controls
- Access and communication controls
- Authorization procedures
- Disaster prevention and recovery facilities

Audit Procedures:
- Review formal partner and 3rd party agreements
- Review important components of the EDI system
- Review automated control structure and authorized electronic signatures

EDI Benefits
- Business can concentrate on sales and manufacturing, knowing that the retail fulfillment, shipping, and billing aspects are taken care of.
- Reduced paperwork
- Faster turnaround time for each transaction
- Achieving cost reduction

IT Environment: EFT Systems
- Segregation of functions
- Transaction initiation
- Security and integrity controls
- Communication controls
- Maintenance of backup facilities
- Standard recovery procedures at system and application level
- Built-in security features

Concerns of EDI and EFT
Confidentiality: How can we ensure that only the sender and the intended recipient can read the message?
Integrity: How can the recipient know that the contents of the data have not been changed?
Availability: How can the systems be made to operate without any disruption or outage?
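The integrity concern above, and the "record integrity checks" and "digital signatures" named earlier under Audit Procedures, worked through as an added example in Python using only the standard library. This is not code from the lecture or from any EDI product: the purchase-order record, the field name "mac" and the shared key are all constructed for the illustration. A keyed hash (HMAC) is used here because it needs no extra library; a digital signature gives the recipient the same "contents unchanged" assurance, plus non-repudiation, by using the sender's private key to sign and the public key to verify.

```python
# Added example (not from the lecture): a record integrity check for an
# EDI-style transaction record. The sender attaches a tag computed with a
# shared key over a canonical form of the record; the recipient recomputes the
# tag and compares it in constant time. Key, field names and data are
# constructed for illustration.

import hashlib
import hmac
import json

SHARED_KEY = b"example-key-from-trading-partner-agreement"   # constructed, not a real key

def canonical(record):
    """Serialise the record deterministically so both parties hash the same bytes
    regardless of field order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_record(record, key=SHARED_KEY):
    """Return a copy of the record with an integrity tag ("mac") attached."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    signed = dict(record)
    signed["mac"] = tag
    return signed

def verify_record(signed, key=SHARED_KEY):
    """Recompute the tag over everything except the "mac" field and compare.
    Returns True only if the record is intact and was tagged with this key."""
    if "mac" not in signed:
        return False
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])

# Constructed purchase order as exchanged between two trading partners.
PURCHASE_ORDER = {
    "po": "PO-20231", "buyer": "ACME", "seller": "WIDGETS-CO",
    "lines": [{"sku": "W-1", "qty": 40, "price": "12.50"}],
}

def demo():
    """Tag the order, then alter a quantity as if changed in transit.
    Returns (original verifies, altered copy verifies)."""
    signed = sign_record(PURCHASE_ORDER)
    altered = dict(signed)
    altered["lines"] = [{"sku": "W-1", "qty": 400, "price": "12.50"}]
    return verify_record(signed), verify_record(altered)

if __name__ == "__main__":
    ok, altered_ok = demo()
    print("original verifies:", ok, "| altered copy verifies:", altered_ok)
```

Two details matter for an auditor reviewing such a control: the tag must cover a canonical serialisation of the whole record (otherwise a reordered or reformatted but materially identical message fails, and an altered field outside the covered bytes passes), and verification must use a constant-time comparison such as hmac.compare_digest rather than ==.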

Online real time system
Online systems provide immediate responses to an inquiry without changing data files. In a batch environment, transactions are entered as a group, validated, batched onto a transaction file, and run against master files to be updated (online in a batch control environment). With an online, real time system, transactions are entered individually, rather than in batch mode. The master file is changed immediately, although a transaction log is normally generated for control purposes.
Online, real time systems rely heavily on networking and database technology. Examples are ATMs, just-in-time inventory systems, airline reservation systems and optical scanning of purchases in retail stores (point of sale).

Real time system
An online real time system updates the master file directly.
Audit implications
- Auditors need special skills to audit due to the lack of hard copy documents
- Concern over completeness of data captured and processed
- Also concern over authorisation of transactions, which is done by programs, and thus over the integrity of records and accounts

Audit Implications:
Such systems are likely to have fewer source documents in hard copy form, and there may also be no batch type controls to ensure completeness; thus the concern over controls over access to the system is increased. In an online, real time system the auditor must rely more on the entity's controls, and auditing needs to be conducted more continuously.
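The real time update and the completeness concern described above, worked through as an added example in Python (not code from the lecture or from any real system). The ledger, the accounts and the transactions are constructed for the illustration. The application updates the master file immediately and writes the transaction log in the same step, which is the control the slides refer to; the auditor's check rebuilds closing balances from the opening balances plus the log and compares them with the master file, so an update that bypassed the application (and therefore the log) shows up as a difference.

```python
# Added example (not from the lecture): a toy online real time ledger that
# changes the master file immediately and logs each accepted transaction, and
# the auditor's completeness check that reconciles the master file to the
# opening balances plus the log. All accounts and transactions are constructed.

from collections import defaultdict

class RealTimeLedger:
    """Master file plus transaction log. Each accepted transaction updates the
    master file at once and is appended to the log in the same step."""

    def __init__(self, opening_balances):
        self.opening = dict(opening_balances)
        self.master = dict(opening_balances)
        self.log = []

    def post(self, tx_id, account, amount, user):
        """Programmed control: unknown accounts are rejected and not logged."""
        if account not in self.master:
            return False
        self.master[account] += amount
        self.log.append({"id": tx_id, "account": account, "amount": amount, "user": user})
        return True

def reconcile(opening, log, master):
    """Auditor's test: closing balance per the log must equal the master file
    for every account. Returns sorted (account, per log, per master) for
    each difference; an empty list means the log explains the master file."""
    rebuilt = defaultdict(int, opening)
    for entry in log:
        rebuilt[entry["account"]] += entry["amount"]
    accounts = set(rebuilt) | set(master)
    return sorted((acct, rebuilt.get(acct, 0), master.get(acct, 0))
                  for acct in accounts if rebuilt.get(acct, 0) != master.get(acct, 0))

def demo():
    """Returns (differences before, differences after) an unlogged change."""
    ledger = RealTimeLedger({"1000": 500, "2000": 0})
    ledger.post("T1", "1000", 250, "clerk1")
    ledger.post("T2", "2000", -75, "clerk2")
    ledger.post("T3", "9999", 10, "clerk1")      # rejected by the control, no log entry
    clean = reconcile(ledger.opening, ledger.log, ledger.master)
    # A change made directly to the master file outside the application leaves
    # no log entry; the completeness check reports the account.
    ledger.master["1000"] += 1000
    bypassed = reconcile(ledger.opening, ledger.log, ledger.master)
    return clean, bypassed

if __name__ == "__main__":
    before, after = demo()
    print("differences with a complete log:", before)
    print("differences after an unlogged master file change:", after)
```

The check only gives assurance to the extent that the log itself is complete and protected, which is why access controls over the system and the log, not the reconciliation alone, are the auditor's main concern in this environment.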

Intelligent systems, eg expert systems and decision support systems
- Intelligent systems such as credit approval and insurance pricing have an impact on accounting systems
- eg automated loan approval based on predetermined criteria
Audit implication
- Concern with the integrity of the knowledge captured and how decisions are made

Other considerations in the IT environment
- IT Environment - Database Systems
- IT Environment - On-line Computer Systems
- IT Environment - Stand Alone Personal Computers

IT Environment - Database Systems
The practice statement on this topic provides practical assistance to auditors when database systems are used in the production of information that is material to the financial statements. Specifically the statement focuses on:
- Description of database systems and characteristics of such systems
- Internal control in a database environment
- The effect of database systems on the accounting system and related internal controls
- The effect of database systems on audit procedures

IT Environment - On-line Computer Systems
The practice statement on this topic provides practical assistance to auditors when on-line computer systems are used in the production of information that is material to the financial statements. Specifically the statement focuses on:
- Description of what an on-line computer system is
- Characteristics and types of on-line computer systems
- Internal control in on-line computer systems
- The effect of on-line computer systems on the accounting system and related internal controls
- The effect of on-line computer systems on audit procedures

IT Environment - Stand Alone Personal Computers
The practice statement on this topic provides practical assistance to auditors when stand-alone PCs are used in the production of information that is material to the financial statements. Specifically the statement focuses on:
- The usage of stand-alone PCs in the production of information in financial statements
- Internal control in a stand-alone PC environment
- The effect of stand-alone PCs on the accounting system and the related internal controls
- The effect of a stand-alone PC environment on audit procedures

IT Environment - Stand Alone Personal Computers
Assessment of risks of material misstatement
- Environment less structured and more undisciplined
- Different control levels for hardware and software
- Lack of segregation of duties
- Users have little processing knowledge
- Portable hardware and storage media
- Heavy reliance on 3rd party developed software
- Access controls limited to hardware and storage media

IT Environment: Distributed Systems
- Communication controls to preserve the integrity of data from unauthorized access
- High standard for physical access controls
- Prompt corrective recovery

Audit considerations on future trends of IT
Outsourcing to computer service centres / bureaus
- Issues of data ownership by users should be stated in a written contract
- User entity exercises local control
- Control over backup copies of files and documentation
- Need to obtain an understanding of the internal controls of the outsourcing entity
Web based databases

End of Lecture