Chapter 28 - Answer PDF
AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT
Questions
1.
2.
The audit trail is the source documents, journal postings and ledger account
postings maintained by a client in order to keep books. These are a trail of the
bookkeeping (transaction data processing) that the auditor can follow forward
with a tracing procedure or backward with a vouching procedure.
In a manual system this trail is usually visible to the eye with posting
references in the journal and ledger and hard-copy documents in files. But in a
computer system, the posting references may not exist, and the records must be
read using the computer rather than the naked eye. Most systems still have
hard-copy papers for basic documentation, but in some advanced systems even
these might be absent.
4.
The audit trail (sometimes called management trail as it is used more in daily
operations than by auditors) is composed of all manual and computer records
that allow one to follow the sequence of processing on (or because of) a
transaction.
The audit trail in advanced systems may not be in a human-readable form and
may exist for only a fraction of a second.
The first control implication is that concern for an audit trail needs to be
recognized at the time a system is designed. Techniques such as integrated test
facility, audit files and extended records must be specified to the systems
designer. The second control implication is that if the audit trail exists only
momentarily in the form of transaction logs or master records before destructive
update, the external auditor must review and evaluate the transaction flow at
various times throughout the processing period. Alternatively, the external
auditor can rely more extensively on the internal auditor to monitor the audit
trail.
5.
Major characteristics:
1. Staff and location of the computer: operated by small staff located within
the user department and without physical security.
2. Programs: supplied by computer manufacturers or software houses.
3. Processing mode: interactive data entry by users with most of the master
file accessible for inquiry and direct update.
Control Problems:
6.
Auditing through the computer refers to making use of the computer itself to test
the operative effectiveness of application controls in the program actually used
to process accounting data. Thus the term refers only to the proper study and
evaluation of internal control. Auditing with the computer refers both to the
study of internal control (the same as auditing through) and to the use of the
computer to perform audit tasks.
7.
Both are audit procedures that use the computer to test controls that are included
in a computer program. The basic difference is that the test data procedure
utilizes the client's program with auditor-created transactions, while parallel
simulation utilizes an auditor-created program with actual client transactions. In
the test data procedure the results from the client program are compared to the
auditor's predetermined results to determine whether the controls work as
described. In the parallel simulation procedures the results from the auditor
program are compared to the results from the client program to determine
whether the controls work as described.
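The two procedures side by side, as an added example that is not part of the original answer key. The credit-limit control, the "VIP" defect seeded into the stand-in client program, and all transactions are constructed assumptions.

```python
from decimal import Decimal

CREDIT_LIMIT = Decimal("5000.00")  # assumed programmed control: reject amounts above this

def client_program(txn):
    """Stand-in for the client's production program (hypothetical).
    Seeded defect: the limit check is skipped for 'VIP' customers."""
    amount = Decimal(txn["amount"])
    if amount <= 0:
        return "REJECT"
    if amount > CREDIT_LIMIT and txn["cust_class"] != "VIP":
        return "REJECT"
    return "ACCEPT"

def auditor_program(txn):
    """Auditor-created program implementing the control as documented."""
    amount = Decimal(txn["amount"])
    return "ACCEPT" if Decimal("0") < amount <= CREDIT_LIMIT else "REJECT"

def run_test_data(program, test_deck):
    """Test data: auditor-created transactions run through the client's program,
    compared with the auditor's predetermined results. Returns exception ids."""
    return [t["id"] for t, expected in test_deck if program(t) != expected]

def run_parallel_simulation(client, auditor, live_txns):
    """Parallel simulation: actual client transactions run through the auditor's
    program, compared with the client program's results. Returns exception ids."""
    return [t["id"] for t in live_txns if client(t) != auditor(t)]

# Constructed auditor test deck: (transaction, predetermined result)
TEST_DECK = [
    ({"id": "T1", "amount": "100.00", "cust_class": "STD"}, "ACCEPT"),
    ({"id": "T2", "amount": "5000.01", "cust_class": "STD"}, "REJECT"),
    ({"id": "T3", "amount": "-5.00", "cust_class": "STD"}, "REJECT"),
]
# Constructed "actual" client transactions
LIVE_TXNS = [
    {"id": "L1", "amount": "250.00", "cust_class": "STD"},
    {"id": "L2", "amount": "9000.00", "cust_class": "VIP"},
    {"id": "L3", "amount": "4999.99", "cust_class": "STD"},
]

if __name__ == "__main__":
    print("test data exceptions:", run_test_data(client_program, TEST_DECK))
    print("parallel simulation exceptions:",
          run_parallel_simulation(client_program, auditor_program, LIVE_TXNS))
```

The test deck reports no exceptions because it contains no VIP transaction, while the parallel simulation flags L2: a test deck only exercises the conditions the auditor thought to include.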
8.
The test data technique utilizes simulated transactions created by the auditor,
processed by actual programs but at a time completely separate from the
processing of actual, live transactions. The integrated test facility technique is
an extension of the test data technique, but the simulated transactions are
intermingled with the real transactions and run on the actual programs
processing actual data.
9.
11.
Phases
1. Define the audit objectively
2. Feasibility
3. Planning
4. Application design
5. Coding
6. Testing
7. Processing
8. Evaluation
1. a
2. c
3. c
4. d
5. d
6. d
7. c
8. b
9. b
10. d
11. b
12. b
13. c
14. a
15. d
16. b
17. b
18. c
19. d
Cases
1.
a.
The CPA would decide to audit through the computer instead of around
the computer (1) when the computer applications become complex or (2)
when audit trails become partly obscured and external evidence is not
available.
b.
Auditing around the computer would be inappropriate and inefficient in
the examination of transactions when the major portion of the internal
control system is embodied in the computer system and when accounting
information is intermixed with operation information in a computer
program that is too complex to permit the ready identification of data inputs
and outputs. Auditing around the computer will also be ineffective if the
sample of transactions selected for auditing does not cover unusual
transactions that require special treatment.
c.
(1) Test data is usually a set of data in the form of punched cards or
magnetic tape representing a full range of simulated transactions, some
of which may be erroneous, to test the effectiveness of the programmed
controls and to ascertain how transactions would be handled (accepted
or rejected) and if accepted, the effect they would have on the
accumulated accounting data.
(2) The auditor may use test data to gain a better understanding of what the
data processing system does, and to check its conformity to desired
objectives. Test data may be used to test the accuracy of programming
by comparing computer results with results predetermined manually.
Test data may also be used to determine whether errors can occur
without observation and thus test the system's ability to detect
noncompliance with prescribed procedures and methods.
2.
a.
Document retention
IMPACT ON THE INTERNAL CONTROL SYSTEM: In on-line real time
systems and EDI systems, the audit trail is frequently modified in the form
of reduced documentation. To compensate, internal controls should provide
for adequate input editing, as well as some form of transaction log as
documentation at the input stage.
IMPACT ON THE INDEPENDENT AUDIT: In examining internal
control, under these circumstances, the auditor must rely more on
observation, inquiry, and reprocessing of transactions for control testing
purposes, and less on document testing. If documents are retained for only
a short period, the auditor should also consider the feasibility of frequent
visits for both substantive and control testing purposes.
b.
Uniformity of processing
IMPACT ON THE INTERNAL CONTROL SYSTEM: The impact of this
internal control characteristic is to generally strengthen control by
increasing the consistency of processing. Once the proper controls are
installed and tested, processing consistency increases the accuracy of
transaction processing over that which exists in manual systems.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must emphasize
control study and testing at the point of transaction input and processing to
determine that the necessary controls exist and are functioning. Upon
determining that the necessary input and processing controls are in place
and functioning properly, the auditor may elect to perform little or no
document testing.
c.
Concentration of functions
IMPACT ON THE INTERNAL CONTROL SYSTEM: In manual systems,
separation of functional responsibilities provides a double-check for the
purpose of enhancing processing accuracy. In EDP accounting systems,
consistency of processing removes the need for double-check.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must determine
that the necessary input editing controls are in place and functioning to
ensure that transactions are accurately introduced into the processing
stream. Moreover, to ensure checks and balances within the electronic data
processing function, the auditor should study the organizational structure of
the EDP group to ascertain proper separation among the following
functions:
Systems analysis and design
Program design, development, and testing
Computer operations involving data processing
Distribution of EDP output and reprocessing of errors
d.
Test data approach: The auditor prepares simulated input data (both valid
and invalid transactions) that are processed, under the auditor's control, by
the client's processing system.
Advantage: A good way of testing existing controls for proper functioning.
Disadvantage: Difficulty in designing comprehensive test data; Difficulty
in ascertaining whether the programs tested are the same programs used by
the client in processing actual transactions and events during the year.
ITF approach: The auditor creates a fictitious entity within the client's
actual data files, and processes simulated data during live processing by
client. The auditor then compares the results of processing with anticipated
results.
Advantage: Greater assurance that programs tested are programs used by
the client (the approach can be applied at different points in time during the
year).
Disadvantage: Difficult to remove test data from the system without
harming client's files.
Tagging and tracing: This is a technique whereby an identifier or tag is
affixed to a transaction record; and the tag triggers snapshots during the
processing of transactions. Following the tagged transactions through the
system permits the auditor to evaluate the logic of the processing steps and
the adequacy of programmed controls.
Advantage: The use of actual data eliminates the need for removing data
from the client's processing system.
Disadvantage: The auditor analyzes the transactions only after processing
is completed.
SCARF: A systems control audit review file is an audit log used to collect
information for subsequent analysis and review. An imbedded audit
module monitors selected transactions as they pass by specific processing
points. The module then captures the input data so that relevant
information, accessible only by the auditor, is displayed at key points in the
processing system.
Advantage: Utilizes real- rather than simulated-transaction data, and does
not require reversing the entries.
c.
d.
4.
(a) Test decks, also called test data, are sets of computer input data which
reflect a variety of auditor-identified transactions for verification through
actual computer processing to detect invalid processing of results (i.e.,
existing programs run test data). Ideal test data should present the
application under examination with every possible combination of
transactions, master file situations, and processing logic which could be
encountered during actual comprehensive processing. Test data are usually
processed separately from actual data using copies of master files. Test
decks are most feasible when the variety of transactions processing and
controls is relatively limited (i.e., fairly simple files).
Uses include checking and verifying: (1) input transaction validation
routines, error detection, and application system controls, (2) processing
logic, and controls associated with creation and maintenance of master files,
(3) computational routines such as interest and asset depreciation, and (4)
incorporation of program changes.
(b) Parallel simulation consists of the preparation of a separate computer
application that performs the same functions as those used by the actual
application programs. The simulation programs read the same input data as
the application programs, use the same files, and attempt to produce the
same results (e.g., real data run through test programs). These simulated
results are matched with those from the live programs, providing a means
for testing through comparison.
Uses include all those cited for test decks.
(c) The integrated test facility approach permits the introduction of auditor-selected test data into a computer system with actual or live data and then
traces the flow of transactions through the various system processing
functions for comparison to predetermined actual results. An ITF involves
the creation or establishment of a dummy entity (e.g., a branch or
division) to receive the results of the test processing. Therefore,
transactions are processed against the test entity together with actual
transactions. Test data must be removed from the entity's records upon
completion of the test. Uses are identical to the test deck technique.
(d) Tagging and tracing and SCARF are forms of transaction tracking provided
only for auditor-selected computer inputs carrying a special code. If the
capability is provided in the application system in advance, the attachment
of a code to any input transaction can be made to generate a printed
transaction trail for that item following each step of the application
processing.
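A sketch of tagging and tracing writing to a SCARF-style audit file, as an added example that is not part of the original answer key. The tag value "AUD", the three processing steps, and the sample transactions are constructed assumptions.

```python
import copy

AUDIT_TAG = "AUD"  # assumed special code the auditor attaches to selected inputs

class AuditFile:
    """SCARF-style log: collects snapshots for the auditor's later review."""
    def __init__(self):
        self._records = []
    def snapshot(self, step, txn):
        # Deep copy so later processing steps cannot alter what was captured.
        self._records.append({"step": step, "state": copy.deepcopy(txn)})
    def trail(self, txn_id):
        return [r for r in self._records if r["state"]["id"] == txn_id]

def validate(txn):
    txn["valid"] = txn["qty"] > 0 and txn["unit_price"] > 0
    return txn

def price(txn):
    txn["extended"] = txn["qty"] * txn["unit_price"] if txn["valid"] else 0
    return txn

def post(txn, ledger):
    if txn["valid"]:
        ledger[txn["account"]] = ledger.get(txn["account"], 0) + txn["extended"]
    txn["posted"] = txn["valid"]
    return txn

def process(txns, audit_file):
    ledger = {}
    steps = [("validate", validate), ("price", price),
             ("post", lambda t: post(t, ledger))]
    for txn in txns:
        tagged = txn.get("tag") == AUDIT_TAG
        if tagged:
            audit_file.snapshot("input", txn)
        for name, step in steps:
            txn = step(txn)
            if tagged:  # the tag triggers a snapshot after each processing step
                audit_file.snapshot(name, txn)
    return ledger

# Constructed input: A2 and A3 carry the auditor's tag, A1 does not.
SAMPLE = [
    {"id": "A1", "account": "4000", "qty": 2, "unit_price": 150},
    {"id": "A2", "account": "4000", "qty": 3, "unit_price": 200, "tag": "AUD"},
    {"id": "A3", "account": "4100", "qty": 0, "unit_price": 75, "tag": "AUD"},
]
```

Calling `process` on a copy of `SAMPLE` and then `trail("A2")` returns four snapshots (input, validate, price, post), while the untagged A1 is processed normally and leaves no trail.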