
Lect 1 e-audit

1. What is auditing?
Auditing refers to a systematic and independent examination of books, accounts, documents and vouchers of an organization to ascertain how far the financial statements present a true and fair view of the concern.
Elements:
o Systematic procedures are used
o Evidence is obtained - compliance tests (tests of internal controls) and substantive tests
o Determination of materiality for weaknesses found
o Prepare audit report & audit opinion

2. What are the types of auditor?
Internal auditor: often performs tasks which can reduce external audit fees and help to achieve audit efficiency; acts as an independent evaluation function within the organization.
External auditor: primary objective and responsibility is to attest to the fairness of a firm's financial reports; represents the interests of third-party stakeholders.
Government auditor: considered a subset of internal auditors, and employed by federal, state, and local agencies.
Fraud auditor: involves a specialized approach and methodology; the auditor is looking for evidence of fraud with a single purpose: to prove or disprove that a fraud exists.

3. Types of audit
Operational audits: concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance / internal control audit: audit undertaken to confirm whether a firm is following the terms of an agreement (such as a bond indenture), or the rules and regulations applicable to an activity or practice prescribed by an external agency or authority.
Financial audit: examines the reliability and integrity of accounting records (both financial and operating information). It is an independent attestation (examination/evaluation) by a professional regarding the faithful representation of the financial statements.
Info. Sys. audit: reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
Fraud audit: a meticulous review of financial documents, while one searches for the point where the numbers and/or financial statements do not mesh. Fraud audits are done when fraud is suspected.

Page 1 of 31
4. Types of info. sys. auditing (computer related activity)
Audit around the computer
An accounting system is comprised of input, processing, and output. The around-the-computer approach involves only the input & output processes: source documents supplying the input to the system are selected and summarized manually so that they can be compared to the output. The computer is treated as a black box.
Assumption: if the auditor can show that the actual outputs are the correct results to be expected from a set of inputs to the processing system, then the computer processing must be functioning in a reliable manner.
Suitable only under the following conditions:
o The audit trail is complete and visible
o The processing operations are relatively straightforward, uncomplicated and low volume
o Complete documentation, such as DFDs and system flowcharts, is available to the auditor
Limitation: it does not allow the auditor to determine exactly how the computer processing programs handle edit checks and programmed checks.

Audit through the computer
Defined as the verification of controls in a computerized system. It is the process of reviewing and evaluating the internal controls in an electronic data processing system, and should be applied to all complex automated processing systems.
Methods include:
o Test Data
o Integrated Test Facility
o Embedded Audit Module Techniques
o Program Code Checking
o Parallel Processing
o Parallel Simulation
o Controlled Processing
All auditing-through-the-computer techniques provide evidence concerning the level of control risk.

Audit with the computer
The process of using information technology in auditing: the utilization of the computer by an auditor to perform some audit work that otherwise would have to be done manually. Most of the data to be evaluated are already in an electronic format, so the use of information technology is essential to increase the effectiveness and efficiency of auditing.
Potential benefits of using information systems technology in audit:
o Computer-generated working papers are generally more legible and consistent
o Saved time
o Calculations, comparisons, and other data manipulations are more accurately performed
o Analytical review calculations may be more efficiently performed
o Easily generated and analyzed project info.
o Standardized audit correspondence
o Increased cost-effectiveness
o Increased independence from information systems personnel

Lect 2&3
5. What is CAAT
CAATs are any automated audit techniques. Computer Assisted Audit Techniques
(CAATs) are important tools for the IS Auditor in performing audits.
CAATs fall into two general categories:
i. Designed to test controls within the system.
ii. Involves examinations of computerized data- Data file interrogation
6. Types of test controls in CAATs
CAATs in this category are designed to test controls within the system. You are then able to judge how reliable the controls are and how accurate the accounting and other records may be. Techniques (described in more detail later) that are commonly used to review and verify system controls include:

Test Data
Description: Test data are input containing both valid and invalid data.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.
Used to verify the correct operation of a particular program or module, and to confirm the operation of new or amended programs. It can be used to test and verify:
o input validation routines;
o error detection capabilities;
o processing logic and calculations.

Integrated Test Facility (ITF)
Description: ITF involves both the use of test data and the creation of fictitious (made up) records (vendors, employees) on the master files of a computer system.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.
Provides an in-built testing facility through the creation of a dummy department or branch within the normal accounting system; the dummy entity does not interrupt the real operation of the system.

Embedded (fixed) Audit Module Techniques
Description: Special auditing routines included in regular computer programs so that transaction data can be subjected to audit analysis.
Example: Data items that are exceptions to auditor-specified edit tests included in a program are written to a special audit file.
Used with a computer system that handles very high volumes of data. It is an audit application that is permanently resident within the main processing system and is also known as a resident audit monitor.
Audit routines are coded into the system to copy or print data or certain transactions of specified audit interest. The function may be switched on or off by certain inputs from the auditor. Rather than copy or print the transactions, the routines may be set up to tag the relevant transactions, by setting an indicator field in the transaction record, for later audit analysis.
The audit module examines each transaction as it enters the system. Every time a transaction occurs that meets the selection criteria, transaction details are logged before the transaction is allowed to continue for further processing. The audit log file is periodically scanned and analysed, and reports are printed for follow up.
Embedded audit facilities usually have the ability to select transactions that fulfill a range of criteria, which may be altered by amending the selection parameters.
Example: collect copies of all purchase invoices where there is no corresponding purchase order reference.
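As an added illustration (not code from these lecture notes), the Python sketch below models an embedded audit module: the selection criteria are predicates the auditor can amend or switch off at run time, every transaction is examined in line and logged and tagged before processing continues, and a periodic scan of the audit file produces the follow-up report. The transaction fields, the sample transactions and the "over 10K" criterion are constructed for the example; the "invoice without purchase order reference" criterion is the one the notes give.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Transaction:
    """Constructed transaction record; field names are assumptions for this example."""
    tx_id: int
    kind: str                 # e.g. "purchase_invoice"
    amount: float
    po_ref: Optional[str]     # purchase order reference, None when missing
    audit_tag: bool = False   # indicator field set by the module when tagging


# A selection criterion is just a predicate over a transaction.
Criterion = Callable[[Transaction], bool]


class EmbeddedAuditModule:
    """Resident audit monitor: examines every transaction as it enters the system."""

    def __init__(self) -> None:
        self.enabled = True                       # the auditor can switch the routine on/off
        self.criteria: Dict[str, Criterion] = {}  # selection parameters, amendable at run time
        self.audit_log: List[dict] = []           # the special audit file

    def set_criterion(self, name: str, predicate: Criterion) -> None:
        self.criteria[name] = predicate

    def remove_criterion(self, name: str) -> None:
        self.criteria.pop(name, None)

    def examine(self, tx: Transaction) -> Transaction:
        """Log and tag a transaction that meets any criterion, then let it continue."""
        if not self.enabled:
            return tx
        hits = [name for name, pred in self.criteria.items() if pred(tx)]
        if hits:
            tx.audit_tag = True   # tag for later analysis instead of copying the record
            self.audit_log.append(
                {"tx_id": tx.tx_id, "kind": tx.kind, "amount": tx.amount, "criteria": hits}
            )
        return tx


def process_transactions(txs: List[Transaction], module: EmbeddedAuditModule) -> List[Transaction]:
    """The normal processing path with the audit module in line."""
    processed = []
    for tx in txs:
        tx = module.examine(tx)   # details logged before further processing
        processed.append(tx)      # the real system would post the transaction here
    return processed


def scan_audit_log(module: EmbeddedAuditModule) -> Dict[str, List[int]]:
    """Periodic scan of the audit file: transaction ids per criterion, for follow-up."""
    report: Dict[str, List[int]] = {}
    for entry in module.audit_log:
        for name in entry["criteria"]:
            report.setdefault(name, []).append(entry["tx_id"])
    return report


def run_demo() -> Dict[str, List[int]]:
    """Run constructed sample transactions through the module and return the report."""
    # Constructed sample data, not real transactions.
    sample = [
        Transaction(1001, "purchase_invoice", 250.0, "PO-77"),
        Transaction(1002, "purchase_invoice", 9800.0, None),      # no purchase order reference
        Transaction(1003, "purchase_invoice", 15500.0, "PO-78"),  # large amount
        Transaction(1004, "credit_note", 120.0, None),            # not an invoice, not selected
    ]
    module = EmbeddedAuditModule()
    # Criterion from the notes' example: purchase invoices with no purchase order reference.
    module.set_criterion(
        "invoice_without_po", lambda t: t.kind == "purchase_invoice" and t.po_ref is None
    )
    # Second, constructed criterion: unusually large amounts (the threshold is an assumption).
    module.set_criterion("over_10k", lambda t: t.amount > 10_000)
    process_transactions(sample, module)
    return scan_audit_log(module)


if __name__ == "__main__":
    print(run_demo())  # {'invoice_without_po': [1002], 'over_10k': [1003]}
```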
Program Code Review & Comparison
Involves a detailed examination of program coding. It generally involves a fair degree of programming skill, and a thorough knowledge of the program specification.
Utility programs are also available that will compare two versions of a program, and report differences between the two. The differences are checked to ensure that only authorised changes have been made.

Parallel Recording (parallel simulation)
Description: Processing real data through audit programs. The simulated output and the regular output are then compared.
Example: Depreciation calculations are verified by processing the fixed-asset master file with an audit program.
The objective of parallel simulation is to generate an independent program to simulate part of an application. For example, suppose that you want to prove that an interest calculation program works properly, but because of excessively high data volumes you are unable to do this easily. Instead, use real data and write your own interest calculation program. If you run your simulation program against the same source data file, you should obtain the same results.
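The depreciation example above, worked as added Python code (not from the notes): an independent audit routine is run over the same fixed-asset master file that the client's application processed, and each record's simulated charge is compared with the reported ("regular") output, listing exceptions beyond a rounding tolerance. The master file, its field names and the straight-line policy are assumptions; the `simulate` parameter is where an independent interest routine would be plugged in for the interest case.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FixedAsset:
    """One record of a constructed fixed-asset master file (field names are assumptions)."""
    asset_id: str
    cost: float
    salvage: float
    life_years: int
    reported_depreciation: float   # annual charge from the client's application (regular output)


def straight_line(asset: FixedAsset) -> float:
    """Auditor's independent depreciation routine; a straight-line policy is assumed here."""
    return round((asset.cost - asset.salvage) / asset.life_years, 2)


def parallel_simulation(
    master_file: List[FixedAsset],
    simulate: Callable[[FixedAsset], float] = straight_line,
    tolerance: float = 0.01,
) -> Dict[str, object]:
    """Process the same master file through the audit program and compare with the regular output.

    Returns the record count, how many agreed, and one exception per record whose reported
    figure differs from the simulated figure by more than the rounding tolerance.
    """
    exceptions = []
    agreed = 0
    for asset in master_file:
        simulated = simulate(asset)
        difference = round(asset.reported_depreciation - simulated, 2)
        if abs(difference) > tolerance:
            exceptions.append({
                "asset_id": asset.asset_id,
                "simulated": simulated,
                "reported": asset.reported_depreciation,
                "difference": difference,
            })
        else:
            agreed += 1
    return {"records": len(master_file), "agreed": agreed, "exceptions": exceptions}


# Constructed master file, not real client data. A-003 carries a deliberate overstatement;
# A-005 differs only by a rounding cent and should be accepted.
MASTER_FILE = [
    FixedAsset("A-001", 12000.0, 2000.0, 5, 2000.0),
    FixedAsset("A-002", 50000.0, 5000.0, 10, 4500.0),
    FixedAsset("A-003", 9000.0, 0.0, 3, 3600.0),      # simulation gives 3000.00
    FixedAsset("A-004", 7500.0, 500.0, 7, 1000.0),
    FixedAsset("A-005", 1234.57, 0.0, 4, 308.65),     # simulation gives 308.64
]


if __name__ == "__main__":
    result = parallel_simulation(MASTER_FILE)
    print(f"{result['agreed']} of {result['records']} records agree")
    for exc in result["exceptions"]:
        print(exc)
```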
Extended Recording
Description: Modification of programs to collect and store data of audit interest.
Example: A payroll program is modified to collect data pertaining to overtime pay.

Tracing
Description: Tracing provides a detailed audit trail of the instructions executed during the program's operation.
Example: A payroll program is traced to determine if certain edit tests are performed in the correct order.

Review of System Documentation
Description: Existing system documentation such as program flowcharts are reviewed for audit purposes.
Example: An auditor desk checks the processing logic of a payroll program.

Control Flowcharting
Description: Document flowcharts or other graphic techniques are used to describe the controls in a system.
Example: An auditor prepares a document flowchart to review controls in the payroll application system.

7. What is data file interrogation?
Data file interrogation is about using audit software to review information held in computer files, using the computer's speed and reliability to help you cope with the massive volumes of data often involved.
Data files may hold either transaction data or standing data files (eg master files). CAATs are not confined to accounting data alone, but may be used for processing non-accounting files such as journals (or logs) that are created when accounting data is processed.
There are three basic approaches to undertake interrogation of computer held data:
o a traditional interrogation package specifically designed for audit purposes which runs on the computer facility where the data is held, ie the mainframe or minicomputer, where the system being audited runs and holds its data.
o general programming language tools as used in the organisation's IT department and probably in which the system being audited has been developed.
o transfer extracts of the data files that the auditor wishes to interrogate to a PC and analyse the data on the PC using PC tools or possibly a PC based interrogation package designed for audit use.
The sorts of operations that auditors often need to perform on data include:
o selecting particular records;
o searching for duplicate transactions;
o searching for gaps in sequences;
o comparing the contents of two (or sometimes more) files, and printing either record matches (where none should match) or exceptions (where all should match);
o sorting and merging files in preparation for other audit tests (such as file comparisons and gap analysis).
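The five interrogation operations just listed, implemented as added Python (the third approach above: extracts analysed with general tools on a PC; this is not code from the notes). The invoice file, customer master file, blocked-customer list and their field names are constructed for the example; each function is the general operation, and `interrogate()` runs them all over the sample files.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]

# Constructed sales invoice file (not real data); field names are assumptions for this example.
INVOICES: List[Record] = [
    {"invoice": 1001, "customer": "C10", "amount": 250.0},
    {"invoice": 1002, "customer": "C11", "amount": 1200.0},
    {"invoice": 1002, "customer": "C11", "amount": 1200.0},   # duplicate posting
    {"invoice": 1004, "customer": "C12", "amount": 80.0},     # 1003 is missing from the sequence
    {"invoice": 1005, "customer": "C99", "amount": 5100.0},   # customer not on the master file
    {"invoice": 1008, "customer": "C10", "amount": 16500.0},  # 1006-1007 are missing
]

# Constructed standing data: the customer master file and a list of blocked accounts.
CUSTOMER_MASTER: List[Record] = [
    {"customer": "C10", "credit_limit": 20000.0},
    {"customer": "C11", "credit_limit": 5000.0},
    {"customer": "C12", "credit_limit": 1000.0},
]
BLOCKED_CUSTOMERS: List[Record] = [{"customer": "C12"}]


def select_records(records: List[Record], predicate: Callable[[Record], bool]) -> List[Record]:
    """Select particular records, e.g. all invoices above a value."""
    return [r for r in records if predicate(r)]


def find_duplicates(records: List[Record], key_fields: List[str]) -> List[Tuple]:
    """Search for duplicate transactions: key values that occur more than once."""
    counts = Counter(tuple(r[f] for f in key_fields) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def find_sequence_gaps(records: List[Record], field: str) -> List[Tuple[int, int]]:
    """Search for gaps in a numeric sequence; returns (first_missing, last_missing) ranges."""
    numbers = sorted({int(r[field]) for r in records})
    gaps = []
    for current, following in zip(numbers, numbers[1:]):
        if following - current > 1:
            gaps.append((current + 1, following - 1))
    return gaps


def compare_files(left: List[Record], right: List[Record], key: str, expect_match: bool) -> List:
    """Compare two files on a key field.

    expect_match=True  -> report exceptions: keys in `left` with no match in `right`
                          (where all should match, e.g. invoice customers vs. master file).
    expect_match=False -> report matches: keys present in both (where none should match,
                          e.g. invoice customers vs. blocked accounts).
    """
    left_keys = {r[key] for r in left}
    right_keys = {r[key] for r in right}
    return sorted(left_keys - right_keys) if expect_match else sorted(left_keys & right_keys)


def sort_and_merge(files: List[List[Record]], key: str) -> List[Record]:
    """Sort and merge several files on one key in preparation for comparisons or gap analysis."""
    return sorted((r for f in files for r in f), key=lambda r: r[key])


def interrogate() -> Dict[str, object]:
    """Run the usual interrogation operations over the constructed files."""
    return {
        "large": [r["invoice"] for r in select_records(INVOICES, lambda r: r["amount"] > 15000)],
        "duplicates": find_duplicates(INVOICES, ["invoice", "customer", "amount"]),
        "gaps": find_sequence_gaps(INVOICES, "invoice"),
        "no_master": compare_files(INVOICES, CUSTOMER_MASTER, "customer", expect_match=True),
        "blocked_hits": compare_files(INVOICES, BLOCKED_CUSTOMERS, "customer", expect_match=False),
    }


if __name__ == "__main__":
    for name, result in interrogate().items():
        print(f"{name}: {result}")
```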

8. What is GAS & its functions?
GAS = Generalised audit software
GAS is audit software that has been specifically designed to allow auditors to perform audit-related data processing functions.
Example: An auditor uses GAS to search computer files for unusual items.
Functions:
o Extracting data from files
o Calculating with data
o Summarizing data
o Analyzing data
o Reorganizing data
o Selecting sample data for testing
o Gathering statistical data
o Printing confirmation requests, analyses, and other outputs
Advantages:
o The languages are easy to use
o Require little EDP background
o Compatible with any computer because it is hardware-independent; it can be used to audit the data files of many different applications
o Allow auditors to access computer-readable records for a wide variety of applications and organizations
o Enable auditors to examine much more data than could be examined through manual means
o Rapidly and accurately perform a variety of routine audit functions, including the statistical selection of samples
o Reduce dependence on non-auditing personnel for performing routine functions like summarizing data, thereby enabling auditors to maintain better control over the audit
o Require only minimal computer knowledge on the part of the auditor
Disadvantages:
o They do not directly examine the application's programs and programmed checks
o They cannot replace audit-through-the-computer techniques

9. Effectiveness & efficiency in CAATs


The effectiveness and efficiency of auditing procedures may be improved
by using CAATs to obtain and evaluate audit evidence.
CAATs are often an efficient means of testing a large number of
transactions or controls over large populations by:
(a) analysing and selecting samples from a large volume of
transactions;
(b) applying analytical procedures; and
(c) performing substantive procedures.
Matters relating to efficiency that an auditor might consider include:
(a) the time taken to plan, design, execute and evaluate a CAAT;
(b) designing and printing of forms (for example, confirmations);
and
(c) availability of computer resources.

Lect 5
10. What is audit risk?
Risk: the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems.
Error risk: the risk of errors occurring in the area being audited.
Exposure: the potential loss to an area due to the occurrence of an adverse event.
Audit risk: the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated; the risk of giving an incorrect audit opinion.

11. How does the auditor use the risk assessment?
Risk assessment, in combination with other audit techniques, should be considered in making planning decisions such as:
- The nature, extent, and timing of audit procedures
- The areas or business functions to be audited
- The amount of time and resources to be allocated to an audit

12. What is the risk-based audit approach?
The risk-based approach to auditing provides auditors with a clear understanding of the errors and irregularities that can occur and the related risks and exposures. This understanding provides a sound basis for developing recommendations to management on how the AIS control system should be improved.
The four-step approach to internal control evaluation:
1. Determine the threats facing the AIS.
2. Identify the control procedures that should be in place to minimize each threat.
3. Evaluate the control procedures.
4. Evaluate weaknesses (errors and irregularities not covered by control procedures).

13. What are the 3 types of risk?
Inherent risk: associated with the unique business or industry characteristics.
- Susceptibility of an audit area to error which could be material.
- In assessing the inherent risk, the IS Auditor should consider both pervasive and detailed IS controls.
  Pervasive IS Controls: general controls which are designed to manage and monitor the IS environment and which therefore affect all IS-related activities.
  Detailed IS Controls: controls over the acquisition, implementation, delivery and support of IS systems and services.

Control risk: flawed because controls are either absent or inadequate to prevent or detect errors in accounts.
- The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system.

Detection risk: the risk that the auditor is willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
- Detection risk is the risk that the IS Auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors.

14. What is audit risk model


Audit Risk is the product of the Inherent Risk by the Control Risk by the
Detection Risk. This is normally abbreviated to:
AR = IR x CR x DR (Note: Maximum Risk is assessed as 1)
In order to make use of the model we
1. need to realise that only some elements of the model are within the
auditors control. In particular the auditor can do nothing about the
Inherent Risk and the Control Risk. He can assess them but cannot
change them. The auditor can, however, decide what level of overall
Audit Risk he wishes to take. Naturally this will normally be quite low:
usually about 5% is considered acceptable. So now we have
.05 = IR x CR x DR
2. Theoretically, the auditor can make Detection Risk as low as he
pleases. To eliminate risk altogether the auditor simply has to check
every transaction, every asset and every liability! Of course, in practice
this is usually just not possible.
3. The usefulness of this model is that it allows the auditor to set
quantitative values on Inherent Risk and Control Risk.
4. In other words, the auditor will need to do less substantive testing if
the Inherent Risk and/or the Control Risk are low. If, for example, the
system of internal control is good then the Control Risk will be low
leading to less substantive testing.
5. The auditor has decided that an overall Audit Risk of 5% is acceptable,
that the Inherent Risk is 80% and the Control Risk is 50%. We have:
0.05 = 0.5 x 0.8 x DR
therefore DR = 0.05 / (0.5 x 0.8)
DR = 0.125 or 12.5%
6. The auditor now knows that he can afford to take a 12.5% chance of
not detecting an error during the substantive testing. Conversely he
needs 87.5% assurance that the substantive testing will pick up all
material errors. He can use this information in conjunction with
statistical sampling techniques (which are outside the scope of this
article) so as to determine appropriate sample sizes for the purposes of
substantive testing.
Lec 4
15. 4 types of audit evidence
Observed: observations of activities, property and information systems functions.
Documentary: audit evidence recorded on paper or other media, can include:
- Results of data extractions
- Records of transactions
- Invoices
- Activity and control logs
Representations: representations of those being audited can be audit evidence, such as:
- Written policies and procedures
- System flowcharts
- Written or oral statements
Analysis: results obtained through comparisons, simulations, calculations and reasoning can also be used as audit evidence.
16. What are the assertions of audit evidence?

17. What constitutes sufficient & appropriate evidence?
During the course of the audit, the Auditor of a Computer Based Information System (CBIS) is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively.
When external auditors are employed to express an opinion on the financial statements of an entity, they must also ensure that they have sufficient appropriate evidence on which to base such an opinion.
What constitutes sufficient appropriate evidence?
Sufficiency, as applied to audit evidence, is the measure of the quantity of evidence.
Appropriateness is the measure of the quality (reliability) of audit evidence and its relevance to a particular assertion.
Whilst sufficiency and appropriateness are interrelated, various factors including risk of misstatement and materiality need to be considered when judging what is sufficient appropriate audit evidence. However, it is not practical for auditors to search endlessly for audit evidence. There are two major constraining factors in this respect:
Time: an audit timetable is normally agreed with the management of the entity giving a deadline date for the conclusion of the audit.
Cost: the fee for an audit assignment is normally agreed in advance. Thus, effective use of audit resources is crucial if commercial viability is to be maintained.

18. What are the audit tests in a computer based info. sys. (CBIS)?
In a CBIS environment, the data needed to perform audit tests are contained in computer files that must be extracted using specialized audit software.
Methods for auditing computer applications:
1) techniques for testing application controls - compliance testing
2) techniques for examining transaction details and account balances - substantive testing
3) Audit Sampling
4) Analytical Procedures
19. What are the methods of gathering evidence?
- Inspection;
- Observation;
- Enquiry and confirmation;
- Computation;
- Analytical procedures;
- Reperformance;
- Monitoring.
20. What is compliance testing?
Compliance tests are defined as those tests which seek to provide audit evidence on both the effectiveness of the controls and that internal control procedures are being applied as prescribed.
o Eg Internal Control Questionnaire
Auditors test internal controls in order to establish whether they are operating effectively throughout the period under review. If controls are operating effectively, auditors can reduce the level of substantive testing on transactions and balances that would otherwise be required.

21. How does the auditor deal with control failure?
Where there is a breakdown in internal controls it is also necessary to reassess the auditor's preliminary risk assessment.
Abandoning tests of control may place strains on the budget for the audit, and auditors should always consider the possibility of compensating controls before abandoning tests of controls.
Tests of controls enable the auditor to establish whether a control system in operation is effective. If properly designed controls are operating as prescribed, auditors can reduce the level of substantive testing required at the period-end.

22. What is an analytical procedure & how to apply it?
Analytical procedures concern not only analysis (of ratios, trends and relationships) but also the investigation of fluctuations. The analysis usually considers both:
o comparisons: compare with prior year; budget & forecast; industry average
o relationships: between elements of financial info (gross profit %), and between financial & non-financial info (hotel revenue to room occupancy)

23. Types of analytical procedure?
o trend analysis (e.g., graphical time series, monthly turnover and regression analysis);
o ratio analysis (financial ratios); and
o reasonableness tests (also called proof in total; an independent check on the total value of a population, most useful for income and expenditure accounts, e.g. payroll).

Lec 6
24. How does the auditor extract an audit sample?
The objective of sampling is an unbiased selection of items from a larger population that enables the observer to draw mathematically valid conclusions about the population as a whole from the items sampled. Two conditions must be satisfied:
o the population must be homogeneous
o individual items must be selected on a completely random basis

25. How to determine the level of confidence in audit sampling
o The auditor's previous experience of the particular area being audited
o Results of earlier audits of internal controls
o The materiality of the items concerned

26. 4 types of sampling technique
Interval or systematic sampling: i) random number selection; ii) random interval selection (every 5th transaction).
Random sampling
Stratified sampling: Exp: the transactions above 15K must be 100% tested; select the largest amounts as a sample since they represent a bigger percentage.
Cluster sampling: selection of sample items by breaking the population down into groups. Each group is then treated separately.
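The stratified, random number and random interval techniques above, combined in added Python (not from the notes): items above the 15K threshold go into the 100% stratum, and the remainder is sampled both by seeded random number selection and by systematic selection with a random start. The transaction population is constructed, the seed is an assumption that makes the selection reproducible for the working papers, and the 5-item/5th-transaction parameters follow the notes' example.

```python
import random
from typing import Dict, List, Tuple

Item = Dict[str, float]


def constructed_population(count: int, seed: int) -> List[Item]:
    """Constructed transaction population (not real data): every 10th item is a large amount."""
    rng = random.Random(seed)
    population = []
    for i in range(1, count + 1):
        amount = rng.randint(15001, 40000) if i % 10 == 0 else rng.randint(100, 14999)
        population.append({"id": i, "amount": float(amount)})
    return population


def stratify(population: List[Item], threshold: float) -> Tuple[List[Item], List[Item]]:
    """Stratified sampling: items above the threshold (15K in the notes) are tested 100%."""
    above = [it for it in population if it["amount"] > threshold]
    below = [it for it in population if it["amount"] <= threshold]
    return above, below


def random_number_selection(population: List[Item], size: int, seed: int) -> List[Item]:
    """Random number selection: every item has an equal chance; the seed keeps it reproducible."""
    rng = random.Random(seed)
    positions = rng.sample(range(len(population)), size)
    return [population[p] for p in sorted(positions)]


def random_interval_selection(population: List[Item], interval: int, seed: int) -> List[Item]:
    """Random interval (systematic) selection: random start in the first interval, then every nth item."""
    rng = random.Random(seed)
    start = rng.randrange(interval)
    return population[start::interval]


def build_sample(
    population: List[Item], threshold: float, size: int, interval: int, seed: int
) -> Dict[str, List[Item]]:
    """Combine the techniques: 100% of the high stratum, then random and systematic samples of the rest."""
    above, below = stratify(population, threshold)
    return {
        "tested_100pct": above,
        "random": random_number_selection(below, size, seed),
        "systematic": random_interval_selection(below, interval, seed),
    }


if __name__ == "__main__":
    sample = build_sample(constructed_population(50, seed=1), 15000, size=5, interval=5, seed=7)
    for stratum, items in sample.items():
        print(stratum, [it["id"] for it in items])
```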

Lec 7
27. What is audit documentation & its importance?
'Documentation' or 'working papers' means the material prepared or obtained and retained by the auditor in performing the audit. It may be in the form of data stored on paper, film, electronic or other media.
Its importance:
o to document matters which are important in supporting the audit opinion; and
o to evidence that the audit was carried out in accordance with auditing standards.
Documentation also provides guidance for planning future audits and for familiarizing new staff, thereby saving time and cost.

28. What are the contents of audit documentation?


In summary, working papers provide a record of:
(a) planning and performance of the audit (including the nature,
timing and extent of audit procedures);
(b) supervision and review of audit work;
(c) audit evidence (including oral representations) obtained to support
the audit opinion (including conclusions drawn).

Permanent Audit Files (PAF) and Current Audit Files (CAF)


For recurring audit engagements it is usual for documentation which is
of continuing importance (i.e., `permanent') to be filed separately from
information relating primarily to the audit of a single period (i.e.,
`current').
General correspondence files are also likely to be maintained for each
client although the engagement letter, management (weakness) letter
and letters providing evidence (such as the bank report for audit
purposes and management representation letter) will be filed on the
current audit file.

29. What is the audit standard model?
1. agree the opening balance with the previous year's audit working papers to ensure that last year's audit adjustments were properly recorded in the books;
2. scrutinise ledger balances for unusual entries such as large entries from unusual sources, especially those close to the year end;
3. check schedules provided by the entity, such as a list of debtors, to and from the records to ensure they are complete and accurate;
4. undertake analytical procedures;
5. perform tests of details of transactions;
6. perform tests of details of balances;
7. carry out a technical review on presentation and disclosure to ensure that it is in accordance with regulatory requirements.

30. 3 types of documentation technique
(1) Narrative notes: written descriptions require little formal training and are best suited to small, simple systems descriptions or to explain peripheral aspects of larger systems not dealt with by other techniques (e.g., the issue of credit notes).
(2) Flowcharts: visual descriptions highlight controls and are easy to understand by a trained user. However, different audit firms and their clients use different types (e.g., documentation flowcharts, information flowcharts and overview flowcharts).
(3) Questionnaires: internal control questionnaires (ICQs) are designed to indicate which parts of a system are strong or weak and so make a preliminary assessment of the extent to which the auditor seeks to place reliance (if any) on internal controls. The form and extent of this documentation is influenced by such factors as:
o size and complexity of entity;
o nature of accounting and internal control system (e.g., manual or computerised);
o auditors' intended reliance on internal controls;
o whether prepared by client (e.g., internal audit department) or external auditor;
o ease of preparation and/or updating.

Lec 9
31. What is database
A database is a collection of data that is shared and used by many
different users for different purposes. Each user may not necessarily be
aware of all the data stored in the database, or of the ways that the data
may be used for multiple purposes. Generally, individual users are aware
only of the data that they use and may view the data as computer files
utilised by their applications.
Database systems consist principally of two components: the database
and the database management system (DBMS). Database systems
interact with other hardware and software aspects of the overall computer
system.

Databases may be structured as flat file databases, or as relational databases.
In a flat file database, all the data concerning one record are stored as
part of that record. With a relational database, data are stored as a series
of tables, with links between the tables as necessary.
Relational databases minimise the duplication of stored data, as data
shared by more than one record need to be stored only once.

32. What is a database management system (DBMS)?
The software that creates, maintains and operates the database is referred to as DBMS software. Together with the operating system, the DBMS facilitates the physical storage of the data, maintains the interrelationships between the data, and makes the data available to application programs.
It also provides controlled access methods to establish basic security measures over the data. Usually, the DBMS software is supplied by a commercial vendor but will need to be adapted to the entity's needs.

33. Characteristics of a database system?
a. data sharing
i) A database is composed of data set up with defined
relationships and organised to permit many users to use
the data in different application programs. Individual
applications share the data in the database for different
purposes.
ii) For example, an inventory item unit cost maintained by
the database may be used by one application program
to produce a cost of sales report and by another
program to prepare an inventory valuation

b. data independence.
i) The DBMS records the data once for use by various
application programs. This creates a need for data
sharing and a need for data independence from
application programs.
ii) In non-database systems, separate data files are
maintained for each application. Similar data used by
several applications may be repeated in several different
files. In a database system, however, a single file of data
(or database) is used by many applications, with data
redundancy kept to a minimum.

34. Internal control in database environment


In database systems, general controls normally have a greater influence
than application controls because of data sharing, data independence and
other characteristics of database systems. The general controls of
particular importance in a database environment can be classified into the
following groups:
(a) standard approach for development and maintenance of
application programs;
    (i) definition standards are established and monitored for
    compliance;
    (ii) data backup and recovery procedures are established and
    implemented to ensure database availability;
    (iii) various levels of access control for data items, tables and
    files are established to prevent inadvertent or unauthorised
    access;
    (iv) controls are established to ensure accuracy, completeness
    and consistency of data elements and relationships in the
    database;
    (v) database restructuring procedures are followed.
(b) data model and data ownership;
The database administrator needs to ensure there is a clear
and definite assignment of responsibility for the accuracy and
integrity of each item of data. A single data owner should be
assigned responsibility for defining access and security rules,
such as who can use the data (access) and what functions
they can perform (security).
For example, the credit manager may be the designated
owner of a customer's credit limit and would be responsible
for determining the authorised users of that information. If
several individuals are able to make decisions affecting the
accuracy and integrity of given data, the likelihood increases
of the data becoming corrupted or improperly used.
(c) access to the database;
User access to the database can be restricted through access
controls. These restrictions apply to individuals, terminal
devices and programs.
For passwords to be effective, adequate procedures are
required for changing passwords, maintaining the secrecy of
passwords, and reviewing and investigating attempted
security violations.
Relating passwords to defined terminal devices, programs
and data helps to ensure that only authorised users and
programs can access, amend or delete data.
For example, the credit manager may give sales clerks
authority to refer to a customer's credit limit, whereas a
warehouse clerk might not have such authorisation.
(d) segregation of duties;
(e) data resource management; and
(f) data security and database recovery.
Databases are likely to be used by people in many different
parts of an entity's operations. This means that many parts of
the entity would be affected if the data were unavailable or
contained errors.
Accordingly, the general controls for data security and
database recovery assume a high level of importance in
database systems.
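The data ownership and access rules in (b) and (c) above, worked as an access control matrix in Python. This is an added illustration, not code from the notes; the user ids, role names and the `customer_credit_limit` data item are constructed assumptions.

```python
"""Data ownership and an access control matrix, as an added illustration of
section 34 (b) and (c). Constructed example: user ids, roles and the
'customer_credit_limit' data item are assumptions, not from any real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

READ, UPDATE, DELETE = "read", "update", "delete"


@dataclass
class DataItem:
    name: str
    owner: str                      # the single user responsible for this item
    rules: Dict[str, Set[str]] = field(default_factory=dict)  # role -> functions


class AccessControlMatrix:
    """Rows are roles, columns are data items, cells are permitted functions."""

    def __init__(self) -> None:
        self.items: Dict[str, DataItem] = {}
        self.user_roles: Dict[str, str] = {}
        self.violations: List[str] = []    # denied attempts, kept for review

    def register(self, item: DataItem) -> None:
        self.items[item.name] = item

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles[user] = role

    def grant(self, requester: str, item_name: str, role: str,
              functions: Set[str]) -> None:
        """Only the designated data owner may define who can use the item."""
        item = self.items[item_name]
        if requester != item.owner:
            raise PermissionError(f"{requester} does not own {item_name}")
        item.rules.setdefault(role, set()).update(functions)

    def check(self, user: str, item_name: str, function: str) -> bool:
        """Return True if the user's role permits the function; log denials."""
        role = self.user_roles.get(user, "")
        item = self.items.get(item_name)
        allowed = item is not None and function in item.rules.get(role, set())
        if not allowed:
            self.violations.append(
                f"DENIED {user} ({role or 'no role'}) {function} {item_name}")
        return allowed


def build_example() -> AccessControlMatrix:
    """The credit-limit scenario from the notes, with constructed user ids."""
    acm = AccessControlMatrix()
    acm.register(DataItem("customer_credit_limit", owner="credit.mgr"))
    acm.assign_role("credit.mgr", "credit_manager")
    acm.assign_role("sales.clerk1", "sales_clerk")
    acm.assign_role("wh.clerk1", "warehouse_clerk")
    # The owner decides: sales clerks may refer to the limit, only the credit
    # manager may change it; warehouse staff get no rule at all.
    acm.grant("credit.mgr", "customer_credit_limit", "sales_clerk", {READ})
    acm.grant("credit.mgr", "customer_credit_limit", "credit_manager",
              {READ, UPDATE})
    return acm


if __name__ == "__main__":
    acm = build_example()
    for user, fn in [("sales.clerk1", READ), ("sales.clerk1", UPDATE),
                     ("wh.clerk1", READ), ("credit.mgr", UPDATE)]:
        ok = acm.check(user, "customer_credit_limit", fn)
        print(f"{user:12} {fn:6} -> {'allowed' if ok else 'denied'}")
    print("\n".join(acm.violations))   # the violation log an auditor reviews
```

The violation log is the record that the "reviewing and investigating attempted security violations" procedure would examine.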

35. The effect of databases on the AIS and internal control


Database systems typically provide the opportunity for greater reliability
of data than non-database systems.
(a) Improved consistency of data is achieved because data are
recorded and updated only once, rather than being stored in several
files and updated at different times and by different programs.

(b) Integrity of data will be improved by effective use of facilities
included in the DBMS, such as recovery/restart routines, generalised
edit and validation routines, and security and control features.
(c) Other functions available with the DBMS can facilitate control
and audit procedures. These functions include report generators,
which may be used to create balancing reports, and query
languages, which may be used to identify inconsistencies in the
data.

Conversely, the risk of misstatement may increase if database systems
are used without adequate controls.
In a typical non-database environment, controls exercised by individual
users may compensate for weaknesses in general controls. In a database
system, however, individual users cannot always compensate for
inadequate database administration controls.
For example, accounts receivable personnel cannot effectively control
accounts receivable data if other personnel are not restricted from
modifying accounts receivable balances in the database.

36. Effect of databases on audit procedures


Audit procedures in a database environment will be affected principally by
the extent to which the accounting system uses the data in the database.
To obtain an understanding of the database control environment and the
flow of transactions, the auditor may consider the effect of the following on
audit risk in planning the audit.
(a) The relevant access controls. People outside the traditional
accounting function may use the databases, and the auditor
considers the access controls over accounting data and all those
who may have access to it.
(b) The DBMS and the significant accounting applications using the
database. Other applications within the entity may generate or alter
data the accounting applications use. The auditor considers how the
DBMS controls these data.
(c) The standards and procedures for development and
maintenance of application programs using the database.
Databases, especially those on stand-alone computers, may often
be designed and implemented by people outside the IT or
accounting functions. The auditor considers how the entity controls
the development of these databases.
(d) The data resource management function. This function plays an
important role in maintaining the integrity of data stored on the
database.
(e) Job descriptions, standards and procedures for those individuals
responsible for technical support, design, administration and
operation of the database. With database systems, it is likely that a
wider range of individuals have significant data responsibilities than
would be the case with non-database systems.

(f) The procedures used to ensure the integrity, security and
completeness of the financial information contained in the
database.
(g) The availability of audit facilities within the DBMS.
(h) The procedures used to introduce new versions of the database
into operation.

When determining the extent of reliance on internal controls related to
the use of databases in the accounting system, the auditor may consider
how the controls are used. If the auditor subsequently decides to rely on
those controls, the auditor designs and performs appropriate tests.

37. Types of computer network


A network is a group of computers connected together that allows users to
share information and equipment.
The global networks used by many companies to conduct electronic
commerce and to manage internal operations consist of two components:
1. Private portion, owned or leased by the company (intranet)
Local area network (LAN)
A Local Area Network, or LAN, is a collection of
computers, terminals, printers, scanners and
other devices linked together by cable or other
medium. Some of the computers will be
workstations and some will be servers. The
servers will hold data files that can be shared by
network users subject to access privileges.
The LAN is generally owned by the user
organisation; it is hard-wired and will have very
limited or no access to other networks.

Wide area network (WAN)
A Wide Area Network, or WAN, is a collection of
computers and other devices, as for a LAN, but
one that takes the local organisation beyond the
narrow geographical confines of a LAN into a
wider system. In practice a WAN is typically
made up by creating connections between a
number of local LANs.
The connections of the network could be
between other offices of the organisation if it
has geographically dispersed sites around the
country or in other countries around the world.
Alternatively the organisation may also wish to
connect to other organisations' networks or to
connect to public services such as the Internet.
2. The Internet

38. Characteristics of online/network systems

Users may have on-line access to the system that enables them to
perform various functions (for example, to enter transactions and to read,
change or delete programs and data files through the terminal devices).
Unlimited access to all of these functions in a particular application is
undesirable because it provides the user with the potential ability to make
unauthorised changes to the data and programs.
Unlimited access precludes segregation of duties and allows users access
to all stages of processing and recording a transaction.

An on-line computer system may be designed not to provide
supporting documents for all transactions entered into the system. Such a
system must be able to provide details of the transactions on request or
by transaction logs or other means.
Examples of these types of systems include orders received by a
telephone operator who enters them on-line without written purchase
orders, and cash withdrawals from automated teller machines.

Programmers may have on-line access to the system that enables
them to develop new programs and modify existing programs.
Unrestricted access provides the programmer with the potential to make
unauthorised changes to programs and obtain unauthorised access to
other parts of the system and would represent a serious control weakness.

39. Effect of network/online systems on audit procedures


Audit procedures performed concurrently with on-line processing
may include tests of the controls over the on-line applications.
For example, this may be by means of entering test transactions through
the on-line terminal devices or by the use of audit software. These tests
may be used either to confirm the auditor's understanding of the system
or to test controls such as passwords and other access controls.
Where the entity permits access through the Internet, audit procedures
can include tests of firewalls and other authorisation and access controls,
as well as tests of transaction processing. To avoid the inadvertent
corruption of client records, the auditor reviews concurrent procedures
with appropriate client personnel and obtains approval before conducting
the tests.

Procedures carried out during the planning stage may include the
following:
(a) the participation on the audit team of individuals with technical
proficiency in on-line computer systems and related controls;
(b) identification of any new remote access facilities; and
(c) preliminary determination, during the risk assessment process,
of the impact of the system on the audit procedures.

Procedures performed after processing has taken place may include the
following:
(a) tests of controls over transactions logged by the on-line system
for authorisation, completeness and accuracy;

(b) substantive procedures covering transactions and processing
results rather than tests of control, where the former may be more
cost-effective or where the system is not well-designed or
controlled; and
(c) reprocessing transactions as either a test of control or a
substantive procedure.

What are the 6 components and audit objectives?

Objective (1): Overall security
Types of security errors and fraud faced by companies:
Accidental or intentional damage to system
assets.
Unauthorized access, disclosure, or modification
of data and programs.
Theft.
Interruption of crucial business activities.
Control procedures to minimize security errors
and fraud:
Developing an information security/protection
plan.
Restricting physical and logical access.
Encrypting data.
Protecting against viruses.
Implementing firewalls.
Instituting data transmission controls.
Preventing and recovering from system failures or
disasters, including:
Designing fault-tolerant systems.
Preventive maintenance.
Backup and recovery procedures.
Disaster recovery plans.
Adequate insurance.
Audit Procedures: Systems Review

Inspecting computer sites.
Interviewing personnel.
Reviewing policies and procedures.
Examining access logs, insurance policies, and
the disaster recovery plan.
Audit Procedures: Tests of Controls
Auditors test security controls by:
Observing procedures.
Verifying that controls are in place and
work as intended.
Investigating errors or problems to ensure
they were handled correctly.
Examining any tests previously performed.
One way to test logical access controls is to try to
break into a system.
Compensating Controls
If security controls are seriously deficient, the
organization faces substantial risks.
Partial compensation for poor computer security
can be provided by:
Sound personnel policies
Effective segregation of incompatible
duties
Effective user controls, so that users can
recognize unusual system output.
These compensations aren't likely to be enough,
so auditors should strongly recommend that
security weaknesses be corrected.

Objective (2): Program development & acquisition
Types of errors and fraud:
Two things can go wrong in program development:
Inadvertent errors due to careless
programming or misunderstanding
specifications; or
Deliberate insertion of unauthorized
instructions into the programs.
Control procedures:
The preceding problems can be controlled by
requiring:
Management and user authorization and
approval
Thorough testing
Proper documentation
Audit Procedures: Systems Review
The auditors role in systems development should
be limited to an independent review of system

development activities.
To maintain necessary objectivity for
performing an independent evaluation, the
auditor should not be involved in system
development.
During the systems review, the auditor
should gain an understanding of
development procedures by discussing
them with management, users, and IS
personnel.
The auditor should also review policies, procedures, standards, and
documentation for systems and programs.
Audit Procedures: Tests of Controls
To test systems development controls, auditors
should:
Interview managers and system users.
Examine development approvals.
Review the minutes of development team
meetings.
Thoroughly review all documentation
relating to the testing process and
ascertain that all program changes were
tested.
Examine the test specifications, review the
test data, and evaluate the test results.
If results were unexpected, ascertain
how the problem was resolved.
Compensating Controls
Strong processing controls can sometimes
compensate for inadequate development
controls.
If auditors rely on compensatory processing
controls, they should obtain persuasive
evidence of compliance.
Use techniques such as independent
processing of test data to do so.
If this type of evidence can't be obtained,
they may have to conclude there is a
material weakness in internal control.
Objective (3): Program modification
Types of errors and fraud:
Same as those that can occur during program development:
Inadvertent programming errors
Unauthorized programming code
Control Procedures
When a program change is submitted for
approval, a list of all required updates should be

compiled by management and program users.
Changes should be thoroughly tested and
documented.
During the change process, the developmental
version of the program must be kept separate
from the production version.
When the amended program has received final
approval, it should replace the production version.
Changes should be implemented by personnel
independent of users or programmers.
Logical access controls should be employed at
all times.
Audit Procedures: System Review
During systems review, auditors should:
Gain an understanding of the change
process by discussing it with management
and user personnel.
Examine the policies, procedures, and
standards for approving, modifying, testing,
and documenting the changes.
Review a complete set of final
documentation materials for recent
program changes, including test
procedures and results.
Review the procedures used to restrict logical access to the
developmental version of the program
Audit Procedures: Tests of Controls
An important part of these tests is to verify
that program changes were identified, listed,
approved, tested, and documented.
This requires that the auditor observe how
changes are implemented to verify that:
Separate development and production
programs are maintained; and
Changes are implemented by someone
independent of the user and programming
functions.
The auditor should review the development
program's access control table to verify that only
those users assigned to carry out modification
had access to the system.
To test for unauthorized program changes,
auditors can use a source code comparison
program to compare the current version of the
program with the original source code.
Any unauthorized differences should
result in an investigation.

If the difference represents an
authorized change, the auditor can refer to
the program change specifications to
ensure that the changes were authorized
and correctly incorporated.
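The source code comparison described above, worked in Python as an added example (not code from the notes). It compares the production copy of each program with the auditor's verified baseline and reconciles every difference to the approved change register; the programs, their contents and the change id `CR-0417` are constructed inline so the script runs offline.

```python
"""Source code comparison against an approved change register, as an added
example of the test for unauthorized program changes (not from the notes).
Baseline copies, production copies and the change register are constructed;
in practice the baseline is the auditor's verified copy and the register is
the entity's change-approval record."""
import difflib
import hashlib
from typing import Dict, List, Tuple


def digest(source: str) -> str:
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


# Constructed: auditor's verified copies, taken at the previous examination
BASELINE: Dict[str, str] = {
    "ar_post.py": "def post(balance, amount):\n    return balance + amount\n",
    "ar_aging.py": "def bucket(days):\n"
                   "    return 'current' if days <= 30 else 'overdue'\n",
    "ar_interest.py": "RATE = 0.015\n\ndef charge(balance):\n"
                      "    return balance * RATE\n",
}

# Constructed: what is in the production program library today
PRODUCTION: Dict[str, str] = {
    "ar_post.py": BASELINE["ar_post.py"],                 # untouched
    "ar_aging.py": "def bucket(days):\n"                  # approved change
                   "    return 'current' if days <= 45 else 'overdue'\n",
    "ar_interest.py": "RATE = 0.015\nWAIVED = {'C-1042'}\n\n"   # no approval
                      "def charge(balance, customer=None):\n"
                      "    return 0 if customer in WAIVED else balance * RATE\n",
}

# Constructed: approved change register; each entry records the hash of the
# program version that was approved and tested (hypothetical change id)
CHANGE_REGISTER: List[Dict[str, str]] = [
    {"id": "CR-0417", "program": "ar_aging.py",
     "approved_sha256": digest(PRODUCTION["ar_aging.py"])},
]

Finding = Tuple[str, str, str]   # (status, change id or '', unified diff)


def compare_programs(baseline: Dict[str, str], production: Dict[str, str],
                     register: List[Dict[str, str]]) -> Dict[str, Finding]:
    """Classify each program as UNCHANGED, AUTHORIZED, UNAUTHORIZED or MISSING."""
    approved = {(c["program"], c["approved_sha256"]): c["id"] for c in register}
    findings: Dict[str, Finding] = {}
    for name in sorted(set(baseline) | set(production)):
        if name not in production:
            findings[name] = ("MISSING", "", "")        # removed from library
            continue
        if name not in baseline:
            findings[name] = ("UNAUTHORIZED", "", "")   # absent from baseline
            continue
        if digest(baseline[name]) == digest(production[name]):
            findings[name] = ("UNCHANGED", "", "")
            continue
        diff = "".join(difflib.unified_diff(
            baseline[name].splitlines(True), production[name].splitlines(True),
            fromfile=f"baseline/{name}", tofile=f"production/{name}"))
        change_id = approved.get((name, digest(production[name])), "")
        # A matching approved hash means the change was authorized; the auditor
        # still reads the diff against the change specification. No match means
        # an unauthorized difference that must be investigated.
        status = "AUTHORIZED" if change_id else "UNAUTHORIZED"
        findings[name] = (status, change_id, diff)
    return findings


if __name__ == "__main__":
    results = compare_programs(BASELINE, PRODUCTION, CHANGE_REGISTER)
    for name, (status, change_id, diff) in results.items():
        print(f"{name:16} {status:12} {change_id}")
        if status == "UNAUTHORIZED" and diff:
            print(diff)
```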
Two additional techniques detect unauthorized
program changes:
Reprocessing
On a surprise basis, the auditor
uses a verified copy of the source
code to reprocess data and compare
that output with the company's data.
Discrepancies are investigated.
Parallel simulation
Similar to reprocessing except
that the auditor writes his own
program instead of using verified
source code.
Can be used to test a program
during the implementation process.
Auditors should observe testing and
implementation, review related authorizations,
and, if necessary, perform independent tests for
each major program change.
If this step is skipped and program change
controls are subsequently deemed inadequate, it
may not be possible to rely on program outputs.
Auditors should always test programs on a
surprise basis to protect against unauthorized
changes being inserted after the examination is
completed and then removed prior to scheduled
audits.
Compensating Controls
If internal controls over program changes are
deficient, compensating controls are:
Source code comparison;
Reprocessing; and/or
Parallel simulation.
The presence of sound processing controls,
independently tested by the auditor, can also
partially compensate for deficiencies.
But if deficiencies are caused by inadequate
restrictions on program file access, the auditor
should strongly recommend actions to strengthen
the organization's logical access controls.

Objective (4): Computer processing
Types of errors and fraud:
During computer processing, the system may:
Fail to detect erroneous input
Improperly correct input errors
Process erroneous input
Improperly distribute or disclose output
Control Procedures
Computer data editing routines
Proper use of internal and external file labels
Reconciliation of batch totals
Effective error correction procedures
Understandable operating documentation and run
manuals
Competent supervision of computer operations
Effective handling of data input and output by
data control personnel
File change listings and summaries prepared for
user department review
Maintenance of proper environmental conditions
in computer facility
Audit Procedures: Systems Review
Review administrative documentation for
processing control standards
Review systems documentation for data editing
and other processing controls
Review operating documentation for
completeness and clarity
Review copies of error listings, batch total reports,
and file change lists
Observe computer operations and data control
functions
Discuss processing and output controls with
operations and IS supervisory personnel
Audit Procedures: Tests of Controls
Evaluate adequacy of processing control
standards and procedures
Evaluate adequacy and completeness of data
editing controls
Verify adherence to processing control procedures
by observing computer operations and the data
control function
Verify that selected application system output is
properly distributed
Reconcile a sample of batch totals, and follow up
on discrepancies
Trace disposition of a sample of errors flagged by
data edit routines to ensure proper handling

Verify processing accuracy for a sample of
sensitive transactions
Verify processing accuracy for selected computer-
generated transactions
Search for erroneous or unauthorized code via
analysis of program logic
Check accuracy and completeness of processing
controls using test data
Monitor online processing systems using
concurrent audit techniques
Recreate selected reports to test for accuracy and
completeness
Compensating Controls
Auditors must periodically reevaluate processing
controls to ensure their continued reliability.
If controls are unsatisfactory, user and
source data controls may be strong enough
to compensate.
If not, a material weakness exists and steps
should be taken to eliminate the control
deficiencies.
Auditors commonly use five concurrent audit
techniques:
An integrated test facility (ITF) technique
A snapshot technique
A system control audit review file (SCARF)
Audit hooks
Continuous and intermittent simulation (CIS)

Objective (5): Source data
Control Procedures
Effective handling of source data input by data
control personnel
User authorization of source data input
Preparation and reconciliation of batch control
totals
Logging of the receipt, movement, and disposition
of source data input
Check digit verification
Key verification
Use of turnaround documents

Computer data editing routines
File change listings and summaries for user
department review
Effective procedures for correcting and
resubmitting erroneous data
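Two of the source data controls listed above, batch control totals and check digit verification, worked in Python as an added example (not code from the notes). The batch header carries the totals the user department prepared; the system recomputes them and reports each discrepancy. The modulus-11 weighted check digit is an assumption, since the notes name no particular scheme, and the account numbers and amounts are constructed.

```python
"""Batch control totals and check digit verification, as an added example of
the source data controls in the notes. The modulus-11 weighted check digit
is an assumption (the notes name no scheme); the batch data is constructed."""
from decimal import Decimal
from typing import Dict, List, Tuple

Record = Tuple[str, Decimal]        # (account number incl. check digit, amount)


def make_check_digit(body: str) -> str:
    """Modulus-11: weight digits 2, 3, 4, ... from the right; a result of 10
    means the body cannot carry a valid check digit."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    check = (11 - total % 11) % 11
    if check == 10:
        raise ValueError(f"{body}: no valid modulus-11 check digit")
    return str(check)


def verify_check_digit(account: str) -> bool:
    """Weighted sum including the check digit (weight 1) must divide by 11.
    This catches a single mis-keyed digit and transposed adjacent digits."""
    if not account.isdigit() or len(account) < 2:
        return False
    total = sum(int(d) * w for d, w in zip(reversed(account), range(1, 1 + len(account))))
    return total % 11 == 0


def reconcile_batch(header: Dict[str, object], records: List[Record]) -> List[str]:
    """Recompute record count, financial total and hash total from the keyed
    records and return every exception for the data control function."""
    exceptions: List[str] = []
    for account, _ in records:
        if not verify_check_digit(account):
            exceptions.append(f"check digit failure on account {account}")
    count = len(records)
    amount = sum((amt for _, amt in records), Decimal("0"))
    # Hash total: a sum with no business meaning, used only as a control
    hash_total = sum(int(acct) for acct, _ in records)
    if count != header["record_count"]:
        exceptions.append(f"record count {count} != header {header['record_count']}")
    if amount != header["amount_total"]:
        exceptions.append(f"amount total {amount} != header {header['amount_total']}")
    if hash_total != header["hash_total"]:
        exceptions.append(f"hash total {hash_total} != header {header['hash_total']}")
    return exceptions


# Constructed: a sales batch with the control totals the user department prepared
GOOD_BATCH: List[Record] = [
    ("123455", Decimal("500.00")),   # body 12345, check digit 5
    ("200778", Decimal("450.00")),   # body 20077, check digit 8
    ("319023", Decimal("300.00")),   # body 31902, check digit 3
]
HEADER: Dict[str, object] = {
    "record_count": 3,
    "amount_total": Decimal("1250.00"),
    "hash_total": 123455 + 200778 + 319023,
}

# The same batch after a clerk transposes the first two digits of one account;
# both the check digit and the hash total expose the error
BAD_BATCH: List[Record] = [("213455", Decimal("500.00"))] + GOOD_BATCH[1:]

if __name__ == "__main__":
    print("good batch exceptions:", reconcile_batch(HEADER, GOOD_BATCH))
    print("bad batch exceptions:", reconcile_batch(HEADER, BAD_BATCH))
```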
Audit Procedures: System Review
Review documentation about responsibilities of
data control function
Review administrative documentation for source
data control standards
Review methods of authorization and examine
authorization signatures
Review accounting systems documentation to
identify source data content and processing steps
and specific source data controls used
Document accounting source data controls using
an input control matrix
Discuss source data control procedures with data
control personnel as well as the users and
managers of the system
Audit Procedures: Tests of Controls
Observe and evaluate data control department
operations and specific data control procedures
Verify proper maintenance and use of data control
log
Evaluate how items recorded in the error log are
handled
Examine samples of accounting source data for
proper authorization
Reconcile a sample of batch totals and follow up
on discrepancies
Trace disposition of a sample of errors flagged by
data edit routines
Compensating Controls
Strong user controls
Strong processing controls
Auditors use an input controls matrix (as shown on
the next slide) to document the review of source data
controls.
The matrix shows the control procedures applied to
each field of an input record.
Auditors should ensure the data control function:
Is independent of other functions
Maintains a data control log
Handles errors
Ensures overall efficiency of operations
Auditors should test source data controls on a regular

basis, because the strictness with which they are
applied may change.
Samples should be evaluated for proper
authorization.
A sample of batch control totals should also be
reconciled.
A sample of data edit errors should be evaluated
to ensure they were resolved and resubmitted.

Objective (6): Data files
The sixth objective concerns the accuracy, integrity, and
security of data stored in machine-readable files.
Data storage risks include:
Unauthorized modification of data
Destruction of data
Disclosure of data
Many of the controls discussed in Chapter 8 protect
against the preceding risks.
If file controls are seriously deficient, especially with
respect to access or backup and recovery, the auditor
should strongly recommend they be rectified.
Auditing-by-objectives is a comprehensive,
systematic, and effective means of evaluating internal
controls in an AIS.
It can be implemented using an audit procedures
checklist for each objective.
It should help the auditor reach a separate
conclusion for each objective and suggest
compensating controls.
A separate version of the checklist should be completed
for each significant application.
Auditors should review system designs while their
suggestions can be incorporated.
Techniques such as ITF, snapshot, SCARF, audit hooks,
and real-time notification should be incorporated during
design.
It is much more difficult and costly to add them later.
Types of Errors and Fraud
Destruction of stored data due to:
Inadvertent errors
Hardware or software malfunctions
Intentional acts of sabotage or vandalism
Unauthorized modification or disclosure of stored
data
Control Procedures
Secure file library and restrictions on physical
access to data files
Logical access controls using passwords and

access control matrix
Proper use of file labels and write-protection
mechanisms
Concurrent update controls
Encryption of highly confidential data
Use of virus protection software
Maintenance of backup copies of all data files in
an off-site location
Audit Procedures: System Review
Review documentation for functions of file library
operation
Review logical access policies and procedures
Review operating documentation to determine
prescribed standards for:
Use of file labels and write-protection
mechanisms
Use of virus protection software
Use of backup storage
System recovery, including checkpoint and
rollback procedures
Review systems documentation to examine
prescribed procedures for:
Use of concurrent update controls and data
encryption
Control of file conversions
Reconciling master file totals with
independent control totals
Examine disaster recovery plan
Discuss data file control procedures with systems
managers and operators
Audit Procedures: Tests of Controls
Observe and evaluate file library operations
Review records of password assignment and
modification
Observe and evaluate file-handling procedures by
operations personnel
Observe the preparation and off-site storage of
backup files
Verify the effective use of virus protection
procedures
Verify the use of concurrent update controls and
data encryption
Verify completeness, currency, and testing of
disaster recovery plan
Reconcile master file totals with separately
maintained control totals
Observe the procedures used to control file

conversion
Compensating Controls
Strong user controls
Effective computer security controls
Strong processing controls
