1. What is auditing?
Auditing refers to a systematic and independent examination of books, accounts, documents
and vouchers of an organization to ascertain how far the financial statements present a true
and fair view of the concern.
Elements
- Systematic procedures are used
- Evidence is obtained: compliance tests (tests of internal controls) and substantive tests
- Determination of materiality for weaknesses found
- Prepare audit report and audit opinion
3. Type of Audit
Operational audits: Concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.
Compliance / internal control audit: Audit undertaken to confirm whether a firm is following the terms of an agreement (such as a bond indenture), or the rules and regulations applicable to an activity or practice prescribed by an external agency or authority.
Financial audit: Examines the reliability and integrity of accounting records (both financial and operating information). It is an independent attestation (examination/evaluation) by a professional regarding the faithful representation of the financial statements.
Info. Sys. Audit: Reviews the general and application controls in an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
Fraud audit: A meticulous review of financial documents, while one searches for the point where the numbers and/or financial statements do not mesh. Fraud audits are done when fraud is suspected.
Page 1 of 31
4. Type of Info. Sys. Auditing (computer related activity)
Audit around the computer:
An accounting system is comprised of input, processing, and output. In the around-the-computer approach, only the input and output processes are involved. Source documents supplying the input to the system are selected and summarized manually so that they can be compared to the output. The computer is a black box.
Assumption: If the auditor can show that the actual outputs are the correct results to be expected from a set of inputs to the processing system, then the computer processing must be functioning in a reliable manner.
Suitable only under the following conditions:
o The audit trail is complete and visible
o The processing operations are relatively straightforward, uncomplicated, low volume
o Complete documentation, such as DFDs and Systems Flowcharts, are available to the auditor
Limitation: it does not allow the auditor to determine exactly how the computer processing programs handle edit checks and programmed checks.
more legible and consistent.
o Saved time
o Calculations, comparisons, and other data
manipulations are more accurately performed.
o Analytical review calculations may be more efficiently
performed.
o Easily generated and analyzed project info.
o Standardized audit correspondence
o Increased cost-effectiveness
o Increased independence from information systems
personnel is obtained.
Lect 2&3
5. What is a CAAT?
CAATs are any automated audit techniques. Computer Assisted Audit Techniques
(CAATs) are important tools for the IS Auditor in performing audits.
CAATs fall into two general categories:
i. Designed to test controls within the system.
ii. Involves examinations of computerized data- Data file interrogation
6. Types of control tests in CAATs
CAATs in this category are designed to test controls within the system. You are
then able to judge how reliable the controls are and how accurate the accounting
and other records may be. Techniques (described in more detail later) that are
commonly used to review and verify system controls include:-
Test Data
Description: Test data are input containing both valid and invalid data.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.
Used to verify the correct operation of a particular program or module and to confirm the operation of new or amended programs. It can be used to test and verify:
- input validation routines;
- error detection capabilities;
- processing logic and calculations.

Integrated Test Facility
Description: ITF involves both the use of test data and the creation of fictitious (made up) records (vendors, employees) on the master files of a computer system.
Example: Payroll transactions for fictitious employees are processed concurrently with valid payroll transactions.
Provides an in-built testing facility through the creation of a dummy department or branch within the normal accounting system; the dummy entity does not interrupt the real operation of the system.
(fixed) Audit Module Techniques
Description: Audit computer programs so that transaction data can be subjected to audit analysis.
Example: Data items that are exceptions to auditor-specified edit tests included in a program are written to a special audit file.
Used with a computer system that handles very high volumes of data. It is an audit application that is permanently resident within the main processing system and is also known as a resident audit monitor.
Audit routines are coded into the system to copy or print data or certain transactions of specified audit interest. The function may be switched on or off by certain inputs from the auditor. Rather than copy or print the transactions, the routines may be set up to tag the relevant transactions, by setting an indicator field in the transaction record, for later audit analysis.
The audit module examines each transaction as it enters the system. Every time a transaction occurs that meets the selection criteria, transaction details are logged before the transaction is allowed to continue for further processing. The audit log file is periodically scanned and analysed, and reports are printed for follow-up.
Embedded audit facilities usually have the ability to select transactions that fulfil a range of criteria, which may be altered by amending the selection parameters.
Example: collect copies of all purchase invoices where there is no corresponding purchase order reference.
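The embedded audit module described above, as an added example (constructed for these notes, not code from the lecture or from any real audit package). The Transaction record layout, the criteria names, the 10,000 threshold and the sample transactions are all assumptions; the "purchase invoice without a purchase order reference" criterion is the notes' own example. Each transaction passes through the hook before normal processing continues, hits are logged and tagged through an indicator field, selection parameters can be amended, and the whole module can be switched off by the auditor.

```python
"""Constructed example of an embedded (resident) audit module.

Added illustration, not code from the lecture notes: the Transaction record,
the criteria names and the sample transactions are all assumptions.
Every transaction entering the 'main processing system' passes through
audit_hook(); if it meets a selection criterion its details are logged and the
record is tagged via an indicator field BEFORE processing continues.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Transaction:
    txn_id: str
    kind: str                      # e.g. "PURCHASE_INVOICE" or "PAYMENT"
    amount: float
    po_ref: Optional[str] = None   # purchase-order reference, if any
    audit_flag: bool = False       # indicator field set by the tagging variant


Criterion = Callable[[Transaction], bool]


class EmbeddedAuditModule:
    """Resident audit monitor whose selection parameters the auditor can amend."""

    def __init__(self) -> None:
        self.enabled = True                      # switched on/off by the auditor
        self.params: Dict[str, float] = {"large_amount": 10_000.0}  # assumed threshold
        self.audit_log: List[dict] = []
        # Selection criteria, keyed by name so they can be added or removed.
        self.criteria: Dict[str, Criterion] = {
            # The lecture's own example: purchase invoices with no PO reference.
            "invoice_without_po": lambda t: t.kind == "PURCHASE_INVOICE" and not t.po_ref,
            # Parameterised criterion: the threshold lives in self.params.
            "large_amount": lambda t: t.amount >= self.params["large_amount"],
        }

    def audit_hook(self, txn: Transaction) -> Transaction:
        """Called for every transaction before it is allowed to continue."""
        if not self.enabled:
            return txn
        hits = [name for name, test in self.criteria.items() if test(txn)]
        if hits:
            txn.audit_flag = True                # tag for later audit analysis
            self.audit_log.append(
                {"txn_id": txn.txn_id, "criteria": hits, "amount": txn.amount})
        return txn

    def scan_log(self) -> Dict[str, int]:
        """Periodic scan of the audit log: number of hits per criterion."""
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            for name in entry["criteria"]:
                counts[name] = counts.get(name, 0) + 1
        return counts


def process_transactions(module: EmbeddedAuditModule,
                         txns: List[Transaction]) -> List[Transaction]:
    """Stand-in for the main processing system: the hook runs on every record."""
    posted = []
    for txn in txns:
        posted.append(module.audit_hook(txn))
        # ... normal posting of the transaction would follow here ...
    return posted


# Constructed sample transactions (not real data).
SAMPLE_TXNS = [
    Transaction("T1", "PURCHASE_INVOICE", 500.00, po_ref="PO-1001"),
    Transaction("T2", "PURCHASE_INVOICE", 750.00),        # no PO reference
    Transaction("T3", "PAYMENT", 25_000.00),               # large amount
    Transaction("T4", "PURCHASE_INVOICE", 12_000.00),      # meets both criteria
    Transaction("T5", "PAYMENT", 100.00),
]


def run_demo() -> EmbeddedAuditModule:
    """Run the sample batch through the module and return it for inspection."""
    module = EmbeddedAuditModule()
    process_transactions(module, SAMPLE_TXNS)
    return module


if __name__ == "__main__":
    m = run_demo()
    for entry in m.audit_log:
        print(entry)
    print("hits per criterion:", m.scan_log())
```

Running it logs T2, T3 and T4 and leaves T1 and T5 untagged; lowering `params["large_amount"]` changes which transactions are selected without touching the criteria code, which is the "amending the selection parameters" point in the notes.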
Program Code Review & Comparison
Involves a detailed examination of program coding. It generally involves a fair degree of programming skill and a thorough knowledge of the program specification.
Utility programs are also available that will compare two versions of a program and report the differences between the two. The differences are checked to ensure that only authorised changes have been made.

Parallel Recording
Description: Processing real data through audit programs. The simulated output and the regular output are then compared.
For example, take real data and write your own interest calculation program. If you run your simulation program against the same source data file, you should obtain the same results.
Extended Recording
Description: Modification of programs to collect and store data of audit interest.

Tracing
Description: Tracing provides a detailed audit trail of the instructions executed during the program's operation.

Review system documentation
Description: Existing system documentation such as program flowcharts are reviewed for audit purposes.

Control flowcharting
Description: Document flowcharts or other graphic techniques are used to describe the controls in a system.
o traditional interrogation package specifically designed for audit purposes which runs on the computer facility where the data is held, i.e. the mainframe or minicomputer, where the system being audited runs and holds its data.
o general programming language tools as used in the organisation's IT department and probably in which the system being audited has been developed.
o transfer extracts of the data files that the auditor wishes to interrogate to a PC and analyse the data on the PC using PC tools or possibly a PC-based interrogation package designed for audit use.
The sorts of operations that auditors often need to perform on data
include:-
o selecting particular records;
o searching for duplicate transactions;
o searching for gaps in sequences;
o comparing the contents of two (or sometimes more) files, and
printing either record matches (where none should match) or
exceptions (where all should match);
o sorting and merging files in preparation for other audit tests
(such as file comparisons and gap analysis).
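The five interrogation operations listed above, as an added example written for these notes (not the lecture's code and not any real interrogation package). The invoice and receipt extracts, their field names and the 1,000 selection threshold are constructed; the file comparison implements both modes the notes describe, matches (where none should match) and exceptions (where all should match).

```python
"""Data file interrogation routines (constructed example; not from the notes).

Operates on small in-memory 'files' (lists of dict records) standing in for
extracts of production data transferred to a PC for analysis.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed sample extracts: a sales invoice file and a cash receipts file.
INVOICES: List[Record] = [
    {"inv_no": 1001, "customer": "C01", "amount": 250.00},
    {"inv_no": 1002, "customer": "C02", "amount": 1200.00},
    {"inv_no": 1003, "customer": "C01", "amount": 250.00},   # same customer/amount as 1001
    {"inv_no": 1005, "customer": "C03", "amount": 75.50},    # 1004 is missing
    {"inv_no": 1005, "customer": "C03", "amount": 75.50},    # duplicate invoice number
    {"inv_no": 1008, "customer": "C04", "amount": 9999.99},  # 1006 and 1007 missing
]
RECEIPTS: List[Record] = [
    {"inv_no": 1001, "received": 250.00},
    {"inv_no": 1002, "received": 1200.00},
    {"inv_no": 1009, "received": 40.00},                     # receipt with no invoice
]


def select_records(records: Iterable[Record], predicate: Callable[[Record], bool]) -> List[Record]:
    """Select particular records, e.g. all invoices over a value threshold."""
    return [r for r in records if predicate(r)]


def find_duplicates(records: Sequence[Record], key_fields: Sequence[str]) -> List[Record]:
    """Return every record whose key (tuple of the given fields) occurs more than once."""
    key = lambda r: tuple(r[f] for f in key_fields)
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] > 1]


def find_sequence_gaps(numbers: Iterable[int]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) ranges absent from a numeric sequence."""
    seq = sorted(set(numbers))           # sort (and de-duplicate) first, as the notes say
    gaps = []
    for prev, nxt in zip(seq, seq[1:]):
        if nxt - prev > 1:
            gaps.append((prev + 1, nxt - 1))
    return gaps


def compare_files(left: Sequence[Record], right: Sequence[Record], key: str, mode: str) -> list:
    """Compare two files on a key field.
    mode='matches'    -> keys in both files   (used where none should match)
    mode='exceptions' -> keys in only one     (used where all should match)"""
    lk = {r[key] for r in left}
    rk = {r[key] for r in right}
    if mode == "matches":
        return sorted(lk & rk)
    if mode == "exceptions":
        return sorted(lk ^ rk)
    raise ValueError(f"unknown mode {mode!r}")


def sort_and_merge(*files: Sequence[Record], key: str) -> List[Record]:
    """Merge several files into one list sorted on key, in preparation for other tests."""
    return sorted((r for f in files for r in f), key=lambda r: r[key])


def interrogate(invoices: Sequence[Record] = INVOICES,
                receipts: Sequence[Record] = RECEIPTS) -> dict:
    """Run the standard battery of tests over the two extracts."""
    return {
        "large": [r["inv_no"] for r in select_records(invoices, lambda r: r["amount"] > 1000)],
        "dup_inv_no": sorted({r["inv_no"] for r in find_duplicates(invoices, ("inv_no",))}),
        "dup_cust_amount": sorted({r["inv_no"]
                                   for r in find_duplicates(invoices, ("customer", "amount"))}),
        "gaps": find_sequence_gaps(r["inv_no"] for r in invoices),
        "unmatched": compare_files(invoices, receipts, "inv_no", "exceptions"),
    }


if __name__ == "__main__":
    for test, result in interrogate().items():
        print(f"{test:16s} {result}")
```

On the constructed data the gap test reports 1004 and 1006-1007, the duplicate test on invoice number reports 1005, the duplicate test on customer plus amount also surfaces 1001/1003 (a possible double billing that the number-only test would miss), and the exception comparison lists invoices with no receipt together with a receipt for an invoice that does not exist.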
Uses:
o Selecting sample data for testing
o Gathering statistical data
o Printing confirmation requests, analyses, and other outputs
Benefits:
o Rapidly and accurately perform a variety of routine audit functions, including the statistical selection of samples
o Reduce dependence on non-auditing personnel for performing routine functions like summarizing data, thereby enabling auditors to maintain better control over the audit
o Require only minimal computer knowledge on the part of the auditor
Lect 5
10. What is audit risk?
Risk: the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems.
Error risk: the risk of errors occurring in the area being audited.
Exposure: the potential loss to an area due to the occurrence of an adverse event.
Audit risk: the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated; the risk of giving an incorrect audit opinion.
Detection risk: the risk the auditor is willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor. Detection risk is the risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors.
- Written or oral statements
Analysis results through comparisons, simulations,
calculations and reasoning can also be used as
audit evidence.
16. What are the assertions of audit evidence?
Appropriateness is the measure of the quality (reliability) of audit evidence and its relevance to a particular assertion.
Whilst sufficiency and appropriateness are interrelated, various factors including
risk of misstatement and materiality need to be considered when judging as to
what is sufficient appropriate audit evidence. However, it is not practical for
auditors to search endlessly for audit evidence. There are two major constraining
factors in this respect:
Time: an audit timetable is normally agreed with the management of the entity
giving a deadline date for the conclusion of the audit.
Cost: the fee for an audit assignment is normally agreed in advance. Thus,
effective use of audit resources is crucial if commercial viability is to be
maintained.
18. What are the audit tests in a computer-based information system (CBIS)?
In a CBIS environment, the data needed to perform audit tests are contained in computer files that must be extracted using specialized audit software.
prescribed, auditors can reduce the level of substantive testing required at
the period-end.
Lec 6
24. How does the auditor extract an audit sample?
The objective of sampling is that an unbiased selection of items from a larger population enables the observer to draw mathematically valid conclusions about the population as a whole from the items supplied. Two conditions must be satisfied:
- the population must be homogeneous
- individual items must be selected on a completely random basis
Random sampling
Stratified sampling: e.g. the transactions above 15K must be 100% tested. Select the largest amounts as a sample since they represent a bigger percentage.
Cluster sampling: Selection of sample items by breaking the population down into groups. Each group is then treated separately.
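The three sampling methods above, as an added example written for these notes (not the lecture's own code). The 12-item population, its branch field and the choice of a seeded random generator are assumptions; the 15K threshold is the notes' own figure, read here as strictly above 15,000. Seeding the generator is what lets the working papers show exactly how the sample was drawn.

```python
"""Audit sampling methods (constructed example, not from the lecture notes).

The population records, the field names and the reading of "above 15K" as
strictly greater than 15,000 are assumptions. random.Random(seed) makes every
selection reproducible so the selection can be evidenced in the working papers.
"""
import random
from typing import Dict, List

Item = Dict[str, object]

# Constructed population: 12 transactions across four branches.
POPULATION: List[Item] = [
    {"id": 1,  "branch": "A", "amount": 1_200},
    {"id": 2,  "branch": "A", "amount": 18_000},
    {"id": 3,  "branch": "A", "amount": 450},
    {"id": 4,  "branch": "B", "amount": 22_000},
    {"id": 5,  "branch": "B", "amount": 300},
    {"id": 6,  "branch": "B", "amount": 990},
    {"id": 7,  "branch": "C", "amount": 15_500},
    {"id": 8,  "branch": "C", "amount": 4_000},
    {"id": 9,  "branch": "C", "amount": 800},
    {"id": 10, "branch": "D", "amount": 60_000},
    {"id": 11, "branch": "D", "amount": 2_500},
    {"id": 12, "branch": "D", "amount": 100},
]


def random_sample(population: List[Item], n: int, seed: int = 0) -> List[Item]:
    """Simple random sample: every item has an equal chance of selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n), key=lambda r: r["id"])


def stratified_sample(population: List[Item], threshold: float,
                      n_small: int, seed: int = 0) -> Dict[str, List[Item]]:
    """Stratify by value: 100% of items above the threshold, a random sample of the rest."""
    high = [r for r in population if r["amount"] > threshold]
    low = [r for r in population if r["amount"] <= threshold]
    rng = random.Random(seed)
    return {"high_100pct": high,
            "low_sample": sorted(rng.sample(low, n_small), key=lambda r: r["id"])}


def cluster_sample(population: List[Item], group_field: str,
                   n_groups: int, seed: int = 0) -> Dict[object, List[Item]]:
    """Cluster sampling: pick whole groups (e.g. branches) and test every item in them."""
    groups: Dict[object, List[Item]] = {}
    for r in population:
        groups.setdefault(r[group_field], []).append(r)
    rng = random.Random(seed)
    chosen = rng.sample(sorted(groups), n_groups)
    return {g: groups[g] for g in sorted(chosen)}


def value_coverage(sample: List[Item], population: List[Item]) -> float:
    """Share of the population's total monetary value covered by the sample."""
    total = sum(r["amount"] for r in population)
    return sum(r["amount"] for r in sample) / total


if __name__ == "__main__":
    strat = stratified_sample(POPULATION, 15_000, n_small=3)
    print("100% stratum:", [r["id"] for r in strat["high_100pct"]],
          f"covers {value_coverage(strat['high_100pct'], POPULATION):.1%} of value")
    print("sample of the rest:", [r["id"] for r in strat["low_sample"]])
    print("random:", [r["id"] for r in random_sample(POPULATION, 4, seed=1)])
    print("clusters:", {g: [r["id"] for r in v]
                        for g, v in cluster_sample(POPULATION, "branch", 2).items()})
```

On this population the four items above 15K are only a third of the records but more than 90% of the value, which is why the notes say to test that stratum in full and sample only the remainder.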
Lec 7
27. What is audit documentation & its importance?
'Documentation' or 'working papers' means the material prepared or obtained and retained by the auditor in performing the audit. It may be in the form of data stored on paper, film, electronic or other media.
- to document matters which are important in supporting the audit opinion; and
- to evidence that the audit was carried out in accordance with auditing standards
Documentation also provides guidance for planning future audits and for familiarizing new staff, thereby saving time and cost.
(1) Narrative notes: written descriptions require little formal training and are best suited to small, simple systems descriptions or to explain peripheral aspects of larger systems not dealt with by other techniques (e.g., the issue of credit notes).
(2) Flowcharts: visual descriptions highlight controls and are easy to understand by a trained user. However, different audit firms and their clients use different types (e.g., documentation flowcharts, information flowcharts and overview flowcharts).
Lec 9
31. What is a database?
A database is a collection of data that is shared and used by many
different users for different purposes. Each user may not necessarily be
aware of all the data stored in the database, or of the ways that the data
may be used for multiple purposes. Generally, individual users are aware
only of the data that they use and may view the data as computer files
utilised by their applications.
Database systems consist principally of two components: the database
and the database management system (DBMS). Database systems
interact with other hardware and software aspects of the overall computer
system.
interrelationships between the data, and makes the data available to
application programs.
b. data independence.
i) The DBMS records the data once for use by various
application programs. This creates a need for data
sharing and a need for data independence from
application programs.
ii) In non-database systems, separate data files are
maintained for each application. Similar data used by
several applications may be repeated in several different
files. In a database system, however, a single file of data
(or database) is used by many applications, with data
redundancy kept to a minimum.
(d) controls are established to ensure accuracy, completeness
and consistency of data elements and relationships in the
database.
(e) database restructuring procedures are followed
(b) Integrity of data will be improved by effective use of facilities
included in the DBMS, such as recovery/restart routines, generalised
edit and validation routines, and security and control features.
(c) Other functions available with the DBMS can facilitate control
and audit procedures. These functions include report generators,
which may be used to create balancing reports, and query
languages, which may be used to identify inconsistencies in the
data.
(f) The procedures used to ensure the integrity, security and
completeness of the financial information contained in the
database.
(g) The availability of audit facilities within the DBMS.
(h) The procedures used to introduce new versions of the database
into operation.
Users may have on-line access to the system that enables them to
perform various functions (for example, to enter transactions and to read,
change or delete programs and data files through the terminal devices).
Unlimited access to all of these functions in a particular application is
undesirable because it provides the user with the potential ability to make
unauthorised changes to the data and programs.
Unlimited access precludes segregation of duties and allows users access
to all stages of processing and recording a transaction.
Procedures carried out during the planning stage may include the
following:
(a) the participation on the audit team of individuals with technical
proficiency in on-line computer systems and related controls;
(b) identification of any new remote access facilities; and
(c) preliminary determination, during the risk assessment process,
of the impact of the system on the audit procedures.
Procedures performed after processing has taken place may include the
following:
(a) tests of controls over transactions logged by the on-line system
for authorisation, completeness and accuracy;
(b) substantive procedures covering transactions and processing
results rather than tests of control, where the former may be more
cost-effective or where the system is not well-designed or
controlled; and
(c) reprocessing transactions as either a test of control or a
substantive procedure.
What are the 6 components and audit objectives?
Inspecting computer sites.
Interviewing personnel.
Reviewing policies and procedures.
Examining access logs, insurance policies, and
the disaster recovery plan.
Audit Procedures: Tests of Controls
Auditors test security controls by:
Observing procedures.
Verifying that controls are in place and
work as intended.
Investigating errors or problems to ensure
they were handled correctly.
Examining any tests previously performed.
One way to test logical access controls is to try to
break into a system.
Compensating Controls
If security controls are seriously deficient, the
organization faces substantial risks.
Partial compensation for poor computer security
can be provided by:
Sound personnel policies
Effective segregation of incompatible
duties
Effective user controls, so that users can
recognize unusual system output.
These compensations aren't likely to be enough,
so auditors should strongly recommend that
security weaknesses be corrected.
development activities.
To maintain necessary objectivity for
performing an independent evaluation, the
auditor should not be involved in system
development.
During the systems review, the auditor
should gain an understanding of
development procedures by discussing
them with management, users, and IS
personnel.
Should also review policies, procedures, standards, and
documentation for systems and programs
Audit Procedures: Tests of Controls
To test systems development controls, auditors
should:
Interview managers and system users.
Examine development approvals.
Review the minutes of development team
meetings.
Thoroughly review all documentation
relating to the testing process and
ascertain that all program changes were
tested.
Examine the test specifications, review the
test data, and evaluate the test results.
If results were unexpected, ascertain
how the problem was resolved.
Compensating Controls
Strong processing controls can sometimes
compensate for inadequate development
controls.
If auditors rely on compensatory processing
controls, they should obtain persuasive
evidence of compliance.
Use techniques such as independent
processing of test data to do so.
If this type of evidence can't be obtained,
they may have to conclude there is a
material weakness in internal control.
Objective 3: Types of Errors and Fraud
Program modification: the same errors and fraud that can occur during program development:
- Inadvertent programming errors
- Unauthorized programming code
Control Procedures
When a program change is submitted for
approval, a list of all required updates should be
compiled by management and program users.
Changes should be thoroughly tested and
documented.
During the change process, the developmental
version of the program must be kept separate
from the production version.
When the amended program has received final
approval, it should replace the production version.
Changes should be implemented by personnel
independent of users or programmers.
Logical access controls should be employed at
all times.
Audit Procedures: System Review
During systems review, auditors should:
Gain an understanding of the change
process by discussing it with management
and user personnel.
Examine the policies, procedures, and
standards for approving, modifying, testing,
and documenting the changes.
Review a complete set of final
documentation materials for recent
program changes, including test
procedures and results.
Review the procedures used to restrict logical access to the
developmental version of the program
Audit Procedures: Tests of Controls
An important part of these tests is to verify
that program changes were identified, listed,
approved, tested, and documented.
Requires that the auditor observe how
changes are implemented to verify that:
Separate development and production
programs are maintained; and
Changes are implemented by someone
independent of the user and programming
functions.
The auditor should review the development
program's access control table to verify that only
those users assigned to carry out modification
had access to the system.
To test for unauthorized program changes,
auditors can use a source code comparison
program to compare the current version of the
program with the original source code.
Any unauthorized differences should
result in an investigation.
If the difference represents an
authorized change, the auditor can refer to
the program change specifications to
ensure that the changes were authorized
and correctly incorporated.
Two additional techniques detect unauthorized
program changes:
Reprocessing
On a surprise basis, the auditor
uses a verified copy of the source
code to reprocess data and compare
that output with the company's data.
Discrepancies are investigated.
Parallel simulation
Similar to reprocessing except
that the auditor writes his own
program instead of using verified
source code.
Can be used to test a program
during the implementation process.
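Source code comparison and parallel simulation, as one added example that serves both this passage and the earlier "Program Code Review & Comparison" and "Parallel Recording" entries (written for these notes, not the lecture's code). The interest program, its "original" and "current" source text, the extra branch planted in the current version, and the account file are all constructed. The comparison reports only lines that differ between the authorised and the running version; the simulation runs the auditor's independently written program over the same source data and lists every account whose result disagrees with production.

```python
"""Two techniques for detecting unauthorised program changes (constructed example).

Not code from the notes: the interest program, its 'original' and 'current'
source text, the planted change and the account data are all assumptions.
1. Source code comparison: diff the running program's source against the
   original, authorised version and report the differences for checking.
2. Parallel simulation: the auditor writes an independent program from the
   specification, runs it over the same data and compares with production output.
"""
import difflib
from typing import Callable, Dict, List, Tuple

# Authorised version of the production program, as held in the auditor's files.
ORIGINAL_SOURCE = """\
def monthly_interest(balance, annual_rate):
    return round(balance * annual_rate / 12, 2)
"""

# Version currently in production (constructed to contain an extra branch).
CURRENT_SOURCE = """\
def monthly_interest(balance, annual_rate):
    if balance > 50000:
        annual_rate = annual_rate + 0.001
    return round(balance * annual_rate / 12, 2)
"""


def compare_source(original: str, current: str) -> List[str]:
    """Return only the added ('+') and removed ('-') lines between two versions."""
    diff = difflib.unified_diff(original.splitlines(), current.splitlines(),
                                fromfile="original", tofile="current", lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def production_interest(balance: float, annual_rate: float) -> float:
    """Behaves exactly like CURRENT_SOURCE, i.e. the program actually running."""
    if balance > 50000:
        annual_rate = annual_rate + 0.001
    return round(balance * annual_rate / 12, 2)


def auditor_interest(balance: float, annual_rate: float) -> float:
    """The auditor's own program, written independently from the specification."""
    return round(balance * annual_rate / 12, 2)


Program = Callable[[float, float], float]


def parallel_simulation(accounts: List[Dict[str, object]], production_fn: Program,
                        simulation_fn: Program, tolerance: float = 0.005
                        ) -> List[Tuple[str, float, float]]:
    """Run both programs over the same data; return (id, production, simulated) where they differ."""
    discrepancies = []
    for acct in accounts:
        prod = production_fn(acct["balance"], acct["rate"])
        sim = simulation_fn(acct["balance"], acct["rate"])
        if abs(prod - sim) > tolerance:
            discrepancies.append((acct["id"], prod, sim))
    return discrepancies


# Constructed source data file.
ACCOUNTS = [
    {"id": "A1", "balance": 10_000.0, "rate": 0.06},
    {"id": "A2", "balance": 80_000.0, "rate": 0.06},
    {"id": "A3", "balance": 50_000.0, "rate": 0.06},
    {"id": "A4", "balance": 120_000.0, "rate": 0.05},
]


if __name__ == "__main__":
    print("source differences to be checked against change authorisations:")
    for line in compare_source(ORIGINAL_SOURCE, CURRENT_SOURCE):
        print("  ", line)
    print("accounts where production and simulation disagree:")
    for acct_id, prod, sim in parallel_simulation(ACCOUNTS, production_interest, auditor_interest):
        print(f"   {acct_id}: production {prod} vs simulated {sim}")
```

The two techniques are complementary: the diff shows that two lines were added and the simulation shows which records those lines actually affect (only balances above 50,000), which is the kind of evidence the notes say should trigger an investigation and a check against the change specifications.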
Auditors should observe testing and
implementation, review related authorizations,
and, if necessary, perform independent tests for
each major program change.
If this step is skipped and program change
controls are subsequently deemed inadequate, it
may not be possible to rely on program outputs.
Auditors should always test programs on a
surprise basis to protect against unauthorized
changes being inserted after the examination is
completed and then removed prior to scheduled
audits.
Compensating Controls
If internal controls over program changes are
deficient, compensating controls are:
Source code comparison;
Reprocessing; and/or
Parallel simulation.
The presence of sound processing controls,
independently tested by the auditor, can also
partially compensate for deficiencies.
But if deficiencies are caused by inadequate
restrictions on program file access, the auditor
should strongly recommend actions to strengthen
the organization's logical access controls.
Objective 4: Types of Errors and Fraud
Computer processing: During computer processing, the system may:
- Fail to detect erroneous input
- Improperly correct input errors
- Process erroneous input
- Improperly distribute or disclose output
Control Procedures
Computer data editing routines
Proper use of internal and external file labels
Reconciliation of batch totals
Effective error correction procedures
Understandable operating documentation and run
manuals
Competent supervision of computer operations
Effective handling of data input and output by
data control personnel
File change listings and summaries prepared for
user department review
Maintenance of proper environmental conditions
in computer facility
Audit Procedures: Systems Review
Review administrative documentation for
processing control standards
Review systems documentation for data editing
and other processing controls
Review operating documentation for
completeness and clarity
Review copies of error listings, batch total reports,
and file change lists
Observe computer operations and data control
functions
Discuss processing and output controls with
operations and IS supervisory personnel
Audit Procedures: Tests of Controls
Evaluate adequacy of processing control
standards and procedures
Evaluate adequacy and completeness of data
editing controls
Verify adherence to processing control procedures
by observing computer operations and the data
control function
Verify that selected application system output is
properly distributed
Reconcile a sample of batch totals, and follow up
on discrepancies
Trace disposition of a sample of errors flagged by
data edit routines to ensure proper handling
Verify processing accuracy for a sample of
sensitive transactions
Verify processing accuracy for selected computer-
generated transactions
Search for erroneous or unauthorized code via
analysis of program logic
Check accuracy and completeness of processing
controls using test data
Monitor online processing systems using
concurrent audit techniques
Recreate selected reports to test for accuracy and
completeness
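An added example of two of the processing controls the auditor tests above, data editing routines and batch total reconciliation, written for these notes (not the lecture's code and not a real system's routines). The record layout, the three control totals carried in the batch header (record count, amount total, and a hash total of account numbers), and the six sample records with their keying errors are constructed. It also illustrates the test-data idea from the CAAT section: the batch deliberately mixes valid and invalid records so the edit routine's error detection can be seen working.

```python
"""Data edit routines plus batch control total reconciliation (constructed example).

Not from the notes: the record layout, the batch header fields and the sample
records are assumptions. The header carries control totals that the data control
function computed from the source documents. Each input record is run through
the edit routine; the totals of the accepted records are reconciled to the
header, and the rejected records are checked to see whether they explain the
difference (anything they do not explain is a follow-up item).
"""
from datetime import datetime
from decimal import Decimal, InvalidOperation
from typing import Dict, List

Record = Dict[str, str]

# Constructed batch header (what the data control log says was submitted).
BATCH_HEADER = {"batch_id": "B-0417", "record_count": 6,
                "amount_total": "1640.50", "hash_total": 60448}

# Constructed input records, two of which contain keying errors.
RECORDS: List[Record] = [
    {"account": "10023", "date": "2024-03-01", "amount": "100.00"},
    {"account": "10045", "date": "2024-02-30", "amount": "250.25"},  # invalid date
    {"account": "10067", "date": "2024-03-02", "amount": "1000.00"},
    {"account": "1A089", "date": "2024-03-03", "amount": "225.00"},  # bad account number
    {"account": "10101", "date": "2024-03-03", "amount": "55.50"},
    {"account": "10123", "date": "2024-03-04", "amount": "9.75"},
]


def edit_record(rec: Record) -> List[str]:
    """Data edit routine: return the list of edit failures (empty list = accepted)."""
    errors = []
    if not (rec["account"].isdigit() and len(rec["account"]) == 5):
        errors.append("account must be 5 digits")
    try:
        datetime.strptime(rec["date"], "%Y-%m-%d")
    except ValueError:
        errors.append("invalid date")
    try:
        if Decimal(rec["amount"]) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def parse_amount(text: str) -> Decimal:
    """Amount as Decimal (exact currency arithmetic); unparseable amounts count as 0."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return Decimal(0)


def reconcile_batch(header: dict, records: List[Record]) -> dict:
    """Edit every record, total the accepted ones and reconcile to the batch header."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_record(rec)
        (rejected if errs else accepted).append((rec, errs))
    count = len(accepted)
    amount_total = sum((parse_amount(r["amount"]) for r, _ in accepted), Decimal(0))
    hash_total = sum(int(r["account"]) for r, _ in accepted)   # all accepted accounts are digits
    rejected_amount = sum((parse_amount(r["amount"]) for r, _ in rejected), Decimal(0))
    header_amount = Decimal(header["amount_total"])
    return {
        "count_diff": count - header["record_count"],
        "amount_diff": amount_total - header_amount,
        "hash_diff": hash_total - header["hash_total"],
        # Does the value rejected by the edits fully explain the amount shortfall?
        "amount_explained_by_rejects": amount_total + rejected_amount == header_amount,
        "rejected": [(r["account"], errs) for r, errs in rejected],
    }


if __name__ == "__main__":
    result = reconcile_batch(BATCH_HEADER, RECORDS)
    for k, v in result.items():
        print(f"{k:28s} {v}")
```

On the sample batch the count and amount differences are fully explained by the two rejected records, so those two go back for correction and resubmission. The hash total cannot be fully reconciled because one rejected account number is not numeric, which is exactly the kind of item the notes say to trace to its disposition rather than write off.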
Compensating Controls
Auditors must periodically reevaluate processing
controls to ensure their continued reliability.
If controls are unsatisfactory, user and
source data controls may be strong enough
to compensate.
If not, a material weakness exists and steps
should be taken to eliminate the control
deficiencies.
Auditors commonly use five concurrent audit
techniques:
An integrated test facility (ITF) technique
A snapshot technique
A system control audit review file (SCARF)
Audit hooks
Continuous and intermittent simulation (CIS)
Computer data editing routines
File change listings and summaries for user
department review
Effective procedures for correcting and
resubmitting erroneous data
Audit Procedures: System Review
Review documentation about responsibilities of
data control function
Review administrative documentation for source
data control standards
Review methods of authorization and examine
authorization signatures
Review accounting systems documentation to
identify source data content and processing steps
and specific source data controls used
Document accounting source data controls using
an input control matrix
Discuss source data control procedures with data
control personnel as well as the users and
managers of the system
Audit Procedures: Tests of Controls
Observe and evaluate data control department
operations and specific data control procedures
Verify proper maintenance and use of data control
log
Evaluate how items recorded in the error log are
handled
Examine samples of accounting source data for
proper authorization
Reconcile a sample of batch totals and follow up
on discrepancies
Trace disposition of a sample of errors flagged by
data edit routines
Compensating Controls
Strong user controls
Strong processing controls
Auditors use an input controls matrix (as shown on
the next slide) to document the review of source data
controls.
The matrix shows the control procedures applied to
each field of an input record.
Auditors should ensure the data control function:
Is independent of other functions
Maintains a data control log
Handles errors
Ensures overall efficiency of operations
Auditors should test source data controls on a regular
basis, because the strictness with which they are
applied may change.
Samples should be evaluated for proper
authorization.
A sample of batch control totals should also be
reconciled.
A sample of data edit errors should be evaluated
to ensure they were resolved and resubmitted.
access control matrix
Proper use of file labels and write-protection
mechanisms
Concurrent update controls
Encryption of highly confidential data
Use of virus protection software
Maintenance of backup copies of all data files in
an off-site location
Audit Procedures: System Review
Review documentation for functions of file library
operation
Review logical access policies and procedures
Review operating documentation to determine
prescribed standards for:
Use of file labels and write-protection
mechanisms
Use of virus protection software
Use of backup storage
System recovery, including checkpoint and
rollback procedures
Review systems documentation to examine
prescribed procedures for:
Use of concurrent update controls and data
encryption
Control of file conversions
Reconciling master file totals with
independent control totals
Examine disaster recovery plan
Discuss data file control procedures with systems
managers and operators
Audit Procedures: Tests of Controls
Observe and evaluate file library operations
Review records of password assignment and
modification
Observe and evaluate file-handling procedures by
operations personnel
Observe the preparation and off-site storage of
backup files
Verify the effective use of virus protection
procedures
Verify the use of concurrent update controls and
data encryption
Verify completeness, currency, and testing of
disaster recovery plan
Reconcile master file totals with separately
maintained control totals
Observe the procedures used to control file
conversion
Compensating Controls
Strong user controls
Effective computer security controls
Strong processing controls