Chapter 8

Systems work: basic ideas 2

Use with The Audit Process: Principles, Practice and Cases, 6th edn
ISBN 978-1-4080-8170-9 © Iain Gray, Stuart Manson and Louise Crawford, 2015
Learning objectives
• To explain the nature and role of application controls and describe the main
features of these controls.
• To distinguish between systems-development/maintenance controls and
application controls.
• To show how the auditor breaks down systems into components as an aid to
understanding the systems.
• To explain how the auditor records systems in use.

Application controls
• The major objectives of computer applications:
– Data collected prior to input is genuine, accurate and complete.
– Data accepted by the system remains genuine, accurate and complete during processing.
– Data stored temporarily or permanently should be genuine, accurate and complete.
– Output data/information is genuine, accurate and complete and goes to the intended
recipient.
– Information/audit trail is complete.
• Explanation of ‘Genuine, accurate and complete’ (see Table 6.2 and PowerPoint slides
6, 7 and 8 for Chapter 6).
• Application controls are applied at: data capture/input; processing; and output.
• Special controls: database and e-commerce.

Data capture/input controls
• Boundary controls are controls over user and system interface: cryptographic
controls; plastic cards for identification; PINs; digital signatures; passwords;
firewalls; and initiation of information/audit trail.
• Input controls in place before data passes interface: design of source
documentation; design of product, customer and other codes; check digits;
sequence checking; limit or reasonableness tests; one-for-one checking; and
batch controls.
• In database systems batch controls are different in nature.
• Input data verified as soon as possible after entry. Two useful controls:
exception reports and sound warnings of invalid data entry.
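
The input controls listed above (check digits, sequence checking, limit or reasonableness tests, batch controls) feeding an exception report, combined in one routine as an added example that is not from the book or its slides. The modulus-11 check-digit scheme, the field names, the 1,000-unit limit and the sample batches are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumptions for this example (not from the slides): modulus-11 check digit
# on 5-digit base codes, a 1,000-unit reasonableness limit, all field names.
WEIGHTS = (6, 5, 4, 3, 2)
MAX_QUANTITY = 1000

def check_digit(base: str) -> str:
    """Modulus-11 check digit; 'X' stands for a value of 10."""
    total = sum(int(d) * w for d, w in zip(base, WEIGHTS))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)

def code_is_valid(code: str) -> bool:
    """A code is five digits followed by the matching check digit."""
    return len(code) == 6 and code[:5].isdigit() and check_digit(code[:5]) == code[5]

@dataclass(frozen=True)
class Order:
    doc_no: int              # pre-numbered source document
    customer: str
    quantity: int
    unit_price: Decimal

@dataclass(frozen=True)
class BatchHeader:           # prepared by the user department before transfer
    first_doc: int
    count: int
    control_total: Decimal   # sum of order values
    hash_total: int          # sum of document numbers

def validate_batch(header: BatchHeader, orders: list[Order]) -> list[str]:
    """Return the exception report; an empty list means the batch is accepted."""
    report = []
    expected = header.first_doc
    for o in orders:
        if o.doc_no != expected:                 # sequence check: gaps, duplicates
            report.append(f"doc {o.doc_no}: sequence break, expected {expected}")
        expected = o.doc_no + 1
        if not code_is_valid(o.customer):        # check digit
            report.append(f"doc {o.doc_no}: code {o.customer} fails check digit")
        if not 0 < o.quantity <= MAX_QUANTITY:   # limit or reasonableness test
            report.append(f"doc {o.doc_no}: quantity {o.quantity} out of range")
    # Batch controls: recompute the totals and compare them with the header.
    if len(orders) != header.count:
        report.append(f"batch: {len(orders)} documents, header says {header.count}")
    value = sum((o.quantity * o.unit_price for o in orders), Decimal("0"))
    if value != header.control_total:
        report.append(f"batch: value {value}, header says {header.control_total}")
    hash_total = sum(o.doc_no for o in orders)
    if hash_total != header.hash_total:
        report.append(f"batch: hash total {hash_total}, header says {header.hash_total}")
    return report

# Constructed sample data: a header, the batch as written, and the batch as mis-keyed.
HEADER = BatchHeader(first_doc=101, count=3,
                     control_total=Decimal("1050.00"), hash_total=306)
CLEAN = [Order(101, "104825", 100, Decimal("5.00")),
         Order(102, "203173", 40, Decimal("12.50")),
         Order(103, "104825", 10, Decimal("5.00"))]
MISKEYED = [Order(101, "108425", 100, Decimal("5.00")),   # digits transposed
            Order(103, "203173", 4000, Decimal("12.50"))] # doc 102 lost, extra zeros

if __name__ == "__main__":
    for line in validate_batch(HEADER, MISKEYED):
        print(line)
```
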

Activity 8.2

• A sales clerk receives a telephone order from a customer, Harry Smith, who
asks for a delivery of 100 units of a product, at a price of £5 per unit.
• What is particularly risky about this transaction and what procedures would be
appropriate to reduce the risks to an acceptable level?

Password and related systems 1
• Features of password system:
– degrees of access
– alphanumeric digits
– avoid passwords identified with person using
– secrecy
– regular/frequent changes
– shutdown of terminals if incorrect.

Password and related systems 2
• Related controls:
– Restriction of terminals to one particular activity
– Records of terminals and employees accessing
– Restriction of use of terminals
– Where national telephone system used for transmitting data:
▪ numbers ex-directory
▪ private secure lines
▪ numbers restricted to identified activities
▪ call-back system
▪ encryption.

Firewalls
• Firewall – system controlling access between internet and entity
network.
• Intranets allow easy transfer of data between parts of the system.
• Extranets – networks expanded to people and organizations outwith the
organization – may be more vulnerable to outside threats.
• Firewalls need authorization and identification systems.
• Some networks very tight – intranet for use of top management or
transfer of data.
• Others more open for some forms of communication.

Activity 8.3

• Apart from recording the identity and the authenticity
of the user, what other data about users and related
actions should be recorded when a user initiates a
transaction?

Data capture/input controls
Figure 8.1

Data capture/input controls

• Organizational controls in non-data base systems (Figure 8.1):
– Segregation of user departments and the computer department.
– User department retention of control over data
– Formal transfers of data.
– Maintenance of control log
– Investigation of differences.
– Early verification of inputs.

Processing controls
• Controls over CPU, main memory, operating system
• Controls over applications
– Continuity in processing – run-to-run controls – file dumping – control totals.
– Master files data – genuine, accurate, complete.
– Testing of programs during development and on continuing basis.
– Complete and recorded information/audit trail.
– Control system to ensure no data lost or corrupted if system failure.
– Other processing controls: sequence checks – limit or reasonableness tests –
checking calculations.

Activity 8.5

• Assume that, in an entity that you are auditing, an inventory order is
automatically prepared when a minimum inventory level has been reached.
What kind of data would you like to see recorded in the preparation of the
purchase order?

Output controls
• Two purposes of output controls: (1) outputs are genuine, accurate
and complete; (2) outputs are distributed to those who need them.
• Access controls, batch control and rapid correction of errors make
genuine, accurate and complete outputs more likely.
• The exception report is a special kind of output, important in the
context of control.
• Users of output data and information should be trained to review
the output for any obvious errors.

Database systems
• A database is ‘a collection of data that is shared and used by a number of
different applications for different purposes’.
• Prime advantage – provide the same data to all authorized users, but there are
security and integrity problems to be solved:
a) Loss of control over data by data preparation personnel.
b) Excessive power in the hands of the database administrator.
c) Technical features to secure safety in processing may reduce control.
d) The information/audit trail is particularly important.

E-commerce
• Risk enhanced by the openness of the internet.
• There are four degrees of internet use:
1. Using the internet as a means of making information available to
outsiders.
2. Exchanging information with trading partners.
3. Using the internet to transact business.
4. Full integration with business systems with direct impact on the entity’s
records.
• Auditors determine management strategy and steps to identify risks and how
controlled: security risks – legal and taxation matters – practical business and
accounting problems – the internet never sleeps – crisis management.

E-commerce: security risks
• Threats to security of data and systems:
– Corruption of data by viruses and hackers
– Threat to privacy of personal data
– Infringement of intellectual property rights
– Unwanted communication, e.g. ‘spam’
• Controls to reduce impact of risks:
1. Security policy
2. Firewalls
3. Private networks, such as intranets and extranets
4. Information/audit trails
5. Other security measures
i. Encryption of data
ii. Identification and authentication information

Legal and taxation matters
• ISA 250: ‘The auditor shall obtain sufficient appropriate audit
evidence regarding compliance with the provisions of those laws
and regulations generally recognized to have a direct effect on
the determination of material amounts and disclosures in the
financial statements.’
• The internet is international in nature – must be known which
legal jurisdiction applies when transactions are entered into.
• Also – which tax jurisdiction can tax income derived from a
transaction, including VAT.

E-commerce – practical business and accounting problems
• Entity carrying on business over internet may act as principal
(record as sales) or agent (record commission) – examine
contractual arrangements with third parties.
• Other accounting matters include:
– Cut-off
– Return of goods and claims under product warranties
– Bulk discounts and special offers
– Payment other than by monetary transfer
– Browsing
– Follow-through of transactions

E-commerce – the internet never sleeps

• E-commerce systems must operate efficiently and effectively for 24 hours
• Staffing implications
• Systems robust enough to work properly over the 24-hour period
• Integration of systems and automatic updates of accounting records desirable.

E-commerce – crisis management
• Systems to ensure losses minimized when things go wrong.
• Possible consequences of failures include loss of reputation, loss or
corruption of data and information and significant reductions in positive
cash flows – possible going concern implications.
• Appropriate measures include back-up of important data, installing
emergency power supplies, regular review of system quality by
independent persons and regular maintenance and testing of systems in
use.

Audit approaches to systems and controls

• Systems objectives are audit objectives.
• Recording accounting and control systems.

Systems objectives = audit objectives (1)

• The basic approach to any audit area:
1. Identify the components.
2. Identify the assertions relating to those components – assertions = audit
objectives, often framed as key questions.
3. Identify the inherent risks associated with each assertion.
4. Identify the controls associated with the component.
5. Estimate the level of control risk.
6. Determine the audit detection procedures necessary to reduce total audit risk to
acceptable proportions.
• See Table 8.1 for assertions in a sales and trade receivables system.

Systems objectives are audit objectives (2)
Table 8.1

Activity 8.11
• Consider the following assertion relating to sales: ‘The sales
represent goods whose title has passed to a third party.’ This can be
rephrased as an inherent risk: ‘There is an inherent risk that
recorded sales do not represent goods that have passed to a third
party.’
• Under what circumstances do you think that inherent risk might be
high in relation to this assertion?

Systems objectives are audit objectives (3)
Figure 8.2

Activity 8.12

• Examine Figure 8.2 (on the previous slide) and identify points where there
should be control actions.

Systems objectives are audit objectives (4)
Figure 8.3

Activity 8.13

• Now identify points where there should be control actions in the data flow
system shown in Figure 8.3 (on the previous slide).

Recording accounting and control systems (1)
• Practical way to approach the work is:
1. Find out persons operating the system by enquiry.
2. Interview each person.
3. Note distribution of copies of any documents.
4. Find out what entries are made in permanent records as a result of the
transactions and construct the information/audit trail.
• Auditors use ‘walk-through tests’ to understand system, record it and to see if
the entity appears to have appropriate controls in force.
• Auditors record systems and controls, using:
– Narrative description
– Visual description
– Questionnaires and checklists

Recording accounting and control systems (2)

• Visual description:
1. Organization charts
2. Information trail/audit trail flow chart
3. Flow charts: document flow chart – data flow diagram – system flow chart –
program flow chart.
4. Questionnaires and checklists:
▪ Internal control questionnaire (ICQ)
▪ Internal control evaluation questionnaire (ICEQ)
▪ Electronic data processing (EDP) or IT checklists
• In practice, a combination of narrative description, flowcharts and questionnaires
and checklists will be used. Each method has its value.

Flowcharts
• Advantages:
1. Aids understanding of accounting/control systems.
2. To draw a flow chart properly auditor must understand how the entity
controls its operations.
3. Detect strengths, weaknesses, unnecessary procedures and documents.

• Disadvantages:
1. Time-consuming to prepare and difficult to alter.
2. In simple systems, narrative descriptions better.
3. Considerable variation of symbols used.
4. Require experience to prepare and interpret.
5. In complex situations too simplistic.

Internal control questionnaire (ICQ) (1)

• ICQs record details of the system – useful in recording small
systems.
• Used to interpret the strengths and weaknesses of the system.
• Designed to prompt memory as to the matters of importance in the
system.
• Indicates whether individual parts of the system are strong or
weak, but requires overall conclusion.
• See Horton Limited cash receipts system in Figure 8.4.

Receipts of cash system
Figure 8.4

Internal control evaluation questionnaire (ICEQ) (2)

• ICEQs not used to record the system, but to evaluate it after recording by other
means.
• Set objectives for auditors, phrased as key questions.
• These key questions can often only be answered by asking other questions.
• See Table 8.2 for key questions and suggested subsidiary questions in the sales
and debtors area.
• Larger firms use computer-generated information on ICEQs in conjunction with
expert systems.

Key and subsidiary questions in a sales system (1)
Table 8.2

Key and subsidiary questions in a sales system (2)
Table 8.2 (continued)

Key and subsidiary questions in a sales system (3)
Table 8.2 (continued)

Key and subsidiary questions in a sales system (4)
Table 8.2 (continued)

Key and subsidiary questions in a sales system (5)
Table 8.2 (continued)

Key and subsidiary questions in a sales system (6)
Table 8.2 (continued)

Electronic data processing (EDP) or IT checklists

• EDP or IT checklists have been developed to help the auditor
assess the quality of computer systems.
• See Figure 8.5. This EDP/IT checklist has been completed for
general controls: development controls and organizational controls
and security for Burbage Limited whose sales system is described in
Case study 9.4 in Chapter 9.

EDP IT checklist of development, organizational and security
controls (Burbage Limited) (1)
Figure 8.5

EDP IT checklist of development, organizational and security
controls (Burbage Limited) (2)
Fig 8.5 (continued)

EDP IT checklist of development, organizational and security
controls (Burbage Limited) (3)
Figure 8.5 (continued)

EDP IT checklist of development, organizational and security controls
(Burbage Limited) (4)
Figure 8.5 (continued)

EDP IT checklist of development, organizational and security controls
(Burbage Limited) (5)
Figure 8.5 (continued)

EDP IT checklist of development, organizational and security controls
(Burbage Limited) (6)
Figure 8.5 (continued)

Figure 8.1 Interface between data preparation and computer room

Figure 8.2 Sales system: simplified overview chart

Figure 8.3 Data flow diagram: customer order system

Figure 8.4 Receipts of cash system

Figure 8.5 EDP IT checklist of development, organizational and
security controls (Burbage Limited)

Figure 8.5 (Continued)

Note 1: An ‘S’ denotes strong controls:


Note 2: If this checklist was on an expert system the initial evaluation might be
suggested by the computer program, but would have to be reviewed manually
before a final conclusion was reached
Figure 8.6 Computer systems flowchart for a payroll system
