
Audit Tutorial 12

Question 1

a) Describe TWO (2) types of control in an information technology environment.

Snapshot:

1. General control
- Related to the overall information processing environment
- It relates to the overall environment within which computer-based accounting systems
are developed, maintained and operated, and applies to all the applications
- General controls are sometimes referred to as supervisory, management or information
technology controls
- Example: server, hard disc, accounting system

2. Application control
- It applies to the processing of individual accounting applications
- Example: Purchasing module > help to ensure the completeness and accuracy of
purchasing transaction processing, authorization and validity

b) Describe TWO (2) types of audit approach in an IT environment.


Snapshot:
1. Audit around the computer (input to output)
- Concerning input and output and ignoring the process
- Audit procedures would include checking authorization, coding and control inputs and
checking the output with source documents
- Condition to use this approach
i. Adequate source documents and accounting reports in human readable form
ii. Transactions must be traceable from source document to the accounting reports

2. Audit through the computer (input to processing to output)
- Concerning input, output and also the processing routines of the computer
- It describes the various steps taken by the auditor to evaluate the client’s software and
hardware to determine the reliability of operations that are hard for auditors to view.
- Need to test the operating effectiveness of related computer controls that are hard for
human eyes to see
- Condition to use this approach
i. When there is no visible trail

c) Describe any THREE (3) effects of IT on an organization’s internal controls.

Snapshot:

1. Control environment
- Foundation/ framework > discipline and structure of the company
- IT affects all the factors that affect the control environment
- Example: Implementation of accounting system> ERP system or normal accounting
system or manual system> character of management team
2. Control procedures
- Information processing > IT affects the control procedures that ensure management’s
directives are carried out
- Example: ERP system > management’s emphasis on strong internal control

3. Business risk
- IT affects the business risks that influence the achievement of entity objectives > risk
management
- Example: Install fire alarms and smoke detectors to minimize the fire risk
- Example: Proper authorization via accounting systems (ERP) > reduce human risk

4. Information and communication requirement


- General control and application control > IT affects the information and communication
requirement
- Example: reports generated from accounting systems > sales by region, sales by
customers, sales by product etc.
- Example: built-in “help” function

5. Monitoring activities
- IT affects all the monitoring activities > to ensure its effectiveness and efficiency in
operation
- Example: Using accounting system to monitor the purchasing process flow (PR to PO to
GRN to matching SI and PR/PO/GRN to GL recording to Payment), i.e. no payment can be
made before PR, PO, GRN and SI are keyed in

d) Describe THREE (3) security and access controls on IT that may be implemented by an
organization.

Snapshot:

Security and access controls are:

1. Restricting access
- Restricting access to computers to authorized users only such as locked doors,
authorized cards, windows log in
- Example: Only authorized personnel can access the computer room, using an
authorised access card

2. Logging or trails
- Logging or trail to record and monitor access to computer files and programmes
- Example: Log on based on company and functions

3. Password
- Password to restrict access to programme and data files
- Example: password set by individual users

4. Secure storage of backup data


- Secure storage of backup data in a safe and separate location
- Example: backup disc is kept in the bank
- Example: Internet data centre at Cyberjaya (Multimedia Super Corridor)

Question 2

[Refer to case study of tutorial]

a) Identify and explain four matters that the audit partner of your firm should consider before
deciding whether to accept the appointment as the company’s auditors.
Snapshot:
- Refer to Tutorial 8, Q1
1. Qualification to act as auditor > Independent > Companies Act 2016
2. Ethical matters > 5 ethical principles & ethical threats
3. Technical competence > knowledge of the industry
4. Resources available > audit staff and audit techniques
5. Risk assessments > auditor business risk
6. Replacement of previous auditor > serious disagreements
7. Procedures for obtaining information > third party inquiry > integrity of management

b) Explain why it is important for a strong internal control to be exercised over the development of the
new computer accounting system.

Snapshot :

1. Consistent application of predefined business rules and performance


- Consistent application of predefined business rules and performance of complex
calculations in processing large volumes of transactions or data
- Example: assists in auto-computing the sales listing

2. Timeliness, availability and accuracy of information


- Once input is keyed in correctly, output or required information can be easily generated
- Enhancement of the timeliness, availability and accuracy of information
- Easy to extract the information required
- Example: financial statements can be generated on a timely basis

3. Monitor the performance


- Enhancement of the ability to monitor the performance of the entity’s activities and its
policies and procedures
- Example: Using audit trail function to monitor the performance of the staff

4. Additional analysis of information


- Facilitation of additional analysis of information for decision making
- Example: sales analysis report by customers, products etc

5. Reduction in the business risk


- Using systems to control the process procedures, which is systematic and able to reduce
the business risk
- Example: assists in the sales process flow; a Delivery Order can only be issued after creation of
a Sales Order, in order to prevent unauthorised delivery

6. Effective segregation of duties


- Enhancement of the ability to achieve effective segregation of duties by implementing
security controls in applications, databases and operating systems
- Example: Implementing proper segregation of duties in the purchasing process by using
accounting system > PR>PO>GRN>matching PI/PO/GRN > payment

c) Outline FIVE (5) examples of controls to prevent unauthorized changes to data files that you
would expect to find in the new accounting system of YY.
Snapshot:
a. Under general controls
1. Data centre and network operations control
- Example: only authorised personnel can access the data centre

2. System software acquisition, change and maintenance control


- Example: ERP such as SAP or Oracle implied a better internal control feature
compared with normal accounting software such as AutoCount or MYOB

3. Application system acquisition , development and maintenance control


-Example : Sales module, Purchasing module, financial module in SAP developed a
better internal control feature such as system control and audit trail feature
compared with normal accounting software such as UBS

4. Access security control


- Implement access security control, i.e. who may access the system
- Example: the financial controller can only read the information

b. Under application controls


1. Data capture controls
- Software technique to keep track of data entry and data changes
- Example: date, description, quantity and amount
- Example: “mandatory field” > compulsory fields must be filled in

2. Data validation controls


- Identify validation controls, i.e. to help control integrity of data
- To identify data errors, incomplete or missing data and inconsistencies among
related data items
- Example: To test whether the account and cost centre is a valid combination

3. Processing controls
- Refers to the process flow > i.e. to increase business process reliability and efficiency
and ensure compliance with a broad range of regulations
- Example: Purchasing modules required the following process flow PR>PO>GRN>
Matching PI and GRN and PO > Payment

4. Output controls
- Output controls assist in managing the business transactions and reports required
within the company
- The application uses interfaces that were predefined in customizing for condition
to call up output control
- Example: Output control on the basis of sales document type (Sales Order,
Delivery Order, Sales Invoice)
- Example: Output control on SOPL and SOFP, which can only be read by Accountants.

5. Error controls
- Error control is the process of detecting and correcting the errors during data
capturing or transmission
- Example: Prompt a “Server Error message” when the system detects an error,
with the result that the user cannot proceed to the next step
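
The application controls listed above (mandatory fields, a valid account and cost centre combination, the PR>PO>GRN>matching>payment flow, and an error that blocks the next step) can be sketched as follows. This is an added example, not part of the original tutorial or of any accounting package; the field names, account codes, the `seq` ordering field and the sample documents are all constructed for illustration.

```python
# Added illustration: field names, codes and amounts below are constructed.
MANDATORY = ("date", "description", "quantity", "amount", "account", "cost_centre")
# Constructed master data: permitted account / cost centre combinations.
VALID_COMBINATIONS = {("5000", "CC-PUR"), ("5000", "CC-OPS"), ("6100", "CC-ADM")}
FLOW = ("PR", "PO", "GRN", "PI")  # documents required, in order, before payment


def check_entry(entry):
    """Data capture and data validation controls; returns a list of errors."""
    errors = [f"mandatory field missing: {name}" for name in MANDATORY
              if entry.get(name) in (None, "")]
    if errors:
        return errors
    if (entry["account"], entry["cost_centre"]) not in VALID_COMBINATIONS:
        errors.append("invalid account / cost centre combination")
    if entry["quantity"] <= 0 or entry["amount"] <= 0:
        errors.append("quantity and amount must be positive")
    return errors


def check_payment(documents):
    """Processing control: payment only after PR > PO > GRN > PI, all matching."""
    errors = []
    for prev, doc in zip((None,) + FLOW, FLOW):
        if doc not in documents:
            errors.append(f"{doc} not recorded")
        elif prev in documents and documents[doc]["seq"] < documents[prev]["seq"]:
            errors.append(f"{doc} recorded before {prev}")
    if not errors:
        # Matching PI / PO / GRN: all three must agree on quantity and amount.
        agreed = {(documents[d]["quantity"], documents[d]["amount"])
                  for d in ("PO", "GRN", "PI")}
        if len(agreed) != 1:
            errors.append("PO / GRN / PI do not match")
    return errors  # error control: a non-empty list blocks the next step


# Constructed purchasing trail; "seq" is the order in which documents were keyed in.
SAMPLE_TRAIL = {
    "PR": {"seq": 1, "quantity": 10, "amount": 500},
    "PO": {"seq": 2, "quantity": 10, "amount": 500},
    "GRN": {"seq": 3, "quantity": 10, "amount": 500},
    "PI": {"seq": 4, "quantity": 10, "amount": 500},
}

if __name__ == "__main__":
    print(check_payment(SAMPLE_TRAIL))
```
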

d) Describe the effect that the existence of the new accounting system will have on the planning of
the financial statements audit of the company.

Snapshot:

1. Control risk increase > do more audit work to collect audit evidence
Data conversion from existing system to new systems, i.e. to ensure all the opening
balances (SOFP) were properly reconciled.
2. Extra time is required to test the new system and ensure that it supports YY’s business
3. May need to adopt audit through the computer
4. Assignment of more experienced audit staff with required IT knowledge, expertise and
experience to the engagement team
5. Increased supervision and review of the audit work performed

Question 3
[Refer to case study of tutorial]

a) Explain what you understand by the term “audit trail”. Illustrate your answer.
Snapshot:
- An audit trail means a chain of evidence provided by documentation or other cross
referencing that connects account balances and other summary results with original
transaction data.
- Example: An electronic audit trail gives a step-by-step documented history of a transaction.
It enables an auditor to trace the financial data from the general ledger to the source
document

b) Explain why there is often a loss of visible audit trail in many computer-based accounting
systems.
Snapshot:
- In an advanced IT system, many computer-based programs lack a visible audit trail
because it only exists in electronic form. There are fewer hardcopy forms of documents.
Most of the data is stored in electronic format, which lacks an audit trail

c) Describe FIVE (5) factors that should be considered by you in determining the audit approach.
Snapshot:
1. Staffing requirements and use of expert
- Example: Audit through computer requires IT experts
2. Consideration of materiality and risk
- Example: Audit through computer is required when there is a large volume of business
transactions, i.e. high audit risk
- Example: Audit through computer is required when there is no visible trail

3. Understand the applicable laws and regulations


- Example: Understand the regulatory requirements when applying Audit through
computer

4. Identify related parties


- Example: Audit through computer is more appropriate when there is a high volume of
related party transactions

5. Going concern issues


- Example: Audit around computer is more appropriate when there are going concern
issues

6. Consideration of internal audit function


- Example: If the internal audit function is strong and independent, audit around computer can
be applied

7. Review audit strategy with audit committee


- Example : Audit committee may recommend the audit approach to be conducted

8. Additional value added services


- Example: Audit through computer may be more appropriate when the audit client requires
value added services

Question 4

Identify FIVE (5) internal control procedures to facilitate the physical security of a computer-based
accounting system and related software.

Snapshot:

1. Limit access > computer facilities


- Limit access to the computer facilities
- Example: limit access to the computer facilities through the use of locked doors with
authorized personnel being admitted through use of a conventional key, an authorization
card or physical recognition

2. Limited access to application programs > authorized personnel


- Only authorised personnel can access the accounting application programs
- Example: Programmers must not be allowed access to the computer room, to prevent them
from making unauthorized modifications to systems and application programs

3. Authorization control
- Authorization controls that limit access only to authorized information user
identification controls
- Example : Using passwords and data communication controls such as encryption of data
to restrict access to authorized personnel only

4. Physical control over programs and data


- Physical control over programs and data can be maintained by a separate library
function that controls access and use of files
- Example: backup disc kept in the bank
- Example: External connectivity of system from Cyberjaya to the company.

5. Operational disaster plan


- The entity should have an operational disaster plan which may include an off-site
backup location for processing critical applications
- Example: Computer room > climate control, air-con & backup power supply
- Example: Backup power plan such as emergency generator power, battery backup,
Uninterruptible Power Supplies (UPS)

Question 5

[Refer to case study of tutorial]

a) Explain why Top Secret should run both the existing and new system alongside each other prior
to live running of the new system.
Snapshot:
1. Parallel running of two computer systems, i.e. the old system and the new system, prior to
solely using the new system is a common technique that is used to ensure that the new
system is operating satisfactorily and that all information produced is complete and
accurate prior to discontinuing the use of the old system
2. Clearly the directors would not want to transfer over to the new system unless they are
confident that all information is being accurately processed and that information can be
produced on a timely basis and can be relied upon
3. During the period of parallel run, identical information would be produced from both
systems and compared to ensure that both are identical. In the event that any differences
were found these should be investigated and corrected prior to discontinuing use of the
old system
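
The comparison step of a parallel run, as described above, can be automated as a reconciliation of the two systems' outputs for the same period. This is an added example, not part of the original tutorial or of the case study; the CSV export layout, account codes and balances are constructed, and `load` and `reconcile` are hypothetical helper names.

```python
import csv
import io
from decimal import Decimal

# Constructed trial-balance exports from the old and the new system.
OLD_EXPORT = """account,balance
1000,15000.00
1100,2300.50
2000,-4100.00
3000,820.10
"""
NEW_EXPORT = """account,balance
1000,15000.00
1100,2300.05
2000,-4100.00
4000,75.00
"""


def load(text):
    """Parse an export into {account: balance}; Decimal avoids float rounding."""
    return {row["account"]: Decimal(row["balance"])
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(old, new):
    """Compare per-account balances and control totals from both systems."""
    differences = []
    for account in sorted(old.keys() | new.keys()):
        o, n = old.get(account), new.get(account)
        if o is None:
            differences.append((account, "only in new system", None, n))
        elif n is None:
            differences.append((account, "only in old system", o, None))
        elif o != n:
            differences.append((account, "balance differs", o, n))
    return {
        "record_count": (len(old), len(new)),
        "control_total": (sum(old.values(), Decimal(0)),
                          sum(new.values(), Decimal(0))),
        "differences": differences,
        # The old system is discontinued only when nothing is left to investigate.
        "ready_to_cut_over": not differences,
    }


if __name__ == "__main__":
    for item in reconcile(load(OLD_EXPORT), load(NEW_EXPORT))["differences"]:
        print(item)
```

Equal record counts and control totals alone would not be enough here: offsetting errors can leave the totals identical, which is why the per-account comparison is the deciding check.
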

b) Explain why you, as company auditor, would wish to be involved at this stage of the development
process of the new computer-based accounting system.
Snapshot:
1. To facilitate the timely examination and testing of the controls within the new computer-
based accounting system > to validate the reliability of the new computer-based
accounting system
2. Need to review the output from both systems and compare the two to validate the
accuracy and reliability of the new computer-based accounting system
3. Need to review the procedures (and test compliance with those procedures) operated
by the company’s staff to test the reliability of the new system
4. In the event that the auditor finds any errors or encounters problems with the data or
procedures, the auditor will make relevant recommendations to management.
