Advance Auditing & Assurance

Quick Revision Notes for CAP III

Chapter 16 : Auditing in CIS environment

Coverage: Auditing Under CIS Environment

CAAT

CA Sunil Joshi

Copyrights with CA Sunil Joshi

Auditing Under Computerized Information
System (CIS) Environment

Computer Assisted Audit Techniques

(CAAT)

Copyrights with CA Sunil Joshi

Auditing Under Computerized Information
System (CIS) Environment
• Computerization of accounts does not affect the basic objective / fundamental
nature of auditing.
• The auditor would need to modify his audit procedures, approach and
technical capabilities so as to be able to form an opinion on the accounts
processed in a computerized environment.
• CIS environment exists when a computer of any type or size is involved in the
processing by the entity of financial information of significance to the audit,
whether that computer is operated by the entity or by a third party.
• Auditing in a CIS environment has caused substantial changes in the method
of evidence collection and evaluation.

Copyrights with CA Sunil Joshi

Factors affecting the scope of audit in
computerized environment
• High speed
• Low clerical error
• Concentration of duties  Multitasking ability so requires technical staffs
• Disappearance of manual reasonableness
• Impact of poor system
• Exception reporting  Part of MIS, variables not within range are reported.
• Man-machine interface / human-computer interaction
• Shifting of internal control base:

Copyrights with CA Sunil Joshi

 Shifting of Internal Control Base
Application systems development
control
Systems development control should be
designed to provide reasonable assurance
that they are developed in an authorized
and efficient manner, to establish control,
over:
• Testing, conversion, implementation,
and documentation of new revised
system.
• Changes to application system.
• Access to system documentation.
• Acquisition of application system from
third parties.
Systems software control
Systems software controls are designed
to provide reasonable assurance that
system software is acquired or developed
in an authorized and efficient manner
including:
• Authorization, approval testing,
implementation and documentation of
new system software systems
software modifications.
• Putting restriction of access to system
software and documentation to
authorized personnel.
Copyrights with CA Sunil Joshi
Issues that may arise in the implementation of
internal control system in CIS environment
• Segregation of duty
• Delegation of duties and responsibilities
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Adequate management supervision
• Comparing recorded accountability with assets

Copyrights with CA Sunil Joshi

Review of Checks & Controls in a CIS
Environment
Review Process
1) Organization Structure / Control
• Data Administrator
• Database Administrator
• System Analyst
• System Programmers
• Application Programmer
• Operation Specialist
• Librarian
2) Documentation Control
• A system flowchart
• A program flowchart
• Program change
• Operator instructions
• Program description (explaining the purpose for each part of program)

Copyrights with CA Sunil Joshi

3) Access Control
• Segregation Control
• Limited Physical Access to the computer Facility
• Visitor entry Logs
• Hardware and Software access controls
• Call back
• Encryption
• Computer Application Controls
4) Input Control
• Pre- printed form
• Check Digit
• Completeness Totals  Batch Control Total, Batch Hash Total, Batch Record
Totals, Sequence Checks
• Reasonableness Checks
• Fields Checks  Missing data / blank, Alphabetic / Numeric, Range, Master
Reference, Size, Format Mask
• Record Checks  Reasonableness,Valid Sign Numeric, Size
• File Checks

Copyrights with CA Sunil Joshi

5) Processing Control
• Overflow
• Range
• Sign- Test
• Cross- Footing
• Run- to- Run Control
6) Recording Control
• Error Log
• Transaction Log
7) Storage Control
• Physical Protection Against Erasure
• External Label
• Magnetic Labels
• File Back-up Routines
• Database Back- up routines
• Cryptographic Storage
8) Output Control

Copyrights with CA Sunil Joshi

Approach to auditing in a CIS environment
provides
1) Skill and Competence
2) Planning
3) Risk
4) Risk Assessment
5) Documentation

1) Skill and Competence

• An auditor should have sufficient knowledge of the computer information
systems to plan, direct, supervise control and review the work performed.
• If any specialized CIS skills are needed the auditor would seek the assistance
of an expert possessing such skills.

Copyrights with CA Sunil Joshi

2) Planning: The auditor should obtain an understanding of:
• the significance and complexity of the CIS activities and the availability of the data
for use in the audit.
• the accounting and internal control system to plan the audit and to determine
the nature, timing and the extent of the audit procedures.

3) Risk:
• When the computer information systems are significant the auditor should assess
whether it may influence the assessment of inherent and control risks.
• Nature of the risks and the Internal Control System in CIS environment include:
a) Lack of Transaction Trails
b) Uniform processing of Transactions
c) Lack of Segregation of functions
d) Potential for errors and Irregularities
e) Initiation or Execution of Transactions
f) Dependence of Other Controls over Computer Processing
g) Increased management Supervision
h) Use of Computer

Copyrights with CA Sunil Joshi

4) Risk Assessment
• The auditor in accordance with NSA 315 “Identifying and Assessing the
ROMM through Understanding the Entity and its Environment” should make
an assessment of inherent and control risk for material FS assertions.
• Risk may result from deficiencies in:
a) Program development and maintenance
b) System software support
c) Operations
d) Physical CIS security
e) Control over access to specialized utility programs;

5) Documentation
• The Auditor should document the audit plan, the NTE of audit procedures
performed and the conclusions drawn from the evidence obtained
• The auditor should satisfy himself that evidence that is in electronic form is
adequately and safely stored and is retrievable in its entirety as and when
required

Copyrights with CA Sunil Joshi

Considerations of Control Attributes
by the Auditors
• Preventive Controls: Controls which stop errors or irregularities from
occurring
• Detective Controls: Controls which identify errors and irregularities after
they occur
• Corrective Controls: Controls which remove the effects of errors and
irregularities after they have been identified

Copyrights with CA Sunil Joshi

Audit Trail in CIS Environment
• Audit trail is the process of tracing the transaction from the beginning (initiation) to
the end (recording in FS) thereby enabling to relate ‘one-to-one’ basis, the original
input along with the final output
• Audit trail helps the auditor to identify each stage of the transaction from the input,
through processing and finally to the output.
• Simply audit trail refers to the documentation (either in paper or electronic record)
of detailed transactions supporting summary ledger entries
• Loss of audit trail means a situation where the visible trace of transaction from its
source to its final process or resting place cannot be completed
• In CIS environment the loss of audit trial may be realized due to the following factors:
a) There is direct data entry in the processing system
b) Online processing of the transactions
c) Elimination of manual records
d) Output results are directly displayed by the system
• The loss of audit trail in CIS environment can be compensated through:
a) Use of CAAT
b) Use of Programmed Interrogation Facilities
c) Clerical recreation process etc.
Copyrights with CA Sunil Joshi
Processing System in EDP / Types of EDP
Account System
1)Batch Processing System
• It is also known as deferred processing or offline processing.
• In this system similar transactions are accumulated & processed in groups
• It is cost effective because processing transactions at once saves times & cost
instead of processing each transaction individually
• It requires fewer networks as compared to online real time system
• Batch processing is typically used for large amounts of data that must be
processed ion a routine schedule
• It may be used in case of paychecks, sales order or credit card transactions
• It is difficult to trace an error in large batches
• The master file is not always kept up to date
• The updating process in this system is slower as this processing is schedule based

Copyrights with CA Sunil Joshi

Processing System in EDP / Types of EDP
Account System
2) Online Real Time Systems (OLRT)
• This is an interactive system where the input data is processed instantly
• It means that the transactions are entered & processed at the same time
when they occur
• The data can be accessed randomly because of network access
• It involves database servers, files on hosting and browser to communicate
effectively and process the transactions in prompt manner
• Real-time processing is better & more economical for uncommon & smaller
number of transactions
• It can be either local area network or wide area network technology
• The auditor needs to have knowledge on IT to assess this system as this
system does not ordinarily, provide audit trail
• It may be used in online Reservation Systems,ATM’s etc.
• The updating process is fast

Copyrights with CA Sunil Joshi

Approach to EDP Audit
1) Black Box Approach:
• The auditor concentrates on input and output and ignores the specifics of how
computer processes the data or transactions.
• If input matches the output, the auditor assumes that the processing of
transaction/data must have been correct.
• The comparison of inputs and outputs may be done manually with the assistance of
the computer.
• The computer assisted approach has the advantage of permitting the auditor to
make more comparisons than would be possible, if done manually.

Input Processing Output

Audit
Copyrights with CA Sunil Joshi
Approach to EDP Audit
2) White Box Approach
• The processes and controls surrounding the subject are not only subject to audit
but also the processing controls operating over this process are investigated.
• In order to help the auditor to gain access to these processes, auditing software may
be used.
• To follow this approach, the auditor needs to have sufficient knowledge of
computers to plan, direct, supervise and review the work performed.
• The auditor will also need to be satisfied that there are adequate controls over the
prevention of unauthorized access to the computer and the computerized database
• The auditors task will also involve consideration of the separation of functions
between staff involved in the transaction processing and the computerized system
and ensuring that adequate supervision of personnel is administered.
Audit
Input Processing Output
Audit

Copyrights with CA Sunil Joshi

Computer Assisted Audit Techniques
• CAATs are computer programs and data that the auditor uses as part of the
audit procedures to process data of audit significance, contained in an entity’s
information systems.

Uses of CAATs
• Tests of details of transactions and balances, for example, the use of audit software for
recalculating interest or the extraction of invoices over a certain value from computer
records;
• Analytical procedures, for example, identifying inconsistencies or significant fluctuations;
• Tests of general controls, for example, testing the set-up or configuration of the
operating system or access procedures to the program libraries or by using code
comparison software to check that the version of the program in use is the version
approved by management ;
• Sampling programs to extract data for audit testing;
• Tests of application controls, for example, testing the functioning of a programmed
control; and
• Reperforming calculations performed by the entity’s accounting systems.

Copyrights with CA Sunil Joshi

 CAATs

Software Test Data

Purpose
Package Utility System Integrated
with Test Packs
Program software Management Test Facility
program
Program

Generalized General Separate Combined

Audit Customized Utility Productivity Processing Processing
Software Program function tools

Ex: Data Retrieval

Copyrights with CA Sunil Joshi

Considerations in the Use of CAATs
• IT knowledge, expertise and experience of the audit team
• Availability of CAATs and suitable computer facilities and data
• Impracticability of manual tests
• Effectiveness and efficiency and
• Time constraints

Copyrights with CA Sunil Joshi

--------END OF CHAPTER--------

Pc: Pinterest

Copyrights with CA Sunil Joshi