2. Phases of Audit
• Know your client & the industry because
most clients are using computerized
systems
• Using modern technology replaces the
conventional/manual records, even
signatures are scanned
• There are no trails as all records are in the
‘black box’
• Audit must satisfy himself that controls are
effective to give complete accurate FR
3. Relationship of CIS to audit
phases (IAS 1008)
• Knowing how the business processes its
accounting information >VIP areas
• Control systems for processing accounting
information: transaction trail, segregation of
processing, potentials for misstatement,
errors= compliance test on internal controls
• Risk Assessment: inherent risk (set up &
programs), control risk (access & data input)
• Plan audit procedures to detect risks
4. Basic Features of CIS
• Hardware & Software
• Different Input Devices: scanner, flash
drives, CDs, tapes and Output Devices:
screen, softcopy/printer, email, website
• Data Processing: online versus offline,
direct access v sequential access
• Batch processing online v individual online
• IT skill is essential in an CIS audit
5.
6. Internal Controls in CIS
General
• Physical set up,
location or housing
• Physical control,
security and back up
• Access control
• Storage and library of
CIS data for backup
or future retrieval
Application
• Software choice
and programming
• Input access &
control-authorized
• Files control
• Process & Output
control
7. Three Common CIS Audit
Techniques/Procedures
• Auditing Around the computer-testing of
general controls & manual vouching of
output to source documents, then verify
with CIS output
• Auditing through the computer-testing of
application controls using various tests
• Auditing with the computer-auditing with
the use of audit software and/or computer
assisted audit techniques (CAAT)
8. Auditing Around the Computer
• Computer is treated as a black box and
only documents are assessed before and
after they have gone thru
• Cheapest, no IT knowledge required &
simple
• Doesn’t prevent any problem as it is
postmortem approach
9. Auditing through the computer
• Requires testing of input & output controls
• Data test-where some data is processed thru the
system & compares with manually processed
result. Tested in ‘non-live’ set separately to
avoid corrupting the client’s program
• Integrated Test Facility- requires the use of
dummy data to test the client’s live files. The
data is processed in the usual manner with the
rest.
10. • Process client actual data-to test controls
thru controlled processing, reprocessing or
parallel processing where two systems
operate in the test
• Non processing approach-program codes
are reviewed for logic & accuracy; review
of accounting job runs for errors, timing &
abnormality.
#review of codes requires extensive IT
knowledge
11.
12.
13. Auditing with Computer
• Where clients have large volumes of
records, it is time consuming to audit
manually.
• Generalized Audit Software (GAS)- a
software that can perform general
accounting/processing activities. Others
like File Formats-file formats vary, thus
this program can deal with file differences;
processing instructions; can assess
certain processing tasks
14. • Current GAS can:
1. Identify and select items to audit/review
2. Conduct exception reporting-select
records certain criteria-aged debtors
3. Can carry out calculations-calculate
doubtful debts of aging debtors
4. Compare data from different files
5. Summary data-list of debtors owing
K1m>
6. Summarize & report
Specialized Auditing software for each
industry or activities (SAS)
15. Using PCs in the audit
• PCs used in different audit assignments
including spreadsheet
• Templates can be created for common
accounting or auditing calculations e,g,:
1. Working Trial Balance=accounts are down
loaded from the client’s accounts to draw up
a trial balance, adjustments, P&L & B/S
2. Analytical Procedures- comparative ratios
3. Complex Computations from Templates set
up
16. Audit Soft wares
• General audit software can be purchased
off the shelf and engineered to meet need
• Expert system -specialised system =
’artificial intelligence’ or decision support
system=assists in testing Internal controls.
Auditor enters client program, software
generate a relevant internal control test
questionnaire automatically. The auditor
provides symptoms, program suggests
relevant audit procedures
17. E-Commerce & Audit
• Earliest form=Electronic Data Interchange
(EDI), a subset of e-commerce
• E-Commerce grew by 3000% b2win 1999
& 2005, a booming business. It impacts on
auditing (IAS 1009-CAAT)
• Auditor needs to identify impact of e-
commerce on client assertions in planning,
risk assessment, sampling, analytical
procedures, compliance & substantive
tests
18. Auditing in a Computer
Environment
• Main aim : to test whether client program
will detect errors/invalid transactions.
Results of computer processed information
is compared with manual result
• VIP to ensure the program tested is one
the client is using thru out the period
19.
20.
21.
22. Internet Risk
• Unless an entity uses a private network,
what is transmitted over a public network
is vulnerable; subjected to being
intercepted, altered, lost, diverted or
replaced.
• These makes audit authenticity at risk.
Some input control check include:
1. Batch control-group gets processed in full
2. Sequence Control-all pass in order
3. Digit check- correct & complete numbers
23. Computer Related
Considerations
• Real Time Processing systems-online
entry method where a transaction entered
into a terminal updates accurately without
trail. IAS 1002
• Computer service bureau-using external
CIS e.g. PNG concept payroll system. The
auditor needs to understand the controls in
place. Audit is done either on the client or
the service provider
24. • Database Management System-need CIS
specialist to plan an audit because
different programs use the same database
(IAS1003)
• Stand alone PC-single user, internal
controls need assessing (IAS1001)
• LANs & other networks-many users &
controls are stronger but risks are higher
25. Cont.
• Advanced CAATs (IAS 1009)-System
control audit file (SCARF) tags a
transaction to observe processing files
• Snapshot –the software takes a snapshot
of the program process a transaction
• Audit hooks-audit modules built into CIS
so auditors can use it to do auditing. It is
done at the initial stage of CIS set up.