Auditing in a computer-based environment

Relevant to CAT Paper 8 and ACCA Qualification Papers F8 and P7 (INT and UK)

Student Accountant 08/2009, Technical. Studying Papers F8 or P7? Performance Objectives 17 and 18 are linked.

The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect this situation. Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of computer-assisted audit techniques (CAATs).

The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-based controls and computer-assisted techniques and the way they may feature in exam questions.

Relevant auditing standards

References will be made throughout this article to the most recent guidance in standards:
- ISA 300 (Redrafted) Planning an Audit of Financial Statements
- ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment
- ISA 330 (Redrafted) The Auditor’s Responses to Assessed Risks.

Internal controls in a computer environment

The two main categories are application controls and general controls.

Application controls

These are manual or automated procedures that typically operate at a business process level and apply to the processing of transactions by individual applications. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records.

Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)).

Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories:

(i) Input controls

Examples include batch control totals and document counts, as well as manual scrutiny of documents to ensure they have been authorised. An example of the operation of batch controls using accounting software would be the checking of a manually produced figure for the total gross value of purchase invoices against that produced on screen when the batch-processing option is used to input the invoices. This total could also be printed out to confirm the totals agree.

The most common example of programmed controls over the accuracy and completeness of input are edit (data validation) checks, where the software checks the data fields included on transactions by performing:
- reasonableness check, eg net wage to gross wage
- existence check, eg that a supplier account exists
- character check, eg that there are no alphabetical characters in a sales invoice number field
- range check, eg no employee’s weekly wage is more than $2,000
- check digit, eg an extra character added to the account reference field on a purchase invoice to detect mistakes such as transposition errors during input.

When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’.

(ii) Processing controls

An example of a programmed control over processing is a run-to-run control. The totals from one processing run, plus the input totals from the second processing, should equal the result from the second processing run. For instance, the beginning balances on the receivables ledger plus the sales invoices (processing run 1) less the cheques received (processing run 2) should equal the closing balances on the receivables ledger.

(iii) Output controls

Batch processing matches input to output, and is therefore also a control over processing and output. Other examples of output controls include the controlled resubmission of rejected transactions, or the review of exception reports (eg the wages exception report showing employees being paid more than $1,000).

(iv) Master files and standing data controls

Examples include one-for-one checking of changes to master files, eg customer price changes are checked to an authorised list. A regular printout of master files such as the wages master file could be forwarded monthly to the personnel department to ensure employees listed have personnel records.

General controls

These are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply to mainframe, mini-frame and end-user environments. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:
- data centre and network operations
- system software acquisition, change and maintenance
- program change
- access security
- application system acquisition, development, and maintenance (ISA 315 (Redrafted))

‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system.

(i) Administrative controls

Controls over ‘data centre and network operations’ and ‘access security’ include those that:
- prevent or detect errors during program execution, eg procedure manuals, job scheduling, training and supervision; all these prevent errors such as using wrong data files or wrong versions of production programs
- prevent unauthorised amendments to data files, eg authorisation of jobs prior to processing, back up and physical protection of files and access controls such as passwords
- ensure the continuity of operations, eg testing of back-up procedures, protection against fire and floods.

(ii) System development controls

The other general controls referred to in ISA 315 cover the areas of system software acquisition, development and maintenance; program change; and application system acquisition, development and maintenance.

‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
- Controls over application development, such as good standards over the system design and program writing, good documentation, testing procedures (eg use of test data to identify program code errors, pilot running and parallel running of old and new systems), as well as segregation of duties so that operators are not involved in program development
- Controls over program changes – to ensure no unauthorised amendments and that changes are adequately tested, eg password protection of programs, comparison of production programs to controlled copies and approval of changes by users
- Controls over installation and maintenance of system software – many of the controls mentioned above are relevant, eg authorisation of changes, good documentation, access controls and segregation of duties.

Exam focus

Students often confuse application controls and general controls. In the June 2008 CAT Paper 8 exam, Question 2 asked candidates to provide examples of application controls over the input and processing of data. Many answers referred to passwords and physical access controls – which are examples of general controls – and thus failed to gain marks.

Computer-assisted audit techniques

Computer-assisted audit techniques (CAATs) are those featuring the ‘application of auditing procedures using the computer as an audit tool’ (Glossary of Terms). CAATs are normally placed in three main categories:

(i) Audit software

Computer programs used by the auditor to interrogate a client’s computer files; used mainly for substantive testing. They can be further categorised into:
- Package programs (generalised audit software) – pre-prepared programs for which the auditor will specify detailed requirements; written to be used on different types of computer systems
- Purpose-written programs – perform specific functions of the auditor’s choosing; the auditor may have no option but to have this software developed, since package programs cannot be adapted to the client’s system (however, this can be costly)
- Enquiry programs – those that are part of the client’s system, often used to sort and print data, and which can be adapted for audit purposes, eg accounting software may have search facilities on some modules, that could be used for audit purposes to search for all customers with credit balances (on the customers’ module) or all inventory items exceeding a specified value (on the inventory module).

Using audit software, the auditor can scrutinise large volumes of data and present results that can then be investigated further. The software consists of program logic needed to perform most of the functions required by the auditor, such as:
- select a sample
- report exceptional items
- compare files
- analyse, summarise and stratify data.

The auditor needs to determine which of these functions they wish to use, and the selection criteria.

Exam focus

Sometimes, questions will present students with a scenario and ask how CAATs might be employed by the auditor. Question 4 in the December 2007 Paper F8 exam required students to explain how audit software could be used to audit receivables balances. To answer this type of question, you need to link the functions listed above to the normal audit work on receivables. Students should refer to the model answer to this question.

The following is an example of how this could be applied to the audit of wages:
- Select a random sample of employees from the payroll master file; the auditor could then trace the sample back to contracts of employment in the HR department to confirm existence
- Report all employees earning more than $1,000 per week
- Compare the wages master file at the start and end of the year to identify starters and leavers during the year; the auditor would then trace the items identified back to evidence, such as starters’ and leavers’ forms (in the HR department) to ensure they were valid employees and had been added or deleted from the payroll at the appropriate time (the auditor would need to request that the client retain a copy of the master file at the start of the year to perform this test)
- Check that the total of gross wages minus deductions equates to net pay.

(ii) Test data

Test data consists of data submitted by the auditor for processing by the client’s computer system. The principal objective is to test the operation of application controls. For this reason, the auditor will arrange for dummy data to be processed that includes many error conditions, to ensure that the client’s application controls can identify particular problems.

Examples of errors that might be included:
- supplier account codes that do not exist
- employees earning in excess of a certain limit
- sales invoices that contain addition errors
- submitting data with incorrect batch control totals.

Data without errors will also be included to ensure ‘correct’ transactions are processed properly.

Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have been used.

(iii) Other techniques

There are increasing numbers of other techniques that can be used; the main two are:
- Integrated test facility – used when test data is run live; this involves the establishment of dummy records, such as departments or customer accounts to which the dummy data can be processed. They can then be ignored when client records are printed out, and reversed out later.
- Embedded audit facilities (embedded audit monitor) – also known as resident audit software; requires the auditor’s own program code to be embedded into the client’s application software. The embedded code is designed to perform audit functions and can be switched on at selected times or activated each time the application program is used. Embedded facilities can be used to:
  - Gather and store information relating to transactions at the time of processing for subsequent audit review; the selected transactions are written to audit files for subsequent examination, often called system control and review file (SCARF)
  - Spot and record (for subsequent audit attention) any items that are unusual; the transactions are marked by the audit code when selection conditions (specified by the auditor) are satisfied. This technique is also referred to as tagging.

The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often used in real time and database environments.
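
The wages interrogation described under audit software above, written out as an added example (not part of the original article or any audit package). The master-file layout, employee ids and figures are constructed for illustration, and the per-record footing check goes one step beyond the total-level check in the text so that a difference can be traced to an employee.

```python
import random

# Constructed payroll master files (weekly figures) at the start and end of
# the year; employee ids and field names are assumptions for this example.
START = {
    "E001": {"gross": 820.0, "deductions": 190.0, "net": 630.0},
    "E002": {"gross": 1150.0, "deductions": 310.0, "net": 840.0},
    "E003": {"gross": 640.0, "deductions": 120.0, "net": 520.0},
}
END = {
    "E001": {"gross": 850.0, "deductions": 200.0, "net": 650.0},
    "E002": {"gross": 1150.0, "deductions": 310.0, "net": 840.0},
    "E004": {"gross": 700.0, "deductions": 150.0, "net": 575.0},
    "E005": {"gross": 1300.0, "deductions": 380.0, "net": 920.0},
}

def select_sample(master, size, seed):
    """Random sample of employees to trace to contracts of employment."""
    rng = random.Random(seed)  # fixed seed so the selection can be re-performed
    return sorted(rng.sample(sorted(master), size))

def exception_report(master, weekly_limit=1000.0):
    """Employees earning more than the limit per week."""
    return sorted(e for e, r in master.items() if r["gross"] > weekly_limit)

def compare_files(start, end):
    """Starters and leavers, to trace to HR starters' and leavers' forms."""
    starters = sorted(set(end) - set(start))
    leavers = sorted(set(start) - set(end))
    return starters, leavers

def net_pay_difference(master):
    """Total gross minus total deductions minus total net; 0.0 if they agree."""
    total = sum(r["gross"] - r["deductions"] - r["net"] for r in master.values())
    return round(total, 2)

def footing_errors(master):
    """Employees whose own gross minus deductions does not equal net pay."""
    return sorted(e for e, r in master.items()
                  if round(r["gross"] - r["deductions"] - r["net"], 2) != 0)

if __name__ == "__main__":
    print("sample:", select_sample(END, 2, seed=2009))
    print("over limit:", exception_report(END))
    print("starters, leavers:", compare_files(START, END))
    print("net pay difference:", net_pay_difference(END), footing_errors(END))
```

Each function returns a list of items for follow-up rather than a conclusion; the audit evidence comes from tracing those items to HR records.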
Impact of computer-based systems on the audit approach

The fact that systems are computer-based does not alter the key stages of the audit process; this explains why references to the audit of computer-based systems have been subsumed into ISAs 300, 315 and 330.

(i) Planning

The Appendix to ISA 300 (Redrafted) states ‘the effect of information technology on the audit procedures, including the availability of data and the expected use of computer-assisted audit techniques’ as one of the characteristics of the audit that needs to be considered in developing the overall audit strategy.

(ii) Risk assessment

‘The auditor shall obtain an understanding of the internal control relevant to the audit.’ (ISA 315 (Redrafted))

The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the controls, whether they are manual or automated.

Auditors often use internal control evaluation (ICE) questions to identify strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers both manual and automated controls.

For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or performed manually, would also be relevant to this question.

(iii) Testing

‘The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.’ (ISA 330 (Redrafted))

This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use a mix of manual and computer-assisted audit tests.

‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing

Many students will have no experience of the use of CAATs, as auditors of clients using small computer systems will often audit ‘round the machine’. This means that the auditor reconciles input to output and hopes that the processing of transactions was error-free. The reason for the popularity of this approach used to be the lack of audit software that was suitable for use on smaller computers. However, this is no longer true, and audit software is available that enables the auditor to interrogate copies of client files that have been downloaded on to a PC or laptop. However, cost considerations still appear to be a stumbling block.

In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer-based application controls are operating satisfactorily.

Conclusion

The key objectives of an audit do not change in a computer environment. The auditor still needs to obtain an understanding of the system in order to assess control risk and plan audit work to minimise detection risk. The level of audit testing will depend on the assessment of key controls. If these are programmed controls, the auditor will need to ‘audit through the computer’ and use CAATs to ensure controls are operating effectively.

In small computer-based systems, ‘auditing round the computer’ may suffice if sufficient audit evidence can be obtained by testing input and output.

Peter Byrne is assessor for CAT Paper 8
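
An added example (not part of the original article) of the ‘through the machine’ approach: auditor’s test data with predicted results, run against a stand-in for the client’s edit checks and batch control total from the input controls section. The modulus-11 check digit scheme, the field names and all account references are assumptions constructed for illustration.

```python
from decimal import Decimal as D

SUPPLIERS = {"12343", "20036"}  # constructed supplier master file

def check_digit_ok(ref):
    """Weighted modulus-11 test over the whole reference (scheme assumed here)."""
    if not (ref.isascii() and ref.isdigit()):
        return False
    return sum(int(d) * w for d, w in zip(ref, range(len(ref), 0, -1))) % 11 == 0

def edit_checks(item):
    """Stand-in for the client's programmed input controls on one invoice."""
    errors = []
    if not (item["number"].isascii() and item["number"].isdigit()):
        errors.append("character")
    if not check_digit_ok(item["supplier"]):
        errors.append("check digit")
    elif item["supplier"] not in SUPPLIERS:
        errors.append("existence")
    if D(item["net"]) + D(item["tax"]) != D(item["gross"]):
        errors.append("addition")
    return errors

def process_batch(invoices, control_total):
    """Return {invoice number or 'BATCH': failed checks}; empty means accepted."""
    rejects = {}
    for item in invoices:
        errors = edit_checks(item)
        if errors:
            rejects[item["number"]] = errors
    if sum(D(item["gross"]) for item in invoices) != D(control_total):
        rejects["BATCH"] = ["batch control total"]
    return rejects

def invoice(number, supplier, net, tax, gross):
    return {"number": number, "supplier": supplier,
            "net": net, "tax": tax, "gross": gross}

# Auditor's test data (constructed): one clean item plus one item per error
# condition, each paired with the result the auditor predicts.
TEST_DATA = [
    (invoice("1001", "12343", "100.00", "20.00", "120.00"), []),
    (invoice("1002", "21343", "100.00", "20.00", "120.00"), ["check digit"]),  # transposed
    (invoice("1003", "30023", "100.00", "20.00", "120.00"), ["existence"]),
    (invoice("10O4", "20036", "100.00", "20.00", "120.00"), ["character"]),  # letter O
    (invoice("1005", "20036", "50.00", "10.00", "65.00"), ["addition"]),
]

def run_test_data(control_total):
    """Dead-run the test data; list items whose actual result differs from predicted."""
    actual = process_batch([item for item, _ in TEST_DATA], control_total)
    diffs = [item["number"] for item, want in TEST_DATA
             if actual.get(item["number"], []) != want]
    return actual, diffs
```

An empty list of differences means every control behaved as the auditor predicted; any invoice number in that list is a control that accepted bad data or rejected good data.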