Topic 10 - The Impact of IT On Audit Process


THE IMPACT OF IT ON

AUDIT PROCESS TOPIC 10


LEARNING OBJECTIVES
❑Understanding the CIS environment
❑To understand the effect of computerization in general and on internal control
❑To differentiate between general & application controls used in CIS processing
❑To understand the audit process in CIS environment
❑To understand the techniques of auditing using a CAAT
COMPUTER INFORMATION
SYSTEM (CIS)
Students need to ensure they have a complete understanding of the controls in a
computer-based environment, how these impact on the auditor’s assessment of risk,
and the subsequent audit procedures. These procedures will often involve the use of
computer-assisted audit techniques (CAATs – audit software).
Relevant auditing standards
References will be made throughout this article to the most recent guidance in
standards:
ISA 300 Planning an Audit of Financial Statements

ISA 315 Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and Its Environment

ISA 330 The Auditor’s Responses to Assessed Risks


CIS ENVIRONMENT
CIS environment:
• A CIS environment exists when a computer of any type or size is
involved in the processing by the entity of financial information
of significance to the audit, whether that computer is operated by
the entity or by a third party.
Example CIS environment:
• Accounting data now includes electronic equivalents of the general
ledger, subsidiary ledger, electronic funds transfers (for
payments or monies received), invoices, contracts and other
relevant information, which is available only in electronic
form.
CIS ENVIRONMENT
A CIS environment may affect:
• 1. The procedures followed by the auditor in obtaining a sufficient
understanding of the accounting and internal control system.
• 2. The auditor’s evaluation of inherent risk and control risk, through
which the auditor assesses the audit risk.
• 3. The auditor’s design and performance of tests of control and
substantive procedures appropriate to meet the audit objective.
CHARACTERISTICS OF CIS
ENVIRONMENT
1.Lack of transaction trails – loss of visible audit trail

2.Uniform processing

3.Lack of segregation of duties

4.Potential for errors and irregularities

5.Initiation or execution of transactions – advanced IT systems can often initiate transactions
automatically, e.g. calculating interest on savings accounts & ordering inventory.

6.Dependence of other controls (such as general control & application control) over computer processing

7.Potential for increased management supervision (to ensure security)

8.Potential for the use of Computer-Assisted Audit Techniques (CAAT)


THE EFFECT OF CIS
Potential Benefits
1. Consistent application of complex calculations in processing large volumes of
transaction data.
2. Enhancement of the timeliness, availability and accuracy of information
3. Facilitation of additional analysis of information, such as an aging schedule, e.g. assets
schedule or a/c receivables
4. Enhancement of the ability to monitor the performance of the company
5. Reduction in the risks that control will be circumvented
6. Enhancement of the ability to achieve effective segregation of duties.
THE EFFECT OF CIS
Potential Risk
• Reliance on systems or programmes that inaccurately process
data
• Unauthorized access to data that may result in destruction of data
• Unauthorized changes to data in master file
• Unauthorized changes to systems or programmes
• Potential loss of data
• Inappropriate manual intervention
• Failure to make necessary changes to systems
• Costly to acquire the equipment and software
INTERNAL CONTROL
COMPONENTS AFFECTED BY
CIS
Control Environment Factors:
1.Assignment of authority and responsibility
•Clear lines of authority & responsibility are important so that the entity’s objectives are
met
2.Human Resources Policies & Practices
▪Competent, trustworthy employees are a key ingredient in any internal control system.
▪It is important to have personnel who possess the skills and expertise needed to oversee
and operate the information system.
▪Even when companies purchase simple accounting software packages, it is important to have
personnel with the knowledge & experience to install, maintain and use the system.
INTERNAL CONTROL
COMPONENTS AFFECTED BY
CIS
Control Procedures:
• 1.Information Processing
• There are two areas in which control procedures can be affected by the use
of IT, namely the authorization of transactions and the keeping of
adequate documents and records.
• In an IT environment, many of the authorization procedures for
transactions may be part of the application program. The auditor
may not be able to observe the authorization policies.
• Hence, a well-designed information system should include a
record of the transactions taking place, in machine-readable
form, stored on disk or other electronic devices.
INTERNAL CONTROL
COMPONENTS AFFECTED BY
CIS
Control Procedures:
• 2.Segregation of Duties
• In an IT environment, the program within the system may assume the
responsibilities of all the functions, which include initiation,
authorization and recording.
• Thus, it is important to have adequate controls within the IT
• 3.Physical Controls
• In an IT application, most assets and records may be concentrated in the
database system.
• It is important in any system to have physical controls over these assets
and records, hence the need for proper back-up controls for computer
programs and data files.
TYPES OF CONTROL IN CIS
ENVIRONMENT
2 types of controls
• General Control
• General controls are defined as those policies and procedures that
relate to all or many applications and support the effective
functioning of application controls.
• General controls maintain the integrity of information and the
security of data (controls on the hardware part of the computer, e.g.
security of data, the computer room must be locked, or a separate
room is needed for the computer).
• Application Control
• Controls that are specific to a certain application, e.g. the
accounting system.
TYPES OF CONTROL IN CIS
ENVIRONMENT
GENERAL CONTROL
General controls relate to the overall control of the information processing
environment and are sometimes referred to as supervisory, management or
information technology controls.
General controls include:
1.Data Centre and Network Operations
2.System software acquisition, change and maintenance controls
3.Access Security Control (card access to the computer room)
4.Application system acquisition, development and maintenance controls
GENERAL CONTROL
Data centre and network operations:
No unauthorized access to the programmes, files and system documentation.
The responsible operator is to be rotated and the files should be properly
maintained and backed up.

System software acquisition, change and maintenance controls:
System software is the computer system that controls the computer's functions
and allows the application programme to run.
Example: Windows allows Microsoft Office to run. Windows is system software and
Microsoft Office is an application system.
The entity should have strong controls that ensure proper approval for the
purchase of new systems and for changes to and maintenance of existing software.
GENERAL CONTROL
Access Security Control:
These include physical protection of computer equipment, software and data, and
protection against loss of assets and information through theft and unauthorized use.
For example, a special room or separate building for the computer and equipment,
with access to the room or building limited to authorized personnel only.
Also includes recovery procedures for lost data.

Application system acquisition, development and maintenance controls:
An application system is, for example, the accounting system.
Controls over these are critical for ensuring the reliability of information
processing.
It might be better to involve internal and external auditors at an early stage
of designing the system, to ensure proper controls are incorporated into the system.

The auditor needs to review the design of the general controls.
APPLICATION CONTROL
Application controls are defined as manual or automated procedures that
operate at the business process level and therefore apply to the processing
of individual applications. Application controls are designed to ensure the
integrity of the accounting records.

They ensure that transactions occurred, are authorized, and are completely and
accurately recorded and processed. Application controls will be discussed
under the following categories:-
• 1.Data capture controls – to ensure that all transactions are recorded in the application
system, transactions are recorded only once, and rejected transactions are identified,
controlled, corrected and re-entered into the system.
• 2.Data validation controls – to ensure the accuracy assertion; done at various stages
depending on the entity’s IT capabilities.
APPLICATION CONTROL
3.Processing controls – to ensure proper processing of transactions. They are part of data
processing, and the general controls play an important role in providing assurance
about the quality of data processing.

4.Output controls – output includes cheques, documents & other printed documents.
The main concern here is that computer output may be
distributed or displayed to unauthorized users.
A report distribution log should contain a schedule of when reports are prepared, the
names of the individuals who are to receive the report and the distribution date.

5.Error control – to ensure that most transaction errors are identified by data
capture and data validation controls.
Errors can be identified at any point in the system. Once identified, errors must be
corrected and resubmitted to the application system at the correct point in the
processing.
COMMON DATA VALIDATION
CONTROL
Data validation is the process of ensuring that source data is accurate and of high
quality before using, importing or processing it.
1.Limit Test: Ensures a numerical value does not exceed some predetermined value
2.Range Test: Ensures the value in a field is within an allowable range of values. E.g.
latitude should be between -90 and 90. Any value outside this range is considered invalid.
3.Sequence Check: Determines whether input data are in proper numerical or
alphabetical sequence
4.Existence (validity) Test: Test of an ID number or code
5.Field Test: Ensures a field contains either all numerical or all alphabetic characters
6.Sign Test: Ensures that the data in a field have the proper arithmetic sign
7.Check-digit verification: a numerical value computed to provide assurance
that the original value was not altered
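The seven validation controls listed above, applied to a batch of sales transactions. This is an added example, not part of the original slides; the field names, the thresholds, the sample batch and the choice of the Luhn scheme for the check digit are all assumptions made for illustration.

```python
import re
# Constructed master data and thresholds (assumptions for this example).
VALID_CUSTOMERS = {"C1001", "C1002", "C1003"}
MAX_AMOUNT = 50_000.00          # limit test ceiling
DISCOUNT_RANGE = (0.0, 50.0)    # range test bounds, in percent

def luhn_ok(number):
    """Check-digit verification using the Luhn scheme (chosen for this example)."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(txn, last_invoice_no):
    """Return the names of the validation controls the transaction fails."""
    errors = []
    if not re.fullmatch(r"[0-9]+", txn["account_no"]):
        errors.append("field test")
    elif not luhn_ok(txn["account_no"]):
        errors.append("check digit")
    if txn["customer_id"] not in VALID_CUSTOMERS:
        errors.append("existence test")
    if txn["amount"] <= 0:
        errors.append("sign test")
    if txn["amount"] > MAX_AMOUNT:
        errors.append("limit test")
    if not DISCOUNT_RANGE[0] <= txn["discount_pct"] <= DISCOUNT_RANGE[1]:
        errors.append("range test")
    if txn["invoice_no"] != last_invoice_no + 1:
        errors.append("sequence check")
    return errors

def run_batch(batch, start_after):
    """Validate a batch and return an error listing keyed by invoice number."""
    rejected, last = {}, start_after
    for txn in batch:
        errs = validate(txn, last)
        if errs:
            rejected[txn["invoice_no"]] = errs
        last = txn["invoice_no"]
    return rejected

# Constructed sample batch: one clean record and three with seeded errors.
BATCH = [
    {"invoice_no": 501, "customer_id": "C1001", "account_no": "79927398713", "amount": 1200.0, "discount_pct": 5.0},
    {"invoice_no": 502, "customer_id": "C9999", "account_no": "79927398714", "amount": 300.0, "discount_pct": 0.0},
    {"invoice_no": 504, "customer_id": "C1002", "account_no": "79927398713", "amount": 75000.0, "discount_pct": 60.0},
    {"invoice_no": 505, "customer_id": "C1003", "account_no": "7992A398713", "amount": -40.0, "discount_pct": 10.0},
]

if __name__ == "__main__":
    print(run_batch(BATCH, start_after=500))
```

The error listing returned by `run_batch` is what the error control described earlier works from: each rejected item is corrected and resubmitted rather than silently dropped.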
AUDIT PROCESS IN IT
ENVIRONMENT
Why do auditors need to understand the IC of a client’s
CIS environment?

Obtaining an understanding of the entity’s internal control is important
for the purpose of:
• 1.Identifying the types of potential misstatement
• 2.Considering factors that affect the risk of material
misstatement
• 3.Designing tests of controls & substantive procedures
AUDIT PROCESS AND IT
ENVIRONMENT
CIS may affect the audit process in the following areas:

• Skill and Competence
• Planning
• Risk assessment, i.e. assessment of inherent risk and control risk
• Audit procedures

Procedures for obtaining an understanding of accounting and internal
control, i.e. audit around the computer vs through the computer.

Performing tests of control and substantive tests, i.e. audit through the
computer.
AUDITING IN CIS
ENVIRONMENT
Audit procedures
• The auditor’s specific objectives do not change whether the accounting
data is processed manually or by computer. However, the method of
applying audit procedures to gather evidence may differ. The auditor
may perform audit procedures manually, use CAAT, or use a combination
of both.
• Auditing around the computer - the auditor does not examine the
computer processing but performs procedures to obtain an
understanding of accounting and internal control:-
• 1.Emphasis on ensuring the completeness, accuracy and validity of
information by comparing the output reports with the input
documents
• 2.To ensure the effectiveness of input controls and output controls
• 3.To ensure the adequacy of segregation of duties
AUDITING IN CIS
ENVIRONMENT
Audit procedures
• Auditing through the computer
• The auditor performs tests of control and substantive tests.
• For example: “test data” enables the auditor to examine the
computer processing and internal control of the client’s CIS.
• The auditor may use CAAT (audit software) in these
procedures.
• CAAT – helps the auditor to organize, analyse and extract
computerized data and to re-perform computations and
other processing.
THE USE OF COMPUTER AS
AN AUDIT TOOL
Auditors take laptops to the client’s premises for use as an audit tool to
perform various audit tasks, such as:-
• 1.Spreadsheets
• Trial balance and lead schedule
• Time and cost budgeting
• Analytical procedures
• 2.Word processor
• Audit documentation, e.g. audit confirmation
• Audit programme preparation
• Documentation of internal control – preparation of flowcharts
• Communication and Reports
• 3.Statistical Packages
• 1.Select samples for testing
• 2.Analyse results, by means of extrapolation to the population as a whole
• 4.CAAT
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
❑ISA 401 “Auditing in a CIS Environment” discusses some of the
uses of CAATs in the following conditions:-
✔ The absence of input documents or lack of a visible audit trail
✔ The effectiveness and efficiency of auditing procedures may be improved
through the use of CAAT.
❑Normally used by big auditing firms for their big
clients.
❑Common types of CAAT are Audit Software and Test Data.
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
Audit Software: computer programs used for audit purposes to
examine the contents of the client’s files.
Audit software is used during substantive testing to determine the
reliability of accounting controls and the integrity of computerized
accounting records. Typical testing includes:-
❑ Calculation checks: check additions, select high-value and negative-value items
❑ Detecting violation of system rules – e.g. the program checks all accounts on the sales ledger to
ensure that no customer has a balance above the credit limit
❑ Detecting unreasonable items – e.g. check that no customers are allowed a trade discount of
more than 50%
❑ Conducting new calculations and analyses – e.g. obtain an analysis of static and slow-moving
stocks
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
Types of typical testing, continued:
❖Selecting items for audit testing – e.g. obtain the sample to which confirmations are sent.
❖Completeness checks – e.g. checking the continuity of sales invoices to ensure they
are all accounted for.
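The typical audit-software tests listed above (calculation check, credit-limit rule, unreasonable discount, invoice continuity), run over a small ledger extract. This is an added example, not from the original slides or any audit package; the ledger layout, customer limits, the high-value threshold and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed extract of a client's sales ledger and customer master file
# (all names and values are assumptions made for this example).
CREDIT_LIMITS = {"C1001": 10_000, "C1002": 5_000, "C1003": 20_000}
INVOICES = [
    # (invoice_no, customer_id, amount, trade_discount_pct)
    (1001, "C1001", 4_000.00, 10),
    (1002, "C1002", 3_500.00, 0),
    (1003, "C1002", 2_500.00, 55),
    (1005, "C1003", -750.00, 5),
    (1006, "C1001", 18_000.00, 20),
]
HIGH_VALUE = 15_000   # auditor-chosen threshold for "high value" items
MAX_DISCOUNT = 50     # reasonableness rule from the slide: no discount above 50%

def over_credit_limit(invoices, limits):
    """System-rule violation: customers whose total balance exceeds their limit."""
    balance = defaultdict(float)
    for _, cust, amount, _ in invoices:
        balance[cust] += amount
    return {c: b for c, b in balance.items() if b > limits[c]}

def unreasonable_discounts(invoices):
    """Unreasonable items: invoices carrying a discount above MAX_DISCOUNT."""
    return [no for no, _, _, disc in invoices if disc > MAX_DISCOUNT]

def missing_invoice_numbers(invoices):
    """Completeness check: gaps in the invoice number sequence."""
    seen = {no for no, *_ in invoices}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def high_value_or_negative(invoices):
    """Calculation check: select high-value and negative-value items."""
    return [no for no, _, amount, _ in invoices if amount >= HIGH_VALUE or amount < 0]

def exceptions_report(invoices=INVOICES, limits=CREDIT_LIMITS):
    return {
        "over_credit_limit": over_credit_limit(invoices, limits),
        "discount_over_50": unreasonable_discounts(invoices),
        "missing_invoices": missing_invoice_numbers(invoices),
        "high_or_negative": high_value_or_negative(invoices),
        "ledger_total": round(sum(a for _, _, a, _ in invoices), 2),  # re-cast the ledger
    }

if __name__ == "__main__":
    for test, result in exceptions_report().items():
        print(f"{test}: {result}")
```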
Factors for the auditor to consider in deciding whether to use CAAT:-
❑ If no visible evidence is available and the only way is CAAT
❑ The cost associated with CAAT (exp)
❑ The extent of the ability of CAAT to perform tests on various financial statement items.
❑ Time. Reports need to be produced by the auditors within a comparatively short time period. In
such cases it may be more efficient to use CAAT. (Timeliness)
❑ The condition of the hardware (computer) and its ability to support CAAT.
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
CAAT may be used by the auditor to execute substantive
procedures or in testing application controls. There are various
types of CAATs:
• 1.Generalised audit software (GAS)
• 2.Custom audit software (CAS)
• 3.Test data
• Parallel simulation
• Integrated test facility
• Concurrent auditing technique.
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
Audit Software: Two types of Audit Software (the most common
CAATs).
• 1. Package Programs or Generalized Audit Software (GAS)
• Package programs are generalized computer programs designed to perform data
processing functions such as reading and extracting data from the entity’s computer
files or database for further audit testing, performing calculations, selecting samples
and providing reports.
• 2. Written Programs or Custom Audit Software (CAS)
• A written program is audit software written by the auditors for specific audit
tasks; it is necessary when the entity’s CIS system is not compatible with
Generalized Audit Software.
• It is worth developing if the auditor can use it in future audits.
• However, it is expensive, takes longer to develop and needs modification
every time the entity changes its system.
• The auditor also needs an IT expert to help in developing the program.
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
3. Test Data – used for testing the application controls in the entity’s computer
program. The auditor first creates a set of simulated transaction data (test data) for
testing. The data include valid and invalid data. This technique is used to check:
a. data validation controls and error detection routines
b. processing logic controls
c. arithmetic calculations
d. the inclusion of transactions in records, files and reports.
Advantage: provides direct evidence of the effectiveness of the controls and is useful for
determining whether the controls relating to the accuracy and completeness of processing are
effective.
Disadvantage: time consuming, and the auditor may not be certain that all relevant controls are
tested.
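The test data technique described above, as an added example that is not part of the original slides: a deck of valid and invalid simulated transactions, each with the auditor's predetermined result, is run through the program under test and any difference is reported. The payroll routine `client_process` is a hypothetical stand-in for the client's program with one defect seeded on purpose; the policy limit of 60 hours and all sample values are constructed.

```python
# Stand-in for the client's payroll input routine (hypothetical; on an
# engagement the deck is run through the client's own program).
# Stated controls: the employee must exist and 0 <= hours <= 60.
EMPLOYEES = {"E01": 20.00, "E02": 35.50}   # constructed master file: id -> hourly rate

def client_process(emp_id, hours):
    """Return ("ACCEPT", gross_pay) or ("REJECT", reason)."""
    if emp_id not in EMPLOYEES:
        return ("REJECT", "unknown employee")
    if hours < 0:
        return ("REJECT", "sign")
    if hours > 80:                          # seeded defect: policy limit is 60
        return ("REJECT", "limit")
    return ("ACCEPT", round(hours * EMPLOYEES[emp_id], 2))

# Auditor's test deck: valid and invalid items, including the boundary values.
TEST_DECK = [
    # (case, emp_id, hours, expected status, expected gross pay)
    ("valid, typical",       "E01", 40, "ACCEPT", 800.00),
    ("valid, at limit",      "E02", 60, "ACCEPT", 2130.00),
    ("invalid, over limit",  "E01", 61, "REJECT", None),
    ("invalid, negative",    "E02", -8, "REJECT", None),
    ("invalid, no such emp", "E99", 40, "REJECT", None),
]

def run_test_data(process, deck):
    """List the cases where the program's actual result differs from the
    auditor's predetermined result (validation outcome or arithmetic)."""
    exceptions = []
    for case, emp_id, hours, exp_status, exp_pay in deck:
        status, detail = process(emp_id, hours)
        if status != exp_status:
            exceptions.append((case, f"expected {exp_status}, program returned {status}"))
        elif status == "ACCEPT" and detail != exp_pay:
            exceptions.append((case, f"expected pay {exp_pay}, program computed {detail}"))
    return exceptions

if __name__ == "__main__":
    for case, finding in run_test_data(client_process, TEST_DECK):
        print(f"{case}: {finding}")
```

Only the boundary case at 61 hours exposes the defect, which illustrates the disadvantage noted above: a control is tested only if the deck contains a transaction that exercises it.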
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
Types of CAATs
4.Parallel Simulation – requires the auditor to construct a
simulation program that mimics the entity’s application
program.
5.Integrated Test Facility – this technique enters test data
along with actual data in a normal application run.
6.Concurrent auditing technique.
COMPUTER-ASSISTED AUDIT
TECHNIQUES (CAAT)
Potential benefits of using CAAT:

• 1.Time may be saved
• 2.Ability to scrutinize large volumes
• 3.Eliminates manual casting and cross-casting
• 4.Fewer manual procedures
• 5.The auditor does not necessarily have to be
present at the client’s office
• 6.Review and finalizing time may be reduced
END OF TOPIC 10
