




These notes cover IT controls, including general and application controls, and internal control. They also cover computer-assisted auditing techniques (CAATs) and audit software, including general and specialized audit software, and the functions of audit software, such as selecting sample items, identifying records meeting specified criteria, testing and making calculations, comparing/analyzing data, extracting/summarizing data, and report writing. They also discuss exception reporting and its features/uses. Useful for students studying IT controls and auditing.
Typology: Exercises





General Controls
- Apply generically to any user accessing a system (password to log on to a desktop computer attached to a network).
- The manner in which computer software is introduced or modified (upgraded).
- Protect the firm’s hardware and software – Physically!
- Risk management of the data systems, e.g. hacker attack, power failures, protection of the confidentiality of key databases (intellectual property).

Application Controls
- Focus on a particular module, e.g. payroll, accounts receivable and inventory systems.
- Automatically checking the credit limit of a customer, checking the number of hours worked by employees for a pay cycle, checking that there is sufficient inventory to match a proposed sale.

Passwords are BOTH a general control and an application control. A debtor clerk should be able to process sales, but only the credit controller or accountant should approve and process credit adjustments.

Internal control
- Automated control
  - Suitable for high-volume, recurring transactions, where types of errors can be predicted.
- Manual control
  - Suitable where judgment is required
  - Transactions are large, unusual or non-recurring
  - Errors are difficult to predict
IT General Controls

Segregation of duties
- Separation between IT and user department functions. For example, the accountants don’t develop and operate IT systems.
- Separation of functions within the IT department. For example, those who have knowledge of the operation of the accounting systems and application programs should not be permitted to access data files and production programs that accompany operations.

Control over programs
To ensure that at all times it is known which programs are running on the system and exactly what they do.
- Acquisition, development and changes of programs
- Authorization
- Documentation and approval
- Testing

Computer security
- System-wide logon passwords and auto terminal shutdown
- Physical security of the IT environment, e.g. locked doors, swipe cards
- Firewall software protection, anti-hacking protection for web sites
- Antivirus software
- Regular computer security audits

Control over data
To ensure that only allowed changes can be made to the data; data is not lost; data is consistent and free from error; data cannot be stolen.
- Restrict access to data files to authorised users and programs
- Physical security measures including locks, badges and passes
- ID and passwords to obtain access to particular data files
- Backup and reconstruction controls
- Audit trails
IT Application Controls

Manual application controls
- Segregation of duties
- Authorization
- Training
- Supervision
- Documented procedures
- Review and reporting
- Physical security

Computerised Application Controls

Input controls
A major source of errors in accounting systems is poor inputs.
- Missing information
- Information entered more than once
- Incorrect data (wrong numbers, names etc.)
This provides an easy way to determine if a number is valid without access to a list of all valid numbers.

File control
Ensure that the proper versions of files are used in processing.
- internal file labels — computer-readable data that identifies content of the file
- external file labels — printed or handwritten labels attached to disk or tape

Processing controls
Detect errors in data and errors that occur in processing as a result of logic errors in application programs or systems software errors.
- checking numerical sequence of records
- comparing related fields
- run-to-run control totals. For instance, the beginning balances on the receivables ledger plus the sales invoices (processing run 1) less the cheques received (processing run 2) should equal the closing balances on the receivables ledger.

Output controls
Ensure complete and accurate output is distributed only to authorised persons.
- restricted distribution
- restricted print access (screen only)
- automatic dating of reports
- page numbering
- end-of-report messages
- review of exception reports (e.g. the wages exception report showing employees being paid more than $1,000)
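
An added example, not part of the original notes, of the run-to-run control total described under processing controls: it recomputes the closing receivables ledger from the opening balances and the two processing runs and reports which accounts differ when the totals do not agree. The per-account comparison goes beyond the single total in the notes; all account numbers and amounts are constructed.

```python
from decimal import Decimal as D

# Constructed sample figures; account numbers and amounts are assumptions.
OPENING = {"C001": D("1000.00"), "C002": D("250.00")}
INVOICES = [("C001", D("400.00")), ("C002", D("150.00"))]   # processing run 1
CHEQUES = [("C001", D("600.00"))]                           # processing run 2
CLOSING_OK = {"C001": D("800.00"), "C002": D("400.00")}
CLOSING_BAD = {"C001": D("800.00"), "C002": D("550.00")}    # invoice posted twice

def total(ledger):
    """Control total: sum of all balances on the ledger."""
    return sum(ledger.values(), D("0"))

def post(ledger, batch, sign):
    """Apply one run's batch to a copy of the ledger."""
    result = dict(ledger)
    for cust_no, amount in batch:
        result[cust_no] = result.get(cust_no, D("0")) + sign * amount
    return result

def run_to_run_check(opening, invoices, cheques, closing):
    """Check closing == opening + invoices - cheques, in total and per account."""
    expected = post(post(opening, invoices, 1), cheques, -1)
    differences = {
        cust_no: closing.get(cust_no, D("0")) - expected.get(cust_no, D("0"))
        for cust_no in sorted(set(expected) | set(closing))
        if closing.get(cust_no, D("0")) != expected.get(cust_no, D("0"))
    }
    return {
        "expected_total": total(expected),
        "actual_total": total(closing),
        "in_balance": total(expected) == total(closing),
        "differences": differences,
    }

if __name__ == "__main__":
    print(run_to_run_check(OPENING, INVOICES, CHEQUES, CLOSING_OK))
    print(run_to_run_check(OPENING, INVOICES, CHEQUES, CLOSING_BAD))
```

A total that agrees does not rule out two errors that offset each other, which is why the example also compares account by account.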
Testing of IT Controls

Manual controls
- Observation
- Inquiry
- Inspection
- Re-performance

Programmed Application Controls
A problem arises because data is stored on magnetic media and because of the nature of programmed controls (e.g. self-checking digit, range check, validity check, field check), which require specific techniques, generally termed auditing through the computer, that utilise CAATs.
- test data
  - entering test transactions (test data) that should be accepted (no errors) and seeing that they are processed correctly
  - entering test transactions that should be rejected (the transaction has known errors in it) and noting if the transaction is rejected for the right reasons
- integrated test facility (ITF)
  - allows testing to occur without the client personnel knowing (i.e. continuous check/processing of ‘test data’)
  - add a fake entity, such as a ‘dummy company’ or ‘dummy customer’ record, to the client’s system
  - process transactions against it to check that they are processed correctly
- parallel simulation
  - reprocess the client’s actual data and compare the results to the original results
- program code review
  - read the software code and see how the controls are actually implemented

Note that this process may require the auditor to use an “Expert” ASA.

Computerised controls are more reliable than manual controls when evaluating the potential for control errors due to human intervention.
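
An added example, not part of the original notes, of the test data technique: a deck of test transactions, each with the outcome it should produce, is run through a programmed input control and every result that differs is reported. The timesheet control, the employee IDs and the 80-hour limit are assumptions standing in for a client's payroll program.

```python
import re

# Constructed master file and limit; both are assumptions of this example.
EMPLOYEES = {"E100", "E101"}
MAX_HOURS = 80

def input_control(txn, lower_bound=True):
    """Stand-in for the client's programmed input controls on a timesheet.
    lower_bound=False models a program whose range check has no lower limit."""
    hours = txn.get("hours", "")
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)?", hours):
        return "REJECT:field_check"        # hours must be numeric
    if txn.get("emp_id") not in EMPLOYEES:
        return "REJECT:validity_check"     # employee must be on the master file
    value = float(hours)
    if value > MAX_HOURS or (lower_bound and value <= 0):
        return "REJECT:range_check"        # hours must fall within the pay cycle
    return "ACCEPT"

# Auditor's test data: each transaction with the outcome it should produce.
TEST_DECK = [
    ({"emp_id": "E100", "hours": "38"}, "ACCEPT"),
    ({"emp_id": "E100", "hours": "4O"}, "REJECT:field_check"),   # letter O
    ({"emp_id": "E999", "hours": "38"}, "REJECT:validity_check"),
    ({"emp_id": "E101", "hours": "95"}, "REJECT:range_check"),
    ({"emp_id": "E101", "hours": "0"},  "REJECT:range_check"),
]

def run_test_data(control, deck=TEST_DECK):
    """Return (transaction, expected, actual) for every result that differs."""
    findings = []
    for txn, expected in deck:
        actual = control(txn)
        if actual != expected:
            findings.append((txn, expected, actual))
    return findings

def weak_control(txn):
    """Variant with the range-check defect, used to show a finding."""
    return input_control(txn, lower_bound=False)

if __name__ == "__main__":
    print("sound program:", run_test_data(input_control))
    print("weak program: ", run_test_data(weak_control))
```

Comparing the rejection reason, not just accept or reject, is what checks that a transaction is rejected for the right reasons.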
Substantive Testing Using CAATs

CAATs (Computer Assisted Auditing Techniques)
- Similar problem as with tests of controls, i.e. data is stored in non-readable format, which may result in loss of audit trail (the ability to trace transactions).
- Solution: audit with the assistance of the computer systems.
- Can be efficient to apply audit procedures to records in their computer-readable form.
- May be more efficient for the auditor to use a computer program (e.g. GAS/SAS) to automate application of auditing procedures.
- Auditor’s computer program (e.g. GAS/SAS) may be used with master files or transaction files.
- Using an auditor’s computer program (e.g. GAS/SAS) to test a client’s master files is more common.

Major benefits:
- Direct auditor’s attention to areas of risk or materiality
- Undertake routine audit tasks efficiently

Audit software
Generalised audit software (data-oriented), most commonly used. Ability to:
- select sample items
- identify records meeting specified criteria (exception reporting)
- test and make calculations (arithmetic and/or analytics)
- compare/analyse data in separate fields or on separate files
- extract/sort/summarise data
- report writing

Please Remember – The software is only a tool to make the process more efficient for the Auditor, the Auditor MUST still do the work!!

Functions of Audit Software

Using GAS
- Valuable in selecting a sample of transactions
- Print out the sample in a logical order useful for audit purposes
- The Auditor MUST THEN perform the detailed substantive tests

Exception reports
One way to conduct substantive tests is to identify the unusual transactions or balances and investigate them. Finding them can be a very costly and time-consuming process. This process can be automated by the use of computer-generated exception reports. An exception report is a report where the items are selected based on one or more criteria. For example:
- Select all debtors who have not paid for more than 90 days,
- Select all sales that are over $1,000,
- Select all orders that do not have a customer number that appears in the Customers table.

Features/Uses of GAS:
- Sampling: e.g. selection of sample for debtor confirmations (existence)
- Exception Reporting: e.g. all debtor balances > 60 days due (valuation and allocation) or where Customer Account Balance > Credit Limit on Customer Profile.
- Calculations: e.g. recalculate ageing or total balance (valuation and allocation)
- Compare Files/Data: e.g. last year with this year to identify missing debtor accounts (completeness)
- Summarise Data: e.g. by different level of trading (i.e. large v small number of transactions)
- Report Writing: e.g. print out confirmation letters (existence)

Key points
- The Auditor must still be focused on the evidence required to validate the “key assertion”.
- The GAS report must produce the information in a form that “Works” for the auditor.
- Only the parts of the database that are required for a particular audit test.
- The GAS merely prints the information; the Auditor must then complete the substantive test of detail.
- Must be a practical report that allows the evidence to be collected and evaluated.
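
An added example, not part of the original notes, of the exception report criteria listed above, run as queries over a small in-memory SQLite database. The table and column names and all rows are constructed, and a single invoices table stands in for the debtors, sales and orders files.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions of this example.
SCHEMA = """
CREATE TABLE customers(cust_no TEXT PRIMARY KEY, credit_limit REAL);
CREATE TABLE invoices(inv_no TEXT, cust_no TEXT, inv_date TEXT,
                      amount REAL, paid INTEGER);
INSERT INTO customers VALUES ('C001', 5000), ('C002', 1500);
INSERT INTO invoices VALUES
  ('I-100', 'C001', '2024-01-10',  800.00, 0),
  ('I-101', 'C001', '2024-05-20', 1200.00, 0),
  ('I-102', 'C002', '2024-02-01', 1700.00, 0),
  ('I-103', 'C002', '2024-06-01',  300.00, 1),
  ('I-104', 'C999', '2024-06-10',  450.00, 0);
"""

# One query per selection criterion; each returns the keys of the exceptions.
CRITERIA = {
    "unpaid_over_90_days": """
        SELECT inv_no FROM invoices
        WHERE paid = 0 AND julianday(:as_of) - julianday(inv_date) > 90""",
    "sale_over_1000": """
        SELECT inv_no FROM invoices WHERE amount > 1000""",
    "customer_not_in_master": """
        SELECT i.inv_no FROM invoices i
        LEFT JOIN customers c ON c.cust_no = i.cust_no
        WHERE c.cust_no IS NULL""",
    "balance_over_credit_limit": """
        SELECT c.cust_no FROM customers c
        JOIN invoices i ON i.cust_no = c.cust_no AND i.paid = 0
        GROUP BY c.cust_no, c.credit_limit
        HAVING SUM(i.amount) > c.credit_limit""",
}

def exception_report(as_of="2024-06-30"):
    """Run every criterion and return {criterion: [exception keys]}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    report = {}
    for name, sql in CRITERIA.items():
        params = {"as_of": as_of} if ":as_of" in sql else {}
        report[name] = [r[0] for r in db.execute(sql + " ORDER BY 1", params)]
    db.close()
    return report

if __name__ == "__main__":
    for name, keys in exception_report().items():
        print(f"{name}: {keys}")
```

The report only lists the items; each one still has to be followed up with the detailed substantive test.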
Types of tests

Risk assessment procedures
- To assess the risk of material misstatement in the financial statements

Tests of controls
- To test the effectiveness of controls in support of a reduced assessed control risk
- Evidence:
  - Make inquiries of appropriate client personnel
  - Inspect documents, records and reports
  - Observe control-related activities
  - Re-perform client procedures

Substantive tests of transactions
- To test for dollar (monetary) misstatements to determine whether the six transaction-related audit objectives have been satisfied for each class of transactions.

Analytical procedures
- Use of comparisons and relationships to assess whether account balances or other data appear reasonable
- Purposes:
  - indicate the presence of possible misstatements in the financial statements
  - provide substantive evidence

Tests of details of balances
- Testing for monetary misstatements to determine whether the eight balance-related audit objectives have been satisfied for each significant account balance.
- Emphasis on balance sheet