Module 4 Application Controls

Application Controls-

- consist of manual and automatic procedures that relate to specific accounting systems such as payroll,
accounts, receivable and cash disbursements.

- the purpose is to ensure an acceptable level of internal control in each accounting system. - these are
located in each of the data processing functions of input, processing and output.

A. Controls methodology - a description of the role that controls play in accounting systems. - auditors
must make a series of evaluation and determination before the usefulness of controls can be defined.

- Steps to determine the usefulness of controls:

1. Determine the likelihood of exposures resulting from errors and irregularities.

a. Unreliable data

b. Improper processing

c. Loss or destruction of assets and records

d. Failure to accomplish organizational objectives

e. Operational inefficiency

2. Set broad management control objectives translated into system objectives.

Management Objective 1. To provide reliable data

System Objectives a. Completeness b. Accuracy c. Uniqueness d. Reasonableness e. Errors are detected,

corrected, and resubmitted.

Management Objective 2. To encourage adherence to prescribed accounting policies

System Objectives a. Timeliness b. Valuation c. Classification

Management Objective 3. To safeguard assets and records

System Objectives a. Transaction authorization b. Distribution of output c. Validity d. Security of data

and records

3. Evaluate the role that controls play in an accounting system.

B. Audit trail - consists of the input, processing and output documentation and file data that permit the
tracing of transaction processing.

C. Data entry controls

Risk controllable during data entry: a. Unreliable data i. Omission ii. More than once iii. Inaccurate data

Risk controllable during data entry: b. Non-adherence to accounting policies i. Wrong accounting period
ii. Improper valuation or classification c. Loss of assets and records i. Unauthorized/invalid transactions
C. Data entry controls: prevention and detection

Prevention Controls a. Computer assisted procedures > screen formats and computer dialogue Detection
Controls a. Data entry validation tests b. Record confirmation check c. Data approval test

D. Processing controls

Risk controllable during processing: a. Unreliable data i. Incorrect calculations ii. Incorrect processing
logic iii. Use of wrong file / record

Risk controllable during processing: b. Adherence to accounting policies i. Wrong version of the program
c. Loss of assets and records i. System generated transactions and financial entries may not be in
accordance with agreed policy.

D. Processing Controls: prevention and detection

Prevention Controls a. General controls Detection Controls a. Arithmetic accuracy test i. Double
arithmetic, e.g., reverse multiplication ii. Overflow check b. Dual field input c. Run-to-run totals

Correction Control a. Errors corrected and processed with current job b. Errors removed and corrected
subsequently c. Errors discovered subsequent to processing - Corrected through adjusting entry

E. Output controls

Risk controllable during data processing output: a. Unreliable data i. Output received by the user may be
inaccurate or incomplete ii. Non-adherence to accounting policies iii. Improper classification and
valuation

Risk controllable during data processing output: b. Loss of assets and records i. Distribution or display to
unauthorized individuals

Prevention Controls i. Distribution checklist and schedule Detection Controls i. Review of the checklist
and schedule Correction Controls i. Should be corrected at source

Module 5 Auditing Computer Processing

Auditing Computer Processing

1. Auditing Computer Programs

2. Auditing Computer Files

3. Auditing Computer Processing Systems performed through: - non processing of data - processing of
actual data - processing of simulated data

a. Integration of parts of the computer processing systems

b. Integration of types of tests i. Separate tests on each program or file ii. Single tests combining the test
of programs and files iii. Multiple tests combines mixture of compliance and substantive tests

Non-processing of data (auditing around the computer)

Conditions necessary for using approach The auditor must be able to:

1. locate copies of the source documents

2. read the source documents and accounting reports without the aid of a computer

3. trace transactions from the source documents to the accounting reports and from the accounting
reports back to the source

Module 6 Computer Assisted Audit Techniques (CAAT)

Computer Assisted Audit Techniques

- using standard financial accounting software, modified as necessary for a particular system.

- generally, much of the same information is requested and analyzed as in a traditional audit.

- once verified using computer techniques, data is retained so it can be used in other areas of the audit
including error identification and segregation of transactions within accounts.

- customized reports are generated by computer and a standard audit trail is maintained.

Advantages of Using CAATs

- saves time with no loss of quality or accuracy.

- data analysis is focused and allows for any future adjustment to be made with minimal effort.

- preliminary data can be analyzed early in the audit process and a more efficient audit plan can be
devised earlier.

Specific Areas in which CAAT Is Useful

Computer Assisted Sampling -permits the use of random statistical sampling, which tends to be more
accurate and saves time in those instances in which it is appropriate.

File Management - files are combined, compared, managed, segregated and ordered automatically using
generally accepted computerized file management.

Report Generation - once data integrity is verified, the auditor can produce various reliable reports from
the overall data population.
Commonly Used Compliance Testing Techniques

- test data

used to verify: - input validation routines; - error detection capabilities; - processing logic and
calculations; - the accuracy of reports;

- integrated test facilities (ITF)

- provides an in-built testing facility through the creation of a dummy department or company
within the normal accounting system.

- parallel simulation

- an independent program is generated to simulate part of an application.

- program code comparison

- Utility programs are used to compare two versions of a program, and report difference
between the two. - to ensure that only authorized changes have been made.

- program code review

- involves a detailed examination of program coding.

- it generally involves a fair degree of programming skill, and a thorough knowledge of program
specification

Commonly Used Substantive Testing Techniques

- data file interrogation

Using audit software to review information held in computer files, by performing the following:

1. selecting records that conform to particular criteria;

2. printing selected records for detailed examination;

3. printing totals and subtotals from an accounting file;

4. reporting on file contents by value bands;

5. searching for duplicate transactions;

6. searching for gaps in sequences;

7. comparing the contents of two or more files, and printing either record matches or exceptions;

8. sorting and merging files.

- embedded audit modules

- An audit application that is permanently resident within the main processing system.

- It examines each transaction as it enters the system based on selection criteria before further
processing.

Module 7 Characteristics of Specific CIS

Types of CIS

1. Stand Alone 2. On-Line 3. Database system

Stand Alone CIS

- One that is not connected to or does not communicate with another computer system.

- Computing is done by an individual at a time.

- All input data and its processing takes place on the machine.

- A desktop or laptop computer that is used on its own without requiring a connection to a local area
network (LAN) or wide area network (WAN).

- Although it may be connected to a network, it is still a stand-alone PC as long as the network

connection is not mandatory for its general use.

On-Line CIS

- computers or devices are connected to a network for purposes of real-time processing of transactions
and immediately update the corresponding files.

- enable users to access data and programs directly through terminal devices.

On-Line CIS: Classes of terminals

- general purpose terminals such as basic keyboard/screen, intelligent terminals that can perform a
certain amount of data validation, and microcomputers. - special purpose terminals such as POS devices,
automated teller machines, and voice response systems such as those used in telebanking.

Types of Online Systems

- real-time or on-line data entry and processing

- online data entry / batch processing

Database System

- access to data is usually provided by a "database management system" (DBMS) consisting of an

integrated set of computer software that:

- allows users to interact with one or more databases and, - provides access to all of the data contained
in the database
Database Management System

- a "software system that enables users to define, create, maintain and control access to the database".

Database Management System

Functions

- Data storage, retrieval and update

- User accessible catalog or data dictionary describing the metadata

- Support for transactions and concurrency

- Facilities for recovering the database should it become damaged

- Support for authorization of access and update of data

- Access support from remote locations

- Enforcing constraints to ensure data in the database abides by certain rules