Module 5 Part 2 Computer Controls

MODULE 5

Topics to discuss
◦ Chapter 9 of Dynamic Auditing
◦ Pages 3 – 20: self study

• Computers change the way the processing of information is done
• Computers are used in one or all of the following areas:
◦ Operational
◦ Accounting
◦ Management information
• The auditor needs knowledge of:
◦ Use of computers
◦ Hardware/software aspects
◦ Assessing/evaluating general and information processing controls
◦ Understanding IT components: hardware, software (systems/application), data organisation
IT environment exists when:
• a computer is involved in the processing of information
• the computer can be operated by the entity or a third party

Effect on the audit
• Objectives stay the same
• Application of the ISAs does not change
• The need for a system of internal control does not change
• BUT it does influence the nature, timing and extent of procedures:
◦ Prior to accepting the engagement
◦ Procedures to gain an understanding of the accounting and internal control systems
◦ Evaluation of the inherent and control risks
◦ Effect of IT on audit procedures, including the availability of data and the expected use of ATTs
◦ Design and performance of TOC and SP
MANUAL
• Focus on organisational controls:
= Managerial involvement
= Review
= Segregation of duties
= Stationery and document control

COMPUTERISED
• User changes from preparer to user of output
• Enhances controls BUT leads to additional risks concerning the processing of information
RISKS IN AN INFORMATION TECHNOLOGY ENVIRONMENT

RISKS RELATING TO THE INTEGRITY OF FINANCIAL INFORMATION
= Important to both management and the auditor

SPECIFIC ISSUES: Access, Input, Transfer of data, Staff issues, Processing, Output, Continuity issues
GENERAL ISSUES: Will impact the nature, timing and scope of audit procedures

• What is a network, a local area network and a wide area network?
• Each computer in a network consists of hardware and software. There are two types of software; discuss.
• What is the difference between a master file and a transaction file?
• Provide examples of the benefits of using a computerised system.
• Provide examples of the risks in a computerised system.
• Various input and processing environments exist. Provide examples.
RISKS IN AN INFORMATION TECHNOLOGY ENVIRONMENT

ADDITIONAL RISKS RELATING PRINCIPALLY TO MANAGEMENT’S REQUIREMENTS
• Computer fraud
• Access
• Quality of management information
• Operating issues
CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT
Risks and controls in an IT system will depend on the characteristics of the IT system

CONTROL RISKS IN AN IT ENVIRONMENT (examples)
= Programs processing data inaccurately
= Inaccurate data
= Failure to make necessary changes to systems
= Unauthorised access to data
= Inappropriate manual intervention
= A breakdown in segregation of duties

THE AUDITOR NEEDS TO ESTABLISH THE EXISTENCE OF EFFECTIVE IT CONTROLS DESIGNED TO ENSURE THE INTEGRITY OF INFORMATION AND THE SECURITY OF DATA

Controls can consist of:
= Automated controls
= Manual controls independent of IT
= Manual controls dependent on information produced by IT
= Manual controls limited to monitoring the effective functioning of automated IT controls and exceptions

CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT
What are the benefits of IT controls?
What is the relevance of manual controls in an IT environment?
CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT
OVERALL FRAMEWORK

General controls
• System development & implementation controls
• Systems maintenance controls
• Organisational and management controls
• Access controls
• Computer operating controls
• System software controls
• Business continuity

Information processing controls
Transaction data: Input, Processing, Master file (standing data), Output
Objective: *validity *completeness *accuracy
• User controls
• Programmed controls

Access controls apply to both general controls (data and programs) and information processing controls (validity of input, processing and output)

• Umbrella controls under which each application will operate
• Apply to mainframe, microframe and end-user environments
• Objective of GC
◦ Encompass/surround the framework of overall controls over IT activities, providing a reasonable level of assurance that the overall objectives of internal control are achieved.
• IMPORTANCE OF GC
◦ Have a profound influence over the environment within which information processing controls operate.
GENERAL COMPUTER CONTROLS

Applications covered: Sales / Debtors, Purchases / Creditors, Inventory
◦ Prerequisite for reliance on information processing controls = existence of satisfactory general controls.

• System development & implementation controls
To ensure self-developed/purchased systems are properly developed, authorised and meet users’ needs.

• Systems maintenance
To ensure changes to systems are authorised, meet users’ needs and are made effectively.

• Organisational and management controls
Organisational framework such as SOD, reviews and virus protection.

• Access controls
Prevent unauthorised changes to programs, data, terminals & files.

• Computer operating controls
Ensuring procedures are applied correctly & consistently during processing.

• System software controls
To ensure installation, development and maintenance of software packages are authorised and effective.

• Business continuity
Prevent/limit system interruption.
• System development: self developed (in house) or purchased

Self developed system

OBJECTIVE
To implement controls designed to ensure that a new system is authorised and designed in an effective manner to meet the users’ needs, and that the system is properly developed and implemented.

• PROJECT AUTHORISATION
◦ Develop a systems development plan
◦ Steering committee: conduct a feasibility study and define selection criteria
◦ Results from requests from users/management requirements
◦ Perform a feasibility study after considering:
 Development of an in-house system
 Purchase of a system
 Recommendations in respect of the project
 Cost/benefit analysis
◦ Authorisation of projects
◦ Develop system specifications
◦ Final approval before commencement by the steering committee

• PROJECT MANAGEMENT
◦ Establish a team (management, users and computer staff)
◦ Develop the system
◦ Responsibilities assigned to staff
◦ Deadlines and time schedules
◦ Formal plan of action and development

• USER NEEDS
◦ Determine the needs of users
◦ Consultation with internal and external auditors
◦ Written approval from management of user departments

• PURCHASE OF HARDWARE AND SOFTWARE
◦ Carefully select hardware to purchase
◦ Decide if software will be purchased or developed
◦ Consider financing

• STANDARDS IN RESPECT OF SYSTEM DEVELOPMENT AND PROGRAMMING
◦ Predefined industry standards
◦ Monitoring of compliance

• SYSTEM SPECIFICATIONS AND PROGRAMMING
◦ Predetermined standards in respect of system specifications and programming
◦ Done on a program library; programmers must not have access to live data

• TESTING THE SYSTEM
◦ Every program and system should be comprehensively tested before installation/change
◦ Levels of testing: program coding, entire system, management approval

• APPROVAL
◦ Final approval for implementation by management, users and IT after testing and correction of errors

• TRAINING
◦ Training of staff and user manuals

• SYSTEM DOCUMENTATION
◦ Maintain comprehensive system documentation for all systems analyses, programming and system descriptions

• BACK-UPS
◦ All programs backed up and stored in a program library at separate premises.

• CONVERSION
◦ Plan and control the conversion

• POST-IMPLEMENTATION REVIEW
◦ Consider if successful and address any difficulties

• LONG-TERM PLANS
◦ Devised for future system changes
PACKAGES
• The user has little control over the specifications, development and testing of a package
• The emphasis is thus on determining whether the package meets the users’ requirements
• Controls over implementation and testing

Steps to take:
• Perform a feasibility study to determine:
◦ Users’ needs, specifications and requirements of available packages, costs, assistance and support of the supplier, adaptability and expansion ability of the packages, standing and reputation of the supplier
◦ Conclusions are supported by:
 Enquiry from other users of the packages
 Testing the package itself

• AUTHORISATION OF THE PURCHASE OF THE PACKAGE
◦ After the feasibility study has been studied and the recommendations considered
◦ Approval by management, users and computer staff

• IMPLEMENTATION
◦ Plan, implement/convert the system

What are the advantages and disadvantages of package programs?

• SYSTEM CONVERSION
◦ Plan
◦ Prepare
◦ Data control during conversion
◦ Testing
◦ Update system documentation
◦ Back up of new system and files
◦ Post-implementation review

• SYSTEM AND PROGRAM DOCUMENTATION
◦ Fully maintained and updated
◦ Documentation should comprise (at least):
 Approval documentation
 Application system documentation
 Program documentation
 File documentation
 Operations documentation
 User documentation
 Documentation concerning testing
 Approval at various phases
◦ The purpose of the documentation is to:
 Record the investigation, development, design and approval of systems
 Provide a basis for communication between systems analysts and programmers
 Serve as a processing manual for users
 Serve as a source reference for systems analysts and programmers who were not involved with the system at inception
 Assist with review of and changes to the system
 Assist in staff training
 Serve as a basis for evaluation of controls
OBJECTIVE:
Systems maintenance describes changes to a system after implementation, with the purpose of correcting errors or meeting the changing needs of users. Controls must be implemented to ensure that changes are authorised and are made in an effective manner.

What controls should be in place over system maintenance?

OBJECTIVE:
To implement controls designed to establish an organisational framework over IT activities and to ensure that basic principles such as division of duties, review and virus protection are met.

What controls should be in place over system maintenance?

What are the risks if a proper organisational structure is not in place?
ACCESS CONTROLS
= Represent procedures designed to restrict access to on-line terminals, devices, programs and data.

Consisting of:

USER AUTHENTICATION
= Identification of a user through unique logon identifications, passwords, access cards etc.

USER AUTHORISATION
= Access rules to determine the computer resources each user may access

PROGRAM SECURITY
= Controls designed to prevent unauthorised changes to programs that process data

DATA FILE SECURITY
= Controls designed to prevent unauthorised changes to data

ACCESS TO TERMINALS AND FILES
= Controls to limit access to terminals and files to authorised users

ACCESS THROUGH OTHER ELECTRONIC DEVICES
= Programmed (logical) controls applied by the computer

PROGRAMMED/LOGICAL CONTROLS
= Implemented by computer software

PHYSICAL CONTROLS
= Implemented by users

Areas and measures covered by access controls (logical and physical):
• Terminals and other electronic devices
• Identification of users
• Authorisation of users
• Use of access control software
• Monitoring access and processing
• Authorisation of use
• Communication lines and networks
• Password controls
• Restrict access
• Data to be encrypted
• Separate systems for vulnerable and sensitive applications
• Program libraries
• Utilities
• User programming
• Terminals
• Computer hardware
• Use of manual logs (registers) for control over processing
• Distributed processing
• Logs and activity registers
• Screening and training of staff
• Controls in case of emergency
OBJECTIVE
To implement controls designed to control the proper operation of the system and to ensure that programmed procedures are applied correctly and consistently during the processing of data. These controls incorporate functions performed by the operating system as well as by users.

What controls should be in place over computer operating controls?

OBJECTIVE
To implement controls over programs which do not process data (e.g. the operating system, access control program, utilities) to ensure that they are installed or developed and maintained in an authorised and effective manner, and that access to system software is limited.

What controls should be in place over system software controls?

OBJECTIVE
To implement controls designed to ensure the continuity of processing, by preventing system interruption or limiting it to a minimum.

What controls should be in place over business continuity controls?
CHAPTER 9 DYNAMIC AUDITING

General controls
• System development & implementation controls
• Systems maintenance
• Organisational and management controls
• Access controls
• Computer operating controls
• System software controls
• Business continuity

Information processing controls
Transaction data: Input, Processing, Master file (standing data), Output
Objectives: *validity *completeness *accuracy
• User controls (manual controls)
• Programmed controls
= Controls over input, processing, output & master file maintenance of information to ensure it is valid, accurate & complete
(Relates to the control procedures (manual or automated) to initiate, record, process and report transactions)
◦ Consist of user & programmed controls
◦ Specific controls in each application to prevent, detect and correct user errors as transactions flow through the system
◦ Although applications differ, the control principles for all applications are the same
MASTER FILE CHANGES: when data of a semi-permanent nature on the system is changed

INPUT: Capturing or initiation of transactions on a specific application, eg Pastel or Peoplesoft
PROCESSING: Processing of transactions to ensure that individual components are recorded correctly into the various files and databases
OUTPUT: Final form in which data is used
Control Objectives
• Validity, completeness & accuracy of transactions (input, processing & output)
• Validity, completeness & accuracy of standing data (master files)

Explain the following concepts:
• Application program
• Information processing control
• User controls
• Programmed controls
• Transaction files
• Master files
• Control objectives
OBJECTIVE
To implement controls designed to ensure that data entered to update the master files is VALID, COMPLETE AND ACCURATE

POSSIBLE ERRORS:
• Unauthorised data/transactions entered onto the system
• Errors in the creation of data on the source document, or during the capturing of data onto the computer application
• Errors in capture/input of data
• Data could be lost during input
• Data could be added to or altered
• Errors in the correction and re-entering of rejected data
• Corruption of data during capture or transfer
INPUT CONTROLS: OVERVIEW (computerised/programmed controls)

Validity
• Access controls
• Authorisation of tx
• Authorisation of changes to data
• Tx generated by computer
• Validation checks

Accuracy
• Matching
• Edit/validation checks
• Batch input and processing
• Use user-friendly screens to minimise input errors

Completeness
• Sequential numbering
• Matching by the computer
• Field presence checks ensure that all critical input fields are present
COMPLETENESS

COMPUTERISED / PROGRAMMED CONTROLS
• Sequential numbering
• Matching by the computer
• Field presence checks ensure that all critical input fields are present

USER (MANUAL) CONTROLS
• Stationery control
• Examination of processing logs for missing input entries
ACCURACY

COMPUTERISED / PROGRAMMED CONTROLS
• Matching
• Edit/validation checks
• Batch input and processing
• Use user-friendly screens to minimise errors

USER (MANUAL) CONTROLS
• Review by user/senior staff
• Batch input and processing
• Use well-designed documents to minimise errors
• Staff training

• EDIT/VALIDATION CHECKS
• Formatting checks – Numerical/Alpha-numerical
• Sign check – Positive/Negative
• Screen check – Checking of accuracy of data on screen by users
• Screen prompts – Are you sure?/ Invalid entry
• Validity/existence – Codes/field sizes (eg check stock codes included in orders placed by customers against the database for validity)
• Limit and reasonableness check – Comparison with predetermined values (eg max 50 hours worked per week)
• Check digits – Accuracy of codes
• Control totals – For example batch processing and comparison
• Dependency check – Test interdependency of input in respect of other fields
• Field presence – All critical input fields are present
• Field size check – Overflow of fields
• Specific character – for example spaces in the right place
ACCURACY: Batch and hash totals

What is the batch total?

Assume hours worked was selected; what will be the hash total?
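The edit/validation checks listed above and the batch and hash totals on this slide, as an added Python example that is not part of the original lecture material: the weighted check-digit scheme, the 40-hour overtime dependency, the stock-code master file and the timesheet records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the stock-code master file (assumption, sample data).
VALID_STOCK_CODES = {"S1001", "S1002", "S2005"}
MAX_WEEKLY_HOURS = 50  # limit/reasonableness threshold named on the slide


@dataclass
class Timesheet:
    employee_no: str  # 6 digits; the last digit is a check digit (constructed scheme)
    hours: str        # captured as text, exactly as typed on the screen
    overtime: str     # dependency: may only be claimed when hours > 40 (assumption)
    stock_code: str   # must exist on the stock-code master file


def check_digit_ok(code: str) -> bool:
    """Constructed weighted modulus-10 scheme (an assumption, not a standard):
    weights 2..6 over the first five digits; the sixth digit must bring the
    weighted sum to a multiple of 10."""
    if len(code) != 6 or not code.isdigit():
        return False
    weighted = sum(int(d) * w for d, w in zip(code[:5], (2, 3, 4, 5, 6)))
    return (weighted + int(code[5])) % 10 == 0


def validate(ts: Timesheet) -> list[str]:
    """Programmed edit/validation checks; returns the rejection reasons."""
    errors = []
    # Field presence check: all critical input fields must be captured.
    for name in ("employee_no", "hours", "stock_code"):
        if not getattr(ts, name).strip():
            errors.append(f"{name}: missing")
    # Field size check (overflow), then check digit on the employee number.
    if len(ts.employee_no) > 6:
        errors.append("employee_no: field overflow")
    elif ts.employee_no and not check_digit_ok(ts.employee_no):
        errors.append("employee_no: check digit fails")
    # Format check: hours must be numeric.
    try:
        hours = float(ts.hours)
    except ValueError:
        errors.append("hours: not numeric")
        hours = None
    if hours is not None:
        # Sign check, then limit/reasonableness check (max 50 hours a week).
        if hours < 0:
            errors.append("hours: negative")
        elif hours > MAX_WEEKLY_HOURS:
            errors.append(f"hours: exceeds {MAX_WEEKLY_HOURS}")
        # Dependency check: overtime depends on the hours field exceeding 40.
        if ts.overtime.strip() and hours <= 40:
            errors.append("overtime: claimed but hours <= 40")
    # Validity/existence check of the stock code against the master file.
    if ts.stock_code and ts.stock_code not in VALID_STOCK_CODES:
        errors.append("stock_code: not on master file")
    return errors


def batch_totals(batch: list[Timesheet]) -> dict:
    """Batch total = record count plus the sum of a meaningful field (hours);
    hash total = sum of a field with no arithmetic meaning (employee numbers),
    kept only to detect records lost, added or altered before processing."""
    return {
        "record_count": len(batch),
        "hours_total": sum(float(t.hours) for t in batch),
        "hash_total": sum(int(t.employee_no) for t in batch),
    }


# Constructed sample batch: two clean records, three with input errors.
SAMPLE_BATCH = [
    Timesheet("123450", "38", "", "S1001"),
    Timesheet("123464", "45", "5", "S1002"),
    Timesheet("123456", "55", "", "S9999"),
    Timesheet("", "-3", "", "S1001"),
    Timesheet("1234501", "abc", "2", "S2005"),
]
```

Run `validate` over each record and `batch_totals` over the accepted ones; the hash total of the two clean records (246914) has no business meaning but changes the moment a record is dropped or an employee number is altered.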
VALIDITY

COMPUTERISED / PROGRAMMED CONTROLS
• Access controls
• Authorisation of tx
• Authorisation of changes to data
• Tx generated by computer
• Validation checks

USER CONTROLS
• Segregation of duties, staff training and staff recruitment policies
• Authorisation of tx by users
• Review of authorisation procedures
• Authorisation of changes to data
COMPLETENESS, ACCURACY AND VALIDITY

COMPUTERISED / PROGRAMMED CONTROLS
• Control totals and reconciliations during input and after processing
• Batch processing

USER CONTROLS
• Control totals and reconciliations
• Batch processing
• Reviewing of output reports by users
• Regular back-ups
• Adequate error correction procedures
OBJECTIVE
To implement controls designed to ensure that only valid data (valid and authorised) is processed, and that data is processed completely and accurately by the computer.

Possible errors:
• Data could be lost during processing
• Invalid data could be added during processing
• Data could be altered during processing
• Calculative or accounting errors could occur
• Existing data being duplicated
• Incorrect version of the program or data file being used
COMPLETENESS

COMPUTERISED / PROGRAMMED CONTROLS
• Reconciliation of control totals
• Sequential testing by the computer
• Reconciliations of accounts/balances
• Logs of processing
• Edit tests by computer program
• Control over transmission of data

USER (MANUAL) CONTROLS
• Reconciliation of control totals
• Sequential testing by the computer
• Reconciliations of accounts/balances
• Logs of processing
• Breakpoint re-runs
• Processing errors should be reported
• Adequate back-up procedures
ACCURACY

COMPUTERISED / PROGRAMMED CONTROLS
• Controls over computer hardware
• Edit checks
• Exception reports
• Reconciliation and balancing

USER (MANUAL) CONTROLS
• See completeness: exception reports, batching and reconciliation
• Operator’s manual and user instructions
• Supervision and review by competent staff

VALIDITY

COMPUTERISED / PROGRAMMED CONTROLS
• Access controls
• Librarian function
• Internal/external labels
• Record comparison and matching
• Monitors and prints abnormal activities for review by users
• Audit trails

USER (MANUAL) CONTROLS
• Authorisation of overrides
• Authorise manual intervention
• Use of logs
OBJECTIVE
To implement controls designed to protect the integrity of master file information, to ensure that only valid changes (valid and authorised) to master files are processed, and that changes are processed completely and accurately by the computer.

Possible errors:
• Unauthorised amendments
• Not all authorised amendments being updated on master files
• Errors in capturing amendments, which result in all financial information that is dependent on the master file being processed incorrectly
• Errors contained in the master file data going undetected
COMPLETENESS

COMPUTERISED / PROGRAMMED CONTROLS
• Sequentially numbered audit trail of master file changes is produced

USER CONTROLS
• Reconciliation of changes with the list/register of requests for changes, and follow-up of outstanding items

ACCURACY

COMPUTERISED / PROGRAMMED CONTROLS
• Edit/validation checks are performed over data capture

USER CONTROLS
• Reconciliation of master file changes with master-file amendment forms, and with third party documentation

VALIDITY

COMPUTERISED / PROGRAMMED CONTROLS
• Access controls

USER CONTROLS
• Written authorisation of changes
• Checking of changes to master files

COMPLETENESS, ACCURACY AND VALIDITY

COMPUTERISED / PROGRAMMED CONTROLS
• The master file is protected by:
◦ Encryption
◦ Library controls
◦ Record counts
◦ Reconciliation

USER (MANUAL) CONTROLS
• Regular review by management
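The master file controls above (a sequentially numbered audit trail, reconciliation of processed changes with the register of authorised amendment forms, follow-up of outstanding items, and record counts), as an added Python example that is not part of the original slides; the creditors master file, the change requests and the audit-trail entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrailEntry:
    """One line of the computer-produced, sequentially numbered audit trail."""
    seq: int
    key: str        # master record changed, e.g. creditor number
    field: str
    new_value: str
    user: str


@dataclass(frozen=True)
class ChangeRequest:
    """One line of the user-kept register of master file amendment forms."""
    request_id: str
    key: str
    field: str
    new_value: str
    authorised_by: str  # written authorisation; empty means not authorised


def sequence_check(trail):
    """Completeness: report gaps and duplicates in the audit-trail numbers."""
    seen = [e.seq for e in trail]
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - set(seen))
    duplicates = sorted({s for s in seen if seen.count(s) > 1})
    return missing, duplicates


def reconcile(trail, register):
    """Validity and accuracy: match every processed change to a written,
    authorised request. Returns (unauthorised trail seqs, outstanding request
    ids, (seq, request_id) pairs whose captured value differs from the form)."""
    # Assumption: at most one open request per (record, field) pair.
    by_key = {(r.key, r.field): r for r in register}
    unauthorised, mismatched, processed = [], [], set()
    for e in trail:
        r = by_key.get((e.key, e.field))
        if r is None or not r.authorised_by:
            unauthorised.append(e.seq)   # no form, or form never signed off
            continue
        processed.add(r.request_id)
        if r.new_value != e.new_value:
            mismatched.append((e.seq, r.request_id))  # capture error
    outstanding = [r.request_id for r in register
                   if r.authorised_by and r.request_id not in processed]
    return unauthorised, outstanding, mismatched


def record_count_ok(opening, added, deleted, closing):
    """Record count control: opening + additions - deletions must equal closing."""
    return opening + added - deleted == closing


# Constructed sample data for a creditors master file.
REGISTER = [
    ChangeRequest("CR-01", "C100", "bank_account", "62000011", "J. Smit"),
    ChangeRequest("CR-02", "C200", "credit_limit", "50000", "J. Smit"),
    ChangeRequest("CR-03", "C300", "address", "12 Main Rd", ""),
    ChangeRequest("CR-04", "C400", "bank_account", "77001234", "P. Naidoo"),
]
TRAIL = [
    TrailEntry(101, "C100", "bank_account", "62000011", "clerk1"),
    TrailEntry(102, "C200", "credit_limit", "55000", "clerk1"),
    TrailEntry(104, "C300", "address", "12 Main Rd", "clerk2"),
    TrailEntry(105, "C999", "bank_account", "10101010", "clerk2"),
]
```

On the sample data the sequence check flags audit-trail number 103 as missing, and the reconciliation separates the unauthorised changes (104, 105), the request still outstanding (CR-04) and the change captured with the wrong value (102 against CR-02).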
OBJECTIVE
To implement controls designed to ensure the completeness and accuracy of output and to control the distribution of output to authorised users
COMPLETENESS

COMPUTERISED / PROGRAMMED CONTROLS
• Sequentially numbered

USER (MANUAL) CONTROLS
• IT control to follow up on missing numbers
• Reviewing of output reports by users
• Reconciliation of input to output by IT
• Sequence check on page/document number
• Page counts
• Reviewing of reports by users for missing/duplicated items
VALIDITY (AUTHORISATION)

COMPUTERISED / PROGRAMMED CONTROLS
• Logs, listing activities and output produced, maintained by the computer system – regularly reviewed by the IT group for unauthorised output

USER (MANUAL) CONTROLS
• Distribution list of authorised users, listing to whom output is to be sent
• Distribution schedule
• Distribution controlled by the IT control group
• Distribution register in which users sign for receipt
• Review of reports by users
ACCURACY

USER CONTROLS
• Reconciliation of output to input by user departments for accuracy of processing
• Review of output by IT users for obvious errors (eg faulty printer)
• Physical checking of the accuracy of calculations by users (reports/documents)
• Review and follow up of items on exception reports by an independent control group
• Scrutiny (review) of processed information by users for accuracy
• Checking by users of the accuracy of postings from sub ledger to general ledger
CONFIDENTIALITY

USER CONTROLS
• Controls over on-line output
• Restrictions on which printers can be used for confidential reports
• Controls over stationery used for confidential reports (eg payslips)

COMPUTERISED / PROGRAMMED CONTROLS
• Controls over on-line output
NATURE
= Inspection
= Observation
= Enquiry
= Re-performance
= Combination of the above

TIMING
= Depends on the auditor’s objective
= Should cover the whole period

EXTENT
Determined by:
= Assessment of materiality
= Assessed risk
= Degree of assurance the auditor plans to obtain
Items can be selected using professional judgement or statistical methods
CONTROL / TEST OF CONTROL

Control: A separate goods receiving department exists
Test of control: Enquire and observe whether a separate department exists

Control: The goods are received by two persons who count and inspect them for quality
Test of control: Enquire of the goods receipt personnel how the control functions. Observe on a secretive basis whether the controls are complied with.

Control: On receipt of the goods, the goods received personnel prepare a GRN and sign it as proof of the fact that the goods were counted and inspected
Test of control: Observe the receipt of goods and determine whether the controls are complied with. Inspect the signatures on the GRN as proof.
All recorded purchases are valid (goods were actually received).

What control objective is achieved?

What will be a typical control to address the above?

What test of control(s) will be performed to determine if the control is operating effectively?

All valid purchases are recorded and nothing is left out.

What control objective is achieved?

What will be a typical control to address the above?

What test of control(s) will be performed to determine if the control is operating effectively?
ISA 265

Auditor’s responsibility
* Communicate significant deficiencies

DEFICIENCY
= A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the AFS on a timely basis
= A control necessary to prevent, or detect and correct, misstatements in the AFS on a timely basis is missing

SIGNIFICANT DEFICIENCY
= A deficiency or a combination of deficiencies in internal control that, in the auditor’s professional judgement, is of sufficient importance to merit the attention of those charged with governance
ISA 265

Communication of SIGNIFICANT DEFICIENCIES should be:
• In writing
• Could be preceded by some form of oral communication to assist management or those charged with governance to take remedial action
• Should take place on a timely basis
• Include a description of the deficiencies and an explanation of their potential effects
• Include sufficient information to enable those charged with governance and management to understand the context of the communication
• Should be to the CEO/CFO in the case of reporting to management