RET) ea Te PXetet\ Think Ahead Menu = Auditing in a computer-based environment Home / Students / Study resources / Audit and Assurance (AA) ers | Auditing in a computer-bs vironment Relevant to Foundation level Paper FAU and ACCA Qualification Papers F8 and P7 Specific aspects of auditing in a computer-based environment Information technology (IT) is integral to modern accounting and management information systems. Iis, therefore, imperative that auditors should be fully aware of the impact of IT on the audit ofa client's financial statements, both in the context of how itis used by a client to gather, procass and report financial information in its financial statements, and how the auditor can use IT in the process of auditing the financial statements ‘The purpose of this article is to provide guidance on following aspects of auditing in a computer-based accounting environment *+ Application controls, comprising input, processing, output and master file controls established by an audit client, over its computer-based accounting system and+ Computer-assisted audit techniques (CAATS) that may be employed by auditors tote client's computer-based accounting system, ;nd conclude on the integrity of @ Exam questions on each of the aspects identified above are often answered to an inadequate standard by a significant number of students - hence the reason for this article. Dealing with application controls and CAATS in tum: APPLICATION CONTROLS ‘Application controls are those controls (manual and computerised) that relate tothe transaction and standing data pertaining to @ ‘computer-based accounting system. They are specific to a given application and thelr objectives are to ensure the completeness ‘and accuracy of the accounting records and tho valty of aries mado in those records. An etfective computor-based system will ensure that there are adequate controls existing atthe point of input, processing and output stages ofthe computer processing cycle and over standing data contained in master les. Application controls need to be ascertained, recorded and ‘evaluated by tho aueitor as part ofthe process of determining the risk of material misstatement inthe auait lion's financial statements, Input controls Control activities designed to ensure that input is authorised, complete, accurate and timely re referred to as input controls. Dependent on the complexity ofthe application program in question, such controls will vry in terms of quantity and sophistication. Factors to be considered in determining these varlables include cost considerations, and confidentiaty requirements wih regard tothe data input. Input controls common to most effective application programs include on-sereen prompt facilties (for example, a request for an authorised user to login) and a facility to produce an audit trail allowing a user to trace a transaction from its origin to disposition in the system. Specific input validation checks may include: Format checks ‘These ensure that information is input inthe correct form. For example, the requirement that the date ofa sales in voice be input in numeric format only ~ not numeric and alphanumeric. Range checks ‘These ensure that information input is reasonable inline with expectations. For example, where an entity rarely, if ever, makes bulk-buy purchases with @ value in excess of $50,000, a purchase invoice with an input value in excess of $50,000 is rejected for review and follow-up. Compatibility checks ‘These ensure that data input from two or more felds is compatible, For example, a sales invoice value should be compatible with the amount of sales tax charged on the invoice Velicity checks ‘These ensure that the data input is vad, For example, where an entity operates a job costing system — costs input to a previously completed job should be rejected as invalidException checks ‘These ensure that an exception report is produced highlighting unusual situations that have arisen following the input of a specific item. For example, the carry forward of a negative value for inventory held Sequence checks ‘These facilitate completeness of processing by ensuring that documents processed out of sequence are reject ed. For example, where pre-numbered goods received notes are issued to ac knowledge the receipt of goods into physical inventory, any input of notes out of sequence should be rejected. Control totals ‘These also facilitate completeness of processing by ensure that pre-input, manually prepared control totals are compared to control totals input. For example, non-matching toals ofa “bateh’of purchase invoices should result in an on-screen user prompt, ‘or the production ofan exception report for follow-up. The use of contrl totals inthis way are also commonly rferred to as ‘output controls (see below). Check digit verification This process uses algorithms to ensure that data input is accurate. For example, internally generated valid supplier numerical reference codes, should be formatted in such a way that any purchase invoices input with an incorrect code will be automatically rejected. Processing controls, Processing controls exist to ensure that all data inputs processed correclly and that data fles are appropriately updated ‘accurately ina timely manner. The processing controls for a specified application program should be designed and then tested prior to ive" running with real data, These may typically include the use of run-to-un controls, which ensure the integrity of ‘cumulative totals contained inthe accounting records is maintained from one data processing run to the next. For example, the balance carted forward on the bank account in @ company’s general (nominal ledger. Other processing controls should include the subsequent processing of data rejected at the point of input, for example: + Acomputer produced print-out of rejected items. + Formal writen instructions notifying data processing personnel of the procedures to follow with rogard to rejected items. + Appropriate investigation/follow up with regard to rejected items, * Evidence that rejected errors have been corrected and re-input. ‘Output controls Output controls exist to en sure that all data is processed and that output is distibuted only to prescribed authorised users. While the degree of output controls wil vary from one organisation to another (dependent on the confidentiality ofthe information and ‘ize of the organisation), common controls comprise: + Use of batch contral totals, as described above (see ‘input controls), *+ Appropriate review and follow up of exception report information to ensure that there are no permanently outstanding exception items. + Careful scheduling ofthe processing of data to help facitate the distribution of information to end users on a timely basis,+ Formal writen instructions notifying data processing personnel of prescribed distribution procedures. + Ongoing monitoring by a responsible offcal, of the distribution of output, to ensure itis distributed in accordance with authorised policy. Master file controls, The purpose of master fle controls is to ensure the ongoing integrity of the standing data contained in the master files. Itis vitally important that stringent ‘security controls should be exercised over all master fles. ‘These include: + appropriate use of passwords, to restrict access to master fle data + the establishment of adequate procedures over the amendment of data, comprising appropriate segregation of duties, and authority to amend being restricted to appropriate responsible individuals + regular checking of master fle data to authorised data, by an independent responsible official + processing controls over the updating of master files, including the use of record counts and control total. ‘COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs) ‘The nature of computer-based accounting systems is such that auditors may use the audit client company's computer, or their ‘own, a8 an audit tool, to assist them in their audit procedures. The extent to which an auditor may choose between using CATS ‘and manual techniques on a specific auait engagement depends on the following factors: + the practicality of carrying out manual testing + the cost efflectivaness of using CATS + the availability of auit ime + the availabilty of the ausit lion's computer facility + the level of aueit experience and expertise in using a specified CAAT + the level of CATS carried out by the audit client's internal audit function and the extent to which the extern al auditor can rely on this work. ‘There are three classifications of CATS — namely + Aut sofware + Test date + Other techniques Dealing with each of the above in turn: Audit software ‘Audit software is a generic term used to describe computer programs designed to carry out tests of control andior substantive procedures. Such programs may be classified as:Packaged programs ‘These consist of pre-prepared generalised programs used by auditors and are not ‘client specific. They may be used to carry out numerous aueit tasks, for example, to select a sample, either statistically orjudgementally, during arithmetic calculations and ‘checking for gaps in the processing of sequences. Purpose written programs ‘These programs are usually ‘client specific’ and may be used to carry out tests of control or substantive procedures, Audit ‘software may be bought or developed, but in any event the audit fim’s audit plan should ensure that provision is made to ensure that specified programs are appropriate for a client's system and the neads of the audit. Typically they may be used to re-perform ‘computerised control procedures (for example, cost of sales calculations) or perhaps to carry out an aged analysis of trade receivable (debtor) balances. Enquiry programs ‘These programs are integral tothe client's accounting system; however they may be adapted for aut purposes. For example, \where a system provides forthe routine reporting on a ‘monthly’ basis of employee starters and leavers, this faclity may be utilsed by the aueltor when ausiting salaries and wages inthe client's fnancial statements. Similarly, a facility to repor trade payable (creditor) long outstanding balances could be used by an auditor when verifying the reported value of creditors, Test data Audit test data ‘Ault test data is used to test the existence and effectiveness of controls built into an application program used by an audit client, ‘As such, dummy transactions are processed through the clients computerised system. The results of processing are then ‘compared to the auditor's expected results to determine whether controls are operating efficiently and systems’ objectiveness are being achieved. For example, two dummy bank payment transactions (one inside and one outside authorised parameters) may be processed with the expectation that only the transaction processed within the parameters is ‘accepted’ by the system. Clearly, if dummy transactions processed do not produce the expected results in output, the ausitor will ned to consider the need for increased substantive procedures in the area being reviewed. Integrated test faciltios ‘To avoid the risk of corrupting a client's account system, by processing test data with the client's other lve’ data, auditors may instigate special test data only’ processing runs for audit test data. The major disadvantage of this is thatthe auditor does not have total assurance that the test data is being processed in a similar fashion to the client's lve data. To address this issue, the auditor may therefore seek permission from the client to establish an integrated test facility within the accounting system. This Centals the establishment of a dummy unit, for example, a dummy supplier account against which the auditor's test data is, processed during normal processing runs, Other techniques This section contains useful background information to enhance your overall understanding. Other CAATS include: Embedded audit facilities (EAFS) This technique requires the auditor's own program code to be embedded (incorporated) into the client's application software,‘such that verification procedures can be caried out as required on data being processed, For example, tests of control may include the reperformance of specific input validation checks (see input controls above) ~ selected transactions may be "agged’ ‘and followed through the systom to ascertain whether stated controls and processes have been applied to those transactions by the computer system. The EAFs should ensure that the results of testing are recorded in @ special secure file for subsequent review by the auditor, who should be able to conclude on the integrity of the processing controls generally, rom the results of testing. A further EAF, of ton overlooked by students, is that ofan analytical review program enabling concurrent performance of analytical review procedures on client data as its being processed through the automated system. Application program examination \Whon determining the extent to which thoy may rely on application controls, auditors noed to consider the extant to which specified controls have been implemented correctly. For example, where system amendments have occurred during an ‘accounting period, the auditor would need assurance as to the existence of necessary controls both before and after the ‘amendment. The auditor may sek to obtain such assurance by using a software program to compare the controls in place prior to, and subsequent to, the amendment date. Summary ‘The key objectives of an audit do not change irespectve of whether the auelt engagement is carried out in a manual or a ‘computer-based environment. The aucit approach, planning considerations and techniques used to obtain sufficient appropriate aul evidence do of course change. Students are encouraged to read further to augment their knowledge of auditing in a ‘computer-based environment and to practise thoi ably to answer exam questions onthe topic by attempting questions set in previous ACCA exam papers, Written by a member of the audit exam team S Related Links + Student Accountant hub page AdvertisementInvest in Your Team's Future ptee\ Think Ahead Our sites myACCA ACCA Learning AGCA Careers AGCA Career Navigator ACCA Learning Community Useful links Make a payment ACCA-X online coursesMost popular Professional insights ACCA Qualification Member events and CPD ‘Supporting Ukraine Past exam papers ACCA Mail Hye fi =| Contact us =] Send us a message Planned system updates 01) View our maintenance windows Accessibility Legalpolicies Data protection & cookies Advertising Sitemap Contact us