Download Assignment 1 is compulsory and due

1
COMPUTER AUDITING AND THE USE OF THE COMPUTER - summary
Computer system influences audit procedures :
 understanding of computer system and internal controls
 internal controls and control risk influences audit risk decision
 tests of controls & substantive procedures designed and performed to achieve audit objectives.
Consider intended
use & if appropriate
System CAAT’s
(computerised controls)
or Data CAAT’s
(substantive procedures)
Audit software
Simulated data captured
on client’s system for
processing and then
checked against
prepared results.
General Audit Software
/ off shelf = GAS
retrieval software cheap,
widely used but normally
specific environment &
not all clients. Have
limitations
Purpose written
software – costly and
auditor dependent on
writer
Utilities – use client’s
report writer. Not audit
tool, needs special care
System management
programs – used for
data retrieval, software
comparison. Not meant
for audit use.
100% testing not samples
(reduces audit risk), more
reliable evidence (no
human errors), increased
audit efficiency (millions
of calcs in minutes)
Computer Assisted Audit Technique’s methods
Control &
Reprocessing
Select
transactions and
then
reprocessed
under auditor
supervision (so
as to check the
programmed
controls)
.
Simulation
Processing
client data on
auditor’s
simulated
program and
then results
compared to
client’s original
Evolving techniques
AI & expert systems to
copy human
judgement in audit
process. Takes
client’s data for use in
auditor’s work papers
Data CAAT’s = audit retrieval software :
 reperforms casts and calcs
 performs investigations and analyses
 selects samples
 extracts summaries / masterfiles
 performs comparisons
Program
code analysis
Tests program
code of
controls to see
if coded
correctly –
high technical
knowledge,
must be right
version
Embedded audit routines /
concurrent CAAT’s
Audit routines built into client’s
computer system normally at
installation time. Runs at
same time so whole period
reviewed. e.g. :
 Snapshots
 Integrated test facility (ITF)
 On-line audit / SCARF
Test data
Simulated data captured
on client’s system & then
results checked against
prepared results.
Tests controls &
processing on computer
system.
Either live (must be
deleted) or on copy
(must be same version).
Used when high use of
programmed controls,
no paper doc trail &
large volumes of data
processed.
Risks – no surprise cos
must be arranged with
client, can corrupt
client’s live data,
program used in test
may not be program
used all year.
SUBSTANTIVE PROCEDURE!
FORMULATE PROCEDURES - SUBSTANTIVE PROCEDURES / TESTS OF CONTROLS :
Use WHAT, TO WHAT, HOW and WHY in every procedure.
Use the correct assertions
Say “use GAS / Audit Software to ……” and end with “follow up differences with management”
Or if doing general tests of controls then also say “discuss any exceptions with management”
Assertions for Income Statement :
 occurrence
 completeness
 accuracy
 cut-off
 classification
Assertions for Balance Sheet :
 existence
 valuation and allocation
 rights and obligations
 completeness
IS = OCACC
BS = EVRC
2
Assertions for Presentation and Disclosure :
 occurrence
 completeness
 accuracy
 classification
 rights and obligations
 valuation and allocation
occurrence – took place during period in question and belong to entity (validity)
completeness – no unrecorded / undisclosed items
accuracy – recorded appropriately
cut-off – recorded and allocated to correct period
classification – recorded at correct accounts
existence – asset or liability exists at given date
valuation – recorded at correct value
rights and obligations – belongs to entity at that time
presentation and disclosure – disclosed, classified and described as per Framework
Tests of control :
 inspect
 observe
 enquire
 re-perform
TC = IOER
Substantive procedures :
 inspect
 observe
 enquire
 re-preform
 re-calc
 confirm e.g. letter of confirmation
Programmed tests of control :
SUB = IOERRC
 control and re-processing
 programme code analysis
 simulation
 investigation
 reperformance (test data, embedded audit routines)
Substantive procedures – either :
 tests of detail – inspect
enquire
re-perform
re-calc
confirmation

CSIRP
analytical procedures – ratios & trends (to other periods, info & industry standards)
GAS substantive procedures for sales (IS) – use audit software to :
 extract sample of invoices and inspect that items from stock aren’t fictitious and that invoices are in the name of the
company
 add the sales total on each sequentially numbered invoice for the period and compare the calculated total to the
total in the sales account. Print exception report
 use masterfile document number info to extract sample of invoices after year-end and compare to supporting docs
to ensure goods were actually delivered after year-end
 re-calc total sales by multiplying selling price by quantity sold field (without vat) and then subtract trade discount and
compare to the sales amount field
3
 compare total sales in the masterfile with the balance in the GL
 print an exception report with negative values in price or quantity sold fields
 multiply the selling price per item by the quantity sold and multiply by 14% get the vat total and then compare with
amount in vat field
 perform analytical procedures like :
 total sales in current year’s masterfile to total sales in previous year’s masterfile
 total sales to budgeted sales
 vat for the year multiplied by 100/14 compared to sales in the GL
and follow up differences with management
GAS substantive procedures for inventory (BS) – use audit software to :
 recalculate value of inventory at year-end – multiply cost by inventory on hand and compare to the masterfile total
 compare inventory value in the masterfile with the value in the GL
 extract an exception report of inventory on hand at year end with a “zero YTD sales figure” to identify slow moving
or obsolete stock
 get the last GRN number for the year and then extract a list of numbers higher then that in to see if have been
processed (shouldn’t have been)
 select sample of high-value items from masterfile and trace cost price to supplier invoices to confirm correct
purchase price used
 select sample of high-value items from masterfile and trace selling price to sales invoice to confirm correct sales
price has been used
 extract sample of items that were adjusted in month before year-end and confirm authorisation for the adjustment
(check supporting docs)
 extract list of items at year-end where the selling price is below the cost price and see if this is listed as an
impairment by management
 can inventory masterfile for “errors” like :
 duplicated inventory numbers
 missing inventory numbers
 average unit cost exceeds unit selling price
 zero in quantity field by amounts showing in value field
 extract list of negative unit cost, selling price or quantity amounts (cos negative times negative is a positive)
 if imported items then must extract a sample of high value imported items and :
 trace to the invoice and reperform calcs to confirm that the correct exchange rate was used and that the import,
customs duties and shipping charges were included
 reperform the weighted average calc (if use this system)
 verify the invoice is in the name of the entity
 perform analytical inventory review by comparing current year and prior year figures and ratios for :
 total inventory
 total inventory by category
 imported / local
 inventory as a % of current assets and total assets
 if have allowance for credit losses then perform analytical procedures to give overview as to reasonableness of the
allowance by comparison to ratios of prior years and also the allowance compared to actual write-downs
 generate report to give evidence of obsolete stock by looking for items that :
 have a quantity on hand but the date of last receipt was more then 12 months ago
 have a quantity on hand but where the last date of sale is more then 6 months ago
then physically inspect the items to establish if they are obsolete / damaged
and follow up differences with management
GAS substantive procedures for existence of asset (BS) – use audit software to :







print exception report of any duplicated asset codes
select sample of asset for physical inspection and compare it to description / documents
extract list of additions in current year and compare with supporting docs and verify to physical asset
extract sample list of assets and compare to insurance docs to ensure they are covered (i.e. exist)
cast the asset category schedule or the whole asset register and agree the balance to the GL
search the disposal date field for any disposals before or after current financial year (shouldn’t be any)
extract an exception report for any “errors :
 blank / missing fields
 duplicated asset details e.g. engine numbers or licence details
existence /
 negative book values
valuation
 current depreciation that is higher then cost
 cast the net book value for all assets and agree to amount in the GL
and follow up differences with management
4
Remember if asked to verify existence then NOT value just that they exist!! Read the question to see what they want to
know about assets!!
If doing depreciation then – use audit software to :
 reperform the deprec calc for each asset in each category and then agree to the total of the current year’s
depreciation field
 perform brief analytical review of depreciation allowance e.g. compare to prior year by total and category of asset.
and follow up differences with management
GAS substantive procedures for Trade Receivables (debtors) (BS) – use audit software to :
 extract the opening balances of trade receivables for the current year and trade receivables closing balance for the
previous year and print a report of the exceptions
 compare closing balance in trade receivables ledger with the responses received from the confirmations of trade
receivables and print a report of the exceptions
 recalc the closing balance of trade receivables and compare to the closing balance in the masterfile (take opening
balance plus sales less payments received less trade discount must equal closing balance)
 extract and print total of trade receivables masterfile and trade receivables control account in the GL
 extract list of credit closing balances in the trade receivables ledger and examine the source docs to establish why
there are credit balances, or inspect the journal where it is reclassified as a liability in the financials
 scan the trade receivables masterfile for “error” conditions like :
 duplicated account numbers
 blank fields
 missing invoice numbers (using sequence test on invoice numbers)
 figures in the amount columns, but nothing in the name or details blocks
 extract sample of trade receivables at year-end and also list of payments from masterfile after year-end and
compare with the source documents to confirm is before year-end and that the trade receivables do exist at yearend
 extract a list of debtors who have a hold on their account or who have exceeded their credit limits to access if the
amounts are deemed to be recoverable
 perform analytical review of the credit losses account i.e. ;
 comparison to prior years
 comparison to aging to prior year (has there been a change to the credit policy)
 calculation of ratios e.g. allowance as a percent of sales, days outstanding debtors and comparison to prior
years)
 identify new account holders buy comparing debtors for this year-end and the last year-end and then trace the
debtors to the credit applications to substantiate their existence.
and follow up differences with management
GAS substantive procedures for Trade Payables / creditors (BS) – use audit software to :
 extract the opening balances of trade payables in the current year and compare it to the closing balance of the
previous year and print an exception report
 compare a list of creditors at the current year-end with a list of creditors at the end of the previous year end to
identify creditors where were on the previous list and aren’t on this one and creditor’s balances that are a lot smaller
then they were in the previous year
 extract and print total of the list of trade payables in the masterfile and compare to the trade payables control
account in the GL
 reperform casts f the creditor’s control account
 recalc the closing balance of trade payables and compare it to the closing balance in the masterfile (opening
balance at beginning of year, add purchases during the year, less payments made, less trade discount received and
compare to closing balance in masterfile)
 extract list of debit closing balances in trade payables ledger and examine the source docs to establish why they
exist and then inspect the journal where they are reclassified as an asset in the financials
 scan the trade payables masterfile for error conditions like :
 blank fields
 missing account numbers
 duplicate creditors names / account numbers
 amounts above a certain limit
 extract a sample of payments after year-end and compare with the source invoices to confirm that it is before yearend and that the trade payables were raised in the current year
 extract sample of purchase invoices before year-end and compare with relevant supplier delivery note to confirm
that purchases do exist and they are in the GL
 use analytical procedures on creditor’s balance and follow up on material fluctuations like :
 comparison of aging current year to prior year
5
 current year purchases and creditors to each other and prior years
 reperform the cross cast (days outstanding) on the masterfile
and follow up differences with management
GAS substantive procedures purchases (BS) – use audit software to :
 extract a sample of purchase invoices and inspect that they are made out to the entity and that the items purchases
appear on the entity’s inventory list and aren’t fictitious
 extract a sample of purchase invoices and inspect bank statements to confirm that payment for the goods was
made to the correct supplier and for the correct amounts
 find the last GRN for the year and then search for any GRN number that is higher then that that has been
processed (shouldn’t be any)
 extract and compare all the payments made to suppliers to the purchases in the GL
 use transaction date in the masterfile to extract a sample of purchase invoices before year-end and trace them to
the supporting docs to confirm that they were received in the current period
 recalc the total purchases by multiplying the purchase price by the quantity received (excluding vat) and subtract
the discount received and then compare with the value in the purchases amount field
 compare the total purchases amount in the masterfile with the balance in the GL
 print exception report indicating negative values in price or quantity purchase fields and follow up with management
 multiply the purchase price with the quantity purchased and multiply the product by 14% to give the expected vat
amount – compare this to the vat field
 for interest changed on each trade payable balance multiply the amount owed by the interest rate and compare the
interest charged field
 compare all credits in the trade payables account to each debit entry in the purchase account to confirm that all
purchases have been recorded in the proper account
 extract a sample of purchase invoices by inspecting the description of the goods purchases by comparing it to the
inventory list and trace it to the inventory account in the GL
and follow up differences with management
Audit objective “to obtain satisfaction that ….”
DBMS assists auditor in audit procedures by :
 generating test data
 providing an audit trail
 inspecting the integrity of the database
 obtaining other necessary info for the audit
 providing access to the database for use of audit software.
Controls for occurrence and authorisation (validity) of EFT’s :
 EFT should be limited to 1 terminal
 multi-level passwords (2 or more) for senior staff to authorise transfers
 bank must identify the terminal as authorised when EFT’s are processed (dial back etc)
 terminal should switch off after 3 unsuccessful attempts to do EFT
 should use 1-time passwords (e.g. if exceeds certain limit)
 security breaches must be logged and followed up by management
 controls over telephone lines where data is transmitted (dial-back)
 division of duties
 all EFT transfers should be recorded through a suspense account
 limited to certain days / times
 bank should acknowledge EFT’s and request confirmation before the money is transferred
 must have audit trail of each EFT transaction – must be reviewed by management and reconciled
 regular bank recons should be prepared.
Factors for direct connection to internet :
 relatively expensive connection, but very fast and reliable
 large number of users can gain access
 management can exercise control over access
 need specialised knowledge and skills for installation and maintenance
6
Software used by auditor includes GAS and Computerised audit Working Paper Programme
Characteristics of CWPP – must have the ability to :
 transfer TB electronically
 allocate schedule codes to accounts / generate lead schedules, journal entries and prev year’s balances
 consolidate group accounts
 record important matters for easy revision by auditor
 generate variation and ratio analyses
 adapt master programmes to needs of individual clients and also develop audit tests for key balances
 generate journals (and convert them to standard journals)
 generate financials without having to transfer data to another software package.
General characteristics for choice of CWPP :
 cost and maintenance
 system support / supplier support
 adaptability or capacity for expansion
 ease of installation
Technical characteristics of CWPP :
 automatic generation of lead schedules
 ability to have important info or notes on hand for review and revision by audit partner
 ability to transfer and adapt to each client
 ability to generate journals for discussion and then to transfer then into standard journals.
Use CAAT’s to do :




substantive testing on transactions and balances
analysing and selecting samples from large volume transactions
analytical procedures
testing programme controls
Audit software :
 Generalised Audit Software
 On-line audit
 Purpose-written software
Primary use :
substantive procedures
Secondary use : tests of controls (extraction,
selection, recalculation)
Test data :
 control and reprocessing – auditor reprocesses
transactions and checks if programmed controls working
 program code analysis – checking programming code
of programmes to see if coded correctly
 parallel simulation – using simulated programme & then
compares results to client’s system
 expert techniques – AI judgments or extracting data into
auditor’s e-working papers
 embedded routines – ITF / snapshot (built in the
system)
Factor’s that influence decision to use CAAT’s :
 complexity of client’s system
 volume of transactions / output
Primary use :
tests of controls
 data stored in electronic form
Secondary use : substantive procedures
 computer skills of audit team
(programmed controls of importance
for substantive procedures)
 attitude of client
 utilities available at client
 cost associated with obtaining the data
 compatibility of firm’s hardware and software with client’s
 potential loss of independence – CAAT’s need co-operation of client and is system orientated
Audit functions that can be performed using data-orientated CAATs :
 sorting and file re-organisation
 summarisation, stratification and frequency analysis
 extracting samples
 exception reporting
 file comparison – e.g. current masterfile to prior year’s masterfile
 analytical review – e.g. extraction of ratios
 casting and recalculation
 examining records for inconsistencies, inaccuracies and missing data (and creating a report of this)
7
Advantages of CAAT’s :
 can achieve audit efficiency by saving time
 reduction in audit costs
 improves quality of audit (as larger samples or all the data can be tested CAAT’s achieves more extensive
reperformance, precision and conclusive results)
 better knowledge of computerised info system
 can deal with large volumes
 audit staff develop improved expertise
 reduces reliance on client’s computer personnel (IT staff)
 improves client service
Factor’s to be considered when using CAAT’s :
 availability of CAAT’s and computer facilities
 computer knowledge, competence and experience
 impracticality of human / manual testing
 timing of testing
 effectiveness and efficiency
 other considerations :
 cost of software to benefits achieved
 possible need for specialised equipment / peripherals
 risk of CAAT’s corrupting client’s data and so need to back up data for audit testing purposes for on-line system
Planning with CAAT’s very important - specifically :
 knowledge of client’s business
 audit plan – audit staff training, experience, hardware needed, how does client retain data etc
 data file management – audit testing data must recon to client’s info (e.g. control totals)
Computer controls :
 general controls
 programmed controls
Investigate, reperformance either :
 manually
 using CAAT’s
 test data
 reprocessing
 simulation
 program code analysis
 audit software
General controls
Application controls
Manual controls
(can NEVER be computerised)
 organisational and management
controls
 staff practices (e.g. rotation of staff)
 input controls (completeness)
 checking of recons
Programmed controls
(can ONLY be programmed)
 access control over programs
 passwords on operating systems
 input controls (accuracy)
 field size test
Combination of manual and
programmed controls (EITHER
computerised or manual)
 system development and
implementation controls
 project authorisation
 input controls (validity)
 authorisation of input documents (either
manually signed or entering of
authorisation code)
Methods of testing controls using programmed controls :
 control and reprocessing – re-process selected transactions under the auditor’s supervision. So program
first checked by auditor and the processing is aimed at testing the functioning of the programmed controls
 program code analysis – investigation of program coding of production programs to ensure that the
necessary programmed controls are present and that the program is correctly coded. Needs high level of
technical knowledge and auditor must also ensure that program documentation relates to the production
programs in use
 simulation – processing client’s data on auditor’s simulated program and then comparing the results with
the client’s results.
8
Transactions
/ Events
Assertion
Occurrence
X
Completeness
X
Accuracy
X
Cut-off
X
Classification
X
Balances (assets, liabs
equity interest)
Presentation
disclosure
X
X
X
X
X
Existence
X
Rights & Obligations
X
X
Valuation & Allocation
X
X
Transactions and events :
 Occurrence – have all
occurred and pertain to the
entity
 Completeness – anything
that should have been
recorded has been recorded
 Accuracy - have been
recorded appropriately
 Cut-off - have been
recorded in the correct
accounting period
 Classification - have been
recorded in the correct
accounts
Assertions for Statement
Assertion
Account balances :
 Existence – assets,
liabilities and equity interest
exist
 Rights and obligations –
entity holds and controls
rights to assets and
obligations are theirs
 Completeness – have all
been recorded
 Valuation and allocation –
included at appropriate
amounts and valuation or
allocation adjustments are
recorded
Presentation & disclosure :
 Occurrence and rights and
obligations – have occurred
and pertain to entity
 Completeness – all has
been included
 Classification &
understandability – is
appropriately presented and
described and disclosures
are clearly expressed
 Accuracy and valuation –
disclosed fairly & at
appropriate amounts.
of Financial Position transactions and balances :
Rights &
obligations
Audit objective - to obtain satisfaction that :
individual transactions and balances in respect of specific kind of asset or liability are fully
accounted for in the accounting records and financials
the balance for the specific asset or liability has been accounted for at the appropriate carrying
value and that the transactions have been correctly allocated to the proper period and recorded
at the proper amount
at a given date the asset or liability did exist and the transactions did take place during the
period in question
at a given date the asset or liability pertains to the entity and that the transactions did take
place during the period in question
Presentation &
disclosure
the asset or liability was disclosed, classified and described in accordance with the applicable
legal requirements and generally accepted accounting practice
Completeness
Valuation &
allocation
Existence
Assertions for Statement
Assertion
of Comprehensive Income transactions and balances :
Completeness
Audit objective - to obtain satisfaction that the specific revenue or expenditure :
transactions and balances are fully accounted for in the accounting records and financial
statements
Occurrence
 transactions actually took place during the period in question (occurrence)
 transactions pertain to the entity (validity)
Cut-off / accuracy /
classification
transactions are recorded in the proper period, are correctly allocated and are recorded at the
proper amount
Presentation &
disclosure
balances are disclosed, classified and described in accordance with the applicable legal
requirements and generally accepted accounting practice (ISA’s & 4 th schedule)
9
Procedures used by auditor to obtain audit evidence :
Analysis of objectives
Procedures of auditor
Completeness :
All transactions were recorded at the time when they
took place
- check date on the supporting documentation
All transactions have been reported in the accounting
records
- check sequential numbering of transactions
Occurrence :
Transactions reordered in records did actually take
place
- investigate existence of valid documents
- compare entries in accounting records with supporting
documents
- check that transactions have been authorised
Transactions recorded in the accounting records
pertain to the entity
- check supporting document to ensure that entity was party in
the transaction
Existence :
Assets and liabilities did actually exist on given date
- perform physical inspection of assets and compare it with the
accounting record
- examine supporting documentation
- obtain supporting evidence from 3rd parties
Accuracy / cut-off / classification :
All transactions have been recorded at the proper
amount
- compare the amount from supporting documents with the
amount in the accounting records
All transactions have been correctly allocated
- compare the allocation with the particulars in the supporting
documents
All transactions have been recorded in the correct
financial period
- compare the date of the transaction with the date on the
supporting documentation
Valuation :
Assets and liabilities have been recorded at an
appropriate carrying value
- obtain external valuation or confirmation from 3rd parties
Assess value by physical inspection
- compare value by referring to supporting documentation
Assess the reasonableness of the amounts claimed
for reduction / increase or write-off of assets
Rights and obligations :
Assets and liabilities pertain to the entity at a given
date
- examine supporting documentation
- obtain evidence from 3rd parties in support of rights or
obligations
- obtain sufficient information to make sure that the state of
affairs was applicable at given date
Presentation and disclosure :
Items in financials have been correctly disclosed,
classified and described
- examine financials and obtain satisfaction that there has
been proper disclosure, classification and description in
terms of the Companies Act and generally accepted
accounting practice
10
GAS substantive procedures fixed assets (BS) – use audit software to :






select sample of additions and disposals to confirm with source documents
print an exception report of any missing / duplicated asset codes
select a sample for physical inspection
recalc depreciation for each asset and compare to client register and print exception report
print exception report of any asset with negative book value
print exception report of any asset where the depreciation rate or method of calculating depreciation is different from
the company’s accounting policy
 recalculate all additions, totals and cross casting
and follow up differences with management
GAS substantive procedures share capital (BS) – use audit software to :






summarise shareholders resister per main category of share capital and compare it to the GL
recalc share split and shares issued
identify all new shares that were issued with cash actually received
identity all negative shareholdings
identify all shares that were redeemed during the year and compare it to the amount of cash paid
print report indicating main shareholders to obtain positive confirmations that they hold the shares
and follow up differences with management
GAS substantive procedures on entity’s investments (BS) – use audit software to :







add up the investments per type and compare to accounts in the GL
extract list of all new and redeemed investments and compare the cash paid or received to confirm the amounts
recalc investment income and compare to accounts in GL
recalc amortisation of discounts and premiums and compare to accounts in GL
identify investments in associate companies and compare to accounts in GL
draw test sample of investment transactions to verify
draw test sample of investments for external confirmation
and follow up differences with management
GAS substantive procedures on verification of inventory (BS) – use audit software to :








recalc value of inventory at year-end (quantity on hand x cost of last purchase)
compare total inventory value to GL
draw sample of representative number of items to verify during physical count
list items on hand at year end where there is a zero YTD sales quantity and investigate
list items with negative unit costs or negative quantity
extract items where average unit cost exceeds the unit selling price
extract list of duplicate / missing inventory numbers
extract sample of item by date of last receipt, supplier code, unit cost and quantity on hand to obtain the latest cost
price per item
and follow up differences with management
Risks associated with internet connection :
 masquerade – imitating someone
 disclosure – someone could “wire-tap” access
 unauthorised access
 loss of data integrity – data is adjusted or changed while in transit
 refusal of service – cos internet is flooded with requests
 theft of services or resources – if offer specific service to client on the net
Detection risk
Risk that auditor will not detect a misstatement that exists in an assertion that could be material, either individually or in
total with misstatements in other assertions. Detection risk is controlled by the auditor
Inherent risk (“built in” risk) - controlled by entity
Control risk (relates to internal controls) – inherent and control risks controlled by client
Database is collection of data that is shared and used by different users and application programs for different
purposes. Consists of database and DBMS
Controls in database system :
General controls
 standard approach for development and maintenance of application programs
 data ownership
11




access to database
division of duties
data resource management
database recovery – controls for data security and database recovery are critical
Online processing - general controls :
 access controls
 password controls
 systems development and maintenance control measures
 programming control measures
 transaction logs
Online processing - application controls :
 pre-processing authorisation
 terminal device edit
 cut-off procedures
 file controls
 masterfile controls
 balancing / reconciling
Advantages for service bureau :
 division of duties when processing done though 3rd party
 cost saving on :
 capital outlay for hardware and software
 IT staff
 hardware, resources and expertise provided by service
bureau
 reliability of processing
 service bureau probably has secure control environment
Disadvantages for service bureau :
 dependency on bureau for processing
 loss of control over info processing
 costs / levies to service bureau
 reliability of bureau for processing and
safeguarding integrity of data
 risk of being locked into obsolete
technology
Other issues to be considered before using service bureau :
 fee structure
 speed of info turnaround
 is bureau financially sound?
 quality of backup and support available
 service bureau’s contingency plans
 bureau’s ability to keep pace with technology
 quality of info made available
 implications for :
 management control
 accounting control
 will system cater for future needs?
 effect on companies image (staff and 3rd parties)
Advantages of EDI (Electronic Data Exchange) :
 cost savings for transactions i.e. human preparation, time, paper costs, postage etc
 increased speed in processing transactions and communication with trading partners
 more accurate processing – reduction in risk of errors
 improved inventory and cash management
 improved trade relations with suppliers
Programmed (logical application controls)
Controls must be implemented to ensure that messages have been properly received :
 echo checking – messages transmitted back to transmitting device to ensure individual messages are complete
 use of verification of headers, trailers and record counts
 use of hash values and hash value comparison.
 messages should be automatically re-transmitted if any errors are detected
 use and verification of proper message structures will ensure that input is received from valid source
 before processing data in each message must be subjected to normal input validation / edit checks
 recipient should wait before reacting to messages in case an error is detected and corrected
 atomicity – feature of a transaction is considered to be indivisible so if the transaction is interrupted or fails then a
mechanism is provided to ensure that the system is returned to its state prior to the initiation of the transaction
12
 terminals :
Dynamic Auditing pg 9/28
 shutdown after period of inactivity
 shutdown after 3 unsuccessful logins. Reconnection only by supervisor and investigation after every
disconnection.
 Unable to login simultaneously on different machines (restricted to one login at a time)
 identification of users – passwords, computer’s serial number, magnetic cards
 authorisation of use – levels of access, two or more passwords needed for release, onetime passwords
 use of access system software – firewalls, console logs and software to monitor and report unauthorised attempts
to gain access
 monitor access and processing – print auditor trail of daily activities and processing showing all sign-ons and sign
offs, sensitive transactions processed and use of utilities
 communication lines and networks – controlled by passwords and sensitive data transmitted via different route
 password controls – minimum length, not obvious, cancelled on resignation, changed monthly, confidentiality
emphasied to staff
 restricted access to password and login files, menu files and authorisation level files
 data to be encrypted
 separate systems for vulnerable and sensitive applications (away from main file servers or main system)
 program libraries – controlled by manager and librarian who can monitor program updates and use, make backups,
control access to data
 utilities control – general user programs that read, organise, change or gain access to files
EFT transactions
Advantages of EFT’s :
 improved cash flow cos of stricter control of funds
 cost savings in service fees and for staff cos no user preparation of cheques
 improved security and control cos no cash handling
 sensitive info like salaries better controlled then with pay packets
EFT edit checks / tests :
 format testing – computer tests that names are alphabetic and amounts are numeric etc
 screen testing – operator tests accuracy of EFT transfer instructions
 dependency testing – system tests if payments are for valid transactions on the system
 limit / reasonability testing – computer tests the reasonableness of payments against
predetermined limits
 digits check – computer tests accuracy of codes / accounts entered
 control totals – computer calc total payments for EFT transactions in comparison to the
bank totals
 occurrence & authorisation / existence testing – computer tests the validity of payments
against masterfile details
 field size – computer tests of different fields size of payment instructions (e.g. bank account
mustn’t exceed 6 digits etc)
Firewalls – combination of computer hardware and software that strengthens access controls over the internet by :
 separating the internet from the internal computer network
 controlling traffic to and from the internet by forcing data to follow a controlled route
 controlling the acceptability of incoming and outgoing data
 logging internet activity
 using encryption / decryption facilities
Different types of word processing software :
 word processing – engagement letters that are saved on computer and can be reviewed and updated instead of
retyped annually
 spreadsheets – time and money budgeting / time sheets updated so audit manager can effectively monitor the cost
of the audit
 presentation software – complex recommendations easily understood if presented in graphic format
 flow charting software – in each audit have to compile and update system descriptions of the flow of documents /
transactions. Use software to analyse procedures and identify the controls (or lack of them). Flow charts can be
reviewed and updated annually.