Audit under Computerized Environment
LEARNING OBJECTIVES
1. Explain the nature of risks and control characteristics in CIS environment.
2. Describe automation-related internal controls in complex systems and their impact on
evidence accumulation.
3. Explain the components of controls in CIS environment.
4. Know the similarities and differences in obtaining an understanding of complex and
non-complex computerized systems of internal controls.
5. Describe when it is appropriate to audit only the non-automated internal controls to
assess control risks.
6. Understand the circumstances where it is appropriate to assess control risk using
non-automated internal controls.
Chapter overview: Audit under Computerized Environment
(a) Nature of Risks and Control Characteristics
(b) How CIS Enhance Internal Control
(c) Control in CIS Environments – General Control; Application Control
(d) Impacts of CIS on Audit Evidence Accumulation
1. Nature of Risks and Control Characteristics in CIS Environment
(Dec 14)
1.1 Concentration of function, data and knowledge
(a) concentration of recording, processing and control functions within the CIS
department.
(b) data may be concentrated in one department, i.e. the CIS department.
(c) financial information may be centralized into one computer program,
eliminating many conventional controls based on adequate segregation of
duties.
(d) greater reliance on programmed controls to ensure the reliability of computer
system outputs.
(e) these factors may increase the potential risk of fraud or error and make detection
difficult.
1.2 Control procedures – decrease in human involvement eliminates most of the visual
checking performed during processing in manual systems, but may increase the
potential for individuals to gain unauthorized access to information and alter
information to the detriment of the entity concerned.
1.3 System integration and generated transactions
(a) computer systems may permit a single transaction to update multiple files or
database files. An erroneous entry in such a system may create errors in
several financial accounts.
(b) system-generated transactions may not be specifically documented.
1.4 Accessibility of data and computer programs
(a) unauthorized use of terminals and transactions.
(b) unauthorized modification of previously entered transactions, alteration of
data and programs, etc.
1.5 Transient nature or lack of hardcopy evidence
(a) Lack of documentation, i.e. no audit trail. An audit trail is the facility
to trace individual transactions through a system from origin to completion.
(b) Processing procedures and programs are stored in a form that requires both a
computer and a program to reveal them.
(c) Results of processing may be highly summarized.
(d) An on-line computer system may not be designed to provide printed reports.
(e) The CIS auditor must frequently become involved in the early stages of systems
design.
1.6 Vulnerability of data and program storage media – susceptible to theft, loss and
intentional or accidental destruction.
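Sections 1.4(b) and 1.5(a) describe two of the risks above: previously entered transactions can be altered without visible trace, and a computerized system may have no audit trail by which a transaction can be followed from origin to completion. The following is an added illustration, not part of these notes and not any particular accounting package: a minimal audit trail in which every processing-stage entry is chained to the previous one by a SHA-256 hash, so the auditor can trace one transaction through input, validation, posting and reporting, and any after-the-fact change to an earlier entry is detected when the chain is re-verified. Transaction references, stages and amounts are constructed sample data.

```python
"""Hash-chained audit trail (added example, not from the notes).

Each stage a transaction passes through is appended as an entry whose hash
covers the previous entry's hash. This gives (1) a trail by which a single
transaction can be traced from origin to completion (section 1.5) and
(2) detection of later alteration of an already-entered record (section 1.4(b)).
All transaction ids, operators and amounts below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class Entry:
    seq: int
    txn_id: str
    stage: str
    detail: dict
    prev_hash: str
    entry_hash: str


def _entry_hash(seq, txn_id, stage, detail, prev_hash):
    # Canonical JSON so the same content always hashes the same way.
    payload = json.dumps([seq, txn_id, stage, detail, prev_hash],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(trail, txn_id, stage, detail):
    """Record one processing stage for txn_id; returns the new entry's hash."""
    prev_hash = trail[-1].entry_hash if trail else GENESIS
    seq = len(trail)
    h = _entry_hash(seq, txn_id, stage, detail, prev_hash)
    trail.append(Entry(seq, txn_id, stage, detail, prev_hash, h))
    return h


def trace_transaction(trail, txn_id):
    """The audit trail for one transaction: its stages in processing order."""
    return [e.stage for e in trail if e.txn_id == txn_id]


def verify_chain(trail):
    """Re-derive every hash; returns (ok, seq_of_first_bad_entry_or_None)."""
    prev = GENESIS
    for e in trail:
        recomputed = _entry_hash(e.seq, e.txn_id, e.stage, e.detail, e.prev_hash)
        if e.prev_hash != prev or recomputed != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    return True, None


def build_sample_trail():
    """Constructed sample: two invoices, one accepted end-to-end, one rejected."""
    trail = []
    append_event(trail, "INV-1001", "input", {"operator": "clerk-a", "amount": 2500.00})
    append_event(trail, "INV-1002", "input", {"operator": "clerk-b", "amount": 180.00})
    append_event(trail, "INV-1001", "validated", {"checks": ["limit", "customer-master"]})
    append_event(trail, "INV-1001", "posted", {"ledger": "AR", "amount": 2500.00})
    append_event(trail, "INV-1002", "rejected", {"reason": "customer not on master file"})
    append_event(trail, "INV-1001", "reported", {"report": "sales-day-book"})
    return trail


def tamper_demo():
    """Alter an already-entered amount (section 1.4(b)) and re-verify the chain."""
    trail = build_sample_trail()
    ok_before, _ = verify_chain(trail)
    trail[0].detail["amount"] = 250.00  # after-the-fact modification of entry 0
    ok_after, bad_seq = verify_chain(trail)
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    t = build_sample_trail()
    print("INV-1001 trail:", trace_transaction(t, "INV-1001"))
    print("chain intact:", verify_chain(t))
    print("after tampering (ok_before, ok_after, bad_seq):", tamper_demo())
```

The chain only makes alteration detectable; it does not prevent it, so in practice the trail is written to storage the processing staff cannot rewrite, which is the program library and data security point made under general controls later in these notes.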
2. How Computerized Systems Enhance Internal Control
(Dec 11)
2.1 Computer controls incorporated in the daily processing
2.1.1 One of the advantages of a computerized system is the ability to improve internal
control by:
(a) Incorporating computer-performed controls in day-to-day transaction
processing activities to ensure that erroneous data are detected.
(b) Replacing manual procedures with programmed controls that apply checks
and balances to each processed transaction, which reduces the human error
that is likely to occur in traditional manual environments.
(c) Establishing online security controls in applications, databases and
operating systems, which also provides opportunities to enhance segregation of duties.
(d) Encouraging management to develop good internal control practices
in order to implement and maintain a complex computer system.
(e) Providing management with more information and more effective
analysis.
2.2 Initiation to enhance administrative controls
2.2.1 It is difficult to implement and maintain a complex computer system successfully
without effective organization, good procedures and documentation, and effective
administration. This, in turn, fosters good control.
2.3 Higher-quality information is available
2.3.1 A computerized system is typically used to provide management with more
information and more effective analysis of that information.
2.3.2 Management’s use of the information offers further potential for improved
management decisions and enhanced internal controls.
3. Controls in CIS Environments
3.1 General control
(Dec 11)
3.1.1 General controls refer to the environment within which computer applications are
developed, maintained and operated, and within which the application controls operate.
3.1.2 The objectives are to ensure the proper development and implementation of
applications, and the integrity of programme and data files and of computer
operations.
3.1.3 General controls include:
(a) organization and management controls – policies and procedures relating to
controls over computer processing functions.
(b) system development and programme maintenance controls – ensure that
effective systems and programmes are formally developed as authorized.
(c) computer operation controls – ensure that the computer is used for authorized
purposes only, that use is restricted to authorized personnel, and that errors are
detected.
(d) system software controls over acquisition or development – changes are
authorized, approved, tested, implemented and documented.
(e) programme library security controls – unauthorized changes cannot be made;
separation of responsibilities between programme libraries and programme
changes; protection of back-up copies of programmes.
(f) data security controls – unauthorized changes cannot be made to data on
files or databases.
(g) other general controls – e.g. offsite storage of data; protection against fire,
theft, loss, etc.
3.2 Application control
(Dec 11)
3.2.1 Application controls refer to controls that are specific to individual accounting
applications, and are therefore unique to particular accounting applications or functions.
3.2.2 The purpose is to ensure the completeness and accuracy of the accounting records and
the validity of the entries therein. They consist of a combination of manual and
programmed procedures.
3.2.3 Application controls are classified as:
(a) Input controls
(i) completeness of input – e.g. record counts, control or batch totals,
hash totals.
(ii) accuracy of input – e.g. validity check (customer no. checked to
master file); reasonableness tests; limit checks, etc.
(iii) validity of input – e.g. authorization limits; clerical review of input
transactions.
(b) Processing controls – e.g. input controls as above; control totals; error logs;
cross-footing tests.
(c) Output controls – e.g. comparison with source documents, error logs or
exception reports; scrutiny of output before dispatch.
(d) Error correction controls – e.g. immediate error correction procedures and
accumulation of errors in an error file for subsequent follow-up by data input
personnel provide for early detection and correction of input errors.
4. Impacts of Computerized System on Audit Evidence Accumulation
4.1 Use non-automated internal control to assess control risk
4.1.1 In assessing the control risk of an entity, auditors have to consider both the automated
and the non-automated internal controls.
4.1.2 On certain occasions, the manual aspects of systems may be more suitable. PSA 315
specifies that manual internal control is more suitable for assessing control risks
where judgment and discretion are required, such as in the following
circumstances:
(a) Large, unusual or non-recurring transactions, which are not usually
processed through the uniform processing system.
(b) Circumstances where errors are difficult to define, anticipate or predict;
as a result, computer-based controls may not be available for detecting such
types of errors.
(c) Changing circumstances that require a control response outside the scope
of an existing automated control, so that the use of manual control is
unavoidable.
(d) Monitoring the effectiveness of automated controls.
(d) In monitoring the effectiveness of automated controls.
4.1.3 However, manual or non-automated controls have the following problems:
(a) Manual controls are performed by people and therefore pose specific risks to
the entity’s internal control, because different people may have different
motives and levels of competence.
(b) Manual controls may be less reliable than automated controls because they
can be more easily bypassed, ignored or overridden by people.
(c) Manual controls are more prone to simple errors and mistakes due to
carelessness or other reasons.
(d) Consistent application of a manual control element cannot therefore be
assumed, and the reliability of a manual control may not be of the same level
over time.
4.1.4 Manual systems may be less suitable for the following circumstances:
(a) Transactions that are of high volume or recurring.
(b) Errors whose type can be anticipated or predicted, which can be prevented or
detected by automated control parameters.
(c) Control activities that have specific ways of being performed and can be
adequately designed and automated.
4.2 Understanding of complex and non-complex computerized systems of internal
controls
(a) Similarities
4.2.1 Evaluate the effectiveness of general controls before evaluating application
controls
(a) If general controls are ineffective, there is potential for material
misstatement in each computer-based accounting application, regardless of
the quality of the application controls.
(b) If good general controls are in place, there is an increased likelihood of
placing greater reliance on application controls. This increases the auditor’s
ability to rely on application controls to reduce control risk, and so can
reduce substantive testing.
4.2.2 Auditors must be knowledgeable about the general controls and application
controls.
(a) Auditors must be knowledgeable about these controls because they are
responsible for gaining an understanding of internal control, regardless of
whether the client’s computerized system is simple or complex.
(b) Knowledge about general controls increases the auditor’s ability to rely on
effective application controls to reduce control risk, because general
controls can have a pervasive effect on the operating effectiveness of
application controls.
4.2.3 The auditor should obtain an understanding of the information system relevant to
financial reporting. (Dec 11)
(a) The classes of transactions in the entity’s operations and how the information
system captures events and conditions that are significant to the financial
statements.
(b) The procedures and related accounting records by which those transactions
are initiated, recorded, processed and reported in the financial statements.
(c) The financial reporting process used to prepare the entity’s financial
statements, including significant accounting estimates and disclosures.
(d) Controls surrounding journal entries, including non-standard journal entries
used to record non-recurring, unusual transactions or adjustments.
(e) The related accounting records, supporting information and specific
accounts in the financial statements that are used to initiate, record, process
and report transactions; these include the correction of incorrect information
and how information is transferred to the general ledger. The records may be in
either manual or electronic form.
(b) Differences
4.2.4 Visibility of source documents and audit trails
(a) In a non-complex computerized system, source documents are retrievable
in readable form and can be traced easily through the accounting system to
output.
(b) Internal controls often include the client’s comparison of computer-produced
records with source documents.
(c) However, with greater volumes of data and more complex systems, this is
no longer true.
4.2.5 Mode of authorization
(a) In certain complex computerized systems, there are certain types of
transactions initiated automatically by the computer; examples are the
calculation of interest on savings accounts and the ordering of inventory when
pre-specified order levels are reached. In these instances, authorization is not
made for each transaction, as occurs in a less complex system.
4.2.6 Audit approach
(a) In a non-complex computer system, auditors use the approach of auditing
around the computer because it is not necessary for the auditors to use
computer controls to reduce assessed control risk.
(b) In a complex computer system, where the source documents and internal
controls are often embedded in applications that are visible only in
electronic form, the auditor must change the approach to auditing through
the computer.
Question 1
(a) During the planning stage of an audit, the auditor shall obtain an understanding of the
information system, including the related business process, relevant to financial
reporting. What areas of the information system relevant to financial reporting should
the auditor consider? (4 marks)
(b) How do computerized systems enhance internal control? (4 marks)
(c) What are general IT controls? Provide two examples. (4 marks)
(d) What are the four categories of application controls? (4 marks)