to the origin of each individual transaction.“Auditing around the computer”is an audit approach used in less complex ITenvironments where the traditional documents making up an audit trail exist insome readily available form, such as organizations that use IT to process businesstransactions but design their systems in such a way that source documents can beeasily retrieved and accounting journals and ledgers can be printed.Because theaudit trail is still in tact and transactions can be traced through the system by theauditor, the auditor generally obtains an understanding of internal control andperforms tests of controls and substantive tests of transactions in the same manneras if the system were entirely manual. Although responsible for gaining anunderstanding of general and application controls, the auditor generally does notperform tests of those computer controls.“Auditing through the computer”is an audit approach used in more complex ITenvironments where internal controls are embedded in applications that are visibleonly in electronic form.The traditional source documents and accounting recordsare only available in electronic form, not hard copy.When auditing through thecomputer, the auditor may follow one of three strategies:1.Test Data approach– the processing of the auditor’s test data through the client’scomputer system using the client’s application program to determine whether thecontrols embedded in the computer accurately process the test data.Knowing inadvance the results that should be produced with the test data, the auditor comparesthe output generated by the system with the expected output in order to evaluate theeffectiveness of the program’s controls.2.Parallel simulation– the use of auditor-controlled software designed to parallel anoperation performed by the client’s software to test data.The data used in theauditor’s software should be the same data used by the client.The output from theclient’s software is compared with the output from the auditor’s software.Differencesin output may indicate weaknesses in internal control.3.Embedded audit module approach– the insertion of an audit module into theclient’s application system to capture certain transactions. Show Newly uploaded documentsRelevant to Foundation level Paper FAU and ACCA Qualification Papers F8 and P7 (Int and UK) The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect this situation. Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of computer-assisted audit techniques (CAATs). The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-based controls and computer-assisted techniques and the way they may feature in exam questions. Relevant auditing standards
Internal controls in a computer environment Application controls Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)). Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories: (i) Input controls The most common example of programmed controls over the accuracy and completeness of input are edit (data validation) checks when the software checks that data fields included on transactions by performing:
When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’. (ii) Processing controls (iii) Output controls (iv) Master files and standing data controls General controls
‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system. (i) Administrative controls
‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
Exam focus
Computer-assisted audit techniques (i) Audit software
The auditor needs to determine which of these functions they wish to use, and the selection criteria. Exam focus The following is an example of how this could be applied to the audit of wages:
(ii) Test data Examples of errors that might be included:
Data without errors will also be included to ensure ‘correct’ transactions are processed properly. Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have been used. (iii) Other techniques
The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often used in real time and database environments. Impact of computer-based systems on the audit approach (i) Planning (ii) Risk assessment The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the controls, whether they are manual or automated. Auditors often use internal control evaluation (ICE) questions to identify strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers both manual and automated controls. For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or performed manually, would also be relevant to this question. (iii) Testing This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use a mix of manual and computer-assisted audit tests. ‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer - based application controls are operating satisfactorily. Conclusion In small computer-based systems, ‘auditing round the computer’ may suffice if sufficient audit evidence can be obtained by testing input and output. Written by a member of the Paper F8 examining team Which of the following approach of audit is also called the auditing around the computer?Computer assisted audit techniques are used. Black box approach is where the auditor is basically not well versed about the computer processing, it is also know as audit around the computer, where documents are taken in physical form and audit techniques are applied on them.
Which box approach is auditing around the computer?- Auditing around the computer means that processing done by the computer system needs not to be audited as auditor expects that sufficient appropriate audit evidence can be obtained by reconciling inputs with outputs. - It is often known as black box audit approach.
How an auditor can audit around the computer?Auditing around the computer is when the audit team doesn't inspect IT system controls. Instead, they obtain source documentation from the system (i.e. system reports) and compare that information to the financial statements.
What is auditing in a computer?A software audit is an internal or external review of a software program to check its quality, progress or adherence to plans, standards and regulations. The process is conducted by either internal teams or by one or more independent auditors.
|