AUDITING: A RISK ANALYSIS APPROACH

1
AUDITING: A RISK ANALYSIS APPROACH
5th edition
Larry F. Konrath
Electronic Presentation
by Harold O. Wilson
2
Chapter 8
INTERNAL CONTROLS and CBIS

3
A note on technology
Information processing systems have encouraged
continuous auditing throughout a client's
fiscal year. Computer systems and personnel (and
changes) tend to obscure (or destroy) audit
trails traditionally traced by auditors.

Auditor ingenuity is continuously challenged!
4
FAQ?
What are major impacts of CBIS advances on
auditing and assurance services?
  • Trends in computer use impact two aspects of
    audit risk, but not audit objectives
  • Assessing control risk (need for CBIS control)
  • Managing detection risk (verifying transaction
    data processed by CBIS, and balance data stored
    in CBIS)

6
Impact of CBIS on Audit Approach
  • Less documentation of transactions
  • Paperless office
  • Document management system
  • Computer audit trail
  • Combining functions in CBIS systems
  • Computer performs review and comparison functions
  • Must test computer controls

7
FAQ?
What is the audit trail?
The documents and records (evidence of executed
transactions) that allow tracing transactions
through the accounting cycle in the accounting
and information system.
8
Auditing Around the Computer
  • Treats computer as a black box
  • Compare input and output
  • Easy!!
  • Can't make any assertions about underlying data

Auditing around the computer is to pretend
it's just a super-sized typewriter!
9
Auditing through the box
  • Direct testing--processes auditor's known data
    properly, completely, etc.
  • Auditor observes the control functions in action
    (e.g., check digits, limit tests).
  • Gives evidence of an underlying process.
  • BUT, is the evidence only about today and the
    usual data? Is it playing client?

10
Observations on auditing with, around, or through
computers
  • The difficulty: After-the-fact testing of data,
    computers, applications may or may not
    replicate what happened during the period under
    audit.
  • The responsibility: Auditors must develop
    confidence in the controls and in
    input and outputs while performing
    other auditing techniques as
    well.

11
TYPES OF CBIS
  • Centralized vs. Distributed (DDP) systems
  • OLRT vs. Batch processing systems
  • Multi-user (DBMS) vs. flat file systems
  • Interactive vs. stand alone system
  • Various degrees of networking, geographic
    separations, e-commerce functions,
    volumes/types of transactions, etc., and focus
    on end users' needs.

12
ELECTRONIC COMMERCE SYSTEMS
  • Scope
  • Merchandise and securities markets
  • Bookkeeping and tax services
  • Consulting and teaching
  • Risk concerns (control over inputs)
  • Access by customers and employees (complex!)
  • Data security concerns (EDI)
  • Internet involvement

13
Remember: The auditor's initial concern is
transaction cycles!
  • All firms have
  • Sales
  • Cash In
  • Cash Out
  • Purchases
  • Payrolls

AND documentation should underlie the debits and
the credits to these accounts!
14
CBIS CONTROLS 1. General Controls
  • Control procedures that are interactive with two
    or more control objectives.
  • Relate to the organizational structure of the
    CBIS function (safeguarding data files and
    programs, documentation, etc.).
  • Relate to all (or many) computerized accounting
    activities.
  • Of major concern to auditors.

15
  • CBIS should be separate from user departments,
    and not initiate transactions.
  • CBIS Manager reports to top management.
  • Other Personnel: System Analysts (design and
    modify system to meet user needs), Programmers,
    Computer Operators Programmers, Librarian
    (custody over files, programs, control access),
    Data Control Group (similar to internal audit)
  • CBIS testing precedes going on line.

16
  • Increased dependence on computers prompts all
    user groups to participate in design and
    development of CBIS
  • Documentation includes objectives, access
    controls (approvals, authorizations),
    flowcharts, and instructions.
  • Procedural controls include protocols, data
    encryption, telecommunications, network
    monitoring software, etc.

17
CBIS CONTROLS 2. Application Controls
  • Control procedures that are designed to achieve
    specific control objectives.
  • Relate to individual computerized accounting
    applications.
  • Organized into input controls, processing
    controls, output controls.

18
  • There are application controls for sales, cash
    receipts, cash disbursements, purchases, and
    payrolls.
  • Input controls: accuracy and completeness
    (editing, audit trails, transaction logs, e.g.,
    reasonableness tests, test digits)
  • Processing controls (headers, footers, record
    counts, echo checks)
  • Output controls (verifications, proper
    distribution to authorized recipients)

19
CBIS CONTROLS 3. User Controls
  • Control procedures that are established by
    departments other than Data Processing, whose
    transactions are computer processed.
  • Relates to ensuring accuracy of data processing
    (e.g., approvals of inputs, review of outputs).
  • Techniques include control totals, hash totals,
    comparative summaries.
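
An added example, not part of the original slides: the record counts listed under processing controls and the control totals and hash totals listed above, computed by the user department before submission and again over the processed output. The record layout, sample values and function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch: (document number, vendor account, amount).
BATCH = [
    ("INV-1001", 40127, Decimal("1250.00")),
    ("INV-1002", 40388, Decimal("89.95")),
    ("INV-1003", 41002, Decimal("4300.10")),
    ("INV-1004", 40127, Decimal("615.25")),
]

def batch_totals(records):
    """Compute the three batch controls over a list of records."""
    return {
        "record_count": len(records),                                # how many items
        "control_total": sum((r[2] for r in records), Decimal("0")), # meaningful sum (amounts)
        "hash_total": sum(r[1] for r in records),                    # meaningless sum (account numbers)
    }

def reconcile(submitted, processed):
    """Return the names of the controls that disagree between the two sides."""
    before, after = batch_totals(submitted), batch_totals(processed)
    return [name for name in before if before[name] != after[name]]

# Constructed processing outcomes to reconcile against the submitted batch.
DROPPED = BATCH[:3]                                     # last record lost
ALTERED = [BATCH[0], BATCH[1],
           ("INV-1003", 41002, Decimal("4800.10")), BATCH[3]]   # amount changed
REDIRECTED = [BATCH[0], ("INV-1002", 40999, Decimal("89.95")),
              BATCH[2], BATCH[3]]                       # same amount, different account
SWAPPED = [("INV-1001", 40127, Decimal("89.95")),
           ("INV-1002", 40388, Decimal("1250.00")),
           BATCH[2], BATCH[3]]                          # compensating errors

if __name__ == "__main__":
    for label, out in [("dropped", DROPPED), ("altered", ALTERED),
                       ("redirected", REDIRECTED), ("swapped", SWAPPED)]:
        print(label, reconcile(BATCH, out) or "all controls agree")
```

The redirected case is caught only by the hash total, and the swapped case passes all three controls, which is why batch totals are paired with record-level edits and review of outputs.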

20
  • Auditors often evaluate a mix of CBIS and user
    controls.
  • If CBIS controls are weak, auditors default to
    evaluating user controls as possible
    compensating controls.
  • Audit focus on user controls may save audit
    time in some cases, since evaluating complex CBIS
    controls may contribute little to audit
    objectives.

21
AUDIT TECHNIQUES for testing CBIS
controls
  • Obtain understanding of the system
  • Review the CBIS and identify areas for specific
    testing of controls
  • Study the system and program documentation
  • Make tests
  • Evaluate the control risk

22
AUDIT TECHNIQUES for testing CBIS
controls
  • Understanding of the system
  • Observe and inquire
  • Organization and operation of CBIS function
  • Limited access
  • Process for new/revised programs
  • Process of designing new systems
  • Extent of backup files
  • Existence of disaster recovery plans
  • Data control group

23
AUDIT TECHNIQUES for testing CBIS controls
  • Auditor concerns in evaluating and testing General
    Controls
  • Design phase auditing
  • Evaluating and testing organizational controls
  • Evaluating and testing access controls
  • Evaluating and testing systems development and
    documentation controls
  • Evaluating and testing data and procedural controls

24
Techniques for Auditing Through the Computer
  • Test Data (hypothetical answers and errors) used
    with the client's computer: Would their
    computer find?
  • BCSE (for large clients!)
  • Integrated test facility (ITF) approach
  • Tagging and Tracing technique
  • Systems Control Audit Review File (SCARF)
    using specific control points

25
Auditing through.
  • Parallel Simulation: an automated version of
    auditing around the computer, e.g., client's
    software or data used with CPA's computer or
    software (known reliability).
  • Mixing such factors, surprise audit, may be
    effective or may be inadvisable, maybe
    dangerous.

26
CBIS Audit Risk Implications
  • Audit trail modifications may occur as OLRT
    inputs are shotgunned once to every location
    to use such input data.
  • Hard-copy may be replaced by DBMS.
  • Temporary vs. long-term retention policies may
    become fuzzy policies.
  • Similar concerns prompt initial assessments
    of control risk at very high levels!

27
Suggestions for Strengthening Controls
Associated with OLRT and DDP
  • Effective documentation
  • Adequate transaction logs
  • Password security
  • Effective input editing controls
  • Backups and History Logs: detailed, required.

28
Added Controls of EDI
  • Strict identification and password controls
  • Limit number of terminals
  • Produce transaction log showing date, time, type
    of transaction, operator
  • Exercise strict control over encoding keys
  • Error log for input receiving errors
  • Echo check

29
Managing Detection Risk
  • Auditors more involved
  • Greater use of CAS
  • Continuous auditing
  • Be alert for ingenious perpetrations of fraud

30
Expert Systems
  • Artificial Intelligence / Expert Systems
    (AI/XS): Software packages based on decision
    rules, knowledge base systems (KBS), and
    expertise in defined domains.
  • Expert System Shells: Software prompting
    effective transference of expertise to the
    less experienced, by utilizing a critical
    sequence of input variables.

31
  • Expert Systems Shells: software dependent on
    which knowledge base underlies the XS -- being
    used in grant insurance coverage, predicting
    fraud or bankruptcy, solving tax cases, aid in
    forensic accounting cases (e.g., kiting), and
    designing audit programs.
  • Neural network: computer system designed to
    replicate the functioning of the human brain,
    i.e., simulated learning via cases.

AI/XS conclusions are often linked to
probabilities.
32
FAQ?
Would the auditor's use of artificial data
introduced into the client's normal live data
processing (ITF approach) be effective?
efficient? wise?
Very controversial! Many pitfalls may exist here
for the auditor. Can you list a few?
33
End of Chapter 8