What is audit in a computer environment?
Approaches
Auditing around the computer
Auditing through the Computer
Auditing with the computer
automation
Working Papers
Statistical sampling and
analytical procedures
Mwakalobo@apt financial
consultants
work
Standard software for word processing,
spreadsheets
Expert systems.
Generally, an auditor can use his PC to assist for
Production of time budget and budgetary
control.
Analytical procedures.
The maintenance of permanent file
information
Application controls
General controls
CATEGORIES OF CAAT
Audit software
Test data
Other techniques
Audit software:
generalized audit software
specialized audit software or
interrogation software
utility programs and
existing entity programs.
Regardless of the source of the
programs, the auditor should
substantiate their validity for audit
purposes prior to use.
TYPES OF CAATs
Test data
Is a CAAT in which test data
prepared by the auditor is
processed on the current
production version of the client's
software, but separately from the
client's normal input data.
Other techniques
embedded audit facilities
Integrated test facility
System Review and control file (SCARF)
Application program examination
Limits of CAATs
Evaluation
of general controls
Use ICQ or the ICE approach.
PROGRAM AUTHENTICITY
MANUAL Vs CAATs
environment
Possibilities of attending during
system development stage
Consideration of use of CAATs
Practicability of manual audit
Expertise
Use of CAATS
In using CAAT,
computer
integrity
Manual examination may be useful in
small computer application
Observation, examination of
documentary evidence or reperforming
the procedures may be useful.
CAATs can also be useful
(audit software)
e.g. analytical review.
The working papers should indicate the
work performed by CAAT, the auditor's
conclusion, the manner in which any
technical problems were resolved and
may include any recommendations about
modification of CAAT for future audits.
AUDIT TRAIL.
Audit trail.
As the complexity of computer systems has
Factors to consider
The
Types of Bureaux
Independent companies formed to provide specialist computer services
Computer manufacturers with bureau
Computer users (e.g. universities)
Physical controls;
changes to programs;
No access to live program file by any personnel
except for the operation personnel at the central
computer; Password protection on programs;
Restricted access to the central computer and terminal;
Maintenance of console; Periodic comparison of live
production programs to control copies and
supporting documentation.
during operation;
Restriction of access to terminals by use of
password; Satisfactory application control over
input, processing and master file; Use of
operation manuals and training all users;
Maintenance of logs showing unauthorized
attempts to access; Physical protection over data
files; Training in emergency procedures;
Controls to ensure integrity of the database system;
Restriction of access to data dictionary
systems
The problems surrounding PCs can be grouped as:
Lack of planning over the acquisition and use of PCs;
Lack of documentary evidence;
Lack of security and confidentiality.
COMPUTER FRAUD
Input fraud:
Processing fraud;
Fraudulent use of computer system;
Output fraud;
in computer literacy
Communications e.g. telephone and
PCs and hackers
Reduction of internal
Improvements in quality of software and
increase in implementation of good
software have not kept pace with
improvements in hardware
DEVELOPMENTS IN COMPUTERIZED
ENVIRONMENT
INTERNET
CONTROLS IN INTERNET
Use of passwords,
Disabling certain terminals
Firewalls
Authorization: the technique makes sure that a
message has come from an authorized
sender
Virus control software, regularly updated
Physical controls against fire, damage, etc.
from happening
WHAT IS EDI
Is the automated computer-to-
CONSIDERATION OF AUDIT
STANDARDS
ISA 315, Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement and
ISA 330, The Auditor's Procedures in Response to
Assessed Risks became effective.
as per ISA
The existence of a computer is likely to have
an impact on the client's inherent risk and
control risk.
The auditor should have sufficient knowledge
of CIS to plan, direct, supervise and review
the work performed.
The auditor should consider whether
specialized CIS skills are needed in an audit.
ISA
The ISA makes it clear that auditors should have
ISA
ELECTRONIC COMMERCE
IAPS 1013
Is any Commercial activity that takes place by means
What is an IT audit?
Like operational, financial and compliance auditors,
Why IT AUDIT?
Because of Information Technology RISK!!
Risk: The probability that a particular threat
exploits a particular vulnerability (i.e. an issue
which may impact ability to meet objective).
Threat: Event or entity with the potential to
cause unauthorized access, modification,
disclosure, or destruction of info resources.
Vulnerability: Weakness in a system control, or a
design flaw, that can be exploited to violate
system, network, or data integrity.
Controls
General Controls.
Operational Audits
Review operating policies/procedures
Documented policies/procedures?
Informal policies/procedures?
Work flow examined (thru flowchart or
description requested/developed)
Controls identified and documented
Examine the business process and
recommend improvements, control-related or
efficiency/effectiveness
General Controls:
The purpose of General controls is to
MANUAL CONTROLS
Other Controls:
Manual Controls
Physical Controls:
- Is a matter of common sense.
- Limit access to a computer room.
- Locks and keys, only to specified people.
- Prevention of smoking.
Back-up of disks:
- Create and update an identical back-up disk for every disk in the system; Data files & Program files; The disk should be stored in a separate place.
Data filing:
- Each disk should be labeled clearly and filed securely. The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spilt on the disks or their being bent or plied.
Documentation: It is vital, as it provides both a support
system for work already stored on disk and filed, and
a progress report on data currently being processed or
updated.
Staff Training:
Proofing: There is always room for manual checking or
proofing, to control data on disk.
PROGRAMMED CONTROLS
Programmed Controls:
Reasonable checks: Checks to ensure that
data input is reasonable given the type of input
it is e.g. A payroll system would check that his
recorded for a falls within a range of 30 to 50.
Existence checks: Checks to ensure that the
data input is valid by checking that the entity
already exists in the system. E.g. employee
number.
Dependency checks: Data input fields can be
compared with other fields for reasonableness.
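The three programmed checks above, exercised with auditor-prepared test data whose results are predicted in advance, as an added example that is not part of the original slides. The field names, the master file, the overtime rule and the reading of the 30 to 50 range as hours worked are assumptions.

```python
# Added illustration; not taken from the slides or any client system.
from dataclasses import dataclass

# Constructed master file: employee number -> pay basis (hypothetical).
EMPLOYEE_MASTER = {"E1001": "hourly", "E1002": "hourly", "E1003": "salaried"}
HOURS_RANGE = (30, 50)  # assumption: the slide's 30-50 range is hours worked

@dataclass
class TimesheetLine:
    employee_no: str
    hours: float
    overtime_hours: float

def programmed_controls(line, master=EMPLOYEE_MASTER):
    """Return the names of the input checks that reject this line."""
    failures = []
    # Existence check: the entity must already exist in the system.
    basis = master.get(line.employee_no)
    if basis is None:
        failures.append("existence")
    # Reasonableness check: the value must fall within the expected range.
    if not HOURS_RANGE[0] <= line.hours <= HOURS_RANGE[1]:
        failures.append("reasonableness")
    # Dependency check (assumed rule): overtime is compared with other
    # fields; it cannot exceed hours, and salaried staff record none.
    if line.overtime_hours > line.hours or (
            basis == "salaried" and line.overtime_hours > 0):
        failures.append("dependency")
    return failures

# Auditor-prepared test data (constructed), each with the predicted result.
TEST_DATA = [
    (TimesheetLine("E1001", 40, 5), []),
    (TimesheetLine("E9999", 40, 0), ["existence"]),
    (TimesheetLine("E1002", 72, 0), ["reasonableness"]),
    (TimesheetLine("E1003", 38, 4), ["dependency"]),
    (TimesheetLine("E9999", 10, 12),
     ["existence", "reasonableness", "dependency"]),
]

def run_test_data(controls=programmed_controls, cases=TEST_DATA):
    """Process the test data; return cases where actual != predicted."""
    results = [(line, predicted, controls(line)) for line, predicted in cases]
    return [r for r in results if r[1] != r[2]]

def weak_controls(line):
    """Deliberately incomplete variant: the existence check is missing."""
    return [f for f in programmed_controls(line) if f != "existence"]
```

An empty list from `run_test_data()` is the auditor's evidence that the controls behaved as predicted; `run_test_data(weak_controls)` returns the two cases that expose the missing existence check.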
Main problems.
Internal Controls.
Major controls appropriate in
this environment are: Authorization:
Physical security
AUDIT PROCEDURES
Substantive tests
Internal controls
Inherent limitations of the system of IC in
elimination of frauds & errors.
The need to balance the cost of control with its
benefits; The fact that IC are applied to systematic
transactions, not one-off year-end adjustments,
which are often larger and subject to error; The
potential for human error; Possibility of circumvention
of IC through collusion of managers or
employees with other parties inside/outside the
entity; Abuse of controls or override of controls e.g.
ordering of personal goods; Obsolescence of controls
Advantages of CAATS:
programs cost.
Cost; Changes to client's system; Small
installations PC; Over elaboration;
Larger quantities of output; Version of
file used for test.
Test Data:
Is data submitted by the auditor for
processing by the client's computer-based
accounting system.
live data
Using dummy data in a normal
production run.
Using dummy data in a special run.
Difficulties of test data:
Cost
Limited objective
Dangers of live testing
Difficulty in recording audit evidence