Introduction
1 Auditing Standards prescribe the basic principles and practices to be followed in the conduct of an audit. 'The auditor's operational standard' and the guidelines on planning, controlling and recording, accounting systems, audit evidence, internal controls and review of financial statements apply irrespective of the system of recording and processing transactions. However, computer systems do record and process transactions in a manner which is significantly different from manual systems, giving rise to such possibilities as a lack of visible evidence and systematic errors. As a result, when auditing in a computer environment, the auditor will need to take into account additional considerations relating to the techniques available to him, the timing of his work, the form in which the accounting records are maintained, the internal controls which exist, the availability of the data and the length of time it is retained in readily usable form, as further described below.
2 Computers have a wide range of capabilities and changes continue to be made as a result of new technology. With the introduction of smaller computers, there is a greater likelihood of weak internal controls. This will normally lead to greater emphasis being placed on substantive testing of transactions and balances, and on other procedures such as analytical review, rather than on compliance testing. Furthermore, where smaller volumes of transactions are processed, substantive testing may in the circumstances be the more efficient method of obtaining audit evidence.
Background
3 Audits are performed in a computer environment wherever computer-based accounting systems, large or small, are operated by an enterprise, or by a third party on behalf of the enterprise, for the purpose of processing information supporting the amounts included in the financial statements.
4 The nature of computer-based accounting systems is such that the auditor is afforded opportunities to use either the enterprise's or another computer to assist him in the performance of his audit work. Techniques performed with computers in this way are known as Computer-Assisted Audit Techniques ('CAATs'), of which the following are the major categories:
(a) use of "audit software": computer programs used for audit purposes to examine the contents of the enterprise's computer files;
(b) use of "test data": data used by the auditor for computer processing to test the operation of the enterprise's computer programs.
5 Where there is a computer-based accounting system, many of the auditor's procedures may still be carried out manually. For instance, the ascertainment of the accounting system and assessment of its adequacy will normally be performed manually, and in appropriate circumstances the auditor may also decide to select manual audit techniques.
Knowledge and Skills
6 When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive. This is because the auditor's knowledge and skills need to be appropriate to the environment in which he is auditing, and because ethical statements indicate that he should not undertake or continue professional work which he is not himself competent to perform unless he obtains such advice and assistance as will enable him competently to carry out his task.
Planning, Controlling and Recording
7 Paragraph 2 of 'The auditor's operational standard' states that "the auditor should adequately plan, control and record his work". The principles relating to planning, controlling and recording are the same in a computer environment as in other circumstances, but there are additional considerations that need to be taken into account.
Planning
8 In order to plan and carry out an audit in a computer environment, the auditor will need an appropriate level of technical knowledge and skill. As part of his additional planning considerations, he should decide at an early stage what effect the system itself, and the way it is operated, will have on the timing of and the manner in which he will need to perform and record his work. In this respect, he may have had the opportunity to consider these matters during the development and implementation of the system.
9 The auditor should also consider the use of CAATs, as this may have a significant effect on the nature, extent and timing of his audit tests. As indicated in paragraph 10 below, in certain circumstances the auditor will need to use CAATs in order to obtain the evidence he requires, whereas in other circumstances he may use CAATs to improve the efficiency or effectiveness of his audit. For example, the availability of audit software may mean that substantive tests can be performed more economically or quickly than substantive tests performed manually, which may persuade him to place less reliance on internal controls and to reduce his compliance testing accordingly.
10 In choosing the appropriate combination of CAATs and manual procedures, the auditor will need inter alia to take the following into account:-
(a) Computer programs often perform functions of which no visible evidence is available. In these circumstances it will frequently not be practicable for the auditor to perform tests manually.
(b) In many audit situations the auditor will have the choice of performing a test either manually or with the assistance of a CAAT. In making this choice, he will be influenced by the respective efficiency of the alternatives, taking into account:
(i) the extent of compliance or substantive testing achieved by both alternatives;
(ii) the pattern of cost associated with the CAAT;
(iii) the ability to incorporate within the use of the CAAT a number of different audit tests.
(c) In some cases, the auditor will need to report within a comparatively short time scale. In such cases it may be more efficient to use CAATs because they are quicker to apply, even though manual methods are practicable and may cost less.
(d) There is a need before using a CAAT to ensure that the required computer facilities, computer files and programs are available. Furthermore, given that enterprises do not retain copies of computer files and programs for an indefinite period, the auditor should plan the use of any CAAT in good time so that these copies are retained for his use.
(e) The operation of some CAATs requires frequent attendance or access by the auditor. The auditor may be able to reduce the level of his tests by taking account of CAATs performed by the internal auditors, but the extent to which he can do this in any given situation will depend, amongst other things, on his assessment of the effectiveness and relevance of the internal audit function.
(f) Where the enterprise's accounting records include computer data, the auditor will need to have access to that data. Further, where the auditor wishes to perform a CAAT, it is often necessary for the enterprise to make computer facilities available to the auditor to enable him to discharge his responsibilities.
Controlling
11 Whether or not the audit is being carried out in a computer environment, audit procedures should always be controlled to ensure that the work has been performed in a competent manner. Where CAATs are used, however, particular attention should be paid to:
(a) the need to co-ordinate the work of staff with specialist computer skills with the work of others engaged on the audit;
(b) the approval and review of the technical work by someone with the necessary computer expertise.
12 It is acceptable for an auditor to use a CAAT on copies of computer records or programs provided he has taken steps to gain reasonable assurance that the copies are identical to the originals.
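One way to gain the assurance paragraph 12 asks for is to compare a cryptographic digest and the size of the copy against the original, and to locate the first differing byte when they disagree. The following is an added example, not part of the guideline; the function names, the SHA-256 choice and the sample ledger data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read in blocks so large data files are not loaded whole

def file_digest(path):
    """Return (SHA-256 hex digest, size in bytes) of a file."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size

def first_difference(path_a, path_b):
    """Return the byte offset of the first difference (or truncation), else None."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            block_a, block_b = a.read(CHUNK), b.read(CHUNK)
            if block_a != block_b:
                for i, (x, y) in enumerate(zip(block_a, block_b)):
                    if x != y:
                        return offset + i
                return offset + min(len(block_a), len(block_b))
            if not block_a:
                return None
            offset += len(block_a)

def verify_copy(original, copy):
    """Compare a working copy with the original; the dict can be filed as evidence."""
    (d_o, s_o), (d_c, s_c) = file_digest(original), file_digest(copy)
    identical = d_o == d_c and s_o == s_c
    return {
        "original_sha256": d_o, "copy_sha256": d_c,
        "original_size": s_o, "copy_size": s_c,
        "identical": identical,
        "first_difference": None if identical else first_difference(original, copy),
    }

def demo():
    """Constructed sample ledger file with one faithful and one altered copy."""
    ledger = b"INV001,2024-01-05,1250.00\nINV002,2024-01-06,310.40\n"
    files = {"orig": ledger, "good": ledger, "bad": ledger.replace(b"310.40", b"810.40")}
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name + ".csv") for name in files}
        for name, data in files.items():
            with open(paths[name], "wb") as f:
                f.write(data)
        return verify_copy(paths["orig"], paths["good"]), verify_copy(paths["orig"], paths["bad"])

if __name__ == "__main__":
    print(demo())
```

The digest of the original should be taken on the enterprise's system at the time the copy is made, so that later changes to either file are detectable.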
Recording
13 The standard of the audit working papers relating to computer-based accounting systems and the retention procedures in respect of them should be the same as those adopted in relation to other aspects of the audit. Where the technical papers differ materially from the other working papers, for instance where they consist of computer output or magnetic media, it may be convenient to keep these separate from the other working papers.
14 Where a CAAT is used, it is appropriate that the working papers indicate the work performed by the CAAT, the results of the CAAT, the auditor's conclusions and the manner in which any technical problems were resolved; they may also include any recommendations about the modification of the CAAT for future audits.
Accounting Systems
15 Paragraph 3 of 'The auditor's operational standard' states that "the auditor should ascertain the enterprise's system of recording and processing transactions and assess its adequacy as a basis for the preparation of financial statements". The principles relating to this are the same in a computer environment, but it should be borne in mind that many computer-based accounting systems are specified in far greater detail than non-computer based accounting systems. In assessing the adequacy of the accounting system as a basis for the preparation of financial statements, the auditor is likely to receive a more detailed record of the enterprise's system than would otherwise be the case.
Audit Evidence
16 Paragraph 4 of 'The auditor's operational standard' states that "the auditor should obtain relevant and reliable audit evidence sufficient to enable him to draw reasonable conclusions therefrom". The principles relating to the obtaining of audit evidence do not change because the audit is being carried out in a computer environment.
17 However, the availability of computer facilities results in opportunities for auditors to use computers. CAATs may be used at various stages of an audit to obtain audit evidence. For instance, where the auditor chooses to place reliance on internal controls, he may use a CAAT to assist in the performance of compliance tests. Furthermore, he may also use CAATs to perform substantive tests, including analytical review procedures.
Internal Control
18 Paragraph 5 of 'The auditor's operational standard' states that "if the auditor wishes to place reliance on any internal controls, he should ascertain and evaluate those controls and perform compliance tests on their operation". The principles relating to internal controls are the same in a computer environment as in any other environment, but there are additional considerations which are discussed in paragraphs 19 to 24 below.
19 Internal controls over computer-based accounting systems may conveniently be considered under the following two main headings:-
(a) Application controls. These relate to the transactions and standing data appertaining to each computer-based accounting system and are therefore specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the accounting records and the validity of the entries made therein resulting from both manual and programmed processing.
(b) General controls. Controls, other than application controls, which relate to the environment within which computer-based accounting systems are developed, maintained and operated, and which are therefore applicable to all the applications. The objectives of general controls are to ensure the proper development and implementation of applications, and the integrity of program and data files, and of computer operations. Like application controls, general controls may be either manual or programmed.
20 Application controls and general controls are inter-related. Strong general controls contribute to the assurance which may be obtained by an auditor in relation to application controls. On the other hand, unsatisfactory general controls may undermine strong application controls or exacerbate unsatisfactory application controls.
21 As with controls in other circumstances, the evaluation of application controls and general controls will be assisted by the use of documentation designed to help identify the controls on which the auditor may wish to place reliance. Such documentation can take a variety of forms but might consist of questions asking whether there are controls in a system which meet specified overall control objectives, or which prevent or detect the occurrence of specified errors or omissions. For application controls, an integrated set of internal control questions may be used covering controls over both the manual part and the programmed part of the application, and the impact of relevant general controls.
22 Where preliminary evaluation of the application controls and general controls discloses the absence of, or uncompensated weaknesses in, controls, and therefore the auditor cannot rely on the controls, he should move directly to substantive tests which may be assisted by the use of CAATs.
23 However, where preliminary evaluation reveals application controls or general controls which may meet the auditor's objectives, he should design and carry out compliance tests if he wishes to rely on those controls. In determining whether he wishes to place reliance on application controls or general controls, the auditor will be influenced by the cost effectiveness and ease of testing and by the following matters:-
(a) Where application controls are entirely manual the auditor may decide to perform compliance tests in respect of the application controls only, rather than to place any reliance on general controls. However, before he can place reliance on application controls which involve computer programs, the auditor needs to obtain reasonable assurance that the programs have operated properly, by evaluating and testing the effect of relevant general controls or by other tests on specific parts of the programs.
(b) Sometimes a programmed accounting procedure may not be subject to effective application controls. In such circumstances, in order to put himself in a position to limit the extent of his substantive testing, the auditor may choose to perform his compliance tests by testing the relevant general controls either manually or by using CAATs, to gain assurance of the continued and proper operation of the programmed accounting procedure. Where as a result of his compliance tests the auditor decides he cannot place reliance on the controls, he should move directly to substantive tests.
(c) As indicated in paragraph 1, there is in a computer environment the possibility of systematic errors. This may take place because of program faults or hardware malfunction in computer operations. However, many such potential recurrent errors should be prevented or detected by general controls over the development and implementation of applications, the integrity of the program and data files, and of computer operations. As a result, the controls which the auditor may evaluate and test may include general controls.
(d) On the other hand, the extent to which the auditor can rely on general controls may be limited because many of these controls might not be evidenced, or because they could have been performed inconsistently. In such circumstances, which are particularly common where small computers are involved, if he wishes to limit his substantive tests, the auditor may obtain assurance from compliance tests on manual application controls or by tests on specific parts of the programs.
24 In performing compliance tests on application or general controls, the auditor should obtain evidence which is relevant to the control being tested. Procedures the auditor may consider include observing the control in operation, examining documentary evidence of its operation, or performing it again himself. In the case of programmed application controls, the auditor may test specific parts of the programs, or re-perform them, by taking advantage of CAATs. He may also obtain evidence by testing relevant general controls.
Review of Financial Statements
25 Paragraph 6 of 'The auditor's operational standard' states "the auditor should carry out such a review of the financial statements as is sufficient, in conjunction with the conclusions drawn from the other audit evidence obtained, to give him a reasonable basis for his opinion on the financial statements". CAATs (particularly audit software) may be of assistance to auditors in carrying out certain aspects of this work.
Third Party Service Organisations
26 Where enterprises use a third party service organisation such as a computer service bureau or a software house for the purpose of maintaining part or all of their accounting records and procedures, the auditor still has a responsibility to follow the 'auditor's operational standard'. However, the auditor may encounter practical obstacles, as the enterprise may be placing some reliance on the proper operation of internal controls exercised by the third party. Consequently, where the auditor finds it impracticable to obtain all the information and explanations that he requires from the enterprise itself (because the enterprise may not be maintaining sufficient controls to minimize that reliance) he should perform other procedures. These may include taking the steps he considers necessary to enable him to rely on the work performed by other auditors or carrying out procedures at the premises of the third party.