SECTION 8 Auditing Complex EDP Systems

Auditing Complex EDP Systems
• Computer used extensively
  – simple batch processing
  – complex on-line, real-time processing
• Computers affect two aspects of audit risk
  – assessing control risk
  – managing detection risk

Around vs. Through the Computer
• Around
  – manually calculate INPUT and trace to OUTPUT
• Through
  – test the controls in the computer

Impact of Computer Controls
• Change in the Audit Trail
  – less documentation offset by programmed controls
  – file storage reduces need for hard copy
  – testing shifts to examination of EDP controls

• Combination of Functions
  – computer processing allows combining functions that are usually separate in manual systems
  – e.g. input editing of a sales transaction
    » customer number
    » credit limit
    » inventory number and price

Types of EDP Accounting Systems
• Batch Processing
  – accumulated and processed in groups
  – what is the main form of control?
  – the main problem?

Batch Processing System
[Flowchart; labels: Batch Total; Input; Convert to machine readable form; T/A Tape; Old Master; Compare; New Master; Process Transactions; Output]

• Real-Time Processing
  – transactions are edited on-line as they occur
  – continuous file updating
  – more complex than batch
  – how does this method affect the audit trail?

Batch Processing System
[Diagram; labels: Input Update Terminal; Master File 1; Master File 2; Master File 3]

Time Sharing and Service Bureaus
• Time sharing
  – an entity processes data for itself and other entities
    » i.e. shares its computer
• Service bureau
  – processes transactions for other entities
    » i.e. this is their business

Separate Files vs. Integrated Data Base
• File System
  – main characteristic?
• Data Base
  – main characteristic?

Hardware Configurations
• Electronic Data Interchange (EDI)
  – on-line format
  – computer-to-computer exchange
  – public standard format
    » Accredited Standards Committee of the American National Standards Institute
      ➢ ANSI X12

Two methods for EDI
1. The Direct Approach
   [Diagram; labels: Manufacturer's Computer; Supplier's Computer]
2. The Indirect Approach
   [Diagram; labels: Company Computer; Third Party Network; Customer 1; Customer 2; Customer 3]

• Small Computer Systems
  – small firms
  – low cost and advanced hardware
• Distributed Data Processing
  – companies with branches and divisions
  – geographic dispersion

A Distributed System
[Diagram; labels: Head Office Mainframe; Branch 1 Computer; Branch 2 Computer; Branch 3 Computer; Branch 4 Computer]
  – Types of computers at the branches?

Kinds of EDP Controls
• Two main classifications
  1. General controls
  2. Application controls

General Controls
a. Organization and Operating Controls
  – segregation of duties very important
  [Organization chart; labels: Chief Operating Officer; Director of MIS; EDP Manager; Computer Operators; Programmers; Systems Analysts; Input Preparation; Data Control; Data Librarian]

b. Systems Development & Documentation
  – control over definition, design, development, testing, and documentation of systems
  – once designed and developed, the system must be thoroughly tested
  – systems and programs must be documented
    1.
    2.
    3.

c. Access Controls
  – prevents unauthorized use
  – batch systems
    » who controls access in this case?
  – on-line systems
    » primary control for access?

d. Data and Procedural Controls
  – to control daily operations
  – backup files on and off the premises
  – environmental controls

Application Controls
  – a separate set of controls for each application
  – How are application controls classified?
a. Input Controls
  – computer edit controls
  – ensure completeness and accuracy of input

b. Process Controls
  – concerned with data manipulation once it is in the computer
  – what type of control can be used as a process control?
c. Output Controls
  – verification and distribution of output

Techniques for Testing EDP-Based Controls
• Best understood as a number of steps, as shown in the following flowchart
[Flowchart; labels: Understand EDP Controls; Test further (YES / NO); Document Understanding; Test Controls; Assess Control Risk; Design Substantive Tests]

Gaining an Understanding of EDP Controls
Two main ways:
  – observation and enquiry
  – studying the system and program documentation
1. Observation and Enquiry
  – should look for the following:
    a. Segregation of functions
    b. Control of access to files and programs

    c. Approval of new systems and programs
    d. Existence of hardware and environmental controls
    e. The functioning of data and procedural controls
    f. Backup files

2. Systems and Program Documentation
  – Documentation is an integral part
  – Should include
    1.
    2.

The Testing of EDP Controls
  – Auditor should be able to identify those controls that are necessary for the effectiveness of the application
  – by testing these controls, which component of audit risk may be reduced?
  – Two ways to look at testing
    1.
    2.

1. Auditing Around the Computer
[Diagram; labels: Client Input; Client Output; CPU; Audit Comparison; Client Input; Auditor Predetermines Output; Predetermined Output]

2. Auditing Through the Computer
[Diagram; labels: Auditor Input; Output; CPU; Comparison; Auditor Input; Auditor Predetermines Results; Predetermined Results]

Techniques for Auditing Through the Computer
1. Test Data Approach
  – simulated data
  – of what should this data consist?
  – main problems of this approach
    1.
    2.
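
The test data approach applied to the sales input edit mentioned earlier (customer number, credit limit, inventory number and price), as an added example that is not part of the original slides. The master-file records, the `client_edit` routine standing in for the client's program, and the test deck are all constructed for illustration.

```python
# Added example: auditing through the computer with a test deck.
# Master files, program and transactions are constructed, not client data.
CUSTOMERS = {"C100": {"credit_limit": 5000.00, "balance": 4200.00}}
INVENTORY = {"P-77": {"price": 25.00}}

def client_edit(txn):
    """Hypothetical stand-in for the client's input-edit program.
    It has no reasonableness test on quantity, so the deck can expose it."""
    cust = CUSTOMERS.get(txn["customer"])
    if cust is None:
        return "REJECT: customer number"
    item = INVENTORY.get(txn["item"])
    if item is None:
        return "REJECT: inventory number"
    if txn["price"] != item["price"]:
        return "REJECT: price"
    if cust["balance"] + txn["qty"] * txn["price"] > cust["credit_limit"]:
        return "REJECT: credit limit"
    return "ACCEPT"

def txn(customer="C100", item="P-77", qty=1, price=25.00):
    """Build one simulated sales transaction."""
    return {"customer": customer, "item": item, "qty": qty, "price": price}

# Each simulated transaction is paired with the result the auditor
# predetermined from the documented controls before processing it.
TEST_DECK = [
    (txn(qty=10), "ACCEPT"),
    (txn(customer="C999"), "REJECT: customer number"),
    (txn(item="P-00"), "REJECT: inventory number"),
    (txn(price=2.50), "REJECT: price"),
    (txn(qty=40), "REJECT: credit limit"),  # 4200 + 1000 exceeds 5000
    (txn(qty=32), "ACCEPT"),                # lands exactly on the limit
    (txn(qty=-5), "REJECT: quantity"),      # reasonableness test expected
]

def run_test_deck(program, deck):
    """Process the deck and return (index, predetermined, actual) for every
    transaction where the program's result differs from the predetermined one."""
    exceptions = []
    for i, (t, expected) in enumerate(deck):
        actual = program(t)
        if actual != expected:
            exceptions.append((i, expected, actual))
    return exceptions

if __name__ == "__main__":
    for idx, expected, actual in run_test_deck(client_edit, TEST_DECK):
        print(f"txn {idx}: predetermined {expected!r}, program gave {actual!r}")
```

The single exception reported is the negative-quantity transaction, which the stand-in program accepts because it lacks a limit or reasonableness test.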

2. Mini Company Approach
  – also called the Integrated Test Facility
  – a fictitious entity is created
  – fictitious transactions are processed along with regular transactions
  – any problems with this approach?

3. Simulation / Auditor's Program Approach
  – Auditor creates an application program that simulates the system
  – uses client data as input
  – potential uses of this approach
    » sampling
    » computations
    » comparing
    » summarizing

4. Generalized Audit Software
  – most common type of audit software
  – transportable from one client to another
  – independent
  – limited by the availability of the client's data files

Small Computer Systems
• Widespread
• Weaknesses in General Controls
  1. Lack of segregation of duties
  2. Location of the computer

  3. Limited Knowledge of EDP
• Special Consideration for Application Controls
  1. Data Entry
  2. Data processing
  3. Absence of Limit and Reasonableness Tests

• Study and Evaluation of Internal Control
  – The effect of computer size on the auditor
  – General controls are often weak
  – More reliance on application controls
  – If application controls and any manual controls are not reliable, what should the auditor do with regard to testing?