Audit Recording (ISA 230-Documentation)
AUDIT QUALITY CONTROL
INTRODUCTION
In the business environment today, there has been an irreversible push for companies to automate their systems and their way of doing business so as to be competitive. The push for companies to embrace the new technological changes has come with new challenges for the audit environment. Unlike before, when most systems were manual and the procedures carried out by auditors were tailor-made for them, most company systems today are automated. This means that the auditor has to devise new means of carrying out an audit in a computerized environment. He also needs to understand how the controls work in such a system. In the chapter below, all this is covered so that the student can understand and appreciate the challenges and the gains in auditing in a computerized environment.
A computer system requires procedures to:
- Convert data to machine readable form.
- Input data into the computer.
- Process data.
- Store data in machine readable form.
- Convert data into desired output form.
For these procedures to be undertaken, a mixture of hardware and software is needed. The hardware will consist of:
- Input devices. These include keyboards, optical readers, and bar code scanners.
- Processing devices. These are the computers themselves, i.e. the CPU.
- Storage devices. These include hard disks, diskettes and magnetic tapes.
- Output devices. These include the visual display unit (VDU) and printers.
Content of the computer software
What are Computer Programs?
These are the instructions telling the computer how each type of transaction is to be processed. These instructions include routines for checking and controlling data, matching data with master files and performing mathematical operations on data. E.g. for sales transactions, matching routines will enable the computer to identify the right sales price from the sales master file and the right customer from the debtors master file. Mathematical routines will include calculating the total debtors amount and updating the customer's balance in the debtors master file.
Define Operating system
This is a series of related programs that provide instructions as to what files are required to be on-line, what output devices are required to be ready and what additional files need to be created for further processing. E.g. with a batch of sales transactions, the sales price file and debtors file need to be on-line. The printer must be loaded with blank invoice forms and the totals must be retained for posting to the sales and debtors control accounts in the general ledger master file.
An operating system will provide details of further processing runs within the system. So, for example, in sales these will include updating the general ledger, processing cash receipts and credit notes to the debtors file, printing out monthly statements and printing out analysis of due accounts for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided to the operator, but increasingly the operating system is part of the computer software, such that with a real time system the computer identifies the source of an incoming signal and automatically processes that transaction using the appropriate programs and the right file.
Define Computer files.
These are the equivalent of books and records in a manual system and are described as either transaction files or master files.
Types of Computer Files
- Transaction files.
These are the equivalent of journals such as the sales journal, the purchases journal or the cash book. They contain details of individual transactions, but unlike books, a transaction file is not a cumulative record. A separate file is set up for each batch. Thus in real time systems a transaction file is not necessary, but good systems will always create a transaction file for control purposes, to provide a security back up in case of errors or computer malfunctions while processing data to the master file.
- Master files.
These contain what is referred to as standing data. They may be the equivalent of ledgers but may also contain semi-permanent data needed to process transactions. E.g. a debtors master file is the equivalent of the debtors ledger but will also include data that in a manual system may be kept separately, such as invoicing address, discount terms and credit limits, and even non-accounting data such as cumulative sales to specific customers.
When master files are updated by processing them against a transaction file, the entire contents of the file are usually re-written in a separate location so that after processing, the two files can be compared and the difference agreed to the total of the transaction file. Any errors in updating the master file will thus be detected and the process repeated. In practice, the old copy of the master file and transaction file will be retained until the master file is updated again. This is the grandfather-father-son approach. If the current master file is corrupted or lost due to machine or operator error, previous versions provide back up from which the master file can be re-created. Master files holding semi permanent data would in the case of debtor’s system include current sales price list and in the case of personnel department, a personnel file giving details of wage rates, authorized deductions and cumulative record of amounts paid to date for purpose of providing tax certificates.
A special class of transactions includes those of amending standing data held in master files such as sales price or wage rate. These transactions require special consideration because an error in such data held in a master file will cause errors in all transactions processed against the master file. E.g. an item priced erroneously in sales price list will mean all sales will be charged to customers at the wrong price.
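The master file update control described above, written out as an added example (not part of the original notes). The account codes, amounts and function names are constructed for illustration; the per-account comparison goes one step beyond the total-level check in the text, because a posting to the wrong account leaves the overall total in agreement.

```python
from decimal import Decimal

def post_batch(master, batch):
    """Write a new copy of the master file; the old copy is left untouched."""
    new = dict(master)
    for account, amount in batch:
        new[account] = new.get(account, Decimal(0)) + amount
    return new

def agree_update(old, new, batch):
    """Compare old and new master files and agree the difference to the batch total."""
    batch_total = sum((amount for _, amount in batch), Decimal(0))
    difference = sum(new.values(), Decimal(0)) - sum(old.values(), Decimal(0))
    # Added beyond the total-level check in the text: per-account differences,
    # which catch a posting to the wrong account that leaves the total intact.
    expected = post_batch(old, batch)
    wrong = sorted(a for a in expected.keys() | new.keys()
                   if expected.get(a) != new.get(a))
    return {"total_agrees": difference == batch_total, "wrong_accounts": wrong}

def update_with_generations(generations, batch, writer=post_batch):
    """Keep grandfather, father and son; repeat the run if the update does not agree."""
    father = generations[-1]
    son = writer(father, batch)
    first_check = agree_update(father, son, batch)
    if not first_check["total_agrees"] or first_check["wrong_accounts"]:
        son = post_batch(father, batch)  # re-run from the retained father copy
    return (generations + [son])[-3:], first_check

# Constructed sample data: a debtors master file and one batch of sales invoices.
DEBTORS = {"C001": Decimal("1200.00"), "C002": Decimal("450.50")}
SALES_BATCH = [("C001", Decimal("300.00")), ("C002", Decimal("99.50"))]

def faulty_writer(master, batch):
    """Constructed fault: the last transaction of the batch is dropped."""
    return post_batch(master, batch[:-1])

def misposting_writer(master, batch):
    """Constructed fault: every amount is posted to account C001."""
    return post_batch(master, [("C001", amount) for _, amount in batch])
```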
The audit approach in computerized information systems
The actual approach adopted by the auditor will depend on:
- The auditor’s experience with the client.
- The control environment.
- The complexity of the computerized information system.
- The risk profile of the client.
- The risk of misstatements in the financial statements.
The approach taken by the auditor when examining computerized records takes either of two main forms:
- Auditing round the computer.
- Auditing through the computer.
- Auditing round the computer.
This means examining evidence for all items in the financial statements without getting immersed in the details of the computerized information system. The benefits of this approach are that it saves time and its justification is that computers are 100% accurate in processing transactions and therefore material processing errors simply do not occur.
The drawback of this approach is that once an application is programmed to process an item incorrectly, it processes exactly as programmed indefinitely. However, major frauds, errors or system failures should be picked up in the assets and liabilities verification, e.g. if processing of sales is incorrect, verification of debtors can uncover the error. Also, an analysis of gross profit margins will help discover any errors in sales. This approach is suitable for small businesses but largely unsuitable for large scale entities.
Techniques of Auditing through the computer.
There are two basic techniques available to the auditor for auditing through the computer. These are the use of test data and the use of computer audit programs, which are also called CAATs (computer assisted audit techniques).
i) Test data
These are designed to test the performance of the client's programs. The auditor takes either dummy data or live data and manually works out the expected result using the logic of the program. The data is then run on the computer using the program and the results are compared. A satisfactory outcome gives the auditor a degree of assurance that if that program is used continuously throughout the year, then it will perform as required. This technique of test data falls under compliance testing.
Live data testing has the following disadvantages:
- If the data is included with normal data, separate test data totals cannot be obtained. This can sometimes be resolved by use of dummy branches or separate codes to report the program's effects on the test data.
- Side effects can occur. It has been known for an auditor's dummy product to be included in a catalogue.
- Client's files and totals are corrupted, although this may be immaterial.
- If the auditor is testing procedures such as debt follow up, then the testing has to be over a fairly long time. This can be difficult to organize.
Dummy testing has the following disadvantages:
- Difficulties will be encountered in simulating the whole system or part of it.
- A more detailed knowledge of the system is required than with use of live files.
- There is often uncertainty as to whether operational programs are really being used for the test.
- The time span problem is still difficult but more capable of resolution than live testing.
ii) Computer programs or audit software
These consist of computer programs used by the auditor to read magnetic files and to extract specified information from the files. They are also used to carry out audit work on the contents of the files. These programs are sometimes called enquiry or interrogation programs. They can be written by an audit firm or they can be bought from software houses. They have the advantage that they can be used to train unskilled staff.
Real time and on-line systems
Traditional batch processing has the advantage that the data can be subjected to checks for validity, accuracy and completeness before it is processed. But for organizations that need information on a strict time scale, this type of processing is unacceptable. This has led to the development of on-line and real time systems, and the number is growing, particularly in airline offices, banks and other financial institutions. The auditor's duties do not change but his audit techniques must change.
The key features of these systems are that they are based on the use of a remote terminal, which is just a VDU and a keyboard. These terminals will be scattered within the user department and have access to the central computer store. The problem for the auditor arises from the fact that master files held in the central computer store may be read and updated by the remote terminals without an adequate audit trail. Necessary precautions therefore have to be taken to ensure that these terminals are used in a controlled way by authorized personnel only. The security techniques include:
- Hardware constraints, e.g. necessitating the use of a key, magnetic strip badge or card to engage a terminal, or placing the terminal in a location to which access is carefully restricted and which is constantly monitored by closed circuit television surveillance systems.
- The allocation of identification numbers to authorized terminal operators. With or without the use of passwords, these are checked by the mainframe computer against stored records of authorized numbers or passwords.
- Using operator characteristics such as voice, fingerprints and hand geometry (finger length ratios) as a means of identification by the mainframe computer.
- Restricting the access to particular programs or master files in the mainframe computer to designated terminals.
- In top security systems, the authority to allocate authorities, such as determination of passwords and nominating selected terminals, should be restricted to senior personnel other than intended users.
- A special file may be maintained in the central processor which records every occasion on which access is made by particular terminals and operators to the central programs and files. This log will be printed out on a regular basis or on request by personnel with appropriate authority.
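A review of the access log described in the last item, checked against the stored records of authorized operators and the terminals designated for each master file, as an added example (not part of the original notes). The log format, operator numbers, terminal names and file names are all constructed assumptions.

```python
# Constructed authorisation records (assumptions for illustration only).
AUTHORISED_OPERATORS = {"1042", "1077"}
DESIGNATED_TERMINALS = {"DEBTORS_MASTER": {"T01", "T02"}, "PRICE_LIST": {"T01"}}

# Constructed log in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-04T09:12:07 terminal=T01 operator=1042 file=DEBTORS_MASTER action=UPDATE
2024-03-04T09:15:41 terminal=T03 operator=1077 file=DEBTORS_MASTER action=READ
2024-03-04T21:48:02 terminal=T01 operator=2290 file=PRICE_LIST action=UPDATE
2024-03-04T21:49:10 terminal=T02 operator=1042 file=PRICE_LIST
"""

REQUIRED = {"terminal", "operator", "file", "action"}

def parse_entry(line):
    """Split one log line into its fields; raise ValueError if it is incomplete."""
    timestamp, *fields = line.split()
    entry = dict(field.split("=", 1) for field in fields)
    missing = REQUIRED - entry.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    entry["timestamp"] = timestamp
    return entry

def review_access_log(text):
    """Return (line number, reason) for every entry the reviewer should follow up."""
    exceptions = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = parse_entry(line)
        except ValueError:
            # An incomplete record is itself a gap in the audit trail.
            exceptions.append((number, "unreadable entry"))
            continue
        if entry["operator"] not in AUTHORISED_OPERATORS:
            exceptions.append((number, "operator not authorised"))
        if entry["terminal"] not in DESIGNATED_TERMINALS.get(entry["file"], set()):
            exceptions.append((number, "terminal not designated for file"))
    return exceptions
```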
What differentiates an on-line system from a real time system is that the on-line system has a buffer store where input data is held by the central processor before accessing the master files. This enables input from the remote terminals to be checked by a special scanning program before processing commences.
With real time systems, however, action at the terminal causes an immediate response in the central processor where the terminal is on-line. Security against unauthorized access and input is even more important in real time systems because the effect of the input is that it instantaneously updates the file held in the central processor, and any edit checks on the input are likely to be under the control of the terminal operators themselves. In view of these control problems, most real time systems incorporate additional controls over the scrutiny of the master file.
In planning the audit, the auditor should consider how the presence of computerized information systems may affect the client's accounting and internal control system and the conduct of the audit. This is because computerized information systems have unique features compared to manual systems and require adequate inbuilt controls to ensure that the accounting system can be relied upon for complete and accurate accounting records. These features include:
- Consistency. Unlike manual systems, computerized information systems will process transactions consistently. This implies that if the system is properly programmed, then all transactions will be processed consistently and accurately. On the other hand, if there are any programming errors, the transactions will be consistently processed inaccurately.
- Concentration of functions and controls. In a computerized information system, few people are involved in processing of financial information. This may compromise segregation of duties, such that persons involved in writing of programs may also be involved in processing transactions. This increases the risk of manipulation of operating programs and data. Programs and data are held together, increasing the potential for unauthorized access and alteration.
- Computerized information systems are designed to limit paperwork. This results in less visible evidence to support transactions processed, which ultimately leads to loss of the audit trail.
- Ease of access of data and computer programs. Where there are no proper controls over access to computers at remote terminals, there is increased danger of unauthorized access and alteration of data and programs.
- Use of programmed controls. In a computerized environment, controls are programmed together with data processing instructions, e.g. protection of data against unauthorized access may be by way of using passwords and user profiles that grant different levels of access to the system. Use of programmed controls implies that the auditor must adopt an audit approach to test the effectiveness of those controls.
- System generated transactions. Many systems are capable of generating transactions automatically without manual intervention, e.g. calculation of interest from customers' accounts may be done and charged to income automatically. If the system set up is interfered with, this could affect the accuracy and integrity of transactions generated.
- Data and programs are stored in portable magnetic disks and tapes which are vulnerable to theft and intentional or accidental alteration.