Internal Controls in a Computerized Information System-Questions and Answers

by

Internal Controls in a Computerized Information System

COMPUTERIZED INFORMATION SYSTEMS Notes

QUIZ

  1. list the different types of application Controls.
  2. What are computer audit programs?
  3. processing controls.
    1. output controls
    1. input controls
    1. Controls over master files and standing data.

These consist of computer programs used by an auditor to read magnetic files and to extract specified information from the files.

QUESTION ONE

A medium size firm which has been your client for several years has changed from manual accounting system to a computerized one. State and explain the factors which you will take into account when planning the first audit under the new system.

QUESTION TWO

Computer security is of vital importance not only to the accountant in industry but also to the accountant in practice who may be advising his client as to suitable security controls or who may be auditing a computer system. Security is the means by which losses are controlled and therefore involves the identification of risks and the institution of measures to either prevent such risks entirely or to reduce their impact.

  1. State four areas of risk which may arise in relation to a computer system and in each case explain one factor which could lead to the system being exposed to such risk.
  2. Describe the different forms of control which should be instituted to safeguard against computer security risks.

QUESTION THREE

  • Computer-assisted audit Techniques (CaaTs) are used to assist an auditor in the collection of audit evidence from computerized systems.

Required:

List and briefly explain four advantages of CAATs.

  • Nagaya a limited liability company is a reseller of sports equipment, specializing in racquet sports such as tennis, squash and badminton. The company purchases equipment from a variety of different suppliers and then resells this using the internet as the only selling media. The company has over 150 different types of racquets available in inventory, each identified via a unique product code.

 Customers place their orders directly on the internet site. most orders are for one or two racquets only. The ordering/sales software automatically verifies the order details, customer address and credit card information prior to orders being verified and goods being dispatched. The integrity of the ordering system is checked regularly by archer Web, an independent internet service company.

 You are the audit manager working for the external auditors of Nagaya, and you have just started planning the audit of the sales system of the company. You have decided to use test data to check the input of details into the sales system. This will involve entering dummy orders into the Nagaya’s system from an online terminal.

Required:

List the test data you will use in your audit of the financial statements of Nagaya to confirm the completeness and accuracy of input into the sales system, clearly explaining the reason for each item of data.

(c) You are also considering using audit software as part of your substantive testing of the data files in the sales and inventory systems of Nagaya.

                List and briefly explain some of the difficulties of using audit software.

QUESTION FOUR

Walsh Co sells motor vehicle fuel, accessories and spares to retail customers. The company owns 25 shops. The company has recently implemented a new computerized wages system. Employees work a standard eight hour day. Hours are recorded using a magnetic card system; when each employee arrives for work, they hold their card close to the card reader; the reader recognizes the magnetic information on the card identifying the employee as being ‘at work’. When the employee leaves work at the end of the day the process is reversed showing that the employee has left work.

hours worked are calculated each week by the computer system using the magnetic card information. overtime is calculated as any excess over the standard hours worked. any overtime over 10% of standard hours is sent on a computer generated report by e-mail to the financial accountant. if necessary, the accountant overrides overtime payments if the hours worked are incorrect.

Statutory deductions and net pay are also computer calculated with payments being made directly into the employee’s bank account. The only other manual check is the financial accountant authorizing the net pay from Walsh’s bank account, having reviewed the list of wages to be paid.

Required:

  1. Using examples from Walsh Co, explain the benefits of using Computer-Assisted Audit Techniques to help the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion.
  2. list SiX examples of audit tests on Walsh Co’s wages system using audit software.
  3. Explain how using test data should help in the audit of Walsh Co’s wages system, noting any problems with this audit technique.

SUGGESTED ANSWERS

QUESTION ONE

When planning the audit in a computerized environment the following factors should be considered:

  • Auditors need to be involved in computerized systems at a planning, development and implementation stages. Knowledge of the systems gained at these stages will enable the auditor to plan the audit with an understanding of the system.
  • Timing is more important in computerized environments than in manual environment because of the need of the auditor to be present when data and the files are available, more frequent visits to the client are usually required.
  • Recording methods may be different. Recent developments including the use of portable micro computers to make audit working papers in diskettes and not in paper or coupling a client’s mainframe computer to a micro computer in the auditor’s office enabling auditors to download data files onto their own personal computers.
  • The allocation of suitably skilled staff to the audit. Thus audit firms now use the computer audit department on some parts of the audit and allowing general audit staff to have some computer experience.
  • The extent to which computer assisted audit techniques can be used. These techniques often require considerable planning in advance.

QUESTION TWO

  1. Four areas of risk concerning a computer system are as follows.
    1. Hardware. The computer hardware may be stolen or damaged, especially the modern ‘desk-top’ type peripherals. a system which does not incorporate physical controls will be subject to such risk.
    1. Unauthorized access. if terminals are not secure it might be possible for unauthorized users to obtain or corrupt information held on file.
    1. System breakdown. if the system does not incorporate retrieval procedures there might be a loss of data if the system breaks down for any reason such as power failure.
    1. Corrupt files. If stringent checks are not carried out on data, input files may be corrupted, with the consequent fall in the quality of output
  2. Forms of control which may be instituted to safeguard against these risks are as follows.
    1. Physical controls. All hardware and files should be kept in secure locations with access only available to authorized personnel. The use of special rooms, storage cupboards and strict control over keys will assist in establishing secure locations. To protect the hardware and files from damage they should be located away from possible hazards such as fire and flood which might arise near a canteen or washroom facilities. The installation of smoke/heat alarms and other detectors of environmental hazards should also be carried out.
    1. access controls. This will be partly helped by physical controls such as locked EDp rooms. in addition to this, terminal keys should be issued to authorized personnel. These ensure that the terminal will only become live for a valid user. The use of unique passwords will further improve control because, in the event of a key being stolen, the system will still be inaccessible without a valid password

QUESTION THREE

(a) The advantages of Computer-assisted audit Techniques (CaaTs) are that they:

  • Enable the auditor to test program controls – if CaaTs were not used then those controls would not be testable.
  • Enable the auditor to test a greater number of items quickly and accurately. This will also increase the overall confidence for the audit opinion.
  • Allow the auditor to test the actual accounting system and records rather than printouts which are only a copy of those records and could be incorrect.
  • Are cost effective after they have been setup as long as the company does not change its systems.
(b) Test Datareason for test
input of an order for a negative number of tennis racquetsEnsures that only positive quantities are accepted although the company cannot dispatch negative quantities anyway
input of an order for ten tennis racquetsThere are reasonableness checks in the system to identify possible input errors. a warning message should appear on screen asking the customer to confirm any order for more than say two racquets
input of an order without payment detailsinput of invalid inventory code  Ensures that the computer detects the invalid code and presents an error message rather than taking the nearest code and accepting that
input of invalid customer credit card detailsonline checking of credit card details to the credit card company ensures that goods cannot be dispatched without payment. This will also limit the number of bad debts.
input of invalid addressesEnsures that the address and valid zip code is valid, possibly by accessing a database of valid codes. if the code is not valid an error message should be displayed. This ensures that goods are only dispatched to valid addresses
  • Allow the results from using CaaTs to be compared with ‘traditional’ testing – if the two sources of evidence agree then this will increase overall audit confidence.

(c) audit software

Difficulties of using audit software

  • Substantial setup costs because the client’s procedures and files must be understood in detail before the audit software can be used to access and interrogate those files.
  • Audit software may not be available for the specific systems setup by the client, especially if those systems are bespoke. The cost of writing audit software to test those systems may be difficult to justify against the possible benefits on the audit.
  • The software may produce too much output either due to poor design of the software or using inappropriate parameters on a test. The auditor may waste considerable time checking what appear to be transactions with errors in them when the fault is actually in the audit software.
  • Checking the client’s files in a live situation. There is the danger that the client’s systems are disrupted by the audit program. The data files can be used offline, but this will mean ensuring that the files are true copies of the live files.

QUESTION FOUR

(a) Use of Computer-assisted audit Techniques (CaaTs)

            Testing programmed controls

 Reliance on CAATs will force the auditor to rely on programmed controls during an audit; in fact using CaaTs may be the only way to test controls within a computer system. Use of the CaaT enables the auditor to meet the auditing standard requirement of obtaining appropriate audit evidence. For example, in Walsh Co, an overtime report is generated by the computer, although this can also be overridden by the accountant. Test data can be used to check that the overtime report is being created correctly and audit software can monitor that only the accountant’s password can be used to override the overtime payment.

            Test larger number of items

 Using CaaTs enables the auditor to test a larger number of items quickly and accurately, meeting the auditing standard requirement of obtaining sufficient audit evidence.

 Using audit software, the auditor can check the deduction and net pay calculations of a significant proportion of wages calculations – or all of them if necessary. Checking each calculation manually would take a long time.

                Test actual accounting records

 Using CaaTs enables the auditor to test the actual accounting records (the electronic version) rather then relying on printouts or other copies of the data. it is always appropriate for the auditor to test original documentation where possible. in the case of Walsh, the actual wages will be tested rather than any paper copies.

            Cost

 After initial set-up costs, using CAATs is likely to be cost effective; the same audit software programs can be run each year as long as the client does not change the accounting systems.

 in Walsh Co, the system has just been implemented. Hopefully the wages system will be used for a number of years, making the use of CAATs cost-effective for the audit firm.

  • Examples of the use of audit software
    • Calculation checks: For example, re-calculation of net pay for a number of employees to ensure the mathematical calculation is correct.
    • Reviewing the list of employees paid each week/month and printing a list of employees, who have not be been paid, for further investigation.
    • Detecting unreasonable items: reviewing the list of net wages for large or negative payments.
    • Detecting violation of system rules: For example, where other people besides the accountant have been overriding overtime payments or employees amending their own gross wages.
    • Conducting new analysis as part of the analytical review of wages. For example, calculating total wages for the year from the number of employees and average wages paid.
    • Completeness checks – ensuring there is an electronic record of all employees who ‘clocked in’ for a day’s work and ‘clocked out’ again.
  • Audit test data consists of data submitted by the auditor for processing on the client’s computer-based accounting systems.

          The data can be processed during a normal processing run (a ‘live’ testing situation) or in a special run outside of the normal processing cycle (a ‘dead’ testing situation).

 In Walsh, the auditor can create a ‘dummy employee’ record on the wages master file, and then use a magnetic card to mimic that employee working a certain number of hours in the company over the course of, for example, one week.

 Knowing how many hours has been input into the wages system; the auditor can calculate the expected net pay and then compare this to the actual net pay produced by the computer system.

 if the amounts agree then this provides appropriate audit evidence of the accuracy of recording and processing of the wages software.

                The problems of using this audit technique include:

  • The possibility that the client’s computer system will be damaged by the testing being undertaken by the auditor. For example, by errors being caused by entering data that the client’s software cannot process.
  • The need to reverse or remove any transactions input by the auditor. The transactions may be incorrectly or incompletely removed leaving dummy data in the client’s live computer system.
  • Use of test data can be expensive – the auditor needs to ensure that the benefit gained from the test outweighs the expense. in this situation, it will take a long time to input employee details and there may be more efficient audit tests available.

AUDITORS’ REPORT (iSA 700)-Questions and Answers

AUDITORS’ REPORT (iSA 700) NOTES

THE AUDITOR AND THE COMPANIES ACT-Questions and Answers