AUDIT RELATED ASSURANCE SERVICES
DUE DILIGENCE
Due diligence is an investigation or audit of a potential investment or product to confirm all
facts, such as reviewing all financial records, plus anything else deemed material. It refers to the
care a reasonable person should take before entering into an agreement or a
financial transaction with another party. Due diligence can also refer to the investigation a seller
does of a buyer; items that may be considered are whether the buyer has adequate resources to
complete the purchase, as well as other elements that would affect the acquired entity or the
seller after the sale has been completed.
Conducting a due diligence audit lets you know in advance if a business is worth an investment
of your time and money. Reviewing the financial and corporate documents gives you a complete
picture of the company, and you can hire a professional business appraiser to help you with this
task. You have a set deadline to get out of the contract if your due diligence finds something
materially wrong with the business. Because the seller is providing you with private corporate
and financial information, be prepared to sign a nondisclosure or confidentiality agreement
before receiving the documents.
Obtain Financial Documents
The seller should provide you with audited financial statements and copies of bank statements
for the business checking, savings and investment accounts for the past three years. Ask for
copies of credit and loan agreements, notes payable and any liens that have been filed against the
company. You’ll also want copies of vendor and supplier contracts, the accounts receivable, an
accounts receivable aging spreadsheet and accounts written off as uncollectable. Get copies of all
income tax records for the past seven years to be sure there are no outstanding taxes or ongoing
IRS collection activities.
Visit the Business Location
What looks good on paper may not be so impressive when seen in person. Plan to make at least
one trip to inspect the business premises. Look at the overall condition of the building inside and
out. Bring along a list of the fixed assets and equipment, inventory and supplies, office furniture
and fixtures the business owns. Verify that what’s on the list is physically there, functioning and
in good condition. Be sure to get copies of current business licenses and operating permits.
Employees and Key Personnel
Employee wages and benefits are a substantial business expense. Along with monthly payroll
information, you’ll want to know about employer-sponsored retirement plans, health insurance
benefits and employee vacation and leave policies. Determine if there are any employee
agreements or contracts in force. The employee handbook should be current and in compliance
with federal and state employment laws. Verify the identity of key employees along with their
payment and benefit package. If key employees have left the company, ensure that they signed a
noncompete agreement or nondisclosure agreement.
Products, Services and Competitors
If sales or services are the lifeblood of the business, you’ll want to know how many products or
services the business provides along with how the selling price is determined. You need to know
how the products and services stack up against the competitors. Ask the seller how he sets his
products or services apart from his competitors to attract and retain customers. Compare the
financial ratios against industry norms to get an idea of how the business compares. If the
business is involved in an environmentally sensitive industry such as dry cleaning or gasoline
sales, be sure any regulatory concerns or issues are resolved.
AUDIT COMMITTEES
An audit committee is one of the major operating committees of a company's board of
directors that is in charge of overseeing financial reporting and disclosure.
The main objectives usually associated with audit committees include:
i. Increasing public confidence in the credibility and objectivity of published
financial information, including unaudited interim statements;
ii. Assisting directors (particularly non-executive directors) in meeting their
responsibilities in respect of financial reporting;
iii. Strengthening the independent position of a company’s external auditor by
providing an additional channel of communication.
a) The roles of an audit committee might include:
• To review the company's financial statements prior to their submission to the board;
• To review the scope and planning of the audit;
• To review the findings of the independent auditor;
• To ascertain whether the accounting and reporting policies of the company are in
accordance with legal requirements and best practice;
• To keep under review the effectiveness of the company's systems of accounting and control;
• To make recommendations to the board concerning the appointment and remuneration of
the independent auditors;
A particular role is to assist in the communication process between the board and the auditors
through the medium of the non-executive directors; it provides a useful way of assisting
the latter in the discharge of their duties.
b) The benefits may include:
• helping directors to meet their legal responsibilities. Very often main boards spend very
little time on reviewing the financial statements. An audit committee could spend the time
on completing this task in depth;
• enabling non-executive directors to become deeply involved in the company's affairs;
• the audit committee can review the financial statements objectively. This may improve the
quality of financial reporting and improve public confidence;
• The audit function may become more independent as there will be a quasi-independent
body between the board and the auditors. It may paradoxically improve communications
between auditor and board;
• Improvement in the quality of the accounting and auditing functions. A continuous review
of the functions of financial management and internal and external audit will inevitably
result in higher status to the practitioners and superior performance.
c) Some of the arguments against the formation of audit committees:
• Audit committees would split the board;
• Audit committees would pre-empt (and hence delay the coming of) two-tier boards (which
is the European practice);
• Audit committees would create conflicts within companies;
• Audit committees would encroach on management's responsibilities;
• Audit committees would be a talking shop with no real power;
• There are not enough non-executive directors;
• Audit committees would take too much time and cost too much;
• Audit committees would be least effective in companies which need them most (e.g.
companies dominated by ambitious and unscrupulous entrepreneurs).
• The production of financial statements may be delayed.
d) Detailed matters to be considered by the Chairman of a new audit committee:
• Ensuring the committee has the full backing of the board;
• The precise constitution and program of the committee;
• Adequate resources (secretarial support, communication, time etc. must be made available);
• The correct number of members. Three to five is probably optimal;
• Membership - probably but not essentially non-executive;
• His own role as chairman;
• The frequency of meetings;
• The establishment of agendas;
• The establishment of administrative arrangements (calling meetings, involving other
people such as auditors and managers, taking minutes);
• The dissemination of findings to the officers responsible for changes consequent upon the
findings;
• The relationships required with the main board, external audit, internal audit, financial
managers etc.
• Any publicity requirements.
CORPORATE GOVERNANCE
Corporate governance is the system by which organisations are directed and controlled. It
encompasses the relationship between the board of directors, shareholders and other
stakeholders, and the effects on corporate strategy and performance. Corporate governance is
important because it looks at how these decision makers act, how they can or should be
monitored, and how they can be held to account for their decisions and actions.
The published audited financial statements and related information are therefore of key
importance. They will usually be the main information set to which shareholders and other
stakeholders have access and this is why having credible financial statements supported by the
auditor’s opinion is crucial.
The main principles of the Corporate Governance Code
The Code comprises five sections, each containing main principles:
Leadership
Every company should be headed by an effective board which is collectively responsible for the
long-term success of the company, and should lead and control the company’s operations.
There should be a clear division of responsibilities at the head of the company, which will ensure
a balance of power and authority, such that no one individual has unfettered powers of decision.
Non-executive directors should constructively challenge and help develop proposals on strategy.
The board should include a balance of executive and non-executive directors such that no
individual or small group of individuals can dominate the board’s decision taking.
Effectiveness
The board and its committees should have the appropriate balance of skills, experience,
independence and knowledge of the company to enable them to discharge their respective duties
and responsibilities effectively.
There should be a formal, rigorous and transparent procedure for the appointment of new
directors to the board. All directors should receive induction on joining the board and should
regularly update and refresh their skills and knowledge.
All directors should be submitted for re-election at regular intervals, subject to continued
satisfactory performance.
Accountability
The board should present a balanced and understandable assessment of the company’s position
and prospects. For UK companies, this is also required by the Companies Act 2006, which
requires that the directors disclose a business review as part of the directors’ report to be
included in the financial statements.
The board should maintain sound risk management and internal control systems. The board
should establish formal and transparent arrangements for considering how they should apply the
corporate reporting and risk management and internal control principles and for maintaining an
appropriate relationship with the company’s auditor.
Remuneration
Levels of remuneration should be sufficient to attract, retain and motivate directors of the quality
required to run the company successfully, but a company should avoid paying more than is
necessary for this purpose. A significant proportion of executive directors’ remuneration should
be structured so as to link rewards to corporate and individual performance.
Relations with shareholders
There should be a dialogue with shareholders based on the mutual understanding of objectives.
The board as a whole has responsibility for ensuring that a satisfactory dialogue with
shareholders takes place. The board should use the Annual General Meeting to communicate
with investors and to encourage their participation.
The role of audit committees
The audit committee is such an important part of corporate governance that it is the subject of its
own guidance document in the UK, the Financial Reporting Council’s Guidance on Audit
Committees. The audit committee should be made up of at least three independent non-executive
directors, one of whom should have recent and relevant financial experience. The committee has
many roles, including several that are specifically related to the external auditor, which are
discussed below.
Review of published financial information
The audit committee should monitor the integrity of the company’s financial statements and any
formal announcements relating to the company’s performance. Significant financial reporting
judgements should be specifically reviewed. This means that committee members should
scrutinise all published financial information, and question and be ready to challenge the finance
director and external auditors on any contentious matters arising.
Systems and controls
The audit committee members have responsibility to review the company’s internal financial
controls and systems, and the risk management systems, unless there is a separate risk
committee.
Most large companies have an internal audit function, in which case the audit committee should
extend its monitoring role to include that function, including the evaluation of the effectiveness
of that function.
Where there is no internal audit function, the audit committee should consider annually whether
there is a need for internal audit and make a recommendation to the board, and the reasons for
the absence of such a function should be explained in the relevant section of the annual report.
Fraud prevention and detection
Finally, the audit committee plays a part in fraud prevention and detection in that whistleblowing
arrangements should be made so that staff of the company may raise concerns about possible
improprieties in respect of financial reporting matters.
INTERNAL AUDIT FUNCTION
Internal audit has two key roles to play in relation to organisational risk management:
- Ensuring the company's risk management system operates effectively
- Ensuring that strategies implemented in respect of business risks operate effectively
The role of internal audit
The internal audit department has a two-fold role in relation to risk management.
- It monitors the company's overall risk management policy to ensure it operates effectively.
- It monitors the strategies implemented to ensure that they continue to operate effectively.
Since a significant part of most companies' risk management policy is the implementation of
internal controls, internal audit has a key role in assessing systems and testing controls.
Internal audit may assist in the development of systems. However, its key role will be in
monitoring the overall process and in providing assurance that the systems which the
departments have designed meet objectives and operate effectively.
It is important that the internal audit department retains its objectivity towards these aspects of its
role, which is another reason why internal audit would generally not be involved in the assessment
of risks and the design of the system.
Responsibility for fraud and error
It is the responsibility of management and those charged with governance to prevent and detect
fraud, and in this respect, internal auditors may have a role to play.
Limitations of the internal audit function
Although the presence of an internal audit department within an organisation is indicative of
good internal control, by its very nature, there are some limitations of the internal audit function.
Internal auditors are employed by the organisation and this can impair their independence and
objectivity and ability to report fraud/error to senior management because of perceived threats to
their continued employment within the company.
To ensure transparency, best practice indicates that the internal audit function should have a dual
reporting relationship, i.e. report both to management and those charged with governance (the
audit committee). If this reporting structure is not in place, management may be able to unduly
influence the internal audit plan, scope, and whether issues are reported appropriately.
This results in a serious conflict, limits the scope and compromises the effectiveness of the
internal audit function.
Internal auditors are not required to be professionally qualified (as accountants are) and so there
may be limitations in their knowledge and technical expertise.
Factors necessitating growth in Internal Audit
1. Increase in size of business
As businesses grow in size and increase their level of operations, it becomes necessary to have a
function that oversees all the internal controls that have been put in place.
2. Dynamic business
Due to changes in technology, a number of companies have become so dynamic that their
controls are updated on a continuous basis, and this calls for constant feedback on those controls
that need updating. To cope with these demands, companies have had to draw on expert advice,
which is available from the internal auditor.
3. Legislation and regulatory requirements
As the concept of corporate governance takes root in business management, the need for
internal audit is increasing. The function plays a critical role in ensuring that management has
put in place adequate systems of internal control. Companies are now required to have audit
committees to oversee the operation of controls within the organisation. The internal auditor
reports to the audit committee.
4. Competition
Under perfect competition companies can only survive if they are operationally efficient, and this
calls for stronger controls and cost effectiveness.
5. Evolution of IT
Of late many companies have computerised their operations and controls. There is therefore a
need for continuous review of the operation of controls over these computerised systems.
USING THE WORK OF INTERNAL AUDITORS
International Standard on Auditing (ISA) 610 (Revised), Using the Work of Internal Auditors
This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities if
using the work of the internal audit function in obtaining audit evidence.
Relationship between the Internal Audit Function and the External Auditor
The objectives of the internal audit function are determined by management and, where
applicable, those charged with governance. While the objectives of the internal audit function
and the external auditor are different, some of the ways in which the internal audit function and
the external auditor achieve their respective objectives may be similar.
Irrespective of the degree of autonomy and objectivity of the internal audit function, such
function is not independent of the entity as is required of the external auditor when expressing an
opinion on financial statements. The external auditor has sole responsibility for the audit opinion
expressed, and that responsibility is not reduced by the external auditor’s use of the work of the
internal auditors.
Objectives of the external auditor
The objectives of the external auditor, where the entity has an internal audit function that the
external auditor has determined is likely to be relevant to the audit, are:
a) To determine whether, and to what extent, to use specific work of the internal auditors; and
b) If using the specific work of the internal auditors, to determine whether that work is
adequate for the purposes of the audit.
Using Specific Work of the Internal Auditors
- In order for the external auditor to use specific work of the internal auditors, the external
auditor shall evaluate and perform audit procedures on that work to determine its adequacy
for the external auditor’s purposes.
- To determine the adequacy of specific work performed by the internal auditors for the
external auditor’s purposes, the external auditor shall evaluate whether:
a) The work was performed by internal auditors having adequate technical training and
proficiency;
b) The work was properly supervised, reviewed and documented;
c) Adequate audit evidence has been obtained to enable the internal auditors to draw
reasonable conclusions;
d) Conclusions reached are appropriate in the circumstances and any reports prepared by the
internal auditors are consistent with the results of the work performed; and
e) Any exceptions or unusual matters disclosed by the internal auditors are properly
resolved.
Documentation
If the external auditor uses specific work of the internal auditors, the external auditor shall
include in the audit documentation the conclusions reached regarding the evaluation of the
adequacy of the work of the internal auditors, and the audit procedures performed by the external
auditor on that work.
Scope of this ISA (International Standard on Auditing (ISA) 610 (Revised), Using the Work of
Internal Auditors)
- The entity’s internal audit function is likely to be relevant to the audit if the nature of the
internal audit function’s responsibilities and activities are related to the entity’s financial
reporting, and the auditor expects to use the work of the internal auditors to modify the
nature or timing, or reduce the extent, of audit procedures to be performed.
- Carrying out procedures in accordance with this ISA may cause the external auditor to
re-evaluate the external auditor’s assessment of the risks of material misstatement.
Consequently, this may affect the external auditor’s determination of the relevance of the
internal audit function to the audit.
- Similarly, the external auditor may decide not to otherwise use the work of the internal
auditors to affect the nature, timing or extent of the external auditor’s procedures. In such
circumstances, the external auditor’s further application of this ISA may not be necessary.
Objectives of the Internal Audit Function
The objectives of internal audit functions vary widely and depend on the size and structure of the
entity and the requirements of management and, where applicable, those charged with
governance. The activities of the internal audit function may include one or more of the
following:
- Monitoring of internal control. The internal audit function may be assigned specific
responsibility for reviewing controls, monitoring their operation and recommending
improvements thereto.
- Examination of financial and operating information. The internal audit function may be
assigned to review the means used to identify, measure, classify and report financial and
operating information, and to make specific inquiry into individual items, including
detailed testing of transactions, balances and procedures.
- Review of operating activities. The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
- Review of compliance with laws and regulations. The internal audit function may be
assigned to review compliance with laws, regulations and other external requirements,
and with management policies and directives and other internal requirements.
- Risk management. The internal audit function may assist the organization by identifying
and evaluating significant exposures to risk and contributing to the improvement of risk
management and control systems.
- Governance. The internal audit function may assess the governance process in its
accomplishment of objectives on ethics and values, performance management and
accountability, communicating risk and control information to appropriate areas of the
organization and effectiveness of communication among those charged with governance,
external and internal auditors, and management.
Determining Whether and to What Extent to Use the Work of the Internal Auditors
Whether the Work of the Internal Auditors is likely to be Adequate for Purposes of the
Audit
Factors that may affect the external auditor’s determination of whether the work of the internal
auditors is likely to be adequate for the purposes of the audit include:
Objectivity
- The status of the internal audit function within the entity and the effect such status has on the
ability of the internal auditors to be objective.
- Whether the internal audit function reports to those charged with governance or an officer
with appropriate authority, and whether the internal auditors have direct access to those
charged with governance.
- Whether the internal auditors are free of any conflicting responsibilities.
- Whether those charged with governance oversee employment decisions related to the internal
audit function.
- Whether there are any constraints or restrictions placed on the internal audit function by
management or those charged with governance.
- Whether, and to what extent, management acts on the recommendations of the internal audit
function, and how such action is evidenced.
Technical competence
- Whether the internal auditors are members of relevant professional bodies.
- Whether the internal auditors have adequate technical training and proficiency as internal
auditors.
- Whether there are established policies for hiring and training internal auditors.
Due professional care
- Whether activities of the internal audit function are properly planned, supervised, reviewed
and documented.
- The existence and adequacy of audit manuals or other similar documents, work programs and
internal audit documentation.
Communication
Communication between the external auditor and the internal auditors may be most effective
when the internal auditors are free to communicate openly with the external auditors, and:
- Meetings are held at appropriate intervals throughout the period;
- The external auditor is advised of and has access to relevant internal audit reports and is
informed of any significant matters that come to the attention of the internal auditors when
such matters may affect the work of the external auditor; and
- The external auditor informs the internal auditors of any significant matters that may affect
the internal audit function.
Planned Effect of the Work of the Internal Auditors on the Nature, Timing or Extent of the
External Auditor’s Procedures
Where the work of the internal auditors is to be a factor in determining the nature, timing or
extent of the external auditor’s procedures, it may be useful to agree in advance the following
matters with the internal auditors:
- The timing of such work;
- The extent of audit coverage;
- Materiality for the financial statements as a whole (and, if applicable, materiality level or
levels for particular classes of transactions, account balances or disclosures), and
performance materiality;
- Proposed methods of item selection;
- Documentation of the work performed; and
- Review and reporting procedures.
The nature, timing and extent of the audit procedures performed on specific work of the internal
auditors will depend on the external auditor’s assessment of the risk of material misstatement,
the evaluation of the internal audit function, and the evaluation of the specific work of the
internal auditors. Such audit procedures may include:
- Examination of items already examined by the internal auditors;
- Examination of other similar items; and
- Observation of procedures performed by the internal auditors.
The External Auditor’s Responsibility for the Audit
The external auditor has sole responsibility for the audit opinion expressed, and that
responsibility is not reduced by the external auditor’s use of the work of the internal audit
function on the engagement. Although the function may perform audit procedures similar to
those performed by the external auditor, neither the internal audit function nor the internal
auditors are independent of the entity as is required of the external auditor in an audit of financial
statements in accordance with ISA 200.
This ISA, therefore, defines the conditions that are necessary for the external auditor to be able to
use the work of internal auditors. It also defines the necessary work effort to obtain sufficient
appropriate evidence that the work of the internal audit function is adequate for the purposes of
the audit. The requirements are designed to provide a framework for the external auditor’s
judgments regarding the use of the work of the internal audit function to prevent over or undue
use of such work.
Objectives
The objectives of the external auditor, where the entity has an internal audit function and the
external auditor expects to use the work of the function to modify the nature or timing, or reduce
the extent, of audit procedures to be performed directly by the external auditor are:
a) To determine whether the work of the internal audit function can be used, and if so, in which
areas and to what extent; and having made that determination:
b) If using the work of the internal audit function, to determine whether that work is adequate
for purposes of the audit.
Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit
Function Can Be Used
Evaluating the Internal Audit Function
The external auditor shall determine whether the work of the internal audit function can be used
for purposes of the audit by evaluating the following:
a) The extent to which the internal audit function’s organizational status and relevant policies
and procedures support the objectivity of the internal auditors;
b) The level of competence of the internal audit function; and
c) Whether the internal audit function applies a systematic and disciplined approach, including
quality control.
The external auditor shall not use the work of the internal audit function if the external auditor
determines that:
a) The function’s organizational status and relevant policies and procedures do not adequately
support the objectivity of internal auditors;
b) The function lacks sufficient competence; or
c) The function does not apply a systematic and disciplined approach, including quality control.
As a basis for determining the areas and the extent to which the work of the internal audit
function can be used, the external auditor shall consider the nature and scope of the work that has
been performed, or is planned to be performed, by the internal audit function and its relevance to
the external auditor’s overall audit strategy and audit plan.
The external auditor shall make all significant judgments in the audit engagement and, to prevent
undue use of the work of the internal audit function, shall plan to use less of the work of the
function and perform more of the work directly:
(a) The more judgment is involved in:
i) Planning and performing relevant audit procedures; and
ii) Evaluating the audit evidence gathered;
(b) The higher the assessed risk of material misstatement at the assertion level, with special
consideration given to risks identified as significant;
(c) The less the internal audit function’s organizational status and relevant policies and
procedures adequately support the objectivity of the internal auditors; and
(d) The lower the levels of competence of the internal audit function.
- The external auditor shall also evaluate whether, in aggregate, using the work of the internal
audit function to the extent planned would still result in the external auditor being sufficiently
involved in the audit, given the external auditor’s sole responsibility for the audit opinion
expressed.
- The external auditor shall, in communicating to those charged with governance an
overview of the planned scope and timing of the audit, communicate how the external auditor
has planned to use the work of the internal audit function.
- If the external auditor plans to use the work of the internal audit function, the external auditor
shall discuss the planned use of its work with the function as a basis for coordinating their
respective activities.
- The external auditor shall read the reports of the internal audit function relating to the work
of the function that the external auditor plans to use to obtain an understanding of the nature
and extent of audit procedures it performed and the related findings.
- The external auditor shall perform sufficient audit procedures on the body of work of the
internal audit function as a whole that the external auditor plans to use to determine its
adequacy for purposes of the audit, including evaluating whether:
a) The work of the function had been properly planned, performed, supervised, reviewed
and documented;
b) Sufficient appropriate evidence had been obtained to enable the function to draw
reasonable conclusions; and
c) Conclusions reached are appropriate in the circumstances and the reports prepared by the
function are consistent with the results of the work performed.
- The nature and extent of the external auditor's audit procedures shall be responsive to the
external auditor's evaluation of:
a) The amount of judgment involved;
b) The assessed risk of material misstatement;
c) The extent to which the internal audit function's organizational status and relevant
policies and procedures support the objectivity of the internal auditors; and
d) The level of competence of the function,
and shall include reperformance of some of the work.
- The external auditor shall also evaluate whether the external auditor’s conclusions
regarding the internal audit function and the determination of the nature and extent of use
of the work of the function for purposes of the audit
Documentation
If the external auditor uses the work of the internal audit function, the external auditor shall
include in the audit documentation:
(a) The evaluation of:
i) Whether the function’s organizational status and relevant policies and procedures
adequately support the objectivity of the internal auditors;
ii) The level of competence of the function; and
iii) Whether the function applies a systematic and disciplined approach, including quality
control;
(b) The nature and extent of the work used and the basis for that decision; and
(c) The audit procedures performed by the external auditor to evaluate the adequacy of the work
used.
The objectives and scope of internal audit functions typically include assurance and consulting
activities designed to evaluate and improve the effectiveness of the entity’s governance
processes, risk management and internal control such as the following:
COMPUTERIZED INFORMATION SYSTEMS
The following areas are covered below:
i) Introduction to Computer Accountancy Systems.
ii) Introduction to Computers and the way they process data.
iii) Programs & operating Systems.
iv) Introduction to Computer Control.
v) Auditing in a Computerized Environment.
vi) The auditor’s Approach
vii) Auditing around the computer
viii) Auditing through the computer
ix) Real time and on-line Systems
Industry context
With the current pace of technological change, auditors need to keep their knowledge of
systems up to date so that they can use them to make their work easier. This means that the
auditor has to devise new means of carrying out an audit in a computerized environment, and
also needs to understand how the controls in such a system work.
KEY TERMS
Transaction Files: Are the equivalent of journals such as the sales journal or the purchases
journal or the cashbook.
Programs are the instructions telling the computer how each type of transaction is to be
processed.
Test data are data designed to test the performance of the client's programs.
Exam Context
As the world embraces emerging technological change, so does the audit profession. Bearing
this in mind, questions on the application of information technology will be common in the
exam. The questions that are likely to appear are those that deal with the impact information
technology has had on audit.
Introduction
In today's business environment there has been an irreversible push for companies to automate
their systems and their way of doing business in order to remain competitive. This push has
brought new challenges for the audit environment. Unlike before, when most systems were
manual and the auditor's procedures were tailor made for them, most company systems today are
automated. This means that the auditor has to devise new means of carrying out an audit in a
computerized environment, and also needs to understand how the controls in such a system work.
The chapter below covers all of this so that the student can understand and appreciate both the
challenges and the gains of auditing in a computerized environment.
A computer system requires procedures to:
- Convert data to machine readable form.
- Input data into the computer.
- Process data.
- Store data in machine readable form.
- Convert data into the desired output form.
For these procedures to be undertaken, a mixture of hardware and software is needed. The
hardware will consist of:
i) Input devices. These include keyboards, optical readers and bar code scanners.
ii) Processing devices. These are the computers themselves, i.e. the central processing unit (CPU).
iii) Storage devices. These include hard disks, diskettes and magnetic tapes.
iv) Output devices. These include the visual display unit (VDU) and printers.
The computer software consists of programs and operating systems.
Programs are the instructions telling the computer how each type of transaction is to be
processed. These instructions include routines for checking and controlling data, matching data
with master files and performing mathematical operations on data. E.g. for sales transactions,
matching routines will enable the computer to identify the right sales price from the sales price
master file and the right customer from the debtors master file. Mathematical routines will
include calculating the total amount due from the debtor and updating the customer's balance in
the debtors master file.
The operating system is a series of related programs that provide instructions as to what files
are required to be on-line, what output devices are required to be ready and what additional files
need to be created for further processing. E.g. with a batch of sales transactions, the sales price
file and the debtors file need to be on-line, the printer must be loaded with blank invoice forms
and the totals must be retained for posting to the sales and debtors control accounts in the
general ledger master file.
An operating system will provide details of further processing runs within the system. So, for
example, in sales these will include updating the general ledger, processing cash receipts and
credit notes to the debtor’s file, printing out monthly statements and printing out analysis of due
accounts for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided
to the operator, but increasingly the operating system is part of the computer software, such
that in a real time system the computer identifies the source of an incoming signal and
automatically processes that transaction using the appropriate programs and the right file.
COMPUTER FILES
These are equivalent of books and records in a manual system and are described as either
transaction files or master files.
a) Transaction files.
These are the equivalent of journals such as the sales journal, the purchases journal or the cash
book. They contain details of individual transactions, but unlike books, a transaction file is not
a cumulative record: a separate file is set up for each batch. In real time systems a transaction
file is therefore not strictly necessary, but good systems will always create one for control
purposes, to provide a security back up in case of errors or computer malfunctions while data is
being processed to the master file.
b) Master files.
These contain what is referred to as standing data. They may be the equivalent of ledgers but
may also contain semi permanent data needed to process transactions. E.g. a debtors master file
is the equivalent of the debtors ledger, but will also include data that in a manual system might
be kept separately, such as invoicing addresses, discount terms and credit limits, and even
non-accounting data such as cumulative sales to specific customers.
When master files are updated by processing them against a transaction file, the entire contents
of the file are usually re-written in a separate location so that after processing, the two files can
be compared and the difference agreed to the total of the transaction file. Any errors in updating
the master file will thus be detected and the process repeated. In practice, the old copy of the
master file and transaction file will be retained until the master file is updated again. This is the
grandfather-father-son approach. If the current master file is corrupted or lost due to machine or
operator error, previous versions provide back up from which the master file can be re-created.
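As an added illustration of the update-and-reconcile cycle just described (example code written for this text, not taken from the original; the file layout, field names, transaction types and sample records are constructed assumptions), the following Python run posts a batch of transactions to a debtors master file written to a separate copy, agrees the movement between the old and new file totals to the batch control total, and keeps three generations of the master file so that a lost current copy can be re-created from the father copy and the retained transaction file:

```python
"""Batch update of a debtors master file with control-total reconciliation
and grandfather-father-son (GFS) retention.

Added example for this text, not code from the original. The file layout,
field names, transaction types and sample records are assumptions."""
from copy import deepcopy

# Constructed master file: debtor number -> balance plus standing data.
MASTER_V1 = {
    "D001": {"name": "Acme Ltd", "balance": 1500.00, "credit_limit": 5000.00},
    "D002": {"name": "Bolt plc", "balance": 250.00, "credit_limit": 1000.00},
}

# Constructed transaction file for one batch: (debtor, type, amount).
# INV = invoice (positive), CSH = cash receipt, CRN = credit note (negative).
BATCH_1 = [
    ("D001", "INV", 400.00),
    ("D002", "CSH", -100.00),
    ("D001", "CRN", -50.00),
]

def batch_control_total(batch):
    """Control total that the master file movement must agree to."""
    return round(sum(amount for _, _, amount in batch), 2)

def validate_batch(batch, master):
    """Edit checks run on the whole batch before anything is posted."""
    errors = []
    for i, (debtor, ttype, amount) in enumerate(batch):
        if debtor not in master:
            errors.append((i, f"unknown debtor {debtor}"))
        if ttype not in ("INV", "CSH", "CRN"):
            errors.append((i, f"unknown transaction type {ttype}"))
        elif (ttype == "INV" and amount <= 0) or (ttype != "INV" and amount >= 0):
            errors.append((i, f"wrong sign for {ttype}"))
    return errors

def update_master(master, batch):
    """Post the batch to a fresh copy; the old master file is left untouched."""
    new_master = deepcopy(master)
    for debtor, _, amount in batch:
        rec = new_master[debtor]
        rec["balance"] = round(rec["balance"] + amount, 2)
    return new_master

def file_total(master):
    return round(sum(rec["balance"] for rec in master.values()), 2)

def reconcile(old_master, new_master, batch):
    """Movement between the two copies must equal the batch control total."""
    movement = round(file_total(new_master) - file_total(old_master), 2)
    return movement == batch_control_total(batch)

class Generations:
    """Keep son, father and grandfather copies of the master file."""
    def __init__(self, first):
        self.versions = [first]

    def roll(self, new_son):
        self.versions = (self.versions + [new_son])[-3:]

    def son(self):
        return self.versions[-1]

    def father(self):
        return self.versions[-2] if len(self.versions) > 1 else None

    def grandfather(self):
        return self.versions[-3] if len(self.versions) > 2 else None

def run_batch(gens, batch):
    """Validate, post to a new copy, reconcile, then roll the generations.
    Returns (accepted, errors); a failed reconciliation leaves the old
    master in place so the update can simply be repeated."""
    errors = validate_batch(batch, gens.son())
    if errors:
        return False, errors
    new_master = update_master(gens.son(), batch)
    if not reconcile(gens.son(), new_master, batch):
        return False, [("*", "control total mismatch: repeat the update")]
    gens.roll(new_master)
    return True, []

def recover_son(gens, batch):
    """If the current master is lost, re-create it from the father copy
    and the retained transaction file."""
    return update_master(gens.father(), batch)

if __name__ == "__main__":
    g = Generations(MASTER_V1)
    print(run_batch(g, BATCH_1), g.son())
```

A rejected batch (an unknown debtor, or a cash receipt with the wrong sign) is reported before posting, which is the batch-processing advantage the text returns to under real time and on-line systems below; an accepted batch leaves the previous master intact as the father copy.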
Master files holding semi permanent data would, in the case of a debtors system, include the
current sales price list and, in the case of a personnel department, a personnel file giving details
of wage rates, authorized deductions and a cumulative record of amounts paid to date for the
purpose of providing tax certificates.
A special class of transactions includes those of amending standing data held in master files such
as sales price or wage rate. These transactions require special consideration because an error in
such data held in a master file will cause errors in all transactions processed against the master
file. E.g. an item priced erroneously in sales price list will mean all sales will be charged to
customers at the wrong price.
Real time and on-line systems
Traditional batch processing has the advantage that the data can be subjected to checks for
validity, accuracy and completeness before it is processed. But for organizations that need
information on a strict time scale, this type of processing is unacceptable. This has led to the
development of on-line and real time systems, and their number is growing, particularly in
airline offices, banks and other financial institutions. The auditor's duties do not change, but his
audit techniques must.
The key features of these systems are that they are based on the use of a remote terminal which is
just a VDU and a keyboard. These terminals will be scattered within the user department and
have access to the central computer store. The problem for the auditor arises from the fact that
master files held in the central computer store may be read and updated by the remote terminals
without an adequate audit trail. Necessary precautions have to be made therefore to ensure that
these terminals are used in a controlled way by authorized personnel only.
The security techniques include:
- Hardware constraints, e.g. requiring a key or a magnetic stripe badge or card to engage a
terminal, or placing the terminal in a location to which access is carefully restricted and
which is constantly monitored by closed circuit television.
- The allocation of identification numbers to authorized terminal operators. With or without
the use of passwords, these are checked by the mainframe computer against stored records of
authorized numbers or passwords.
- Using operator characteristics such as voice, fingerprints and hand geometry (finger length
ratios) as a means of identification by the mainframe computer.
- Restricting access to particular programs or master files in the mainframe computer to
designated terminals.
- In top security systems, the authority to allocate access rights, such as determining
passwords and nominating the designated terminals, should be restricted to senior personnel
other than the intended users.
- A special file may be maintained in the central processor which records every occasion on
which access is made by particular terminals and operators to the central programs and files.
This log will be printed out on a regular basis or on request by personnel with appropriate
authority.
What differentiates an on-line system from a real time system is that the on-line system has a
buffer store where input data is held by the central processor before the master files are
accessed. This enables input from the remote terminals to be checked by a special scanning
program before processing commences.
With real time systems, however, action at the terminal causes an immediate response in the
central processor to which the terminal is on-line. Security against unauthorized access and
input is even more important in real time systems, because the input instantaneously updates
the file held in the central processor and any edit checks on the input are likely to be under the
control of the terminal operators themselves. In view of these control problems, most real time
systems incorporate additional controls over the scrutiny of the master file.
In planning the audit, the auditor should consider how the presence of computerized information
systems may affect client’s accounting and internal control system and the conduct of the audit.
This is because computerized information systems have unique features compared to manual
systems and require inbuilt adequate controls to ensure that the accounting system can be relied
upon for complete and accurate accounting records. These features include;
- Consistency. Unlike manual systems, computerized information systems process
transactions consistently. This implies that if the system is properly programmed, all
transactions will be processed consistently and accurately. On the other hand, if there are any
programming errors, the transactions will be consistently processed inaccurately.
- Concentration of functions and controls. In a computerized information system, few people
are involved in the processing of financial information. This may compromise segregation of
duties, such that persons involved in writing programs may also be involved in processing
transactions. This increases the risk of manipulation of operating programs and data. Programs
and data are held together, increasing the potential for unauthorized access and alteration.
- Computerized information systems are designed to limit paperwork. This results in less visible
evidence to support the transactions processed, which ultimately leads to loss of the audit trail.
- Ease of access of data and computer programs. Where there are no proper controls over
access to computers at remote terminals, there is increased danger of unauthorized access and
alteration of data and programs.
- Use of programmed controls. In a computerized environment, controls are programmed
together with data processing instructions e.g. protection of data against unauthorized access
may be by way of using passwords and user profiles that grant different levels of access to
the system. Use of programmed controls implies that the auditor must adopt an audit
approach to test effectiveness of those controls.
- System generated transactions. Many systems are capable of generating transactions
automatically without manual intervention e.g. calculation of interest from customer’s
accounts may be done and charged to income automatically. If the system set up is interfered
with, this could affect the accuracy and integrity of transactions generated.
- Data and programs are stored in portable magnetic disks and tapes which are vulnerable to
theft and intentional or accidental alteration.
SYSTEMS AUDIT APPROACH
The systems audit is based on the following:
- The volume of transactions in a modern company and the cost of auditing preclude the
examination and verification of every transaction followed by the summarization of the
transactions into the financial statements.
- The verification of all transactions would not in itself be sufficient because it would not give
any assurance as to the completeness of transactions.
- The systems based audit depends on reliance on systems which prevent or detect any
variation from correct processing of documents into entries in the financial records, and
hence their inclusion in the financial statements. The auditor needs to understand the system
and verify that controls are effective throughout the period under review.
INTERNAL CONTROLS IN A COMPUTERIZED ACCOUNTING SYSTEM
To mitigate the risks occasioned by the features of a computerized information system, the
management should design internal controls over the system. These controls are mainly
classified into general controls and application controls.
1. General controls.
These relate to the environment within which the computer based systems are developed,
maintained and operated, and are aimed at providing reasonable assurance that the overall
objectives of internal control are achieved, e.g. the completeness, accuracy and validity of
financial information.
The objective of the general controls is to ensure the proper development and implementation of
applications and the integrity of program files and information. These controls could either be
manual or programmed and are classified into;
- System development controls
- Access controls.
- Computer operations and other controls.
a) System development controls.
These relate to controls that must be exercised by the client when developing new systems or
modifying existing systems. The controls that can be exercised during systems development can
be discussed in the following groupings.
Appropriate review testing and approval of new systems
Development of computer applications
- Standards over systems design, programming and documentation
- Full testing procedures using test data
- Approval by computer users and management
- Segregation of duties so that those responsible for design are not responsible for testing
- Installation procedures so that data is not corrupted in transition
- Training of staff in new procedures and availability of adequate documentation
The organization should set up a steering committee composed of senior management and high
level representatives of system users, who should oversee the development and implementation
of the new system.
Management should approve specifications of the new system after the steering committee has
assessed the user needs. Before the new system is commissioned for use, appropriate testing
should be carried out to ensure that both the hardware and the application programs are operating
effectively. The testing will provide assurance that the new system is reliable.
The information technology manager, user department and the appropriate management level
should give appropriate approval of new system before being placed under operation and after
reviewing completeness of system documentation and results of its testing.
General IT controls that relate to some or all applications are usually interdependent controls,
i.e. their operation is often essential to the effectiveness of application controls. As application
controls may be useless when general controls are ineffective, it will be more efficient to review
the design of general IT controls first, before reviewing the application controls.
Controls over program changes
Testing and documentation of program changes
- Complete testing procedures
- Documentation standards
- Approval of changes by computer users and management
- Training of staff using programs
Program changes refer to modifications made to existing programs. Changes in the computer
system should be subject to strict controls, e.g. a written request for an application program
change should be made by the user department and authorized by a designated manager or
committee.
Once changes have been made, appropriate testing should be carried out to ensure that the
modified system is reliable.
The system documentation should then be amended to reflect the changes and appropriate
approval obtained for the modified system to start running.
User training should also be carried out as appropriate.
Prevention or detection of unauthorised changes to programs
- Segregation of duties
- Full records of program changes
- Password protection of programs so that access is limited to computer operations staff
- Restricted access to the central computer by locked doors and keypads
- Maintenance of program logs
- Virus checks on software: use of anti-virus software and a policy prohibiting the use of
non-authorised programs or files
- Back-up copies of programs being taken and stored in other locations
- Control copies of programs being preserved and regularly compared with the actual programs
in use
- Stricter controls over certain programs (utility programs) by use of read-only memory
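The comparison of preserved control copies with the programs actually in use, listed above, can be made mechanical by recording a digest of every program in the control library and checking the live library against it. The following Python example is added for this text and is not code from the original; the program names, their contents, the library layout and the approved-change record are constructed assumptions. A change whose new digest was recorded when it was tested and approved is reported as approved; any other difference, and any program that was never placed in the control library, is reported for investigation:

```python
"""Compare control copies of programs with the copies actually in use.

Added example for this text, not code from the original. The program
names, their contents, the library layout and the approved-change record
are constructed assumptions."""
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of a file, read in chunks so large programs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(directory):
    """Relative path -> digest for every file under a program library."""
    out = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            out[os.path.relpath(path, directory)] = digest(path)
    return out

def compare(control, live, approved):
    """Classify every difference between the control and live libraries.
    `approved` maps program name -> digest recorded when the change was
    tested and authorised, so an approved change is not reported as
    unauthorised."""
    findings = []
    for name, h in control.items():
        if name not in live:
            findings.append(("MISSING", name))
        elif live[name] != h:
            if approved.get(name) == live[name]:
                findings.append(("APPROVED_CHANGE", name))
            else:
                findings.append(("UNAUTHORISED_CHANGE", name))
    for name in live:
        if name not in control:
            findings.append(("UNRECORDED_PROGRAM", name))
    return sorted(findings)

def write(directory, name, text, mode="w"):
    with open(os.path.join(directory, name), mode) as f:
        f.write(text)

def demo():
    """Constructed control and live libraries in temporary directories."""
    with tempfile.TemporaryDirectory() as ctl, tempfile.TemporaryDirectory() as live:
        for d in (ctl, live):
            write(d, "sales_update.src", "post invoices to debtor balances\n")
            write(d, "price_maint.src", "amend sales prices\n")
        control = snapshot(ctl)
        # An authorised change: tested, approved and its new digest recorded.
        write(live, "price_maint.src", "log every price change\n", mode="a")
        approved = {"price_maint.src": digest(os.path.join(live, "price_maint.src"))}
        # An unauthorised change to another program, and a program that was
        # never placed in the control library at all.
        write(live, "sales_update.src", "round balances down\n", mode="a")
        write(live, "util_patch.bin", "", mode="w")
        return compare(control, snapshot(live), approved)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The control library and the record of approved digests must themselves be held where the programming and operations staff cannot alter them, otherwise the comparison only confirms that both copies were changed together.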
System documentation
This involves putting together information that supports and explains computer applications. The
documentation provides details of capability of the system and how it is operated.
System documentation is important in conducting user training and also enables the management
to effectively review the system by considering whether appropriate controls have been put in
place during system development.
Parallel running
Before switching to the new system, the whole system should be tested by running it alongside
the old system for a specified period. This is important because it provides users with the
opportunity to familiarize themselves with the new system before it is fully implemented, and
ensures that the new system is reliable and that data is correctly carried forward from the old to
the new system.
b) Access controls.
The success of computerized information systems is largely dependent on the accuracy, validity
and credibility of the data processed by the system. Controls over access to computer hardware,
software and data files are therefore vital.
Access controls provide assurance that only authorized individuals use the system and that the
usage is for authorized purposes only.
Access may be restricted to specified persons, files, functions or computer devices. This can be
achieved using both physical and programmed controls. Examples of access controls include;
- Physical restriction of access to computer facilities to specified persons only e.g. file servers
should be maintained in a secure location where access is granted to only specified persons.
- Controls over computers kept in user departments could be improved by making sure that
vital data or programs are not left open when the computer is left unattended.
- Passwords should be used by all staff when accessing computer facilities.
- Passwords should be changed regularly and access to password data held in a computer
system should be subject to stringent controls. This will ensure that some users do not gain
access to other people’s passwords.
- In granting user rights within the system, there should be appropriate segregation of duties to
ensure that rights granted are not excessive. e.g. a user should not have right to post data and
also make amendments on the same data.
- When designing user rights, sensitive data and programs should only be accessible to a few
individuals. In other cases, some files should be designated as 'read only' to avoid
unauthorized amendments.
- Programs and data that do not need to be on-line should be stored in secure locations.
- An access log recording all attempts to log in to the system should be maintained. This
would record the name of the user, the data accessed or entered, the time of log in and the
mode of access.
- When data is transmitted over communication lines it should be encrypted, to make it
difficult for persons with access to the lines to read or modify the contents.
- There should be automatic log off, i.e. the disconnection of an active terminal, to prevent the
viewing of sensitive data on unattended terminals.
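The terminal and operator controls listed under real time and on-line systems above and the access controls just listed come together in the following added Python example (written for this text, not from the original; operator numbers, terminal numbers, file names, the authorization table, office hours and the log layout are constructed assumptions). It checks each access request against the operator's rights and the terminals designated for the file, records every attempt in the access log whether allowed or refused, reviews the log for refusals and out-of-hours access, and flags any operator whose rights combine posting and amending on the same file:

```python
"""Operator/terminal access control with an access log and review.

Added example for this text, not code from the original. Operator ids,
terminal ids, file names, the authorization table, office hours and the
log layout are constructed assumptions."""

# Authorization table: operator -> {file: set of permitted modes}.
OPERATORS = {
    "OP17": {"DEBTORS_MASTER": {"read", "post"}, "PRICE_LIST": {"read"}},
    "OP22": {"PRICE_LIST": {"read", "amend"}},
}

# Files may only be reached from the terminals designated for them.
TERMINALS_FOR_FILE = {
    "PRICE_LIST": {"T01"},
    "DEBTORS_MASTER": {"T01", "T02"},
}

# Pairs of modes that one operator must not hold on the same file
# (segregation of duties: posting data versus amending it).
CONFLICTING_MODES = [("post", "amend")]

ACCESS_LOG = []  # the special file recording every access attempt

def request_access(operator, terminal, filename, mode, hour):
    """Decide an access request and log it whether allowed or refused."""
    has_right = mode in OPERATORS.get(operator, {}).get(filename, set())
    right_terminal = terminal in TERMINALS_FOR_FILE.get(filename, set())
    allowed = has_right and right_terminal
    ACCESS_LOG.append({
        "hour": hour, "operator": operator, "terminal": terminal,
        "file": filename, "mode": mode, "allowed": allowed,
    })
    return allowed

def review_log(log, office_hours=(8, 18)):
    """Print-out for the reviewer: refusals and access outside office hours."""
    findings = []
    for e in log:
        if not e["allowed"]:
            findings.append(("REFUSED", e["operator"], e["terminal"], e["file"]))
        if not office_hours[0] <= e["hour"] < office_hours[1]:
            findings.append(("OUT_OF_HOURS", e["operator"], e["terminal"], e["file"]))
    return findings

def sod_conflicts(operators):
    """Operators whose rights on one file combine conflicting modes."""
    conflicts = []
    for op, files in operators.items():
        for filename, modes in files.items():
            for a, b in CONFLICTING_MODES:
                if a in modes and b in modes:
                    conflicts.append((op, filename, a, b))
    return conflicts

if __name__ == "__main__":
    request_access("OP17", "T02", "DEBTORS_MASTER", "post", 10)
    request_access("OP17", "T02", "PRICE_LIST", "read", 10)   # wrong terminal
    request_access("OP22", "T01", "PRICE_LIST", "amend", 22)  # out of hours
    print(review_log(ACCESS_LOG))
```

Refused attempts are logged as well as successful ones, since a run of refusals from one terminal is exactly what the reviewer with appropriate authority wants to see; the segregation check is run over the authorization table itself, not the log, because an excessive combination of rights is a weakness whether or not it has yet been used.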
Controls to ensure continuity of operation
- Storing extra copies of programs and data files off-site
- Protection of equipment against fire and other hazards
- Back-up power sources
- Disaster recovery procedures e.g. availability of back-up computer facilities.
- Maintenance agreements and insurance
The auditors will wish to test some or all of the above general IT controls, having considered
how they affect the computer applications significant to the audit.
c) Computer operations and other controls.
The organization should have a reconstruction or disaster recovery plan that will allow it to
regenerate important programs and data files in case of disasters or accidental destruction.
The recovery plan should create back up or duplicate copies of important data files and programs
which should be stored off site.
The recovery plan should also be tested on regular basis to ensure that it indeed works. Other
issues that should be addressed include:
- Undertaking protection measures against natural disasters such as setting up computer rooms
in areas protected from floods and fitted with smoke or fire detectors.
- There should be standby equipment to revert to in case of computer breakdown.
There should be adequate virus detection. Procedures for dealing with virus infection are.