Kế toán, kiểm toán - Auditing in a computerized environment

Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/IrwinModule HAuditing in a Computerized Environment"To err is human, but to really foul things up you need a computer.“ Paul Ehrlich, Technology commentator Mod H-2Impact of Computerized ProcessingIssues introduced in a computerized environmentInput errorsSystematic vs. random processing errorsLack of an audit trailInappropriate access to computer files and programsReduced human involvement in processing transactionsConsider controls over computerized processing in understanding, assessment, and testing phases of evaluation of internal controlMod H-3Types of Computer ControlsGeneral ControlsRelate to all applications of a computerized processing system (pervasive)Deficiencies will affect processing of various types of transactionsAutomated Application ControlsRelate to specific business activitiesDirectly address management assertionsMod H-4Categories of General ControlsHardware controlsData not altered or modified as transmitted through systemProgram development controlsProgram acquisition and development properly authorizedPrograms tested and validated before being placed in useMod H-5Categories of General Controls (continued)Program change controlsProgram changes are properly authorized and conducted consistent with entity policiesPrograms have appropriate documentationComputer operations controlsRelate to processing of transactions and backup and recovery of dataIncludes separation of duties of analysts, programmers, and operatorsMod H-6Categories of General Controls (continued)Access to programs and data controlsRelate to restricting use of programs and data to authorized usersExamples include passwords, automatic terminal logoff, and reviewing access rights and comparing to usageMod H-7Types of Automated Application ControlsInput controlsProcessing controlsOutput controlsMod H-8Input ControlsProvide reasonable assurance thatAll transactions inputTransactions input once and only onceTransactions input accuratelyExamplesData entry and formattingCheck digitsRecord countsBatch totalsHash totalsMod H-9Processing ControlsProvide reasonable assurance thatTransactions are processed accuratelyAll transactions are processedTransactions are processed once and only onceExamplesTest processing accuracy of programsFile and operator controlsRun-to-run totalsControl total reportsLimit and reasonableness testsError correction and resubmissionMod H-10Output ControlsProvide reasonable assurance thatOutput reflects accurate processingOnly authorized persons receive output or have access to files generated from processing ExamplesReview of output for reasonablenessControl total reportsMaster file changesOutput distribution limited to appropriate person(s)Mod H-11Auditing in a Computerized EnvironmentAuditing “around” the computerReconcile input with output produced by computer processingDo not evaluate directly evaluate operating effectiveness of computer controlsAppropriate when computer is not used extensively and computer controls are limitedAuditing “through” the computerEvaluate operating effectiveness of computer controls and logic of computer processingAppropriate when computer is used extensively and client has implemented significant computer controlsMod H-12Testing Computer ControlsTesting controlsInquiryObservationInspect documentary evidenceReperformanceEvaluating computer processing and programsTest processing of actual transactionsTest processing of simulated transactionsMod H-13Techniques Using Actual TransactionsAudit teams evaluate controls by “observing” processing of actual transactions through computerized system in a typical processing runProgram-embedded techniquesSpecial modules coded into computer programsExamples include tagging, embedded audit modules, snapshot, monitoring systems activity, extended records, and program analysis techniquesParallel simulationMod H-14Techniques Using Simulated TransactionsTest data: Tested in a separate processing run by clientIntegrated test facility: Simulated data processed along with actual dataAuditors’Manual ProcessingClientSystemProcessingCompareMod H-15BenchmarkingAudit team tests operating effectiveness of automated application controls to establish baselineCan continue to rely on automated application controls if:Test general controls related to program changes, access to programs and data, and computer operationsGeneral controls continue to operate effectivelyAutomated application controls have not changed since the baselineMod H-16