AUDITING IN COMPUTER ENVIRONMENT

What is
audit in a
computer
environme
nt?

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTER ENVIRONMENT

Approaches
Auditing around the computer
Auditing through the Computer
Auditing with the computer

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTER ENVIRONMENT

Use of computer of audit

automation
Working Papers
Statistical sampling and
analytical procedures

Decision Support System;

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTR ENVIRONMENT

Types of software on PC in order to aid his audit

work
Standard software for word processing ,
spreadsheets
Expert systems.
Generally, an auditor can use his PC to assist for
Production of time budget and budgetary
control .
Analytical procedures.
The maintenance of permanent file
information
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTER ENVIROMENT

The computer systems challenges

lack of visible evidence and
systematic errors. What to do?
techniques available to him,
The internal controls,
the availability of the data
the length of time it is retained in
a readily usable form.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTER ENVIRONMENT

Controls over audit computers

Security, and Accuracy (of input,
processing and output). The auditor
should exercise controls when PCs
are used by auditor in their work are
as follows:
Access controls for users by means of
passwords
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDITING IN COMPUTER ENVIRONMENT

Controls over audit computers

Back up of data contained on files,
regular production of hard copy; back-up
disks held off the premises.
Viral protection for programs and
Training users.
Evaluation and testing of programs use
6.Proper recording of input data , to
ensure reasonableness of output.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS IN CIS

The internal control over

computer based accounting
system

Application controls

General controls

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS IN CIS

The internal control over computer based

accounting system
Application controls:
The objective of application
controls (manual or programmed)
are to
Ensure completeness and
accuracy of accounting records
validity of entries made resulting
from both manual and
programmed processing.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS IN CIS

The internal control over computer based

accounting system
General controls;
relates to the environment CIS
are developed, maintained and
operated, and which are therefore
applicable to all the applications.
The objectives of general controls are .
The application controls and general controls

are inter-related. Strong general controls

contribute to assurance, which may be obtained
by an auditor in
relation
Mwakalobo@apt
APT
FINANCIAL
financial

CONSULTANTS

INTERNAL CONTROLS IN CIS

The specific requirements in order to

achieve the overall objectives of
application controls are: Control over the completeness and
authorization of input
Control over the completeness and
accuracy of processing
Control over the maintenance of master
files and the standing data contained
therein
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS IN CIS

In order to achieve the overall objective of general
controls, the controls required are: Control over applications development
To prevent or detect unauthorized changes to
programs
To ensure that all programs changes are adequately
tested and documented
Control to prevent and detect errors during program
execution
To prevent unauthorized amendments to data files
To ensure that system software is properly installed
and maintained
To ensure that proper documentation is kept
To ensure continuity of operations.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER ASSISTED AUDIT TECHNIQUES

(CAATs)
Definition
Techniques

in that the auditors are

afforded opportunities to use either the
enterprises or another computer to assist
them in performance of audit work.
CAATs, are ways in which the auditor may
use the computer in a computerized
information system to gather, or assist in
gathering, audit evidence.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CATEGORIES OF CAAT

Audit software
Test data
Other techniques
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CATEGORIES OF CAAT

Audit software:
generalized audit software
specialized audit software or
Interrogation softwares
utility programs and
existing entity programs.
Regardless of the source of the
programs, the auditor should
substantiate their validity for audit
purposes prior to use.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CATEGORIES OF CAAT

Audit software some uses

Stratify

accounting population and

select monetary unit statistical
samples.
Carry out an aging /usage analysis
of stocks
Perform detailed analytical reviews
of financial statements
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

TYPES OF CAATs
Test data
Is a CAAT in which test data
prepared by the auditor is
processed on the current
production version of the client's
software, but separately from the
client's normal input data.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

TYPES OF CAATs

Other techniques
embedded audit facilities
Integrated test facility
System Review and control file
( SCARF)
Application program examination

Mwakalobo@apt
financial

Internal control evaluation via; Flowchart

verification (Logical Path analysis ) ,Program
code verification (Code Comparison
Programs), Printout examination.

APT FINANCIAL
CONSULTANTS

CAATs and Sustentative testing

During substantive testing some, CAATs

are used frequently.

Audit software is used extensively to
examine accounting records maintained
on computer files
CAATs assists in carrying out analytical
review procedures
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Limits of CAATs

Limits of CAATs
Evaluation

of general controls
Use ICQ or the ICE approach.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PROGRAM AUTHENTICITY

Source Program authenticity

guarantee

that the correct application

program is being tested.
Live test data, integrated test
facilities and embedded audit facilities
as described above are audit
techniques, which help in this respect.
General controls
Copy must be identical to orignal

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

KNOWLEDGE BASED SYSTEM

Knowledge based systems

Decision

Support Systems and

Expert systems can be used to
assist with the auditors own
judgment and decisions.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

MANUAL Vs CAATs

Factors to consider in choosing between CAATs

and manual Techniques: Practicability of carrying out audit tests manually
Cost effectiveness of the procedures under
considerations.
Availability of audit time
The availability of appropriate computer facilities and
independence issue
The level of audit experience and expertise.
The extent of possible reliance upon internal audit
work
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

Planning an audit in a Computer

environment
Possibilities of attending during
system development stage
Consideration of use of CAATs
Practicability of manual audit
Expertise

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

Use of CAATS

The pattern cost associated with CAATs,

The extent of tests of controls or substantive
procedures achieved by both alternatives,
Ability to incorporate within the use of CAAT a number
of different audit tests.
Time of reporting

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

In using CAAT,
computer

facilities, computer files

and programs are available;
the auditors should plan the use of
CAAT in good time so that these copies
are retained for their use.
Internal auditor CAATs , consider ISA
Availability of computer facilities
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROL EVALUATION

Internal control evaluation

ICQ .
Weak controls = extensive
substantive procedures
In determining whether they wish to
place reliance on application controls or
general controls ,the auditors will be
influenced by the cost effectiveness and
ease of testing by the following matters
General controls and application
controls
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROL EVALUATION

Check systematic errors and program

intergrity
Manual examination may be useful in
small computer application
Observation, examination of
documentary evidence or reperforming
the procedures may be useful.
CAATs can also be useful
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Review of financial statements

Review of financial statements

CAATs

(audit software)
e.g analytical review.
The working papers should indicate the
work performed by CAAT, the auditors
conclusion, the manner in which any
technical problems were resolved and
may include any recommendations about
modification of CAAT for future audits.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDIT TRAIL.

Audit trail.
As the complexity of computer systems has

increased there has been a corresponding loss

of audit trail. Most systems have searching
facilities that are much quicker to use than
searching through print outs by hand.
This offsets the so- called loss of audit
trail to a significant extent. The trail is still
there, although it may have to be followed
through in electronic form.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER SERVICE BUREAUX

These are third part service organization who

provide EDP facilities to their clients

Factor to consider
make or buy decisions
Consider and Analyze the cost benefit;
Level of managements own computing
knowledge and their willingness to take
risk to unknown third party;

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER SERVICE BUREAUX

Factors to consider
The

volume and frequency of processing

requirements ;
The complexity of the program package
required ;The simpler the program the easier
it would be to process in house on Micro;
The importance of timelines in processing of
data check the efficiency and economy of DP
The confidentiality of the data being
processed.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Types of Bureaux
Independent

companies formed
to provide specialist computer
services
Computer manufacturers with
bureau
Computer users (e.g.
universities)
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AND CONTROL EXERCISED BY THE USER

When the system using bureaux is

set up it is essential that
a full feasibility study and
system design should be carried
out.
In practice the bureau may provide
assistance in performing these
tasks.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AND CONTROL EXERCISED BY THE USER

The control should include :

Prior vetting of bureau standards ;
Input controls at preparers end; bunching
and providing or authorizing in the same
way as usual;
Transit controls ;Physical transfer of
documents ;
batch controls ,physical security and
authorized personnel;
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PLANNING AND CONTROL EXERCISED BY THE USER

The control should include :

Electronic transmission of data ;batch totals,
passwords and possibly encryption coding for very
sensitive data;
Control over and action on rejection; there must be
strong control over the level of rejections; whose
fault, the bureaus or ours?;

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER SERVICE BUREAUX

Output controls :logging /registering

receipt of output material and original

documentation ,distribution and filing;
Master file amendment controls;
suggested control include the usual use of
pre-numbered properly authorized forms.
Special control of periodic print out of all
master file amendments;
Adequate insurance covering loss of data
or documents and computer breakdown at
the bureau itself ;The external auditor
Mwakalobo@apt
APT FINANCIAL
review of bureau
controls ;
financial

CONSULTANTS

COMPUTER SERVICE BUREAUX

A third party review an independent firm to carry

out review of internal controls, both the general

and application based. The report is then made
available to the auditors of clients of the bureaus.
This saves the bureau having to make provision
for many different sets of auditors all asking to run
CAATs on the bureaux system and complete
roughly similar ICQ/ICE forms.
Direct evaluation of the bureau by the auditor
using the CAATs , ICQ and ICE.;
Standby /back up /emergency arrangement ;
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER SERVICE BUREAUX

The compliance and substantive testing of

programmed procedures, the CAATs such

as discussed above are appropriate where
the client has the data and files on the
premises. They may not be possible in
context of the computer service bureau.
The client may have to arrange to have
files copied by the bureau or supplied to
the auditor for testing.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

Controls in real time systems

The main control problem is that primarily the
concern is on large, multiuser systems with
terminals (dumb terminals or networked PCs)
;The same person is often responsible for
producing and processing the same information.
Internal check ,supervisory controls should be
strengthened (segregation of duties) ;The ability
of a person using remote terminal to gain access
to databases at will results in the need for
special controls to ensure that files are neither
read nor written to (nor destroyed).
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

Physical controls;

Operating system; Use passwords( or lockwords)

or special badges or key; Restriction by the
operating system of a certain users to certain
files .eg wages dept can be given access to only
wages file; Logging of all attempted violation of
the above controls .eg Automatic shut down of
the PC or terminal used; All violations should be
speedily and thoroughly investigated
Application controls; Validity checks on input;
Reporting of unusual transactions; Passwords

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

DATABASE MANAGEMENT SYSTEMS (DBMS)

Main controls; Control to prevent or detect unauthorized

changes to programs;
No access to live program file by any personnel
except for the operation personnel at the central
computer; Password protection on
programs;Restricted access to the central computer
and terminal ;Maintenance of console; Periodic
comparison of live production programs to control
copies and supporting documentation.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

DATABASE MANAGEMENT SYSTEMS (DBMS)

Main controls; Controls to prevent or detect error

during operation;
Restriction of access to terminals by use of
password; Satisfactory application control over
input , processing and master file ;Use of
operation manuals and training all
users;Maintenance of logs showing unauthorized
attempts to access; Physical protection over data
files ;Training in emergency procedures
Controls to ensure integrity of the database system;
Restriction of access to data dictionary
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

DATABASE MANAGEMENT SYSTEMS (DBMS)

Controls to ensure integrity of the database

system; Restriction of access to data

dictionary( point of definition and
interrelationship of data); Segregation of duties
between data processing manager and data
base administration personnel; Liaison between
database administration function and systems
development personnel ;Preparation and update
as necessary of user manual in conjunction with
data dictionary
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

DATA BASE MANAGEMENT SYSTEM

The audit of DBMS creates particular problems as

the two principal CAATs , test data and audit

software, tend to work unsatisfactorily on
programs and files contained within such system.
The auditor may, however, be able to use embedded
audit facilities. Close liaison with the internal auditor
may provide audit comfort. The auditors should if
possible be involved at the evaluation, design and
development stages, so that they are able to
determine their audit requirements and identify
control problems before implementation.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

SMALL COMPUTER SYSTEM

Control problems in small computer

systems
The problems surrounding PCs can be
grouped as ;
Lack of planning over the acquisition
and use of PCs;
Lack of documentary evidence ;
Lack of security and confidentiality .
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COMPUTER FRAUD
Input

fraud :
Processing fraud;
Fraudulent use of computer
system;
Output fraud;

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

FACTORS- RISK TO COMPUTER FRAUD

Increase

in computer literacy
Communications e.g. telephone and
PCs and hackers
Reduction of internal
Improvements in quality of software and
increase in implementation of good
software has not kept pace with
improvements in hard ware

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

COUNTERACT COMPUTER FRAUD

Planned approach to counteract computer fraud.

All staff should be properly trained and should

fully appreciate their role in computer function
Management policy on fraud should be clear
and firm
A study should be carried to examine where the
company is exposed to possible fraud
A company should map out an approach or plan
in each area of the business to tackle and
prevent fraud.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONTROLS TO PREVENT COMPUTER FRAUDS

As with a control system, three areas to examine are;

prevention, detection and correction

Access to the computer terminals and other parts of the
computer should be restricted
Access to sensitive areas of the system should be logged
and monitored
Errors logs and reports should be monitored and
investigated on regular basis
Staff recruitment should include careful vetting ,include
taking up all references
Expert systems software may be used to monitor unusual
transactions
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

DEVELOPMENTS IN COMPUTERIZED
ENVIRONMENT

Many auditors are now finding their clients

conducting business through the internet.

As always, the principle audit concern ,
will be controls over the use of the
internet and the strength of audit
evidence obtained through the internet

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNET

Controls over the Internet

Unauthorized use of the internet

Staffs may use internet for unauthorized
purchases
Staff may use internet for accessing data
which have a costs (call)
People may be able to access business
internal systems via the internet and obtain
confidential information or launch virus which
disrupts internal systems

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONTROLS IN INTERNET

Controls from these risks include

Use of passwords,
Disabling certain terminals
Firewalls
Authorization the technique make sure that a
message has come from an authorized
sender
Virus control software regular updating
Physical controls ;against fire, damage etc

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

AUDIT EVIDENCE IN THE INTERNET

Audit evidence in the Internet

Certain general observations can be made about

audit evidence obtained through the Internet
Internet evidence generated by the auditor will be
stronger than evidence generated by client. Comfort
may be obtained if the auditor can access the internet
and test what the client has posted
Internet evidence can be obtained in written form and
thus stronger than oral evidence
If the internal controls mentioned above are strong
,the auditors will have more confidence in the quality
of evidence

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

WHAT ABOUT E-MAIL?

Email may have numerous advantages in

reducing office paperwork and speeding up

communication, but it also has dangers from an
audit point of view. e.g. unscrupulous employee
in a large organization might find it quite easy to
send and e-mail from his or her bosss computer
authorizing a substantial bonus /payrise
H/W; what controls could you put to prevent this

from happening
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONTROL IN INTERNET SYSTEM

Control of network system is of uttermost

importance .the auditors must be able to analyse

the risk of unauthorized access such as line tapping
or interception and to evaluate preventive measures
Authentication programs and encryption are used
for security .the auditor must understand those
matter and should be able to make
recommendations on implementation.
Password security is extremely important, and the
auditors may be called upon to recommend
complex password procedures for sophisticated
systems.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

ELECTRONIC DATA INTERCHANGE

Electronic data interchange (EDI) is now used very

widely because it cuts the task of re-inputting data
that has already been input into a system in
electronic form, saving time and improving
accuracy
EDI is authentic? What authorization measures
are in place to ensure that transactions above
certain value are properly authorized before
being transmitted or accepted?
What is the legal position of the two parties if the
transaction is disputed?
Encryption and authentication offer some help, as do
transaction logs that identify the originator or any
transactions generated and transmitted.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

WHAT IS EDI
Is the automated computer-to-

computer exchange of structured

business transactions between an
enterprise and its vendors,
customers, or other trading
partners in a standard format, with
a minimum of human intervention
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONSIDERATION OF AUDIT
STANDARDS
ISA 315, Understanding the Entity

and
Its
Environment
and
Assessing the Risks of Material
Misstatement and

ISA
330,
The
Auditors
Procedures
in
Response
to
Assessed Risks became effective.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONSIDERATION OF AUDIT STANDARDS

Major issues to be considered by an

auditor as per ISA

An auditor should consider new CIS
environment affects the audit
The overall objective of audit in CIS audit
never changes.
The design and performance of appropriate
tests of Controls and Substantive
procedures to achieve the audit objective
are likely to change.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CONSIDERATION OF AUDIT STANDARDS

Major issues to be considered by an auditor

as per ISA
The existence of computer is likely to have
an impact on the clients inherent risk and
control risk.
The auditor should have sufficient knowledge
of CIS to plan, direct supervise and review
the work performed.
The auditor should consider whether
specialized CIS skills are needed in an audit.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

ISA
The ISA makes it clear that auditors should have

sufficient knowledge of the CIS to perform such

audit effectively.I t is not necessary for overly
member of audit team to be a computer expert
auditors must consider need for specialized CIS
skills.ISA 620 using the work of expert is relevant.
In planning the portions of audit which may be
affected by the clients environment the auditor
should obtain an understanding of significance and
complexity of CIS activities and the availability of
data for use in the audit.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

ISA

Auditor must obtain understanding of

accounting and IC sufficient to plan an

effective approach.
Where CIS is significant, the auditor must
assess the effect of the CIS on in hereunto
control risk.
Complexity normally increases risk and
pensive deficiencies in program
development, mtc, physical security and
access controls would have an effect on all
applications that the system served.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

ELECTRONIC COMMERCE
IAPS 1013
Is any Commercial activity that takes place by means

of connected computers. E.g. offering goods for sale

directly from office computer; the purchasers
computer and office computer is connected over
Internet.
How do we audit ex-commerce?
International Audit Practice Standard ISPS 1013

(IAPs) in intended to assist auditors in identifying and

assessing the new risk to which the business in
exposed when it undertakes e-commerce transactions.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

MAJOR AREAS OF FOCUS BY THE IAPS 1013

The skill and knowledge required to

understand the implications of ecommerce on audit

The extent of knowledge an auditor
should have about the clients
business environment and
activities.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

MAJOR AREAS OF FOCUS BY THE IAPS 1013

The business, legal, regulatory and

other risk faced by entries engaged

in e-commerce transactions.
The effect of electronic records on
audit evidence.
The statement may be also helpful
to the auditor of any business
engaged in e-commerce.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

What is an IT audit?
Like operational, financial and compliance auditors,

Information Technology (IT) auditors work to:

Understand the existing internal control
environment
Identify high risk areas through a formal
methodology
Ensure that adequate internal controls are in place
and
operate effectively (through the testing of
said controls)
Recommend control implementation where risk
exists
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Why IT AUDIT?
Because of Information Technology RISK!!
Risk: The probability that a particular threat
exploits a particular vulnerability (i.e. an issue
which may impact ability to meet objective).
Threat: Event or entity with the potential to
cause unauthorized access, modification,
disclosure, or destruction of info resources.
Vulnerability: Weakness in a system control, or a
design flaw, that can be exploited to violate
system, network, or data integrity.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

What Reduces IT Risk and

What about any Remaining Risk?

Internal Controls (i.e. safeguards)

Control: Protective measure implemented
to ensure company assets (IT or
otherwise) are both available and accurate
in order to meet the business
requirements of that asset.
Residual Risk: The risk that is left over
after reasonable internal controls have
been both evaluated and implemented.
Internal Controls do not eliminate all risk!!
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS OTHER MATTERS

The are two major types of controls:

Application

Controls
General Controls.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

What about OTHER types of audits that

may impact Security Administration
functions
Traditional Audit Types:

Financial opinion audits (CPAs)

Operational process audits now

includes environmental & construction

Compliance laws/regulations and

policies, standards, and procedures

IT usually considered operational

unless performed so opinion auditors
may rely on financial info provided
Hybrid - Integrated Audit today almost all
audits are actually hybrid
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Operational Audits
Review operating policies/procedures

Documented policies/procedures?
Informal policies/procedures?
Work flow examined (thru flowchart or
description requested/developed)
Controls identified and documented
Examine the business process and
recommend improvements control related or
efficiency/effectiveness

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS OTHER MATTERS

General Controls:
The purpose of General controls is to

establish a framework of overall control

over the CIS activities and to provide a
reasonable level of assurance that the
overall objectives of IC are achieved.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS OTHER MATTERS

Categories of General Controls:

Organizational and Management control
-Helps to provide a proper
organizational framework including
regression of incompatible functions.
Application development and Mtc controls
-To ensure that applications are properly
developed, tested and maintained.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

INTERNAL CONTROLS OTHER MATTERS

Categories of General Controls:

Operational controls To ensure properly
authorized access to system and the
detection of errors.
Systems software controls to ensure the
integrity of the development and usage of
systems software.
Data entry & program controls to ensure
the integrity of data and program files.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CIS APPLICATION CONTROLS

CIS application controls.

The purpose of this control is to
establish specific control procedures
over the acting applications to
provide reasonable assurances that
all transactions are authorized,
recorded and processed, completely,
accurately and on a timely bases.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CIS APPLICATION CONTROLS

The Controls Include:
Controls over input designed to provide

reasonable assurance that: Transactions are properly authorized before

being processed by the computer transactions
are accurately converted into machined
readable form and recorded in the compute
data files.
Transactions are not lost, duplicated or
improperly changed.
Processing errors are identified and corrected
on timely basis
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

CIS APPLICATION CONTROLS

The Controls Include:

Controls over output designed to provide

reasonable assurance that: Results of processing are accounts; Access to

output is restricted to authorized personnel; Output
is provided to appropriate authorized personnel on
timely basis ;Normally the technique which control
the accuracy of input and processing while help to
control master file date; Since master file standing
data items are used many times over in
processing, they take on greaten importance than
transaction date and more costly controls such as
one - for one checks may be justified.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

MANUAL AND PROGRAMMED CONTROLS

Many controls over computers are manual controls, and
prodding that the manual controls exercised by
users are sufficient to provide reasonable assurance
of the completeness, accuracy and authorization of
output, test of control may be limited to those
manual controls. In a payroll system, for example, if
users test check gross pay, deductions net pay and
authorization at the output stage, and if they
compare net pay with approved bank transfer
documentation and perform regular bank
reconciliations; there may be no need to test
programmed controls.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

MANUAL CONTROLS
Other Controls:

Manual Controls
Physical Controls:
-Is a matter of common sense.
-Limit access to a computer room,
-Locks and keys, only to specified
people
-Prevention of smooking.
Back-up of disks:
-Create and update an identical back up
disk for every disk in the system; Data
files&Program files; The disk should be
Mwakalobo@apt
APT FINANCIAL
stored
in separate place.
financial
CONSULTANTS

MANUAL CONTROLS
Other Controls:

Manual Controls
Data filing:
-Each disk should be labeled clearly and filed
securely.The labeled disks should be filed in special disk
boxes to provide a degree of protection against liquid
being spoilt on the disks or their being bent or plied.
Documentation: It is vital, as it provides both a support
system for work already stored on disk and filed, and
progress report on data currently being processed or
updated.
Staff Training:
Proofing:There is always room for manual checking or
proofing, to control data on disk.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PROGRAMMED CONTROLS
Programmed Controls:

Passwords; Date/time stamps for compass on

of two revisions of data; Prompts Asking the

user to continue with an action or not.
Check Digit: A means of control on that they
ascertain whether or not a number, such as
ISBN is valid. E.g. customer account No. The
computer will detect of the number is ever input
incorrectly.
Batch totals and hash totals:
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

PROGRAMMED CONTROLS

Programmed Controls:
Reasonable checks: Checks to ensure that
data input is reasonable given the type of input
it is e.g. A payroll system would check that his
recorded for a falls within a range of 30 to 50.
Existence checks: Checks to ensure that the
data input is valid by checking that the entity
already exists in the system. E.g. employee
number.
Dependency checks: Data input fields can be
compared with other fields for reasonableness.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

SMALL STAND ALONE MICRO-COMPUTER

Main problems.

Internal Controls.
Major controls appropriate in
this environment are: Authorization:
Physical security
AUDIT PROCEDURES
Substantive tests

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Internal controls
Inherent limitations of the system of IC in
elimination of frauds & errors.
The need to balance the cost of control with its
benefits; The fact that IC are applied to systematic
transaction, not one-off year-end adjustments,
which are often larger and subject to error; The
potential human error; Possibility of circumvention
of IC through coolness in of managers or
employees with other parts inside /outside the
entity; Abuse of controls or override of controls e.g.
ordering of personal goods; Obsolescent of controls
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

FURTHER CONSIDERATION OF CAATs

Further considerations of CAATs

ISA requires auditors to obtain appropriate audit

evidence to be able to allow reasonable
conditions on which to base their opinion.

Advantages of CAATS:

Helps to test larger number of data hence increase

confidence in their opinion; Helps to test Accounting
Systems its records (Tables & Disk files) rather than
relying on testing printout; Are cost effective once set
up for obtaining audit evidence; Comparison can
easily be made from clerical audit work hence
increase confidence.

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

OTHER DETAIL MATTERS

Difficulties of using computer

programs cost.
Cost; Changes to clients system; Small
installations PC; Over elaboration;
Larger quantities of output; Version of
file used for lest.
Test Data:
Is a data submitted by the auditor for
processing the clients computer-based
accounting system.
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

OTHER DETAIL MATTERS

Major approached to the use of test data

Using

live data
Using dummy data in a normal
production nun.
Using dummy data in special nun.
Difficulties of test data:
Cost
Limited objective
Dangers of live testing
Difficult in recording audit evidence
Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS

Mwakalobo@apt
financial

APT FINANCIAL
CONSULTANTS