SECTION 8
Auditing Complex EDP Systems
Auditing Complex EDP Systems
• Computer used extensively
– simple batch processing
– complex on-line, real-time processing
• Computer affects two aspects of audit risk
– assessing control risk
– managing detection risk
Around vs. Through the Computer
• Around
– manually calculate INPUT and trace to OUTPUT
• Through
– test the controls in the computer
Impact of Computer Controls
• Change in the Audit Trail
– less documentation offset by programmed controls
– file storage reduces need for hard copy
– testing shifts to examination of EDP controls
• Combination of Functions
– computer processing allows combining functions that are usually separate in manual systems
– e.g. input editing of a sales transaction
» customer number
» credit limit
» inventory number and price
Types of EDP Accounting Systems
• Batch Processing
– accumulated and processed in groups
– what is the main form of control?
– the main problem?
Batch Processing System
[Flowchart; labels: Input, Convert to machine readable form, T/A Tape, Transactions, Process, Old Master, New Master, Output, Compare Batch Total]
• Real-Time Processing
– transactions are edited on-line as they occur
– continuous file updating
– more complex than batch
– how does this method affect the audit trail?
Batch Processing System
[Diagram; labels: Input Terminal, Update, Master File 1, Master File 2, Master File 3]
Time Sharing and Service Bureaus
• Time sharing
– an entity processes data for itself and other entities
» i.e. shares its computer
• Service bureau
– processes transactions for other entities
» i.e. this is their business
Separate Files vs. Integrated Data Base
• File System
– main characteristic?
• Data Base
– main characteristic?
Hardware Configurations
• Electronic Data Interchange (EDI)
– on-line format
– computer-to-computer exchange
– public standard format
» Accredited Standards Committee of the American National Standards Institute (ANSI X12)
Two methods for EDI
1. The Direct Approach
[Diagram; labels: Suppliers Computer, Manufacturers Computer]
2. The Indirect Approach
[Diagram; labels: Company Computer, Third Party Network, Customer 1, Customer 2, Customer 3]
• Small Computer Systems
– small firms
– low cost and advanced hardware
• Distributed Data Processing
– companies with branches and divisions
– geographic dispersion
A Distributed System
[Diagram; labels: Head Office Mainframe, Branch 1 Computer, Branch 2 Computer, Branch 3 Computer, Branch 4 Computer]
– Types of computers at the branches?
Kinds of EDP Controls
• Two main classifications
1. General controls
2. Application controls
General Controls
a. Organization and Operating Controls
– segregation of duties very important
[Organization chart; boxes: Chief Operating Officer, Director of MIS, EDP Manager, Systems Analysts, Programmers, Computer Operators, Data Control, Data Librarian, Input Preparation]
b. Systems Development & Documentation
– control over definition, design, development, testing, and documentation of systems
– once designed and developed, the system must be thoroughly tested
– systems and programs must be documented
1.
2.
3.
c. Access Controls
– prevents unauthorized use
– batch systems
» who controls access in this case?
– on-line systems
» primary control for access?
d. Data and Procedural Controls
– to control daily operations
– backup files on and off the premises
– environmental controls
Application Controls
– a separate set of controls for each application
– How are application controls classified?
a. Input Controls
– computer edit controls
– ensure completeness and accuracy of input
b. Process Controls
– concerned with data manipulation once it is in the computer
– what type of control can be used as a process control?
c. Output Controls
– verification and distribution of output
Techniques for Testing EDP-Based Controls
• Best to understand as a number of steps as shown in the following flowchart
[Flowchart; labels: Understand EDP Controls, Document Understanding, Assess Control Risk, Test further (YES / NO), Test Controls, Design Substantive Tests]
Gaining an Understanding of EDP Controls
Two main ways:
– observation and enquiry
– studying the system and program documentation
1. Observation and Enquiry
– should look for the following:
a Segregation of functions
b Control of access to files and programs
c Approval of new systems and programs
d Existence of hardware and environmental controls
e The functioning of data and procedural controls
f Backup files
2. Systems and Program Documentation
– Documentation is an integral part
– Should include
1.
2.
The Testing of EDP Controls
– Auditor should be able to identify those controls that are necessary for the effectiveness of the application
– by testing these controls, which component of audit risk may be reduced?
– Two ways to look at testing
1.
2.
1. Auditing Around the Computer
[Diagram; labels: Client Input, CPU, Client Output; Client Input, Auditor Predetermines Output, Predetermined Output; Audit Comparison]
2. Auditing Through the Computer
[Diagram; labels: Auditor Input, CPU, Output; Auditor Input, Auditor Predetermines Results, Predetermined Results; Comparison]
Techniques for Auditing Through the Computer
1. Test Data Approach
– simulated data
– of what should this data consist?
– main problems of this approach
1.
2.
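The test data approach applied to the sales-transaction input edit mentioned earlier (customer number, credit limit, inventory number and price), as an added example that is not part of the original slides. The master files, error codes, quantity bound and the `check_credit` switch are hypothetical; the switch stands in for a client program whose credit-limit edit is missing.

```python
# Constructed master files standing in for the client's customer and inventory
# masters; amounts are in cents. All names and codes here are hypothetical.
CUSTOMERS = {"C100": {"credit_limit": 500_000, "balance": 420_000}}
INVENTORY = {"I-77": {"price": 2_500}}
MAX_QTY = 1_000  # limit / reasonableness bound (assumed)

def make_edit_routine(check_credit=True):
    """Build the program under test: the input edit for a sales transaction."""
    def edit_sale(txn):
        errors = []
        cust = CUSTOMERS.get(txn["customer"])
        item = INVENTORY.get(txn["item"])
        if cust is None:
            errors.append("BAD_CUSTOMER")
        if item is None:
            errors.append("BAD_ITEM")
        elif txn["price"] != item["price"]:
            errors.append("PRICE_MISMATCH")
        if not 0 < txn["qty"] <= MAX_QTY:
            errors.append("QTY_LIMIT")
        elif check_credit and cust and item:
            if cust["balance"] + txn["qty"] * item["price"] > cust["credit_limit"]:
                errors.append("OVER_CREDIT")
        return errors
    return edit_sale

def sale(customer="C100", item="I-77", qty=10, price=2_500):
    return {"customer": customer, "item": item, "qty": qty, "price": price}

# Auditor's test deck: simulated transactions paired with predetermined results.
TEST_DECK = [
    (sale(), []),                                # valid transaction
    (sale(customer="C999"), ["BAD_CUSTOMER"]),
    (sale(item="I-00"), ["BAD_ITEM"]),
    (sale(price=250), ["PRICE_MISMATCH"]),
    (sale(qty=0), ["QTY_LIMIT"]),
    (sale(qty=5_000), ["QTY_LIMIT"]),
    (sale(qty=40), ["OVER_CREDIT"]),             # 420,000 + 100,000 > 500,000
]

def run_test_deck(edit_routine, deck=TEST_DECK):
    """Process the deck and return exceptions as (index, expected, actual)."""
    exceptions = []
    for i, (txn, expected) in enumerate(deck):
        actual = edit_routine(txn)
        if actual != expected:
            exceptions.append((i, expected, actual))
    return exceptions

if __name__ == "__main__":
    print("controls present:", run_test_deck(make_edit_routine()))
    print("credit check missing:", run_test_deck(make_edit_routine(check_credit=False)))
```

An empty exception list means every simulated transaction produced its predetermined result; any entry identifies a control that did not operate as the auditor expected.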
2. Mini Company Approach
– also called the Integrated Test Facility
– a fictitious entity is created
– fictitious transactions are processed along with regular transactions
– any problems with this approach?
3. Simulation / Auditor’s Program Approach
– Auditor creates an application program that simulates the system
– uses client data as input
– potential uses of this approach
» sampling
» computations
» comparing
» summarizing
4. Generalized Audit Software
– most common type of audit software
– transportable from one client to another
– independent
– limited by the availability of the client's data files
Small Computer Systems
• Widespread
• Weaknesses in General Controls
1. Lack of segregation of duties
2. Location of the computer
3. Limited Knowledge of EDP
• Special Consideration for Application Controls
1. Data Entry
2. Data processing
3. Absence of Limit and Reasonableness Tests
• Study and Evaluation of Internal Control
– The effect of computer size on the auditor
– General controls are often weak
– More reliance on application controls
– If application controls and any manual controls are not reliable, what should the auditor do with regard to testing?