by Katherine Bagshaw
01 Oct 1998
This article is the third in a series of four, covering the most commonly examined subjects in
paper 6. In the August edition of the Students' Newsletter, we looked at the audit of
inventories. This month, we look at auditing in a Computer Information Systems (CIS)
environment.
Auditing in a CIS environment is, of course, the rule rather than the exception. The paper 6
examiner states that students should assume that accounting systems in exam questions are
computerised. Auditors all over the world now use computers to a greater or lesser extent, and
the proportion of their clients without a single PC must be very small. So once again, the
subject is important in practice as well as in theory.
There is a substantial body of guidance in this area which includes the following ISAs
(International Standards on Auditing) and IAPSs (International Auditing Practice Statements):
(i) ISA 401, Auditing in a Computer Information Systems Environment;
(ii) ISA 402, Audit Considerations Relating to Entities Using Service Organisations;
(iii) IAPS 1001, CIS Environments - Stand-Alone Microcomputers;
(iv) IAPS 1002, CIS Environments - On-Line Computer Systems;
(v) IAPS 1003, CIS Environments - Databases;
(vi) IAPS 1008, CIS Environments - Risk Assessments and Internal Control - CIS
Characteristics and Considerations;
(vii) IAPS 1009, CIS Environments - Computer-Assisted Audit Techniques.
Much of the IAPSs is taken up with descriptions of the various types of system and the issues
involved in auditing them. This article will take a rather more practical approach to exam
questions, as in previous articles. Don't worry about this area if you are not particularly
computer literate: the examiner does not expect you to have any specialist knowledge and you
can answer questions perfectly well with very little practical experience. Remember that there is
some crossover with the paper 5 syllabus here and you get double benefit from studying the
area!
There are four basic types of question that come up in the exam:
Type A: what are the particular features and risks involved in auditing in a CIS environment?
Type B: what CIS controls would you expect to find in this particular area?
Type C: how do auditors use computers in performing audits?
Type D: how would you use CAATs (Computer-Assisted Audit Techniques) in this area?
The area covered by ISA 402 is one that has not been examined frequently in the past, and it is
unlikely to form the subject matter of a full question.
TYPE A Questions
Type A questions deal with the features and risks involved in auditing in a CIS environment.
The IAPSs noted above deal with the features and risks of different types of system, but there
are elements common to them all. A typical Type A question might read as follows:
Type A question
Set out the CIS factors you will take into consideration when planning
the audit of a small enterprise that has acquired a network of PCs in its
only office, during the current period.
The suggested answer that follows is split into two parts. Part (a) deals with general CIS factors
which would be applicable to many different types of system. Part (b) deals with the effect of
the change in the system on audit planning.
TYPE B Questions
Type B questions are probably the commonest. They require you either to
set out what controls you would expect to see in a particular area, or to explain the
weaknesses in a given situation. We dealt with the approach to exam questions, and controls
generally, in a previous article. Here, we will simply revise the basic types of computer control,
in order to familiarise ourselves with the terminology.
We saw in the previous article that the control environment is assessed alongside specific
control procedures. In the context of computers, we deal with general CIS controls and CIS
application controls. Note that not all computer controls are necessarily computerised!
(a) General CIS Controls
The purpose of general CIS controls is to establish a framework of
overall control. General CIS controls act as an umbrella to CIS
application controls. Rather than deal with the control objectives
set out by IAPS 1008, which are rather too theoretical for most
students, the following constitutes a list of general CIS controls that
you can draw on to answer questions in this area:
(i) Access controls include the use of security personnel, locked
doors, keypads, swipecards and logical access controls
(passwords) that allow only authorised individuals access to the
relevant areas of the system. More sophisticated procedures would
include voice, fingerprint and retina recognition. Systems software
data shows who has attempted to enter the system, when, what
files were used and so on. Analysis of this data goes some way to
detecting, and therefore preventing, unauthorised access.
(ii) Encryption and callback procedures help prevent hacking,
particularly where public telecommunications lines or networks are
involved. File transfer protocols are necessary to ensure the
complete and accurate transfer of data without loss.
(iii) Read Only Memory (ROM) is necessary for the more important
program and data files; version control and file libraries help
protect data generally.
(iv) The use of antiviral software, the enforcement of policies
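The analysis of system access data described in item (i) above, as an added example that is not part of the original article: a short Python routine that reviews an access log for repeated failed logins, a successful login that follows them, logins outside working hours, and file access outside a user's authorisation. The log layout, user names, authorisation table and thresholds are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, event, file); not from the article.
SAMPLE_LOG = """\
1998-08-10 08:58:02,jsmith,LOGIN_OK,
1998-08-10 09:01:10,jsmith,FILE_READ,sales_ledger
1998-08-10 09:15:31,akhan,LOGIN_FAIL,
1998-08-10 09:15:40,akhan,LOGIN_FAIL,
1998-08-10 09:15:52,akhan,LOGIN_FAIL,
1998-08-10 09:16:05,akhan,LOGIN_OK,
1998-08-10 09:20:00,akhan,FILE_READ,payroll_master
1998-08-10 23:47:12,jsmith,LOGIN_OK,
1998-08-10 23:49:30,jsmith,FILE_WRITE,payroll_master
"""

# Assumed policy values, for illustration only.
AUTHORISED = {"jsmith": {"sales_ledger"}, "akhan": {"payroll_master"}}
WORK_START, WORK_END = 7, 19           # working hours, 07:00 to 18:59
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)

def review_access_log(text):
    """Return (timestamp, user, exception) tuples for audit follow-up."""
    findings = []
    fails = defaultdict(list)          # user -> recent failed-login times
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, event, fname = row
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Keep only this user's failures that fall inside the window.
        fails[user] = [t for t in fails[user] if when - t <= FAIL_WINDOW]
        if event == "LOGIN_FAIL":
            fails[user].append(when)
            if len(fails[user]) == FAIL_LIMIT:
                findings.append((ts, user, "repeated failed logins"))
        elif event == "LOGIN_OK":
            if len(fails[user]) >= FAIL_LIMIT:
                findings.append((ts, user, "login after repeated failures"))
            fails[user] = []
            if not WORK_START <= when.hour < WORK_END:
                findings.append((ts, user, "login outside working hours"))
        elif event in ("FILE_READ", "FILE_WRITE"):
            if fname not in AUTHORISED.get(user, set()):
                findings.append((ts, user, f"unauthorised {event}: {fname}"))
    return findings
```

Calling `review_access_log(SAMPLE_LOG)` returns four exceptions; the authorised reads of `sales_ledger` and `payroll_master` during working hours produce none.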
Your firm audits companies which use PCs and minicomputers in processing
and recording their accounting information. In the larger and more modern
systems, data is input into the system through terminals in remote
departments.
You are required to write a memorandum to the senior partner of your
audit firm on the application and use of PCs in the work of external
auditors. You should include topics (a) to (d) above and any others you
consider relevant. (20 marks)
To get maximum marks for a question like this, you need to use a proper memorandum format,
as in the suggested answer below. Every firm has a different layout for memos, so the precise
format is not important. There can be anything up to four marks allocated to style and
presentation in a 20 mark question such as this.
Types C & D Suggested Answer
MEMORANDUM
To: S. Partner
From: J Smith
Date: 12 August, 19X8
Subject: The Application and Use of PCs
This memorandum covers the use of PC applications on audits
under the following headings:
(a) spreadsheets
(b) statistical packages
(c) word processors
(d) CAATs
(e) practice considerations
(a) Spreadsheets
Spreadsheets are sheets, similar to analysis paper, divided
into individually referenced cells that can be programmed with
formulae in order to calculate and recalculate quickly and
accurately. They hold much more data than can be comfortably
held on analysis paper.
Conclusion
Auditing in a CIS environment is a wide area, but it is examined at a fairly basic level.
Familiarise yourself with the terminology and your paper 5 studies will also benefit.
The next and last article in this series will deal with the verification of balance sheet items.
http://www.accaglobal.com/archive/sa_oldarticles/49859