ELEVANT TO CAT QUALIFICATION PAPER 8 AND ACCA QUALIFICATION
PAPERS F8 AND P7
SPECIFIC ASPECTS OF AUDITING IN A
COMPUTER-BASED ENVIRONMENT
Information technology (IT) is integral to modern accounting and management
information systems. It is, therefore, imperative that auditors should be fully
aware of the impact of IT on the audit of a client’s financial statements, both in
the context of how it is used by a client to gather, process and report financial
information in its financial statements, and how the auditor can use IT in the
process of auditing the financial statements.
The purpose of this article is to provide guidance on following aspects of
auditing in a computer-based accounting environment:
? Application controls, comprising input, processing, output and master
file controls established by an audit client, over its computer-based
accounting system and
? Computer-assisted audit techniques (CAATs) that may be employed by
auditors to test and conclude on the integrity of a client’s
computer-based accounting system.
Exam questions on each of the aspects identified above are often answered to
an inadequate standard by a significant number of students – hence the reason
for this article.
Dealing with application controls and CAATs in turn:
APPLICATION CONTROLS
Application controls are those controls (manual and computerised) that relate
to the transaction and standing data pertaining to a computer-based
accounting system. They are specific to a given application and their objectives
are to ensure the completeness and accuracy of the accounting records and
the validity of entries made in those records. An effective computer-based
system will ensure that there are adequate controls existing at the point of
input, processing and output stages of the computer processing cycle and over
standing data contained in master files. Application controls need to be
ascertained, recorded and evaluated by the auditor as part of the process of
determining the risk of material misstatement in the audit client’s financial
statements.
Input controls
Control activities designed to ensure that input is authorised, complete,
accurate and timely are referred to as input controls. Dependent on the
complexity of the application program in question, such controls will vary in
terms of quantity and sophistication. Factors to be considered in determining
these variables include cost considerations, and confidentiality requirements
with regard to the data input. Input controls common to most effective
application programs include on-screen prompt facilities (for example, a
request for an authorised user to ‘log-in’) and a facility to produce an audit
2
SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASED
ENVIRONMENT
JANUARY 2011
trail allowing a user to trace a transaction from its origin to disposition in the
system.
Specific input validation checks may include:
Format checks
These ensure that information is input in the correct form. For example, the
requirement that the date of a sales invoice be input in numeric format only –
not numeric and alphanumeric.
Range checks
These ensure that information input is reasonable in line with expectations. For
example, where an entity rarely, if ever, makes bulk-buy purchases with a value
in excess of $50,000, a purchase invoice with an input value in excess of
$50,000 is rejected for review and follow-up.
Compatibility checks
These ensure that data input from two or more fields is compatible. For
example, a sales invoice value should be compatible with the amount of sales
tax charged on the invoice.
Validity checks
These ensure that the data input is valid. For example, where an entity
operates a job costing system – costs input to a previously completed job
should be rejected as invalid.
Exception checks
These ensure that an exception report is produced highlighting unusual
situations that have arisen following the input of a specific item. For example,
the carry forward of a negative value for inventory held.
Sequence checks
These facilitate completeness of processing by ensuring that documents
processed out of sequence are rejected. For example, where pre-numbered
goods received notes are issued to acknowledge the receipt of goods into
physical inventory, any input of notes out of sequence should be rejected.
Control totals
These also facilitate completeness of processing by ensure that pre-input,
manually prepared control totals are compared to control totals input. For
example, non-matching totals of a ‘batch’ of purchase invoices should result in
an on-screen user prompt, or the production of an exception report for
follow-up. The use of control totals in this way are also commonly referred to
as output controls (see below).