Special Considerations in an EDP Environment
It is highly desirable that the auditor obtain a sufficient understanding of the client’s internal controls (I/C) to plan the audit and assess control risk. If, on assessment, the control risk is shown to be low, the auditor can reduce substantive testing. When EDP is used in significant accounting applications, the auditor must consider the effects the computer has when evaluating the internal controls. The auditor’s approach to considering I/C is the same in a computerized environment as in a manual environment:
(A) Obtain and document understanding of the internal controls
(B) Assess control risk
(C) Perform tests of controls
(D) Reassess control risk
(A) Obtain and document an understanding of the I/C
The extent to which the auditor needs to understand the computer system is dependent upon the preliminary audit strategy selected:
(a) Primarily substantive approach--treat computer as a black number crunching box and just audit the inputs and outputs (auditing around the computer)
(b) Lower assessment of control risk--you rely on the computer’s controls (audit through the computer)
(B) Assess Control Risk
The auditor needs to assess the risk that the internal controls (including EDP controls) will not prevent or detect material errors or irregularities that will affect the financial statements.
(a) The Auditor considers the strengths and weaknesses of the general controls first.
Example of this in the Advances Module — One of the application (programmed) controls requires authorization from an officer before a cash credit account can be overdrawn above the drawing limit fixed. However, if the general controls over changes to programs cannot be relied on, then the advances module could be modified to allow an unauthorized clearing. Thus, the application control could not be relied on either.
(b) Identify the general controls on which the auditor plans to rely.
(c) Consider the strengths and weaknesses of application controls and user controls next.
(d) Identify the application and user controls on which the auditor plans to rely.
Now the auditor should make an initial assessment of whether the EDP controls appear reliable. He can:
1. Determine that the EDP controls do not, after detailed review, appear reliable, in which case the audit objectives can be achieved by other means (AUDIT AROUND THE COMPUTER if possible)
OR
2. Determine that the EDP controls appear reliable and move to tests of controls
(C) Tests of Controls (TCs) in Computer Environment
The purpose of TCs is to obtain reasonable assurance that the internal controls are functioning properly. The general controls are tested first, then the application and user controls. The TCs are done on a cycle-by-cycle basis, so the deposit module will be tested separately from the advances module (and so on). The Auditor does this because the controls in each cycle are different and independent.
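The following added example (not part of the original text) sketches in Python a test of controls for the Advances module case described earlier: the general control over program changes is checked first by comparing the deployed routine against an approved fingerprint, then constructed test data is run through the officer-authorization control. All function names, the fingerprint method and the test values are hypothetical assumptions made for illustration.

```python
import hashlib

def post_debit(outstanding, drawing_limit, amount, officer_id=None):
    """Approved application control: drawing above the limit needs an officer."""
    if outstanding + amount > drawing_limit and officer_id is None:
        return False  # rejected: unauthorized overdraw
    return True

def post_debit_modified(outstanding, drawing_limit, amount, officer_id=None):
    """Hypothetical unapproved program change: the authorization check is gone."""
    return True

def fingerprint(fn):
    """Stand-in for hashing the deployed program against the change record."""
    code = fn.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()

# Constructed test data: (outstanding, limit, amount, officer_id, expected result)
TEST_DATA = [
    (80_000, 100_000, 10_000, None, True),      # within the drawing limit
    (90_000, 100_000, 10_000, None, True),      # exactly at the limit
    (95_000, 100_000, 10_000, None, False),     # above the limit, no officer
    (95_000, 100_000, 10_000, "OFF-01", True),  # above the limit, authorized
]

def run_tests_of_controls(deployed_fn, approved_fingerprint):
    """General control first, then the application control on test data."""
    general_ok = fingerprint(deployed_fn) == approved_fingerprint
    exceptions = [case for case in TEST_DATA
                  if deployed_fn(*case[:4]) != case[4]]
    return {"general_control_ok": general_ok,
            "exceptions": exceptions,
            # The application control is relied on only if both layers pass.
            "rely_on_control": general_ok and not exceptions}

# Fingerprint recorded when the program change was approved (assumption).
APPROVED = fingerprint(post_debit)

if __name__ == "__main__":
    print(run_tests_of_controls(post_debit, APPROVED))
    print(run_tests_of_controls(post_debit_modified, APPROVED))
```

A fingerprint mismatch alone is enough to withhold reliance on the application control, even if every test transaction happens to pass.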
(D) Reassess control risk based on results of TCs
(1) High control risk would necessitate greater dependence on substantive testing and low reliance on computer controls.
(2) Low control risk means the computer controls can be relied upon to produce better & thus substantive testing can be reduced.
(3) No matter how good the controls are, some substantive testing should be done.
The areas that can be covered in audit under EDP environments are as under:
(1) Business Strategy
(2) Long Term IT Strategy
(3) Short Range IT Plans
(4) IS Security Policy
(5) Implementation of Security Policy
(6) IS Audit Guidelines
(7) Acquisition and Implementation of Packaged Software
(8) Development of software - in-house and outsourced
(9) Physical Access Controls
(10) Operating System Controls
(11) Application Systems Controls
(12) Database controls
(13) Network Management
(14) Maintenance
(15) Internet Banking.