auditing
TERM 4
• system / data CAATS
• sample testing
Alexandra Shtein
,AUDIT PROCESS
AUDIT PROCESS
planning
-> Knowledge of the business
-> understanding the systems
Pre-engagement -> materialitly
activities -> audit risk and risk assessment
-> audit strategy and approach
Audit
evaluation and
reporting
procedures
-> test of
control
-> substantive…
HOW DO COMPUTERS IMPACT THE AUDIT PROCESS
What changes at the CLIENT? What changed for the AUDIT What must the AUDITORS do?
Characteristics of the accounting & The following DOES change: Consider additional aspects:
system of internal control CHANGES ◦ Risks on which the audit must ◦ Pre-engagement activities
For example: focus ◦ Obtain an understanding of the
◦ Transactions (generating, ◦ Methods of obtaining audit accounting and system of
processing and storage) (eg evidence internal control (knowledge of
manual VS automated) ◦ Methods of conducting audit the business)
◦ Manual & IT internal controls procedures ◦ During the planning of nature/
(there are additional risks for ◦ Nature, extent and timing of time and extent of auditor
the client) procedures procedures
◦ Information send to ◦ Performing the audit
management (reports are The following does NOT change : procedures
automated) ◦ Overall extent and objective
◦ Audit objectives
◦ Audit process
,PRE-ENGAGEMENT ACTIVITIES (STAGE 1 )
BEFORE accepting the audit engagement (the client ), consider if you have the following :
• Skills required (DO I have the skills required to audit a complex system , IF NOT hire a specialist )
• Resources (hardware, software & time) (AT the client AND at myself )
• Funding (can I do this audit in a cost effective manner
• May require a computer specialist services
PLANNING (STAGE 2 )
A) Knowledge of the Considering normal aspects when understanding the IS AND :
business & ◦ Complexity of accounting activities
understanding the ◦ Significance of the computer activities
system ◦ Data availability
◦ Method of processing used
B) Understand the system Obtain an understanding of the accounting and system of Internal control
◦ IC around transactions (& info) relevant to the audit
◦ Specifically controls relating to significant classes of transactions , accounts & balances and
process to prepare the financial statements
◦ Focus on systems relating to financial reporting framework
◦ Identify relevant risks ( AT financial statement AND accounting level)
Distinguish between :
• Direct (internal controls that address RMM AT account/assertion level)
• Indirect
C) Risk assessment CIS results in a change in the characteristics of the system
◦ Giving rise to additional risks & introduces compensating controls
◦ Has an impact on the auditors risk assessment AND timing, nature and extent of audit
AR = IR x CR x DR procedures
Internal control (IC) characteristics and risks associated with the CIS environment :
◦ Identify “NEW” risks (IR) which are introduced by the CIS
- Financial statement level: errors and unusual items in the AFS
- Account/ assertion level : with respect to figures in the financial statements
◦ Evaluate internal controls which have been implemented in CIS (CR)
◦ Magnitude and likelihood of IR & CR evaluated separately
Risk evaluation is a systematic and iterative process :
1) Identify controls
2) Evaluate the design (on paper)
3) Test implementation (high level test/ walk through
4) Test operations
Characteristic / factors of CIS that give risk to RISKS:
a) NATURE OF PROCESSING
§ Absence of input documents
§ No clear segregation of duties
§ Lack of visible audit trail
§ Potential errors & inconsistencies
b) DEVELOP & PROCEDURAL ASPECTS
§ Consistent processing
v Advantage (programmed internal controls)
v Disadvantage (programming errors)
§ High speed processing
§ Interdependence of controls
§ Programmed application controls ( dependent on the integrity of the program) (IE
general controls only place reliance on the general controls which have operated
effectively )
§ User control (dependent on suitable programmed controls )
, D) Audit approach Decide on :
(more information è Audit strategy (high level)
on following è Audit approach (account & assertion level)
page) è Audit plan (detailed audit procedures in terms of account)
Follow a RISK based audit
- Audit must consider the CIS environment and risks (IR & CR) in designing the audit procedure
to reduce DR (detection risk) to an acceptable level
- MUST consider risks at BOTH financial statement and account/ assertion level
Need to assess the computerized controls – this depends on the complexity of the system
OVERALL APPROACH
NATURE 1) Combined approach (test of controls & substantive procedures)
2) Substantive approach (substantive procedures )
TIMING 1) Before year end
2) AT year end
EXTENT 1) Extensive
2) Limited
AUDIT APPROACH
SIMPLISTIC computer system COMPLEX system
• Review of computerized controls is UNNECSSARY • Must evaluate the computerized controls
• May ignore the computer & perform manual audit procedures • “THROUGH”
• “AROUND” à 1st general controls
à Then application controls
3 types of audit approaches:
1) Audit “AROUND” the CLIENTS system
2) Audit “THROUGH” the CLIENTS system
3) Audit “WITH” with the AUDITORS system
TERM 4
• system / data CAATS
• sample testing
Alexandra Shtein
,AUDIT PROCESS
AUDIT PROCESS
planning
-> Knowledge of the business
-> understanding the systems
Pre-engagement -> materialitly
activities -> audit risk and risk assessment
-> audit strategy and approach
Audit
evaluation and
reporting
procedures
-> test of
control
-> substantive…
HOW DO COMPUTERS IMPACT THE AUDIT PROCESS
What changes at the CLIENT? What changed for the AUDIT What must the AUDITORS do?
Characteristics of the accounting & The following DOES change: Consider additional aspects:
system of internal control CHANGES ◦ Risks on which the audit must ◦ Pre-engagement activities
For example: focus ◦ Obtain an understanding of the
◦ Transactions (generating, ◦ Methods of obtaining audit accounting and system of
processing and storage) (eg evidence internal control (knowledge of
manual VS automated) ◦ Methods of conducting audit the business)
◦ Manual & IT internal controls procedures ◦ During the planning of nature/
(there are additional risks for ◦ Nature, extent and timing of time and extent of auditor
the client) procedures procedures
◦ Information send to ◦ Performing the audit
management (reports are The following does NOT change : procedures
automated) ◦ Overall extent and objective
◦ Audit objectives
◦ Audit process
,PRE-ENGAGEMENT ACTIVITIES (STAGE 1 )
BEFORE accepting the audit engagement (the client ), consider if you have the following :
• Skills required (DO I have the skills required to audit a complex system , IF NOT hire a specialist )
• Resources (hardware, software & time) (AT the client AND at myself )
• Funding (can I do this audit in a cost effective manner
• May require a computer specialist services
PLANNING (STAGE 2 )
A) Knowledge of the Considering normal aspects when understanding the IS AND :
business & ◦ Complexity of accounting activities
understanding the ◦ Significance of the computer activities
system ◦ Data availability
◦ Method of processing used
B) Understand the system Obtain an understanding of the accounting and system of Internal control
◦ IC around transactions (& info) relevant to the audit
◦ Specifically controls relating to significant classes of transactions , accounts & balances and
process to prepare the financial statements
◦ Focus on systems relating to financial reporting framework
◦ Identify relevant risks ( AT financial statement AND accounting level)
Distinguish between :
• Direct (internal controls that address RMM AT account/assertion level)
• Indirect
C) Risk assessment CIS results in a change in the characteristics of the system
◦ Giving rise to additional risks & introduces compensating controls
◦ Has an impact on the auditors risk assessment AND timing, nature and extent of audit
AR = IR x CR x DR procedures
Internal control (IC) characteristics and risks associated with the CIS environment :
◦ Identify “NEW” risks (IR) which are introduced by the CIS
- Financial statement level: errors and unusual items in the AFS
- Account/ assertion level : with respect to figures in the financial statements
◦ Evaluate internal controls which have been implemented in CIS (CR)
◦ Magnitude and likelihood of IR & CR evaluated separately
Risk evaluation is a systematic and iterative process :
1) Identify controls
2) Evaluate the design (on paper)
3) Test implementation (high level test/ walk through
4) Test operations
Characteristic / factors of CIS that give risk to RISKS:
a) NATURE OF PROCESSING
§ Absence of input documents
§ No clear segregation of duties
§ Lack of visible audit trail
§ Potential errors & inconsistencies
b) DEVELOP & PROCEDURAL ASPECTS
§ Consistent processing
v Advantage (programmed internal controls)
v Disadvantage (programming errors)
§ High speed processing
§ Interdependence of controls
§ Programmed application controls ( dependent on the integrity of the program) (IE
general controls only place reliance on the general controls which have operated
effectively )
§ User control (dependent on suitable programmed controls )
, D) Audit approach Decide on :
(more information è Audit strategy (high level)
on following è Audit approach (account & assertion level)
page) è Audit plan (detailed audit procedures in terms of account)
Follow a RISK based audit
- Audit must consider the CIS environment and risks (IR & CR) in designing the audit procedure
to reduce DR (detection risk) to an acceptable level
- MUST consider risks at BOTH financial statement and account/ assertion level
Need to assess the computerized controls – this depends on the complexity of the system
OVERALL APPROACH
NATURE 1) Combined approach (test of controls & substantive procedures)
2) Substantive approach (substantive procedures )
TIMING 1) Before year end
2) AT year end
EXTENT 1) Extensive
2) Limited
AUDIT APPROACH
SIMPLISTIC computer system COMPLEX system
• Review of computerized controls is UNNECSSARY • Must evaluate the computerized controls
• May ignore the computer & perform manual audit procedures • “THROUGH”
• “AROUND” à 1st general controls
à Then application controls
3 types of audit approaches:
1) Audit “AROUND” the CLIENTS system
2) Audit “THROUGH” the CLIENTS system
3) Audit “WITH” with the AUDITORS system
