ATC F8 materials FF8 AA (Int)Session12 j08

Academic year: 2019

OVERVIEW

Objective

• To outline features, risks and controls in a computer information systems (CIS) environment and for e-commerce.

CIS
  - Meaning
  - Impact on audit

PLANNING CONSIDERATIONS
  - Skills and competence
  - Complex activities
  - Data availability
  - Impact on internal controls
  - Risks
  - Risk assessment
  - System changeover

GENERAL CONTROLS
  - Classification

APPLICATION CONTROLS
  - Classification
  - Alternative classification

ELECTRONIC COMMERCE
  - IAPS 1013
  - Skills and knowledge
  - Understanding the entity
  - Risk assessment
  - Security risks
  - Legal and regulatory issues
  - Internal control considerations
  - Audit evidence
  - Systems and infrastructure failures
  - Outsourcing arrangements
  - Going concern

MICRO-COMPUTERS
  - Characteristics
  - Audit implications
  - Effective controls
  - Spreadsheet packages

ON-LINE SYSTEMS
  - Definition
  - User functions
  - Terminal devices
  - Types of systems
  - Characteristics of systems
  - Internal control
  - Risk of fraud or error

DATABASE SYSTEMS
  - Elements
  - Characteristics

1 CIS

1.1 Meaning

Computer information system: a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.

• Virtually all business and financial systems involve computerised information systems to some degree. In the examination, assume that the system is computerised (including internet applications) unless told specifically otherwise.

1.2 Impact on audit

• The overall audit approach will be the same regardless of the balance between manual and computer-based controls. Understanding the entity, its environment and its internal control (the control environment, risk assessment, information systems, control activities and control monitoring) is an essential procedure for any system.

• Ethical considerations are the same, e.g. the auditor has to be competent to conduct the audit, so they will need the technical and practical knowledge to audit CIS.

• Differences between manual and computer information systems arise when:
  - assessing the forms of risk of material misstatement;
  - assessing information systems, control activities (e.g. general and application controls) and control monitoring (e.g. embedded monitoring procedures);
  - designing tests of control and substantive procedures; and
  - choosing the tools auditors may use to achieve their objectives (e.g. the use of computer-assisted audit techniques, CAATs (see Session 21)).

2 PLANNING CONSIDERATIONS

2.1 Skills and competence

• Depending on the complexity of the information system and its use (e.g. real-time processing, e-commerce), specialist skills may be needed to:
  - obtain an understanding of the business environment, the entity's objectives, strategies and business risks (e.g. critical dependence on IT; risk of system failure, of inappropriate IT investment and/or project management, of data corruption);
  - obtain a sufficient understanding of internal control (the control environment, risk assessment process, information systems, control activities, control monitoring, use of reporting facilities, use of automated monitoring systems);
  - determine the audit risk assessment, including the assignment team discussion on audit risks; and

2.2 Complex activities

• Examples that impact on planning include:
  - Senior management and those charged with governance do not fully understand the capabilities and processes of the system, e.g. they leave it to the IS manager and their team.
  - Users find it difficult to identify and/or correct errors due to the nature of the systems and/or the high volume of transactions.
  - Material transactions are automatically generated (e.g. a sale reducing book inventory to below the re-order level generates a purchase requisition which is electronically communicated to the supplier: supply chain management).
  - Automatic generation of transactions that are not independently validated (e.g. interest/discounts).
  - Electronic initiation of the transaction process, e.g. receipt of an order through a website or by e-mail.
  - Electronic data interchange of transactions without manual review for propriety or reasonableness.
  - The audit trail is invisible without the use of interrogation tools.

2.3 Data availability and timing of audit procedures

• Source documents and certain computer files required for audit may exist only for a short period of time before being overwritten. Either such data is stored for the auditor, or the auditor carries out their testing at various stages throughout the year when the data is available.

• Some systems may enable the use of embedded audit interrogation and process tracking (e.g. control operation is continuously checked). This allows continuous audit monitoring by internal and/or external auditors (i.e. real-time auditing).

• The use of computer-assisted audit techniques (CAATs) will often increase audit efficiency and enable the economic application of certain procedures to entire populations of account balances or transactions. CAATs are essential where systems are complex and the audit trail cannot be followed manually.

• The client's internal reports may be useful in performing substantive procedures (e.g. analytical procedures).

2.4 Impact on internal controls

• CIS internal controls comprise those external to the system (basically manual controls) and those internal to the system (programmed controls, i.e. operated by the system's programs).

• Programmed controls enable an entity to:
  - consistently apply predefined rules and uniformity of processing (e.g. eliminating manual processing errors; effective application of controls);
  - consistently apply complex calculations in processing large volumes of transactions or data;
  - enhance the timeliness, availability and accuracy of information;
  - facilitate the additional analysis of information, thus improving management supervision;
  - enhance the ability to monitor the performance of the entity's activities and its policies and procedures (e.g. control monitoring);
  - reduce the risk that controls will be circumvented (the program would need to be manually changed);
  - enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases and operating systems.

These factors, as applied to the processing of data and the application of controls, must be taken into consideration when planning the audit to ensure an effective and efficient approach.

2.5 Risks and risk assessment

• Business risks that are specific to CIS include:
  - Reliance on systems or programs that are inaccurately processing data (e.g. a programming error resulting in all like transactions being incorrectly processed), processing inaccurate data (e.g. data incorrectly captured or transferred from a previous process), or both.
  - Unauthorised access (hacking) to transaction data that may result in the destruction, corruption or alteration of that data, particularly where multi-access (internal and/or external) to the database is allowed, e.g.:
    - recording of unauthorised transactions;
    - recording transactions that have not occurred; or
    - inaccurate recording of transactions.
  - IT personnel gaining unauthorised access privileges (e.g. hacking), resulting in a breakdown of the IT segregation of duties, e.g. an analyst gaining access to a program being modified by a programmer.
  - Unauthorised changes to standing data in master files, e.g. adding non-existent employees; changing salary details.
  - Unauthorised changes to systems or programs, e.g. a programmer making unscheduled/unauthorised changes to a program.
  - Inappropriate controls within the systems development lifecycle, e.g. failure to adequately test each development stage, resulting in a program that does not meet user requirements.
  - Inappropriate or lack of manual intervention, e.g. failure to act upon error reports.
  - Failure to make necessary changes to systems or programs when required (whether by management or IS personnel), e.g. to meet customer needs; upgrading software to maintain competitive advantage.
  - Potential loss of data or inability to access data as required, e.g. system crash, denial-of-service attack, prolonged downtime.
  - Automatic initiation or execution of transactions (e.g. interest/discount calculations). Authorisation may not be documented, but implicit in management's acceptance of the design of the system.
  - The audit trail of the transactions may be fragmented, in that it may exist only for a short time.

• Understanding the business risk arising from the entity's reliance on CIS is essential. The auditor must take care to ensure that management carry out appropriate risk assessment and have adequate policies and controls in place to minimise IT/IS risk.
  - Inconsistencies between the entity's IT strategy and its business strategies can impact going concern.
  - Changes in the IS environment that are unrecognised or are not correctly project-managed will impact going concern.
  - Installation of significant new IT systems related to financial reporting that have not been correctly "thought through", tested and implemented (including data transfer and staff/user training) may result in material misstatements in the financial statements (as well as potential going-concern implications from incorrect decisions made by management based on incorrect information).

• At the assertion level, risk in a CIS environment may affect the likelihood of material error in two ways:

Pervasive
  - Deficiencies in certain activities (e.g. program development, software support, physical security) are considered pervasive in that they will impact a broad spectrum of CIS activity.
  - Examples:
    - Poor program development may result in the accounting records not reflecting actual transactions.
    - Poor access and physical security may result in data corruption leading to misstatements within the financial data.

Specific
  - The potential for errors (or fraudulent activities) may be increased in specific applications, files or processing activities.
  - Examples:
    - Systems that control cash disbursements may be susceptible to fraudulent actions by users or CIS personnel.
    - A specific exception report is not produced because of a programming error, meaning that updates to the standing data of that function are not checked and authorised.

2.7 System changeover

• Whenever there is a change within a system during the year (e.g. manual to computerised, PC network fileserver to middleware server), the impact on business risk, audit risk and the audit plan must be thought through, e.g.:
  - Completeness and accuracy of transferring data from the old system to the new.
  - Two systems operating at different times during a financial year using different internal control functions.
  - Timing of the changeover and its impact on materiality.

2.7.1 Data controls

• It is essential to ensure that the integrity of data is maintained during the changeover. If the opening data of the new system is incorrect, so will be the closing data.

• The whole data changeover project should be reviewed (and tested as necessary) by the auditor to ensure that, for example:
  - the old data is normalised (e.g. errors corrected, repeated data eliminated);
  - data-mapping has taken place (e.g. the old and new data formats are reconciled to allow transfer of data without error);
  - data transfer programs have been tested (e.g. by internal audit);
  - transferred data has been verified and validated (including the use of control totals);
  - appropriate backups of old and new data have been taken in case of system error or collapse.
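The changeover checks above (normalise the old data, map it to the new format, verify the transfer with control totals), as an added worked example that is not part of the original notes. It assumes a constructed old-system extract of customer balances in pence with zero-padded customer numbers and a new system holding decimal amounts keyed by integer customer id; the "faulty" transfer program is a constructed defect to show what the reconciliation catches.

```python
"""Data changeover controls: constructed example, not from the original notes.
Assumptions: the old system exports balances in pence with six-digit,
zero-padded customer numbers; the new system stores decimal amounts keyed by
an integer customer id."""
from decimal import Decimal

# Constructed extract from the old system.  "123" is the same customer as
# "000123" keyed without padding, and " 000789 " carries stray whitespace.
OLD_EXPORT = [
    {"cust_no": "000123", "balance_p": "12345"},
    {"cust_no": "123", "balance_p": "12345"},
    {"cust_no": "000456", "balance_p": "-250"},
    {"cust_no": " 000789 ", "balance_p": "100000"},
]


def normalise(old_records):
    """Correct known errors (padding, whitespace) and eliminate repeated data."""
    seen, clean = set(), []
    for rec in old_records:
        key = rec["cust_no"].strip().zfill(6)
        if key in seen:
            continue
        seen.add(key)
        clean.append({"cust_no": key, "balance_p": int(rec["balance_p"])})
    return clean


def map_to_new(old_rec):
    """Data mapping: old format (pence, padded string) to the new format."""
    return {"customer_id": int(old_rec["cust_no"]),
            "balance": Decimal(old_rec["balance_p"]) / 100}


def control_totals(records, id_field, value_field, scale=Decimal(1)):
    """Record count, value total and hash total (sum of the key field)."""
    return {"count": len(records),
            "value": sum((Decimal(r[value_field]) * scale for r in records), Decimal(0)),
            "hash": sum(int(r[id_field]) for r in records)}


def reconcile(expected, actual):
    """Differences per control total; an empty dict means the transfer agrees."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def faithful_transfer(clean):
    """A transfer program that carries every record across correctly."""
    return [map_to_new(r) for r in clean]


def faulty_transfer(clean):
    """Constructed defect: the transfer program silently drops the last record."""
    return [map_to_new(r) for r in clean[:-1]]


def run_changeover(old_records, transfer):
    """Normalise, take control totals, transfer, re-take totals and reconcile."""
    clean = normalise(old_records)
    expected = control_totals(clean, "cust_no", "balance_p", Decimal("0.01"))
    new_records = transfer(clean)
    actual = control_totals(new_records, "customer_id", "balance")
    return reconcile(expected, actual)


if __name__ == "__main__":
    print("faithful transfer:", run_changeover(OLD_EXPORT, faithful_transfer))
    print("faulty transfer:  ", run_changeover(OLD_EXPORT, faulty_transfer))
```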

2.7.2 Direct changeover

• An "overnight" switch from one system to another.

• Only adopted when there is insufficient similarity between the old and new systems to make an alternative method possible.

• Has none of the cost and time overheads of parallel running and pilot implementation.

• Requires very thorough testing, planned file creation and training strategies, as there is no opportunity for gradual training and further testing once the new system has "gone live".

• It is the quickest and easiest implementation strategy, BUT has the highest business risk. If the new system fails, the old system is usually not available to be reinstated.

2.7.3 Parallel running

• Old and new systems are run simultaneously (therefore costly in terms of time and support) for an agreed period of time, the same data being entered into both and their results compared (cross-checked).

• Sources of errors are located and the new system modified as necessary.

• When appropriate, the old system is abandoned and transactions are passed only through the new one.

• The safest approach, as the old system will not be closed down until the new system has been fully bedded in; but the most costly.

2.7.4 Stepped changeover

• Pilot operation is often used before direct or stepped changeover.

2.7.5 Pilot operation

• Retrospective parallel running processes historic data and compares new system results with those already known. This "out-of-phase" parallel running is effectively a large test data exercise.

• Alternatively, a limited number of transactions are processed live ("in-phase" parallel running). Though less rigorous than the above, it is less costly than duplicated entry.

Parallel running, out of phase
  - New system run on data from the previous period and results checked.
  - Easier to control than parallel running.
  - Changeover effected when results are satisfactory.

Piecemeal introduction
  - Useful in businesses which have several branches (e.g. retail stores).
  - Unlikely to be suitable for an integrated system.

3 GENERAL IT CONTROLS

• The policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued operational integrity and security of data and information systems.

• They aim to establish a framework of overall control and commonly address the risks noted in section 2.5 above, e.g. controls over:
  - the data centre and network operations;
  - system software acquisition, change and maintenance;
  - development of computer applications;
  - access security;

3.1 Classifications

• There are various classifications of general controls, e.g.:

Administration controls
  - Segregation of duties** between development (analysts and programmers), maintenance (librarian) and operation.
  - Logical access controls (e.g. passwords)** to enter systems.
  - Automatic computer log of program changes (independently reviewed by the IT manager).
  - Restricted physical access** (e.g. to the computer room).
  - Firewall and virus update protection.
  - Regular file copying ("dumping").
  - Job scheduling.
  - Backup power resources.
  - Disaster recovery procedures.
  - Maintenance and insurance.

Systems development controls
  - Standard procedures and documentation, including feasibility study and systems specification with flowcharts or data flow diagrams.
  - System and program testing (test and actual data). Usually pilot operation.
  - File conversion: requires a complete print-out and check of file contents before setting up operational master files.
  - Acceptance and authorisation procedures, e.g. by a responsible official of the project steering committee.
  - Training of user staff.

** Often classified as physical controls.

• Alternatively, classified by area (organization and management; application systems development; computer):
  - Policies and procedures.
  - Segregation of incompatible functions (e.g. preparing input, programming).
  - Testing, conversion, documentation.
  - Restricted access.
  - Authorisation of personnel and programs.
  - Processing errors are detected and corrected.
  - Authorisation and testing.
  - Restricted access to utilities that may not leave an audit trail.
  - Authorisation structure.
  - Off-site back-up.
  - Recovery procedures.

4 APPLICATION CONTROLS

• Manual or automated procedures that typically operate at a business process level. They can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. They relate to procedures used to initiate, record, process and report transactions or other financial data.

• Provide reasonable assurance that all transactions are authorised and recorded, and are processed completely, accurately and on a timely basis.

4.1 Classification

Input controls
  - Passwords (to terminals).
  - Validation checks.
  - Verification checks.
  - Batch totals.
  - Error investigation and feedback procedures.
  - Document counts.
  - Check digits.
  - Reasonableness ("range") checks.
  - Existence checks ⇒ mismatch reports ("file no data" or "data no file").
  - Sequence checks.
  - Format checks.

Processing controls
  - "Run-to-run" controls to ensure no data is lost.
  - Checking control totals.

Output controls
  - Investigating rejected items.
  - Reviewing accounts and trial balances.

Master file controls
  - Periodic print-out of standing data and comparison to independent control totals and data.
  - Authorisation of master file standing data updates.
  - Exception reporting (and authorisation) of all changes made to standing data.
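Several of the input controls in the table (check digits, range, format and existence checks with a "data no file" mismatch, sequence checks, batch totals and a rejected-items report) worked through in code, as an added example that is not from the original notes. It assumes a constructed customer master file and invoice batch, customer codes of six digits plus a modulus-11 check digit (weights 7 down to 2), and a batch control slip prepared from the source documents before keying.

```python
"""Input controls from the application-controls table: constructed example,
not from the original notes.  Assumptions: customer codes are six digits plus
a modulus-11 check digit (weights 7..2); invoice numbers are sequential within
a batch; quantities lie in 1..1000; dates are keyed as YYYY-MM-DD."""
import re
from decimal import Decimal

WEIGHTS = (7, 6, 5, 4, 3, 2)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
QTY_RANGE = (1, 1000)

# Constructed master file: customer codes carrying valid check digits.
MASTER_FILE = {"1234560", "2345676"}

# Constructed batch as keyed by the input clerk.
INVOICES = [
    {"inv_no": 1001, "customer": "1234560", "qty": 10, "date": "2019-03-01", "amount": "120.00"},
    {"inv_no": 1002, "customer": "2345676", "qty": 5000, "date": "2019-03-01", "amount": "250.00"},
    {"inv_no": 1003, "customer": "1243560", "qty": 4, "date": "2019-03-01", "amount": "80.00"},
    {"inv_no": 1005, "customer": "3456781", "qty": 1, "date": "2019-03-02", "amount": "45.00"},
    {"inv_no": 1006, "customer": "2345676", "qty": 3, "date": "01/03/2019", "amount": "30.00"},
]

# Control slip prepared from the source documents before keying (constructed):
# document count, value total and hash total of the customer codes.  The last
# invoice reads 33.00 on the source document but was keyed as 30.00.
CONTROL_SLIP = {"count": 5, "value": Decimal("528.00"), "hash": 10626253}


def mod11_check_digit(base):
    """Modulus-11 check digit for a six-digit base.  Returns None when the
    remainder would give 10; such codes are simply not issued."""
    total = sum(int(d) * w for d, w in zip(base, WEIGHTS))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)


def check_digit_ok(code):
    """Check digit: catches most keying errors, including transposed digits."""
    return len(code) == 7 and code.isdigit() and mod11_check_digit(code[:6]) == code[6]


def validate(rec, master_file):
    """Validation checks on one document; returns the reasons for rejection."""
    reasons = []
    if not DATE_RE.match(rec["date"]):
        reasons.append("format check: date not YYYY-MM-DD")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        reasons.append("range check: quantity outside %d..%d" % QTY_RANGE)
    if not check_digit_ok(rec["customer"]):
        reasons.append("check digit: invalid customer code")
    elif rec["customer"] not in master_file:
        reasons.append("existence check: data no file (customer not on master file)")
    return reasons


def sequence_check(records):
    """Missing and duplicated document numbers within the batch."""
    nums = sorted(r["inv_no"] for r in records)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in nums]
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicates


def batch_totals(records):
    """Document count, value total and hash total of the customer codes."""
    return {"count": len(records),
            "value": sum((Decimal(r["amount"]) for r in records), Decimal(0)),
            "hash": sum(int(r["customer"]) for r in records)}


def process_batch(records, master_file, control_slip):
    """Run the input controls and return what error investigation must follow up."""
    rejected = [(r["inv_no"], why) for r in records for why in validate(r, master_file)]
    missing, duplicates = sequence_check(records)
    totals = batch_totals(records)
    batch = {k: (control_slip[k], totals[k]) for k in control_slip if control_slip[k] != totals[k]}
    return {"rejected": rejected, "missing": missing, "duplicates": duplicates, "batch": batch}


if __name__ == "__main__":
    for key, value in process_batch(INVOICES, MASTER_FILE, CONTROL_SLIP).items():
        print(key, value)
```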

4.2 Alternative classification

• Two types:

Transaction controls aim to ensure:
  - completeness;
  - accuracy;
  - validity.

File controls aim to ensure:
  - file continuity;
  - asset protection, e.g. keys, security-coded entry; approval and recording.

5 ELECTRONIC COMMERCE

5.1 IAPS 1013

• It is likely that within the examination one of the scenarios will incorporate an element related to the internet, e.g. orders placed over a website. IAPS 1013 Electronic Commerce: Effect on the Audit of Financial Statements provides guidance on the application of Auditing Standards where the reporting entity uses the Internet (or another public network) for e-commerce.

• Whilst written specifically for e-commerce, much of the guidance can be applied generally to the audit approach for any IT/IS process.

5.2 Skills and knowledge

• The auditor requires appropriate levels of IT and e-com skills and knowledge to understand the potential impact on the financial statements of:
  - the entity's e-com strategy and activities;
  - the technology used and the IT skills and knowledge of entity staff;
  - the risks arising from the entity's use of e-com;
  - the entity's approach to managing those risks; and
  - the adequacy of the internal control system as it affects the financial reporting process.

• Specialist skills and knowledge may be required, for example:
  - to understand the inherent risks and management's response to them;
  - to make suitable inquiries and understand the implications of responses received;
  - to determine the nature, extent and timing ("NET") of audit procedures and evaluate audit evidence in terms of its relevance, reliability and sufficiency ("RRS");
  - to evaluate the entity's ability to continue as a going concern (having regard to its dependence on e-com activities).

• If the auditor uses the work of an expert (e.g. where it is appropriate for a professional to test security through vulnerability or penetration tests), ISA 620 Using the Work of an Expert will be relevant.

5.3 Understanding the entity

• In considering the impact of e-com business risks on the reporting entity's financial statements, the auditor should assess the entity's:
  - involvement with e-com;

5.3.1 Extent of involvement in Internet e-com

• Internet e-com can be used to:
  - provide only information (e.g. about the entity's activities) which can be accessed by third parties (e.g. investors, customers, suppliers, providers of finance and employees);
  - process business transactions with established customers;
  - gain access to new markets and new customers by providing information and transaction processing via the Internet;
  - access Application Service Providers (ASPs);
  - create an entirely new business model.

• The risks of simply providing information, without third-party interactive access, are relatively low, whereas the security infrastructure and related controls will need to be more extensive when a website is used for transacting business. Also, conducting business through a public network is inherently riskier than through a private network.

5.4 Risk assessment

5.4.1 Business activities and industry

• E-com activities may:
  - be complementary to a traditional business activity (e.g. selling books delivered by conventional methods from a contract initiated via the website); or
  - represent a new line of business (e.g. selling and delivering products downloadable via the Internet).

• The effect of business risks on an entity's financial statements may be greater in those industries that have been most influenced by e-com. For example:
  - computer software and hardware;
  - banking and securities trading;
  - travel and holiday services;
  - books, magazines and recorded music;
  - advertising, news and media;
  - gifts and "mail order";
  - education and training.

5.4.2 Internet e-com strategy

• The security, completeness and reliability of an entity's financial information may be affected by:
  - the way IT is used for e-com; and
  - the entity's assessment of acceptable risk levels.

• Although these risks may be mitigated by the internal control system, particularly the security infrastructure and related controls, there will always be some residual risk that cannot be eliminated (e.g. arising from "hackers").

• Management must therefore determine the level of risk it is willing to accept regarding its e-com activities, based on a trade-off between:
  - the entity's tolerance for risk; and
  - the cost-effectiveness of added controls and other risk management techniques.

• In considering the entity's e-com strategy, and how it fits with its overall business strategy, the auditor should assess:
  - whether e-com supports a new activity or is expected to improve the efficiency of existing activities;
  - sources of revenue and how these are changing (e.g. whether the entity will be acting as a principal or agent for goods or services sold);
  - management's evaluation of how e-com affects earnings and financial requirements;
  - management's attitude to risk and how this may affect the entity's risk profile;
  - the extent to which e-com opportunities and risks have been identified in a documented strategy that is supported by appropriate controls (or whether development of e-com is on an ad hoc basis, responding to opportunities and risks as they arise).

5.4.3 Risk identification

• The auditor should identify those business risks arising from e-com activities that may have a material effect on the financial statements, the conduct of the audit or the auditor's report, e.g.:
  - loss of transaction integrity (which may be compounded by a lack of "audit trail");
  - pervasive e-com security risks (e.g. denial of service, viruses and fraud through unauthorised access; see also below);
  - non-compliance with legal and regulatory requirements (including taxation), especially when transacting across international boundaries;
  - failure to ensure that contracts evidenced only by electronic means are binding (e.g. by failing to ensure the authenticity of third parties);
  - systems and infrastructure failures or "crashes";
  - improper accounting policies related to capitalisation (e.g. of website development costs) and revenue recognition issues;

5.5 Security risks

5.5.1 Recording and processing e-com transactions

• When a private network is used for commercial activities (e.g. EDI), transactions are transmitted between trading partners through a dedicated "pipeline" with secure access provided only to trading partners.

• However, when commercial activities are carried out over the Internet, the "pipeline" is a "public highway" and, if appropriate security controls are not established, the information in the "pipeline" might be intentionally or accidentally accessed by unauthorised parties.

• There are pervasive security risks associated with e-com because, for example:
  - internet protocols may carry no identity, so anyone can hold themselves out to be someone else;
  - the network, transport and data layers of the Internet may not have been designed with security in mind;
  - there is no central management of the Internet.

• Further security risks arise from processing transactions over the Internet. For example:
  - reliance on relevant and adequate systems design to prevent, or to detect and report, exceptions for human intervention;
  - reliance on programmed controls dealing with large volumes of transactions at fast processing speeds, with adequate controls needed to ensure that errors or abuses are detected; and
  - risks arising from remote transactions initiated by users, including the need for controls to distinguish between a customer or supplier, an employee and a hacker.

• Management may be particularly concerned with the adequacy of security measures where:
  - there is direct access via a public network to the entity's systems and to customer information;
  - payments (e.g. electronic funds transfers and credit card payments) are processed via the Internet;
  - failure of encryption-based security could allow crimes to be carried out more easily over the Internet.

5.5.2 Security infrastructure and related controls

• Some business risks arising in e-com should be addressed through the implementation of an appropriate security infrastructure and related controls to:
  - obtain payment from, or secure credit facilities for, customers;
  - facilitate the return of goods and claims under product warranties;
  - establish privacy and information protection protocols;
  - meet taxation and other legal and regulatory compliance issues;
  - agree terms of trade, including transaction tracking and non-repudiation procedures (i.e. procedures to ensure a party to a transaction cannot later deny having agreed to specified terms).

5.6 Legal and regulatory issues

• Currently there is no international legal framework for e-com, nor an efficient international infrastructure to support such a framework (e.g. electronic signatures, document registries, dispute mechanisms, consumer protection, etc.).

• However, various jurisdictions have introduced (and are in the process of introducing) the necessary legislation to support electronic commerce, especially across borders.

• ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements requires that, when planning and performing audit procedures, the auditor recognises that non-compliance with laws and regulations may materially affect the financial statements.
  - For example, the charging and collection of value added tax (VAT) and sales taxes on cross-border internet sales is an issue that the auditor must ensure clients comply with.

5.7 Internal control considerations

• The auditor should consider the effectiveness of the control environment and control procedures which can mitigate many of the risks associated with e-com activities (to the extent they are relevant to the financial statement assertions), in accordance with ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment.

• The following aspects of internal control, which are described below, are particularly relevant:
  - security;
  - transaction integrity; and
  - process alignment.

• Also:
  - maintaining the integrity of control procedures in a rapidly changing technological environment;
  - ensuring access to relevant records to meet the entity's needs and for audit

5.7.1 Security

• The security infrastructure and related controls may include:
  - an information security policy;
  - an information security risk assessment;
  - physical measures; and
  - logical and other technical safeguards (e.g. user identifiers, passwords and firewalls).

• Security risks related to the recording and processing of e-com transactions will usually be addressed through the security infrastructure and related controls. To the extent they are relevant to the financial statement assertions, the auditor considers, for example:
  - the use of firewalls to protect systems from unauthorised or harmful software, data or other material in electronic form;
  - the use of encryption to maintain the privacy and security of transmissions (e.g. through authorised decryption keys);
  - controls over the development and implementation of systems used to support e-com activities;
  - whether existing security controls continue to be effective as new technologies that can be used to attack Internet security become available;
  - whether the control environment supports the control procedures implemented; as with any system, even sophisticated control procedures may not be effective if they operate within an inadequate control environment.

5.7.2 Transaction integrity

• The nature and extent of risks related to the completeness, accuracy, timeliness and authorisation of information provided for recording and processing in the financial records (transaction integrity) depend on the nature and the level of sophistication of e-com activities.

Example 1

The receipt of a customer order over the Internet is an originating transaction for Mazona, which sells cosmetics. This transaction automatically initiates all other stages in processing the transaction.

Required:

Suggest six objectives of automated controls that relate to the integrity of transactions as they are captured and then immediately and automatically processed.

Solution

5.7.3 Process alignment

• The way different IT systems are integrated with one another so as to operate as one system (i.e. process alignment) is particularly important for e-com.

• Transactions generated on a website must be properly processed by internal "back office" systems (e.g. accounts, customer relationships and inventory management). Many websites are not automatically integrated with such systems.

• The way e-com transactions are captured and transferred to the entity's accounting system may affect:
  - the completeness and accuracy of transaction processing and information storage;
  - the timing of revenue recognition (also purchases and other transactions);
  - the identification and recording of disputed transactions.

• When it is relevant to the financial statement assertions, the auditor considers the controls over:
  - the integration of e-com transactions with internal systems (e.g. full integration with accounting systems is relatively rare); and

5.8 Audit evidence

5.8.1 Effect of electronic records

• There may not be any paper records for e-com transactions (and electronic records may be more easily destroyed or altered than paper records, without leaving evidence of destruction or alteration).

• The auditor must therefore consider whether the information security policies and the security controls implemented are adequate to prevent unauthorised changes to the accounting system.

• When considering the integrity of electronic evidence, the auditor may test automated controls including:
  - record integrity checks;
  - electronic date stamps;
  - digital signatures; and
  - version controls.

• Depending on the auditor's assessment of the appropriateness of design and effectiveness of these controls, the auditor may also consider the need for external confirmation of transaction details or account balances (ISA 505).
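How the four automated controls just listed (record integrity checks, electronic date stamps, digital signatures and version controls) work together so that an electronic record cannot be altered or removed without leaving evidence, as an added example that is not from the original notes. It assumes a constructed ledger of invoice records and uses an HMAC as a stand-in for a digital signature, with the sealing key held outside the application (e.g. by internal audit); each seal also covers the previous record's seal, so deletions and re-ordering are detected as well as alterations.

```python
"""Electronic record integrity controls: constructed example, not from the
original notes.  Assumptions: an append-only ledger where every version of a
record carries a version number and an electronic date stamp and is sealed
with an HMAC (standing in for a digital signature) chained to the previous
record's seal; the key is held outside the application."""
import hashlib
import hmac
import json

GENESIS = "GENESIS"   # prev_seal value of the first record


def canonical(fields):
    """Canonical byte encoding of a record so the seal is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(fields, key, prev_seal):
    """Attach the previous seal and an HMAC over the whole record."""
    body = dict(fields, prev_seal=prev_seal)
    body["seal"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def append_version(ledger, key, txn_id, data, date_stamp):
    """Version control: a correction is a new version, never an overwrite."""
    version = max((r["version"] for r in ledger if r["txn_id"] == txn_id), default=0) + 1
    fields = {"txn_id": txn_id, "version": version, "date_stamp": date_stamp, **data}
    prev_seal = ledger[-1]["seal"] if ledger else GENESIS
    ledger.append(seal(fields, key, prev_seal))


def verify(ledger, key):
    """Record integrity check: returns (position, problem) pairs; empty = intact."""
    problems, expected_prev, versions = [], GENESIS, {}
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if rec.get("prev_seal") != expected_prev:
            problems.append((i, "chain break: record removed or reordered"))
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec.get("seal", "")):
            problems.append((i, "seal mismatch: record altered"))
        if rec["version"] != versions.get(rec["txn_id"], 0) + 1:
            problems.append((i, "version gap: earlier version missing"))
        versions[rec["txn_id"]] = rec["version"]
        expected_prev = rec.get("seal", "")
    return problems


def altered_copy(ledger, index, field, value):
    """Copy of the ledger with one field changed directly, seal left as it was
    (what an unauthorised edit to the stored data looks like)."""
    copy = json.loads(json.dumps(ledger))
    copy[index][field] = value
    return copy


def sample_ledger(key):
    """Constructed ledger: two invoices, then a corrected version of the first."""
    ledger = []
    append_version(ledger, key, "INV-1", {"customer": "1234560", "amount": "120.00"}, "2019-03-01T10:00:00Z")
    append_version(ledger, key, "INV-2", {"customer": "2345676", "amount": "250.00"}, "2019-03-01T10:05:00Z")
    append_version(ledger, key, "INV-1", {"customer": "1234560", "amount": "110.00"}, "2019-03-02T09:00:00Z")
    return ledger


if __name__ == "__main__":
    key = b"constructed-demo-key"
    ledger = sample_ledger(key)
    print("intact:   ", verify(ledger, key))
    print("altered:  ", verify(altered_copy(ledger, 0, "amount", "12.00"), key))
    print("backdated:", verify(altered_copy(ledger, 2, "date_stamp", "2019-03-01T09:00:00Z"), key))
    print("deleted:  ", verify(ledger[:1] + ledger[2:], key))
```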

5.9 Systems and infrastructure failures

• When e-com activities are significant, the auditor should consider the measures taken by the entity:
  - to prevent systems failures; and
  - to ensure business continuity in the event of a system or infrastructure failure.

Example 2

Solution

Systems failures

Either at the entity or at a service organization (used for outsourced functions).

Infrastructure failures

Infrastructure failures are not ordinarily within the direct control of the entity and may be caused by:

Consequences

5.10 Outsourcing arrangements

¾ Entities which do not have the necessary technical expertise may depend on service organizations, e.g.:

‰ Internet Service Providers (ISPs);

‰ Application Service Providers (ASPs); and

‰ Data hosting companies.

¾ Service organizations may also be used for e-com related activities (e.g. order fulfilment, delivery of goods, call centre operations and some accounting functions).

¾ The auditor considers how the entity responds to risks arising from the outsourced activities in accordance with ISA 402 Audit Considerations Relating to Entities Using Service Organizations including business continuity plans and service level agreements (e.g. security response times and back-up), if relevant (see Session 14).

5.11 Going concern

¾ Many businesses report losses on e-com activities (which can be expensive to implement and support) when starting up. Significant losses may cast doubt on the going concern basis.

¾ When e-com is particularly important to an industry in which an entity’s own e-com activities are not well developed, questions about the entity’s business prospects may cast significant doubt on its ability to continue as a going concern − especially when cash is spent more quickly than it is earned.

¾ When significant doubt exists, the auditor considers ISA 570 Going Concern and the need to obtain information concerning the entity’s liquidity position and its financing arrangements.

6 MICROCOMPUTERS

6.1 Characteristics

6.2 Audit implications

Each characteristic is paired with its audit implication (characteristic ⇒ implication):

¾ Lack of segregation of duties (between data preparation, computer operation, distribution of output and systems modification) ⇒ Control risk increased relative to an equivalent manual system – errors may go undetected and/or fraud may be perpetrated

¾ Inadequate physical security. No need for specially controlled environment, ∴ access rarely restricted ⇒ Increased risk of corruption, damage, loss or theft

¾ Ease of access (e.g. via terminals). People with little computer knowledge may gain unauthorized access to master files and programs ⇒ Risk of misuse or corruption

¾ Inadequate staff training. Limited specialist knowledge may result in insufficient training, e.g. in recovery procedures.

Users lack expertise to make modifications, therefore risk of program errors is reduced. Danger that ‘amateur’ approach to ‘I can fix it’ will corrupt program and data.

¾ Lack of computer expertise/technically qualified staff ⇒ Auditor’s involvement at selection/implementation stages is crucial

¾ Lack of program testing – package software may not be entirely suitable for client’s purposes

¾ Lack of computer control facilities – e.g. operations logs and reconstruction facilities ⇒ It is more effective to perform pre-implementation review to suggest additional facilities

¾ Shortage of computer time ⇒ May limit use of CAATs

¾ On-line (or real-time) and controlled by menus displayed on terminals ⇒ Risk of error or fraud may be increased

¾ Integrated ledgers ⇒ Risk of certain errors (e.g. "single entry") eliminated

6.3 Effective controls

6.3.1 Policies and procedures

¾ Policies and procedures that will enhance the overall control environment include:

‰ Acquisition, implementation and documentation standards.

‰ User training.

‰ Physical security, data back-up and storage guidelines.

‰ Password management.

‰ Personal usage policies.

‰ Software acquisition and usage standards.

‰ Data protection standards.

‰ Program maintenance and technical support.

‰ Appropriate level of segregation of duties and responsibilities.

‰ Virus protection.

6.3.2 Application controls

¾ A system of transaction logs and batch balancing.

¾ Direct supervision.

¾ Reconciliation of record counts or hash totals.

¾ An independent function to

‰ receive all data for processing

‰ ensure that all data are authorized and recorded

‰ follow up all errors detected during processing

‰ verify the proper distribution of output
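Batch balancing and the reconciliation of record counts and hash totals, as an added Python illustration (not code from the study text): control totals are established over a constructed batch of sales-ledger postings before submission and recomputed after a simulated processing run. The batch, the account numbers and the processing faults are constructed for the example; a hash total is the sum of a field that has no arithmetic meaning of its own (here the account numbers), so it exposes a substituted or dropped record even when the record count still agrees.

```python
"""Batch balancing with record counts, hash totals and amount totals
(added illustration; not from the study text).  The batch of sales-ledger
postings and the processing faults are constructed for the example."""
from decimal import Decimal
from typing import List, Optional


def batch_totals(records: List[dict]) -> dict:
    """Control totals established over a batch before it is submitted for processing.

    count  - number of records
    hash   - sum of the account numbers; the total has no business meaning and
             exists only to reveal a dropped, duplicated or substituted record
    amount - sum of the monetary field
    """
    return {
        "count": len(records),
        "hash": sum(int(r["account"]) for r in records),
        "amount": sum(Decimal(r["amount"]) for r in records),
    }


def reconcile(submitted: dict, processed: dict) -> List[str]:
    """Compare the pre-submission totals with totals recomputed after processing."""
    findings = []
    for name in ("count", "hash", "amount"):
        if submitted[name] != processed[name]:
            findings.append(
                f"{name} total differs: submitted {submitted[name]}, processed {processed[name]}"
            )
    return findings


# Constructed batch as prepared by the user department.
SUBMITTED = [
    {"account": "10234", "amount": "150.00"},
    {"account": "10871", "amount": "99.95"},
    {"account": "10234", "amount": "42.10"},
    {"account": "11502", "amount": "310.00"},
]


def simulate_processing(batch: List[dict], drop_index: Optional[int] = None,
                        dup_index: Optional[int] = None) -> List[dict]:
    """Stand-in for the processing run; can repeat one record and lose another
    so that the reconciliation has a fault to detect (constructed faults)."""
    out = [dict(r) for r in batch]
    if dup_index is not None:
        out.insert(dup_index, dict(out[dup_index]))
    if drop_index is not None:
        del out[drop_index]
    return out


def run(drop_index: Optional[int] = None, dup_index: Optional[int] = None) -> List[str]:
    """Establish totals, process the batch, and return the reconciliation findings."""
    before = batch_totals(SUBMITTED)
    after = batch_totals(simulate_processing(SUBMITTED, drop_index, dup_index))
    return reconcile(before, after)


if __name__ == "__main__":
    print("clean run:", run() or "totals agree")
    # One record duplicated and another lost: the record count still agrees,
    # only the hash and amount totals reveal the fault.
    for finding in run(drop_index=4, dup_index=0):
        print("faulty run:", finding)
```

The faulty run duplicates the first posting and loses the last, so the count of four still agrees; the independent function that follows up processing errors would see only the hash and amount differences, which is why a record count on its own is a weak control.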

6.4 Spreadsheet packages

6.4.1 Advantages

¾ Widely used for production of financial accounts from trial balances produced by larger CISs

¾ Data may be moved from one place to another within spreadsheet

¾ Relatively easy to access data

6.4.2 Disadvantages

¾ Entries can be easily altered/manipulated

¾ Relatively easy to corrupt/erase data (deliberately or accidentally)

¾ Rudimentary password system

¾ Little or no audit trail

¾ Very difficult to verify computer generated totals (no edit checks in software)

¾ Standing data can be altered because access cannot be prevented

¾ No log showing unauthorized attempts to access standing data.

7 ON-LINE SYSTEMS

7.1 Definition

Computer systems that enable users to access data and programs directly through terminal devices.

7.2 User functions

¾ Entering transactions (e.g. sales transactions in a retail store, cash withdrawals in a bank).

¾ Making inquiries (e.g. current customer account or balance information).

¾ Requesting reports (e.g. a list of inventory items with negative “on hand” quantities).

¾ Updating master files (e.g. setting up new customer accounts and changing general

7.3 Terminal devices

General purpose terminals (in order of increasing technological sophistication):

¾ Basic keyboard and screen

¾ Intelligent terminal (has additional functions of validating data and maintaining transaction logs)

¾ Microcomputers (have additional local processing and storage capabilities).

Special purpose terminals:

¾ Point of sale (POS) devices e.g. on-line cash registers and optical scanners used in the retail trade.

¾ Automated teller machines (ATM, bank-a-mat) – used to initiate, validate, record, transmit and complete various banking and other transactions, e.g. top up of mobile phone credit.

7.4 Types of on-line computer systems

7.4.1 On-Line/Real Time (OLRT) processing

¾ Individual transactions are entered at terminal devices, validated and used to update related computer files immediately. E.g. cash receipts applied directly to customers’ accounts, issues of inventories, airline booking systems.

7.4.2 On-line/batch processing

¾ Individual transactions are entered at a terminal device, subjected to certain validation checks and added to a transaction file. Later, the transaction file (which may be validated further) is used to update the relevant master file.

7.4.3 On-line/inquiry

¾ Restricts users at terminal devices to making inquiries of master files (e.g. customer credit status).

7.4.4 On-line downloading/uploading processing

¾ Transfer of data from a master file to an intelligent terminal device for further processing (e.g. from head office to a branch).

7.5 Characteristics of on-line computer systems

¾ On-line data entry and validation – data failing validation would not be accepted.

¾ Possible lack of visible transaction trail – where supporting documents are not provided for all transactions entered (e.g. telephone mail order and cash point withdrawals).

¾ Potential programmer access – to develop new programs and modify existing ones.

7.6 Internal control

7.6.1 Access controls

¾ To restrict access to programs and data. Specifically, to prevent or detect

‰ unauthorized access to terminal devices, programs and data

‰ entry of unauthorized transactions

‰ unauthorized changes to data files

‰ use of operational computer programs by unauthorized personnel

‰ use of computer programs that have not been authorized.

¾ Includes:

‰ passwords (need procedures for assignment/maintenance)

‰ on-line monitors that control what users are permitted to access

‰ physical controls (e.g. key locks on terminal devices).

7.6.2 Transaction logs

¾ Reports designed to create an audit trail for each on-line transaction (often document the terminal, time and user as well as the transaction’s details).
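An on-line monitor of the kind 7.6.1 refers to, combined with the transaction log of 7.6.2, as an added Python illustration that is not code from the study text. Each request from a terminal is checked against a permission table before it runs, and every attempt, permitted or refused, is written to a log recording terminal, time, user and the transaction details; the refused entries form the failed-access exception report that section 8.3 later asks for. The user names, terminal identifiers, function names and permission table are constructed assumptions.

```python
"""On-line access monitor with transaction logging (added illustration; not from the study text).

Every request from a terminal is checked against a permission table before it
is executed, and the outcome (permitted or refused) is written to a transaction
log that records terminal, time, user and the transaction details.
"""
from datetime import datetime
from typing import Dict, List, Set

# Constructed permission table: user -> functions the user may invoke.
PERMISSIONS: Dict[str, Set[str]] = {
    "clerk01": {"enter_sale", "inquire_balance"},
    "super02": {"enter_sale", "inquire_balance", "update_master"},
}

# Constructed restriction: master-file maintenance may only be run from the
# terminal in the accounts office, whatever the user's permissions.
FUNCTION_TERMINALS: Dict[str, Set[str]] = {"update_master": {"T-ACC-1"}}


class Monitor:
    def __init__(self) -> None:
        self.log: List[dict] = []   # the transaction log (audit trail)

    def request(self, user: str, terminal: str, function: str, details: str, when: datetime) -> bool:
        """Decide whether the request is permitted; always log the attempt."""
        allowed_funcs = PERMISSIONS.get(user, set())
        allowed_terms = FUNCTION_TERMINALS.get(function)
        if user not in PERMISSIONS:
            reason = "unknown user"
        elif function not in allowed_funcs:
            reason = "function not permitted for user"
        elif allowed_terms is not None and terminal not in allowed_terms:
            reason = "function not permitted from this terminal"
        else:
            reason = ""
        self.log.append({
            "time": when.isoformat(timespec="seconds"),
            "terminal": terminal,
            "user": user,
            "function": function,
            "details": details,
            "outcome": "permitted" if not reason else "refused: " + reason,
        })
        return not reason

    def exception_report(self) -> List[dict]:
        """Failed access attempts only, for review by a supervisor."""
        return [entry for entry in self.log if entry["outcome"] != "permitted"]


def demo() -> Monitor:
    """Constructed day's traffic from two terminals."""
    m = Monitor()
    t = datetime(2008, 6, 2, 9, 0, 0)
    m.request("clerk01", "T-SHOP-3", "enter_sale", "invoice 5001 GBP 120.00", t)
    m.request("clerk01", "T-SHOP-3", "update_master", "credit limit cust 10234", t)
    m.request("super02", "T-SHOP-3", "update_master", "credit limit cust 10234", t)
    m.request("super02", "T-ACC-1", "update_master", "credit limit cust 10234", t)
    m.request("ghost", "T-SHOP-3", "inquire_balance", "cust 10234", t)
    return m


if __name__ == "__main__":
    for entry in demo().log:
        print(entry["time"], entry["terminal"], entry["user"], entry["function"], "->", entry["outcome"])
```

The log entry is written before the outcome is returned, so a refused attempt is on record even if the caller ignores the result; that ordering is what makes the exception report trustworthy as an audit trail.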

7.6.3 Application controls

¾ Pre-processing authorization – permission to initiate a transaction (e.g. use of a bank card and a “PIN” before making a cash withdrawal).

¾ Terminal device edit, reasonableness and other validation tests – programmed routines that check input data and processing results for completeness, accuracy and reasonableness.

¾ Cut-off procedures – to ensure that transactions are processed in the proper accounting period.

¾ File controls – to ensure that correct data files are used for on-line processing.

¾ Master file controls – similar to those used for controlling other input transaction data.

¾ Balancing – establishing control totals over data being submitted for processing and comparing with control totals during and after processing.
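The terminal edit, reasonableness and cut-off checks described above, as an added Python illustration (not code from the study text) of what an on-line entry routine does before a sales transaction is accepted onto the transaction file. The accounting period, the reasonableness limit, the field names and the master file extract are constructed assumptions; a transaction is accepted only when the list of edit failures is empty, which is the "data failing validation would not be accepted" characteristic of on-line systems.

```python
"""Terminal device edit checks and cut-off test for on-line transaction entry
(added illustration; not from the study text).  Field names, limits and the
master file extract are constructed for the example."""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List

PERIOD_START = date(2008, 6, 1)               # constructed open accounting period
PERIOD_END = date(2008, 6, 30)
REASONABLE_MAX = Decimal("10000.00")          # constructed reasonableness limit for one sale
VALID_ACCOUNTS = {"10234", "10871", "11502"}  # constructed extract of the customer master file


def validate_sale(txn: dict) -> List[str]:
    """Return the list of edit failures; an empty list means the entry is accepted."""
    errors: List[str] = []

    # Completeness: every required field present and non-blank.
    for field in ("account", "amount", "date"):
        if not str(txn.get(field, "")).strip():
            errors.append(f"{field} missing")
    if errors:
        return errors

    # Existence check against the master file.
    if txn["account"] not in VALID_ACCOUNTS:
        errors.append("account not on master file")

    # Numeric format and reasonableness of the amount.
    try:
        amount = Decimal(txn["amount"])
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount > REASONABLE_MAX:
            errors.append("amount exceeds reasonableness limit")
    except InvalidOperation:
        errors.append("amount not numeric")

    # Cut-off: the transaction date must fall within the open accounting period.
    try:
        entered = date.fromisoformat(txn["date"])
        if not (PERIOD_START <= entered <= PERIOD_END):
            errors.append("date outside open accounting period")
    except ValueError:
        errors.append("date invalid")

    return errors


if __name__ == "__main__":
    # Constructed entries typed at a terminal.
    for txn in (
        {"account": "10234", "amount": "120.00", "date": "2008-06-15"},
        {"account": "99999", "amount": "abc", "date": "2008-07-01"},
        {"account": "", "amount": "5", "date": "2008-06-15"},
        {"account": "10871", "amount": "25000", "date": "2008-05-31"},
    ):
        failures = validate_sale(txn)
        print(txn, "->", "accepted" if not failures else "; ".join(failures))
```

Returning every failure rather than the first lets the operator correct and re-enter the transaction once, which is the immediate correction that reduces the risk of it being lost or re-submitted late.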

7.7 Risk of fraud or error

Example 3

Solution

(1) On-line terminal devices

(2) On-line data entry is performed at or near the point where transactions originate

(3) On-line processing is interrupted

(4) Invalid transactions are corrected and re-entered immediately

(5) Data entry is performed on-line by individuals who understand the nature of the transactions involved

(6) On-line access to data and programs through telecommunications

(7) Transactions are processed immediately on-line

(8) On-line terminal devices are located throughout the entity.

8 DATABASE SYSTEMS

A collection of records and files designed in such a way that all (different) users can search and obtain a wide range of data and process it into standard and ad hoc reports. It is organised and accessed through a Data Base Management System.

8.1 Elements

DATABASE

¾ A collection of data that is organized to permit users to share it in different application programs.

¾ May be single-user in microcomputer environments

DATABASE MANAGEMENT SYSTEM (DBMS)

¾ Creates, maintains and operates the database

¾ Facilitates physical storage of data

¾ Makes data available to application

8.2 Characteristics

¾ Data sharing – data is recorded only once, keeping data redundancy to a minimum. For example, an inventory item’s unit cost may be used by one application to produce a cost of sales report and by another application to prepare an inventory valuation.

¾ Data independence – from application programs to facilitate sharing.

8.3 Control considerations

¾ Security and integrity of data.

¾ Authorised access and updating of data.

¾ Exception reporting including failed access attempts and details of all data changed.
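The data-sharing characteristic of 8.2 and the "details of all data changed" requirement of 8.3, as an added Python illustration using the standard library's SQLite module (not code from the study text). A single inventory table holds each item's unit cost once; a cost of sales query and an inventory valuation query both read it, so a change to the cost is reflected in both reports immediately, and database triggers copy every update and deletion into an audit table that a reviewer can report from. The table layout, the item names and the sample quantities are constructed assumptions, and the triggers are the SQLite mechanism chosen here, not a feature the study text names.

```python
"""Shared data and change logging in a database (added illustration; not from the study text).

One inventory table is read by two 'applications' (cost of sales and inventory
valuation), so the unit cost is recorded only once.  Triggers copy every update
and deletion into an audit table, giving the details of all data changed.
"""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Create the shared table, the audit table and the triggers; load constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE inventory (
            item            TEXT PRIMARY KEY,
            unit_cost_pence INTEGER NOT NULL,
            on_hand         INTEGER NOT NULL
        );
        CREATE TABLE audit_log (
            seq        INTEGER PRIMARY KEY AUTOINCREMENT,
            action     TEXT NOT NULL,
            item       TEXT NOT NULL,
            old_cost   INTEGER, new_cost INTEGER,
            old_qty    INTEGER, new_qty  INTEGER,
            changed_at TEXT NOT NULL DEFAULT (datetime('now'))
        );
        -- every change to inventory is recorded with its before and after values
        CREATE TRIGGER inv_upd AFTER UPDATE ON inventory BEGIN
            INSERT INTO audit_log(action, item, old_cost, new_cost, old_qty, new_qty)
            VALUES ('UPDATE', OLD.item, OLD.unit_cost_pence, NEW.unit_cost_pence,
                    OLD.on_hand, NEW.on_hand);
        END;
        CREATE TRIGGER inv_del AFTER DELETE ON inventory BEGIN
            INSERT INTO audit_log(action, item, old_cost, old_qty)
            VALUES ('DELETE', OLD.item, OLD.unit_cost_pence, OLD.on_hand);
        END;
    """)
    # Constructed sample data (costs held in pence to avoid floating point).
    con.executemany("INSERT INTO inventory VALUES (?, ?, ?)",
                    [("WIDGET", 250, 40), ("GADGET", 1299, 5)])
    con.commit()
    return con


def inventory_valuation(con: sqlite3.Connection) -> int:
    """Application 1: value of all stock on hand, in pence."""
    return con.execute(
        "SELECT COALESCE(SUM(unit_cost_pence * on_hand), 0) FROM inventory"
    ).fetchone()[0]


def cost_of_sale(con: sqlite3.Connection, item: str, qty: int) -> int:
    """Application 2: cost of a sale of qty units, reading the same unit cost."""
    return con.execute(
        "SELECT unit_cost_pence * ? FROM inventory WHERE item = ?", (qty, item)
    ).fetchone()[0]


def change_unit_cost(con: sqlite3.Connection, item: str, new_cost_pence: int) -> None:
    """Master-file maintenance; the trigger records the old and new values."""
    con.execute("UPDATE inventory SET unit_cost_pence = ? WHERE item = ?", (new_cost_pence, item))
    con.commit()


def changes_report(con: sqlite3.Connection) -> List[Tuple]:
    """Exception report of all data changed, in the order they happened."""
    return con.execute(
        "SELECT action, item, old_cost, new_cost, old_qty, new_qty FROM audit_log ORDER BY seq"
    ).fetchall()


def demo() -> dict:
    con = build_db()
    before = (inventory_valuation(con), cost_of_sale(con, "WIDGET", 3))
    change_unit_cost(con, "WIDGET", 300)
    after = (inventory_valuation(con), cost_of_sale(con, "WIDGET", 3))
    return {"before": before, "after": after, "changes": changes_report(con)}


if __name__ == "__main__":
    result = demo()
    print("valuation, cost of 3 widgets before:", result["before"])
    print("valuation, cost of 3 widgets after: ", result["after"])
    print("data changed:", result["changes"])
```

Because the audit rows are written by the database itself rather than by each application, a change made through any route (including an ad hoc query tool) is captured; restricting who may write to or delete from the audit table is the remaining control the DBMS administrator must apply.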

FOCUS

You should now be able to:

¾ appreciate the planning considerations associated with CISs;

¾ provide examples of computer system controls;

¾ list examples of application controls and general IT controls;

EXAMPLE SOLUTION

Solution 1 — Systems and infrastructure failures and their consequences

Systems failures

¾ Server failure;

¾ Disk system failure; or

¾ Software failure.

Either at the entity or at a service organization (used for outsourced functions).

Infrastructure failures

Infrastructure failures are not ordinarily within the direct control of the entity and may be caused by:

¾ major trunk line failure; or

¾ power failure.

Consequences

¾ Damage to an entity’s reputation with potential loss of customers;

¾ Loss of data; and

¾ Loss of payment subsequent to the delivery of a product or service.

Solution 2 — Increased risk of fraud and error

Risk is increased by circumstances 1, 3, 6 & 8 (and reduced by other circumstances).

1 On-line terminal devices – may provide opportunity for unauthorised uses and access to data and programs from remote locations.

2 On-line data entry is performed at or near the point where transactions originate ⇒ less risk that the transactions will not be recorded.

3 On-line processing is interrupted (e.g. due to faulty telecommunications) ⇒ greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.

4 Invalid transactions are corrected and re-entered immediately ⇒ less risk that transactions will not be corrected and re-submitted on a timely basis.

5 Data entry is performed on-line by individuals who understand the nature of the transactions involved ⇒ fewer errors than if individuals unfamiliar with transactions.

7 Transactions are processed immediately on-line ⇒ less risk that they will be processed in the wrong accounting period.

8 On-line terminal devices are located throughout the entity ⇒ opportunity for unauthorised use of a terminal device and entry of unauthorised transactions may increase.

Solution 3 — Automated controls

¾ To validate input.

¾ To prevent duplication or omission of transactions.

¾ To ensure transactions are recorded in the correct accounting period (i.e. correct cut-off).

¾ To confirm that the terms of trade have been agreed before an order is processed (e.g. if payment is required when an order is placed).

¾ To distinguish between customer browsing and orders placed (so that browsing is not incorrectly treated as an order).

¾ To ensure non-repudiation (i.e. a party to a transaction cannot later deny having agreed to specified terms).

¾ To ensure transactions are with approved parties (when appropriate).

¾ To address issues that might cause any part of the transaction to fail (e.g. credit card authorization failure).

¾ To prevent incomplete processing by ensuring all steps are completed and recorded or otherwise rejecting the order (e.g. order accepted, payment received, goods/services dispatched and accounting system updated).

¾ To ensure the proper distribution of transaction details (e.g. when data is collected centrally and communicated to others to execute the transaction).

¾ To ensure records are properly retained and accounts balance after each
