Mf0013 Answer

MF0013 SMU ASSIGNMENT FALL2010 SOLVED

Master of Business Administration- MBA Semester 3 MF0013 – Internal Audit & Control - 4 Credits

(Book ID: B1038) Assignment Set- 1

Q.1 Write the differences between Auditing and Accounting? Ans:

Audits are performed to ascertain the validity and reliability of information; also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person / organization / system (etc.) in question, under evaluation based on work done on a test basis. Due to practical constraints, an audit seeks to provide only reasonable assurance that the statements are free from material error. Hence, statistical sampling is often adopted in audits. In the case of financial audits, a set of financial statements are said to be true and fair when they are free of material misstatements - a concept influenced by both quantitative (numerical) and qualitative factors. Auditing is a vital part of accounting. Traditionally, audits were mainly associated with gaining information about financial systems and the financial records of a company or a business (see financial audit). However, recent auditing has begun to include non-financial subject areas, such as safety, security, information systems performance, and environmental concerns. With nonprofit organizations and government agencies, there has been an increasing need for performance audits, examining their success in satisfying mission objectives. As a result, there are now audit professionals who specialize in security audits, information systems audits, and environmental audits. In financial accounting, an audit is an independent assessment of the fairness by which a company's financial statements are presented by its management. It is performed by competent, independent and objective person(s) known as auditors or accountants, who then issue an auditor's report based on the results of the audit.

Accounting is defined by the American Institute of Certified Public Accountants (AICPA) as "the art of recording, classifying, and summarizing in a significant manner and in terms of money, transactions and events which are, in part at least, of financial character, and interpreting the results thereof." Today, accounting is called "the language of business" because it is the vehicle for reporting financial information about a business entity to many different groups of people. Accounting that concentrates on reporting to people inside the business entity is called management accounting and is used to provide information to employees, managers, owner-managers and auditors.

In other words, accounting is the process of preparing the work, while auditing is the process of evaluating and scrutinizing the work prepared. Accountants are in charge of the day-to-day duties of maintaining the accounts and implementing the board's financial strategy, if any. At the end of the period, the accountant produces the financial statements, a summary report of the financial performance throughout the period. The auditor, in contrast, checks the accuracy of the financial statements to ensure that there is no material misstatement in the financial statements prepared. Accounting is concerned with the preparing of financial statements while auditing is concerned with the checking of financial statements. The purpose of accounting is to show the performance and financial position of a business. The purpose of auditing is to certify the true and fair view of financial statements.

Accounting requires that an accountant must have accounting knowledge, while auditing work requires that an auditor must have accounting as well as auditing knowledge. Accounting is concerned with current data. It is constructive in nature. Auditing is concerned with past data. It is analytical in nature. The time period of accounting is usually one year. It takes one year to complete the record. The time period of auditing is usually less than one year. It may be completed within one month. The accountant is a permanent employee of the business. The auditor is an independent person. The work of an accountant starts when the work of the bookkeeper ends. The work of an auditor starts when the work of the accountant ends. An accountant may not be a chartered accountant as per law. An auditor must be a chartered accountant for public companies. The accountant has no liability for preparing final accounts. The auditor has liability after presenting the audit report.

Accounting is done on a day-to-day basis in business. It is the recording of transactions, the accounting for depreciation, debt, revenue, etc., that are all a part of reporting the company's financial activities. An audit is a thorough review of the records that have been generated by the day-to-day accounting. An audit can be performed by a company's own staff (an internal audit) or by an outside firm (an external audit). External audits can be extremely time-consuming and harrowing for the internal staff. The auditors are looking for any discrepancies, poor business practices, non-compliance with state and federal law (in the U.S.), tax reporting deficiencies, and evidence of fraud or collusion, among other things. In the U.S., a publicly-held company must undergo an external audit at least once a year and must produce detailed financial reports that are submitted to the government and published as a matter of public record.

Q.2 Write the factors to be considered while drawing up the audit Programme an auditor should give attention?

Ans: These factors are:

Quality in planning: planning refers to the detailed audit plans and subsequent audit programmes. No reference is being made to the macro level of planning that an SAI may carry out.

The preparation of an audit plan should take into account risk and materiality based on an understanding of the audited entity and its business. The plan should set out how and when the audit will be conducted and how sufficient and appropriate evidence is obtained in order to enable conclusions to be drawn and to support the audit opinion.

Requisites and measures to ensure quality control

The audit plan is divided into a number of detailed tasks, which are assigned to individual team members. To ensure quality control during the planning process, measures could include direction, supervision and review procedures to ensure that the audit task referred to above is adequately carried out.

Possible Checklist:

o Ensuring that planning is carried out in accordance with auditing policies, standards, manuals, guidelines and practices;
o Obtaining relevant information regarding laws and regulations that might have a significant impact on the audit objectives;
o Preliminary investigative audit (an audit that aims at conducting an initial study of specific issues to help prepare an audit task plan);
o Determining objectives and scope of audit;
o Identification of sources (e.g. media, findings of audited entity’s internal audit, inspection and other control bodies) as background for audits;
o Determining list of activities for audit;
o Highlighting of special problems foreseen when planning the audit;
o Ensuring that members of audit team have a clear and consistent understanding of the audit plan;
o Follow-up is made of issues in previous related audit;
o Understanding the finance, accounting and other relevant functions of the organisation;
o Identification of key elements of internal control system of auditee;
o Using appropriate analytical procedures;
o Identification and analysis of relevant ratios and comparative figures;
o Identification of trends or deviations from predicted amounts;
o Identification of sampling method and sampling population;
o Choice of relevant performance indicators;
o Assessment of inherent and control risks;
o Establishment of materiality criteria and thresholds;
o Establishment of degree of confidence decided for audit;
o Choice of appropriate experts/consultants;
o Preparation of budget and schedule for audit;
o Assessment of reasonable resources necessary to undertake audit;
o Assessment of staff requirements and team allocated for audit;
o Investigation and settlement of queries raised during review stage;
o Drawing up, approval, review of audit programme by Head of Division;
o Checklists used in the process of (a) drawing up, (b) issuing an opinion about, (c) approving an audit task plan;
o Other procedures and practices used in the planning phase of an audit;
o Practices to continuously enhance quality control procedures in the planning phase of audit.

Quality in Execution

The field work has to be performed in accordance with the approved audit plans and should result in sufficient appropriate evidence being obtained to determine with reasonable confidence whether or not financial statements are free from material misstatements and irregularity or that facts relating to VFM/performance audits are scientifically and/or fairly arrived at.

The following methodologies and practices are used in the execution of audits: (European Implementing Guidelines for the INTOSAI Auditing Standards)

i. Sources, methods and nature of the reliability and evaluation of audit evidence include

Sources:

o Generated by auditor directly
o Obtained by third party
o Obtained from auditee

Methods:

o Inspection
o Observation
o Inquiry and Confirmation
o Computation
o Analysis of financial systems

Nature:

o Documentary, visual or oral (the reliability of oral evidence, in particular, depends upon the source)

ii. Audit approach includes

Objectives

o Regularity (financial and compliance)
o Performance or value for money (economic, effective, efficient)

Testing

o Systems Based Approach (testing of internal controls)
o Direct Substantive Testing

iii. Study and examination of internal controls and tests of control

iv. Information Systems

General Installation Controls

o Planning, staffing, reporting and segregation of duties
o Security awareness and policy of both hardware and software
o Continuity and disaster recovery
o Management of IT assets and use of external service providers

Application Audits

o Organisation and Documentation
o Input
o Processing
o Data Transmission
o Standing Data
o Output

v. Audit Sampling

vi. Analytical Procedures

o Trend Analysis
o Ratio Analysis

vii. Using the work of other auditors and experts

viii. Documentation:

This is particularly important for supervision, review and quality assurance. Working papers – current and permanent files; confidentiality; retention procedures.

ix. Performance Audit Methodology

Data Gathering Techniques

o File examination
o Audit sampling
o Secondary analysis/literature search
o Surveys
o Interviews
o Focus Groups
o Benchmarking

Techniques for Information Analysis

o Programme Logic Model
o Descriptive Statistics to understand data distribution
o Regression analysis
o Cost-benefit analysis
o Cost-effectiveness
o Meta evaluation

Requisites and measures to ensure quality control in execution/field work

The field work, which would have been appropriately planned during the planning stage, should be assigned to individual team members. To ensure quality control during the execution/fieldwork process, measures could include direction, supervision and review procedures to ensure that team members understand their assigned tasks and that the chosen audit methodologies are adequately carried out.

Possible checklist

o Execution of audit is carried out in accordance with auditing policies, standards, manuals, guidelines and practices of SAI;
o Audit examiners have a sound understanding of techniques and procedures such as inspection, observation, enquiry, etc. to collect audit evidence;
o All phases of audit have been carried out as planned and approved;
o Valid explanations are available for non-implementation of any phases of audit;
o Appropriate approval exists for significant deviations that have taken place from approved audit;
o Staff resources used for audit are largely in line with those planned in terms of time, grade of staff and expenses entailed;
o Justification for material deviations for budgeted staff resources;
o Appropriate audit techniques and audit procedures used to fulfil each audit objective in order to provide for effective audit evidence;
o Use of Computer Assisted Aids, Techniques and Tools (CAATTs);
o All envisaged tests for evaluation and reliability of internal controls are used;
o Appropriate analytical procedures are used and the reliability, independence and quality of relevant supporting data is assessed;
o Sampling methods are used according to SAI’s manuals;
o All tests of transactions clearly indicate audit objectives, adequately explain nature and extent of audit work and provide an overall conclusion as to results of audit work;
o Audit steps and procedures have been designed to obtain sufficient, competent and relevant evidence;
o Full investigation is made of all queries during audit;
o Existence of adequate working papers in respect of:
    o Evaluation of internal controls systems
    o Audit of routine procedures
    o Tests of controls
    o Analytical review
    o Substantive tests
    o Audit of computer-based applications
o Working papers are appropriately cross-referenced;
o Audit completion checklists are comprehensive and have been completed, approved and duly evidenced;
o Work of consultants and other experts has been properly monitored;
o Other procedures and practices used in the execution phase of an audit; and
o Practices to continuously enhance procedures in the execution phase of audit.

Quality in Reporting

Typical methodologies for carrying out audit tasks

Reports both for regularity and VFM audits should be in standard format. In terms of European Implementation Guidelines (Annexe 1 of No. 31), the auditor must have specific regard to the following aspects of the report:

o Title
o Signature and date
o Objectives and scope
o Completeness
o Addressee
o Identification of subject matters
o Legal basis
o Compliance with standards
o Timeliness

Audit Reports on specific financial statements contain an Unqualified Opinion (Clean Report), if no material shortcomings are detected and the Financial Statements “Properly Represent” (for Accounts on Cash-Based System) or “True and Fair View” (for Accounts on Accrual Based System). If an unusual or important matter (“Emphasis of Matter”) needs to be included in the Audit Report to enable the reader to correctly understand the Financial Statements, this should be contained in a separate paragraph from the Audit Opinion in order not to give the impression that the Audit Report is not qualified.

Q.3 Write the Guidelines for internal check for Big Departmental stores?

Q.4 Distinguish between internal control, internal check and internal Audit?

‘Control’

Control is the process by which organisations ensure that actions taken are:

in accordance with legal requirements and the financial regulations;

in accordance with the budget and that funds are available; and that,

appropriate approval processes exist;

effectively and efficiently; and that,

the financial reporting of activity is reliable.

Control also is designed to ensure that actions are consistent with the ethical behaviour expected of civil servants.

To satisfy this control process management have a duty to ensure that:

areas of responsibility are clearly defined;

the organisational structure is appropriate to the requirements of the service or activity (and that means that the structure of the organisation is changed as needs change);

personnel have and maintain a level of integrity and competence to perform their duties;

any instructions are written and formal rather than unwritten and informal;

there are clear and appropriate lines of reporting;

appropriate disciplinary arrangements exist and are implemented.

The ‘internal control’ process is therefore by definition ‘ex ante’. The element of the control process that relates to the verification and certification of transactions should cover all transactions (i.e. it is transaction based) and should require that all appropriate approvals are obtained before any payments are made (and/or orders placed or commitments made). Approval of transactions is only one element of the ‘control’ process and that element cannot be deemed to be effective unless all the other elements of the control process exist. Therefore to focus ‘control’ on ensuring that transactions are properly approved is to fail to recognise that transaction approval is one of the last elements in a whole process of control, not the principal substance of the control process.

INTERNAL CHECK

The internal check and cross check of transactions of receipt and payment of money and stores should be inbuilt in the system and should take place spontaneously and smoothly. The main objective of internal check is to ensure that the funds and property of the Corporation are kept under proper custody and are not improperly applied either by error or by intent, and that expenditure is incurred only after authorisation and is properly accounted for. For achievement of the objectives of the internal check, a sound accounting system should be in place in the organisation in which the functions and powers of each accounts person are clearly defined and the work of one person is checked by another independent person or his superior, so that errors and fraud are prevented or detected early and remedial action may be taken.

The Accounting System and Procedures contained in this Manual, if followed in letter and intent, take due care of internal check requirements regarding financial transactions which take place in the Corporation. In addition to the Accounting System contained in this Manual, a system of 100 per cent pre-check of all claims may be introduced in the Corporation as a measure of internal check to avoid audit observations and recovery in post audit. A detailed procedure for the pre-check system may be prepared after a decision of the management in this regard.

‘internal audit’

Internal audit is the process by which line management satisfies itself that:

the ‘control’ processes are appropriate and working properly (effective);

the objective of value for money is being achieved;

the management information and control systems are not corrupted and operate efficiently.

Internal audit is not responsible for implementing specific internal control procedures; that is the responsibility of the management.

The internal auditor’s role is to assess the operational effectiveness of the control processes and to ensure that they are appropriate to the objectives of the organisation. To avoid being compromised the internal auditor should remain independent from the day-to-day administration of the organisation and therefore should report directly to the senior management of the organisation. Internal audit, because it is designed to review operational effectiveness, should be systems based rather than transaction based. It should use sampling techniques to assess the quality of the control procedures and would be directed by the application of risk management techniques, i.e. it would focus its resources on the areas of greatest risk to the organisation. An important starting point is risk. Internal audit should review all the internal control processes which mitigate all the most significant risks the organisation faces. These will include reputational (e.g. bad press) and financial risks.

A key issue for internal audit to address is that of ‘materiality’, that is, is the issue of significance to the organisation? There is no standard quantitative definition of materiality but it is incumbent on the auditor to understand the concept of materiality and its application to the organisation to which the audit applies. The United Kingdom statement of auditing standards (SAS 220) addressed to external auditors defined materiality in the following way: ‘Auditors should consider materiality and its relationship with audit risk when conducting an audit: ‘Materiality is an expression of the relative significance or importance of a particular matter in the context of financial statements as a whole (and also for the public sector an event can be material if it is newsworthy). A matter is material if its omission would reasonably influence the decisions of an addressee of the auditors’ report; likewise a misstatement is material if it would have a similar influence. Materiality may also be considered in the context of any individual primary statement within the financial statements or of individual items included in them. Materiality is not capable of general mathematical definition as it has both qualitative and quantitative aspects.’

The United Kingdom Treasury has defined internal audit as ‘an independent and objective appraisal service within an organisation. ‘Internal audit primarily provides an independent and objective opinion to the Accounting Officer (in the United Kingdom usually the most senior civil servant in a Ministry) on risk management, control and governance, by measuring and evaluating their effectiveness in achieving the organisation's agreed objectives. In addition, internal audit's findings and recommendations are beneficial to line management in the audited areas. Risk management, control and governance comprise the policies, procedures and operations established to ensure the achievement of objectives, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations, and compliance with the behavioural and ethical standards set for the organisation.

Q.5 Write the essential requirement of Computer Assisted Auditing Techniques (CAAT)? Ans:

Computer Assisted Auditing Techniques

Your company has been selected for audit by the Massachusetts Department of Revenue. Our goal is to determine the proper tax due and propose any adjustments to the tax reported, with minimal time and expense to your company and the Department of Revenue. Computer Assisted Audit Techniques (CAATS) is an important tool in attaining that goal. The Department of Revenue has invested in software that allows us to accept electronic records from virtually any bookkeeping or financial accounting system. If you submit your records electronically we can quickly select a statistically valid sample of transactions on which to base our audit. We do this work from our office, saving your staff time and inconvenience. Integrating CAATS into the audit process is part of our commitment to streamline the audit process. Our goal is to complete an efficient, understandable and accurate audit. We will provide an audit trail consistent with Generally Accepted Accounting Principles. Our CAATS program is based on a tested and sound database application and informed judgment.

What is a Computer Assisted Audit?

Audit functions formerly performed manually are now performed using standard financial accounting software, modified as necessary for a particular system. Generally, much of the same information is requested and analyzed as in a traditional audit. Once verified using computer techniques, data is retained so it can be used in other areas of the audit including error identification and segregation of transactions within accounts. Customized reports are generated by computer and a standard audit trail is maintained.

What advantages does the use of CAATS have over a traditional audit?

Most importantly, it saves time for you and DOR with no loss of quality or accuracy. Secondly, by analyzing data and generating specific reports using a standard program, data analysis is focused and allows for any future adjustment to be made with minimal effort. Thirdly, preliminary data can often be analyzed early in the audit process and a more efficient audit plan can be devised earlier.

Specific Areas in which CAATS Is Useful:

Computer Assisted Sampling. This permits the use of random statistical sampling, which tends to be more accurate and saves time in those instances in which it is appropriate (see FAQ section for details).

File Management. Files are combined, compared, managed, segregated and ordered automatically using generally accepted computerized file management. Adjustments or other changes to data and reports are easily accomplished. The DOR auditor will review your accounts in order to request specific information from your records essential to the audit.

Report Generation. Once data integrity is verified, the auditor can produce various reliable reports from the overall data population.

Computer Audit Questionnaire

Enclosed is a Computer Audit Questionnaire. Please complete and return this form prior to the commencement of your audit. The questionnaire provides DOR with information about your company’s computer system, recordkeeping, methods of data retrieval and additional information about your accounting practices. This form is mandatory and will become part of your audit file. Consistent with DOR policy, the completed form is confidential. This questionnaire assists your auditor in identifying and requesting records essential to completing your audit expeditiously. DOR will assist you throughout your audit as you provide us with data in a usable format, and will explain reports, analysis of data and sampling in detail.

Q.6 Write the Audit programme in an EDP environment?

AUDIT PROCEDURES IN EDP / CIS ENVIRONMENT

(a) Traditional approach to audit of computer-processed information.

While examining information processed on computers, the auditor may adopt a traditional approach, assuming that the processing of information has been under the manual system, and not through computers. The only difference he notices is that the object of his audit examination is computer printouts, and not the hand-written books of account. The result is that he does not suitably modify his audit program, and carries on work as before. However, this approach has certain inherent flaws. First, it does not involve evaluation of the internal control system relating to computers, which may result in more errors and fraud than under the manual system. Secondly, the auditor may devote unduly long time to certain audit procedures, such as checking and posting of transactions, which he can avoid if an effective internal control is in place. Thirdly, it ignores the benefits of costs and risks that would be available to the auditor if he adopts techniques suitable to auditing through computers.

(b) Auditing in EDP environment.

In this case, the auditor should evaluate the internal control relating to electronic data processing and other controls, and accordingly make extensive use of computer(s) to determine the nature, timing and extent of compliance or substantive audit procedures. However, this requires him to have adequate knowledge of computer systems to plan, direct, supervise and review the work performed by others. For this, he may himself acquire the necessary specialized skills, or hire persons suited for the job.

HOW AUDITORS SHOULD APPROACH AUDITING IN EDP ENVIRONMENT

The electronic data processing environment is an area that requires special techniques in approaching, as it is apparently risky and the auditor needs more technological skill before the real audit is performed. However, the professional guides issued by the International Auditing Standards have disclosed several methods that have to be followed by auditors when doing audits in specialized areas; this does not exclude auditing in an electronic data processing environment. In actual fact, the auditor should approach auditing in an electronic data processing environment as follows:

(a) Evaluate reliability of accounting and internal control system.

The auditor should ascertain how far the accounting and internal control system of the business is reliable. To this end, he should check the following:

(I) Are there restrictions on access to electronic data processing?

The restriction should be in respect of access to hardware, program and data files. The computer room should be under the custody of a responsible official. He alone should handle program and data files. Further, he should make these available only to the persons authorized for the purpose, and keep a record of issue of program and data files. Another restriction can be by way of giving a password (a secret code) to authorized computer users. Yet another restriction can be through giving different rights to different users, for example, some can only read data files, others may both read and alter data files, yet others may even alter program files.

The auditor should also see whether there are adequate methods of hardware control. For example, almost every computer, once started, itself checks the proper functioning of its various components and devices. If a component is not functioning properly, it shows a message on the computer screen. If the computer system has a parity check, it will show whether, due to a cause such as dirt or humidity level, there is improper functioning in the transfer of data between the input-output devices. Such a flaw may cause loss or corruption of data, which the computer system itself will rectify by retrying the transfer. A computer system having a check by way of double reading of data, i.e. that on a hard disc and that written to storage media, will show errors in the process.

(ii) Is there provision for timely detection and correction of errors?

Errors may arise during the feeding of data, processing, or due to any fault in the computer system. Here, the auditor should ensure that transactions processed by the computer have due authority, their recording in the computer data files is accurate, there is no loss, addition, duplication or improper change in them, and there is correction and resubmission of incorrect transactions. He should also see that there is correct use of master files, transaction files and program files. The auditor should review the error-correction procedure, as it will show proper functioning of the internal control system.
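The checks named under question (ii) can be run mechanically once the auditor has the originating department's batch register and the processed file side by side. The following is an added example, not part of the original answer; the field names, the approver list and all sample records are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: the batch register kept by the originating
# department and the records actually found in the computer data file.
SOURCE_BATCH = [
    {"seq": 1001, "amount": Decimal("250.00"), "approved_by": "mgr01"},
    {"seq": 1002, "amount": Decimal("975.50"), "approved_by": "mgr02"},
    {"seq": 1003, "amount": Decimal("120.00"), "approved_by": "mgr01"},
    {"seq": 1004, "amount": Decimal("400.00"), "approved_by": "clerk07"},
]
PROCESSED_FILE = [
    {"seq": 1001, "amount": Decimal("250.00")},
    {"seq": 1002, "amount": Decimal("9750.50")},  # amount altered
    {"seq": 1002, "amount": Decimal("9750.50")},  # posted twice
    {"seq": 1004, "amount": Decimal("400.00")},
    {"seq": 1009, "amount": Decimal("60.00")},    # never in the batch
]
AUTHORIZED_APPROVERS = {"mgr01", "mgr02"}  # assumed approval list


def review_batch(source, processed, approvers):
    """Return exceptions by category plus the control-total difference."""
    src = {r["seq"]: r for r in source}
    proc = {r["seq"]: r for r in processed}
    counts = Counter(r["seq"] for r in processed)
    findings = {
        "lost": sorted(set(src) - set(proc)),
        "added": sorted(set(proc) - set(src)),
        "duplicated": sorted(s for s, n in counts.items() if n > 1),
        "changed": sorted(s for s in set(src) & set(proc)
                          if src[s]["amount"] != proc[s]["amount"]),
        "unauthorized": sorted(s for s, r in src.items()
                               if r["approved_by"] not in approvers),
    }
    # A non-zero difference means the file does not agree with the batch.
    findings["control_total_diff"] = (
        sum(r["amount"] for r in processed) - sum(r["amount"] for r in source))
    return findings


if __name__ == "__main__":
    for category, value in review_batch(
            SOURCE_BATCH, PROCESSED_FILE, AUTHORIZED_APPROVERS).items():
        print(f"{category}: {value}")
```

Each non-empty category is an exception the auditor would trace to the client's error-correction and resubmission records.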

(iii) Is there an arrangement for resumption of the system, if interrupted?

In case electronic data processing systems are interrupted due to power failure or any mechanical fault, there should be proper arrangement for resuming the system without losing the entries or records.

(iv) Is electronic data processing-generated output accurate and complete?

Accuracy and completeness of output will depend on the accuracy and completeness of the data fed into the computer and its processing. This calls for proper input and controls. Recalculation of figures and comparing the output with manual records are other methods for the purpose. The auditor should see that there is restriction on access to processing of data such that accurate and complete output is produced, and that only authorized persons get it on time.

(v) Is there adequate security provision for the stored data?

Because of wrong processing or due to natural or man-made reasons, there may be loss or destruction of stored data. The auditor should see that there are proper safety arrangements to secure the stored data in any such eventuality. While doing so, the auditor should also see whether there are proper backup and recovery procedures. These procedures involve keeping copies of programs and data at a place other than the place of location of the computer. Most application programs have an in-built system of maintaining two versions of a computer file, the current one and the preceding one. The current version will contain alterations made during the latest processing, and the preceding one the pre-alteration version. Some computer systems even have three files: the current one, the preceding version, and the version preceding the preceding version.

(vi) Is the source code of application software in safe custody?

The auditor should ensure that the source code of application software is in the safe custody of a responsible official. He should only allow access to it by duly authorized person(s), and keep a record of the persons gaining access to it.

(b) Assess "inherent and control" risks.

The auditor should assess inherent and control risk for material financial misstatement.

Risk Assessment and internal Control.

Risk in an electronic data processing environment may arise from the following:

1. There may not be adequate procedures to control program or system change.
2. Hardware or software malfunctioning may remain undetected.
3. During transmission, there may be loss or corruption of data.
4. Computer facilities, files and programs may be available to unauthorized access.
5. Users may not participate fully in reviewing output, to ensure its reasonableness and maintaining responsibility for authorization.

(c) Effect of inherent and control risk.

Inherent and control risk in an electronic data processing environment may have either an all-round effect on all accounts, or an account-specific effect.

(i) Risk having an all-round effect on all accounts:

It may arise from deficiencies in program development, system software support, physical electronic data processing security, and control over access to special privilege utility programs. These deficiencies will affect all application systems processed in the computer and result in material misstatement in financial statements.

(ii) Account-specific risk:

Account-specific risks may result in fraud and errors, as in the following summarized real cases that resulted from inherent and control risks:

a) The Trolley Dodgers case - Control deficiencies in the payroll transaction cycle allowed an accounting manager to embezzle several hundred thousand dollars.

b) Goodner Brothers, Inc - An employee of this tire wholesaler found himself in serious financial trouble. To remedy this problem, the employee took advantage of his employer's weak internal controls by stealing a large amount of inventory which he then sold to other parties.

c) Troberg Stores - An important but commonly overlooked internal control objective is ensuring 'compliance with applicable laws and regulations'. The management of this company violated the provisions of a national statute, imposing a heavy monetary cost on the company in the process.

AUDIT TECHNIQUES

(a) Audit objectives remain the same whether processing of data is manual or computerized.

While designing audit procedures in electronic data processing environment, the auditor should keep in mind two things:

1) Ensure that there are adequate compliance and substantive procedures and that transmitted data are correct and complete.

2) Apply professional skepticism by cross verification of records, reconciliation between primary and subsidiary ledgers, questioning and critical assessment of audit evidence. The procedures adopted for the purpose may be manual, by way of computer-assisted audit techniques, or a combination of both.

Auditing "around" or "through" computers

In an electronic data processing environment, an auditor may carry out compliance procedures and substantive tests of transactions with the help of computers, or without it. If he conducts the audit in a traditional manner by examining the data and information generated by the computer system of the client, it will be auditing around the computer. In this case, the auditor only relies on the data and information printouts given to him by the client.

On the other hand, if the auditor himself uses a computer system to carry out compliance and substantive test procedures, it will be auditing through the computer. However, this will require the auditor and/or his staff to possess adequate knowledge of electronic data processing.

(b) Computer-assisted audit techniques.

These may be as follows:

1. Test data:

This is a set of test data prepared by the auditor himself, or data of this kind prepared by the internal auditor of the client. Test data comprise transactions of all kinds prepared specifically to test a program or a set of programs of the client. To evaluate the effectiveness of the client's program(s), the auditor may run his test data on the client's computer using the programs of the client himself.

Use of test data serves as an assurance about the correct functioning of tested programs. However, its limitation is that preparation of the test data requires care and expertise on the part of the auditor. For example, it will involve selection of the type of master files or records (ledger-like records where there is continuous updating through transaction records), e.g. processing of a test transaction showing receipt of payment from a debtor will reflect in the file that contains records of sundry debtors. Moreover, the test data should cover all types and variations, whether they are actual data used by the client, or certain modifications, to ascertain that the client's program includes necessary controls.

For control purposes, the auditor should maintain proper working papers regarding the use of test data. Working papers should show the programs put to test, and the results, both expected and actual. He should also ensure that the programs tested are those actually used by the client, and that actual records remain unaffected by the tests used by him.

2. Modified test data facility

It is a simulated form of a test data technique. Under it, the auditor creates artificial transactions, processes them along with normal processing of actual transactions of the enterprise, and compares the results of the two. This will expose whether the processing done by the enterprise is correct. However, employees operating the electronic data processing system in the enterprise should know nothing about this exercise.

3. Audit software

The auditor may use audit software specially developed for a particular audit or, more often, generalized audit software (GAS). An audit program designed for a particular audit will serve the needs of testing the audit programs of the client. On the other hand, generalized audit software will perform certain common data processing functions, like checking calculations, examining the correctness of records, comparing client records with the data obtained through other procedures, summarizing or rearranging data, selecting samples, etc.

Documentation

As evidence of proper planning and organization of his examination, the auditor should document the following:

His audit plan;

1. Nature, timing and extent of audit procedures performed by him;
2. Conclusion drawn from the evidence obtained; and
3. Safe storage of the evidence in electronic form.

Audit planning

Planning the audit for a client with an electronic data processing environment is not expected to be the same as planning the audit for a manual data processing client. The auditor is required to measure the usefulness and existence of reliable controls in the system before he or she starts auditing. In an electronic data processing environment, an IT environment checklist will have to be used together with interrogating the client's main IT executives.

Important issues to be assessed regarding the whole of the information technology field, which comprises data processing systems, are listed and elaborated in the schedule below:

1. Procedure: Find out the process to register new users to the system.

Inherent risk: Illegal access to components.

2. Procedure: Examine the reliability of the procedures taken when a previous user is required to leave or stop using the machine.

Inherent risk: Previous users still have access to the system

3. Procedure: Find out whether access to the computer room is free to any person

Inherent risk: Unauthorized personnel and visitors may enter the computer room for malicious motives

4. Procedure: Investigate whether there is any rotation of staff (segregation of duties) in system operations.

Inherent risk: There may be fraud attempts by staff who are never rotated.

5. Procedure: Using the organizational chart, verify the existence of job descriptions for IT positions in the entity.

Inherent risk: Staff may be performing other people's duties involuntarily.

6. Procedure: Find out whether internet downloading and other uses of the internet are restricted to safeguard the entity's information.

Inherent risk: Virus penetration into the system is simple due to uncontrolled internet activities.

7. Procedure: Investigate to be sure that anti-virus programs are in use and that there is safe storage of backups, which are frequently tested to identify irrelevant backups.

Inherent risk: Restoration of data is not possible when misfortunes occur.
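Items 1 and 2 of the schedule, together with the three levels of rights described earlier in this answer (read data files, alter data files, alter program files), can be tested by reconciling an export of system accounts against the personnel register. The following is an added example, not part of the original answer; the account names, right names, dates and approval list are constructed for illustration.

```python
from datetime import date

# Constructed sample data: the personnel register (value is the date the
# user left, or None if still employed) and an export of system accounts.
HR_REGISTER = {
    "asmith": None,
    "bjones": date(2024, 3, 31),
    "cpatel": date(2024, 5, 15),
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2024, 6, 3),
     "rights": {"read_data", "alter_data"}},
    {"user": "bjones", "enabled": True, "last_login": date(2024, 4, 20),
     "rights": {"read_data", "alter_data"}},
    {"user": "cpatel", "enabled": False, "last_login": date(2024, 5, 10),
     "rights": {"read_data"}},
    {"user": "tmp_ops", "enabled": True, "last_login": date(2024, 6, 1),
     "rights": {"read_data", "alter_data", "alter_program"}},
]
PROGRAM_CHANGE_APPROVED = {"asmith"}  # assumed list of approved users


def review_access(hr_register, accounts, program_approved):
    """Return user names per exception category for the working papers."""
    findings = {"no_registration_record": [], "leaver_still_enabled": [],
                "login_after_leaving": [], "unapproved_program_rights": []}
    for acct in accounts:
        user = acct["user"]
        if user not in hr_register:
            # Item 1: account exists without going through registration.
            findings["no_registration_record"].append(user)
        else:
            left_on = hr_register[user]
            if left_on is not None:
                # Item 2: a previous user should have no working access.
                if acct["enabled"]:
                    findings["leaver_still_enabled"].append(user)
                if acct["last_login"] > left_on:
                    findings["login_after_leaving"].append(user)
        if "alter_program" in acct["rights"] and user not in program_approved:
            findings["unapproved_program_rights"].append(user)
    return {category: sorted(users) for category, users in findings.items()}


if __name__ == "__main__":
    for category, users in review_access(
            HR_REGISTER, ACCOUNTS, PROGRAM_CHANGE_APPROVED).items():
        print(f"{category}: {users}")
```

A login dated after the leaving date is the stronger finding of the two leaver checks, since it shows the retained access was actually used.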

Nature, timing and extent of audit procedures

It is customary for auditors to time and design audit procedures to suit the audit they need to execute. This is important because the audit evidence obtained needs to be relevant to the audit report issued. This relevance is verified by reviewing the documentation of the nature, timing and extent of the procedures employed in the audit; this is done in a process called quality review.

Conclusions drawn from the evidence obtained

Conclusions drawn by the auditor are the final output of the audit, which, when presented in a formal and standardized manner, is called an audit report. Conclusions such as these need to be documented systematically and in such a way that another auditor who has not participated in the audit is able to use them in reporting without the need for more elaboration from the auditor involved in the audit.

Safe storage of the evidence in electronic form

After completion of the audit and collection of relevant and sufficient audit evidence, it is advised that the auditor should store the evidence so obtained in safe storage, which is expected to be in electronic form. It may be put on disc storage devices which are not easily affected by viruses and not easily altered.