Page 150 - DCOM204_AUDITING_THEORY
P. 150
Auditing Theory
Notes (e) Is there adequate security provision for the stored data?
Because of wrong processing or due to natural or man-made reasons, there may be
loss or destruction of stored data. The auditor should see that there are proper safety
arrangements to secure the stored data in any such eventuality. While doing so, the
auditor should also see whether there are proper backup and recovery procedures.
These procedures involve keeping copies of programs and data at a place other than
the place of location of the computer. Most application programs have an in-built
system of maintaining two versions of computer file, the current one and the
preceding one. The current version will contain alterations made during the latest
processing, and the preceding one the pre-alteration version. Some computer systems
even have three files, the current one, preceding the preceding version, and the
version preceding the preceding version.
(f) Is the source code of application software in safe custody?.
The auditor should ensure that the source code of application software is in safe
custody of a responsible official. He should only allow access to it by a duly authorized
person ( s ), and keep a record of the persons gaining access to it.
2. Assess “inherent and control” risks: The auditor should assess inherent and control risk
for material financial misstatement.
Risk Assessment and internal Control
Risk in an electronic data processing environment may arise from the following;
(a) There may not be adequate procedures to control program or system change.
(b) Hardware or software malfunctioning may remain undetected.
(c) During transmission, there may be loss or corruption of data.
(d) Computer facilitates, files and program may be available to unauthorized access.
(e) Users may not participate fully in review-output, to ensure its reasonableness and
maintaining responsibility for authorization.
3. Effect of inherent and control risk: Inherent and control risk in electronic data processing
environment may have either all round effect on all accounts, or account specific effect.
(a) Risk having all round-effect on all accounts: It may arise from deficiencies in program
development, system soft ware support, physical electronic data processing security,
and control over access to special privilege utility programs. These deficiencies will
affect all application systems processed in computer and result in material
misstatement in financial statements.
(b) Account specific risk: Account specific risks may result in fraud and errors such as the
summarized real cases resulted from inherent and control risks:
(i) The Trolley Dodgers case – Control deficiencies in payroll transaction cycle
allowed an accounting manager to embezzle several hundred thousand dollars.
(ii) Goodner Brothers, Inc – An employee of this tire wholesaler found himself in
serious financial trouble. To remedy this problem, the employee took
advantage of his employer’s weak internal controls by stealing a large amount
of inventory which he then sold to other parties.
(iii) Troberg stores – An important but commonly overlooked internal control
objective is ensuring ‘compliance with applicable laws and regulations’ The
management of this company violated the provisions of a national statute,
imposing a heavy monetary cost on the company in the process.
144 LOVELY PROFESSIONAL UNIVERSITY
