Page 156 - DCOM204_AUDITING_THEORY
P. 156
Auditing Theory
Notes The common weaknesses mentioned above related to the organizational structure of an EDP
environment. In addition, system characteristics which result from the nature of EDP processing
include the following:
1. There is every possibility for the audit trail to get obscured by the loss of visibility of
the accounting records, and the increased amalgamation and summarization of data
by computer programs. On the other hand, in a manual system it is possible to follow
a transaction through the system by examining source documents, records, files and
reports.
2. Data may be entered directly into the computer system without supporting documents.
3. Computerized data may not be retained for as long as manually prepared accounting
data.
4. Through the use of remote terminals, it may be possible for unauthorized access to, and
alteration of, program and data by persons inside or outside the enterprise.
8.7 Internal Controls in an EDP Environment
It is highly desirable that the auditor obtains a sufficient understanding of the client’s internal
controls (I/C) to plan the audit and assess control risk. If on assessment the control risk is
showed to be low, the auditor can reduce substantive testing. When EDP is used in significant
accounting applications, then the auditor must consider the effects the computer has when
evaluating the internal controls. The auditor’s approach to considering IC is the same in a
computerized environment as in a manual environment:
Obtain and document understanding of the internal controls
1. Assess control risk
2. Perform tests of controls
3. Reassess control risk
4. Obtain and document understanding of the I/C
The extent to which the auditor needs to understand the computer system is dependent upon the
preliminary audit strategy selected:
1. Primarily substantive approach—treat computer as a black number crunching box and
just audit the inputs and outputs (auditing around the computer)
2. Lower assessment of control risk—you rely on the computer’s controls (audit through the
computer)
Assess Control Risk
The auditor needs to assess the risk that the internal controls (including EDP controls) will not
prevent or detect material errors or irregularities that will affect the financial statements. The
Auditor considers the strengths and weaknesses of the general controls first.
Example of this in the Advances Module One of the application (programmed) controls requires
authorization from a officer before an Cash credit account can overdraw above the drawing
limit fixed. However, if the general controls over changes to programs cannot be relied on, then
the advances module could be modified to allow an unauthorized clearing. Thus, the application
control could not be relied on either.
150 LOVELY PROFESSIONAL UNIVERSITY
