edp audit

Only available on StudyMode
  • Download(s) : 52
  • Published : November 1, 2013
Open Document


Text Preview
123
AUDITING AND EDP

I.AUDITOR’S CONSIDERATION OF INTERNAL CONTROLS IN AN EDP ENVIRONMENT

The second standard of field work requires that we obtain a sufficient understanding of the client’s internal controls (I/C) to plan the audit and assess control risk. We hope that our assessment of control risk shows it to be low so that we can reduce substantive testing, thereby reducing audit costs. When EDP is used in significant accounting applications, then you must consider the effects the computer has when evaluating the internal controls. The auditor’s approach to considering I/C is the same in a computerized environment as in a manual environment:

--Obtain and document understanding of the internal controls
--Assess control risk
--Perform tests of controls
--Reassess control risk

A.Obtain and document an understanding of the I/C

1.The extent to which the auditor needs to understand the computer system is dependent upon the preliminary audit strategy selected:

a.Primarily substantive approach--treat computer as a black number crunching box and just audit the inputs and outputs (auditing around the computer)

b.Lower assessment of control risk--you rely on the computer’s controls (audit through the computer)

B.Assess Control Risk

1.The auditor needs to assess the risk that the internal controls (including EDP controls) will not prevent or detect material errors or irregularities that will effect the financial statements.

a.CONSIDER THE STRENGTHS AND WEAKNESSES OF THE GENERAL CONTROLS FIRST

Example of this in the payables cycle--one of the application (programmed) controls requires that the computer match the voucher with appropriate supporting documentation before a check is issued. However, if the general controls over changes to programs cannot be relied on, then the payables program could be modified to allow an unauthorized check. Thus, the application control could not be relied on either.

b.Identify the general controls on which you plan to rely.

c.Consider the strengths and weaknesses of application controls and user controls next.

d.Identify the application and user controls on which you plan to rely.

Now make an initial assessment of whether the EDP controls appear reliable. You can:

1.Determine that the EDP controls do not, after detailed review, appear reliable--you should achieve your audit objectives by other means (AUDIT AROUND THE COMPUTER if possible) OR
2.Determine EDP controls appear reliable & move to tests of controls

C.Tests of Controls (TCs) in Computer Environment

1.Recall that the purpose of TCs is to obtain reasonable assurance that the internal controls are functioning properly. The general controls are tested first, then the application and user controls. Also, recall that TCs are done on a cycle by cycle basis. So the accounts receivable application will be tested separately from the payroll application (and so on). We do this because the controls in each cycle are different and independent.

The tables on following pages give examples of TCs which can be manually performed. In addition EDP controls can be tested through use of the computer as described in the following section on EDP Audit Techniques.

D.Reassess control risk based on results of TCs
1.High control risk would necessitate greater dependence on substantive testing and low reliance on computer controls. 2.Low control risk means the computer controls can be relied upon to produce better #s & thus substantive testing can be reduced. 3.No matter how good controls are you MUST do some substantive testing. TABLE 1

CONTROL RISK ASSESSMENT/ TESTS OF CONTROLS
FOR EDP GENERAL CONTROLS

Potential
Misstatements
Necessary
Controls
Possible Tests
of Controls

OPERATION CONTROLS
1) Errors may be made in
inputting or processing
data or distributing
output.

2) EDP personnel may
initiate and...
tracking img