1. technical
auditing in a
computer-based RELEVANT TO cat paper 8 and ACCA QUALIFICATION PAPERs f8
The accounting systems of many ¤ ISA 330 (Redrafted) The (i) Input controls
The aim of this article is to help students improve their
companies, large and small, are Auditor’s Responses to Examples include batch control
computer-based; questions in Assessed Risks. totals and document counts,
demonstrations of computer-based controls and
all ACCA audit papers reflect as well as manual scrutiny of
this situation. Internal controls in a documents to ensure they have
techniques, and the ways they may feature in exams.
Students need to ensure computer environment been authorised. An example of
understanding of this topic by giving practical
they have a complete The two main categories the operation of batch controls
understanding of the controls in are application controls and using accounting software would
a computer-based environment, general controls. be the checking of a manually
how these impact on the produced figure for the total
auditor’s assessment of risk, Application controls gross value of purchase invoices
and the subsequent audit These are manual or automated against that produced on screen
procedures. These procedures procedures that typically operate when the batch-processing option
will often involve the use at a business process level is used to input the invoices. This
of computer-assisted audit and apply to the processing total could also be printed out to
techniques (CAATs). of transactions by individual confirm the totals agree.
The aim of this article is to applications. Application controls The most common example of
help students improve their can be preventative or detective programmed controls over the
understanding of this topic by in nature and are designed accuracy and completeness of
giving practical illustrations of to ensure the integrity of the input are edit (data validation)
computer-based controls and accounting records. checks when the software checks
computer-assisted techniques Accordingly, application that data fields included on
and the way they may feature in controls relate to procedures transactions by performing:
exam questions. used to initiate, record, process ¤ reasonableness check, eg net
and report transactions or other wage to gross wage
Relevant auditing standards financial data. These controls ¤ existence check, eg that a
References will be made help ensure that transactions supplier account exists
throughout this article to occurred, are authorised and ¤ character check, eg that there
the most recent guidance are completely and accurately are no alphabetical characters
in standards: recorded and processed in a sales invoice number field
¤ ISA 300 (Redrafted) Planning (ISA 315 (Redrafted)). ¤ range check, eg no employee’s
an Audit of Financial Statements Application controls apply weekly wage is more
¤ ISA 315 (Redrafted) Identifying to data processing tasks than $2,000
and Assessing the Risks of such as sales, purchases ¤ check digit, eg an extra
Material Misstatement Through and wages procedures and character added to the account
Understanding the Entity and are normally divided into the reference field on a purchase
Its Environment following categories: invoice to detect mistakes
such as transposition errors
during input.

2. student accountant 08/2009
Studying Papers F8 or P7?
Performance Objectives 17 and 18 are linked
environment
and p7 (int and uk)
When data is input via a list. A regular printout of master ¤ prevent or detect errors
assessment of risk, and the resulting audit procedures.
keyboard, the software will often files such as the wages master during program execution,
display a screen message if any file could be forwarded monthly eg procedure manuals, job
understanding of the controls in a computer-based
of the above checks reveal an to the personnel department to scheduling, training and
anomaly, eg ‘Supplier account ensure employees listed have supervision; all these prevent
number does not exist’. personnel records. errors such as using wrong
environment, how these impact on the auditor’s
(ii) Processing controls data files or wrong versions of
Students need to ensure they have a complete
An example of a programmed General controls production programs
control over processing is a These are policies and ¤ prevent unauthorised
run-to-run control. The totals procedures that relate to many amendments to data files, eg
from one processing run, applications and support authorisation of jobs prior
plus the input totals from the the effective functioning of to processing, back up and
second processing, should application controls. They physical protection of files
equal the result from the second apply to mainframe, mini-frame and access controls such
processing run. For instance, and end-user environments. as passwords
the beginning balances on the General IT controls that ¤ ensure the continuity of
receivables ledger plus the sales maintain the integrity of operations, eg testing of
invoices (processing run 1) less information and security of data back‑up procedures, protection
the cheques received (processing commonly include controls over against fire and floods.
run 2) should equal the closing the following:
balances on the receivable ledger. ¤ data centre and (ii) System development controls
(iii) Output controls network operations The other general controls referred
Batch processing matches input ¤ system software acquisition, to in ISA 315 cover the areas
to output, and is therefore also change and maintenance of system software acquisition
a control over processing and ¤ program change development and maintenance;
output. Other examples of output ¤ access security program change; and application
controls include the controlled ¤ application system acquisition, system acquisition, development
resubmission of rejected development, and maintenance and maintenance.
transactions, or the review (ISA 315 (Redrafted)) ‘System software’ refers to
of exception reports (eg the the operating system, database
wages exception report showing ‘End-user environment’ refers management systems and
employees being paid more than to the situation in which the other software that increases
$1,000). users of the computer systems the efficiency of processing.
(iv) Master files and standing are involved in all stages of the Application software refers to
data controls development of the system. particular applications such as
Examples include one-for-one (i) Administrative controls sales or wages. The controls
checking of changes to master Controls over ‘data centre and over the development and
files, eg customer price changes network operations’ and ‘access maintenance of both types of
are checked to an authorised security’ include those that: software are similar and include:

3. technical
of application controls over the input and processing of data. Many answers
Students often confuse application controls and general controls. In the
June 2008 CAT Paper 8 exam, Question 2 asked candidates to provide examples
referred to examples of general controls – and thus failed to gain marks.
¤ Controls over application Computer-assisted audit techniques Using audit software, the auditor
development, such as good Computer-assisted audit can scrutinise large volumes of
standards over the system techniques (CAATs) are those data and present results that can
design and program writing, featuring the ‘application of then be investigated further. The
good documentation, testing auditing procedures using the software consists of program
procedures (eg use of test computer as an audit tool’ logic needed to perform most
data to identify program (Glossary of Terms). CAATs of the functions required by the
code errors, pilot running are normally placed in three auditor, such as:
and parallel running of old main categories: ¤ select a sample
and new systems), as well as (i) Audit software ¤ report exceptional items
segregation of duties so that Computer programs used by the ¤ compare files
operators are not involved in auditor to interrogate a client’s ¤ analyse, summarise and
program development computer files; used mainly for stratify data.
¤ Controls over program changes substantive testing. They can be
– to ensure no unauthorised further categorised into: The auditor needs to determine
amendments and that changes ¤ Package programs (generalised which of these functions
are adequately tested, eg audit software) – pre-prepared they wish to use, and the
password protection of programs for which the selection criteria.
programs, comparison of auditor will specify detailed
production programs to requirements; written to be Exam focus
controlled copies and approval used on different types of Sometimes, questions will
of changes by users computer systems present students with a scenario
¤ Controls over installation ¤ Purpose-written programs – and ask how CAATs might
and maintenance of system perform specific functions of be employed by the auditor.
software – many of the controls the auditor’s choosing; the Question 4 in the December
mentioned above are relevant, auditor may have no option 2007 Paper F8 exam required
eg authorisation of changes, but to have this software students to explain how audit
good documentation, access developed, since package software could be used to audit
controls and segregation programs cannot be adapted receivables balances. To answer
of duties. to the client’s system (however, this type of question, you need
this can be costly) to link the functions listed above
Exam focus ¤ Enquiry programs – those to the normal audit work on
Students often confuse that are part of the client’s receivables. Students should
application controls and general system, often used to sort and refer to the model answer to
controls. In the June 2008 print data, and which can be this question.
CAT Paper 8 exam, Question adapted for audit purposes, The following is an example of
2 asked candidates to provide eg accounting software may how this could be applied to the
examples of application controls have search facilities on some audit of wages:
over the input and processing modules, that could be used ¤ Select a random sample of
of data. Many answers referred for audit purposes to search employees from the payroll
to passwords and physical access for all customers with credit master file; the auditor could
controls – which are examples of balances (on the customers’ then trace the sample back
general controls – and thus failed module) or all inventory items to contracts of employment
to gain marks. exceeding a specified value (on in the HR department to
the inventory module). confirm existence

4. student accountant 08/2009
questions may present students with a scenario and ask how CAATs might be
balances. To answeR, you need to link the functions to audit work on receivables.
students to explain how audit software could be used to audit receivables
employed by the auditor. Question 4 in the December 2007 F8 exam required
¤ Report all employees earning Data without errors will ¤ Embedded audit facilities
more than $1,000 per week also be included to ensure (embedded audit monitor) –
¤ Compare the wages master file ‘correct’ transactions are also known as resident audit
at the start and end of the year processed properly. software; requires the auditor’s
to identify starters and leavers Test data can be used ‘live’, own program code to be
during the year; the auditor ie during the client’s normal embedded into the client’s
would then trace the items production run. The obvious application software. The
identified back to evidence, disadvantage with this choice embedded code is designed to
such as starters’ and leavers’ is the danger of corrupting the perform audit functions and
forms (in the HR department) client’s master files. To avoid this, can be switched on at selected
to ensure they were valid an integrated test facility will times or activated each time
employees and had been added be used (see other techniques the application program is
or deleted from the payroll below). The alternative (dead used. Embedded facilities can
at the appropriate time (the test data) is to perform a special be used to:
auditor would need to request run outside normal processing, – Gather and store
that the client retain a copy of using copies of the client’s information relating to
the master file at the start of master files. In this case, the transactions at the time of
the year to perform this test) danger of corrupting the client’s processing for subsequent
¤ Check that the total of gross files is avoided – but there is audit review; the selected
wages minus deductions less assurance that the normal transactions are written to
equates to net pay. production programs have audit files for subsequent
been used. examination, often called
(ii) Test data (iii) Other techniques system control and review
Test data consists of data There are increasing numbers file (SCARF)
submitted by the auditor for of other techniques that can be – Spot and record (for
processing by the client’s used; the main two are: subsequent audit attention)
computer system. The principle ¤ Integrated test facility – used any items that are
objective is to test the operation when test data is run live; unusual; the transactions
of application controls. For this involves the establishment are marked by the audit
reason, the auditor will arrange of dummy records, such as code when selection
for dummy data to be processed departments or customer conditions (specified by the
that includes many error accounts to which the dummy auditor) are satisfied. This
conditions, to ensure that the data can be processed. They technique is also referred to
client’s application controls can can then be ignored when as tagging.
identify particular problems. client records are printed out,
Examples of errors that might and reversed out later. The attraction of embedded
be included: audit facilities is obvious, as it
¤ supplier account codes that do equates to having a perpetual
not exist audit of transactions. However,
¤ employees earning in excess of the set-up is costly and may
a certain limit require the auditor to have an
¤ sales invoices that contain input at the system development
addition errors stage. Embedded audit facilities
¤ submitting data with incorrect are often used in real time and
batch control totals. database environments.

5. technical
assess control risk and plan audit work to minimise detection risk. The level
The auditor still needs to obtain an understanding of the system in order to
The key objectives of an audit do not change in a computer environment.
Impact of computer-based systems questions remain the same – but means that the auditor reconciles
of audit testing will depend on the assessment of key controls.
on the audit approach in answering them, the auditor input to output and hopes that
The fact that systems are considers both manual and the processing of transactions
computer-based does not alter the automated controls. was error-free. The reason for
key stages of the audit process; For instance, when answering the popularity of this approach
this explains why references to the the ICE question, ‘Can liabilities used to be the lack of audit
audit of computer-based systems be incurred but not recorded?’, software that was suitable for use
have been subsumed into ISAs the auditor needs to consider on smaller computers. However,
300, 315 and 330. manual controls, such as this is no longer true, and audit
(i) Planning matching goods received notes to software is available that enables
The Appendix to ISA 300 purchase invoices – but will also the auditor to interrogate copies
(Redrafted) states ‘the effect consider application controls, of client files that have been
of information technology such as programmed sequence downloaded on to a PC or laptop.
on the audit procedures, checks on purchase invoices. However, cost considerations still
including the availability of The operation of batch control appear to be a stumbling block.
data and the expected use totals, whether programmed or In the ‘through the machine’
of computer‑assisted audit performed manually, would also approach, the auditor uses CAATs
techniques’ as one of the be relevant to this question. to ensure that computer‑based
characteristics of the audit (iii) Testing application controls are
that needs to be considered ‘The auditor shall design and operating satisfactorily.
in developing the overall perform further audit procedures
audit strategy. whose nature, timing and extent Conclusion
(ii) Risk assessment are based on and are responsive The key objectives of an audit
‘The auditor shall obtain an to the assessed risks of material do not change in a computer
understanding of the internal misstatement at the assertion environment. The auditor still
control relevant to the audit.’ level.’ (ISA 330 (Redrafted)) needs to obtain an understanding
(ISA 315 (Redrafted)) This statement holds true of the system in order to assess
The application notes to irrespective of the accounting control risk and plan audit work to
ISA 315 identify the information system, and the auditor minimise detection risk. The level
system as one of the five will design compliance and of audit testing will depend on
components of internal control. It substantive tests that reflect the the assessment of key controls. If
requires the auditor to obtain an strengths and weaknesses of the these are programmed controls,
understanding of the information system. When testing a computer the auditor will need to ‘audit
system, including the procedures information system, the auditor is through the computer’ and use
within both IT and manual likely to use a mix of manual and CAATs to ensure controls are
systems. In other words, if the computer-assisted audit tests. operating effectively.
auditor relies on internal control In small computer-based
in assessing risk at an assertion ‘Round the machine (computer)’ systems, ‘auditing round
level, s/he needs to understand v ‘through the machine (computer)’ the computer’ may suffice if
and test the controls, whether approaches to testing sufficient audit evidence can
they are manual or automated. Many students will have no be obtained by testing input
Auditors often use internal control experience of the use of CAATs, and output.
evaluation (ICE) questions to as auditors of clients using small
identify strengths and weaknesses computer systems will often Peter Byrne is assessor for CAT
in internal control. These audit ‘round the machine’. This Paper 8