True / False: The audit objectives remain the same whether using a manual or computerized environment.
True
What are the 7 primary differences between a manual vs computerized environment?
Segregation of duties
Disappearing audit trail
Uniform transaction processing
Computer-initiated transactions
Potential for increased errors & irregularities
Potential for increased supervision & review
Dependence on IT general controls over computer processing
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of segregation of duties, (2) why, and (3) how is the increased risk mitigated?
The computerized environment
Transaction processing often results in a combination of functions that are normally separated.
Mitigation: increased supervision, reperformance.
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of a disappearing audit trail, (2) why, and (3) how is the increased risk mitigated?
The computerized environment
In some systems, the new transactions overwrite older information.
Mitigation: (1) use a system that leaves a trail, (2) perform audit tests on a continuous basis
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of uniform transaction processing, (2) why, and (3) how is the increased risk mitigated?
The manual environment
Since each transaction is entered individually, it is prone to human error.
Mitigation: frequent control review, additional substantiated tests
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of computer-initiated transactions, (2) why, and (3) how is the increased risk mitigated?
The computerized environment
Automated transactions are not subject to the same types of authorization as for manual transactions and may not be well documented
Mitigation: more frequent reviews
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of errors & irregularities, (2) why, and (3) how is the increased risk mitigated?
The computerized environment
** Remote access
** Unauthorized access
** decreased human involvement = decreased opportunity for observation
** error or fraud may be built into the system or an update
** computer disruptions may cause errors (loss of a transaction if the disruption occurs mid-entry)
Mitigation: review access logs, firewalls, virus detection, be careful hiring IT staff, have battery backup.
Comparing a manual vs computerized environment, (1) which has the greater risk in the area of supervision and review, (2) why, and (3) how is the increased risk mitigated?
The manual environment
Generating reports and accessing raw data used in a review is difficult. In a computerized environment, this is rather easy.
Mitigation: switch to a computerized environment
Define the following (1) auditing around the computer, (2) auditing through the computer.
(1) using manual audit procedures
(2) using computer-assisted audit techniques (CAATs)
True / False: When auditing around the computer, the auditor must still directly test the application program
False
The auditor tests the input data (INPUT STAGE), processes the data independently, and then compares the results to the program's results (OUTPUT STAGE).
When is the use of auditing around the computer most appropriate?
For simple batch systems with a good audit trail.
True / False: Auditing around the computer for a simple batch system could result in the same level of confidence as would auditing through the computer.
True
True / False: When auditing through the computer, the auditor must still perform manual tests to validate the system
False
The emphasis of testing the system is on the INPUT and PROCESSING stages of transaction processing.
Describe transaction tagging
Electronically "marking" a specific transaction and then following it through the system.
Describe embedded audit modules
Using sections of the program code to collect transaction data for the auditor
[aka a detailed query system]
Ex: examine all transactions using acct code XYZ that are greater than $500
Describe running test data
Run a batch of data with a known outcome that includes the types of invalid conditions in which the auditor is interested to verify that the same results are achieved
Examples: use of an invalid number, entering excess pay rate, entering excess hours
Describe the use of an integrated test facility
Run a batch of data with a known outcome that includes the types of invalid conditions in which the auditor is interested, co-mingled with live data, to verify that the same results are achieved.
Client personnel are not informed that the test is being run.
The test data is run to dummy accounts (e.g., fictitious vendors, branch, chart of accts) to separate it from the live data
Describe how a parallel simulation works
aka Reperformance Test
The auditor uses a separate system (usually provided by the client) to process a batch of live data and then compares the results. There are two methods:
(1) Controlled processing. The auditor observes an actual processing run and compares the actual results with the expected results based on the auditor's program
(2) Controlled reprocessing. The auditor uses an archived copy of the program to reprocess transactions.
Describe the function of a Generalized Audit Software Package (GASP)
The auditor can perform tests of controls and substantive tests directly on the client's system.
The auditor must first define the client's system to the GASP, and then specify the tests and selections desired. The GASP generates the programs necessary to interrogate the files, extract, and then analyze the data.
What are some of the tasks typically performed by GASPs?
Examine transactions for control compliance
Select items meeting specified criteria
Recalculate amounts and totals
Reconcile data from two separate files
Perform statistical analysis on transactions
True / False: In a highly computerized system, substantive tests alone should suffice as audit evidence.
False
Tests of controls should be performed to assess control risk
True / False: The GASP requires little technical knowledge of the client's hardware & software features.