What are the controls being evaluated by the auditor in a CIS environment?
Internal controls over computer processing include both manual procedures and procedures built into the computer programs. These controls can be divided into:
General controls
These are controls which relate to the environment within which computer-based accounting systems are developed, maintained and operated, and which are aimed at providing reasonable assurance that the overall objectives of internal controls are achieved. These controls could either be manual or programmed. The objectives of general controls are to ensure proper development and implementation of applications and the integrity of program and data files and of computer operations. General controls will be considered under the headings of:
Systems development controls
These relate to:
Review, testing and approval of new systems
The basic principles of these controls are that:-
Program Changes
Similar requirements apply to changes as well as to new systems, although the level of testing and authorisation will vary with the magnitude of changes. It is particularly important that the documentation be brought up to date. A common cause of control breakdown is the unsuspecting reliance of new staff on out-of-date documents.
Documentation Procedures
Adequate documentation is important to both the auditor and management. For management, documentation provides a basis for:
Parallel running
Before switching to the new system, the whole system should be tested by running it in parallel with the existing system. Parallel running refers to running the new and old systems alongside each other for a specified period of time, say a month. This is important because:
Organisational controls
These relate to:-
Segregation of functions
The principal segregation in a centralised system is between the user and computer departments. Those who process the data should have no responsibilities for initiating or altering the data. The following segregations are important:
Job title and responsibilities
Policies and Procedures relating to control functions
A particular worry is that the operation of program controls could be interfered with during the running of the system by someone with the necessary skills. For these reasons:
Access control
Computer systems are often dependent on the accuracy and validity of data held on file. Access controls to the computer hardware, software and data files are therefore vital. Access controls are both physical and programmed. Physical controls apply to both hardware and data files stored in the form of magnetic disks or diskettes. Examples of access controls:
Other controls
They include controls over:
(ii) APPLICATION CONTROLS
The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the accounting records and the validity of the entries made therein resulting from both manual and programmed processing. These relate to the transactions and standing data pertaining to each computer-based accounting system and are therefore specific to each such application. With the increasing sophistication of computer operating systems, it is becoming more common for controls to be programmed as part of each application. Application controls are generally divided into:
Input controls
Most errors in computer accounting systems can be traced to faulty input. Controls over the completeness and validity of all input are therefore vital. Some controls affect both completeness and validity and therefore will be considered separately. These include controls over data conversion, controls over rejections and the correction and reprocessing of the rejections, batch controls and computer edit controls.
Completeness
These controls ensure that all transactions are recorded: that all sales, for example, are recorded in the cash register, or that all purchase invoices are posted to the accounting records. They are particularly important over the recording of revenue and receipt of assets.
Validity
Controls over validity ensure that only actual transactions that have been properly authorised are recorded. These controls are most important over the recording of liabilities such as wages, creditors etc. As in a manual system, control is established by the written authorisation on input documents, such as the departmental manager's signature on employees' time cards. It is important that there is adequate separation of duties, such that those who initiate a transaction, or who have access to cash, cheques or goods as a result of the transaction being entered, should not have the responsibility for entering the transaction. As with completeness, the computer can be programmed to assist in this control, in which case some of the requirements above can be relaxed. For example, the computer can initiate purchases when stock levels reach a pre-determined re-order level. It can then validate the payment by matching the invoice with the order and goods-inward notes. Access controls, as discussed earlier, play an important role in validity in that the computer is programmed to accept input only from authorised users. The computer can also be programmed to verify authority limits as well.
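The programmed validity checks described above (input accepted only from authorised users, authority limits, separation of initiation from entry, and matching the invoice with the order and goods-inward notes) can be sketched as follows. This is an added example, not part of the original notes; the record layouts, user names, limits and rejection messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: users allowed to enter invoices -> authority limit (cents).
AUTHORITY_LIMITS = {"clerk_a": 500_000, "supervisor_b": 5_000_000}

@dataclass(frozen=True)
class Order:
    order_no: str
    supplier: str
    unit_price: int   # cents
    raised_by: str    # who initiated the purchase

@dataclass(frozen=True)
class Invoice:
    order_no: str
    supplier: str
    quantity: int
    amount: int       # cents
    entered_by: str   # who keyed the invoice

def validate_invoice(inv, orders, received):
    """Return rejection reasons; an empty list means the payment is validated.

    orders: order_no -> Order
    received: order_no -> total quantity on goods-inward notes
    """
    limit = AUTHORITY_LIMITS.get(inv.entered_by)
    if limit is None:                      # access control: unknown user
        return ["input rejected: user not authorised"]
    reasons = []
    if inv.amount > limit:                 # authority limit
        reasons.append("amount exceeds user's authority limit")
    order = orders.get(inv.order_no)
    if order is None:                      # nothing to match against
        return reasons + ["no matching order"]
    if order.raised_by == inv.entered_by:  # separation of duties
        reasons.append("initiator may not enter the transaction")
    if inv.supplier != order.supplier:
        reasons.append("supplier differs from order")
    if inv.quantity > received.get(inv.order_no, 0):
        reasons.append("invoiced quantity exceeds goods received")
    if inv.amount != inv.quantity * order.unit_price:
        reasons.append("amount disagrees with ordered price")
    return reasons

# Constructed records for illustration.
ORDERS = {"PO-1": Order("PO-1", "Acme", 2_500, "clerk_a")}
RECEIVED = {"PO-1": 100}
```

A rejected invoice should be logged with its reasons and routed to the rejection and reprocessing controls rather than silently dropped.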
Data Conversion
There must be controls to ensure that all data on source documents is properly entered into the computer. In the early days, when entry was by punched card, each card was verified as punched by a second machine operator. Now that most data is entered using a keyboard or a terminal, other controls are more common. The most common input controls are edit controls. Examples of edit controls include:
Processing controls
Processing controls ensure that transactions are:
Processing controls include:
c) Output controls
These are necessary to ensure that:-
These controls include:
Controls over master files and standing data
These are aimed at ensuring completeness, accuracy and authorisation of amendments to master files and standing data files. These controls are similar to controls over input, for example controls to prevent the deletion of any account which contains a current running balance. Once standing data has been written onto a master file, it is important that there are adequate controls to ensure that the data remains unaltered until an authorised change is made. Examples of controls
What control function is performed by auditors?
Auditor's Role in the Control Process
Once the auditor gains an understanding of the client's system of internal controls, the auditor must assess control risk. Control risk is the risk that the client's system will fail to prevent or detect and correct an error.
What is auditing in a CIS environment?
For purposes of International Standards on Auditing, a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
What are the factors the auditor must evaluate to understand control environment?
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about IC. The control environment serves as the umbrella for the other four components.
What are the internal controls in a computerized environment?
Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud.