auditing in a computer environment

Upload: ai-cy

Post on 07-Apr-2018


  • 8/6/2019 Auditing in a Computer Environment


    APT FINANCIAL CONSULTANTS Mwakalobo@apt financialconsultants

    AUDITING IN COMPUTER ENVIRONMENT

    What is audit in a computer environment?


    AUDITING IN COMPUTER ENVIRONMENT

    Approaches

    Auditing around the computer

    Auditing through the Computer

    Auditing with the computer


    AUDITING IN COMPUTER ENVIRONMENT

    Use of the computer for audit automation

    Working papers

    Statistical sampling and analytical procedures

    Decision Support System


    AUDITING IN COMPUTER ENVIRONMENT

    Types of software on the auditor's PC to aid audit work:

    Standard software for word processing, spreadsheets

    Expert systems.

    Generally, an auditor can use a PC to assist with:

    Production of time budgets and budgetary control.

    Analytical procedures.

    The maintenance of permanent file information.


    AUDITING IN COMPUTER ENVIRONMENT

    Computer systems present two challenges: lack of visible evidence and systematic errors. What to do?

    The techniques available to the auditor

    The internal controls

    The availability of the data

    The length of time it is retained in a readily usable form.


    AUDITING IN COMPUTER ENVIRONMENT

    Controls over audit computers

    Security, and accuracy (of input, processing and output). The controls the auditor should exercise when PCs are used in audit work are as follows:

    Access controls for users by means of passwords


    AUDITING IN COMPUTER ENVIRONMENT

    Controls over audit computers

    Back-up of data contained on files, regular production of hard copy; back-up disks held off the premises.

    Virus protection for programs, and training of users.

    Evaluation and testing of programs used.

    Proper recording of input data, to ensure reasonableness of output.


    INTERNAL CONTROLS IN CIS

    The internal control over a computer-based accounting system:

    Application controls

    General controls


    INTERNAL CONTROLS IN CIS

    The internal control over a computer-based accounting system

    Application controls:

    The objective of application controls (manual or programmed) is to ensure the completeness and accuracy of accounting records and the validity of entries made, resulting from both manual and programmed processing.


    INTERNAL CONTROLS IN CIS

    The internal control over a computer-based accounting system

    General controls:

    These relate to the environment in which CIS are developed, maintained and operated, and are therefore applicable to all the applications.

    The objectives of general controls are .

    The application controls and general controls are inter-related. Strong general controls contribute to assurance, which may be obtained by an auditor in relation


    INTERNAL CONTROLS IN CIS

    The specific requirements in order to achieve the overall objectives of application controls are:

    Control over the completeness and authorization of input

    Control over the completeness and accuracy of processing

    Control over the maintenance of master files and the standing data contained therein


    INTERNAL CONTROLS IN CIS

    In order to achieve the overall objective of general controls, the controls required are:

    Control over applications development

    To prevent or detect unauthorized changes to programs

    To ensure that all program changes are adequately tested and documented

    Control to prevent and detect errors during program execution

    To prevent unauthorized amendments to data files

    To ensure that system software is properly installed and maintained

    To ensure that proper documentation is kept

    To ensure continuity of operations.


    COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)

    Definition

    Techniques in which the auditors are afforded opportunities to use either the enterprise's or another computer to assist them in the performance of audit work.

    CAATs are ways in which the auditor may use the computer in a computerized information system to gather, or assist in gathering, audit evidence.


    CATEGORIES OF CAAT

    Audit software

    Test data

    Other techniques


    CATEGORIES OF CAAT

    Audit software:

    Generalized audit software

    Specialized audit software or interrogation software

    Utility programs and existing entity programs.

    Regardless of the source of the programs, the auditor should substantiate their validity for audit purposes prior to use.


    CATEGORIES OF CAAT

    Audit software: some uses

    Stratify accounting population and select monetary unit statistical samples.

    Carry out an aging/usage analysis of stocks

    Perform detailed analytical reviews of financial statements


    TYPES OF CAATs

    Test data

    Is a CAAT in which test data prepared by the auditor is processed on the current production version of the client's software, but separately from the client's normal input data.


    TYPES OF CAATs

    Other techniques:

    Embedded audit facilities

    Integrated test facility

    System Review and control file (SCARF)

    Application program examination

    Internal control evaluation via: flowchart verification (logical path analysis), program code verification (code comparison programs), printout examination.


    CAATs and Substantive Testing

    During substantive testing, some CAATs are used frequently.

    Audit software is used extensively to examine accounting records maintained on computer files

    CAATs assist in carrying out analytical review procedures


    Limits of CAATs


    Evaluation of general controls

    Use ICQ or the ICE approach.


    PROGRAM AUTHENTICITY

    Source program authenticity: guarantee that the correct application program is being tested.

    Live test data, integrated test facilities and embedded audit facilities, as described above, are audit techniques which help in this respect.

    General controls

    Copy must be identical to original


    KNOWLEDGE BASED SYSTEM

    Knowledge-based systems

    Decision Support Systems and expert systems can be used to assist with the auditor's own judgment and decisions.


    MANUAL Vs CAATs

    Factors to consider in choosing between CAATs and manual techniques:

    Practicability of carrying out audit tests manually

    Cost effectiveness of the procedures under consideration.

    Availability of audit time

    The availability of appropriate computer facilities and independence issue

    The level of audit experience and expertise.

    The extent of possible reliance upon internal audit work


    PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

    Possibilities of attending during system development stage

    Consideration of use of CAATs

    Practicability of manual audit

    Expertise


    PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

    Use of CAATs

    The pattern of cost associated with CAATs

    The extent of tests of controls or substantive procedures achieved by both alternatives

    Ability to incorporate within the use of CAAT a number of different audit tests.

    Time of reporting


    PLANNING AN AUDIT IN A COMPUTER ENVIRONMENT

    In using CAAT, computer facilities, computer files and programs are available; the auditors should plan the use of CAAT in good time so that these copies are retained for their use.

    Internal auditor CAATs, consider ISA

    Availability of computer facilities


    INTERNAL CONTROL EVALUATION

    ICQ. Weak controls = extensive substantive procedures

    In determining whether they wish to place reliance on application controls or general controls, the auditors will be influenced by the cost effectiveness and ease of testing, and by the following matters:

    General controls and application controls


    INTERNAL CONTROL EVALUATION

    Check systematic errors and program integrity

    Manual examination may be useful in small computer applications

    Observation, examination of documentary evidence or reperforming the procedures may be useful.

    CAATs can also be useful


    REVIEW OF FINANCIAL STATEMENTS

    CAATs (audit software), e.g. analytical review.

    The working papers should indicate the work performed by CAAT, the auditor's conclusion, the manner in which any technical problems were resolved, and may include any recommendations about modification of CAAT for future audits.


    AUDIT TRAIL

    As the complexity of computer systems has increased there has been a corresponding loss of audit trail. Most systems have searching facilities that are much quicker to use than searching through printouts by hand.

    This offsets the so-called loss of audit trail to a significant extent. The trail is still there, although it may have to be followed through in electronic form.


    COMPUTER SERVICE BUREAUX

    These are third-party service organizations which provide EDP facilities to their clients.

    Factors to consider

    Make-or-buy decisions

    Consider and analyze the cost benefit;

    Level of management's own computing knowledge and their willingness to take risk with an unknown third party;


    COMPUTER SERVICE BUREAUX

    Factors to consider

    The volume and frequency of processing requirements;

    The complexity of the program package required; the simpler the program, the easier it would be to process in-house on a micro;

    The importance of timeliness in processing of data; check the efficiency and economy of DP

    The confidentiality of the data being processed.


    Types of Bureaux

    Independent companies formed to provide specialist computer services

    Computer manufacturers with bureau

    Computer users (e.g. universities)


    PLANNING AND CONTROL EXERCISED BY THE USER

    When the system using bureaux is set up it is essential that a full feasibility study and system design should be carried out.

    In practice the bureau may provide assistance in performing these tasks.


    PLANNING AND CONTROL EXERCISED BY THE USER

    The controls should include:

    Prior vetting of bureau standards;

    Input controls at preparer's end; bunching and providing or authorizing in the same way as usual;

    Transit controls; physical transfer of documents;

    Batch controls, physical security and authorized personnel;


    COMPUTER SERVICE BUREAUX

    Third-party review: an independent firm carries out a review of internal controls, both general and application based. The report is then made available to the auditors of clients of the bureau. This saves the bureau having to make provision for many different sets of auditors all asking to run CAATs on the bureau's system and complete roughly similar ICQ/ICE forms.

    Direct evaluation of the bureau by the auditor using the CAATs, ICQ and ICE.

    Standby/back-up/emergency arrangements;


    COMPUTER SERVICE BUREAUX

    For the compliance and substantive testing of programmed procedures, CAATs such as those discussed above are appropriate where the client has the data and files on the premises. They may not be possible in the context of the computer service bureau.

    The client may have to arrange to have files copied by the bureau or supplied to the auditor for testing.


    CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

    Controls in real time systems

    The main control problem: the concern is primarily with large, multiuser systems with terminals (dumb terminals or networked PCs).

    The same person is often responsible for producing and processing the same information. Internal check and supervisory controls should be strengthened (segregation of duties).

    The ability of a person using a remote terminal to gain access to databases at will results in the need for special controls to ensure that files are neither read nor written to (nor destroyed).


    CONTROLS IN ON-LINE AND REAL TIME SYSTEMS

    Physical controls;

    Operating system;

    Use passwords (or lockwords) or special badges or keys;

    Restriction by the operating system of certain users to certain files, e.g. the wages dept can be given access to only the wages file;

    Logging of all attempted violations of the above controls, e.g. automatic shut-down of the PC or terminal used;

    All violations should be speedily and thoroughly investigated

    Application controls;

    Validity checks on input;

    Reporting of unusual transactions;

    Passwords


    DATABASE MANAGEMENT SYSTEMS (DBMS)

    Main controls: controls to prevent or detect unauthorized changes to programs:

    No access to live program file by any personnel except for the operation personnel at the central computer;

    Password protection on programs;

    Restricted access to the central computer and terminal;

    Maintenance of console;

    Periodic comparison of live production programs to control copies and supporting documentation.
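
The periodic comparison of live production programs to control copies, which is also the check behind "copy must be identical to original" on the program authenticity slide, can be automated by hashing both libraries. This is an added example, not part of the original slides; the directory layout, file names and program contents are constructed for illustration.

```python
"""Periodic comparison of live production programs against control copies."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large program files are never read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256.

    Symbolic links are skipped so a link pointing outside the library
    cannot stand in for a program file.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def compare_to_control(control, live):
    """Classify each difference between the control and live manifests."""
    return {
        # Same name, different content: an unrecorded program change.
        "modified": sorted(p for p in control if p in live and live[p] != control[p]),
        # In the control library but absent from production.
        "missing": sorted(p for p in control if p not in live),
        # In production with no control copy: never passed change control.
        "unexpected": sorted(p for p in live if p not in control),
    }


def write_tree(root, files):
    """Create the given {relative path: text} files under root."""
    for name, text in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


def run_constructed_example():
    """Compare a constructed live library with its constructed control copy."""
    control_files = {  # constructed sample programs, not real client code
        "payroll.py": "def net_pay(gross, tax):\n    return gross - tax\n",
        "ledger/post.py": "def post(entry):\n    return entry\n",
        "ledger/report.py": "def report(rows):\n    return len(rows)\n",
    }
    live_files = {
        # payroll.py altered in production without a matching control copy
        "payroll.py": "def net_pay(gross, tax):\n    return gross - tax + 50\n",
        "ledger/post.py": control_files["ledger/post.py"],
        # ledger/report.py is absent; debug_hook.py was never approved
        "ledger/debug_hook.py": "print('trace')\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        control_root, live_root = Path(tmp, "control"), Path(tmp, "live")
        write_tree(control_root, control_files)
        write_tree(live_root, live_files)
        return compare_to_control(build_manifest(control_root),
                                  build_manifest(live_root))


if __name__ == "__main__":
    for kind, paths in run_constructed_example().items():
        print(f"{kind}: {paths}")
```

In practice the control manifest is built once from the auditor-held control copies and kept where production staff cannot alter it; only the live side is re-hashed at each review.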


    DATABASE MANAGEMENT SYSTEMS (DBMS)

    Main controls: controls to prevent or detect errors during operation:

    Restriction of access to terminals by use of password;

    Satisfactory application control over input, processing and master file;

    Use of operation manuals and training all users;

    Maintenance of logs showing unauthorized attempts to access;

    Physical protection over data files;

    Training in emergency procedures

    Controls to ensure integrity of the database system:

    Restriction of access to data dictionary


    DATA BASE MANAGEMENT SYSTEM

    The audit of DBMS creates particular problems as the two principal CAATs, test data and audit software, tend to work unsatisfactorily on programs and files contained within such system. The auditor may, however, be able to use embedded audit facilities. Close liaison with the internal auditor may provide audit comfort. The auditors should if possible be involved at the evaluation, design and development stages, so that they are able to determine their audit requirements and identify control problems before implementation.


    SMALL COMPUTER SYSTEM

    Control problems in small computer systems

    The problems surrounding PCs can be grouped as:

    Lack of planning over the acquisition and use of PCs;

    Lack of documentary evidence;

    Lack of security and confidentiality.


    COMPUTER FRAUD

    Input fraud;

    Processing fraud;

    Fraudulent use of computer system;

    Output fraud;


    FACTORS - RISK TO COMPUTER FRAUD

    Increase in computer literacy

    Communications e.g. telephone and PCs and hackers

    Reduction of internal

    Improvements in quality of software and increase in implementation of good software has not kept pace with improvements in hardware


    COUNTERACT COMPUTER FRAUD

    Planned approach to counteract computer fraud.

    All staff should be properly trained and should fully appreciate their role in the computer function

    Management policy on fraud should be clear and firm

    A study should be carried out to examine where the company is exposed to possible fraud

    A company should map out an approach or plan in each area of the business to tackle and prevent fraud.


    CONTROLS TO PREVENT COMPUTER FRAUDS

    As with a control system, three areas to examine are: prevention, detection and correction

    Access to the computer terminals and other parts of the computer should be restricted

    Access to sensitive areas of the system should be logged and monitored

    Error logs and reports should be monitored and investigated on a regular basis

    Staff recruitment should include careful vetting, including taking up all references

    Expert systems software may be used to monitor unusual transactions


    DEVELOPMENTS IN COMPUTERIZED ENVIRONMENT

    Many auditors are now finding their clients conducting business through the internet.

    As always, the principal audit concern will be controls over the use of the internet and the strength of audit evidence obtained through the internet


    INTERNET

    Controls over the Internet

    Unauthorized use of the internet

    Staff may use the internet for unauthorized purchases

    Staff may use the internet for accessing data which have a cost (call)

    People may be able to access the business's internal systems via the internet and obtain confidential information or launch a virus which disrupts internal systems


    CONTROLS IN INTERNET

    Controls against these risks include:

    Use of passwords

    Disabling certain terminals

    Firewalls

    Authorization: the technique makes sure that a message has come from an authorized sender

    Virus control software: regular updating

    Physical controls: against fire, damage etc.


    AUDIT EVIDENCE IN THE INTERNET

    Certain general observations can be made about audit evidence obtained through the Internet:

    Internet evidence generated by the auditor will be stronger than evidence generated by the client. Comfort may be obtained if the auditor can access the internet and test what the client has posted

    Internet evidence can be obtained in written form and is thus stronger than oral evidence

    If the internal controls mentioned above are strong, the auditors will have more confidence in the quality of evidence


    WHAT ABOUT E-MAIL?

    E-mail may have numerous advantages in reducing office paperwork and speeding up communication, but it also has dangers from an audit point of view, e.g. an unscrupulous employee in a large organization might find it quite easy to send an e-mail from his or her boss's computer authorizing a substantial bonus/pay rise

    H/W: what controls could you put in place to prevent this from happening?


    CONTROL IN INTERNET SYSTEM

    Control of the network system is of utmost importance. The auditors must be able to analyse the risk of unauthorized access such as line tapping or interception and to evaluate preventive measures

    Authentication programs and encryption are used for security. The auditor must understand those matters and should be able to make recommendations on implementation.

    Password security is extremely important, and the auditors may be called upon to recommend complex password procedures for sophisticated systems.


    ELECTRONIC DATA INTERCHANGE

    Electronic data interchange (EDI) is now used very widely because it cuts the task of re-inputting data that has already been input into a system in electronic form, saving time and improving accuracy

    Is EDI authentic? What authorization measures are in place to ensure that transactions above a certain value are properly authorized before being transmitted or accepted?

    What is the legal position of the two parties if the transaction is disputed?

    Encryption and authentication offer some help, as do transaction logs that identify the originator of any transactions generated and transmitted.


    WHAT IS EDI

    Is the automated computer-to-computer exchange of structured business transactions between an enterprise and its vendors, customers, or other trading partners in a standard format, with a minimum of human intervention


    CONSIDERATION OF AUDIT STANDARDS

    ISA 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and ISA 330, The Auditor's Procedures in Response to Assessed Risks, became effective.


    CONSIDERATION OF AUDIT STANDARDS

    Major issues to be considered by an auditor as per ISA

    An auditor should consider how a new CIS environment affects the audit

    The overall objective of audit in a CIS audit never changes.

    The design and performance of appropriate tests of controls and substantive procedures to achieve the audit objective are likely to change.


    CONSIDERATION OF AUDIT STANDARDS

    Major issues to be considered by an auditor as per ISA

    The existence of a computer is likely to have an impact on the client's inherent risk and control risk.

    The auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed.

    The auditor should consider whether specialized CIS skills are needed in an audit.


    ISA

    The ISA makes it clear that auditors should have sufficient knowledge of the CIS to perform such an audit effectively. It is not necessary for every member of the audit team to be a computer expert; auditors must consider the need for specialized CIS skills. ISA 620, Using the Work of an Expert, is relevant.

    In planning the portions of the audit which may be affected by the client's environment, the auditor should obtain an understanding of the significance and complexity of CIS activities and the availability of data for use in the audit.


    ISA

    The auditor must obtain an understanding of accounting and IC sufficient to plan an effective approach.

    Where CIS is significant, the auditor must assess the effect of the CIS on inherent and control risk.

    Complexity normally increases risk, and pervasive deficiencies in program development, maintenance, physical security and access controls would have an effect on all applications that the system served.


    ELECTRONIC COMMERCE

    IAPS 1013

    Is any commercial activity that takes place by means of connected computers, e.g. offering goods for sale directly from an office computer; the purchaser's computer and the office computer are connected over the Internet.

    How do we audit e-commerce?

    International Audit Practice Standard (IAPS) 1013 is intended to assist auditors in identifying and assessing the new risks to which the business is exposed when it undertakes e-commerce transactions.


    MAJOR AREAS OF FOCUS BY THE IAPS 1013

    The skill and knowledge required to understand the implications of e-commerce on audit

    The extent of knowledge an auditor should have about the client's business environment and activities.


    MAJOR AREAS OF FOCUS BY THE IAPS 1013

    The business, legal, regulatory and other risks faced by entities engaged in e-commerce transactions.

    The effect of electronic records on audit evidence.

    The statement may also be helpful to the auditor of any business engaged in e-commerce.


    What is an IT audit?

    Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:
    - Understand the existing internal control environment
    - Identify high risk areas through a formal methodology
    - Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)
    - Recommend control implementation where risk exists


    Why IT AUDIT?

    Because of Information Technology RISK!!

    Risk: The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact ability to meet objective).

    Threat: Event or entity with the potential to cause unauthorized access, modification, disclosure, or destruction of info resources.

    Vulnerability: Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.


    What Reduces IT Risk and What about any Remaining Risk?

    Internal Controls (i.e. safeguards)

    Control: Protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.

    Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.

    Internal Controls do not eliminate all risk!!

    INTERNAL CONTROLS OTHER MATTERS


    There are two major types of controls:
    - Application Controls
    - General Controls


    What about OTHER types of audits that may impact Security Administration functions?

    Traditional Audit Types:
    - Financial: opinion audits (CPAs)
    - Operational: process audits; now includes environmental & construction
    - Compliance: laws/regulations and policies, standards, and procedures
    - IT: usually considered operational unless performed so opinion auditors may rely on financial info provided
    - Hybrid - Integrated Audit: today almost all audits are actually hybrid


    Operational Audits

    - Review operating policies/procedures
      - Documented policies/procedures?
      - Informal policies/procedures?
    - Work flow examined (through flowchart or description requested/developed)
    - Controls identified and documented
    - Examine the business process and recommend improvements, control related or efficiency/effectiveness

    INTERNAL CONTROLS OTHER MATTERS


    General Controls: The purpose of general controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control (IC) are achieved.


    Categories of General Controls:

    - Organizational and management controls: help to provide a proper organizational framework, including segregation of incompatible functions.
    - Application development and maintenance controls: to ensure that applications are properly developed, tested and maintained.


    - Operational controls: to ensure properly authorized access to the system and the detection of errors.
    - Systems software controls: to ensure the integrity of the development and usage of systems software.
    - Data entry & program controls: to ensure the integrity of data and program files.

    CIS APPLICATION CONTROLS


    The purpose of these controls is to establish specific control procedures over the accounting applications to provide reasonable assurance that all transactions are authorized, recorded and processed completely, accurately and on a timely basis.


    The Controls Include:

    Controls over input are designed to provide reasonable assurance that:
    - Transactions are properly authorized before being processed by the computer.
    - Transactions are accurately converted into machine-readable form and recorded in the computer data files.
    - Transactions are not lost, duplicated or improperly changed.
    - Processing errors are identified and corrected on a timely basis.


    Controls over output are designed to provide reasonable assurance that:
    - Results of processing are accurate.
    - Access to output is restricted to authorized personnel.
    - Output is provided to appropriate authorized personnel on a timely basis.

    Normally the techniques which control the accuracy of input and processing will also help to control master file data. Since master file standing data items are used many times over in processing, they take on greater importance than transaction data, and more costly controls such as one-for-one checks may be justified.

    MANUAL AND PROGRAMMED CONTROLS


    Many controls over computers are manual controls, and provided that the manual controls exercised by users are sufficient to provide reasonable assurance of the completeness, accuracy and authorization of output, tests of control may be limited to those manual controls. In a payroll system, for example, if users test check gross pay, deductions, net pay and authorization at the output stage, and if they compare net pay with approved bank transfer documentation and perform regular bank reconciliations, there may be no need to test programmed controls.

    MANUAL CONTROLS


    Other Controls:

    Manual Controls

    Physical Controls:
    - Is a matter of common sense.
    - Limit access to the computer room.
    - Locks and keys, only to specified people.
    - Prevention of smoking.

    Back-up of disks:
    - Create and update an identical back-up disk for every disk in the system.
    - Data files & program files.
    - The disk should be stored in a separate place.


    Data filing:
    - Each disk should be labeled clearly and filed securely.
    - The labeled disks should be filed in special disk boxes to provide a degree of protection against liquid being spilt on the disks or their being bent or plied.

    Documentation: It is vital, as it provides both a support system for work already stored on disk and filed, and a progress report on data currently being processed or updated.

    Staff Training:

    Proofing: There is always room for manual checking or proofing, to control data on disk.

    PROGRAMMED CONTROLS


    Passwords; Date/time stamps for comparison of two revisions of data; Prompts asking the user to continue with an action or not.

    Check Digit: A means of control in that it ascertains whether or not a number, such as an ISBN, is valid, e.g. a customer account No. The computer will detect if the number is ever input incorrectly.

    Batch totals and hash totals:
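The check-digit and batch/hash-total controls named above, and the input control that transactions are not lost, duplicated or improperly changed, as an added Python example that is not part of the original slides: it validates an ISBN-10 check digit and reconciles a keyed batch against the totals on its batch header. The record layout, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

DIGITS = "0123456789"

def isbn10_is_valid(isbn: str) -> bool:
    """Check-digit control: the weighted sum (weights 10..1) must be divisible by 11."""
    chars = [c for c in isbn.upper() if c not in "- "]
    if len(chars) != 10:
        return False
    total = 0
    for position, ch in enumerate(chars):
        if ch in DIGITS:
            value = int(ch)
        elif ch == "X" and position == 9:   # 'X' stands for 10, last place only
            value = 10
        else:
            return False
        total += (10 - position) * value
    return total % 11 == 0

@dataclass(frozen=True)
class BatchHeader:
    """Totals prepared from the source documents before data entry."""
    record_count: int
    amount_total_cents: int    # batch total: sum of a meaningful money field
    account_hash_total: int    # hash total: sum of a field with no meaning as a sum

def reconcile_batch(header: BatchHeader, keyed: list[tuple[int, int]]) -> list[str]:
    """Return the names of the header totals that the keyed records do not match."""
    computed = BatchHeader(
        record_count=len(keyed),
        amount_total_cents=sum(amount for _, amount in keyed),
        account_hash_total=sum(account for account, _ in keyed),
    )
    return [name for name in ("record_count", "amount_total_cents", "account_hash_total")
            if getattr(header, name) != getattr(computed, name)]

# Constructed sample batch: (customer account number, amount in cents).
SOURCE = [(1042, 12500), (2310, 8950), (3377, 41025)]
HEADER = BatchHeader(record_count=3, amount_total_cents=62475, account_hash_total=6729)

if __name__ == "__main__":
    print(isbn10_is_valid("0-306-40615-2"))   # sample ISBN with a consistent check digit
    print(isbn10_is_valid("0-306-40651-2"))   # same number with two digits transposed
    miskeyed = [(1024, 12500)] + SOURCE[1:]   # account 1042 keyed as 1024
    print(reconcile_batch(HEADER, miskeyed))
    print(reconcile_batch(HEADER, SOURCE + [SOURCE[1]]))  # record entered twice
```

The miskeyed account number leaves the record count and the money total intact, so only the hash total exposes it; a record entered twice breaks all three totals.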


    SMALL STAND ALONE MICRO-COMPUTER


    Main problems.

    Internal Controls.

    Major controls appropriate in this environment are:

    Authorization:

    Physical security

    AUDIT PROCEDURES

    Substantive tests

    Internal controls


    Inherent limitations of the system of IC in elimination of frauds & errors:
    - The need to balance the cost of control with its benefits.
    - The fact that IC are applied to systematic transactions, not one-off year-end adjustments, which are often larger and subject to error.
    - The potential for human error.
    - Possibility of circumvention of IC through collusion of managers or employees with other parties inside/outside the entity.
    - Abuse of controls or override of controls, e.g. ordering of personal goods.
    - Obsolescence of controls.

    FURTHER CONSIDERATION OF CAATs


    ISA requires auditors to obtain appropriate audit evidence to be able to draw reasonable conclusions on which to base their opinion.

    Advantages of CAATs:
    - Help to test a larger number of data items, hence increase confidence in their opinion.
    - Help to test the accounting system and its records (tables & disk files) rather than relying on testing printouts.
    - Are cost effective once set up for obtaining audit evidence.
    - Comparison can easily be made with clerical audit work, hence increase confidence.

    OTHER DETAIL MATTERS


    Difficulties of using computer programs:
    - Cost
    - Changes to client's system
    - Small installations (PC)
    - Over-elaboration
    - Larger quantities of output
    - Version of file used for test

    Test Data: Is data submitted by the auditor for processing by the client's computer-based accounting system.


    Major approaches to the use of test data:
    - Using live data
    - Using dummy data in a normal production run
    - Using dummy data in a special run

    Difficulties of test data:
    - Cost
    - Limited objective
    - Dangers of live testing
    - Difficulty in recording audit evidence
