2015年ACCA考试《审计与认证业务F8》知识点分析(4).doc

2015年ACCA考试审计与认证业务F8知识点分析（4）本文由高顿ACCA整理发布，转载请注明出处ELEVANT TO CAT QUALIFICATION PAPER 8 AND ACCA QUALIFICATIONPAPERS F8 AND P7SPECIFIC ASPECTS OF AUDITING IN ACOMPUTER-BASED ENVIRONMENTInformation technology (IT) is integral to modern accounting and managementinformation systems. It is, therefore, imperative that auditors should be fullyaware of the impact of IT on the audit of a clients financial statements, both inthe context of how it is used by a client to gather, process and report financialinformation in its financial statements, and how the auditor can use IT in theprocess of auditing the financial statements.The purpose of this article is to provide guidance on following aspects ofauditing in a computer-based accounting environment:? Application controls, comprising input, processing, output and masterfile controls established by an audit client, over its computer-basedaccounting system and? Computer-assisted audit techniques (CAATs) that may be employed byauditors to test and conclude on the integrity of a clientscomputer-based accounting system.Exam questions on each of the aspects identified above are often answered toan inadequate standard by a significant number of students hence the reasonfor this article.Dealing with application controls and CAATs in turn:APPLICATION CONTROLSApplication controls are those controls (manual and computerised) that relateto the transaction and standing data pertaining to a computer-basedaccounting system. They are specific to a given application and their objectivesare to ensure the completeness and accuracy of the accounting records andthe validity of entries made in those records. An effective computer-basedsystem will ensure that there are adequate controls existing at the point ofinput, processing and output stages of the computer processing cycle and overstanding data contained in master files. Application controls need to beascertained, recorded and evaluated by the auditor as part of the process ofdetermining the risk of material misstatement in the audit clients financialstatements.Input controlsControl activities designed to ensure that input is authorised, complete,accurate and timely are referred to as input controls. Dependent on thecomplexity of the application program in question, such controls will vary interms of quantity and sophistication. Factors to be considered in determiningthese variables include cost considerations, and confidentiality requirementswith regard to the data input. Input controls common to most effectiveapplication programs include on-screen prompt facilities (for example, arequest for an authorised user to log-in) and a facility to produce an audit2SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASEDENVIRONMENTJANUARY 2011trail allowing a user to trace a transaction from its origin to disposition in thesystem.Specific input validation checks may include:Format checksThese ensure that information is input in the correct form. For example, therequirement that the date of a sales invoice be input in numeric format only not numeric and alphanumeric.Range checksThese ensure that information input is reasonable in line with expectations. Forexample, where an entity rarely, if ever, makes bulk-buy purchases with a valuein excess of $50,000, a purchase invoice with an input value in excess of$50,000 is rejected for review and follow-up.Compatibility checksThese ensure that data input from two or more fields is compatible. Forexample, a sales invoice value should be compatible with the amount of salestax charged on the invoice.Validity checksThese ensure that the data input is valid. For example, where an entityoperates a job costing system costs input to a previously completed jobshould be rejected as invalid.Exception checksThese ensure that an exception report is produced highlighting unusualsituations that have arisen following the input of a specific item. For example,the carry forward of a negative value for inventory held.Sequence checksThese facilitate completeness of processing by ensuring that documentsprocessed out of sequence are rejected. For example, where pre-numberedgoods received notes are issued to acknowledge the receipt of goods intophysical inventory, any input of notes out of sequence should be rejected.Control totalsThese also facilitate completeness of processing by ensure that pre-input,manually prepared control totals are compared to control totals input. Forexample, non-matching totals of a batch of purchase invoices should result inan on-screen user prompt, or the production of an exception report forfollow-up. The use of control totals in this way are also commonly referred toas output controls (see below)Check digit verificationThis process uses algorithms to ensure that data input is accurate. Forexample, internally generated valid supplier numerical reference codes, should3SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASEDENVIRONMENTJANUARY 2011be formatted in such a way that any purchase invoices input with an incorrectcode will be automatically rejected.Processing controlsProcessing controls exist to ensure that all data input is processed correctlyand that data files are appropriately updated accurately in a timely manner.The processing controls for a specified application program should bedesigned and then tested prior to live running with real data. These maytypically include the use of run-to-run controls, which ensure the integrity ofcumulative totals contained in the accounting records is maintained from onedata processing run to the next. For example, the balance carried forward onthe bank account in a companys general (nominal) ledger. Other processingcontrols should include the subsequent processing of data rejected at the pointof input, for example:A computer produced print-out of rejected items. Formal written instructions notifying data processing personnel of theprocedures to follow with regard to rejected items. Appropriate investigation/follow up with regard to rejected items.Evidence that rejected errors have been corrected and re-input.Output controlsOutput controls exist to ensure that all data is processed and that output isdistributed only to prescribed authorised users. While the degree of outputcontrols will vary from one organisation to another (dependent on theconfidentiality of the information and size of the organisation), commoncontrols comprise:? Use of batch control totals, as described above (see input controls). Appropriate review and follow up of exception report information toensure that there are no permanently outstanding exception items. Careful scheduling of the processing of data to help facilitate thedistribution of information to end users on a timely basis. Formal written instructions notifying data processing personnel ofprescribed distribution procedures. Ongoing monitoring by a responsible official, of the distribution of output,to ensure it is distributed in accordance with authorised policy.Master file controlsThe purpose of master file controls is to ensure the ongoing integrity of thestanding data contained in the master files. It is vitally important that stringentsecurity controls should be exercised over all master files.These include: appropriate use of passwords, to restrict access to master file data the establishment of adequate procedures over the amendment of data,comprising appropriate segregation of duties, and authority to amendbeing restricted to appropriate responsible individuals? regular checking of master file data to authorised data, by anindependent responsible official4SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASEDENVIRONMENTJANUARY 2011? processing controls over the updating of master files, including the use ofrecord counts and control totals.COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)The nature of computer-based accounting systems is such that auditors mayuse the audit client companys computer, or their own, as an audit tool, toassist them in their audit procedures. The extent to which an auditor maychoose between using CAATs and manual techniques on a specific auditengagement depends on the following factors:the practicality of carrying out manual testing the cost effectiveness of using CAATs the availability of audit time the availability of the audit clients computer facility the level of audit experience and expertise in using a specified CAAT the level of CAATs carried out by the audit clients internal audit functionand the extent to which the external auditor can rely on this workThere are three classifications of CAATs namely:Audit softwareTest dataOther techniquesDealing with each of the above in turn:Audit softwareAudit software is a generic term used to describe computer programs designedto carry out tests of control and/or substantive procedures. Such programsmay be classified as:Packaged programsThese consist of pre-prepared generalised programs used by auditors and arenot client specific. They may be used to carry out numerous audit