purpose of internal controls
prevent, detect and/or correct intention/unintentional errors that arise as a result of inherent/control risks at firm level and process level
strong internal control environment implies…?
- accurate & reliable financial outputs –> low probability of (un)intentional errors arising from weak controls
- mgmt less likely to manipulate figures
- lower audit effort because detecting RMM lower
audit procedures for testing internal controls
phase 2. control design
phase 3a. control implementation (walkthrough)
phase 3b. test of controls
purpose of control design
to understand the design and implementation of IC environment
purpose of control implementation (walkthrough)
verify that controls are working as per understanding
purpose of test of controls
to conclude that the controls were operating effectively
what is the difference between the different phases
phase 2: determine preliminary CR
phase 3: revisit and reassess the CR level after doing the walkthrough
– conclude whether IC were operating effectively throughout the year
types of IT controls
IT general controls and IT application controls
how to audit information systems’ internal controls?
computer-aided audit tools
what does the auditor need to know when auditing information system?
- sources of information used
- how is the information captured and processed
- how the information produced is used
what are the 2 kinds of processing approaches to testing IT application controls
- test data
- integrated testing facility (ITF)
what are the 2 kinds of non-processing approaches to testing IT application controls
- program code review
- review of job accounting data
procedures to test data approach
- feed test data to client application
- ensure testing application is actual program
- auditor compare results of processing with expectations
- completed during audit field work
data required to test data approach
- data which should be processed normally
- data which should be rejected
- data which triggers system alerts
procedures to integrated test facility
- create dummy entity on live master file
- enter txn for processing by the entity
- staff responsible for processing txn should not be able to distinguish live txns from auditor’s
- done throughout the FY not just audit period
limitations of test data approach
inability to verify that it was working well throughout the year
limitations of ITF
disruptive to client’s daily operations - need to perform additional work to remove dummy txns before month-end closing
limitations of non-processing approaches
external audit may not have time/resources to perform
client may not be keen to share information
