AUDITING AND EDP
I. AUDITOR’S CONSIDERATION OF INTERNAL CONTROLS IN AN EDP ENVIRONMENT
The second standard of field work requires that we obtain a sufficient understanding of the client’s internal controls (I/C) to plan the audit and assess control risk. We hope that our assessment of control risk shows it to be low so that we can reduce substantive testing, thereby reducing audit costs. When EDP (electronic data processing) is used in significant accounting applications, the auditor must consider the effects the computer has when evaluating the internal controls. The auditor’s approach to considering I/C is the same in a computerized environment as in a manual environment:
--Obtain and document understanding of the internal controls
--Assess control risk
--Perform tests of controls
--Reassess control risk
A. Obtain and document an understanding of the I/C
1. The extent to which the auditor needs to understand the computer system is dependent upon the preliminary audit strategy selected:
a. Primarily substantive approach--treat the computer as a number-crunching black box and just audit the inputs and outputs (auditing around the computer)
b. Lower assessment of control risk--you rely on the computer’s controls (auditing through the computer)
B. Assess Control Risk
1. The auditor needs to assess the risk that the internal controls (including EDP controls) will not prevent or detect material errors or irregularities that will affect the financial statements.
a. CONSIDER THE STRENGTHS AND WEAKNESSES OF THE GENERAL CONTROLS FIRST
Example of this in the payables cycle--one of the application (programmed) controls requires that the computer match the voucher with appropriate supporting documentation before a check is issued. However, if the general controls over changes to programs cannot be relied on, then the payables program could be modified to allow an unauthorized check to be issued. Thus, the application control could not be relied on either.
b. Identify