Jefferson L. Eliseo Prof.

Mc Joshua De Lima

Bsa 4 BCOMP 5

Philippine Auditing Practices Statements (PAPS) 1009

Computer Assisted Audit Techniques

Introduction

In Computer information system, the objective of the Auditor do not primarily change, as
well as its scope. Regardless of the information system used by the entity, it can be manual or
computerized. However, the methods implemented by the Auditor in testing the control may also
be affected by the use of computer. The processing and storage of financial information may
affect the organization and procedures used by the entity to achieve adequate internal control.
In testing the reliability of general controls includes observing the clients personnel in
performing their assign task, checking the program documentation and testing the security
measures. in testing Application controls, the Auditor may either audit around the computer or
use the Computer Assisted Audit Techniques or (CAATs).

Description of Computer Assisted Audit Techniques (CAATs)

The Computer Assisted Audit Techniques or (CAATs) are computer programs and data
which the used as part of the audit procedures in able to process data on audit significance
contained in an entity’s information system. In computerized accounting systems, if there is no
visible evidence that is available that can be perform, it may be impracticable for the auditor to
test it manually. Also when the entity used advance computer information system. The auditor
will have to audit directly the clients computer program using CAATs. This is also called White
Box Approach. Compute assisted audit techniques are computer programs and data that the
auditor may use in performing various audit procedure. It can be tests of details of transactions
and balances, analytical review procedures, test o general and application controls, sampling
programs to extract data for audit testing and reperforming of calculation performed by the
entity’s accounting system. One of the common type of CAAT is the use of audit software to
process data of audit significance from the entity’s information system. An audit software that
has widespread popularity because it is easy to use and require little computer background on the
part of the auditor. CAATs includes the following in performing auditing procedures.
Test Details

Analytical procedure

Test of General Controls

Sampling programs

Test of controls

Recalculations

Reperformance

Consideration in the use of CAATs

In determining whether to use CAATs, the auditor must consider the following:

Availability of sufficient IT knowledge, skills and expertise and experience of the members
of the audit team to execute, plan and use the result of the particular CAAT.

Availability of CAAT suitable computer facilities and data in appropriate format.

Impracticability of manual tests due to lack of evidence such as in respect of authorities of

system generated transactions operation of the programmed control procedure, retention
of transactions detailed in electronic from with summary totals only being printed in hard
copy.

Impact on effectiveness and efficiency for example it may be more efficient to extract data
from the entity’s record using a software than do it manually

Time constraints must also be consider because of the availability of data when the auditor
need those data. If certain data are kept only for a short period of time, the auditor may
need to alter the timing of the performance of CAAT that requires such time.

Using CAATs

Major Steps to be consider by the auditor in applying the CAAT are:

set the objective of the CAAT application

determine the content and accessibility of the entity’s files

 identify the specific files or database to be examined

understand the relation between the data tables where a database is to to be examined

defined the specific tests or procedures and related transactions and balances affected

define the output requirements

arrange with the user and IT departments, if appropriate, for example, for copies of the
relevant files or database tables to be made at appropriate cut off date and time

identify the personnel who may participate in the design and application of the CAAT

refine the estimates of costs and benefits

ensure that the use of the CAAT is properly controlled and documented

arrange the administrative activities, including the necessary skills and computer facilities

reconcile data to be used for the CAAT with the accounting reccords

execute the CAAT application

evaluate the results.

Using CAATs in Small Entity IT Environments

The effectiveness of certain CAATS particularly the audit software may increase due to the
result of greater emphasis in test detail of transactions and balances to analytical
procedure. Thus, the level of general controls may be less reliance on the system of
internal control.

Manual methods can be more effective when smaller volume of data are to be process.

Smaller entity may not be able to provide enough technical assistance to the auditor, making
the use of CAATs not practicable.

Restricting the auditor choice of CAATs because certain audit package or audit software may
not operate on small computer. Some of the data file may be copied and process on
another suitable computer.

Computer assisted Audit Techniques (CAATs)

1. Audit productivity software

Tools used by auditors that facilitate their productivity by automating the auditing function, and
reduce the amount of time they spend on other administrative tasks. These tools include
electronic working papers, groupware, engagement management, reference libraries, and
document management. Examples of office productivity software include word processors,
database management systems (DBMS), graphics software and spreadsheet applications.

2. Generalized Audit Software Tools

One of the common type of CAAT is the use of audit software to process data of audit
significance from the entity’s information system. An audit software that has widespread
popularity because it is easy to use and require little computer background on the part of the
auditor. it can be used on both mainframes and PC systems, it allows the auditor to perform
his/her test independent of the entity’s computer processing personnel. This audit software is
designed to perform common audit tasks such as reading data files, selecting and analyzing
information, summarizing and totaling files, performing or verifying calculation, creating data
files, providing totals of unusual items and reporting in an auditor specified format.

3. Testing computer application controls

. These test follow two general approaches: The Black Box: Testing around the computer -
auditors performing black box testing do not rely on a detailed knowledge of the application’s
internal logic. They seek to understand the functional characteristics of the application by
analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization. The
auditor tests the application by reconciling production input transactions processed by the
application with output results. The advantage of the black box approach is that the application
need not be removed from service and tested directly. And The White Box. Testing through the
computer - relies on an in-depth understanding of the internal logic of the application being
tested. Several techniques for testing application logic directly are included. This approach uses
small numbers of specially created test transactions to verify specific aspects of an application’s
logic and controls. Auditors are able to conduct precise tests, with known variables, and obtain
results that they can compare against objectively calculated results.

4. Computer Aided Audit Tools and Techniques for Testing Controls

Computerized assisted audit techniques or computer assisted audit tools and techniques is a
increasing field within the environment of the IT profession. CAATs is the method of using
computer to automate the IT audit process. Computer assisted audit techniques also includes the
use of basic office productivity software such as spreadsheet, word processors and text editing
programs and many more advance software packages using statistical analysis and business
intelligence tools but also more dedicated specialized software are available CAATs are computer
programs and data which the auditor uses as part of the audit procedures to process data of audit
significance contained in an entity information system. some of the commonly used CAATs
include Test data, Integrated test facility and Parallel Stimulation.

5. Continuous Auditing Techniques

Continuous audit or a detailed audit is an audit which involves a detailed examination of books of
account at regular intervals i.e. one month or three months. The auditor visits clients at regular
intervals during the financial year and checks each and every transaction. At the end of the year
auditor checks the profit and loss account and the balance sheet. A continuous audit is not of much
use to small firm as its accounts can be audited at the end of the financial year without much loss
of time.

Philippine Auditing Practices Statements 1013

Electronic Commerce – Effect on the Audit of Financial Statements

Introduction

The continued evolution of technology, the economics of the internet, and the growth of e-
commerce are significantly affecting the traditional business environment. E-commerce is
changing the competitive market and making international trading viable for a much larger
number of businesses. The electronic commerce (E-Commerce) represents one of the challenges,
which faces both accountants and auditors, since many organizations have changed to adapt E-
commerce. Some popular companies have engaged in e-commerce such as Amazon and eBay. E-
commerce, or e-business, via the internet is now bringing fundamental changes to the way
business is conducted. However, in the midst of these changes in the business environment, the
auditor's responsibility to provide an opinion on the financial report has remained unchanged.
Usually, management will identify e-commerce business risks, and address those risks with
appropriate security and control measures. In contrast, the auditor will consider e-commerce
business risks only in so far as they affect audit risk. Audit risk relates to the risk that the entity's
financial report (on which the auditor provides an audit report) is materially misstated. Although
communication and transactions over networks and through computers are not new features of
the business environment, the increasing use of the internet for e-commerce introduces new
variables of risk and control requiring audit consideration. When transactions are initiated by
unknown parties on the internet, there are risks relating to the authenticity and integrity of
trading partners and e-commerce transactions.

Skills and Knowledge

The complexity of the entity’s e-commerce activities will be different depends on the the level
of skills and knowledge required to understand the effect of e-commerce. When e-commerce has
a significant effect on the entity’s business, appropriate levels of both information technology
(IT) and Internet business knowledge may be required to

A. Understand, so far as they may affect the financial statements: The entity’s e-commerce
strategy and activities; The technology used to facilitate such activities; and The risks involved in
the entity’s use of e-commerce and entity’s approach to managing those risks.

B. Determine the nature, timing and extent of audit procedures and evaluate audit evidence; and
C. Consider the effect of the entity’s dependence on e-commerce activities on its ability to continue
as a going concern.

Knowledge of the Business

The knowledge of the auditor of the business is important when it comes to assessing the
significance of e-commerce to the business activities of the entity and its effects of the audit risk.
This new development carries risks, which may not be identified in their early stages. Therefore,
as the auditor reconsiders the impact of e-commerce in each new reporting period, the audit
profession must remain aware of the potential impact of evolving internet technology and
emerging standards of industry practice on audit procedures.

Risk Identification

We all know that E-commerce provides many benefits to consumers, such as convenience,
greater choice, lower prices, and more information, but there are also a number of barriers
restricting its potential to grow. These are the following

Loss of transaction integrity leading to inadequacy of audit trail

Security risks including virus attacks, fraud by customers, employees, and those unauthorized
individuals who can access the system.
 System availability – if the system is fails to work, entity may suffer temporary loss of revenue,
impaired cash flow, or diminished public image.
Loss of information privacy - The fact that breaches of Internet security are reported with great
frequency means that there is a danger that potential users will be reluctant to engage in e-
commerce because of fears about security
Improper accounting policies such as capitalization of expenditures such as website
development cost, complex contractual arrangements, translation of foreign currencies.
Noncompliance with taxation
Verifying the identity of customers and suppliers

Internal Control Consideration

Being involve in internet based electronic commercial process makes the entity prone to
different illegal activities that can harm our system. it also make us vulnerable to international or
non international attacks. the implementation of internal controls system is very important for the
management to have and inherent risk to inter organizational systems that support electronic
transaction.

PSA 315 states that internal control is designed and implemented to achieve the entity’s
objectives with regard to: Reliability of financial reporting; Effectiveness and efficiency of
operations; and Compliance with applicable laws and regulations.

IT benefits an entity’s internal control by enabling an entity to:

1.Consistently apply predefined business rules and perform complex calculations in processing
large volumes of data;
2. Enhance the timeliness, availability, and accuracy of information;
3. Reduce the risk that control will be circumvented; and
4. Enhance the ability to achieve effective segregation of duties by implementing controls in
applications, databases, and operating systems.

The Effect of Electronic Records on Audit Evidence

Electronic records may be more easily altered than paper records without leaving evidence of
such alteration when security controls are inadequate to prevent unauthorized changes to the
accounting system or records. Auditors should consider the need to perform procedures
depending on the assessment of the controls.

Auditor’s risk assessment procedures shall include:

1.Inquiries of management and of others within the entity who, in the auditor’s judgment, may
have information that is likely to assist in identifying risks of material misstatement due to fraud
or error.

2. Analytical procedures – evaluation of financial information made by a study of plausible

relationships among both financial and nonfinancial data.
3. Observation and inspection.

It Risks and Controls

1. Identifying IT Risks

The Application may not run due to wrong implications run, incorrect version use or wrong
configuration entered by the employee of staff.

An authorized use of the the system of the entity may result to corruption od data or loss of
important files such as financial documents.

Wrong priorities may be given to jobs because of disruption and delay in processing.

Lack of back ups and contingency planning increases the risks of being unable to processing.

Due to poor help desk function, users problems remain unresolved.

2. Identifying IT Controls

IT Controls in a computer system are all the manual and programmed methods, policies and
procedures that ensure the protection of the entity’s assets, the accuracy and reliability of its
records, and the operational adherence to the management standards. Presence of controls in a
computerized system is significant from the audit point of view as these systems may allow
duplication of input or processing, conceal or make invisible some of the processes, and in some
of the auditee organizations where the computer systems are operated by third party service
providers employing their own standards and controls, making these systems vulnerable to
remote and unauthorized access.

3. Documenting IT Controls
The auditors must identify the IT controls before documenting them, as well as considering the
relevant objectives and risk of it to the entity and process level. The control must reduce the risk
to an acceptable level but must not have excessive cost. Controls may be identified at any level
of the organization. Here are the 5 COSO components.

Control environment

Risk assessment

Control activities

Information and Communication

Monitoring

4. Monitoring IT Risks and Controls

It is important that we understand the monitoring of risk is intended to be a daily, on going

process on the entire project of the entity. Project team members and other stakeholders should
be encourage to be cautious in looking for risk symptoms as well as for new project risk. By
regularly checking the risk and control action plan, we will be able to identify how successful it
has been. We should make regularly progress checks with the person who is responsible for the
monitoring within the entity.