Aas 29
Aas 29
Introduction
Planning
Assessment of Risk
Audit Procedures
Documentation
Effective Date
Introduction
1. The purpose of this Auditing and Assurance Standard (AAS) is to
establish standards on procedures to be followed when an audit is
conducted in a computer information systems (CIS) environment. For
the purposes of this AAS, a CIS environment exists when one or more
computer(s) of any type or size is (are) involved in the processing of
financial information, including quantitative data, of significance to
the audit, whether those computers are operated by the entity or by a
third party.
2. The overall objective and scope of an audit does not change in a
CIS environment. However, the use of a computer changes the
processing, storage, retrieval and communication of financial
information and may affect the accounting and internal control
systems employed by the entity. Accordingly, a CIS environment may
affect:
(a) the extent to which the CIS environment is used to record, compile
and analyse accounting information;
(b) the system of internal control in existence in the entity with regard
to:
If specialised skills are needed, the auditor would seek the assistance
of an expert possessing such skills, who may either be the auditor’s
staff or an outside professional. If the use of such a professional is
planned, the auditor should, in accordance with AAS 9, “Using the
Work of an Expert”, obtain sufficient appropriate audit evidence that
the work performed by the expert is adequate for the purposes of the
audit.
Planning
5. In accordance with the Auditing and Assurance Standard (AAS) 6,
“Risk Assessments and Internal Control”, the auditor should obtain an
understanding of the accounting and internal control systems
sufficient to plan the audit and to determine the nature, timing and
extent of the audit procedures. Such an understanding would help the
auditor to develop an effective audit approach.
¨ Potential for errors and irregularities: The potential for human error
in the development, maintenance and execution of computer
information systems may be greater than in manual systems, partially
because of the level of detail inherent in these activities. Also, the
potential for individuals to gain unauthorised access to data or to alter
data without visible evidence may be greater in CIS than in manual
systems.
(a) ensure that authorised, correct and complete data is made available
for processing;
(e) provide adequate data security against fire and other calamities,
wrong processing, frauds etc.;
Assessment of Risk
9. The auditor should make an assessment of inherent and control
risks for material financial statement assertions, in accordance with
AAS 6, “Risk Assessments and Internal Control”.
10. The inherent risks and control risks in a CIS environment may
have both a pervasive effect and an account-specific effect on the
likelihood of material misstatements, as follows:
¨ The risks may result from deficiencies in pervasive CIS activities
such as program development and maintenance, system software
support, operations, physical CIS security, and control over access to
special-privilege utility programs. These deficiencies would tend to
have a pervasive impact on all application systems that are processed
on the computer.
11. As new CIS technologies emerge for data processing, they are
frequently employed by clients to build increasingly complex
computer systems that may include micro-to-mainframe links,
distributed data bases, end-user processing, and business management
systems that feed information directly into the accounting systems.
Such systems increase the overall sophistication of computer
information systems and the complexity of the specific applications
that they affect. As a result, they may increase risk and require further
consideration.
Audit Procedures
12. In accordance with AAS 6, “Risk Assessments and Internal
Control”, the auditor should consider the CIS environment in
designing audit procedures to reduce audit risk to an acceptably low
level. He should make enquiries and particularly satisfy himself
whether:
Documentation
14. The auditor should document the audit plan, the nature, timing
and extent of audit procedures performed and the conclusions drawn
from the evidence obtained. In an audit in CIS environment, some of
the audit evidence may be in the electronic form. The auditor should
satisfy himself that such evidence is adequately and safely stored and
is retrievable in its entirety as and when required.
Effective Date
15. This Auditing and Assurance Standard (AAS) becomes operative
for all audits related to accounting periods beginning on or after 1st
April, 2003.