Audit Trail in EDP (N’04)
Audit is doable if one can relate ‘one-to-one’ basis, the original input along with the final output
a) In some situations, output is as complete and as detailed as in any manual system.
E.g. Detailed calculations, casts, postings etc for Credit Notes
Trail from beginning to end = complete, auditor can get all documents for vouching, totalling and cross-referencing. Any form of audit checking is possible, including depth testing in either direction.
End to end
b) In some situations, the system may not produce a visible audit trail of transactions processed
Input documents may be non-existent if sales orders are entered online.
Discounts and interest calculations may be generated by computer programmes with no visible authorization of individual transactions
The system matches Goods Received Notes and Suppliers Invoices
Programmed control procedures such as checking customer credit limits = Visible evidence only on an exception basis
The system may not produce output reports at all or reports produced are only summary totals while supporting details are retained in computer files.
“SA 200 (Revised) Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”, audit risk is a function of the risks of material misstatement and detection risk
Audit risk = Function of the risks of material misstatement and detection risk
Audit risk = Technical term related to auditing
≠ Auditor’s business risks such as loss from litigation, adverse publicity
· Inherent risk (risk that material errors will occur);
Complex Calculations/Estimates/Technological Obsolescence leading to Inventory Overvaluation
· Control risk (risk that the client’s system of internal control will not prevent or correct such errors);
Internal control, no matter how well designed/operated, can only reduce, but not eliminate, risks of material misstatement, because of the inherent limitations of internal control.
Human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override
· Detection risk (risk that any remaining material errors will not be detected by the auditor).
Relationship between Detection Risk and the Assessments of Inherent and Control Risks
Detection Risk α 1/ (Inherent Risk+ Control Risk)
If IR+CR=high, DR has to be low and thus more persuasive audit evidence
Internal Control in small business (M’11)
Obtain to obtain same degree of assurance as in large company before he issues unqualified opinion
Controls relevant to large entities not practical in the small business
Limited staff strength
Lack of Internal Check: Same person could have both operating and custodial responsibilities; nil or limited segregation of functions
In many cases, inadequate segregation of duties off-set by owner’s supervisory controls because of direct personal knowledge of the business
Audit Risk: It is reasonable to expect that risk of not detecting errors may go up substantially
Perform substantive procedure to get evidence necessary to support auditors’ opinion on f/s
Internal Control and the Computerised Information System (CIS) Environment
Requirements of Internal Control System at a Service Bureau (M’04)
Situation: Dabur Ltd outsources its payroll processing to Mafoi Consultants, an external agency that specialises in payroll processing. Dabur Ltd is the “user” and Mafoi Consultants is “bureau”.
But the complexity in internal control arises because Mafoi is an external party:
1. Co-ordination between Mafoi and Dabur = clearly defined while senior officers of Dabur appointed as liaison officer
2. System testing including all clerical procedures at the user company
3. If errors identified, prompt correction and resubmission to meet the Mafoi’s processing schedule
4. Clerical control to verify the accuracy of computer processing
5. Since Dabur has no physical control over the files ; it should maintain high control over the data on master files
Comment- The overall objective and scope of an audit does not change in an Electronic data Processing (EDP) environment. (M’00)
Situation A: Auditing the accounts of a small trader which are maintained manually
Situation B: Auditing the account of a small firm which uses Tally Accounting package for accounting
Situation C: Auditing the accounts of State Bank of India which uses a complex Enterprise Resource Planning (ER) Package
The complexity of audit increases at each stage, because in SBI, the accounting will be mostly system driven. Even interest calculation is done by the computer and credited to customer account automatically
Objective of Audit of financial statements = t&f view
Scope = function (terms of the engagement, relevant legislation and ICAI)
Overall objective and scope = same in EDP environment
Using a computer -> Change in processing and storage of financial information -> Change in internal control procedure -> Change in auditor’s evaluation procedure for ASIC and NTE of substantive procedures
Auditor should have knowledge of computer hardware, software and processing systems; how auditing procedures including computer-assisted audit techniques (CAAT) would be differently applied
Comment - “Installation of Computer Operating System has created both benefits and problems for auditors” (M’99, M’04)
Difficult to imagine a PC (stand-alone/networked) without an operating system ->Flexibility to user +auditor -> need based extraction of data e.g., region-wise, city-wise, examination centre-wise student records to compare the performance -> sample selection
Unless data access restricted - passwords and other access controls; system hacked and database manipulated
Comment - ‘Doing an audit in an EDP environment is simpler since the trial balance always tallies. (N’00, M’10)
In Tally you make a Journal Entry with a debit and a credit, posting to the ledger and then to the Trial Balance are done by the computer system itself and there is no possibility of any error. However what if an entry got omitted or there was a wrong account credited or capital expense charged to revenue? Merely totalling of the debit and credit column of trial doesn’t make the auditor’s life easy.
The statement is true but job of an auditor does not become simpler.
At present, arithmetical accuracy ≠ enough; but focus on the nature of transactions recorded in the books
Errors of omission / commission/compensating errors, duplication of entries
“Window Dressing” and/or “Creation of Secret Reserves” where the trial balance tallied
Financial instruments like F&O (futures/options), derivatives, off balance sheet financing etc - Recording and disclosure of transactions
Estimation of provision for depreciation, Inventory Valuation
Evidence – Tests of Compliance and Substantive procedure, verification of assets & liabilities their valuation etc. = Judgement to be exercised by the auditor.
Responsibility of expressing an audit opinion and objectives of an audit are not changed in the audit in EDP environment
CA Anurag Singal secured All India Ranks 25 and 22 in CA inter and Final. He has authored the book “Auditing Mantras’ for CA IPCC. http://www.auditingmantras.com/ He can be mailed at firstname.lastname@example.org