Explain what is meant by ‘Computer Assisted Audit techniques (CAATs)’ and describe their major categories. Distinguish between ‘General controls’ and ‘Application controls’ in a computerized environment.
28. In IT systems, application controls share a number of common features regardless of the particular application involved. These common features can be categorized as:
• input controls (controls over input data)
• processing controls
• data file controls
• controls over the output from the system (output controls).
Required: Discuss these common features.
The use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. CAATs are such techniques applied through the computer which are used in verifying the data being processed by it. System characteristics resulting from the nature of EDP processing that demand the use of Computer Aided Audit Techniques (CAAT) are:
a) The absence of input documents (e.g. order entry in on-line systems) or the generation of accounting transactions by computer programs (e.g. automatic calculation of discounts) may preclude the auditor from examining documentary evidence.
b) The lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system.
c) The lack of visible output may necessitate access to data retained on files readable only by the computer.
General EDP Controls: The purpose of general EDP controls is to establish a framework of controls over the activities of the EDP department. It also provides assurance that the overall objectives of internal control are achieved. General EDP controls may include:
1. Organization and management controls: Designed to establish an organizational framework over EDP activities, including:
a) Establishing policies and procedures relating to control functions.
b) Appropriate segregation of functions (e.g. preparation of input transactions, programming and computer operations).
2. Application systems development and maintenance controls: Designed to provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner. They are also designed to establish control over:
a) Testing, conversion, implementation and documentation of new or revised systems,
b) Changes to application systems,
c) Access to systems documentation,
d) Acquisition of application systems from third parties.
3. Computer operation controls: Designed to control the operation of the systems and to provide reasonable assurance that:
a) The systems are used for authorized purposes only,
b) Access to computer operations is restricted to authorized personnel,
c) Only authorized programs are used,
d) Processing errors are detected and corrected.
4. Systems software controls: Designed to provide reasonable assurance that system software is acquired or developed in an authorized and efficient manner, including:
a) Authorization, approval, testing, implementation and documentation of new systems software and systems software modifications.
b) Restriction of access to systems software and documentation to authorized personnel.
5. Data entry and program controls: Designed to provide reasonable assurance that:
a) An authorization structure is established over transactions being entered into the system.
b) Access to data and programs is restricted to authorized personnel.
c) There are other EDP safeguards that contribute to continuity of EDP processing. These are:
i) Offsite back-up of data and computer programs.
ii) Recovery procedures for use in the event of theft, loss or intentional or accidental destruction.
iii) Provision for offsite processing in the event of disaster.
EDP application controls: The purpose of EDP application controls is to establish specific control procedures over the accounting applications in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis. EDP application controls include:
1. Controls over input: Designed to provide reasonable assurance that:
a) Transactions are properly authorized before being processed by the computer.
b) Transactions are accurately converted into machine readable form and recorded in the computer data files.
c) Transactions are not lost, added, duplicated or improperly changed.
d) Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
2. Controls over processing and computer data files: Designed to provide reasonable assurance that:
a) Transactions, including system generated transactions, are properly processed by the computer.
b) Transactions are not lost, added, duplicated or improperly changed.
c) Processing errors are identified and corrected on a timely basis.
3. Controls over output: Designed to provide reasonable assurance that:
a) Results of processing are accurate.
b) Access to output is restricted to authorized personnel.
c) Output is provided to appropriate authorized personnel on a timely basis.
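
The input and data file controls listed above (authorization, nothing lost, added or duplicated, incorrect transactions rejected) are the kind of check a CAAT re-performs directly on the data file. The following is an added example, not part of the original answer: a Python routine that tests a constructed transaction batch against its batch header. The field names, the header layout and the approver list are assumptions made for the illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: a batch header prepared at data entry (control totals)
# and the transactions actually recorded in the computer data file.
BATCH_HEADER = {"first_seq": 1001, "record_count": 5, "control_total": Decimal("1500.00")}
AUTHORIZED_APPROVERS = {"A.KHAN", "M.LEE"}  # assumed authorization list
TRANSACTIONS = [
    {"seq": 1001, "amount": "250.00", "approver": "A.KHAN"},
    {"seq": 1002, "amount": "400.00", "approver": "M.LEE"},
    {"seq": 1002, "amount": "400.00", "approver": "M.LEE"},   # duplicated record
    {"seq": 1004, "amount": "-75.00", "approver": "A.KHAN"},  # invalid amount; 1003 is lost
    {"seq": 1005, "amount": "600.00", "approver": "J.DOE"},   # approver not on the list
]


def audit_batch(header, transactions, approvers):
    """Re-perform input controls over one batch and return the exceptions found."""
    seqs = [t["seq"] for t in transactions]
    counts = Counter(seqs)
    first = header["first_seq"]
    expected = set(range(first, first + header["record_count"]))
    total = sum(Decimal(t["amount"]) for t in transactions)
    return {
        # Completeness: sequence numbers the header implies but the file lacks.
        "missing": sorted(expected - set(seqs)),
        # Records outside the range the batch header covers.
        "added": sorted(set(seqs) - expected),
        "duplicated": sorted(s for s, n in counts.items() if n > 1),
        # Authorization: approver must be on the authorized list.
        "unauthorized": sorted({t["seq"] for t in transactions
                                if t["approver"] not in approvers}),
        # Validity: non-positive amounts should have been rejected at input.
        "rejected": sorted({t["seq"] for t in transactions
                            if Decimal(t["amount"]) <= 0}),
        # Batch controls: record count and monetary control total.
        "count_ok": len(transactions) == header["record_count"],
        "total_ok": total == header["control_total"],
        "computed_total": total,
    }


if __name__ == "__main__":
    result = audit_batch(BATCH_HEADER, TRANSACTIONS, AUTHORIZED_APPROVERS)
    for name, value in result.items():
        print(f"{name}: {value}")
```

In this sample the record count agrees with the header even though one transaction was lost and another duplicated; the sequence check and the control total are what expose the difference.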