EDP CA IPCC PDF

Preview

Summary

Download EDP CA IPCC PDF

Description

CA Ravi Taori

EDP

ELECTRONIC DATA PROCESSING (EDPElectronic Data Processing, CIS Computerized Information System means use of computers in information recording, processing or reporting) 1. IMPACT OF EDP ON INFORMATION PROCESSING SYSTEM A. Organizational Structure in the CIS Environment: In a CIS environment, an entity will establish an organizational structure and procedures to manage the CIS activities. Characteristics of a CIS organizational structure include(a) Concentration of functions and knowledge—although most systems employing CIS methods will include certain manual operations, generally the number of persons involved in the processing of financial information is significantly reduced. Furthermore, certain data processing personnel may be the only ones with a detailed knowledge of the interrelationship between the source of data, how it is processed and the distribution and use of the output. It is also likely that they are aware of any internal control weaknesses and, therefore, may be in a position to alter programs or data while stored or during processing. Moreover, many conventional controls based on adequate segregation of incompatible functions may not exist, or in the absence of access and other controls, may be less effective.

(in Short) (Reduction in numberFew people with detailed knowledge of whole systemthey can exploit internal control weaknessIn position to alter programs or data Conventional controls such as segregation of duty may not exist Overall effectiveness of internal control system reduces) (Example) (Earlier 2 Clerks & 1 Senior in HR, 2 Cl & 1 Senior in Factory, 2 Cl & 1 Senior in Finance & 5 people to calculate salary in Salary Department. (14 People) Now 1 Data Entry Person at HR, 1 at Factory, No one in Finance & 2 in for calculating salary, 2 in IT Department) (6 People) (2 in IT department understand flow of whole system, they know where data is saved, they have access to stored data, they have master password to change it without any trail. They know programming also, they can hide PF / Tax percentage and club multiple headings, deduct more and transfer amount in name of dummy employees and withdraw them) (b) Concentration of programs and data—transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout an entity. Computer programs which provide the ability to obtain access to and alter such data are likely to be stored at the same location as the data. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, programs and data.

(Earlier data was recorded and kept in manually in registers: - employee personal records, attendance & overtime records, performance records, salary records. Any change in data could be easily identified if there is scribbling or use of white ink. Further there were multiple data keepers. Now there is RDBMS and all data is saved in interrelated tables, access to input software and RDBMS is available with-IT department and top management which can be misused, even external people can easily exploit it, they can delete it or change) B. Design and Procedural Aspects: The development of CIS systems will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS systems include: (SSC @ DP dekhe ke samjh gaya

auditguru.in

7.1

CA Ravi Taori

EDP

ki ab design badaljayega) (a) Single transaction update of multiple or data base computer files—a single input to the accounting system may automatically update all records associated with the transaction (e.g. shipment of goods documents may update the sales and customers’ accounts receivable files as well as the inventory file). Thus, an erroneous entry in such a system may create errors in various financial accounts.

(Entry of appointment letter updates employee records, attendance records, commission records, performance records etc.) (b) Systems generated transactions—certain transactions may be initiated by the CIS system itself without the need for an input document. The authorization of such transactions may not be evidenced by visible input documentation nor documented in the same way as transactions which are initiated outside the CIS (e.g., interest may be calculated and charged automatically to customers’ account balances on the basis of pre-authorized teams contained in a computer program).

(Employees are asked to give security deposit, standard interest is applied and provided to employees, system computes interest and adds it to remuneration automatically) (c) Consistency of performance—CIS systems performed functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction types and conditions that could occur are anticipated and incorporated into the system. On the other hand, a computer program that is not correctly programmed and tested may consistently process transactions or other data erroneously. (Diwali Bonus of 10% was announced to all

employees, there was option in software to give standard bonus to all employees but 25 employees who got cars and two wheelers were not eligible for such increment but there was no option to remove few employees) (In bank interest rate for senior citizens was increased by 1.5%, software changed interest on all deposits but only new deposits were eligible for increase, so many rates were changed manually) (d) Vulnerability of data and program storage media—large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, or intentional or accidental destruction. (Very easy to steal electronic data) (e) Programmed control procedures—the nature of computer processing allows the design of internal control procedures in computer programs. These procedures can be designed to provide controls with limited visibility (e.g. protection of data against unauthorized access may be provided by passwords). Other procedures can be designed for use with manual intervention, such as review of reports printed for exception and error reporting, and reasonableness and limit checks of data.

(Limited Visibility  Employee Files & Salary Slips are password protected Exception Reporting  Positive PF / Tax, Negative Overtime & Bonus Reasonableness Checks  More than 50% Over Time / % Change in salary as compared to last month & leaves cannot cross 26 in month, overtime per day cannot cross 8 hours) C. Nature of Processing: The use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of persons. System characteristics that may result from the nature of CIS processing include: (a) Absence of input documents—data may be entered directly into the computer system without

auditguru.in

7.2

CA Ravi Taori

EDP

supporting documents. In some on-line transaction systems, written evidence of individual data entry authorization (e.g. approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (e.g. credit limit approval).

(Earlier physical documents were available for job application forms, offer letter, appointment letter, attendance register, salary calculation etc. Now they are either directly entered through web portal and communication takes place through email, physical documents are missing) (b) Lack of visible transaction trail—certain data may be maintained on computer files only. In a manual system, it is normally possible to follow a transaction through the system by examining source documents, books of account, records, files and reports. In a CIS environment, however, the transaction trail may be partly in machine-readable form, and furthermore it may exist only for a limited period of time.

(Appointment letter from HR, Attendance & Overtime from Factory, Investment Details from Finance and Manual Calculation in Salary Department, complete flow was visible. Now everything is in system) (c) Lack of visible output—certain transactions or results of processing may not be printed. In a manual system, and in some CIS systems, it is normally possible to examine visually the results of processing. In other CIS systems, the results of processing may not be printed, or only summary data may be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by the computer.

(Earlier complete salary calculations were visible and photocopy was attached to salary slip, now all calculations take place in system and only headings are available in salary slip) (d) Ease of access to data and computer programs—data and computer programs may be accessed and altered at the computer or through the use of computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, data and programs by persons inside or outside the entity. (Earlier records were kept in lock and key and custody of senior to avoid manipulation

but now they can be accessed from anywhere in the world and manipulation can be done without any awareness) 2. IMPACT OF CIS ON AUDITING i.

1 Objective & Scope of Audit: - The overall objective and scope of an audit does not change in CIS environment. However, the use of a computer changes the processing and storage of financial information and may affect the organization and procedures employed by the entity to achieve adequate internal control. Accordingly, the procedures followed by the auditor in his study and evaluation of the accounting system and related internal controls and nature, timing and extent of his other audit procedures may be affected by CIS environment.

(Earlier knowledge & personal ethics of people involved in authorization & processing were carefully evaluated but now software programming & installation are important part of internal control evaluation) ii.

2 Skills and Competence: When auditing in CIS environment, the auditor should have an understanding of computer hardware, software and processing systems sufficient to plan the engagement and to understand how CIS affects the study and evaluation of internal control and application of auditing procedures including computer-assisted audit techniques. The auditor should also have sufficient knowledge of CIS to implement the auditing procedures, depending on the particular audit approach adopted. (Earlier accounts and audit knowledge

was sufficient but now IT knowledge is also required) iii.

6 Work Performed by Others: The auditor is never able to delegate his responsibility for forming important audit conclusions or for forming and expressing his opinion on the financial information. Accordingly, when he delegates work to assistants or uses work performed by

auditguru.in

7.3

CA Ravi Taori

EDP

other auditors or experts, the auditor should have sufficient knowledge of CIS to direct, supervise and review the work of assistants with CIS skills or to obtain reasonable assurance that the work performed by other auditors or experts with CIS skills is adequate for his purpose, as applicable.

(Earlier manual records such as audit note book or copy of trial balance was used to keep track work done by team but now excel sheets, audit servers etc. are used. E.g. AuditShelf.Com etc.) iv.

3 Planning: The auditor should gather information about the CIS environment that is relevant to the audit plan, including information as to: Obtain Knowledge (Similar to Question 5) How the CIS function is organized and the extent of concentration or distribution of computer processing throughout the entity. (Only sales or all functions) The computer hardware and software used by the entity. (Intel Vs AMD, Windows Vs Linux) Each significant application processed by the computer (Salary Processing), the nature of the processing (e.g. batch, on-line), and data retention policies (8 years). Planned implementation of new applications or revisions to existing applications.

(Upgradation of Inventory Module and Implementation of GST) Plan Following When considering his overall plan, the auditor should consider matters, such as:  Planning how, where and when the CIS function will be reviewed including scheduling the works of CIS experts, as applicable. (Generally, before starting regular audit)  Determining the degree of reliance, if any, he expects to be able to place on the CIS controls in his overall evaluation of internal control. Degree of Reliance Vouching High 20% Medium 50% Low 70%  Planning auditing procedures using computer-assisted audit techniques. v.

4 Accounting System and Internal Control: During the review and preliminary evaluation of internal control, the auditor should acquire knowledge of the accounting system to gain an understanding of the overall control environment and the flow of transactions. If the auditor plans to rely on internal controls in conducting his audit, he should consider the manual and computer controls affecting the CIS function (general CIS controls) and the specific controls over the relevant accounting applications (CIS application controls).

(Below discussion is all about problems in collecting audit evidence & how CAAT can help) vi.

5 Audit Evidence: A CIS environment may affect the application of compliance and substantive procedures in several ways. The use of computer assisted audit techniques may be required because: The absence of input documents (e.g. order entry in on-line systems) or the generation of accounting transactions by computer programs (e.g. automatic calculation of discounts) may preclude the auditor from examining documentary evidence. (Observe live data punching by

employees) The lack of a visible audit trail will preclude the auditor from visually following transactions through the computerized accounting system. (Recalculate amounts) The lack of visible output may necessitate access to data retained on files readable only by the computer. (Study RDBMS which cannot be printed) The timing of auditing procedures may be affected because data may not be retained in computer files for a sufficient length of time for audit use, and the auditor may have to make specific arrangements to have it retained or copied.

auditguru.in

7.4

CA Ravi Taori

EDP

(Designed special software or gave standing instructions) The effectiveness and efficiency of auditing procedures may be improved through the use of computer-assisted audit techniques in obtaining and evaluating audit evidence, for example: (i) Some transactions may be tested more effectively for a similar level of cost by using the computer to examine all or a greater number of transactions than would otherwise be selected.

(Cross checking sales transaction with multiple records) (ii) In applying analytical review procedures, transactions or balance details may be reviewed and reports printed of unusual items more efficiently by using the computer than by manual methods. 3. EDP ENVIRONMENT IS SIMPLER SINCE THE TRIAL BALANCE ALWAYS TALLIES? DO YOU AGREE? 1. Errors like omission of certain entries, duplication of entries, errors of commission, error of principle compensating errors, 2. Possibility of “Window Dressing” and/or “Creation of Secret Reserves” 3. The emergence of new forms of financial instruments like options and futures, derivatives, off balance sheet financing etc 4. In an audit, besides the tallying of a trial balance, there are also other issue like estimation of provision for depreciation, valuation of inventories, obtaining audit evidence, ensuring compliance procedure and carrying out substantive procedure, verification of assets & liabilities their valuation etc. 4. AUDIT TRIAL IN EDP ENVIRONMENT Audit Trail: ‘Audit trail’ refers to a situation where it is possible to relate, on a “one – to –one” basis, the original input with the final output. In a manual accounting system, it is possible to relate the recording of a transaction of each successive stage enabling an auditor to locate and identify all documents from beginning to end for the purposes of examining documents, totaling and cross – referencing. In first and early second-generation computer systems, a complete audit trail was generally available. However, with the advent of modern machines, the CIS environment has become more complex. This led to use of exception reporting by the management which effectively eliminated the audit trail between input and output. (List of new employees, drastic increase or decrease in salary, excessive commissions etc.) The lack of visible evidence may occur at different stages in the accounting process, for example(i) Input documents may be non-existent where sales orders are entered online. In addition, accounting transactions such as discounts and interest calculations may be generated by computer programmes with no visible authorization of individual transactions. (ii) The system may not produce a visible audit trail of transactions processed through the computer. Delivery notes and supplier’s invoices may be matched by a computer programme. In addition, programmed control procedures such as checking customer credit limits, may provide visible evidence only on an exception basis. In such cases, there may be no visible evidence that all transactions have been processed. (iii) Output reports may not be produced by system or a printed report may only contain summary totals while supporting details are retained in computer files.

auditguru.in

7.5

CA Ravi Taori

EDP

Special Audit Techniques: In the absence of audit trail, the auditor needs the assurance that the programmes are functioning correctly in respect of specific items by using special audit techniques. The absence of input documents or the lack of visible audit trail may require the use of Computer Assisted Audit Techniques (CAATs) i.e. using the computer as an audit tool. The auditor can use the computer to test- the logic and controls existing within the system, and the records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor. The effectiveness and efficiency of auditing procedure may be enhanced through the use of CAATs. Properly, two common types of CAATs are in vogue, viz., test pack or test data and audit software or computer audit programmes 5. MENTION SOME ITEMS WITH WHICH THE AUDITOR SHOULD BE FAMILIAR TO UNDERSTAND THE COMPUTER: SYSTEM USED BY THE CLIENT. He should be familiar with the following aspects to understand the computer system used by the client. Extent of Computerization: 1



 Nature of Hardware used 2 Nature of Software used 3 Report Generation 6 Operating Methods 4 System Logic 5 6.



  

Areas covered by the computer information system, activities performed by the system, the nature of manual records maintained on a parallel basis, etc. The concept of various input devices, output devices, processing devices, storage devices, inter-connectivity between various nodes through Local Area Network, data-sharing and time-sharing arrangements, etc. Operating environment used i.e. Windows, MS-DOS etc, the nature of application software packages, whether readymade or tailor-made specifically for the Company, etc. Ability to read and understand vario...