|
|
This is only a preview of the paper
Click here to register and get the full text.
Existing members click here to login
|
|
|
...
An EDP environment is defined in International Standard on Auditing (ISA) 15, Auditing in an EDP environment, as follows:
“For purpose of International Standards on Auditing, an EDP environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.”
Companies, regulators and the business world in general has turned to the auditing profession for the development of strategies and procedures to assess the reasonableness of the information provided by these electronic systems and the controls used by companies to make sure that such information is reliable and accurate. As a result a new breed of auditors has emerged within the traditional financial auditing profession; the EDP auditor.
What is EDP Auditing?
First it was called EDP Audit, then IS Audit, and now IT Audit. In the early days of EDP Audit the mission was to bring management’s attention and control to the technically oriented world of data processing. In those days the EDP Auditors were the management control generalists who understood the basics of information systems, and the Data Processing Managers were frequently the technicians who unfortunately often did not understand the basics of business management.
EDP Auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources effectively. ...
The EDP audit function developed as a result of the need to provide general management with independent, unbiased reviews and assessments of information technology applications throughout the business. Thus, the main objective of auditing a computer-assisted organization is to ensure that the data processing functions are in accordance with corporate goals and that internal controls are adequate. ... Advances in technology gave the EDP Auditors more to be concerned about; as basic management and operational controls were now dependent on implementation of specific technical controls, and the computing environment became more complex. And as technology became more "technical", EDP Auditors became convinced that they should be "technical" as well, and began the perpetual struggle to try to keep up with emerging technology advances.
In order to understand the EDP audit concept and all it involves we must first establish: What is an audit? ... “An audit is the independent examination of financial info of any entity, whether profit oriented or not, and irrespective of its size, or legal form, when such an examination is conducted with a view to expressing an opinion thereon… Compliance with the basic principles requires application of auditing procedures and reporting practices appropriate to the particular circumstances.”
Overall scope and objective of audit does not change in an EDP environment, it may change the organization and procedures employed by the entity to achieve adequate internal control. ...
An EDP environment exists when a computer of any type or size is involved in the processing by the entity of financial info of significance to the audit, whether that computer is operated by the entity or by a 3rd party.
The EDP Auditor
The EDP auditor needs an understanding of computer hardware, software and processing systems to plan and understand how EDP affects the study and evaluation of internal control and application of procedures. He also needs sufficient knowledge of EDP to implement these procedures and to direct, supervise and review the work of assistants or obtain reasonable assurance that the work performed by other auditors or experts is adequate.
In order to perform effectively EDP auditors must understand their role within the company’s organizational structure and operations, have a clear understanding of the audit objectives and have extensive knowledge of the systems. ... EDP auditors must be able to use the latest audit tools and methodologies and understand the current technological developments in equipment, communication, and software.
In general the EDP Auditor is responsible for evaluating the effectiveness of controls in computerized and related manual systems, either operating or in development and must have a clear understanding of what a control is, know what the basic types of controls are, understand how control objectives should be formulated, and have a conceptual definition of a system of internal control.
There are many types of reviews performed by an EDP auditor. ...
Principal functions, duties and responsibilities of an EDP auditor are:
1. Gather information about the EDP environment relevant to the audit plan ie. how EDP function is organized, hardware and software used, significant applications processed by the computer, nature of processing, and data retention policies, planned implementation of new applications or revisions to existing applications. ... Consider matters such as: determining the degree of reliance he expects to place on the EDP controls, how where and when the EDP function will be reviewed, planning auditing procedures using the computer-assisted audit techniques. ... If going to rely on internal controls, must consider manual and computer controls affecting the EDP function and specific controls over the relevant accounting applications. ... 2) timing of auditing procedures may be affected because data may not be retained by computer files 3) may improve the effectiveness and efficiency of procedures. ...
EDP Audit Approach
An EDP audit approach is based on a traditional financial audit, so therefore they are both very similar. ...
Internal auditors are company employees who are dedicated to auditing company processes and areas. ... EDP Audit is an area within the Internal Audit function. The internal EDP auditor’s function is to monitor the adequacy, effectiveness, and efficiency of a company’s operations. The internal auditors are concerned with the data processing functions and its internal controls while external EDP auditors are concerned only with the internal control. ... Thus, the external EDP auditor looks at the data processing function to determine whether sufficient controls exist. ...
Whether internal or external the EDP auditor must first understand the nature of the company and its business by examining organization charts, annual reports, marketing brochures, and so on. ... Finally, the EDP auditor must determine the role the computer plays by obtaining key job descriptions, systems flowcharts, systems and programming standards manuals, hardware and software configurations, and the current status of key projects.
An EDP auditor must focus on identifying the types of internal controls used by the organization in their data-processing environment. ... The two general types of EDP controls are basic controls and supporting controls. ...
Once the EDP auditor understands the systems as defined, he or she must evaluate the internal controls with two purposes in mind. ... The long-range plan should define the direction of the EDP auditing efforts, as well as identify major projects to be undertaken. ...
The Use of EDP Audit Approaches and Tools
Data processing is a highly complex and technical filed, and to audit it effectively will require the use of specialized audit approaches and tools. First, it is necessary to consider the major types of EDP audits and activities:
· Functional or Data Center Audits are operational or control-type audits of the total environment of the data-processing function. ... This allows the EDP audit department to test independently user operations and computer-maintained records. ...
There are also various techniques used to perform an audit test in an EDP environment:
· Test data Method – this method entails running a computer application in a test environment using a test data. ...
Potential EDP Auditing Problems
While early EDP Auditors achieved success in meeting their objectives, the current generation of "technology auditors" now chase a faster and more elusive target. ...
None of the issued guidance, neither SAS 48 nor newly issued SAS 55, "Consideration of Internal Control Structure in A Financial Statement Audit," require the auditor to rely on computer-based controls (controls that exist in machine readable format only; “programmed procedures”) even in an EDP environment. ...
The auditor might also choose to test and rely on user controls that are designed to control the quality of EDP processed data. ...
In an environment in which accounting data is processed by computer, controls should exist in one of two forms: 1) user controls, or 2) EDP controls. User controls are entirely independent of the EDP process and are manually performed by groups using the EDP output. ...
EDP-based controls rely on the existence of: 1) programmed control procedures, and 2) the manual follow-up of computer exception reports. ...
The auditor in an EDP environment should recognize that although the components of EDP control function independently of one another, no single component of an EDP control can be relied upon to prevent or detect errors without the effective operation of the others. Furthermore, if the auditor fails to properly distinguish between user controls and the manual follow-up component of an EDP control, improper audit design will likely result. This mistake is easily made because both user controls and the manual component of an EDP control normally involve manual procedures. ...
Costs of the EDP Audit Function
Since EDP Audit is a relatively new field companies are still in the process of developing the audit function within their organizations. Establishing an EDP audit function can be a complex, time consuming and very expensive process. After an initial assessment of the entity’s technological complexity and dependency on this technology is made the extent of EDP audit needed can be determined. ...
Based on the assessment management must then establish the need for EDP audit based on identified risks and to what extent they wish to maintain internal controls. ...
Companies need to evaluate many factors in selecting the course of action to establish a cost-effective EDP function.
Approximate Word count = 7921
Approximate Pages = 31.7
(250 words per page double spaced)
|
|
|
|
|
|