Standards that have been WITHDRAWN: PSA 401, Auditing in a Computer Information System Environment PAPS 1001, CIS

Environment Stand-Alone Personal Computers PAPS 1002, CIS Environment On-line Computer Systems PAPS 1003, CIS Environment Database Systems PAPS 1008, Risk Assessments and Internal Control CIS Characteristics and Considerations PAPS 1009, Computer-Assisted Audit Techniques PSA 401 CIS Environment (withdrawn) When the CIS are significant, the auditor is required to obtain an understanding of the CIS environment and whether it may influence the assessment risks. Obtain a sufficient understanding of the INTRODUCTION accounting and internal control systems affected 1. The purpose of this International Standard on by the CIS environment. Auditing (ISA) is to establish standards and Determine the effect of the CIS environment on provide guidance on procedures to be followed the assessment of overall risk and of risk at the when an audit is conducted in a computer account balance and class of transactions level. information systems (CIS) environment. For Design and perform appropriate tests of control purposes of ISAs, a CIS environment exists when and substantive procedures. If specialized skills a computer of any type or size is involved in the are needed, the auditor would seek the assistance processing by the entity of financial information of of a professional possessing such skills, who may significance to the audit, whether that computer is be either on the auditors staff or an outside operated by the entity or by a third party. professional. If the use of such a professional is 2. The auditor should consider how a CIS planned, the auditor should obtain sufficient environment affects the audit. appropriate audit evidence that such work is 3. The overall objective and scope of an audit does adequate for the purposes of the audit, in not change in a CIS environment. However, the accordance with ISA 620, Using the Work of an use of a computer changes the processing, storage Expert. and communication of financial information and PLANNING may affect the accounting and internal control 5. In accordance with ISA 400 Risk Assessments systems employed by the entity. Accordingly, a and Internal Control, the CIS environment may affect: auditor should obtain an understanding of the The procedures followed by the auditor in accounting and internal control systems sufficient obtaining a sufficient understanding of the to plan the audit and develop an effective audit accounting and internal control systems. approach. The consideration of inherent risk and control 6. In planning the portions of the audit which may risk through which the auditor arrives at the risk be affected by the clients CIS environment, the assessment. auditor should obtain an understanding of the The auditors design and performance of tests of significance and complexity of the CIS activities control and substantive procedures appropriate to and the availability of data for use in the audit. meet the audit objective. This understanding would include such matters as: SKILLS AND COMPETENCE The significance and complexity of computer 4. The auditor should have sufficient knowledge of processing in each significant accounting the CIS to plan, direct, supervise and review the application. Significance relates to materiality of work performed. The auditor should consider the financial statement assertions affected by the whether specialized CIS skills are needed in an computer processing. An application may be audit. These may be needed to: considered to be complex when, for example:

 The volume of transactions is such that users would find it difficult to identify and correct errors in processing. The computer automatically generates material transactions or entries directly to another application. The computer performs complicated computations of financial information and/or automatically generates material transactions or entries that cannot be (or are not) validated independently. Transactions are exchanged electronically with other organizations (as in electronic data interchange (EDI) systems) without manual review for propriety or reasonableness. The organizational structure of the clients CIS activities and the extent of concentration or distribution of computer processing throughout the entity, particularly as they may affect segregation of duties. The availability of data. Source documents, certain computer files, and other evidential matter that may be required by the auditor may exist for only a short period or only in machine-readable form. Client CIS may generate internal reporting that may be useful in performing substantive tests (particularly analytical procedures). The potential for use of computer-assisted audit techniques may permit increased efficiency in the performance of audit procedures, or may enable the auditor to economically apply certain procedures to an entire population of accounts or transactions. 7. When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it may influence the assessment of inherent and control risks. The nature of the risks and the internal control characteristics in CIS environments include the following: Lack of transaction trails. Some CIS are designed so that a complete transaction trail that is useful for audit purposes might exist for only a short period of time or only in computer readable form. Where a complex application system performs a large number of processing steps, there may not be a complete trail. Accordingly, errors embedded in an applications program logic may be difficult to detect on a timely basis by manual (user) procedures. Uniform processing of transactions. Computer processing uniformly processes like transactions

with the same processing instructions. Thus, the clerical errors ordinarily associated with manual processing are virtually eliminated. Conversely, programming errors (or other systematic errors in hardware or software) will ordinarily result in all transactions being processed incorrectly. Lack of segregation of functions. Many control procedures that would ordinarily be performed by separate individuals in manual systems may be concentrated in CIS. Thus, an individual who has access to computer programs, processing or data may be in a position to perform incompatible functions. Potential for errors and irregularities. The potential for human error in the development, maintenance and execution of CIS may be greater than in manual systems, partially because of the level of detail inherent in these activities. Also, the potential for individuals to gain unauthorized access to data or to alter data without visible evidence may be greater in CIS than in manual systems. In addition, decreased human involvement in handling transactions processed by CIS can reduce the potential for observing errors and irregularities. Errors or irregularities occurring during the design or modification of application programs or systems software can remain undetected for long periods of time. Initiation or execution of transactions. CIS may include the capability to initiate or cause the execution of certain types of transactions, automatically. The authorization of these transactions or procedures may not be documented in the same way as those in a manual system, and managements authorization of these transactions may be implicit in its acceptance of the design of the CIS and subsequent modification. Dependence of other controls over computer processing. Computer processing may produce reports and other output that are used in performing manual control procedures. The effectiveness of these manual control procedures can be dependent on the effectiveness of controls over the completeness and accuracy of computer processing. In turn, the effectiveness and consistent operation of transaction processing controls in computer applications is often dependent on the effectiveness of general CIS controls.

 Potential for increased management supervision. CIS can offer management a variety of analytical tools that may be used to review and supervise the operations of the entity. The availability of these additional controls, if used, may serve to enhance the entire internal control structure. Potential for the use of computer-assisted audit techniques. The case of processing and analyzing large quantities of data using computers may provide the auditor with opportunities to apply general or specialized computer audit techniques and tools in the execution of audit tests. Both the risks and the controls introduced as a result of these characteristics of CIS have a potential impact on the auditors assessment of risk, and the nature, timing and extent of audit procedures. Assessment of Risk 8. In accordance with ISA 400, Risk Assessments and Internal Control, the auditor should make an assessment of inherent and control risks for material financial statement assertions. 9. The inherent risks and control risks in a CIS environment may have both a pervasive effect and an account-specific effect on the likelihood of material misstatements, as follows: The risks may result from deficiencies in pervasive CIS activities such as program development and maintenance, systems software support, operations, physical CIS security, and control over access to special privilege utility programs. These deficiencies would tend to have a pervasive impact on all application systems that are processed on the computer. The risks may increase the potential for errors or fraudulent activities in specific applications, in specific data bases or master files, or in specific processing activities. For example, errors are not uncommon in systems that perform complex logic or calculations, or that must deal with many different exception conditions. Systems that control cash disbursements or other liquid assets are susceptible to fraudulent actions by users or by CIS personnel. 10. As new CIS technologies emerge, they are frequently employed by clients to build increasingly complex computer systems that may include micro-to mainframe links, distributed data bases, end-user processing, and business management systems that feed information directly into the accounting

systems. Such systems increase the overall sophistication of CIS and the complexity of the specific applications that they affect. As a result, they may increase risk and require further consideration. AUDIT PROCEDURES 11. In accordance with ISA 400, Risk Assessments and Internal Control, the auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level. 12. The auditors specific audit objectives do not change whether accounting data is processed manually or by computer. However, the methods of applying audit procedures to gather evidence may be influenced by the methods of computer processing. The auditor can use either manual audit procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient evidential matter. However, in some accounting systems that use a computer for processing significant applications, it may be difficult or impossible for the auditor to obtain certain data for inspection, inquiry, or confirmation without computer assistance.