Bca 450


Bca 450: auditing and investigation

Questions
1. Explain what post balance sheet events and post audit client review are
Post balance sheet events review

A post balance sheet event is something that occurs after a reporting period, but before the
financial statements for that period have been issued or are available to be issued. The two types
of post balance sheet events are:

• An event provides additional information about conditions in existence as of the balance
sheet date, including estimates used to prepare the financial statements for that period.
• An event provides new information about conditions that did not exist as of the balance
sheet date.
The post balance sheet events (PBSE) review helps to identify events occurring after the balance
sheet date which may have an implication on the financial statements, and it is the auditor’s
responsibility to perform such a review. An
example illustrating the importance of PBSE review would be the disposal of a building after
year-end at a price significantly below its net book value. Through the enquiry with the
management on significant events that occurred after the balance sheet date and review of
Directors’ meeting minutes, the audit team was made aware of such events and had requested that
an impairment charge be provided for in the financial statements under audit. Had the PBSE
review not been performed, the auditor would not have been aware of the subsequent sale and
would have proceeded to issue a clean report on the financial statements which did not include
this significant impairment provision.
Another example which illustrates the importance of PBSE review relates to review of credit
notes issued after year-end. The audit team, in the course of the review of credit notes issued after
year-end, had identified a credit note issued to a customer for a substantial amount which was
unusual. Through further enquiry with the management, the audit team discovered that the credit
note issued related to a sales discount provided to a distributor for meeting the sales target for the
financial year. It was then that the audit team realized that the management had not made any
provision for such a liability as at the balance sheet date. Further procedures were subsequently
performed by the audit team to assess the pervasiveness of the issue and to evaluate the need for
adjustments in the financial statements.
Post audit client review
All audits with concerns and recommendations require a Post-Audit Review. The post-audit
review process is intended to ensure that management has addressed all recommendations
included in the Audit Report.  The Post-Audit Review takes place soon after the agreed
implementation deadline to which management has committed in the management response.
During the review, Internal Audit tests the effective implementation of each audit
recommendation.  If recommendations have not been satisfactorily addressed, a second Post-
Audit Review is scheduled.

2. State and explain the specific issues which are involved in post balance sheet events
and post audit client review.

Due professional care. In the enforcement cases, auditors failed to exercise due professional
care and to maintain an attitude of professional skepticism. In general, this failure on
the auditors’ part can be found throughout the sanctioned audit engagements.

Applying GAAP. Auditors failed to apply, or incorrectly applied, GAAP pronouncements. Many
of the GAAP violations related to unusual assets with unique accounting valuation issues (often
described in the lower levels of the GAAP hierarchy).

Audit program design. Planning the audit engagement is crucial to its success. Deficiencies in
audit planning are due to failing to:

• Properly assess inherent risk and adjust the audit program accordingly.
• Recognize the heightened risk associated with non-routine transactions.
• Prepare an audit program (or inappropriately reusing one from prior years).

Audit evidence. Deficiencies were due to overreliance on inquiry as a form of audit evidence.
Auditors failed to corroborate management’s explanations or to challenge explanations that were
inconsistent with or refuted by other evidence the auditor had already gathered.
Accounts receivable. Deficiencies in confirming accounts. These deficiencies included:

• Failure to confirm enough receivables.
• Failure to perform alternative procedures when confirmations were not returned or were
returned with material exceptions.
• Problems with sending and receiving confirmation requests (for example, failing to corroborate
confirmations received via fax or allowing the client to mail confirmation requests).

Related parties. The auditor failed to recognize or disclose transactions with related parties.
The auditor was either unaware of the related party or appeared to cooperate in the client’s
decision to conceal a transaction with this party. Such transactions often resulted in inflated asset
values.
3. Describe the advanced aspects of computer auditing

Internal controls in a computer environment


The two main categories are application controls and general controls.
Application controls
These are manual or automated procedures that typically operate at a business process level and
apply to the processing of transactions by individual applications. Application controls can be
preventative or detective in nature and are designed to ensure the integrity of the accounting
records.
Accordingly, application controls relate to procedures used to initiate, record, process and report
transactions or other financial data. These controls help ensure that transactions occurred, are
authorized and are completely and accurately recorded and processed (ISA 315 (Redrafted)).
Application controls apply to data processing tasks such as sales, purchases and wages procedures
and are normally divided into the following categories:
(i) Input controls
Examples include batch control totals and document counts, as well as manual scrutiny of
documents to ensure they have been authorised. An example of the operation of batch controls
using accounting software would be the checking of a manually produced figure for the total
gross value of purchase invoices against that produced on screen when the batch-processing
option is used to input the invoices. This total could also be printed out to confirm the totals
agree.
The most common examples of programmed controls over the accuracy and completeness of input
are edit (data validation) checks, in which the software checks the data fields included on
transactions by performing a:

• reasonableness check, eg net wage to gross wage
• existence check, eg that a supplier account exists
• character check, eg that there are no alphabetical characters in a sales invoice number field
• range check, eg no employee’s weekly wage is more than $2,000
• check digit, eg an extra character added to the account reference field on a purchase
invoice to detect mistakes such as transposition errors during input.

When data is input via a keyboard, the software will often display a screen message if any of the
above checks reveal an anomaly, eg ‘Supplier account number does not exist’.
(ii) Processing controls
An example of a programmed control over processing is a run-to-run control. The totals from one
processing run, plus the input totals from the second processing, should equal the result from the
second processing run. For instance, the beginning balances on the receivables ledger plus the
sales invoices (processing run 1) less the cheques received (processing run 2) should equal the
closing balances on the receivable ledger.
(iii) Output controls
Batch processing matches input to output, and is therefore also a control over processing and
output. Other examples of output controls include the controlled resubmission of rejected
transactions, or the review of exception reports.

(iv) Master files and standing data controls


Examples include one-for-one checking of changes to master files, eg customer price changes are
checked to an authorised list. A regular printout of master files such as the wages master file
could be forwarded monthly to the personnel department to ensure employees listed have
personnel records.
General controls
These are policies and procedures that relate to many applications and support the effective
functioning of application controls. They apply to mainframe, mini-frame and end-user
environments. General IT controls that maintain the integrity of information and security of data
commonly include controls over the following:

• data centre and network operations
• system software acquisition, change and maintenance
• program change
• access security
• application system acquisition, development, and maintenance (ISA 315 (Redrafted))

‘End-user environment’ refers to the situation in which the users of the computer systems are
involved in all stages of the development of the system.

(i) Administrative controls


Controls over ‘data centre and network operations’ and ‘access security’ include those that:

• prevent or detect errors during program execution, eg procedure manuals, job scheduling,
training and supervision; all these prevent errors such as using wrong data files or wrong
versions of production programs
• prevent unauthorised amendments to data files, eg authorisation of jobs prior to
processing, back-up and physical protection of files and access controls such as passwords
• ensure the continuity of operations, eg testing of back-up procedures, protection against
fire and floods.
(ii) System development controls

The other general controls referred to in ISA 315 cover the areas of system software
acquisition, development and maintenance; program change; and application system
acquisition, development and maintenance.
‘System software’ refers to the operating system, database management systems and other
software that increases the efficiency of processing. Application software refers to particular
applications such as sales or wages. The controls over the development and maintenance of
both types of software are similar and include:

• Controls over application development, such as good standards over the system design and
program writing, good documentation, testing procedures (eg use of test data to identify
program code errors, pilot running and parallel running of old and new systems), as well
as segregation of duties so that operators are not involved in program development
• Controls over program changes – to ensure no unauthorised amendments and that changes
are adequately tested, eg password protection of programs, comparison of production
programs to controlled copies and approval of changes by users
• Controls over installation and maintenance of system software – many of the controls
mentioned above are relevant, eg authorisation of changes, good documentation, access
controls and segregation of duties.
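
One way to perform the "comparison of production programs to controlled copies" control, together with the approval of changes by users, is to compare file hashes. This is an added example, not part of the original document; the directory layout, file names and the format of the approved-change register are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_controlled(production, controlled, approved_changes=None):
    """Compare production programs with the controlled copies.

    approved_changes maps a program path to the SHA-256 of a version that users
    approved after the controlled copy was taken (hypothetical register format).
    """
    approved = approved_changes or {}
    prod, ctrl = digest_tree(production), digest_tree(controlled)
    report = {"unauthorised_change": [], "approved_change": [],
              "missing_from_production": sorted(ctrl.keys() - prod.keys()),
              "not_in_controlled_library": []}
    for name in sorted(prod):
        is_approved = approved.get(name) == prod[name]   # exact content was signed off
        if name not in ctrl:
            key = "approved_change" if is_approved else "not_in_controlled_library"
            report[key].append(name)
        elif prod[name] != ctrl[name]:
            key = "approved_change" if is_approved else "unauthorised_change"
            report[key].append(name)
    return report

def demo():
    """Build constructed controlled and production libraries, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ctrl, prod = Path(tmp, "controlled"), Path(tmp, "production")
        files = {"payroll/calc.py": b"rate = 1.0\n", "sales/post.py": b"post()\n",
                 "purchases/pay.py": b"pay()\n"}
        for base in (ctrl, prod):
            for name, body in files.items():
                (base / name).parent.mkdir(parents=True, exist_ok=True)
                (base / name).write_bytes(body)
        (prod / "payroll/calc.py").write_bytes(b"rate = 1.5\n")   # changed, no approval
        (prod / "sales/post.py").write_bytes(b"post(v2)\n")       # changed, approved
        (prod / "purchases/pay.py").unlink()                      # removed from production
        (prod / "purchases/extra.py").write_bytes(b"export()\n")  # never in the library
        approved = {"sales/post.py": hashlib.sha256(b"post(v2)\n").hexdigest()}
        return compare_to_controlled(prod, ctrl, approved)

if __name__ == "__main__":
    for finding, programs in demo().items():
        print(f"{finding}: {programs}")
```

Every entry other than `approved_change` is an exception for the auditor to follow up with the people responsible for program changes.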
Computer-assisted audit techniques

Computer-assisted audit techniques (CAATs) are those featuring the ‘application of auditing
procedures using the computer as an audit tool’ (Glossary of Terms). CAATs are normally
placed in three main categories:

(i) Audit software


Computer programs used by the auditor to interrogate a client’s computer files; used mainly for
substantive testing. They can be further categorised into:

• Package programs (generalised audit software) – pre-prepared programs for which the
auditor will specify detailed requirements; written to be used on different types of
computer systems
• Purpose-written programs – perform specific functions of the auditor’s choosing; the
auditor may have no option but to have this software developed, since package programs
cannot be adapted to the client’s system (however, this can be costly)
• Enquiry programs – those that are part of the client’s system, often used to sort and print
data, and which can be adapted for audit purposes, eg accounting software may have
search facilities on some modules, that could be used for audit purposes to search for all
customers with credit balances (on the customers’ module) or all inventory items
exceeding a specified value (on the inventory module).

Using audit software, the auditor can scrutinise large volumes of data and present results that can
then be investigated further. The software consists of program logic needed to perform most of
the functions required by the auditor, such as:

• select a sample
• report exceptional items
• compare files
• analyse, summarise and stratify data.

The auditor needs to determine which of these functions they wish to use, and the selection
criteria.

(ii) Test data


Test data consists of data submitted by the auditor for processing by the client’s computer system.
The principal objective is to test the operation of application controls. For this reason, the auditor
will arrange for dummy data to be processed that includes many error conditions, to ensure that
the client’s application controls can identify particular problems.
Examples of errors that might be included:

• supplier account codes that do not exist
• employees earning in excess of a certain limit
• sales invoices that contain addition errors
• submitting data with incorrect batch control totals.

Data without errors will also be included to ensure ‘correct’ transactions are processed properly.

Test data can be used ‘live’, ie during the client’s normal production run. The obvious
disadvantage with this choice is the danger of corrupting the client’s master files. To avoid this,
an integrated test facility will be used (see other techniques below). The alternative (dead test
data) is to perform a special run outside normal processing, using copies of the client’s master
files. In this case, the danger of corrupting the client’s files is avoided – but there is less assurance
that the normal production programs have been used.
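
The edit checks listed under input controls and the test data technique described above can be shown together: a set of programmed checks, and an auditor's test deck that confirms each error condition is rejected. This is an added example, not code from the original document or from any audit package; the modulus-11 check-digit scheme, account codes, field names and test deck are constructed assumptions, and only the $2,000 weekly wage limit comes from the text.

```python
from decimal import Decimal as D

SUPPLIERS = {"123455", "100013"}   # constructed master file; last character is the check digit
WEEKLY_WAGE_LIMIT = D("2000")      # range limit quoted in the text

def is_numeric(s):
    return s.isascii() and s.isdigit()

def mod11_digit(base):
    """Assumed scheme: weighted modulus-11 check digit, with 'X' standing for 10."""
    total = sum(int(ch) * w for w, ch in enumerate(reversed(base), start=2))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)

def check_invoice(inv):
    """Return the names of the edit checks a purchase invoice fails."""
    errors = []
    if not is_numeric(inv["invoice_no"]):
        errors.append("CHARACTER")
    acct = inv["supplier"]
    if not is_numeric(acct[:-1]) or mod11_digit(acct[:-1]) != acct[-1]:
        errors.append("CHECK_DIGIT")      # mis-keyed reference, eg transposed digits
    elif acct not in SUPPLIERS:
        errors.append("EXISTENCE")        # well-formed reference, but no such account
    if inv["net"] + inv["tax"] != inv["gross"]:
        errors.append("ADDITION")
    return errors

def check_wage(w):
    """Return the names of the edit checks a weekly wage record fails."""
    errors = []
    if not D("0") < w["gross"] <= WEEKLY_WAGE_LIMIT:
        errors.append("RANGE")
    if not D("0") < w["net"] <= w["gross"]:
        errors.append("REASONABLENESS")
    return errors

def batch_total_agrees(invoices, control_total):
    """Batch control: the manually produced gross total must equal the computed one."""
    return sum((i["gross"] for i in invoices), D("0")) == control_total

def invoice(supplier, number, net, tax, gross):
    return {"supplier": supplier, "invoice_no": number,
            "net": D(net), "tax": D(tax), "gross": D(gross)}

# Auditor's test deck (constructed dummy data): case, record, rejections the auditor expects.
TEST_DECK = [
    ("valid invoice", invoice("123455", "000417", "100.00", "20.00", "120.00"), []),
    ("supplier does not exist", invoice("100021", "000418", "50.00", "10.00", "60.00"), ["EXISTENCE"]),
    ("transposed account digits", invoice("124355", "000419", "50.00", "10.00", "60.00"), ["CHECK_DIGIT"]),
    ("letter in invoice number", invoice("123455", "00O420", "50.00", "10.00", "60.00"), ["CHARACTER"]),
    ("addition error", invoice("100013", "000421", "100.00", "20.00", "130.00"), ["ADDITION"]),
    ("valid wage", {"gross": D("1500"), "net": D("1100")}, []),
    ("wage over limit", {"gross": D("2500"), "net": D("1800")}, ["RANGE"]),
    ("net exceeds gross", {"gross": D("900"), "net": D("950")}, ["REASONABLENESS"]),
]

def run_test_deck():
    """Process the deck; return every case where a control did not respond as predicted."""
    exceptions = []
    for case, record, expected in TEST_DECK:
        actual = check_invoice(record) if "supplier" in record else check_wage(record)
        if actual != expected:
            exceptions.append((case, expected, actual))
    clean = [rec for _, rec, exp in TEST_DECK if "supplier" in rec and not exp]
    if batch_total_agrees(clean, D("999.99")):    # deliberately wrong control total
        exceptions.append(("incorrect batch control total", "rejected", "accepted"))
    return exceptions

if __name__ == "__main__":
    print(run_test_deck() or "all controls responded as the auditor predicted")
```

An empty result means every error condition was rejected and the error-free records were accepted; any returned entry is a control weakness to investigate.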

(iii) Other techniques


There are increasing numbers of other techniques that can be used; the main two are:

• Integrated test facility – used when test data is run live; involves the establishment of
dummy records, such as departments or customer accounts to which the dummy data can
be processed. They can then be ignored when client records are printed out, and reversed
out later.
• Embedded audit facilities (embedded audit monitor) – also known as resident audit
software; requires the auditor’s own program code to be embedded into the client’s
application software. The embedded code is designed to perform audit functions and can
be switched on at selected times or activated each time the application program is used.
Embedded facilities can be used to:
– Gather and store information relating to transactions at the time of processing for
subsequent audit review; the selected transactions are written to audit files for subsequent
examination, often called system control and review file (SCARF)
– Spot and record (for subsequent audit attention) any items that are unusual; the
transactions are marked by the audit code when selection conditions (specified by the
auditor) are satisfied. This technique is also referred to as tagging.

The attraction of embedded audit facilities is obvious, as it equates to having a perpetual
audit of transactions. However, the set-up is costly and may require the auditor to have an
input at the system development stage. Embedded audit facilities are often used in real
time and database environments.
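
An embedded audit module that tags transactions and writes them to a SCARF can look like the following. This is an added example, not code from the original document; the class, selection conditions, thresholds and transactions are constructed, and the hash chaining of SCARF entries is an extra assumption beyond the text, included so that later alteration of the audit file is detectable.

```python
import hashlib
import json

class EmbeddedAuditModule:
    """Auditor's code resident in the client's application (hypothetical design)."""

    def __init__(self, conditions):
        self.conditions = conditions   # tag name -> selection test specified by the auditor
        self.enabled = True            # lets the auditor switch the module on at selected times
        self.scarf = []                # system control and review file

    def observe(self, txn):
        """Called by the application for each transaction at the time of processing."""
        if not self.enabled:
            return []
        tags = [name for name, test in self.conditions.items() if test(txn)]
        if tags:                       # tagging: only selected items reach the SCARF
            prev = self.scarf[-1]["hash"] if self.scarf else "0" * 64
            entry = {"txn": dict(txn), "tags": tags, "prev": prev}
            entry["hash"] = self._digest(entry)
            self.scarf.append(entry)
        return tags

    @staticmethod
    def _digest(entry):
        body = {k: entry[k] for k in ("txn", "tags", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def scarf_intact(self):
        """Assumed extra: entries are chained, so an edited or removed entry breaks the chain."""
        prev = "0" * 64
        for entry in self.scarf:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True

APPROVED_PAYEES = {"ACME LTD", "NORTH SUPPLY"}   # constructed standing data

CONDITIONS = {   # auditor-specified selection conditions (constructed thresholds)
    "large_amount": lambda t: t["amount"] >= 10000,
    "unknown_payee": lambda t: t["payee"] not in APPROVED_PAYEES,
    "outside_hours": lambda t: not 8 <= t["hour"] < 18,
}

def post_payment(ledger, txn, audit):
    """Client application code: the audit hook runs inside normal processing."""
    audit.observe(txn)
    ledger[txn["payee"]] = ledger.get(txn["payee"], 0) + txn["amount"]

def demo():
    """Process one day of constructed transactions through the application."""
    audit, ledger = EmbeddedAuditModule(CONDITIONS), {}
    day = [
        {"id": 1, "payee": "ACME LTD", "amount": 450, "hour": 10},
        {"id": 2, "payee": "ACME LTD", "amount": 12500, "hour": 11},
        {"id": 3, "payee": "QUICK CASH", "amount": 900, "hour": 23},
        {"id": 4, "payee": "NORTH SUPPLY", "amount": 300, "hour": 15},
    ]
    for txn in day:
        post_payment(ledger, txn, audit)
    return audit, ledger

if __name__ == "__main__":
    audit, _ = demo()
    for entry in audit.scarf:
        print(entry["txn"]["id"], entry["tags"])
    print("SCARF intact:", audit.scarf_intact())
```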

Impact of computer-based systems on the audit approach


The fact that systems are computer-based does not alter the key stages of the audit
process; this explains why references to the audit of computer-based systems have been
subsumed into ISAs 300, 315 and 330.
(i) Planning
The Appendix to ISA 300 (Redrafted) states ‘the effect of information technology on the
audit procedures, including the availability of data and the expected use of computer-assisted
audit techniques’ as one of the characteristics of the audit that needs to be
considered in developing the overall audit strategy.

(ii) Risk assessment


‘The auditor shall obtain an understanding of the internal control relevant to the audit.’
(ISA 315 (Redrafted))
The application notes to ISA 315 identify the information system as one of the five
components of internal control. It requires the auditor to obtain an understanding of the
information system, including the procedures within both IT and manual systems. In other
words, if the auditor relies on internal control in assessing risk at an assertion level, s/he
needs to understand and test the controls, whether they are manual or automated. Auditors
often use internal control evaluation (ICE) questions to identify strengths and weaknesses
in internal control. These questions remain the same – but in answering them, the auditor
considers both manual and automated controls.
For instance, when answering the ICE question, ‘Can liabilities be incurred but not
recorded?’, the auditor needs to consider manual controls, such as matching goods
received notes to purchase invoices – but will also consider application controls, such as
programmed sequence checks on purchase invoices. The operation of batch control totals,
whether programmed or performed manually, would also be relevant to this question.

(iii) Testing
‘The auditor shall design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.’ (ISA 330 (Redrafted))
This statement holds true irrespective of the accounting system, and the auditor will
design compliance and substantive tests that reflect the strengths and weaknesses of the
system. When testing a computer information system, the auditor is likely to use a mix of
manual and computer-assisted audit tests.
4. How has computer auditing made auditors effective and efficient?
a) It speeds up the verification of financial and non-financial output, so that errors are
detected quickly and can be corrected instantly, compared with manual operation.
b) Electronic operation helps the auditor to use analysis techniques such as comparisons and
ratios, and produces indicators and parameters that help in monitoring and evaluating
performance quickly.
c) Electronic data operation helps the auditor to apply the internal and external information
network systems in the control of the internal and external branches of the enterprise.
d) The auditor can use advanced operations research methods in analysis and evaluation and
in the presentation of reports, such as statistical analysis, means of control, self-control,
statistical sampling and systems analysis.
e) Electronic operation speeds up the retrieval of data and information stored in the memory
of the computer or on memory modules and storage, which makes it possible to review some
of the observations.
f) The auditor is assisted in using the computer's capabilities to carry out audits by
establishing audit programs, which may be ready-made programs, programs prepared for a
particular purpose or programs

5. Explain challenges faced in computer auditing


a) Risks associated with the disappearance of paper documents: with e-commerce, accounting
data is now tidy and unreadable, with the attendant risk that fraud and manipulation are
easy to commit and difficult to detect. In addition, the data can be affected by errors, by a
defect in the entry process or in main memory, or by incorrect operation in the absence of
effective oversight procedures.
b) Risks associated with the audit trail: under electronic data processing, the original
documents are absent after the initial input because they are disposed of, and processing
cannot be observed because it takes place inside the computer; this precludes good
supporting evidence for scrutiny. These risks include errors in the transfer process, the
vocabulary of the system
c) Risks associated with the protection of information: these risks extend to the possibility
of data theft, or of entry into programs in order to achieve personal benefits or to exploit
this information against the unit represented by
d) Risks for both the seller and the buyer: such as dealing with fake companies and the use of
counterfeit cards, due to the weakness of the internal control system and its failure to keep
up with subsequent developments.
e) Risks associated with computer viruses: computer viruses cause many problems in data and
programs, as they are used to destroy part of the software so that it cannot be recovered.
f) Risk of impersonation: the low cost of building a website and the ease of copying website
pages make it very easy to build illegal sites that imitate the interface of real sites, fooling
visitors into giving their personal information and credit card details in the belief that
these are the sites of respectable companies.
6. Challenges faced by an audit committee
a) Legislative and regulatory requirements
Public sector entities operate within a unique regulatory framework with a number of pieces of
legislation and regulations that need to be complied with.
The terms of reference of a public sector audit committee do not always clearly define the
requirements of the audit committee in relation to the entity’s environment.

b) Role clarity
Accountability, role clarity and reporting lines are not always clear in the public sector (with
regard to the shareholder, the “directors” and management as applicable in the private sector).
The manner in which some public sector entities are structured makes this a specific challenge.
For example, in the case of public entities, the accounting authority is seen as the board; however,
the minister is involved in the appointment of the audit committee with the board. This
appointment process may create some uncertainty as to direct reporting lines; however, there
should be reporting to both parties.
The roles of the audit committees and other committees, such as the finance committee, risk
committee (where separate), municipal public accounts committee and performance committee,
should be clarified to minimize overlap and promote the effective use of these structures.
c) Independence
The independence of the audit committee may be impaired due to previous/current relationships
of audit committee members or the audit committee as a whole and political standing, among
other factors.
d) Knowledge, skills and experience
The requirements of the legislative environment for public sector audit committees make the
composition of audit committees an essential consideration. Members need to have sufficient
knowledge, skills and experience in a number of fields. The audit committee should collectively
have an understanding of integrated reporting (including financial reporting), internal financial
controls, the external and internal audit process, corporate law, risk management, sustainability
issues, information technology governance and the governance processes in the organization.
Added to that is the public sector specific knowledge required about matters such as performance
management, risk management and compliance with laws and regulations.
The difficulty in attracting a pool of suitable persons to serve on the public sector audit
committees is another challenge in the public sector.
Other matters that require attention are the remuneration of committee members and political
influence in the appointment process.
e) Commitment
Adequate dedication and commitment on the part of members and proper preparation for
meetings, reading documents prior to meetings, follow-up procedures and attendance of and
participation in meetings are not receiving sufficient attention.
f) Lack of support from management
The audit committee is sometimes unable to evaluate situations due to the absence of quality
information which should be made available by management. The audit committee therefore
cannot fulfill all its responsibilities.
7. What is the rationale of having an audit committee?
a) Oversee the hiring of the auditors, including communicating with the auditors regarding
the audit process, timing, issues, etc.
b) Assess business and fraud risk for the organization and determine plans to address these
risks;
c) Monitor accounting policies;
d) Monitor the internal control process;
e) Establish policies to prevent fraud, including developing a whistleblower policy.