Implementing SAS no. 55 in a computer environment; strategies for addressing control risk in entities that use computers to process accounting transactions.
Understanding Statement on Auditing Standards no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, is not easy. Because audit practitioners have raised a number of questions as they try to come to grips with this standard, the control risk task force of the American Institute of CPAs auditing standards board issued a new audit guide to assist auditors in implementing the standard. The audit guide, Consideration of the Internal Control Structure in a Financial Statement Audit, provides both illustrations and discussions of alternative strategies auditors can select in a broad range of audit environments and what needs to be done under each strategy. (For a more detailed discussion of the guide, see JofA, Sept.90, page 107.)
Because the majority of businesses use computers to process significant accounting transactions, the guide contains many examples of the computer processing aspects of an entity's internal control structure. This article summarizes much of the guidance and, in the process, answers some of the most frequently asked questions about how to apply SAS no. 55 in a computerized environment.
For audit practitioners not intimately familiar with computerized environments, it's important to recognize both their weaknesses and their strengths. On one hand, computer systems involve certain basic risks, such as the difficulty of detecting unauthorized changes to data files (although safeguards do exist). There are also certain benefits to computer systems. For example, with consistent use of the same computer program, like transactions will be processed in exactly the same way, and human error won't be a factor.
KNOWLEDGE OF THE INTERNAL
SAS no. 55 says the auditor must gain sufficient understanding of an entity's internal control structure to plan the audit. Exactly what that means will vary based on the facts and circumstances and the audit strategy selected. But in every case, the auditor needs to know enough about the three elements of the control structure--the control environment, the accounting system and control procedures--to recognize the potential for material misstatements that can occur in an assertion and to be able to use that information in designing an effective audit plan. Exhibit 1, page 64, provides some examples of the computer aspects of these three elements.
THE CONTROL ENVIRONMENT
The first element the auditor must understand is the client's control environment. This includes matters such as management's philosophy and operating style, the method of assigning authority and delegating responsibility and the "tone at the top." These factors can have a pervasive effect on other elements of the control structure. In a small organization, the owner-manager sets the tone for the care given to executing and recording transactions. In a larger organization, senior management's attitude determines the care with which lower management levels carry out the entity's plans.
In considering the computer aspects of the control environment, the auditor should focus on such factors as management's involvement in setting and monitoring computer operations policies, testing program changes or controlling access to programs and data files. Obtaining an understanding of these control environment factors may involve inspecting accounting and computer operations manuals and reports, and making inquiries regarding implementation of policies and procedures.
THE ACCOUNTING SYSTEM
An auditor must understand how the computerized accounting system processes significant classes of transactions. This would include
* What computer reports are produced.
* Which computer files are accessed and updated.
* The nature of computer processing, from initiation of a transaction to its inclusion in the general ledger. Different processing methods are subject to different risks of error.
* How data are summarized in the financial reporting process.
* How transactions are converted to machine-readable form.
Computers are often used to summarize information for financial statements and the auditor should understand whether the client has a setup program that specifies how accounts processed by the computer are summarized and included in the financial statements.
How much should the auditor learn about the third element of the control structure--control procedures? Control procedures take on unique characteristics in a computer environment. The guide acknowledges the auditor often learns about certain control procedures while obtaining an understanding of the control environment and accounting system. For example, it's difficult not to learn about such basic control procedures as reconciliation of subsidiary records to general ledger accounts. When an auditor plans to follow a primarily substantive approach to audit a particular assertion, the knowledge of control procedures obtained when examining the control environment and accounting system is usually sufficient to design substantive procedures.
When the auditor plans to assess control risk at a lower level than would be obtained by following a primarily substantive approach, he or she will place more emphasis on understanding and testing control procedures. Although such decisions are a function of strategy, the guide points out two circumstances in which an auditor must understand and test control procedures.
To audit an assertion. In some cases, the auditor isn't able to design substantive tests that will be sufficiently effective to detect a material misstatement. For example, if a nonprofit entity receives a large amount of cash donations, it would be difficult for the auditor to audit the completeness assertion related to cash receipts without understanding and testing the effectiveness of control procedures over incoming cash receipts.
Similarly, if a financial institution engages in futures transactions, the auditor may need to understand and test the control procedures that provide assurance all futures transactions are accounted for. Under these circumstances, the auditor would plan to assess control risk significantly below the maximum and would need to understand and test relevant control procedures.
To plan an audit that isn't unreasonably costly. A client's system is sometimes so complex that taking a substantive approach would be unreasonably expensive: for example, when a company has an electronic data interchange system. The company's computer system is linked to those of its suppliers or customers, and transactions may be automatically initiated by the system. The auditor may find the only reasonable strategy is to obtain an understanding of controls and perform tests on them sufficient to support a lower assessed level of control risk.
While the knowledge the auditor seeks of the three control structure elements is a matter of judgment, SAS no. 55 says the auditor cannot--because of a decision to assess control risk at the maximum--ignore the control structure. Such knowledge is needed to identify the types of potential misstatements and related risks and to design effective substantive tests. Substantive tests are not designed in a vacuum--they must be based on a certain knowledge of the entity's control structure.
USE OF COMPUTER PROCESSING
KNOWLEDGE TO SUPPORT
AN AUDIT STRATEGY
From both an accounting and auditing perspective, the computer has become an important business tool. Few businesses today are able to function without one. As a result, an understanding of the computer-related control environment and accounting system issues illustrated in exhibit 1 is necessary to plan a primarily substantive approach. The guide presents several audit strategies for which varying degrees of understanding and tests of controls are both efficient and effective. These strategies are described below.
PLANNING A PRIMARILY SUBSTANTIVE
When transactions and their processing aren't complicated and substantive tests are economical, the auditor frequently plans a primarily substantive approach to reduce audit risk to an acceptable level. The auditor focuses on the control environment and the accounting system; he rarely sets out to obtain an understanding of control procedures directly or to test their operating effectiveness. However, while focusing on the control environment and the accounting system, the auditor often will learn about some control procedures, including computer procedures.
For example, the auditor might learn the computer keeps track of numerical sequences of sales orders, shipping records and sales invoices and produces a daily report of unmatched transactions (for example, sales orders that have not been shipped and billed). This feature of the computer system, along with the manual follow-up of items on the list, may provide the auditor with some assurance that all sales are recorded. In order for this knowledge to be useful for assessing control risk, the auditor must perform tests of controls. While obtaining the understanding, or subsequently, he may
* Question employees about follow-up procedures. Do items appear on the report on a timely basis? How long does it take for items to clear from the report? How often do items that should have cleared still appear on the report?
* Make corroborating inquiries of salespeople and the shipping department supervisor regarding the accuracy of items listed as exceptions on the report.
* Examine reports to determine that selected items appear on the report and clear from the report on a timely basis.
What can the auditor conclude from these tests? In answering this question, it must be recognized the effectiveness of these controls depends on the effectiveness of both the programs that generated the computer listing and follow-up procedures. While the tests focus primarily on follow-up procedures, they also may provide evidence about the operation of the computer programs themselves. If these tests include corroborating inquiries of client personnel (such as salespeople and shipping department supervisors who are in a position to know whether open sales orders, either individually or as an estimated total number of open orders, should be appearing on the exception reports when they are not), the auditor may draw a conclusion about whether the computer program is operating effectively.
Under these circumstances, could the auditor assess control risk for the completeness assertion related to sales as low? In most cases, such observations, inquiries and limited inspection of documents probably would not support a low assessed level. However, depending on the assertion and the results of the tests of controls, the auditor may be able to assess control risk at a significantly lower level than if those control procedures had not been considered.
PLANNING A LOWER ASSESSED LEVEL
OF CONTROL RISK
Where the auditor plans a lower assessed level of control risk in a computer environment, the following strategies discussed in the guide may be helpful.
Tests of user control procedures. Some clients have control procedures that require personnel essentially to manually verify certain computer operations, thereby checking the completeness and accuracy of the computer output. The guide refers to these controls as user control procedures. For example, to check the completeness of computer processing, users may keep manual record counts of shipments or receipts and compare them with the number of computer-processed records to ensure all such transactions are recorded.
Testing user controls may be an effective alternative to testing procedures the computer performs. However, user control procedures are relatively uncommon in today's business environment. The volume and complexity of computer processing usually doesn't allow for them, and from a client's viewpoint such procedures are generally inefficient compared to other controls. Even if such user procedures are in effect, the auditor will often find other approaches for testing controls are more efficient.
Direct tests of programmed and manual follow-up procedures. Another approach the auditor can consider is to test directly the computer's accounting procedures as well as related manual follow-up procedures. An auditor can, for example, use computer-assisted audit techniques such as test data or parallel simulation to test programmed procedures that produce exception reports. These tests provide direct evidence of the design and operation of programmed procedures, but only for the specific times applied. Accordingly, an auditor would need to perform such tests repeatedly--at various times during the audit, or on data files for a number of dates--to see the effectiveness of the program's operation throughout the period. It can be costly to assess control risk at a low level using this approach.
The auditor also needs to test the procedures for following up on items listed on exception reports. To do this, the auditor could observe and ask employees about the follow-up procedures performed and examine reports and related documentation, as necessary.
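The parallel simulation described above, sketched as an added example (not from the article or the audit guide): the auditor independently recomputes the unmatched-transactions report from the underlying files for several dates and compares it with the report the client's program produced. The record layout, function names and sample data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One date's constructed data files plus the client's own exception report."""
    orders: tuple         # sales order numbers on file
    shipped: tuple        # order numbers that have a shipping record
    invoiced: tuple       # order numbers that have a sales invoice
    client_report: tuple  # order numbers the client's program listed as unmatched


def sequence_gaps(numbers):
    """Return numbers missing from an otherwise consecutive sequence."""
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def simulate_report(snap):
    """Auditor's independent recomputation: orders not yet shipped and billed."""
    shipped, invoiced = set(snap.shipped), set(snap.invoiced)
    unmatched = {}
    for order in sorted(set(snap.orders)):
        checks = (("shipment", order in shipped), ("invoice", order in invoiced))
        missing = [name for name, done in checks if not done]
        if missing:
            unmatched[order] = missing
    return unmatched


def compare(snap):
    """Differences between the simulated report and the client's report."""
    simulated = set(simulate_report(snap))
    client = set(snap.client_report)
    return {
        "omitted_by_client": sorted(simulated - client),  # completeness risk
        "unexpected_on_client": sorted(client - simulated),
        "order_number_gaps": sequence_gaps(snap.orders),
    }


def run_for_period(snapshots):
    """Repeat the test for each date; return only the dates with differences."""
    findings = {}
    for date, snap in sorted(snapshots.items()):
        result = compare(snap)
        if any(result.values()):
            findings[date] = result
    return findings


# Constructed sample data for three dates (not taken from the article).
SNAPSHOTS = {
    "date-1": Snapshot((1001, 1002, 1003, 1004), (1001, 1002, 1003),
                       (1001, 1002), (1003, 1004)),
    "date-2": Snapshot((2001, 2002, 2004), (2001, 2002), (2001,), (2002,)),
    "date-3": Snapshot((3001, 3002), (3001, 3002), (3001, 3002), ()),
}

if __name__ == "__main__":
    for date, result in run_for_period(SNAPSHOTS).items():
        print(date, result)
```

Running the comparison over files for several dates reflects the point that a single run gives evidence only for the time it was applied.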
Tests of computer general controls and manual follow-up procedures. Computer general control procedures influence the effectiveness of other control procedures. This is shown in exhibit 2, below. Specifically, computer general control procedures include controls over
* Program design, testing and implementation.
* Changes to programs.
* Operation of programs and use of data files.
* Access to programs and data files.
Understanding and testing general control procedures can provide an efficient and effective alternative when the auditor needs evidence of the consistent operation of programmed procedures throughout the period. If computer general control procedures operate effectively, there is assurance programmed procedures are designed properly and function consistently throughout the period. Evidence of effective computer general control procedures, combined with evidence of effective follow-up procedures, can support a lower--and even a low--assessed level of control risk.
An auditor could obtain evidence about the effectiveness of computer general control procedures over program development by examining
* Reviews of program change logs.
* Approvals by appropriate user department and data processing personnel.
* Program testing procedures.
* Acceptance of test results.
* Use of transfer and compile logs.
Because effective general control procedures can provide assurance that programs are developed properly and function consistently over time, the combination of tests of general control procedures and tests of manual follow-up procedures often supports a low control-risk assessment.
COMPUTER PROCESSING AND
INTERNAL CONTROL STRUCTURE
The auditor must understand the elements of the client's internal control structure sufficiently to enable him to identify the kinds of potential misstatements that could occur in the financial statements, to assess the risk of material misstatement and to design substantive tests. This includes understanding relevant computer processing. Because the vast majority of audits, even audits of small businesses, are conducted for companies that have significant computer processing of accounting transactions, the auditor must understand that computer processing.
SAS no. 55 and the guide explain that the auditor must understand how transactions are processed through computerized accounting systems. The auditor can take a primarily substantive approach and use evidence gained about design and effectiveness of controls to support assessments of control risk at less than the maximum. Where it's efficient to focus additional audit attention on controls, the guide presents the auditor with a variety of strategies. Implementing SAS no. 55 with the help of the guide requires the practitioner to exercise considerable audit judgment. At the same time, it facilitates more effective and efficient audits.
RICHARD M. STEINBERG, CPA, is a partner of Coopers & Lybrand, New York City. Co-chairman of the American Institute of CPAs control risk audit guide task force, he is chairman of the AICPA task force on consideration of the internal control structure in a computer environment. He also served as chairman of the AICPA task force on the auditor's use of microcomputers and is a member of the AICPA computer audit subcommittee.
RAYMOND N. JOHNSON, CPA, PhD, is a professor of accounting and chairman of the accounting department at Portland State University School of Business, Portland, Oregon. A member of the AICPA task force that developed the control risk audit guide, he is also a member of the board of directors of the Oregon Society of CPAs.