As we discussed in Section 3, auditors are concerned with application controls and general controls. These are inter-related. Strong general controls contribute to the assurance which may be obtained by an auditor in relation to application controls. On the other hand, unsatisfactory general controls may undermine strong application controls or exacerbate unsatisfactory application controls. The draft version of the auditing guideline Auditing in a computer environment contained useful appendices identifying typical, and desirable, application and general controls.

The following points will particularly influence the auditors' approach.

(a) Before auditors place reliance on application controls which involve computer programs, they need to obtain reasonable assurance that the programs have operated properly, by evaluating and testing the effect of relevant general controls or by other tests on specific parts of the programs.

(b) Sometimes a programmed accounting procedure may not be subject to effective application controls. In such circumstances, in order to put themselves in a position to limit the extent of substantive procedures, the auditors may choose to perform tests of controls by testing the relevant general controls either manually or by using CAATs, to gain assurance of the continued and proper operation of the programmed accounting procedure.

(c) In a computer environment there is the possibility of systematic errors. This may take place because of program faults or hardware malfunction in computer operations. However, many such potential recurrent errors should be prevented or detected by general controls over the development and implementation of applications, the integrity of the program and data files, and of computer operations.

(d) The extent to which the auditors can rely on general controls may be limited because many of these controls might not be evidenced, or because they could have been performed inconsistently.
In such circumstances, which are particularly common where small computers are involved, the auditors may obtain assurance from tests on manual application controls or by tests on specific parts of the programs.

Management policy

It is important for management to have a clear overall policy on the use of computers. A policy statement should include the following:

- Commitment to information security
- Specific procedures, including passwords, data protection and distribution of information
- Legal requirements (data protection legislation) and licensing agreements
- Overall supervision by senior management
- Consequences of disobeying rules

A policy statement is of particular importance if users are operating on personal computers. Instructions should include policies on:

- environmental protection
- security
- anti-virus checks
- training
- documentation standards
- error correction procedures
- back-up procedures

Examples of application controls