
Transcript of Chapter 22: Auditing In A Computer Information Systems (CIS) Environment
Auditing In A Computer Information Systems (CIS) Environment Auditors will audit around the
computer by reviewing and examining source documents or input and checking the final output
based on those documents. As computer systems became more fully integrated and the volume
of transactions increased, it became increasingly difficult to audit around the computer because
much of the audit trail was lost within the computer. The auditor then investigates the data
processing system by feeding the computer with hypothetical transactions covering all the types
of situations in which the auditor is instructed and ascertaining that the answers produced are
correct and that wrong data are rejected. If the system is satisfactorily controlled, the auditor relies upon the
system and infers that the financial accounting information processed by the system is correct.
This indicates that the audit procedures have changed to adapt to the increasing computer
environment. Introduction The overall objective and scope of an audit does not change in a CIS
environment, but the use of a computer changes the processing, storage and communication of
financial information and this may affect the accounting and internal control systems employed
by the entity. Effects of Computers on the Audit Process The inherent risks and control risks in a
CIS environment may have both a pervasive effect and an account-specific effect on the
likelihood of material misstatements, as follows Assessment of Risk There are many techniques
which auditors can use to audit through the computer to test EDP applications. Some of the more
common techniques are described below. Audit Techniques Using Computers The level of skills
and knowledge required to understand the effect of e-commerce on the audit will vary with the
complexity of the entity’s e-commerce activities. The auditor considers whether the personnel
assigned to the engagement have appropriate IT and Internet business knowledge to perform the
audit. Skills and Knowledge Risk Identification In auditing in a CIS environment, the auditor
focuses upon the adequacy of controls over transactions, not upon the transactions themselves, as
in manual systems.

A CIS environment may affect:
- procedures followed by the auditor in obtaining a sufficient understanding of the accounting
and internal control systems.
- consideration of inherent risk and control risk through which the auditor arrives at the risk
assessment.
- auditor's design and performance of tests of control and substantive procedures appropriate to
meet the audit objective.

The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and review the
work performed. The auditor should consider whether specialized CIS skills are needed in an audit.
These may be needed to:
- Obtain a sufficient understanding of the accounting and internal control systems affected by the
CIS environment.
- Determine the effect of the CIS environment on the assessment of overall risk and of risk at the
account balance and class of transactions level.
- Design and perform appropriate tests of control and substantive procedures.

If specialized skills are needed, the auditor would seek the assistance of a professional
possessing such skills, who may be either on the auditor's staff or an outside professional. If the
use of such professional is planned, the auditor should obtain sufficient appropriate audit
evidence that such work is adequate for the purposes of the audit, in accordance with PSA 620,
"Using the Work of an Expert." In accordance with PSA 315 (Redrafted), "Identifying and
Assessing the Risk of Material Misstatements Through Understanding the Entity and Its
Environment," the auditor should obtain an understanding of the accounting and internal control
systems sufficient to plan the audit and develop an effective audit approach. Planning In
planning the portions of the audit which may be affected by the client's CIS environment, the
auditor should obtain an understanding of the significance and complexity of the CIS activities
and the availability of data for use in the audit.
1. The significance and complexity of computer processing in each significant accounting
application. Significance relates to materiality of the financial statement assertions affected by
the computer processing. An application may be considered to be complex when, for example:
- the volume of transactions is such that users would find it difficult to identify and correct
errors in processing.
- the computer automatically generates material transactions or entries directly to another
application.
- transactions are exchanged electronically with other organizations (as in Electronic Data
Interchange (EDI) Systems) without manual review.
2. The organization structure of the client's CIS activities and the extent of concentration or
distribution of computer processing throughout the entity, particularly as they may affect
segregation of duties.
3. The availability of
data. Source documents, certain computer files, and other evidential matter that may be required
by the auditor may exist for only a short period or only in machine-readable form. Client CIS
may generate internal reporting that may be useful in performing substantive tests. The potential
for use of computer-assisted audit techniques may permit increased efficiency in the performance
of audit procedures, or may enable the auditor to economically apply certain procedures to an
entire population of accounts or transactions. When the CIS are significant, the auditor should
also obtain an understanding of the CIS environment and whether it may influence the
assessment of inherent and control risks. The nature of the risks and the internal control
characteristics in CIS environments include the following:

1. Lack of transaction trails.
Some CIS are designed so that a complete transaction trail that is useful for audit purposes might
exist for only a short period of time or only in computer readable form. Where a complex
application system performs a large number of processing steps, there may not be a complete trail.
Accordingly, errors embedded in an application's program logic may be difficult to detect on a
timely basis by manual procedures.

2. Uniform processing of transactions.
Computer processing uniformly processes like transactions with the same processing instructions.
The clerical errors ordinarily associated with manual processing are virtually eliminated.
Conversely, programming errors will ordinarily result in all transactions being processed
incorrectly.

3. Lack of segregation of functions.
Many control procedures that would ordinarily be performed by separate individuals in manual
systems may be concentrated in CIS. An individual who has access to computer programs, processing
or data may be in a position to perform incompatible functions.

4. Potential for errors and irregularities.
The potential for human error in the development, maintenance, and execution of CIS may be greater
than in manual systems, partially because of the level of detail inherent in these activities. The
potential for individuals to gain unauthorized access to data or to alter data without visible
evidence may be greater in CIS than in manual systems. In addition, decreased human involvement in
handling transactions processed by CIS can reduce the potential for observing errors and
irregularities. Errors or irregularities occurring during the design or modification of
application programs or systems software can remain undetected for long periods of time.

1. Initiation or execution of transactions.
CIS may include the capability to initiate or cause the execution of certain types of
transactions, automatically. The authorization of these transactions or procedures may not be
documented in the same way as those in a manual system, and management's authorization of these
transactions may be implicit in its acceptance of the design of the CIS and subsequent
modification.

2. Dependence of other controls over computer processing.
Computer processing may produce reports and other output that are used in performing manual
control procedures. The effectiveness of these controls over the completeness and accuracy of
computer processing. In turn, the effectiveness and consistent operation of transaction processing
controls in computer applications is often dependent on the effectiveness of general CIS controls.

3. Potential for increased management supervision.
CIS can offer management a variety of analytical tools that may be used to review and supervise
the operations of the entity. The availability of these additional controls, if used, may serve to
enhance the entire internal control structure.

4. Potential for the use of computer-assisted audit techniques.
The ease of processing and analyzing large quantities of data using computers may provide the
auditor with opportunities to apply general or specialized computer audit techniques and tools in
the execution of audit tests.

5. Both the risks and the controls introduced as a result of these characteristics of CIS have
potential impact on the auditor's assessment of risk, and the nature, timing and extent of audit
procedures. The risk may result from deficiencies in pervasive
CIS activities such as program development and maintenance, systems software support,
operations, physical CIS security, and control over access to networks, operating systems,
programming and databases. These deficiencies would tend to have a pervasive impact on all
application systems that are processed on the computer. The risks may increase the potential for
errors or fraudulent activities in specific applications, in specific databases or master files, or in
specific processing activities. For example, errors are not uncommon in systems that perform
complex logic or calculations, or that must deal with many different exception conditions.
Systems that control cash disbursements or other liquid assets are susceptible to fraudulent
actions by users or by CIS personnel. As new CIS technologies emerge, they are frequently
employed by clients to build increasingly complex computer systems that may include internal /
external / intranet technologies, distributed data bases, end-user processing, and business
management systems that feed information directly into the accounting systems. Such systems
increase the overall sophistication of CIS and the complexity of the specific applications that
they affect. As a result, they may increase risk and require further consideration. The auditor's
specific audit objectives do not change whether accounting data is processed manually or by
computer. However, the methods of applying audit procedures to gather evidence may be
influenced by the methods of computer processing. The auditor can use either manual audit
procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient
evidential matter. However, in some accounting systems that use a computer for processing
significant applications, it may be difficult or impossible for the auditor to obtain certain data for
inspection, inquiry, or confirmation without computer assistance.

Audit Clients Using Computer Information Systems (CIS)

The audit procedures applicable to evaluating the internal controls in CIS systems are:

A. Review of the System
If a client uses CIS, the auditor must be capable of understanding the entire system to evaluate
the client's internal control. The auditor's primary concern therefore is to determine whether the
system provides reasonable assurance that errors and irregularities have been and will be
prevented or detected on a timely basis by employees in the course of their normal activities.

B. Compliance Testing of CIS Controls
After reviewing the CIS controls, the auditor attempts to gather evidence to provide reasonable
assurance that the prescribed controls are functioning properly. Depending upon the sophistication
of the EDP equipment, the nature of the system, the adequacy of the audit trail and the audit
objectives, the auditor chooses either:

1.) Auditing around (without using) the computer
- The auditor does not use the computer to perform tests, select samples, etc. If there is an
adequate audit trail, the auditor can do the following:
a.) Examine for evidence of controls, i.e., error logs, batch control records, etc.
b.) Trace transactions using printouts to follow input documents through to final report.
c.) Process sample transactions manually, process a batch of transactions and compare with the
printouts.

2.) Audit through (with the use of) the computer
Computers are useful in performing the audit. The auditor can use a computer program (provided by
the client or prepared by the auditor) to examine data files and perform many of the clerical
tasks previously performed by a junior auditor. Because of the speed of the computers these tests
can sometimes be performed for an entire file rather than for only a sample of transactions. Many
auditors have generalized computer audit packages which will run on most computers and perform
many audit tasks.

C. Substantive Testing of Computer-based Records
Substantive testing, like compliance testing, can be performed either with or without the use of
the computer.

1. Substantive testing without using the computer
Printouts are used to test the correctness of accounts and as a basis from which samples will be
selected for further testing or confirmation.

2. Substantive testing with the use of (through) a computer
The auditor uses a program written to gain access to the computer-based records. Once access has
been achieved, the auditor can use the computer to perform those procedures which are clerical in
nature. Sources of programs are:
a. Auditor written programs
- Specifically written to client's files.
b. Auditee Programs
- Coded by the company's own programmer to meet the auditor's needs. This will require
additional precautions on the part of the auditor.
c. Utility Programs
- Provided by software vendors and used to obtain data.
d. Generalized computer audit programs
- These programs offer audit-oriented functions for use in accessing and testing records.

A. Audit Software
The auditor may use various types of software on either microcomputers or mainframe computers.
For example, auditors often use microcomputer electronic spreadsheets to prepare working trial
balances, lead, and other schedules. Such spreadsheets may significantly simplify the
computational aspects of tasks such as incorporating adjustments and reclassifications on a
worksheet. Three other types of software may be used on either a microcomputer or a mainframe
computer: generalized audit software, system utility software, and customized (written specially
for one client) audit programs. Generalized audit software is used most frequently because it
allows the auditor to access various client's computer files.

Some of the audit procedures that may be performed by generalized audit software include:
1. Testing client calculations
2. Making additional calculations
3. Extracting data from the client files
4. Examining records which meet criteria specified by the auditor
5. Selecting audit samples
6. Comparing data that exist on separate files
7. Summarizing data
8. Comparing data obtained through other audit procedures with client records
9. Identify weaknesses in internal control
10. Prepare flowcharts of client transaction cycles and of client programs
11. Prepare graphic displays of data for easier analysis
12. Correspondence (engagement letters, representation letters, attorney's letters)

B. Test Data
A set of dummy transactions is developed by the auditor and processed by the client's computer
programs to determine whether the controls which the auditor intends to rely on are functioning as
expected. Some of these transactions may include errors to test the effectiveness of programmed
controls and to determine how transactions are handled. Every possible transaction value need not
be tested. In fact, prior exam questions have suggested that each control need only be tested
once. Several possible problems associated with test data are that the auditor must:
(1.) Make certain the test data is not included in the client's accounting records
(2.) Determine that the program tested is actually used by the client to process data.
(3.) Devote the necessary time to develop adequate data to test key controls.

C. Concurrent Audit Techniques
These techniques collect evidence as transactions are processed, immediately reporting information
requested by the auditor or storing it for later access. They are appropriate when an auditor
desires to perform tests of controls or substantive tests. Three concurrent techniques are:

I. Integrated Test Facility (ITF)
This method introduces dummy transactions into the system in the midst of live transactions and is
usually built into the system during the original design. One way to accomplish this is to
incorporate a simulated division or subsidiary into the accounting system with the sole purpose of
running test data through it. The test data approach is similar; therefore, its limitations are
also similar, yet the test data approach does not run simultaneously through the live system. The
running of dummy transactions in the midst of live transactions makes the task of keeping the two
transaction types separate more difficult.

II. Snapshots
Auditors embed software routines at different points within an application to capture and report
images, called snapshots, of a selected transaction as it is processed at preselected points in a
program. For example, in an accounts receivable application, an auditor can have snapshots taken
of the available credit limit before and after the selected sales transaction is processed to make
sure that an appropriate credit limit is carried forward.

III. System Control Audit Review Files (SCARF)
This uses audit software embedded in the client's system, called an embedded audit module, to
gather information at predetermined points in a system. This information is stored in a special
file and is reported only to the auditors at predetermined intervals. For example, an auditor may
establish an audit module that counts the number of times the credit manager overrides established
credit limits. SCARFs can be used to test controls and also for substantive tests.

D. Parallel Simulation
(Also known as Controlled Processing / Reprocessing)
This method
processes actual client data through an auditor's software program (and frequently, although not
necessarily, the auditor's computer). After processing the data, the auditor compares the output
obtained with output obtained from the client. This method verifies processing of actual
transactions (as opposed to test data and ITF that use dummy transactions) and allows the auditor
to verify actual client results. The limitations of this method include:
(1.) The time it takes the auditor to build an exact duplicate of the client’s system
(2.) Incompatibility between auditor and client software
(3.) The time involved in reprocessing large quantities of data
However, the auditor can simply test portions of the system to reduce the overall time and
concentrate on key controls.

E. Code Comparison
In the performance of code comparison, an auditor examines two versions of a program to determine
whether they are identical. One version of the program, frequently called the blueprint, is known
to be the appropriate program. In many cases, the auditor has tested the blueprint during a
previous audit. The other version of the program is the one in current use by the client. Code
comparison can be done by visually comparing the coding of the two programs or by using a computer
program to make the comparison.

F. Audit Workstation
More internal audit departments and a few external auditing firms are ending their dependence on
audit software programs run on a mainframe by using an audit workstation. Using a microcomputer
and the necessary software, the auditor extracts the necessary data from the client’s files and
performs the desired tests directly on the microcomputer. There are seven steps in the use of an
audit workstation.
1. Determine data needed – at this step the auditor analyzes the information stored on the
mainframe and determines what information would be useful.
2. Write extract routine – on a one-time basis, the auditor writes specifications that extract the
information required and place it in a format that can be transferred to the audit microcomputer.
3. Run extract program - as often as required, the extract program is run to create the file that
will be transferred to the microcomputer.
4. Download extracted file – moving the files from the mainframe to the microcomputer makes this
the most technical step in the process. However, there are new software packages available for the
mainframe and the microcomputer that make this process relatively simple.
5. Perform analysis – the auditor is now free of the mainframe and is able to perform the desired
analysis. Using a spreadsheet package, the auditor can prepare financial statements, generate
ratios, and prepare totals. Using a database package, the auditor can run statistical analyses.
6. Prepare report – the auditor now has the necessary analyses to develop a more substantial
analytical report.
7. Workpapers – to document the process, the auditor can write a report using a word processing
package and can save the results electronically.
The audit workstation may eventually replace manual workpapers. Every auditor would then have
his/her own laptop computer.

A number of auditors use commercially available
software, often referred to as a data manager, to download client data to the auditor’s
microcomputer. After the client data have been downloaded, the auditor uses commercially
available software to perform specific audit procedures. For example, an auditor may download a
client’s accounts receivable file and age it to compare to the client’s aging. Microcomputer-based
Systems Some auditing firms have begun developing expert systems, which are programs
designed to mimic the decision-making processes of an expert in the field. Expert systems were
first developed to assist physicians in making informed diagnoses. These systems are user
friendly, asking the user for specific information and then reporting on the decision. Some have
the capacity to produce a map on how they reached a conclusion. Newly developed expert
systems for accounting include programs for computation of income taxes and evaluation of loss
reserves for a bank. Expert systems are costly to develop and will require a substantial amount of
investment to produce results that are useful to auditors.

Using the Microcomputer in Administration of an Audit

Powerful, low-cost microcomputers and software are cost-effective tools that many auditors have
found helpful in administering and performing an audit. Commercially available software and
software developed by public accounting firms can assist the auditor in:
1. Preparing working papers
2. Executing audit procedures
3. Researching
4. Engagement management, and
5. Time budgeting

Among the commercially available software that auditors have found useful are:
(a.) Word processors
(b.) Electronic spreadsheets
(c.) Graphic packages to present data, and
(d.) Communication programs.

To increase the efficiency of these programs, auditors have designed templates that contain
(a) Predesigned working papers
(b) Formulas with which to check computations made in a working paper
Some public accounting firms have placed on CD-ROM and hard disks professional standards
and firm literature that could facilitate research in the field both by professionals and
undergraduate accounting students. Auditors use word processors to prepare working papers,
financial statements and accompanying notes, management letters, and other documents. There
are also other types of commercially available software that can assist in engagement
management, such as

1. Audit program generators that assist in developing audit programs
2. Preparation of flowcharts
3. Performance of analytical procedures
4. Preparation of working papers

Specialized audit programs may be developed to perform specific audit tasks. For example,
programs have been written to generate computer-made flowcharts of other programs. A trained
auditor can examine the flowcharts to test the logic of application programs and to ensure that
the client’s documentation describes the program that is actually being used.
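
Code comparison, described earlier in this chapter, answers the same question by machine: is the program in current use the blueprint the auditor tested? The sketch below is an added example, not part of the original transcript; the two program listings and all function names are constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample listings (not from the transcript). BLUEPRINT stands for the
# version the auditor tested in a previous audit; CURRENT stands for the version
# found in current use by the client.
BLUEPRINT = """\
PROCEDURE CHECK-CREDIT
  READ CUSTOMER-RECORD
  COMPUTE AVAILABLE = CREDIT-LIMIT - BALANCE
  IF ORDER-TOTAL > AVAILABLE
    REJECT ORDER
  ELSE
    ACCEPT ORDER
  END-IF
END-PROCEDURE
"""

CURRENT = """\
PROCEDURE CHECK-CREDIT
  READ CUSTOMER-RECORD
  COMPUTE AVAILABLE = CREDIT-LIMIT - BALANCE
  IF OVERRIDE-FLAG = 'Y'
    ACCEPT ORDER
  ELSE IF ORDER-TOTAL > AVAILABLE
    REJECT ORDER
  ELSE
    ACCEPT ORDER
  END-IF
END-PROCEDURE
"""


def sha256_hex(text):
    """Digest of the exact bytes, used for the identical / not identical verdict."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_programs(blueprint, current):
    """Compare two listings and return the verdict, digests and changed regions.

    Trailing whitespace and line endings are ignored when locating changed
    regions, so a listing that was only re-saved on another platform shows a
    digest mismatch but no changed statements. Leading indentation is kept.
    """
    a = [line.rstrip() for line in blueprint.splitlines()]
    b = [line.rstrip() for line in current.splitlines()]
    changes = []
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for kind, i1, i2, j1, j2 in matcher.get_opcodes():
        if kind == "equal":
            continue
        changes.append({
            "kind": kind,              # 'replace', 'insert' or 'delete'
            "blueprint_line": i1 + 1,  # 1-based position in the blueprint
            "current_line": j1 + 1,    # 1-based position in the current version
            "removed": a[i1:i2],       # statements present only in the blueprint
            "added": b[j1:j2],         # statements present only in current use
        })
    return {
        "byte_identical": sha256_hex(blueprint) == sha256_hex(current),
        "blueprint_sha256": sha256_hex(blueprint),
        "current_sha256": sha256_hex(current),
        "changes": changes,
    }


def format_report(result):
    """Render the comparison as text suitable for filing with the working papers."""
    lines = [
        "blueprint sha256: " + result["blueprint_sha256"],
        "current   sha256: " + result["current_sha256"],
    ]
    if result["byte_identical"]:
        lines.append("verdict: identical to blueprint")
    elif not result["changes"]:
        lines.append("verdict: whitespace or line-ending differences only")
    else:
        lines.append("verdict: NOT identical, %d changed region(s)" % len(result["changes"]))
        for c in result["changes"]:
            lines.append("%s at blueprint line %d / current line %d"
                         % (c["kind"], c["blueprint_line"], c["current_line"]))
            lines.extend("  - " + s for s in c["removed"])
            lines.extend("  + " + s for s in c["added"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_programs(BLUEPRINT, CURRENT)))
```

A digest mismatch alone only says the two versions differ; the region list is what lets the auditor ask whether each change was authorized.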

Another audit technique that may be used is Tagging and Tracing Transactions. This process
involves tagging or specifically marking or highlighting certain transactions by the auditor at the
time of their input. The computer provides the auditor with a printout of the details of the steps in
processing tagged transactions. This printout is examined for evidence of unauthorized program
steps. Some auditors use utility programs during their audits. Utility programs are provided by
major systems vendors to provide programmers and computer operators with working tools. For
example, a utility program can copy files, make comparison or sort data. Specialized Audit
Program and Additional Techniques Electronic Commerce – Effect on the Audit of Financial
Statements (PAPS1013) The purpose of PAPS1013 is to provide guidance to assist auditors of
financial statements where an entity engages in commercial activity that takes place by means of
connected computers over a public network, such as the Internet (E-commerce).
Communications and transactions over networks and through computers are not new features of
the business environment. For example, business processes frequently involve interaction with a
remote computer, the use of computer networks, or electronic data interchange (EDI). However
the increasing use of the Internet for business to consumer, business to business, business to
government and business to employee e-commerce is introducing new elements of risk to be
addressed by the entity and considered by the auditor when planning and performing the audit of
the financial statements. The Internet refers to the worldwide network of computer networks; it is
a shared public network that enables communication with other entities and individuals around
the world. It is interoperable, which means that any computer connected to the Internet. The
Internet is a public network, in contrast to a private network that only allows access to authorized
persons or entities. The use of a public network introduces special risks to be addressed by the
entity. Growth of Internet activity without due attention by the entity to those risks may affect
the auditor’s assessment of risk. When e-commerce has a significant effect on the entity’s
business, appropriate levels of both Information Technology (IT) and Internet business knowledge
may be required to:
• Understand, so far as they may affect the financial statements:
- The entity’s e-commerce strategy and activities
- The technology used to facilitate the entity’s e-commerce activities and the IT skills and
knowledge of entity personnel.
- The risks involved in the entity’s use of e-commerce and the entity’s approach to managing
those risks, particularly the adequacy of the internal control system, including the security
infrastructure and related controls, as it affects the financial reporting process;
• Determine the nature, timing and extent of audit procedures and evaluate audit evidence
• Consider the effect of the entity’s dependence on e-commerce activities on its ability to
continue as a going concern

In some circumstances, the auditor may decide to use the work of an expert, for
example if the auditor considers it appropriate to test controls by attempting to break through the
security layers of the entity’s system (vulnerability or penetration testing). When the work of an
expert is used, the auditor obtains sufficient appropriate audit evidence that such work is
adequate for the purposes of the audit, in accordance with PSA 620 (Revised and Redrafted),
“Using the Work of an Auditor’s Expert.” The auditor also considers how the work of the
experts is integrated with the work of others on the audit, and what procedures are undertaken
regarding risks identified through expert’s work. PSA 315 (Redrafted) requires that the auditor
obtain knowledge of the business sufficient to enable the auditor to identify and understand the
events, transactions and practices that may have a significant effect on the financial statements or
on the audit report. Knowledge of the business includes a general knowledge of the economy and
the industry within which the entity operates. The growth of e-commerce may have a significant
effect on the entity’s traditional business environment.

The auditor’s knowledge of the business is fundamental to assessing the significance of
e-commerce to the entity’s business activities and any effect on audit risk. The auditor considers
changes in the entity’s business environment attributable to e-commerce, and e-commerce
business risk as identified so far as they affect the financial statements. Although the auditor
obtains much information from inquiries of personnel directly involved with the entity’s e-
commerce activities, such as the Chief Information Officer or equivalent may also be useful.
Knowledge of the Business In obtaining or updating knowledge of the entity’s business, the
auditor considers, so far as they affect the financial statements: The entity’s business activities
and industry The entity’s e-commerce strategy, including the way it uses IT for e-commerce and
its assessment of acceptable risk levels, may affect the security of the financial records and the
completeness and reliability of the financial information produced. The entity’s e-commerce
strategy Different entities use e-commerce in different ways. For example, e-commerce might be
used to:
Provide only information about the entity and its activities, which can be accessed by third
parties such as investors, customers, suppliers, finance providers, and employees;
Facilitate transactions with established customers whereby transactions are entered via the
Internet;
Gain access to the new markets and new customers by providing information and transaction
processing via the Internet;
Access Application Service Providers (ASPs); and
Create an entirely new business model. The extent of the entity’s e-commerce activities Many
entities do not have the technical expertise to establish and operate in-house systems needed to
undertake e-commerce. These entities may depend on service organizations such as Internet
Services Providers (ISPs), Application Service Providers (ASPs) and data hosting companies to
provide many or all of the IT requirements of e-commerce. The entity may also use service
organizations for various other functions in relation to its e-commerce activities such as order
fulfillment, delivery of goods, operation of call centers and certain accounting functions.

When the entity uses a service organization, certain policies, procedures and records maintained
by the service organization may be relevant to the audit of the entity’s financial statements. The
auditor considers the outsourcing arrangements used by the entity to identify how the entity
responds to risks arising from the outsourced activities. The entity’s outsourcing arrangements E-
commerce activities may be complementary to an entity’s traditional business activity. For
example, the entity may use the Internet to sell conventional products, delivered by conventional
methods from a contract executed on the Internet. In contrast, e-commerce may represent digital
products via the Internet.

The Internet lacks the clear, fixed geographic lines of transit that traditionally have characterized the
physical trade of many goods and services. In many cases, particularly where goods or services
can be delivered via the Internet, e-commerce has been able to reduce or eliminate many of the
limitations imposed by time and distance. Certain industries are more conducive to the use of e-
commerce; therefore e-commerce in these industries is in a more mature phase of development.
When an entity’s industry has been significantly influenced by e-commerce over the Internet,
business risks that may affect the financial statements may be greater.
Examples of industries that are being transformed by e-commerce include:
Computer software 
Securities trading
Banking
Travel services
Books and magazines
Recorded music
Advertising
News media; and
Education
In addition many other industries, in all business sectors, have been significantly affected by e-
commerce. Involvement of those charged with governance in considering the alignment of e-
commerce activities with the entity’s overall business strategy;
Whether e-commerce supports a new activity for the entity, or whether it is intended to make
existing activities more efficient or reach new markets for existing activities;
Sources of revenue for the entity and how these are changing (for example, whether the entity
will be acting as a principal or agent for goods or services sold); Matters that may be relevant to
the auditor when considering the entity’s e-commerce strategy in the context of the auditor’s
understanding of the control environment, include: Management’s evaluation of how e-
commerce affects the earnings of the entity and its financial requirements;
Management’s attitude to risk and how this may affect the risk profile of the entity;
The extent to which management has identified e-commerce opportunities and risks in a
documented strategy that is supported by appropriate controls, or whether e-commerce is subject
to ad hoc development responding to opportunities and risks as they arise; and
Management’s commitment to relevant codes of best practice or web seal programs. The extent
of e-commerce use affects the nature of risks to be addressed by the entity. Security issues may
arise whenever the entity has a web site. Even if there is no third party interactive access,
information-only pages can provide an access point to the entity’s financial records. The security
infrastructure and related controls can be expected to be more extensive where the web site is
used for transacting with business partners, or where systems are highly integrated.

As an entity becomes more involved with e-commerce, and as its internal systems become more
integrated and complex, it becomes more likely that new ways of transacting business will differ
from traditional forms of business activity and will introduce new types of risks.
Management faces many business risks relating to the entity’s e-commerce activities, including:
•Loss of transaction integrity, the effects of which may be compounded by the lack of an adequate
audit trail in either paper or electronic form;
•Pervasive e-commerce security risks, including virus attacks and the potential for the entity to
suffer fraud by customers, employees and others through unauthorized access;
•Improper accounting policies related to, for example, capitalization of expenditures such as
website development costs, misunderstanding of complex contractual arrangements, title transfer
risks, translation of foreign currencies, allowances for warranties or returns, and revenue
recognition issues such as:
-Whether the entity is acting as principal or agent and whether gross sales or commission only
are to be recognized;
-If other entities are given advertising space on the entity’s web site, how revenues are
determined and settled;
-The treatment of volume discounts and introductory offers;
-Cut off
•Noncompliance with taxation and other legal and regulatory requirements, particularly when
Internet e-commerce transactions are conducted across international boundaries;
•Failure to ensure that contracts evidenced only by electronic means are binding;
•Over reliance on e-commerce when placing significant business systems or other business
transactions on the Internet; and
•Systems and infrastructure failures or crashes.

The entity addresses certain business risks arising in e-commerce through the implementation of
an appropriate security infrastructure and related controls, which generally include measures to:
•Verify the identity of customers and suppliers;
•Ensure the integrity of transactions;
•Obtain agreement on terms of trade, including agreement of delivery and credit terms and
dispute resolution processes, which may address tracking of transactions and procedures to
ensure a party to a transaction cannot later deny having agreed to specified terms
(non-repudiation procedures);
•Obtain payment from, or secure credit facilities for, customers; and
•Establish privacy and information protection protocols.

The auditor uses the knowledge of the business obtained to identify those events, transactions
and practices related to business risks arising from the entity’s e-commerce activities that, in the
auditor’s judgement, may result in a material misstatement of the financial statements or have a
significant effect on the auditor’s procedures or the audit report.

Legal and Regulatory Issues
A comprehensive international legal framework for e-commerce and an efficient infrastructure to
support such a framework (electronic signatures, document registries, dispute mechanisms,
consumer protection, etc.) does not yet exist. Legal frameworks in different jurisdictions vary in
their recognition of e-commerce. Nonetheless, management needs to consider legal and regulatory
issues related to the entity’s e-commerce activities, for example, whether the entity has adequate
mechanisms for recognition of taxation liabilities, particularly sales or value-added taxes, in
various jurisdictions. Factors that may give rise to taxes on e-commerce transactions include the
place where:
•The entity is legally registered;
•Its physical operations are based;
•Its web server is located;
•Goods and services are supplied from; and
•Its customers are located or goods and services are delivered.

These may all be in different jurisdictions. This may give rise to a risk that taxes due on
cross-jurisdictional transactions are not appropriately recognized.

PSA 250 (Redrafted) “Consideration of Laws and Regulations in an Audit of Financial Statements”
requires that when planning and performing audit procedures and in evaluating and reporting the
results thereof, the auditor recognize that noncompliance by the entity with laws and regulations
may materially affect the financial statements. PSA 250 (Redrafted) also requires that, in order to
plan the audit, the auditor should obtain a general understanding of the legal and regulatory
framework applicable to the entity and the industry and how the entity is complying with the
framework. That framework may, in the particular circumstances of the entity, include certain
legal and regulatory issues related to its e-commerce activities. While PSA 250 (Redrafted)
recognizes that an audit cannot be expected to detect noncompliance with all laws and
regulations, the auditor is specifically required to perform procedures to help identify instances
of noncompliance with those laws and regulations where noncompliance should be considered
when preparing financial statements. When a legal or regulatory issue arises that, in the auditor’s
judgement, may result in a material misstatement of the financial statements or have a significant
effect on the auditor’s procedures or the audit report, the auditor considers management’s
response to the issue. In some cases, the advice of a lawyer with particular expertise in
e-commerce issues may be necessary when considering legal and regulatory issues arising from an
entity’s e-commerce activity.

Legal or regulatory issues that may be particularly relevant in an e-commerce environment include:
•Adherence to national and international privacy requirements;
•Adherence to national and international requirements for regulated industries;
•The enforceability of contracts;
•The legality of particular activities (e.g. Internet gambling);
•The risk of money laundering; and
•Violation of intellectual property rights.

Internal Control Consideration
Internal control can be used to mitigate many of the risks associated with e-commerce activities.
The auditor considers the control environment and control procedures the entity has applied to its
e-commerce activities to the extent they are relevant to the financial statement assertions. In some
circumstances, for example, when electronic commerce systems are highly automated, when
transaction volumes are high, or when electronic evidence comprising the audit trail is not
retained, the auditor may determine that it is not possible to reduce audit risk to an acceptably
low level by using substantive procedures. CAATs are often used in such circumstances.
As well as addressing security, transaction integrity and process alignment, as discussed below,
the following aspects of internal control are particularly relevant when the entity engages in
e-commerce:
•Maintaining the integrity of control procedures in the quickly changing e-commerce
environment;
•Ensuring access to relevant records for the entity’s needs and for audit purposes.

Security
The entity’s security infrastructure and related controls are particularly important features of its
internal control system when external parties are able to access the entity’s information system
using a public network such as the Internet. Information is secure to the extent that the
requirements for its authorization, authenticity, confidentiality, integrity, non-repudiation and
availability have been satisfied. The entity will ordinarily address security risks related to the
recording and processing of e-commerce transactions through its security infrastructure and
related controls. The security infrastructure and related controls may include an information
security policy, an information security risk assessment, and standards, measures, practices, and
procedures within which individual systems are introduced and maintained, including both
physical measures and logical and other technical safeguards such as user identifiers, passwords
and firewalls.
To the extent they are relevant to the financial statement assertions, the auditor considers such
matters as:
•The effective use of firewalls and virus protection software to protect its systems from the
introduction of unauthorized or harmful software, data or other material in electronic form;
•The effective use of encryption, including both:
-Maintaining the privacy and security of transmission through, for example, authorization of
decryption keys; and
-Preventing the misuse of encryption technology through, for example, controlling and
safeguarding private decryption keys;
•Controls over the development and implementation of systems used to support e-commerce
activities;
•Whether security controls in place continue to be effective as new technologies that can be used
to attack Internet security become available;
•Whether the control environment supports the control procedures implemented. For example,
while some control procedures, such as digital certificate-based encryption systems, can be
technically advanced, they may not be effective if they operate within an inadequate control
environment.

Process Alignment
Process alignment refers to the way various IT systems are integrated with one another and thus
operate, in effect, as one system. In the e-commerce environment, it is important that transactions
generated from an entity’s web site are processed properly by the entity’s internal systems, such
as the accounting system, customer relationship management systems and inventory management
systems (often known as “back office” systems). Many web sites are not automatically integrated
with internal systems.

Transactions Integrity
The auditor considers the completeness, accuracy, timeliness and authorization of information
provided for recording and processing in the entity’s financial records (transaction integrity). The
nature and the level of sophistication of an entity’s e-commerce activities influence the nature and
extent of risks related to the recording and processing of e-commerce transactions.
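
The four attributes just named (completeness, accuracy, timeliness and authorization), together with a duplicate check, expressed as a CAAT-style reconciliation of web-site orders against ledger postings. This is an added example, not part of the original transcript; the record layout, the approved-customer list, the reporting date and all sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the page). Amounts are in cents.
WEB_ORDERS = [
    {"order_id": 1001, "customer": "C01", "cents": 25000, "placed": date(2023, 12, 28)},
    {"order_id": 1002, "customer": "C02", "cents": 8050, "placed": date(2023, 12, 30)},
    {"order_id": 1003, "customer": "C99", "cents": 4000, "placed": date(2023, 12, 31)},
    {"order_id": 1005, "customer": "C01", "cents": 1999, "placed": date(2023, 12, 31)},
]
LEDGER = [
    {"order_id": 1001, "cents": 25000, "posted": date(2023, 12, 28)},
    {"order_id": 1002, "cents": 8500, "posted": date(2023, 12, 30)},
    {"order_id": 1002, "cents": 8500, "posted": date(2023, 12, 30)},
    {"order_id": 1005, "cents": 1999, "posted": date(2024, 1, 2)},
]
APPROVED_CUSTOMERS = {"C01", "C02"}   # hypothetical approved-party list
PERIOD_END = date(2023, 12, 31)       # hypothetical reporting date

def check_transaction_integrity(orders, ledger, approved, period_end):
    """Compare web orders with ledger postings; return exceptions per attribute."""
    findings = {k: [] for k in ("completeness", "duplication", "accuracy",
                                "timeliness", "authorization")}
    postings = {}
    for entry in ledger:
        postings.setdefault(entry["order_id"], []).append(entry)
    # Completeness: a gap in the order-number sequence suggests an omitted order.
    ids = sorted(o["order_id"] for o in orders)
    full = range(ids[0], ids[-1] + 1) if ids else []
    for missing in sorted(set(full) - set(ids)):
        findings["completeness"].append((missing, "order number missing from web log"))
    for o in orders:
        oid, posted = o["order_id"], postings.get(o["order_id"], [])
        # Authorization: the order must come from an approved party.
        if o["customer"] not in approved:
            findings["authorization"].append(oid)
        # Completeness: every captured order must reach the accounting system.
        if not posted:
            findings["completeness"].append((oid, "no ledger posting"))
            continue
        # Duplication: one order, one posting.
        if len(posted) > 1:
            findings["duplication"].append(oid)
        # Accuracy: the posted amount must equal the amount captured on the web site.
        if any(p["cents"] != o["cents"] for p in posted):
            findings["accuracy"].append(oid)
        # Timeliness (cut-off): order and posting must fall in the same period.
        if any((p["posted"] <= period_end) != (o["placed"] <= period_end) for p in posted):
            findings["timeliness"].append(oid)
    return findings

if __name__ == "__main__":
    result = check_transaction_integrity(WEB_ORDERS, LEDGER, APPROVED_CUSTOMERS, PERIOD_END)
    for attribute, exceptions in result.items():
        print(f"{attribute}: {exceptions}")
```

Each non-empty list is a set of exceptions for the auditor to follow up, not a conclusion that a misstatement exists.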

Audit procedures regarding the integrity of information in the accounting system relating to
e-commerce transactions are largely concerned with evaluating the reliability of the systems in use
for capturing and processing such information. In a sophisticated system, the originating action,
for example, receipt of a customer order over the Internet, will automatically initiate all other
steps in processing the transaction. Therefore, in contrast to audit procedures for traditional
business activities, which ordinarily focus separately on control processes relating to each stage
of transaction capture and processing, audit procedures for sophisticated e-commerce often focus
on automated controls that relate to the integrity of transactions as they are captured and then
immediately and automatically processed.
In an e-commerce environment, controls relating to transaction integrity are often designed to,
for example:
•Validate input;
•Prevent duplication or omission of transactions;
•Ensure the terms of trade have been agreed before an order is processed, including delivery and
credit terms, which may require, for example, that payment is obtained when an order is placed;
•Distinguish between customer browsing and orders placed, ensure a party to a transaction cannot
later deny having agreed to specified terms (non-repudiation), and ensure transactions are with
approved parties when appropriate;
•Prevent incomplete processing by ensuring all steps are completed and recorded (for example,
for a business to consumer transaction: order accepted, payment received, goods/services
delivered and accounting system updated) or, if all steps are not completed and recorded, by
rejecting the order;
•Ensure the proper distribution of transaction details across multiple systems in a network (for
example, when data is collected centrally and is communicated to various resource managers to
execute the transaction);
•Ensure records are properly retained, backed-up and secured.

The way e-commerce transactions are captured and transferred to the entity’s accounting system
may affect such matters as:
•The completeness and accuracy of transaction processing and information storage;
•The timing of the recognition of sales revenues, purchases and other transactions.

When it is relevant to the financial statement assertions, the auditor considers the controls
governing the integration of e-commerce transactions with internal systems, and the controls
over systems changes and data conversion to automate process alignment.

The Effect of Electronic Records on Audit Evidence
There may not be any paper records for e-commerce transactions, and electronic records may be
more easily destroyed or altered than paper records without leaving evidence of such destruction
or alteration. The auditor considers whether the entity’s security of information policies, and
security controls as implemented, are adequate to prevent unauthorized changes to the accounting
system or records, or to systems that provide data to the accounting system.

Brought to you by:
MAGTO, Jela A.
GALIMBA, John Michael
PANGCOGA, Norhasna U.
PACASUM, Prince Muaddib M.

Thank You!
Have a nice day ahead!
