Controls over accuracy of computer input
Author: Tommie Singleton

So many times, auditors of all types use a computer-generated report to perform some aspect of assurance. For example, financial auditors may pull a computer-generated list of accounts receivable (i.e., subsidiary listing) and use it to confirm receivables. IT auditors sometimes do the same thing with lists of access, logs or other reports relevant to IT audits. A popular use today is to generate data sets (a similar resulting object) to conduct data mining or data analytics.

It is tempting to look at a neat report that came from a computer and to have a “leap of faith” as to the veracity and reliability of the information of that report. Standard setters have realized the fallacy of that thinking and have issued guidance to auditors regarding computer-generated reports. The Public Company Accounting Oversight Board (PCAOB) inspection reports show that one major area of deficiency in financial audits of issuers is not gaining assurance regarding the accuracy and completeness of the report’s information.

The Goal

The goal has been stated by standard setters. It is the completeness and accuracy of the information in the report upon which the auditor is relying. Accuracy alone is insufficient. One needs to obtain assurance about both the completeness and the accuracy.

The US Government Accountability Office (GAO) uses data reliability to refer to the accuracy and completeness of data. They define data reliability as “sufficiently reliable data,” “not sufficiently reliable data” and “data of undetermined reliability.” A determination of data reliability should lead to the assessment of assurance on accuracy and completeness of a computer-generated report from these data, although it may be necessary to couple that with another test for report settings. It is possible for data to be reliable for one particular purpose but not reliable for another because of differences in data fields.

Why?

Consider the example of a financial audit. The financial auditor might use a key report from the information system (i.e., computer) as the key information or an important audit procedure. In this case, the reliance upon the information is critical to the conclusions about the assertion of the account balance, class of transactions or disclosure being tested.

Consider an IT audit. The same result is true. If the IT auditor is using a computer-generated list of credit card charges (or similar financial data), or a list of users and accesses, the conclusion after testing is highly dependent on the accuracy and completeness of the information being used. Therefore, the IT auditor will want to first look at the computer-generated report and figure out why it is appropriate, with specificity, to rely on the report and why the completeness and accuracy of the report are reliable.

Procedures

There are generally two ways to gain assurance for completeness and accuracy. One is to compare the report to information or data external to the system and the other is to compare the report to the internal database.

The best way to get assurance from a computer-generated report is to compare it for completeness and accuracy against data/information independent of the computer system. For instance, if the entity produces something and has a standard rate or formula for billing, there is operational data to support the amount reflected in those billings. That information could be used for completeness and accuracy of a listing of billings by making some simple calculations. It is possible external information exists in other repositories as well. Other similar tests would include tests such as the following:
When external information is not readily available, the comparison would need to be the report against the database in the system. The following are examples of how that can be accomplished:
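The comparison described under Procedures, as an added example that is not part of the original article: a billing listing is recomputed from operational data at a standard rate and reconciled in both directions, and the same reconciliation applies when the independent side is an extract of the system's database. The invoice numbers, rate and amounts are constructed for illustration; `confirm_from_report` shows why a test that starts from the report can find wrong amounts but never a missing record.

```python
from decimal import Decimal

STANDARD_RATE = Decimal("12.50")  # assumed billing rate per unit (constructed)

# Constructed operational data held outside the billing system: invoice -> units
OPERATIONS = {"INV-001": 40, "INV-002": 10, "INV-003": 25, "INV-004": 8}

# Constructed computer-generated billing listing under test
REPORT = [
    ("INV-001", Decimal("500.00")),
    ("INV-002", Decimal("125.00")),
    ("INV-003", Decimal("321.50")),  # source supports 312.50
    ("INV-005", Decimal("75.00")),   # no supporting operational record
]

def reconcile(report, operations, rate):
    """Compare a report to independent source data for completeness and accuracy."""
    expected = {inv: units * rate for inv, units in operations.items()}
    reported, duplicates = {}, []
    for inv, amount in report:
        if inv in reported:
            duplicates.append(inv)  # the same item listed twice inflates totals
        reported[inv] = amount
    common = set(expected) & set(reported)
    expected_total = sum(expected.values())
    reported_total = sum(amount for _, amount in report)
    return {
        "missing": sorted(set(expected) - set(reported)),      # completeness
        "unsupported": sorted(set(reported) - set(expected)),  # validity
        "mismatched": sorted(i for i in common if reported[i] != expected[i]),  # accuracy
        "duplicates": duplicates,
        "expected_total": expected_total,
        "reported_total": reported_total,
        "total_difference": reported_total - expected_total,   # control total check
    }

def confirm_from_report(report, operations, rate):
    """Test only items drawn from the report, as confirmation letters do."""
    exceptions = []
    for inv, amount in report:
        units = operations.get(inv)
        if units is None or units * rate != amount:
            exceptions.append(inv)
    return exceptions  # an invoice absent from the report can never appear here

if __name__ == "__main__":
    print(reconcile(REPORT, OPERATIONS, STANDARD_RATE))
    print(confirm_from_report(REPORT, OPERATIONS, STANDARD_RATE))
```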
Sometimes a test performed might provide assurance for completeness but not accuracy, and vice versa. For instance, in confirming receivables, the auditor may not have assurance of accuracy and completeness over the list of subsidiary accounts and decide to confirm a high percentage of accounts (for example, 80 percent) as a compensating test. However, that test only confirms accuracy and not completeness. Also, a paperless transaction or system will not have source documents from which to test data or the report. In the case of the latter, internal controls are critical to obtaining assurance about accuracy and completeness.

Finally, sometimes one cannot attain sufficient assurance about the accuracy and completeness of the data and report, as indicated by the ratings the GAO uses for data reliability. When that happens, what do auditors do with the report? They select an alternative approach. For instance, there are two ways to confirm receivables. The first, confirmation letters, uses a list of subsidiary accounts. If accuracy and completeness of that list cannot be attained, the alternative confirmation is subsequent payments.

Conclusion

With the combined growth in computer-generated reports, and the growing attention by reviewers and standard setters on the accuracy and completeness of reports used in audits, there is a need to understand the situation and to develop a framework for obtaining that assurance. Obviously, the key is to, first, use a valid source for testing and, second, obtain assurance for both.

Tommie Singleton, CISA, CGEIT, CPA, is the director of consulting for Carr Riggs & Ingram, a large regional public accounting firm. His duties involve forensic accounting, business valuation, IT assurance and service organization control engagements. Singleton is responsible for recruiting, training, research, support and quality control for those services and the staff that perform them. He is also a former academic, having taught at several universities from 1991 to 2012. Singleton has published numerous articles, coauthored books and made many presentations on IT auditing and fraud.

What is input control in auditing?

Input controls: Determine that appropriate input controls are used to ensure accuracy and completeness of data. Evaluate the effectiveness of various input controls in fulfilling their objectives. Audit procedures: Check digit verification ensures accuracy of the data entered.

What is specific control of input control?

Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling.

What are the types of ITGC controls?

5 Types of ITGC Controls. Physical and Environmental Security. Data centers must be protected from unplanned environmental events and unauthorized access that could potentially compromise normal operations. ... Logical Security. ... Backup and Recovery. ... Incident Management. ... Information Security. ... People. ... Process. ... Technology.

What are examples of application controls?

Application control includes completeness and validity checks, identification, authentication, authorization, input controls, and forensic controls, among others.