CIS Environments, Computer-Assisted Audit Techniques
ACCA's response to the four exposure draft revisions to these International Auditing Practice Statements issued by the International Federation of Accountants (IFAC) is set out below.
Copies of the documents are available from the publications section of the IFAC web site: http://www.ifac.org/Guidance/EXD-Download.tmpl?PubID=9571635921721
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the exposure draft of revisions to International Auditing Practice Statements: "CIS Environments - Stand-Alone Microcomputers", "CIS Environments - On-Line Computer Systems", "CIS Environments - Database Systems" and "Computer-Assisted Audit Techniques."
We welcome the revision of these statements, which we believe provide suitable guidance for auditors in relation to less-complex computerised information systems environments. We also welcome the announcement that IAPC intends to issue further IAPSs dealing with other aspects of computerised information systems, for example, electronic commerce.
In the remainder of this response we explain two concerns that we have about the proposed guidance. Our further comments are on the detail of the wording of the exposure draft, in some instances on matters that might affect the ease of translation into other languages.
Significant issues
CIS Environments - On-Line Computer Systems
Paragraph 33 of CIS Environments - On-Line Computer Systems includes the sentence: 'Where the entity permits access through the Internet, audit procedures can be used to test firewalls and other authorization and access controls, as well as the transaction processing.'
We do not believe that auditors generally view testing of firewalls as an integral part of an audit of financial statements. The text of paragraph 33 refers to the danger that audit tests might corrupt client data. This could be interpreted as meaning that the testing of firewalls should take the form of 'hacking', i.e. attempting to force access through the use of aggressive programs. This is akin to suggesting that auditors test physical security over assets by attempting to steal them.
Computer-Assisted Audit Techniques
The proposed IAPS Computer-Assisted Audit Techniques initially uses the term CAATs to mean the applications of audit procedures using the computer as an audit tool (i.e. in accordance with ISA 200 'Glossary of Terms'). However, the body of the document includes references to the use of computers in a way that we consider is better referred to as 'audit automation'.
We believe that auditors generally draw a distinction between these two uses of a computer and that the proposed IAPS should reflect this in its structure and text.
We consider that the following aspects of computer use normally fall to be described as 'audit automation':
- Use of expert systems in the design of audit programs and in audit planning and risk assessment (second bullet point of paragraph 5);
- Creation of electronic working papers (seventh bullet point of paragraph 5); and
- The matters referred to in paragraph 7.
In addition, audit automation also includes computer control over the audit process, in particular the completeness of documentation of procedures and review.
Drafting points
General
- The documents exhibit the following minor problems in their prose:
  - The capitalisation of terms is not consistent within the body of the text;
  - The apostrophe in expressions such as users ' needs should not be preceded by a space; and
  - The expression 'a number of' is often used to mean 'several'. The prose can usually be simplified by substituting that word or omitting the expression altogether.
CIS Environments - Stand-Alone Microcomputers
- Paragraph 2 describes microcomputers. The description uses terminology associated with computer systems in general (e.g. memory, data storage unit) rather than words specific to microcomputers. We believe that the description would be more accessible if it was more direct. In addition, the paragraph contains a reference to a 'modem', which we suggest would be better placed in paragraph 6, which is concerned with linking to other computers.
We suggest that paragraph 2 be redrafted as follows:
Microcomputers, often referred to as "personal computers" or "PCs," are economical yet powerful self-contained general purpose computers. They consist typically of a monitor (visual display unit), a case containing the computer electronics and a keyboard (and mouse). These features may be combined in portable "laptop" PCs. Programs and data may be stored internally on a hard disk or on removable storage media such as CD or floppy disk. PCs may be connected to printers and other devices, such as scanners.
Should the paragraph not be redrafted in this way, we would point out that, in the last sentence of paragraph 2, the words 'scanners and modem' are a mixture of plural and singular and ought to be brought into agreement.
- The second sentence of paragraph 5 repeats material concerning the storage of programs and data that is already in paragraph 2. The material does not sit logically within paragraph 5 and should be eliminated from it.
- Paragraph 21(b) contains two terms that may prove difficult to translate; indeed, one is potentially misleading.
'Time frame' is used in the phrase 'within a time frame that is reasonable'. This construction may be simplified and rewritten as 'within a reasonable time'.
'Criticality' is used with the intention of it referring to the extent to which the operation of a system is of vital importance. This is an incorrect use of the word and an alternative should be employed. The dictionary meaning of 'criticality' (a noun) relates to being at a point at which some quality, property, or phenomenon suffers a definite change.
CIS Environments - On-Line Computer Systems
- In the first bullet point within paragraph 23, the words 'unique logon ids' are used. While it is apparent that 'ids' is being used as an abbreviation for 'identifications', the abbreviation is more usually rendered as 'IDs'.
- In the fourth bullet point within paragraph 25, the words 'inventory relief' are used. 'Inventory relief' is a term with which we are not familiar and we suggest that the meaning of the point would be clearer if a longer description were used instead. For example 'updating of inventory records' (if that is what is meant).
CIS Environments - Database Systems
- The capitalisation of terms is not consistent in this document. For example in paragraph 5, the second word 'Systems' should not have an initial capital letter and in paragraph 17, 'Database' should not have an initial capital letter.
Computer-Assisted Audit Techniques
- In paragraph 5, the term 'analytical review procedures' is used in the second bullet point (also in paragraph 13). To conform to the usage in ISA 520 'Analytical Procedures', the word 'review' should be omitted.
- Paragraph 12 deals with only one aspect of the impracticability of manual tests, namely where there is a lack of hard copy evidence. We suggest that it would also be appropriate to refer here to the impracticality of carrying out certain procedures that depend on complex processing (such as advanced statistical analysis) or involve amounts of data that would overwhelm any manual procedure. These matters are not dealt with adequately in paragraphs 13 to 15, which are more concerned with cost justification of the initial investment in the design of CAATs.


