Textbook: International Auditing Standards. Topic: "Auditing Standards and Professional Ethics" Test Regulations on international audit practice have

International Standards on Auditing (ISAs) are published by the International Auditing Practices Committee (IAPC). The IAPC is the Standing Committee of the Council of the International Federation of Accountants (IFAC), which was established in 1977 and is based in New York. membership in the International Accounting Standards Committee (IASC) based in London. The two organizations are independent of each other: the former deals with auditing, the latter with accounting.

The Preface to ISAs and Related Services states that the International Auditing Practices Committee (IAPC) has two areas: ISAs and ISAs.

International Auditing Standards are general guidance materials that assist auditors in fulfilling their responsibilities in auditing financial reporting. They cover the professional qualities of auditors (such as competence and independence) and the requirements for audit reports and certificates.

International provisions on audit practice provide auditors with practical assistance in applying standards and good practices. These provisions do not have the status of standards.

International Standards on Auditing include general standards (two), operating standards (four) and reporting standards (four).

These standards apply to all audit engagements. Compliance with these standards is very important for an audit. The standards provide minimum requirements that must be met in order for an auditor to declare an audit in full compliance with International Standards on Auditing.

General standards

The audit must be carried out objectively and with the due attention of professionally trained people.

Working standards

§ Work must be properly planned and executed. If the auditor has assistants, they must be properly supervised.

§ To plan an audit, it is necessary to obtain information about the internal control structure. If the control risk is assessed below its maximum value, sufficient appropriate evidence must be collected by testing to support the assessment.

§ The basis for evaluating audited financial statements should be material information obtained through audits, observations, interviews, confirmations, calculations and analysis.

Reporting standards

§ The report must contain a list of financial statements subject to audit and a mention of the responsibilities of management and the auditor.

§ The report should communicate the scope of the audit.

§ The auditor's report must either contain the auditor's opinion on the financial statements as a whole, or must reflect the reasons why this opinion cannot be expressed.

§ The conclusion must indicate that all material aspects of the financial position, results of operations and movement of money are accurately presented in the financial reports. The opinion should be based on International Financial Reporting Standards or, in special cases, on appropriately disclosed accounting principles. The report must clearly explain any qualifications in the application.

100 - 199 Introductory aspects

100 Preface to International Standards on Auditing and Related Services

110 Glossary of terms

120 Conceptual framework of the International Standards on Auditing

200 – 299 Liability

200 Objective and general principles governing an audit of financial statements

210 Terms of audit engagements

220 Audit quality control

230 Documentation

240 Fraud and errors

250 Consideration of laws and regulations in an audit of financial statements

300-399 Planning

300 Planning

310 Business Knowledge

320 Materiality in audit

400-499 Internal control

400 Risk assessments and internal controls

401 Audit in a computer information systems environment

402 Audit matters of entities using the services of service organizations

500 - 599 Audit evidence

500 Audit evidence

501 Audit Evidence - Additional Issues Regarding Specific Items

510 Initial agreements - opening balances

520 Analytical procedures

530 Audit sampling and other random testing procedures

540 Audit of accounting estimates

550 Related parties

560 Subsequent events

570 Going concern

580 Entity management representations

600 - 699 Using the work of others

600 Using the work of another auditor

610 Review of service operation internal audit

620 Using the work of an expert

700 - 799 Audit findings and reporting

700 Auditor's report on financial statements

710 Comparative indicators



720 Other information in documents containing audited financial statements

800 - 899 Specialized areas

800 Auditor's report on special purpose audit engagements

810 Checking prospective financial information

900 - 999 Related services

910 Financial Statement Review Agreement

920 Agreement to follow agreed-upon procedures for financial information

930 Financial Compilation Agreement

1000 - 1100 Regulations on International Auditing Practice

1000 Interbank confirmation procedures

1001 CIS environment - autonomous microcomputers

1002 CIS environment - interactive computer systems

1003 CIS environment - database systems

1004 Interaction of bank supervisors with external auditors

1005 Features of the audit of small enterprises

1006 Audit of international commercial banks

1007 Relationship with entity management

1008 Risk Assessments and Internal Controls - Characteristics of CIS and Related Issues

1009 Computer-assisted audit methods

1010 Consideration of environmental issues in an audit of financial statements

1011 Application for management and auditors 2000

International Regulations on Auditing Practice provide practical assistance to auditors in implementing standards and promoting good practice. These provisions do not fulfill the functions of standards.

921 Agreement to follow agreed-upon procedures for financial information

931 Financial information compilation agreement

2. Characteristics of International Standards on Auditing

In general, auditing standards regulate the organization and implementation of audit activities. Each of the standards regulates a specific area or type of audit activity.

Audit Standards disclose the purpose and general principles of an audit of financial statements. Because confirming the reliability of financial statements is the most important of all types of audit work, this work is of a social nature: the publication of absolutely reliable financial statements is very important for society as a whole.

Standard "Quality control of audit activity". This standard regulates the procedure for monitoring the quality of audit activities both on the part of the client and on the part of the audit organizations themselves. In addition, the chambers of auditors exercise some control in this regard. The audit organizations themselves should show the greatest interest in monitoring the quality of audit activities. First of all, this should be manifested in the selection of personnel involved in the performance of audit work.

In order to constantly monitor the professional level of its employees, each audit organization is obliged to provide them with all changes in the field of the legislative framework, as well as in the organization and maintenance of accounting and tax accounting.

Control over the quality of audit activities by the client assumes that the client evaluates the actions of auditors in the course of work in terms of compliance with applicable standards, and most importantly, the absence of penalties from the tax authorities after the audit.

Control over the quality of audit activity by the chambers of auditors lies in the fact that it is they who are primarily obliged to provide audit organizations with all changes in the legislative framework. In addition, the Republican Chamber of Auditors, which is responsible for issuing certificates, is responsible for the level of professionalism of auditors.

Documentation standard. This standard regulates the requirements for working with documents. All documentation used in the process of conducting an audit can be divided into client documentation and documentation compiled directly by auditors in the course of audit activities - this documentation is called working papers of auditors.

All documentation must be used by auditors in such a way as to ensure its complete safety and confidentiality of the information contained in it. Therefore, depending on the organization of the audit, these conditions are provided either by the client, if the audit is performed directly at the enterprise, or by the audit organization, if the audit is performed directly in it.

In cases where the verification of client documents is carried out in an audit organization, the documents must be transferred to it on the basis of an act signed by the parties. The return of verified documents must also be made on the basis of an act.

Documents submitted for verification must be prepared for transmission. This means that they must be numbered, organized and bound in such a way that their safety is ensured. Each transferred folder must indicate the actual number of documents, and the act names all transferred folders indicating the number of documents in them.

The working papers of the auditors are created by them and are used to support the conclusions drawn from the results of the audit. Different audit firms can use special forms of such working documents that they have created themselves.

The working papers of the auditors are:

    Current records;

    The results of observations;

    The results of the responses received to inquiries;

    Written explanations of officials to the questions of auditors, etc.

As a rule, auditors' working papers should be kept together with photocopies of individual client documents in special files created for each client for whom the audit organization performs audit activities.

Standard "Compliance with laws and regulations in the audit of financial statements". In accordance with this standard, compliance with laws and regulations applies equally to both the audited entity and the firm itself.

In relation to the audit organization, the most important condition for its activities is compliance with the provisions of the Law "On Audit". Due to the fact that the audit organizations are ordinary business entities, they are equally subject to the actions of all legislative acts in the field of the economy. Therefore, audit organizations are primarily obliged to comply with the requirements of these laws.

Conducting an audit of business entities implies that auditors are required to establish to what extent the entity being audited complies with the provisions of the current legislation in its activities. Therefore, if any violations are established, the auditors are obliged to bring information about the identified violations to the attention of the management of this entity. Because these are violations of laws, the auditors are obliged to refer to the subparagraph, paragraph and article of the relevant law, with an obligatory indication of the consequences to which the revealed violation may lead. The actions of both the auditor and the audited entity depend on whether the violation on the part of the client is intentional or unintentional.

In the case of an unintentional violation that can be eliminated, the auditor can issue recommendations to the client to eliminate these violations.

If the violation is committed by the client deliberately and the client does not accept the auditor's recommendations, then, depending on the actual situation, the auditor has the right to either issue a negative audit report or refuse to issue a report.

Planning standard. This standard regulates the planning of audit activities both on the part of the audit organization and on the part of the client.

On the part of the client, planning should include the possible timing of the audit, as well as the period of time during which the audit should be carried out.

On the part of the audit organization, planning its activities involves, firstly, long-term planning, i.e. for one year or for more distant prospects, as well as for a quarter, a month and for a specific object.

The planning should take into account the existing composition of employees, their level of professionalism, as well as the types of audit work and services that must be performed.

For each specific object of the audit, depending on which group of performers will perform the work, it is necessary to provide for the distribution of the scope of work between the performers, taking into account that the entire scope of work is completed within the time period stipulated by the contract. With this distribution of work, it must be taken into account that the audit can be divided into independent stages of its implementation, for example, such as:

Standard "Knowledge of the client's business". Knowledge of the client's business is necessary for an audit organization in almost any type of audit work or provision of services. This is manifested in the fact that in the process of conducting an audit it is necessary to know the specifics of the client's activities, the specific features of taxation in this activity, the laws and regulations governing this activity, etc. However, the level of knowledge of the client's business should be different depending on what kind of services the audit organization provides to the client.

The highest level of this knowledge should be in the event that the audit organization performs calculations for its client related to economic forecasting. In such a situation, in addition to general information about knowing the client's business, additional information is needed about who are the most important competitors, about their real financial situation, about those management methods, production technology, scientific and technological achievements that are used by competing firms. It is necessary to study information about possible markets.

Calculations related to economic forecasting are mainly performed using economic and mathematical methods. The most important of them are correlation-regression analysis, as well as the methods of game theory and queuing theory. Correlation-regression analysis first of all studies the closeness of the relationship between different economic indicators that affect both each other and the final financial results of the enterprise. The specificity of this method is that the calculation results can be most reliable only if the initial information used for the calculations is extensive. Therefore, the number of observations on the basis of which calculations can begin should be at least 8-10.

Standard "Risk assessment and internal control". Because the audit of the economic activity of the audited entity is in many cases carried out selectively, there is a possibility of audit risk.

Recommendations for carrying out these procedures, set out in PMAP 1000 "Interbank Confirmation Procedures", are addressed to external auditors, internal bank auditors and bank inspectors. Bank managers may also be users of information obtained as a result of confirmations. Confirmation is a response to a request to confirm information contained in accounting records and is a valuable form of audit evidence obtained from an independent source. The sources are:

    Other banks in the country where the audited bank is a resident;

    Other banks in foreign countries;

    Clients of the audited bank.

The recommendations of PMAP 1000 are mainly used for confirming the relationship of the audited bank with other banks, but in some cases these approaches can also be used for confirmation procedures between the bank and its customers that are not credit institutions.

Confirmations may be required for:

    Balance sheet indicators (balances on current, deposit, loan and other accounts);

    Off-balance sheet items (guarantees, forward contracts in foreign currencies, precious metals, securities, obligations to repurchase options, offset agreements, given and received obligations and pledges);

    Additional information (on zero balances on correspondent accounts; on correspondent accounts that were closed during the year prior to the confirmation date; on loan repayment terms, interest rates, unused credit resources; provision or receipt of depositary services, etc.).

In formulating the request, the auditor considers the following factors related to the audited party:

    Significance of the size of account balances;

    Scope of activity;

    Degree of reliability of internal control.

Then the form of the request is selected:

    On confirmation of the amounts specified in the request and other information;

    On providing a breakdown of the amounts of balances and other information.

In interbank confirmation procedures, requests that ask for a response only if the information provided in the letter is incorrect or incomplete are not used; it is important for the auditor to receive answers to all inquiries.

The auditor is advised to direct the inquiry to the head office of the bank, and not to any departments that are supposed to have the necessary information, as the auditor's assumptions may be incorrect. The request must be authorized by the verified (requesting) bank. Request letters may be sent at different times depending on the urgency of the information required. For a better understanding of the request, the letter includes:

    Description of the nature of the requested article, transaction, information, as well as an indication of the amount and currency;

    The date of occurrence and repayment of the obligation, the conditions for the operation.

In 1989, the Committee on International Auditing Practices (KIAP) and the Basel Committee of Inspectors, including representatives of central banks and supervisory authorities from Europe and the United States, approved PMAP 1004 "Interaction of inspectors for banking supervision and external auditors." The adoption of this provision was aimed at strengthening mutually beneficial relations between bank auditors and inspectors, clarifying the nature of their functions, and increasing the efficiency of bank audit and supervision. The IFAC recognizes that in some countries the interaction of the mentioned reviewing parties is closer, therefore, the PMAP 1004 measures are not intended to replace existing relationships, but to supplement them. In 2001, the CMAP and the Basel Committee proposed the adoption of International Auditing Practice Statement 1004 as the auditing standard.

The responsibilities of the bank's management, in addition to those directly related to doing business, are to:

    Organization of appropriate control systems;

    Caution in conducting operations;

    Compliance with laws and regulations;

    Ensuring the protection of the interests of shareholders, depositors, creditors.

The management of the bank is responsible for:

    Preparation of financial statements and provision of the auditor of the bank and supervisory authorities with information that affects the content of the statements;

    Organization and efficiency of the work of the internal audit unit, its personnel and technical support; taking action to correct deficiencies identified by internal auditors.

Management's responsibility cannot be transferred to external supervisors or to the bank's independent auditor.

The functions of the banking supervisor are to protect the interests of bank depositors by checking compliance with the requirements, such as:

    Honesty, high qualifications and experience of persons exercising control and management of the bank's activities;

    Capital adequacy to cover banking risks (liquidity, interest rate, investment risks; currency and off-balance sheet risk); creation of reserves to cover possible losses on bad and doubtful debts;

    Satisfactory liquidity of the bank.

The methods used by inspectors to perform these functions may be as follows:

    Conducting regular interviews with bank management;

    Periodic field inspections;

    Comparison of a bank's equity with the total amount of its assets and off-balance sheet liabilities, weighted by relative risk, to determine capital adequacy;

    Application of specially designed risk assessment systems;

    Analysis of the valuation of the bank's assets and classification of loans;

    Studying reports and statistical data of the bank;

    Evaluation of the effectiveness of information systems, accounting and internal control systems.

Inspectors can influence banks through the following measures:

    Revocation of licenses from banks that violate the established requirements.

The role of the external auditor of the bank is to express an opinion on the reliability of the statements. In addition to shareholders, the users of the auditor's report can be depositors, creditors and inspectors. To form an opinion on a bank's financial statements, the auditor must evaluate the accounting and internal control systems, plan the audit, and determine the nature, extent and timing of audit procedures. The specifics of auditing banks are due to the following circumstances:

    The need for banks to develop strict internal control systems, since individual bank assets are most vulnerable to abuse;

    Large volume and complexity of transactions requiring complex accounting and internal control systems, as well as the use of computer information systems;

    Decentralization of management in the presence of a network of branches and divisions;

    Carrying out transactions that are not reflected in the balance sheet accounts and therefore difficult to detect;

    State regulation of the activities of banks and the consequent need to verify compliance with legal requirements.

Since the audit cannot be continuous, the auditor determines the areas of greatest risk. These are, as a rule, questions concerning the probability of repayment of loans, return on investment, the presence of significant contingent and unconditional liabilities. The auditor is recommended to evaluate and, if possible, use the work of the internal audit unit of the bank.

With regard to planning, determining the level of materiality and audit risk, the scope of the audit, the actions of the auditor when errors and fraud are detected, the formulation of an opinion, the auditor should adhere to the standards and recommendations established by the relevant ISAs.

In addition to mandatory requirements on drawing up conclusions, the auditor of the bank is recommended to draw up a written report for management, which will contain comments on the shortcomings of internal control, other omissions that do not entail modification of the audit report.

The relationship between the inspector and the auditor of the bank is formed on the basis of similar interests and objects of study. However, there are certain differences in the assessment and verification of various aspects, presented in Table 7.1.

Table 7.1. Differences in the interests of the inspector and auditor of the bank

| Areas of study | Aspects of interest: inspector | Aspects of interest: auditor |
|---|---|---|
| Bank stability | Confirmation of the viability of the bank (in order to protect the interests of depositors) based on information contained in the financial statements | Impact of a bank's compliance with the going concern assumption on the reliability of financial statements |
| Evaluation of the effectiveness of the internal control system | Determining good bank management | Planning the scope of future work |
| Evaluation of the accounting system | Obtaining reliable information for assessing and controlling banking risks | Confirmation of the proper maintenance of accounting records to express an opinion on the reliability of the statements |

The inspector, using audited reporting, should take into account the objectives of the auditor's work and some subjectivity of audit judgments. Nevertheless, the information provided by the auditor in letters and reports to the bank's management can be effectively used by the inspector to gain a broader understanding of the various aspects of the bank's activities. At the same time, information received from the supervisory authority to the bank's management can be used by auditors for the following purposes:

    An independent assessment by inspectors confirms the adequacy of reserves to cover losses on bad and doubtful debts;

    The special standards established by the inspector may be used in carrying out analytical procedures;

    Information on matters of concern to inspectors should be taken into account by the auditor.

Circumstances may arise in which the auditor or inspector deems it necessary to bring information to the attention of the other party (discovered signs of fraud; facts that threaten the existence of the bank, etc.). In these cases, it is recommended to contact the verifying parties in the presence of the bank's management so as not to violate the principle of confidentiality. Direct contacts are allowed in exceptional situations, for example, when the presence of bank management jeopardizes the achievement of the objectives of the discussion of information between the inspector and the auditor.

In accordance with the legislation of a number of countries, the auditor may draw up special reports designed to assist the inspector. In particular, the auditor may express an opinion on compliance with:

    Licensing conditions, established requirements and regulations included in the reports;

    Legislative requirements when the bank conducts operations audited by the auditor;

    Requirements for accounting and functioning of internal control systems.

The bank inspector may be directly involved in the appointment and removal of auditors in order to ensure a high level of bank audit.

It is possible to expand the functions of the auditor in the field of supervision on the following conditions:

    The auditor may assist the inspector, but must not assume any of the latter's duties;

    The contact of the inspector with the auditor in normal cases should be through the management of the client;

    Before concluding an agreement with the inspector, the auditor must take into account a possible conflict of interest and resolve this issue with the bank's management;

    The requirements of the supervisory authorities regarding the information provided by the auditor should be specific and not go beyond the professional competence of the auditor, as well as not increase the volume of his work in comparison with the usual;

    Measures should be taken to maintain the confidentiality of information received by the auditor and transferred to the supervisory authorities.

The possibilities for expanding the functions of the auditor depend on the nature of supervision in a particular country. PMAP emphasizes the need for ongoing dialogue between supervisors and auditors in order to harmonize financial reporting standards at the international and national levels.

Recommendations on the application of ISAs when auditing commercial banks whose activities extend beyond national borders are reflected in PMAP 1006 “Audit of International Commercial Banks” (currently this provision is called “Audit of Bank Financial Statements”).

An international commercial bank is characterized as a financial institution that accepts deposits and provides loans, as well as providing other financial services in various countries.

When forming the terms of an agreement on the audit of an international commercial bank, the auditor should take into account the following factors:

    Sufficient expertise in areas of banking that are important to the audit;

    Adequacy of special knowledge in the field of computer information systems and electronic funds transfer systems used by the audited bank;

    Availability of opportunities to perform necessary work within the country and abroad.

In addition, the letter of engagement includes references to:

    Requirements of the legislation applicable to banks;

    Decisions of banking supervisory authorities and other regulatory authorities, as well as relevant professional accounting organizations;

    Industry practice;

    Requirements for special reports and audit procedures;

    The nature of the relationship between the auditor and the bank inspector.

The specific feature of understanding the client's business is the study of the economic and control environment prevailing in the countries where the bank operates, as well as the market conditions of each sector in which the bank operates.

When assessing the inherent risk, the auditor should take into account that risks associated with banking products and services, as well as operational risks, are inherent in the bank's activities (Table 7.2).

Table 7.2. Characteristics of banking risks

| Type of risk | Risk characterization |
|---|---|
| **Risks associated with banking products and services** | |
| Credit risk | Risk of non-fulfilment by the client or partner of obligations in full at the specified time or at some time in the future |
| Including: country (transfer) risk | The risk that a foreign counterparty or client will not cover its obligation due to various external factors belonging to a foreign state |
| Including: substitution risk | The risk of losses as a result of replacing a transaction under a contract that has not been executed by a client or counterparty with another transaction at a market price |
| Including: settlement risk | The risk of losing the principal amount of the debt in full when repaying a transaction without receiving the amount from the client or counterparty |
| Interest rate risk | Risk of loss arising from the dependence of earnings on future changes in interest rates |
| Liquidity risk | The risk of loss arising from the lack of sufficient funds to repay its obligations |
| Currency risk | |
| Market risk | Risk of loss due to changes in the market prices of investments |
| Fiduciary risk | The risk of loss arising from the inability to ensure the safety of one's own assets or the profitability of property entrusted by another party |
| **Operational risks** | |
| Risks associated with the need to use computer information systems | The risk of untimely execution of operations due to their large volume; risk of significant errors and data loss due to system failures; risk of data corruption as a result of unauthorized intervention in the system; market risk arising from a lack of timely and reliable financial information |
| Risk posed by the use of electronic funds transfer systems | Risk of loss due to incorrect payments caused by fraud or error |
| Risks associated with the geographical diversification of the bank's activities | Risk of omissions when summarizing information about dependence on a client or type of service on the scale of the entire activity of the bank; the risk of failures in the control system due to the physical isolation of management and personnel processing operations |
| Risk caused by the need to monitor and manage risks over a limited period of time | Intraday risk (may include interest rate, currency and market risk) |
| The risk associated with the need to perform transactions with a large amount of cash | Risk of loss due to fraud or theft |
| The risk that depends on the irrational ratio of borrowed and own funds | The risk of a significant change in capital as a result of relatively small losses in the value of all assets; the risk of loss of confidence on the part of investors and the inability, as a result, to raise the necessary funds at an acceptable price |
| The risk caused by the variability of the external environment factors of the bank's activities | The risk of adopting an incorrect banking risk management strategy when developing new activities |
| Risk caused by the need to comply with laws and regulations | The risk of imposing sanctions on the bank and restrictions on its activities |

When determining materiality, the auditor of an international commercial bank should pay attention to the following circumstances:

    Due to the disproportionate ratio of the bank's own and borrowed funds, some errors, while remaining insignificant for the balance sheet indicators, may have a significant impact on the data of the bank's capital statement and other forms of reporting;

    Errors related only to balance sheet figures and off-balance sheet liabilities may be less significant than misstatements related to both the indicated data and income statement indicators;

    Materiality levels need to be established to verify compliance with regulatory requirements (e.g. minimum capital requirements).

In assessing the system of internal control and, in particular, the impact on it of the use of computer information systems (CIS), the auditor should increase the level of attention in cases where:

    CIS is used to calculate and record the most important elements of the bank's income and expenses;

    With the help of CIS, currency and trading positions on securities are determined, and profits and losses arising from changes in these positions are calculated;

    A significant part of operational information on the state of assets and liabilities is formed on the basis of records produced by CIS.

The auditor may rely on the bank's internal control system and on the results of the work of internal and other auditors, especially for banks whose branches are geographically dispersed, if the procedures provided for in the ISAs allow this. PMAP 1006 recommends that the auditor also interact with banking supervisors.

In expressing an opinion on the financial statements of an international commercial bank, the auditor should consider the need to:

    Follow special forms and terminology defined by legislation;

    Adjust the accounts of foreign branches and subsidiaries in accordance with the accounting principles applied by the parent bank;

    Reflect in the audit report the existence of hidden reserves, if their formation is permitted by law.

PMAP 1006 provides a list of audit methods used in relation to certain items in the financial statements of banks, examples of checklists for assessing the internal control system and financial ratios used in the analysis of the financial position and performance of the bank.

In fulfilling the requirements of ISA 400, Risk Assessment and Internal Control, the auditor has to deal with issues related to the client's use of computer information systems. These issues are addressed by ISA 401 “Audit in the conditions of computer information systems”, as well as by the recommendations set out in:

    PMAP 1008 "Risk assessment and internal control system - characteristics of CIS and related issues";

    PMAP 1001 "CIS environment - autonomous microcomputers";

    PMAP 1002 "CIS environment - interactive computer systems";

    PMAP 1003 "CIS environment - database systems".

PMAP 1008 describes the features of the influence of the organizational structure and nature of CIS data processing on the risks of the control system (Table 7.3).

Table 7.3. Impact of CIS characteristics on the client's internal control system

| Characteristics of CIS | Influence taken into account in risk assessment of controls |
|---|---|
| Organizational structure (concentration of functions, knowledge, programs and data) | Data processing personnel may have unrestricted and uncontrolled access to software, make unauthorized changes to programs and data, and combine functions that are usually separated in traditional accounting methods. |
| Nature of data processing: | |
| Absence of primary documents | Data can be entered without accompanying documents and written authorization for the operation |
| No visual traces of operations | Data exists only in computer files; it is impossible to trace the stages of the operation |
| No visual result | The results of processing are not always printed, which makes it difficult to control the correctness of the registration of the operation in accounting |
| Structural and procedural aspects: | |
| Execution sequence | Greater reliability of processing results when all operations and circumstances are entered into the system; negative impact of a poorly configured program that makes systematic errors |
| Programmed control procedures | The presence of these procedures makes it possible to: limit the circle of persons who have access to the system (password); analyze reports of exceptions and errors printed on paper; organize random checks of printed data |
| One-time data update | A single data entry can update all information about a transaction (for example, the processing of documents for the shipment of products may automatically change the data on sales, customer debts, inventory levels). Entry errors can result in a reporting change that is not always automatically corrected when the error is corrected. |
| Operation generation | Operations initiated by the CIS based on the algorithm embedded in the program may not be confirmed by visual incoming documentation |
| Vulnerability of data storage and programs | Storage media can be lost, intentionally or accidentally destroyed, etc. |

The internal control over computer processing of data includes general and application controls of the CIS, which the auditor should test in order to determine the effectiveness of the internal control system and the amount of work to be done.

The general controls of CIS, aimed at providing assurance that the overall objectives of internal control are being achieved, include the following:

    Organizational and managerial control, providing for policies and procedures, as well as the separation of incompatible functions;

    Control over the development and operation of the system of applied programs;

    Computer control;

    Software control, program status and data entry;

    Taking measures to protect data, restore it and out-of-system processing in case of failures.

CIS application controls establish specific control procedures for accounting programs in order to ensure the completeness, accuracy and timeliness of data processing. These are the following procedures:

    Control over the legitimacy, completeness and correctness of entering operations;

    Control of the correctness of the formation of computer files and ensuring their proper processing;

    Monitoring the accuracy of the results, the timeliness of their provision and restricting access to them by persons who do not have the appropriate authority.

PMAP 1001 describes the impact of microcomputers used as stand-alone workstations on accounting, internal control, and audit procedures.

Internal control in a microcomputer environment can be organized using the following actions:

    Introduction of procedures for issuing permits and guidelines for the use of microcomputers (establishing requirements for staff training and segregation of duties, permissions for access to programs and data, procedures for preventing unauthorized copying, requirements for the format of reports and means of controlling their distribution, etc.);

    Ensuring the physical safety of equipment, as well as built-in and autonomous storage media (storing microcomputers in a safe; using an alarm when the computer is turned off or moved, entering passwords, creating backups, etc.);

    Organization of the safety of programs and data (use of passwords for different levels of users, secret file names, cryptography and other means);

    Control and support of software integrity.

Microcomputers affect the accounting and internal control system by increasing control risk, since functions cannot be separated as they are in other CIS. The auditor may use the following approaches to verify a client using microcomputers:

    Assess the risk of the control system as high and focus on substantive procedures;

    Use computer auditing methods involving proven client software or own programs;

    Pre-test the controls that you intend to trust and build the test on that basis.

The PMAP provides a list of control procedures that the auditor may consider if he intends to use the last of the approaches described above:

    Separation of functions and rotation of duties between employees;

    Reconciliation of balances in the system and control accounts in the general ledger;

    Periodic management control over the procedure for processing information and reports on the work of users of the system;

    Placement of the microcomputer within the visibility zone of the person controlling access to it;

    Use of locks and passwords;

    Restriction of access to software utilities for different levels of users;

    Checking the functions, capacity and controls of application programs before purchase;

    Adequate testing of programs before the start of operation;

    Regular evaluation of the compliance of the program with the needs of the user.
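Two of the control procedures listed above, separation of functions and reconciliation of system balances with the general ledger control accounts, can be re-performed by audit software over an export of the client's records. The following is an added example, not part of the PMAP or of the original text; the record layout, field names, user names and balances are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample export from a stand-alone accounting package.
# The field names are assumptions made for this illustration.
TRANSACTIONS = [
    {"id": "T001", "account": "AR", "amount": "1200.00", "entered_by": "anna", "approved_by": "boris"},
    {"id": "T002", "account": "AR", "amount": "350.50", "entered_by": "anna", "approved_by": "anna"},
    {"id": "T003", "account": "AP", "amount": "-800.00", "entered_by": "boris", "approved_by": "anna"},
    {"id": "T004", "account": "AR", "amount": "99.50", "entered_by": "viktor", "approved_by": ""},
    {"id": "T005", "account": "AP", "amount": "-150.00", "entered_by": "boris", "approved_by": "Boris"},
]

# Constructed general ledger control account balances at the same cut-off.
CONTROL_ACCOUNTS = {"AR": "1650.00", "AP": "-900.00", "CASH": "500.00"}


def _user(name):
    """Normalize a user id so 'Boris' and 'boris ' count as the same person."""
    return (name or "").strip().lower()


def segregation_exceptions(transactions):
    """Return (id, reason) for operations where entry and approval were not separated."""
    findings = []
    for t in transactions:
        enterer, approver = _user(t.get("entered_by")), _user(t.get("approved_by"))
        if not approver:
            findings.append((t["id"], "no approval recorded"))
        elif approver == enterer:
            findings.append((t["id"], "entered and approved by the same user"))
    return findings


def users_combining_functions(transactions):
    """Users who appear in both roles anywhere in the period (incompatible functions combined)."""
    enterers = {_user(t.get("entered_by")) for t in transactions}
    approvers = {_user(t.get("approved_by")) for t in transactions}
    return sorted((enterers & approvers) - {""})


def reconcile(transactions, control_accounts):
    """Sum the detailed records per account and return differences from the control accounts."""
    totals = defaultdict(Decimal)  # Decimal() is zero
    for t in transactions:
        totals[t["account"]] += Decimal(t["amount"])
    differences = {}
    # Include accounts that exist on only one side: a control balance with no
    # supporting detail is as much an exception as a mismatched total.
    for account in sorted(set(totals) | set(control_accounts)):
        detail = totals.get(account, Decimal("0"))
        control = Decimal(control_accounts.get(account, "0"))
        if detail != control:
            differences[account] = detail - control
    return differences


if __name__ == "__main__":
    for txn_id, reason in segregation_exceptions(TRANSACTIONS):
        print(f"{txn_id}: {reason}")
    print("Users who both enter and approve:", users_combining_functions(TRANSACTIONS))
    for account, diff in reconcile(TRANSACTIONS, CONTROL_ACCOUNTS).items():
        print(f"{account}: detail differs from control account by {diff}")
```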

Guidance on audit procedures when a client uses interactive computer systems is given in PMAP 1002. Interactive computer systems are systems that provide users with direct access to data and programs through a terminal (based on servers, mini-computers or microcomputers that are part of a network environment). These systems allow users who are geographically remote from the places of direct action to carry out operations for the shipment of goods, withdraw money from a bank account, etc., receive operational information about the current state of assets, and update the main files.

Statement 1002 classifies interactive computer systems based on the functions they perform as follows:

    1. Interactive/real-time processing: Transactions are entered into the terminal device, verified, and used to promptly update terminal-related computer files (for example, crediting cash directly to customer accounts).

    2. Interactive mode/processing of data groups: unlike the previous mode, transactions after verification are added to files containing other transactions entered during the period after which the main file is updated (for example, accounting entries are stored in certain files and used monthly to update the main ledger file).

    3. Interactive mode/memorandum file update (and further processing): a combination of the previous two modes, where separate operations immediately update the information of the memorandum file, on the basis of which requests are then made. The same operations are added to the operations file for later validation and updating of the main file based on data groups.

    4. Online help mode: users of terminal devices can only get help about basic files (for example, about the customer's credit status).

    5. Processing read/download data online: the data of the main file is transferred to the smart device of the terminal for further processing by the user (for example, downloading data related to the branch office from the file of the head office to the terminal device of the branch to prepare financial reports; after processing, the data can be downloaded to the head office computer).

The risk of fraud or error in the use of interactive computer systems is reduced in the following cases:

    Data entry takes place at or near the origin of operations;

    Invalid transactions are corrected and re-entered immediately;

    The personnel entering operations know their nature;

    Operations are processed immediately after they are entered.

The risk of distortion in interactive systems increases for the following reasons:

    Interactive terminal devices are located in various rooms;

    Unauthorized (including remote) users are given the opportunity to access files and to modify operations, balances or computer programs;

    Failures in the operation of telecommunication systems are possible.

The actions of auditors when checking a client using interactive computer systems are divided into the following stages:

    At the planning stage:

      Inclusion in the group of specialists with technical skills in working with these systems and related controls;

      Determining the risk of controls, taking into account the impact on them of interactive computer systems;

    When executing procedures simultaneously with interactive processing:

      Checking the conformity of the means of control over the operation of programs by entering test operations or using audit software;

    After processing operations:

      Verification of compliance of controls with established requirements (authorization, completeness, accuracy);

      Verification of operations and processing of their results on the merits;

      Reprocessing operations.

PMAP 1003 describes the impact of databases on the client's accounting and internal control system. Database systems consist of a database and a database management system (DBMS). Database systems are characterized by data sharing and data independence. The DBMS writes data once, and it can be used by different application programs. To track the location of information in the database, the DBMS uses the so-called data dictionary. A dedicated group of persons is in charge of data administration, i.e. coordinating the use and definition of data, maintaining its integrity, security, accuracy and completeness.

Internal control in a database environment is characterized by the use of the following tools:

    A standard approach to the development and support of application programs;

    Identification of specific data users;

    Restriction of access to the database;

    The distribution of duties and responsibilities for the development, implementation and operation of databases between technical, design, administrative staff and users.

The following factors contribute to improving the reliability of accounting and internal control systems when using databases:

    One-time recording and updating of data, unlike CIS, where data is stored in different files and updated at different times by different programs;

    Using the security and control tools included in the DBMS;

    The presence of separate control functions - report generators and query languages used to identify inconsistencies in the data.

When planning an audit, the auditor should take into account the presence or absence of the above characteristics and factors in order to decide how to evaluate the effectiveness of the client's internal control system. Audit procedures may include the use of DBMS functions to generate test data, check the integrity of the database, and give audit software access to the database. If the auditor decides not to rely on controls in the database system, he should attempt to achieve his objective by substantive testing of significant accounting programs that use the database.

PMAP 1009 "Audit methods using computers" provides for the use of computer technology as an audit tool.

Audit software can be represented by:

    A software package designed to read computer files, select information, perform calculations, create data files and print reports;

    Special purpose programs developed by the auditor, subject or external programmer to perform audit tasks in specific conditions;

    Utility programs that are used by the subject to sort, create, and print files; for the same purposes they can be used by the auditor.

When conducting audit procedures using the test data method, operations are entered into the computer system of the subject, the results obtained are compared with predetermined data.
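The test data method described above, as an added example that is not part of the original text: a deck of test operations with predetermined results is run through a processing routine and every deviation is reported. `post_transaction` is a constructed stand-in for the subject's posting program, written with a deliberately missing duplicate check; all account numbers, user names and amounts are assumptions.

```python
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1010", "2020"}        # constructed chart of accounts
AUTHORIZED_USERS = {"clerk1", "clerk2"}  # constructed list of authorized users


def post_transaction(ledger, seen_ids, txn):
    """Hypothetical stand-in for the subject's posting program.

    Returns "ACCEPTED" or "REJECTED:<reason>" and updates the ledger in place.
    """
    if txn["user"] not in AUTHORIZED_USERS:
        return "REJECTED:unauthorized user"
    if txn["account"] not in VALID_ACCOUNTS:
        return "REJECTED:unknown account"
    try:
        amount = Decimal(txn["amount"])
    except InvalidOperation:
        return "REJECTED:invalid amount"
    if not amount.is_finite() or amount <= 0:
        return "REJECTED:non-positive amount"
    # Deliberate defect for this illustration: the id is recorded,
    # but a repeated id is never rejected.
    seen_ids.add(txn["id"])
    ledger[txn["account"]] = ledger.get(txn["account"], Decimal("0")) + amount
    return "ACCEPTED"


# Constructed test deck: each operation is paired with its predetermined result.
# It covers one valid operation and one operation per input control under test.
TEST_DECK = [
    ({"id": "D1", "user": "clerk1", "account": "1010", "amount": "100.00"}, "ACCEPTED"),
    ({"id": "D2", "user": "intruder", "account": "1010", "amount": "50.00"}, "REJECTED"),
    ({"id": "D3", "user": "clerk2", "account": "9999", "amount": "50.00"}, "REJECTED"),
    ({"id": "D4", "user": "clerk2", "account": "2020", "amount": "-5.00"}, "REJECTED"),
    ({"id": "D5", "user": "clerk1", "account": "2020", "amount": "12x"}, "REJECTED"),
    ({"id": "D1", "user": "clerk1", "account": "1010", "amount": "100.00"}, "REJECTED"),  # duplicate
]

# Predetermined ledger balances after the whole deck has been processed.
EXPECTED_BALANCES = {"1010": Decimal("100.00")}


def run_test_deck(process, deck, expected_balances):
    """Run the deck against an empty test ledger and return all deviations.

    The ledger is created here, so test operations never mix with live data.
    """
    ledger, seen_ids, deviations = {}, set(), []
    for seq, (txn, expected) in enumerate(deck, start=1):
        actual = process(ledger, seen_ids, txn).split(":", 1)[0]
        if actual != expected:
            deviations.append(("operation", seq, txn["id"], expected, actual))
    # Compare resulting balances as well: an input control failure usually
    # shows up a second time as a wrong total.
    for account in sorted(set(ledger) | set(expected_balances)):
        want = expected_balances.get(account, Decimal("0"))
        got = ledger.get(account, Decimal("0"))
        if want != got:
            deviations.append(("balance", account, want, got))
    return deviations


if __name__ == "__main__":
    for deviation in run_test_deck(post_transaction, TEST_DECK, EXPECTED_BALANCES):
        print(deviation)
```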

In addition, computer-assisted audit methods can be used when conducting:

    Detailed tests of operations and balances;

    Analytical review procedures;

    Verification of the effectiveness of general and application CIS controls.

When deciding at the planning stage whether to use computer-assisted auditing methods (MAC), the following should be considered:

    Knowledge, skills and experience of an auditor with a computer;

    Technical capabilities, efficiency and feasibility of using MAC;

    The period of storage of files with verified operations in the computer system of the subject.

If the auditor decides to use the MAC, he should:

    Establish goals for the application of the MAC;

    Determine the content of the subject's files and the order of access to them;

    Select business transactions to be tested;

    Determine the procedures to be applied to the data and the requirements for the results obtained;

    Appoint auditors and specialists in computer data processing;

    Refine the assessment of costs and benefits associated with the use of MAC;

    Ensure control and documentation of the process of using MAC;

    Organize administrative work;

    After applying MAC, evaluate the results.

The auditor must control the use of the MAC in order to ensure that the work is consistent with the audit objectives and to prevent manipulation by the subject's employees. Control procedures may include:

    Participation in the development and testing of computer programs;

    Checking to ensure that programs conform to established specifications;

    Familiarization with the instructions for the operating system (with the help of the subject's specialists) in order to determine the possibility of installing programs in the subject's computer system;

    Trial run of the audit software on test files before its launch;

    Ensuring that the correct files are used;

    Analysis of control information in order to verify the correct operation of the audit software;

    Taking security measures to protect against manipulation of subject data files.

When conducting control procedures, the presence of an auditor in the computer department is not required. However, the auditor can expand the possibilities of control, being directly on the site of the procedures.

In a small business computing environment, the auditor needs to consider the following aspects:

    General control of CIS may not be carried out at the proper level. This will increase the scope of detailed tests and policy review procedures;

    When processing small amounts of data, the use of the MAC may be less effective than the traditional methods of the auditor;

    Insufficient technical equipment of the inspected subject may create obstacles for the use of MAC. However, the auditor should consider working with the subject's files using other suitable computer technology.

PMAP 1005 "Peculiarities of auditing small enterprises" determines the degree of influence of the main characteristics of small enterprises on the application of International Standards on Auditing. A small business is understood here as any entity, the ownership and management of which is concentrated within a narrow circle of persons (often one individual) and to which one or more of the following characteristics apply:

    Limited number of activities and sources of income;

    Simplified accounting system;

    Limited internal controls and the ability of management to circumvent such controls.

The guidance provided in PMAP 1005 only supplements the provisions contained in the relevant ISAs, but does not replace them. Below is the main content of the PMAP recommendations with an indication of the commented International Auditing Standards.

ISA 210, Audit Engagement Terms: The owner-manager's obligations and responsibilities for the financial statements should be clearly defined, especially when the accounts are prepared by a service organization. Due to the shortcomings inherent in small businesses, the auditor may not always be able to obtain the necessary evidence to express an opinion on the statements. He may then, depending on the circumstances and national law:

    Do not agree to an audit;

    Refuse to conduct an audit even after the conclusion of an agreement;

    Express a conditionally positive opinion or refuse to express an opinion.

ISA 220 Audit Quality Control: When auditing small businesses, assignment and delegation of authority may not be an issue, as all work is usually performed by a single auditor.

ISA 230 "Documentation": in small enterprises, the most effective is the reflection in the working documents of document flow schemes or a description of the accounting system.

ISA 240 Fraud and Error: If the owner is also the manager of a small business, this can enhance overall control and reduce the risk of fraud and error. At the same time, management gains the ability to bypass control systems. In assessing the role of the owner-manager, the auditor should consider the following:

    The owner-manager has incentives to misrepresent financial statements and the corresponding opportunities;

    Making a distinction by the owner-manager between transactions made for personal purposes and business operations of a small enterprise;

    Compliance with the lifestyle of the owner-manager and the level of his remuneration;

    Frequent change of professional consultants;

    The presence of pressure on the auditor to conduct an audit in an unreasonably short time; repeated postponement of the start date of the audit to a later time.

ISA 250, Accounting for Laws and Regulations in an Audit of Financial Statements: The legal and regulatory framework governing the activities of small enterprises is, as a rule, less complex than that for large entities.

ISA 300 Planning: When auditing small businesses, planning can be done either during a meeting with the owner-manager or after gaining access to the entity's records. Planning can start immediately after the previous audit, using a prepared statement that lists the issues identified during the completed audit. In addition, the overall plan and the audit program need not be compiled separately and can be combined into one document.

ISA 310 Business Knowledge: When auditing small businesses, it is not appropriate to consider all of the factors listed in the appendix to ISA 310 that are considered when studying a client's business.

ISA 320 “Audit Materiality”: To determine the level of materiality in the audit of small enterprises, the auditor, if no balance sheet is available at the start of the audit, may use the trial balance for the current year or the client’s reporting data for the previous period, taking into account circumstances that occurred during the audited period. Materiality indicators for past periods can also be used. It is recommended to set a range of materiality values instead of a single fixed figure. In this case, values that exceed the upper limit of the range are considered significant, and those that do not reach the lower limit are considered insignificant.

ISA 400, Risk Assessment and Internal Control: The inherent risk of a small business may increase as a result of concentration of ownership and control. The risk of the control system is often assessed as high, in particular due to the impossibility of segregation of duties. In some cases, this shortcoming is compensated by the exercise of managerial control by the owner-manager, but at the same time, the possibility of abuse by management may increase.

ISA 401, Auditing in a Computer Information System Environment: Accounting systems in small businesses are often installed on stand-alone microcomputers. The use of computer systems in small organizations reduces the risk of the control system. At the same time, due to insufficient staff, it is possible to combine the functions of users, increasing this risk. The use of a computer by the auditor with small amounts of data should be recognized as ineffective.

ISA 500 Audit Evidence: When auditing small businesses, it can be difficult to obtain sufficient evidence, because the owner-manager may obstruct the recording of individual transactions in the accounts and there may be no internal control procedures that document the completeness of transaction recording. At the same time, it is not always necessary to assume that internal controls over the completeness of sales data are ineffective, since the number of activities of small enterprises is limited and it is therefore possible to establish control over the quantitative indicators of shipment (release).

ISA 520 Analytical Procedures: Analytical procedures at the planning stage of an audit of small entities may be limited due to:

    Established deadlines for processing transaction data;

    Lack of interim or monthly financial information at the time of planning.

In these cases, you can analyze general ledger key figures or other accounting data.

When using analytical procedures during substantive testing, simple forecasting models can be effective: for example, based on the number of employees with fixed salaries, it is possible to calculate the approximate labor cost for the period without resorting to a detailed check of the payroll.

ISA 530 “Audit sampling and other sampling procedures”: given the small size of the population of data in small enterprises, it is sometimes advisable to check the entire population or 100% of objects selected in a certain way (for example, transactions with amounts exceeding the level established by the auditor).

ISA 550 Related Parties: Transactions with related parties are a feature of many small businesses run by an owner-manager. The auditor should be aware that the owner-manager is not always familiar with the term “related party”, so to avoid confusion when receiving management's statements, the meaning of this definition should be clarified. Related parties are easier to detect if the auditor of the small entity is also the auditor of other entities related to the entity.

ISA 560 “Subsequent Events”: the identification of subsequent events in the audit of small enterprises is hindered by long reporting approval periods, slow updating of data, and the lack of minutes of directors' meetings. In these cases, the procedures for obtaining information about subsequent events may be limited to inquiries addressed to the owner-manager and checking bank statements. It is not necessary for the auditor to pay special attention to the time interval between the meeting at which the financial statements are approved and the annual general meeting if the general meeting is held immediately after the approval meeting.

ISA 570, Going Concern Assumption: For small businesses, the most likely risk factors are:

    Risk of withdrawal of support from banks and other creditors;

    Risk of losing a major client;

    The risk of dismissal of the main employee;

    Risk of loss of the right to carry out activities;

    Dependence on the funds of the owner-manager and the intention of the owner regarding their withdrawal.

ISA 580, Management Representations: The auditor is encouraged to obtain representations from the owner-manager in order to avoid possible misunderstanding of his responsibility for the completeness and content of the information contained in the financial statements.

ISA 700, Auditor's Report on the Financial Statements: The auditor should be satisfied that the owner-manager acknowledges his responsibility for the preparation and content of the financial statements as of the date the auditor's report is signed.

ISA 720, Other Information in Audited Financial Statements: Examples of other information for a small business are an income statement prepared for tax purposes and a management report.

If the legislation of a country allows auditors to provide accounting services to their clients (assistance in maintaining accounts, advising on accounting policies, assistance in preparing financial statements), then the second part of PMAP 1005, devoted to compliance with ISAs when conducting an audit and simultaneously providing accounting services, is applicable in that country. At the same time, special attention is paid to compliance with the following ethical requirements:

    A professional accountant in public practice should not act as an employee involved in conducting the operations of the enterprise;

    Employees assigned to prepare accounting records should not participate in the review of such records;

    The provision of services does not relieve the auditor of the need to collect relevant and sufficient evidence.

When the auditor assists in the preparation of financial statements, the engagement letter should include:

    Responsibility of owners-managers for financial reporting;

    Differences between the services provided and the audit;

    The conditions for handing over the auditor's working documentation at the request of the client, and the fact that it cannot replace the accounting documentation of a small enterprise.

By providing accounting services to the owner-manager, the auditor can obtain information about his personal financial situation and lifestyle, which will improve the quality of the fraud risk assessment. The auditor's knowledge of financial reporting regulations will help the owner-manager ensure compliance with legal requirements. Planning should be based on knowledge gained from the provision of related services. As a result of the provision of accounting services, the following aspects can be determined:

    Internal controls to be assessed and tested;

    Necessary evidence that can be obtained when providing other services;

    Possible analytical procedures;

    Validity of estimated values;

    Related parties.

Appropriate steps should be taken by the auditor to recognize the owner-manager's responsibility for applying the going concern assumption, even if the auditor himself prepares the necessary estimates and forecasts.

The auditor should build relationships with the client in accordance with legal requirements and professional ethical principles, taking into account the internal procedures and practices of the auditor.

The legal side of the relationship can be partly resolved through a letter of engagement, which is intended to facilitate understanding by the client's management of the terms of the agreement, and receiving statements from management provides confirmation of this understanding. During the audit, the following issues may be discussed with management:

    Business understanding;

    General audit plan;

    Changes occurring in the audit when new laws or professional standards are introduced;

    Information on the basis of which audit risk is determined;

    Information received from the management of the client or staff;

    The results of observations and proposals that have arisen in determining the effectiveness of management;

    Unverified information that, in the auditor's opinion, may be misleading to interested users of the client's financial statements.

At the end of the audit, it may be necessary to discuss:

    Practical difficulties that arose during the verification of this client;

    Disagreements with management regarding financial reporting;

    Making adjustments to the reporting;

    Problems related to accounting policies and disclosure of information in financial statements that require modification of the opinion;

    Identified violations of the requirements of laws and regulations;

    Compliance with the going concern assumption.

Discussions with the client's management should be recorded in the auditor's working papers (include in the auditor's documentation if the communication is in writing). At the end of the audit, a personal meeting with the client's management is expected: the board of directors, the audit committee, etc.

Particular attention is paid to the auditor's communication with the client's management on issues related to internal control. The auditor should promptly notify the client's management of deficiencies in the accounting and internal control systems identified during the audit. When drawing up a report on internal control issues, the auditor is also required to:

    Not include language that would conflict with the opinion expressed in the conclusion;

    Indicate that the purpose of checking the accounting and internal control systems is only to determine the scope of audit procedures;

    Explain that the written information reflects only those shortcomings of the above-mentioned systems that were discovered during the audit, and not all shortcomings that are possible or present in this entity;

    Limit the audience of this message to the client's management.

After sending the message, the auditor checks whether his proposals have been implemented or finds out why they have not been. The auditor can ask the client's management to respond to the comments in writing, in which case the answer can be reflected in the auditor's report. If previous years' proposals were not accepted, the auditor repeats or refers to them.

The auditor should be aware that contacts with management cannot relieve the auditor from considering the effect of the matters under discussion on the financial statements or the auditor's report and do not replace the need to write an explanatory paragraph or disclaimers.

Considering the growing role of environmental protection for governments and individual enterprises, the Committee on International Auditing Practices has issued PMAP 1010 “Regarding Environmental Issues in the Audit of Financial Statements”. Environmental aspects can have a significant impact on the financial statements of clients that:

    Work in an industry subject to environmental risk (chemical, oil and gas, pharmaceutical, metallurgical, mining, utilities);

    Carry out activities controlled by the relevant law enforcement agencies for compliance with environmental requirements;

    Use in the production process substances that legislation or public organizations recommend abandoning;

    Should take measures to prevent, eliminate or correct harm caused to the environment;

    Participate in litigation relating to environmental issues.

The impact of environmental issues on the client's reporting can be expressed in:

    Depreciation of assets;

    Calculation of penalties;

    Necessity or voluntary acceptance of the costs of improving the environment;

    Contingent liabilities for environmentally related expenses;

    Failure to comply with the going concern assumption.

When gaining knowledge of the client's business, the auditor should pay attention not only to the issues mentioned above, but also to other factors:

    Subject's dependence on environmental laws;

    Ownership of sites whose ecological balance was violated by previous owners;

    Carrying out economic activities that have a negative impact on customers, employees, population, soil, water, air.

The auditor should warn the client that the purpose of the audit is not to detect all possible violations of environmental regulations. The need for special procedures is determined by the auditor. If he does not have sufficient competence to carry out such procedures, then an appropriate specialist (lawyer, engineer, environmental specialist) should be invited.

When evaluating inherent risk, the auditor should consider the impact of the risk of misstatement of the financial statements due to environmental aspects (so-called environmental risk). This type of risk consists of the following factors:

    Risk of additional costs due to compliance with environmental requirements;

    Cost risk due to non-compliance with environmental laws and regulations;

    The impact of the environmental requirements of the clients of the audited enterprise and their possible reaction to the environmental policy pursued by this enterprise.

Evidence of environmental risk may include:

    Reports prepared by environmentalists or internal auditors that indicate significant environmental issues;

    Violations of environmental laws reflected in correspondence with environmental authorities;

    Inclusion of the client in the official register for the elimination of soil pollution;

    Media materials reflecting the subject's environmental policy;

    Facts of purchasing goods (services) related to environmental issues;

    Payment of fines as a result of violation of environmental laws, as well as high fees transferred to lawyers or environmental consultants.

In the process of determining the risk of controls, the auditor considers the form of organization of control of environmental issues adopted by the entity. These forms may vary depending on the degree of environmental risk inherent in the activities of the client. For the auditor, the form of environmental control itself is not particularly important; what matters when planning the audit are the means of this control, if environmental issues can really have a significant impact on the financial statements.

1. What information may require interbank confirmation procedures?

2. How should the auditor's request be formulated when conducting interbank confirmation procedures?

3. What are the duties and responsibilities of the bank's management in the organization of internal control?

4. What aspects are checked by the banking supervisor and what methods are used?

5. What is the specificity of checking banks by external auditors?

6. What is the difference between the interests of an inspector for banking supervision and a bank auditor?

7. What information of the supervisory authority may be of interest to the auditor of the bank?

9. What information received from the auditor may be useful to the bank inspector?

10. In what directions and under what conditions can the functions of the bank's auditor be expanded?

11. What factors should the auditor consider when accepting an audit engagement for an international bank?

12. What are banking risks?

13. What circumstances are taken into account when assessing materiality in the process of planning an audit of an international bank?

14. What circumstances form the auditor's opinion on the internal control system of an international bank?

15. What is the impact of CIS on the client's internal control system?

16. What are common CIS controls?

17. What procedures act as applied means of control of CIS?

19. What approaches to checking a client using microcomputers are recommended for an auditor?

20. What are the features of using interactive computer systems?

21. How are interactive computer systems classified?

22. What circumstances can reduce the risk of fraud or error in the use of interactive computer systems?

23. What factors increase the risk of distortion when using interactive modes?

25. What characterizes internal control in terms of using databases?

26. What factors increase the reliability of internal control when using databases?

27. What forms can audit software take?

28. In carrying out which procedures can computer-based audit methods be used?

29. How can the auditor control the use of computer-based audit methods?

30. What aspects are taken into account by the auditor when conducting an audit of a small business using computer tools?

31. What is understood as a small business in the Regulations on International Auditing Practice?

32. What circumstances are taken into account when determining the risk of fraud or error in a small business?

33. What circumstances can be used by an auditor of a small enterprise acting simultaneously as an accountant?

34. What issues are discussed by the auditor during contacts with the client's management?

35. What is the impact of environmental aspects on the activities of the audited entities?

36. What is the environmental risk?


MINISTRY OF EDUCATION AND SCIENCE OF THE RUSSIAN FEDERATION

FSBEI HPE "OREL STATE INSTITUTE OF ECONOMICS AND TRADE"

Essay on the course: "International Auditing Standards"

on the topic: "Regulations on international audit practice"

Performed:

Student of FUiIT group 51 of the Criminal Code

Malyshko N.V.

Checked:

Professor, Doctor of Economics

Suvorova S.P.

Introduction

  1. Relationships between Banking Supervisors and External Auditors
  2. Features of audit evidence when auditing in a computer environment
  3. Conclusion
  4. References

Introduction

In the process of reforming the accounting system in Russia, problems arose in the transition of domestic accounting practices to international accounting and reporting standards.

As a result, there was a need for knowledge of international auditing standards and provisions on international auditing practice. The development of audit in our country and the adoption of the Federal Law "On Auditing" necessitated a revision of the existing rules (standards) to transform them into regulations at the federal level.

In addition, the legislation provides for the possibility of accreditation of professional audit associations by the body regulating audit activity in Russia, subject to the development of internal rules (standards) by these associations.

International Auditing Standards (ISA) and Regulations on International Auditing Practice (PMAP) are of interest to Russian accountants due to several circumstances.

Firstly, many of the domestic enterprises oriented to foreign investors are already experiencing the need for an audit in accordance with ISA. Accountants of such organizations need to be aware of the obligations of the parties and the most significant features of international audit technologies.

Secondly, it should be emphasized that it is international regulatory documents that form the basis for the development of domestic federal rules (standards) for auditing, as evidenced by the existing Russian standards, which practically reproduce the provisions of several ISAs.

Familiarization with the set of provisions on international auditing practice (in the format of a brief analytical review) will allow domestic accountants to get a holistic picture of what rules will determine their relationship with auditors as the Russian reform of accounting and auditing advances and new internationally-oriented federal rules (standards) of audit activity.

International Auditing Standards cover a wide range of issues governing audit procedures and the relationship of auditors with management and accountants of client companies.

The purpose of the work: to give a brief description of the provisions of international audit practice.

  1. Interbank confirmation procedures.

Instructions on interbank confirmation procedures for external independent auditors, as well as such bank employees as internal auditors and inspectors, are reflected in the Regulations on International Audit Practice (hereinafter referred to as PMAP) No. 1000 “Interbank Confirmation Procedures”. PMAP has no Russian counterpart. It states that when auditing the financial statements of banks, special attention is paid to the request for confirmation directly from other banks of information about account balances and other amounts appearing on the balance sheet, as well as other information that may not be reflected in the balance sheet itself, but disclosed in the notes to the accounts. It is noted that off-balance sheet items requiring confirmation include items such as guarantees, forward commitments to buy or sell, commitments to repurchase options, set-off agreements.

Audit evidence comes directly from an independent source and provides greater assurance of this type of credibility than that obtained solely from the bank's own accounts.

In Russia, the Central Bank of the Russian Federation is responsible for auditing standards for banking audit. Standardization of the work of auditors in this direction is at an early stage.

  1. Relationships between banking supervisors and external auditors.

Requirements for the relationship between external auditors and bodies supervising the work of banks are established by PMAP No. 1004 “Relationships between banking supervision bodies and external auditors”.

In many aspects, the interests of the inspector and the auditor are similar, although the objects of their attention may differ. The inspector is primarily interested in the stability of the bank in terms of protecting the interests of depositors, and therefore he checks its present and future viability, using financial statements to assess the development of its activities. The auditor is primarily interested in reporting the financial position of the bank and the results of its operations, and therefore also considers the bank's ability to continue as a going concern to confirm the assumption about this, on the basis of which the financial statements are prepared.

This ISA has no Russian counterpart.

  1. Audit of international commercial banks.

The requirements for the audit of international banks are set out in PMAP No. 1006 "Audit of International Commercial Banks". It also has no Russian counterpart. It reflects the description of the objectives and the process of the audit, the definition of the conditions of the audit assignment, work planning. PMAP No. 1006 obliges the auditor, when evaluating the effectiveness of specific control procedures, to consider the environment in which internal control operates:

  • Organizational structure of the bank and methods of delegation of powers and responsibilities;
  • The quality of management control;
  • The scope and effectiveness of the internal audit system;
  • Qualification of key personnel;
  • The degree of supervisory control by the supervisory authorities.

  1. International standards for computer technology audit.

On the basis of ISA No. 401 "Audit in the conditions of computer information systems", a domestic analogue, "Audit in the conditions of computer data processing", was developed; on the basis of PMAP No. 1009 "Audit methods using computers", the corresponding Russian audit standard "Conducting an audit using computers"; and on the basis of PMAP No. 1008 “Risk assessment and internal control system - characteristics of a computer information system (hereinafter referred to as CIS) and related issues”, the standard “Risk assessment and internal control. Characteristics and accounting of the environment of computer and information systems”.

Domestic analogues have not yet been developed for PMAP No. 1001 "CIS environment - autonomous microcomputers", PMAP No. 1002 "CIS environment - interactive computer systems", PMAP No. 1003 "CIS environment - systems without data".

The created Russian rules (standards) differ from international ones:

  1. Russian rules are focused on more progressive approaches to computerization, since they were created much later than international standards.
  2. They take into account the specifics of Russian accounting and auditing, legal support and taxation.
  3. They have the necessary references to previously created rules (standards), which shows the continuity of the basic principles and methods of audit, and also indicates that these standards are focused on more effective achievement of the audit goal and a description of the features of the implementation of the basic principles and methods of audit in modern conditions.

Computer audit involves the use of computers and modern information technologies. The main work in this regard can be considered audits of financial statements with the preparation of an audit opinion, as well as the provision of audit-related services.

General information about the components of a computer audit, the basic concepts and approaches to its organization can be obtained on the basis of ISA No. 401 "Audit in the conditions of computer information systems" (the domestic equivalent is "Audit in the conditions of computer data processing") and on the basis of PMAP No. 1009 "Risk Assessment and Internal Control System - Characteristics of CIS and Related Issues" (the domestic equivalent is "Auditing with the help of computers"). These two standards are directly related, although the first is more relevant to the economic entity, and the second directly to auditors and audit organizations.

In an audit organization, computers can be used to automate its management work and conduct an audit of economic entities. At the same time, the concept of “use of computers for auditing” is very general and may include a number of areas of use (types of work performed):

  • simple calculations, printing standard forms of audit documents, questionnaires, etc.;
  • organization of the regulatory legal reference base in electronic format (systems such as "Garant", "Code", "Consultant Plus");
  • verification of individual sections of accounting (calculations for fixed assets, inventories, etc.);
  • a comprehensive check of all sections and accounts of accounting, personnel work, economic analysis.

Additional procedures that must be followed when conducting an audit in a computer information system (CIS) environment are disclosed by ISA No. 401. For the purposes of this ISA, CIS conditions exist when an entity uses a computer of any model or size to process financial information relevant to an audit, whether the computer is used by that entity or by a third party. In such cases, the auditor should consider how the CIS affects the audit. The overall purpose and scope of the audit do not change in the CIS environment; however, the use of CIS may affect:

  • The procedures followed by the auditor in the process of obtaining a sufficient understanding of the accounting and internal control systems;
  • An analysis of inherent and control risk, whereby the auditor conducts a risk assessment;
  • The auditor's design and implementation of tests of controls and substantive procedures necessary to achieve the audit objectives.

The Russian analogue of ISA No. 401 is the Rule (standard) of audit activity "Audit in the conditions of computer data processing".
In general, the specified RSA is identical in content to its international counterpart.

  1. Features of audit evidence in the audit in a computer environment.

The study of accounting and reporting systems and related internal control systems in the case of electronic data processing is considered by ISA No. 1008 “Risk assessment and internal control. Characteristics and accounting of the environment of computer and information systems”. It reflects the most common characteristics of an electronic data processing process, including factors affecting its organizational structure, the nature of data processing, and the procedures applied in accounting and reporting systems and internal control systems.
PMAP No. 1008 is an addition to the international audit standard No. 401 "Audit in the conditions of computer information systems". It deals with the study and evaluation of the accounting and reporting system and related internal control systems in the case of electronic data processing.


Content

Introduction
Interbank Confirmation Procedures
Relationships between Banking Supervisors and External Auditors
International standards for computer technology audit
Features of audit evidence when auditing in a computer environment
Accounting for environmental issues in the audit of financial statements
Peculiarities of the audit of small enterprises
Audit of derivative financial instruments
Conclusion
References

1. Provisions clarifying the use of computer information systems in the course of an audit

Regulations on International Auditing Practice (PMAP), dedicated to computer technology in the audit, are conventionally divided into two groups:

  • those reflecting the features of the computer information systems of the subject (this group includes PMAP 1001-1003, 1008);
  • those characterizing computers as a means of performing audit procedures (PMAP 1009).

PMAP 1001-1003 are issued as appendices to ISA 400 "Risk Assessment and Internal Control System", but are not part of it. Below is the content of PMAP 1001, 1002, 1003 and 1008.

The aim of PMAP 1001 "CIS environment - autonomous microcomputers" is to assist the auditor in meeting the requirements of ISA 400 and PMAP 1008 by describing microcomputer systems used as stand-alone workstations.

Microcomputers, in PMAP terminology, are personal computers, or PCs. Microcomputers can be used as a means of processing accounting entries and preparing financial statements. Therefore, there is a need for certain internal controls and audit procedures in relation to PC systems.

The microcomputer can be used in various configurations. Therefore, PMAP 1001 highlights the following main configurations:

an independent workstation used by one user or several users in turn, who can work with one or different programs;

local network of microcomputers, i.e. when several microcomputers are combined through the use of special programs and communication lines;

connected system, i.e. workstation connected to a central computer.

A computer information system (CIS) environment that uses microcomputers is less complex than a centrally controlled CIS environment. In this regard, in the environment of microcomputers, internal control can be significantly weakened:

  • a) application programs can be easily developed by users;
  • b) because the data is processed by a computer, users of such financial information may, without reasonable grounds, place undue reliance on it;
  • c) since microcomputers are targeted at individual end users, the accuracy and reliability of the information produced will depend on internal controls established by management or the user.

The impact of the PC on the accounting system and related internal control mechanisms depends on:

  • the degree of use of microcomputers in accounting;
  • the type and significance of processed financial transactions;
  • the nature of the files and programs used.

Key factors in CIS controls are:

  • 1) General CIS controls - segregation of duties, including:
    • data entry into the system;
    • computer management;
    • modifying programs or distributing output data;
    • operating system modification.
  • 2) CIS application controls:
    • systems for registering transactions and reconciling data by group;
    • direct observation;
    • reconciliation of accounts or balances by section, etc.

To ensure effective internal control of CIS, an independent unit can be created.

The PC environment also has an impact on audit procedures: since management may find it inappropriate to implement appropriate controls in a microcomputer environment, the auditor is often right to assume that the risk of controls in such systems is high. Therefore, the auditor may focus his efforts on substantive reviews at or near the end of the year. Computer audit methods may include:

  • 1) use of client software (databases, spreadsheets, software products);
  • 2) use of the auditor's own software (for example, to include transactions or balances in data files for comparison with control entries or account balances in the general ledger).
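The second method above, the auditor's own software run over the client's data files, can be sketched as follows. This is an added example, not code from the textbook or from any PMAP: the file layout, account numbers, user names and the factor-of-three threshold are constructed assumptions. Beyond the comparison with general ledger balances named in the list, it also checks duplicate document numbers, authorization and unusually large items.

```python
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal
from statistics import median

# Constructed sample: a transaction file exported from the client's PC system.
TRANSACTION_FILE = """\
doc_no,account,amount,entered_by,approved_by
1001,4010,1200.00,clerk1,chief1
1002,4010,1350.00,clerk1,chief1
1003,4010,1280.00,clerk2,chief1
1004,4010,9800.00,clerk2,clerk2
1005,6020,310.50,clerk1,chief1
1006,6020,295.00,clerk1,chief1
1006,6020,295.00,clerk1,chief1
1007,6020,305.00,clerk2,
"""

# Constructed sample: account balances taken from the general ledger.
GENERAL_LEDGER = {"4010": Decimal("13630.00"), "6020": Decimal("910.50")}


def load_transactions(text):
    """Parse the exported file; amounts become Decimal to avoid float rounding."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def reconcile_to_ledger(rows, ledger):
    """Return {account: file total minus ledger balance} for accounts that differ."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row["account"]] += row["amount"]
    differences = {}
    for account in sorted(set(totals) | set(ledger)):
        diff = totals[account] - ledger.get(account, Decimal(0))
        if diff != 0:
            differences[account] = diff
    return differences


def duplicate_documents(rows):
    """Document numbers that appear more than once in the file."""
    counts = Counter(row["doc_no"] for row in rows)
    return sorted(doc for doc, n in counts.items() if n > 1)


def authorization_exceptions(rows):
    """Entries with no approver, or approved by the person who entered them."""
    findings = []
    for row in rows:
        approver = row["approved_by"].strip()
        if not approver:
            findings.append((row["doc_no"], "no approval"))
        elif approver == row["entered_by"]:
            findings.append((row["doc_no"], "self-approved"))
    return findings


def unusual_items(rows, factor=3):
    """Entries larger than `factor` times the median amount of their account."""
    by_account = defaultdict(list)
    for row in rows:
        by_account[row["account"]].append(row["amount"])
    return [row["doc_no"] for row in rows
            if row["amount"] > factor * median(by_account[row["account"]])]


if __name__ == "__main__":
    data = load_transactions(TRANSACTION_FILE)
    print("Ledger differences:", reconcile_to_ledger(data, GENERAL_LEDGER))
    print("Duplicate documents:", duplicate_documents(data))
    print("Authorization exceptions:", authorization_exceptions(data))
    print("Unusual items:", unusual_items(data))
```

Each finding is a starting point for substantive follow-up, not a conclusion: the ledger difference on account 6020 in the sample data is explained by the duplicated document.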

If microcomputer systems process a large number of transactions, it is more appropriate to conduct audit work on these data on a preliminary date.

PMAP 1002 "CIS environment - interactive computer systems" describes the influence of interactive computer systems on the accounting system and related internal controls, as well as on audit procedures. Interactive computer systems are computer systems that provide users with direct access to data and programs through a terminal.

Interactive computer systems can also affect internal controls:

initial data may not be available for all input operations;

processing results may be too generalized;

interactive computer systems may not be designed to provide printed reports, and editing of reports may be hindered by messages on the display.

PMAP 1002 highlights the following aspects of the impact of interactive computer systems on audit procedures:

authorization, completeness and accuracy of online operations;

record integrity and processing in connection with interactive access to the system by many users and programmers;

changes in the performance of audit procedures, including computer-assisted audit methods.

In connection with these factors, the auditor may perform specific procedures at all stages of the audit:

1) at the planning stage - include professionals with technical skills in the audit team; preliminarily determine the impact of the interactive system on audit procedures during the risk assessment process;

2) simultaneously with interactive processing - audit procedures may include verifying the conformity of controls over interactive applications;

3) after interactive processing of information - the conformity of the means of control over operations is checked for authorization, completeness and accuracy; verification of transactions on the merits instead of tests of controls; reprocessing of transactions in the form of procedures on the merits or for compliance.

New interactive accounting applications can be reviewed before rather than after they are installed. This will give the auditor an opportunity to test additional features and provide sufficient time to develop and test audit procedures before they are performed.

PMAP 1003 "CIS environment - database systems" describes the impact of the database on the accounting system, associated internal control system and audit procedures.

Database systems consist of two main components: a database and a database management system (DBMS).

A database is a collection of data that is used by a number of users for various purposes.

The software that is used to create, maintain and operate a database is called DBMS software.

If the data system is used by a single user, it is not considered a database for the purposes of PMAP 1003.

Database systems have two important characteristics:

data sharing (by many users and in different programs);

data independence from application programs (the database is written once for use by different programs).

These characteristics require the use of a data dictionary and the establishment of a data administration unit, i.e. coordination of the database by a group of persons.

A data dictionary is a specific piece of software for keeping track of the location of data in a database; it also serves as a means of storing standardized documentation and database environment definitions in applications.

Administration tasks typically include the following:

defining the structure of the database;

ensuring the integrity, security and completeness of data;

coordinating computer operations;

control over the results of the system;

providing administrative support;

ensuring the existence of an adequate connection between databases, coordination of their functions, consistency of data in different databases.

The effectiveness of internal controls depends to a large extent on the nature of database administration tasks and how they are performed. Because of the sharing of databases, common CIS controls typically have more impact on databases than application controls. Characteristics of common means of control of CIS in database systems are presented in Table 7.7.

The impact of the database system on the accounting system and related errors generally depends on:

the degree of use of databases in accounting programs;

the type and significance of processed financial transactions;

nature of databases, DBMS, administration tasks;

common CIS controls, which are especially important in a database environment.

Database systems usually provide more reliable data than systems without databases. However, the use of database systems can both increase and decrease the risk of fraud and error. The following contribute to greater data reliability:

greater data consistency;

data integrity, which can be improved through the use of recovery, editing and confirmation procedures, security and control tools built into the DBMS;

other DBMS functions, such as a report generator (for generating comparison reports) and query languages (to identify inconsistencies in the data).

The risk of fraud and error can be increased if database systems are used without appropriate controls.

Audit procedures are mainly affected by the extent to which database data is used in the accounting system. Where significant accounting programs share a common database, PMAP 1003 recommends the use of the following audit procedures:

  • 1) when planning an audit, consider the impact of the following factors on audit risk:
    • a) the DBMS and significant accounting applications;
    • b) standards and procedures for developing and maintaining application programs that use the database;
    • c) job responsibilities, standards and procedures for databases;
    • d) procedures to ensure the integrity, security and completeness of data;
    • e) the availability of audit tools in the DBMS;
  • 2) review how controls are used in the database system and then decide whether to rely on those controls and what compliance tests to perform;
  • 3) when the auditor decides to perform compliance tests, audit procedures may include:
    • a) generating test data;
    • b) providing an audit "trace" of operations;
    • c) checking the integrity of databases;
    • d) providing access to the database or a copy of its necessary parts;
    • e) obtaining the information necessary for the audit;
  • 4) determine whether performing an additional substantive check of all significant accounting programs that use the database will help achieve the objective of the audit.

It may be more efficient to test new accounting programs before, rather than after, installing them.

A computer information systems (CIS) environment exists when an entity uses a computer of any model or size to process financial information relevant to the audit, whether the computer is used by that entity or by a third party.

PMAP 1008 "Risk assessment and internal control system - characteristics of CIS and related issues" was prepared as a supplement to ISA 400, but PMAP 1008 is not part of the ISA.

In accordance with this PMAP, in the CIS environment, the subject must determine:

  • a) organizational structure, which has the following characteristics: concentration of functions and knowledge (reduction in the number of maintenance personnel and, accordingly, the risk of unauthorized changes to the system), concentration of programs and data (data can only exist in a machine-readable form on one or several computers, which can increase the likelihood of unauthorized access);
  • b) CIS management procedures.

The nature of data processing in the CIS may have its own specifics in the absence of internal controls:

lack of primary documents;

lack of a visual trace of the operation;

lack of visual result;

free access to data and computer programs.

The above leads to a decrease in the reliability of CIS data.

Internal control over computer processing of data includes two types of procedures according to the way they are performed:

  • 1) procedures carried out by manual processing;
  • 2) procedures built into computer programs.

Weaknesses in common controls can prevent testing of certain CIS application controls. However, manual procedures used by the user may be an effective means of control at the level of application programs.

Computer-based audit methods (MAC) are techniques in which the computer is used as an auditing tool.

PMAP 1009 "Audit methods using computers" provides recommendations on the use of MAC in an audit. However, as defined in ISA 401 Auditing in a Computer Information Systems Environment, the overall objectives and scope of an audit do not change when an audit is conducted in the computer information systems environment.

If tests are used during the normal transaction processing cycle, the auditor should ensure that the test records are deleted at the end of the test.

MAC can be used when performing various audit procedures, including the following:

detailed tests of transactions and balances (e.g., using audit software to test transactions on a computer file);

analytical review procedures (eg use of audit software to detect unusual changes or items);

verification of compliance with common CIS controls (for example, the use of test data to verify procedures for accessing software libraries);

verification of the conformity of the applied controls of the CIS (for example, the use of test data to verify the functioning of a programmed procedure).

When planning an audit, the auditor should consider an appropriate combination of non-computerized and computerized audit techniques. When deciding whether to use MAC, the following should be considered:

  • 1) the auditor's knowledge, skills and experience with computers (the level of knowledge required depends on the complexity and nature of the MAC and of the subject's accounting system);
  • 2) the ability to use MAC and the availability of appropriate computer devices (the auditor may plan to use other computer devices if the use of MAC is uneconomical or impracticable, for example, due to incompatibility of accounting and audit programs. Assistance from the subject's specialists may also be required);
  • 3) the impracticability of manual tests (if there is no visual evidence, manual tests may not be possible, for example, when purchase orders are entered into the system online);
  • 4) efficiency and effectiveness (they can be improved by using MAC, for example, to test a large number of operations, if it is possible to print a report on non-standard operations, etc.);
  • 5) the time factor, the influence of which on the use of MAC is reflected by the following recommendations of PMAP 1009:
    • certain computer files, such as business transaction detail files, are often stored on a computer for only a short period of time and may not be available in machine-readable form when the auditor needs them. As a result, the auditor must take action so that the files he needs are retained, or he will need to change the timing of the work for which these data are needed;
    • when audit time is limited, the use of MAC may be more in line with the audit schedule than manual procedures.

The basic steps that the auditor needs to take when using MAC include:

setting goals for the application of MAC;

determining the content of the subject's files and the order of access to them;

determination of the types of business transactions subject to testing;

defining the procedures to be applied to the data;

definition of requirements in relation to the results obtained;

appointment of auditors and specialists in computer data processing who can take part in the development and application of the MAC;

refinement of cost-benefit estimates;

ensuring that MAC use is properly controlled and documented;

organizing administrative work, including the necessary qualifications and computer devices;

application of MAC;

evaluation of results.

MAC usage should be audited to ensure compliance with audit objectives and to avoid improper manipulation of the MAC by the subject. The procedures carried out by the auditor to control the application of audit programs may include:

participation in the development and testing of computer programs;

verification of program coding to ensure compliance with detailed program specifications;

asking the subject's computer system specialists to review the operating system manual and verify that the programs can be installed on the subject's computer system;

testing audit software on small test files before running it on master data files;

ensuring that the correct files are used, for example through external evidence (subject control summary data);

obtaining evidence that the audit software is operating as intended, for example, by analyzing output and control information;

taking appropriate security measures to protect against manipulation of the subject's data files.

The presence of an auditor when using the MAC is not mandatory, but may be useful as an opportunity to control the process.

To control the application of test data programs, the auditor must perform the following procedures:

control over the sequence of presentation of test data when they go through several processing cycles;

performing tests with a small amount of test data before presenting the main audit test data;

forecasting the results of test data and comparing them with actual test results, in relation to individual business transactions and in general;

confirmation that the current version of the programs was used for data processing;

providing sufficient confidence that the programs used to process the test data were used by the subject during the entire audited period.
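The controls listed above for audit software and for test data can be combined in one short run, shown here as an added example that is not taken from PMAP 1009 or from the textbook. The file layout, field names, control summary and predicted outcomes are all constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed extract of a transaction file (illustrative data, not from the page).
# T-01 is an audit test record that was left in the file after testing.
TRANSACTIONS_CSV = """txn_id,account,amount,source
1001,4010,250.00,live
1002,4010,1200.50,live
1003,4020,75.25,live
T-01,4010,999999.99,audit-test
1004,4020,310.00,live
"""

# Constructed control summary, obtained from the subject independently of the file.
CONTROL_SUMMARY = {
    "record_count": 4,
    "amount_total": Decimal("1835.75"),
    "hash_total": 16060,  # sum of account numbers; only useful as a check figure
}

# Outcomes the auditor predicted for each test transaction before the run,
# and the (constructed) outcomes the programmed procedure actually produced.
PREDICTED = {"T-01": "rejected", "T-02": "accepted", "T-03": "rejected"}
ACTUAL = {"T-01": "accepted", "T-02": "accepted", "T-03": "rejected"}


def load_transactions(text):
    """Parse the extract; amounts are Decimal so that totals are exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "txn_id": row["txn_id"],
            "account": int(row["account"]),
            "amount": Decimal(row["amount"]),
            "source": row["source"],
        })
    return rows


def control_totals(rows):
    """Compute the three totals that the control summary also reports."""
    return {
        "record_count": len(rows),
        "amount_total": sum((r["amount"] for r in rows), Decimal("0")),
        "hash_total": sum(r["account"] for r in rows),
    }


def reconcile(rows, summary):
    """Return {total: (computed, expected)} for every control total that differs."""
    computed = control_totals(rows)
    return {
        name: (computed[name], expected)
        for name, expected in summary.items()
        if computed[name] != expected
    }


def leftover_test_records(rows):
    """Identify records that did not come from live processing."""
    return [r["txn_id"] for r in rows if r["source"] != "live"]


def compare_with_predictions(predicted, actual):
    """Compare per transaction and in aggregate; return (differences, tallies_match)."""
    differences = {
        txn: (expected, actual.get(txn, "missing"))
        for txn, expected in predicted.items()
        if actual.get(txn) != expected
    }
    tallies_match = Counter(predicted.values()) == Counter(actual.values())
    return differences, tallies_match


if __name__ == "__main__":
    rows = load_transactions(TRANSACTIONS_CSV)
    print("Control total differences:", reconcile(rows, CONTROL_SUMMARY))
    print("Test records still in file:", leftover_test_records(rows))
    live = [r for r in rows if r["source"] == "live"]
    print("After removing test records:", reconcile(live, CONTROL_SUMMARY))
    print("Prediction check:", compare_with_predictions(PREDICTED, ACTUAL))
```

The single leftover test record breaks all three control totals, which is why the file is reconciled to the subject's summary before any audit software results are relied on.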

If the auditor seeks the assistance of specialists from the subject, he should have reasonable assurance that these specialists do not improperly influence the results of the MAC.

Technical papers related to the use of the MAC should be kept separate from other audit working papers. However, these documents must comply with ISA 230 Documentation.

The general principles described in PMAP 1009 are applicable in a small business computing environment, where the auditor must consider the following:

  • a) the level of general control may be low, therefore, it is impossible to rely on the internal control system in this case, and a large role should be given to detailed tests of balances and transactions, as well as analytical review procedures;
  • b) when small amounts of data are processed, the use of non-computerized methods may be more economical;
  • c) the auditor may not receive sufficient technical assistance from the subject.

Also, be aware that certain packaged programs may not run on smaller computers, limiting the auditor's choice of MAC. However, subject files can be copied and processed on another (suitable) computer.

2. Provisions governing the communication of the auditor with banks

The regulation on audit practice PMAP 1000 "Interbank Confirmation Procedures" is designed to provide practical assistance to external independent auditors, as well as bank employees - internal auditors and inspectors - in connection with interbank confirmation procedures. This statement was prepared by the CMAP jointly with the Committee on Banking Regulation and Supervisory Practice of the Group of Ten Industrialized Countries and Switzerland in November 1983, and published in February 1984. The statement does not have the force of an international auditing standard.

An important step in auditing the financial statements of banks and related information is to request confirmation from other banks regarding account balances and other amounts that appear on the balance sheet, as well as other information that is not reflected in the balance sheet, but disclosed in the notes to the financial statements.

Off-balance sheet items such as the following usually require confirmation:

guarantees;

forward commitments to buy and sell;

obligation to repurchase options;

offset agreements.

This type of audit evidence is of great value, since the data comes directly from an independent source and provides greater confidence in the authenticity compared to the bank's own accounts.

The bank confirmation requirement arises from the need for the bank's management and its auditors to confirm the financial and business relationships between:

bank and other banks in the same country;

bank and other banks in other countries;

the bank and its non-bank customers.

Interbank relationships are similar to relationships between a bank and a non-bank customer. But in some interbank relationships, there may be peculiarities, for example, in connection with contingent liabilities, forward transactions, set-off agreements. Therefore, PMAP 1000 establishes provisions to assist banks and their auditors in obtaining independent confirmation of financial and business relationships with other banks.

The procedures described below are not suitable for use as routine interbank confirmation procedures carried out in the course of day-to-day commercial transactions between banks.

The auditor must decide which bank or banks to request confirmation from, taking into account issues such as the size of balances, the volume of activity, the degree of reliability of internal controls, and the level of materiality in the context of financial reporting. Confirmation requests should be prepared in such a way as to obtain the relevant required information.

Requests for confirmation of individual transactions can be:

  • a) either an element of the bank's internal control system;
  • b) or a means of confirming the amounts in the financial statements of the bank on any date.

Therefore, requests should be made taking into account the purpose of the information.

The auditor must determine which of the following ways to use to confirm other bank balances or other information:

indicate the amount and other information and ask for confirmation of their accuracy and completeness;

request a breakdown of the amounts of balances and other information, which can then be compared with the records of the bank being checked.

It is a departure from common practice to request that a response be sent only if the information provided in the request is incorrect or incomplete.

The auditor should determine the appropriate address for submitting the request, such as the internal audit department, the inspectorate, or another specialized department designated by the confirming bank as responsible for responding to requests for confirmation.

The request should, if possible, be prepared in the language of the confirming bank or in the language commonly used for business correspondence.

It is the auditor's responsibility to control the content of confirmation requests and their distribution. The request must be authorized by the requesting bank. Answers should be sent directly to the auditor (for convenience, a self-addressed envelope should be attached to the request).

the request must be clear and concise;

not all information requiring confirmation is usually needed at the same time. Therefore, letters of inquiry concerning various aspects of interbank relations may be sent several times during the year.

PMAP 1000 also includes as an appendix a glossary of the main terms used in the Regulations: collateral, contingent liabilities, mortgage, offset, option, repurchase (repurchase) agreement, custody services, credit line/reserve loan. This list is not exhaustive in describing all requests for interbank confirmations. The definitions are given as they are commonly used in banking practice, although their application may vary.

The purpose of PMAP 1004 "Interaction of inspectors for banking supervision and external auditors" is to provide a better understanding of the nature of the functions of bank auditors and inspectors. Misconceptions about such functions can lead one party to rely on the other party's results. The measures proposed in the Regulation should be considered as additional to, and not replacing, existing ones. The provision is not binding.

In many ways, bank inspectors and external auditors face the same problems; their role is increasingly defined as complementary. Therefore, PMAP 1004 addresses the responsibilities of the bank's management, the functions of inspectors and auditors, as well as a mechanism for more effective coordination of the work of inspectors and external auditors of the bank.

The main responsibilities of the bank's management are the following:

ensuring the professional competence of specialists, the availability and functioning of appropriate control systems, due diligence in the conduct of bank operations, compliance with laws and regulations, the necessary protection of shareholders, depositors and other creditors;

responsibility for the preparation of financial statements in accordance with local laws applicable to banks;

responsibility for organizing an internal audit unit in the bank, corresponding to its size and nature of operations.

Banking supervisors can perform a variety of functions:

the usual function, defined by law, is to protect the interests of bank depositors;

along with this, there may be broader responsibilities to ensure the soundness and stability of the banking system;

in some countries, supervision may also be carried out to enforce monetary and exchange rate policy.

Regulation 1004 mainly deals with the prudential aspect of the role of the inspector. Prudential supervision commonly refers to the oversight of a bank's financial activities carried out by central banks and other official bodies. In order to obtain and retain a banking license, an entity must comply with certain prudential requirements. The following requirements are common to most systems (although more detailed criteria are often presented):

  • a) persons exercising control and management of the bank must be honest, trustworthy and have appropriate qualifications and experience;
  • b) the bank must have sufficient capital to cover the risks inherent in the business, taking into account its nature and size;
  • c) the bank must have sufficient liquidity in case of an outflow of funds.

Accurate and prudent asset valuation is of great importance to inspectors, as it directly affects the determination of the bank's net assets and the amount of share capital. The inspectors also attach great importance to the organizational structure of banks, the operation of effective information systems and control systems for risk management.

Methods that ensure the performance of supervisory functions are not the same in different countries, but two main methods are most widely used:

on-site checks. They require the involvement of significant resources and, as a rule, affect a limited part of the operations of the organization;

collection and analysis of regular reports and other statistical data. This method requires lower costs, which are shared between banks and the supervisor more evenly. Examining the reports (which usually include a balance sheet and income statement) enables the inspector to monitor the bank more regularly and in a timely manner than with on-site inspections. However, reports have the following limitations:

  • a) their form is common to the banking system, and therefore may not reflect the specifics of a particular bank;
  • b) the quality of the report depends on the quality of the internal information system of the bank and the accuracy of filling out the report;
  • c) experience is required to form an opinion on the results of the bank on its report.

The basic purpose of the external auditor's audit of a bank is to express an opinion on whether the published financial statements of the bank give a "true and fair" view of its financial position and the results of its activities for the reporting period. However, the user should not consider the auditor's opinion as a guarantee of the bank's future viability or as an opinion on the efficiency with which the bank's management conducts its affairs, since this is not the purpose of the audit.

When conducting an audit of a bank, an independent auditor recognizes that in connection with some aspects of the bank's activities, special problems may arise:

  • a) banks hold significant funds, the physical security of which must be ensured. Therefore, banks must develop formal operating procedures, rigid systems of internal controls, and clearly limit the powers of individuals;
  • b) banks carry out a large number of diverse operations, which requires complex accounting and internal control systems, as well as electronic data processing;
  • c) if the activity is carried out through a network of branches and offices, this entails the decentralization of management and makes it difficult to apply uniform operating methods;
  • d) banks conduct "off-balance sheet" operations that are not directly related to the transfer of funds. Such transactions may not need to be reflected in the accounts, so they are difficult to verify;
  • e) since the activities of banks are regulated by government bodies, their requirements may have an impact on generally accepted accounting and auditing practices in the industry.

As a basis for their investigation, the auditor conducts tests and evaluations of internal control systems. The external auditor evaluates the work of the internal audit function to assess the extent to which this data can be used in determining the nature, timing and extent of the external auditor's own procedures.

The auditor relies on his judgment:

when deciding on the nature, timing and extent of audit procedures;

evaluating the results of these procedures;

assessing the reasonableness of the judgments and estimates used by management in preparing the financial statements.

The auditor plans the audit, evaluates materiality and audit risk, and conducts audit procedures. When the auditor discovers an error that is material to the financial statements, he requires management to adjust the financial statements. If management refuses to do so, the auditor expresses a conditional positive or negative opinion on the financial statements.

As an additional but not required part of their work, the auditor often prepares a written report for management, which traditionally contains comments on deficiencies in internal control and on other errors and omissions that the auditor noted during the audit but which do not entail a modification of the auditor's report. In some countries, the auditor also provides management or supervisory authorities (as required by law or contract) with a detailed report on specific issues, such as:

deciphering the balance of accounts or the composition of the loan portfolio;

liquidity indicators and profit;

standards;

the adequacy of internal control systems;

analysis of banking risks;

compliance with the law and the requirements of supervisory authorities.

In many aspects, the interests of the auditor and the inspector are similar, although the objects of their attention may differ, which is reflected in Table 7.13. Therefore, in many areas, the results of the work of the inspector and auditor can be effectively used by both parties, provided that the inspector and auditor understand the goals and characteristics of each other's work. In dealing with management, inspectors and auditors should be aware of the benefits to both parties that can be gained from being aware of each other's work. Therefore, it is advisable to record the results of contacts of this kind in writing so that they are part of the bank's documentation, to which both the auditor and the inspector can have access.

If the auditor or inspector becomes aware of information that he considers necessary for the other party, the bank management should be present at their contact, or at least they should be aware of such contacts. In exceptional cases, direct contacts between the auditor and the inspector are allowed (for example, if the presence of the bank's management jeopardizes the purpose of the contacts).

In a number of countries, the auditor (in accordance with the law or at the request of the inspector) prepares special reports to assist the inspector. Such reports may contain an opinion on:

whether requirements for regulations or other prudential requirements are met;

whether the licensing conditions were met;

whether the operations of the bank, which came to the attention of the auditor, are carried out in accordance with the laws;

whether accounting and internal control systems are adequate.

When requesting an auditor to expand his or her supervisory functions, it is essential that well-defined conditions are met, possibly under national law:

the auditor does not assume the duties of the inspector, but only assists him in the formation of his judgment;

between the auditor and his client, the usual relationship should be ensured;

the auditor should take into account the possibility of conflicts and resolve this problem before starting work;

regulatory requirements for necessary information should be specific and clearly articulated (if possible in quantitative terms);

tasks performed by the auditor at the request of the inspector should be within the technical and practical competence of the auditor;

the auditor's assignment for the inspector should have a rational basis (i.e., be ancillary to his main audit work and be capable of being completed more economically or quickly than by the inspector);

measures must be taken to ensure confidentiality.

The purpose of PMAP 1006 "Audit of international commercial banks" is to provide auditors with additional guidance by detailing and clarifying the application of ISAs in the context of an audit of international commercial banks.

An international commercial bank (hereinafter ICB) is a commercial bank that has operating offices in countries other than its country of registration, or whose activities go beyond national borders. PMAP 1006 is devoted to recommendations for the banking sector; it does not reflect the features of checking activities that are not unique to banks.

The audit of an ICB is carried out in the same separate stages as provided for in the ISAs. However, when auditing an ICB, specific issues arise that require consideration for the following reasons:

the special nature of the risks associated with banking operations;

the scale of banking operations and the resulting significant risks that may arise over a short period;

high dependence on computerized transaction processing systems;

the impact of regulations in various jurisdictions;

continuous development of new products and improvement of banking practices, which may not be accompanied by the simultaneous development of accounting principles and audit practice.

When compiling letters of engagement, the auditor should, in addition to the general matters set out in ISA 210 Terms of the Audit Engagement, consider including the following matters:

1) the use of special accounting principles or regulations, with special reference to:

any requirements of legislative and regulatory acts applicable to banks;

decisions of banking supervisory authorities, other control bodies and relevant professional accounting organizations;

industry practice;

2) the nature of any relationship between the auditor and control bodies providing for the provision of special reporting.

Acquisition of knowledge about the client requires the auditor to understand:

the economic and control environment in the countries where the bank operates;

market conditions in each sector of the bank's operation;

products and services provided by the bank.

Banking related risks can be divided into two large groups:

risks associated with banking products and services,

operational risks.

When auditing in a CIS environment, the auditor should pay particular attention to the following circumstances:

  • use of CIS to calculate and account for almost all interest income and expenses;
  • use of CIS to determine the currency and trading position on securities, as well as for calculating profits and losses on them;
  • significant dependence on the accounts produced in CIS.

Factors that encourage the auditor to rely on banks' internal controls also often require the auditor to use the work of internal audit. This is especially relevant in relation to an ICB, whose branches are geographically dispersed.

PMAP 1006 highlights the following significant areas that are not obvious but require the attention of the auditor:

  • transactions that have a low level of commission income or profit as a percentage of the main risk of potential losses;
  • transactions that are not required by law to be disclosed in the financial statements (for example, guarantees, letters of comfort, letters of credit, swaps, options).

It is also noted in the Regulation that in the case of an ICB there is a secondary purpose of internal controls in addition to the objectives listed in ISA 400, Risk Assessment and Internal Control. This goal is the proper performance of fiduciary duties. The internal control exercised by the bank for this purpose serves to ensure:

the proper performance of all duties in connection with fiduciary relationships;

the safety and proper accounting of all assets held by the bank and resulting from fiduciary relationships.

A bank's internal control system has an inherent limitation: in the course of banking operations, transactions may be so large and important to the financial statements of the ICB that the use of the results of internal control testing cannot replace the actual verification of the documentation underlying such transactions.

In determining the nature, timing and extent of substantive reviews, the auditor should consider the factors that affect banking risks:

  • 1) in relation to the risks associated with banking products and services, the auditor must decide whether the following are necessary:
    • actual verification, confirmation and reconciliation of freely traded items at the end of the year;
    • special testing of individually significant balances by checking primary documentation and confirmations from third parties;
    • verification of transactions and events that occurred after the end of the reporting year and indicate a decrease in the value of assets at the end of the year;
  • 2) in relation to factors that affect operational risks, the auditor should decide whether the following are necessary:
    • performing tests before the end of the year in order to complete the audit in a timely manner;
    • application of computerized audit methods;
    • using statistical sampling techniques when there are a large number of similar accounts or transactions;
    • use of analytical review methods to detect conditions of particular interest for the audit, etc.

The auditor may consider the following procedures to be particularly important when examining bank accounts:

analytical procedures (especially in relation to interest income and expenses, analysis of ratios, trends, deviations, review of the content of reports);

inspections (especially in areas such as bullion and precious metals, securities, loan agreements, agreements for the sale and repurchase of assets, guarantees);

PMAP 1006 contains a list and description of audit objectives and especially important issues requiring attention on certain items of financial statements (bars, balances on accounts in other banks, transactions with securities, etc.).

In expressing an opinion on the financial statements of the ICB, the auditor should:

follow special forms, use appropriate terminology and accounting principles, as defined by law, regulatory bodies, professional organizations and current industry practices;

make sure that the accounts of foreign branches and subsidiaries included in the consolidated financial statements of the ICB have been adjusted to bring them into line with the accounting principles on which the bank presents its reports. This is especially true for banks due to the large number of countries in which subsidiaries and branches are located, as well as due to the fact that in many countries local legislation establishes special accounting principles applied primarily to banks;

if the existence of hidden reserves is not indicated in the financial statements and this is permitted by local law, refer to this circumstance in the auditor's report (it is advisable to do this by referring to the relevant regulations or acts that allow the creation of hidden reserves).

Annexes to PMAP 1006 provide examples of checklists for evaluating the internal control system, financial ratios for evaluating the performance of an ICB, and substantive audit procedures for assessing loan loss allowance.

3. Features of the audit of small enterprises

PMAP 1005 "Features of the audit of small enterprises" is designed to provide practical assistance to auditors in applying ISAs in the process of auditing the financial statements of small businesses. The Committee on International Auditing Practices notes that the audit of small businesses has some peculiarities. However, PMAP 1005 does not establish new requirements for the audit of small businesses. The purpose of PMAP 1005 is to review the main characteristics of small enterprises and determine the degree of their impact on the application of ISAs.

In this regard, PMAP 1005 includes the following sections:

main characteristics of small enterprises;

guidelines for the application of ISAs in the process of auditing small businesses;

Characteristics of small enterprises. The audit of a small enterprise differs from the audit of a large organization in the simplified documentation and less complex nature of the audit, which allows the use of a limited number of employees in audits.

For the purposes of PMAP 1005, a small enterprise is any subject:

  • a) the right of ownership and management of which is concentrated within a narrow circle of persons (often one person);
  • b) to which one or more of the following characteristics may apply:

limited number of sources of income;

simplified accounting system, limited internal controls, combined with the ability for management to circumvent such controls.

This list of features is not exhaustive. For the purposes of PMAP 1005, small businesses are generally considered to have the traits in (a) as well as some of the characteristics in (b).

According to the provisions of the IFAC Code of Ethics, auditors are allowed to provide accounting services to clients subject to the principle of independence.

4. Other issues addressed in the provisions of international audit practice

Environmental issues are becoming important to an increasing number of entities and, under certain circumstances, can have a significant impact on financial statements. These matters may require additional consideration by the auditor. Statement 1010, Accounting for Environmental Issues in the Audit of Financial Statements, provides practical guidance to the auditor, although it is not an ISA. PMAP 1010 describes:

Key considerations in an audit of financial statements related to environmental matters.

Examples of the possible impact of environmental issues on financial reporting.

business knowledge (ISA 310);

risk assessments and internal control systems (ISA 400);

consideration of laws and regulations (ISA 250);

other substantive procedures (ISA 620 and some others).

The appendices to this Regulation provide sample questions that may be considered by the auditor when gaining knowledge of the client's business, control environment, and control procedures from an environmental perspective. It also describes the substantive procedures used by the auditor to detect material misstatements of fact in the financial statements relating to environmental matters.

This Regulation does not establish any new principles or procedures. Its purpose is to assist auditors and disseminate good practice by providing guidance on the application of ISAs in cases where environmental issues are important to an entity's financial reporting. PMAP 1010 does not provide advice on auditing the financial statements of insurance entities in connection with insurance policy claims when ecological problems affect the holders of such policies.

For the purposes of this Regulation, the term "environmental issues" means the following:

attempts to prevent, reduce or eliminate harm to the environment, or engage in the conservation of renewable and non-renewable resources;

consequences of violation of laws and regulations on environmental protection;

consequences of environmental harm caused to other persons or natural resources;

consequences of vicarious liability established by law (for example, liability for damage caused by previous owners).

PMAP 1010 contains the main examples of environmental issues that could affect the financial statements:

the introduction of environmental laws and regulations may lead to the depreciation of assets and, as a result, the need to reduce their carrying value;

non-compliance with environmental laws, such as the disposal of emissions and wastes, or retroactive changes in legislation, may require the assessment of amounts for corrective actions, payment of compensation and payment of legal costs;

some facilities, such as mining, chemicals, or waste disposal, may have environmental liabilities as a direct by-product of their core business;

constructive obligations arising from voluntary action (for example, the subject may detect soil contamination and, without legal obligations, decide to eliminate the contamination, caring for their reputation and improving relations with the community);

an entity may be required to disclose in the notes the existence of contingent liabilities if costs relating to environmental matters cannot be measured reliably;

in extreme cases, non-compliance with certain environmental laws and regulations may affect the duration of an entity's operations on the going concern basis and therefore the disclosures and basis for financial reporting.

ISA 310, Business Knowledge, requires sufficient knowledge of the client's business in all audits. Any entity may be exposed to significant environmental risk if it:

is highly dependent on environmental laws and regulations;

owns sites contaminated by previous owners (vicarious liability) or holds a lien over such sites;

engages in business activities that may contaminate soil, water or air, involve the use of hazardous substances or the production or treatment of hazardous waste, or may have a negative impact on customers, employees, or the population living near the company's buildings.

Environmental risk is the risk of material misstatement of the financial statements due to environmental issues.

The relationship between environmental issues and the audit risk model is disclosed through certain aspects of ISA 400 Risk Assessment and Internal Control. Thus, environmental risks at the level of financial reporting include:

the risk of costs associated with compliance with laws or contractual requirements;

the risk of non-compliance with environmental laws and regulations;

the possible impact of the specific environmental requirements of the entity's customers and their possible response to the entity's environmental behavior.

If the auditor believes that environmental risk is an important component in the assessment of inherent risk, when developing an audit program, he should relate the assessment made to significant account balances and classes of transactions at the assertion level (ISA 400, § 11). Examples of environmental risk at the level of account balances and classes of transactions are:

the extent to which the account balance is based on estimates in the field of environmental issues (eg an estimate of the environmental reserve for the removal of contaminated land and the cleanup of a future construction site);

the extent to which the account balance is affected by unusual or non-routine transactions related to environmental issues.

When, in the auditor's opinion, environmental matters may materially affect the entity's financial statements, the auditor should obtain an understanding of the entity's policies and significant procedures regarding the monitoring and control of such matters (the entity's environmental controls).

When evaluating the control environment, the auditor takes into account the main provisions of ISA 400 (§ 19). To evaluate the control environment, it may be necessary to take into account the following factors related to environmental issues:

functioning of the board of directors in relation to environmental controls;

leadership philosophy and management style on environmental issues, including voluntary reporting on environmental issues (which is prepared separately from the financial statements);

organizational structure of the subject and methods for solving environmental issues;

management control system, including internal audit, "environmental audit", personnel policy, procedures and segregation of duties.

If the auditor decides that he needs to gain an understanding of environmental controls, he may check the procedures and policies:

to monitor compliance with the entity's environmental policies, as well as with laws and regulations on ecology;

maintaining an appropriate environmental information system, which may include records of, for example, actual emissions and hazardous waste, environmental performance of products, results of law enforcement inspections, occurrence and consequences of accidents, etc.;

reconciliation of environmental information with related financial information, such as the actual amount of waste versus the cost of removing it;

identifying potential environmental issues and the related contingent liabilities that affect the entity.

In accordance with ISA 250 Considering Laws and Regulations in an Audit of Financial Statements, the entity's management is responsible for ensuring that it operates in accordance with laws and regulations. To get a general idea of the relevant environmental laws and regulations, the auditor usually:

uses knowledge about the client's business;

conducts management surveys on the entity's policies and procedures for compliance with environmental laws and regulations;

conducts management surveys on environmental laws and regulations that are expected to have a significant impact on the entity's operations;

discusses with management the policies and procedures adopted to identify, evaluate and account for litigation, claims and accrued penalties.

Changes in environmental legislation may:

have a significant impact on the entity's operations (for example, a change in noise regulations may hinder the future use of machinery and equipment);

give rise to obligations relating to past events that were not regulated by law at the time (for example, the adoption of more stringent standards under which the enterprise will be responsible for waste from past years, although they did not contradict the practice that existed in those years).

PMAP 1010 has a section "Substantive Procedures" which provides guidance on substantive procedures, including ISA 620, Using the work of an expert, and ISA 610, Reviewing the work of internal audit. The auditor assesses the level of inherent risk and the risk of the control system, taking into account environmental issues. Substantive procedures involve obtaining evidence by interviewing both management responsible for financial reporting and key personnel responsible for environmental matters. The auditor considers the need to obtain audit evidence supporting any assertions on environmental matters, both within and outside the client organization. Examples of substantive procedures that may be performed by the auditor to detect a material misstatement in financial statements related to environmental matters are given in Appendix 2 to PMAP 1010.

The use of professional judgment may be important because of certain difficulties associated with recognizing and measuring the effects of environmental matters in financial statements, for example:

significant time elapses between an event that caused environmental damage and the detection of such an event;

estimates may not have established historical practice or vary significantly due to the number and nature of assumptions;

regulations on environmental protection are being improved and their interpretation may be complex or ambiguous;

obligations may not arise from legal or contractual obligations.

During the audit, the auditor may discover evidence of a risk that the financial statements contain a material misstatement due to environmental issues. Examples of such circumstances include:

availability of reports prepared by environmental specialists, internal auditors or environmental auditors that indicate significant environmental issues;

violation of laws and regulations on environmental protection, mentioned in the correspondence or reports of regulatory authorities;

inclusion of the name of the subject in the official register or schedule for the elimination of soil and water pollution;

Chapter 7 of the Regulation on International Auditing Practice

7.1. Provisions clarifying the use of computer information systems in the course of an audit

7.1.1. Features of the audit in the environment of computer information systems

Regulations on International Auditing Practice (PMAP) devoted to computer technologies in audit are conditionally divided into two groups:

1) reflecting the features of the computer information systems of the subject (this group includes PMAP 1001-1003, 1008);

2) characterizing computers as a means of performing audit procedures (PMAP 1009).

PMAP 1001-1003 are issued as appendices to ISA 400 "Risk Assessment and Internal Control System", but are not part of it. Below is the content of PMAP 1001, 1002, 1003 and 1008.

The purpose of PMAP 1001 "CIS environment - stand-alone microcomputers" is to assist the auditor in meeting the requirements of ISA 400 and PMAP 1008 by describing microcomputer systems used as stand-alone workstations.

Microcomputers in PMAP terminology are personal computers, or PCs. Microcomputers can be used as a means of processing accounting entries and preparing financial statements. Therefore, there is a need for certain internal controls and audit procedures in relation to PC systems.

The microcomputer can be used in various configurations. Therefore, PMAP 1001 distinguishes the following main configurations:

1) an independent workstation used by one user or several users in turn, who can work with one or different programs;

2) local network of microcomputers, i.e. when several microcomputers are combined through the use of special programs and communication lines;

3) connected system, i.e. workstation connected to a central computer.

A computer information system (CIS) environment that uses microcomputers is less complex than a centrally controlled CIS environment. In this regard, in the environment of microcomputers, internal control can be significantly weakened:

a) application programs can be easily developed by users;

b) because the data is processed by a computer, users of such financial information may, without reasonable grounds, place undue reliance on it;

c) since microcomputers are targeted at individual end users, the accuracy and reliability of the information produced will depend on internal controls established by management or the user.

PMAP 1001 lists security and control procedures that can enhance the overall level of internal control. The grouping of the main procedures is presented in Table 7.1.

The impact of the PC on the accounting system and related internal control mechanisms depends on:

The degree of use of microcomputers in accounting;

The type and significance of processed financial transactions;

The nature of the files and programs used.

The key factors of CIS controls are:

1) General CIS controls - segregation of duties, including:

Entering data into the system;

Computer management;

Modifying programs or distributing imprint;

Operating system modification.

2) CIS applied controls:

Systems for registering transactions and reconciling data by groups;

Direct observation;

Reconciliation of accounts or balances by section, etc.

Table 7.1. Security and control procedures that enhance the overall level of internal control in the microcomputer environment

| Procedure | Description |
|---|---|
| Management permission to use microcomputers | Introduction and enforcement of instructions for the use and control of autonomous microcomputers |
| Physical security of equipment | Restricting access to idle PCs through door locks and other security measures after business hours |
| Physical security of embedded and offline media | Assigning responsibility for offline media to employees whose responsibilities include software storage |
| Security of programs and data | Installing means in application programs to ensure that data is processed and read only by permission and to prevent data deletion (passwords, cryptography, hidden files, etc.) |
| Software and information integrity | Format and range validation, and cross-validation of results. Adequate written documentation for application programs. Separation of places of use and storage of copies of programs |
| Hardware, software and data support | Support is the entity's plans to gain access to similar hardware, software, and data in the event of failure, loss, or breakage of the original |

To ensure effective internal control of CIS, an independent unit can be created.

The PC environment also has an impact on audit procedures. As management may not consider it appropriate to implement appropriate controls in a microcomputer environment, the auditor is often right to assume that the risk of controls in such systems is high. Therefore, the auditor may focus his efforts on substantive reviews at or near the end of the year. Computer audit methods may include:

1) use of client software (databases, spreadsheets, software products);

2) use of the auditor's own software (for example, to include transactions or balances in data files for comparison with control entries or account balances in the general ledger).

If microcomputer systems process a large number of transactions, it is more appropriate to conduct audit work on these data on a preliminary date.
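The second method above, the auditor's own software comparing a transaction file with control entries and general ledger balances, can look like the following. This is an added example, not code from the textbook or from PMAP 1001; the file layout, account numbers, batch control totals and ledger balances are constructed sample data.

```python
"""Auditor-side reconciliation of a transaction file exported from a PC accounting package."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample: posted transactions as exported from the client's system.
TRANSACTIONS_CSV = """batch,doc_no,account,amount
B001,1001,1200,250.00
B001,1002,1200,99.95
B001,1003,4000,-349.95
B002,1004,1200,75.10
B002,1004,1200,75.10
B002,1006,4000,-75.10
"""

# Constructed sample: period movement per account according to the general ledger.
GENERAL_LEDGER = {"1200": Decimal("425.05"), "4000": Decimal("-425.05")}

# Constructed sample: control entries kept by the user at data entry
# (record count and net amount per batch).
BATCH_CONTROL = {"B001": (3, Decimal("0.00")), "B002": (2, Decimal("0.00"))}


def load_transactions(text):
    """Parse the export; amounts are Decimal so that totals are exact."""
    return [
        {"batch": r["batch"], "doc_no": int(r["doc_no"]),
         "account": r["account"], "amount": Decimal(r["amount"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def reconcile_accounts(txns, ledger):
    """Return {account: file total minus ledger balance} for accounts that differ."""
    totals = defaultdict(Decimal)
    for t in txns:
        totals[t["account"]] += t["amount"]
    diffs = {}
    for account in sorted(set(totals) | set(ledger)):
        diff = totals.get(account, Decimal(0)) - ledger.get(account, Decimal(0))
        if diff != 0:
            diffs[account] = diff
    return diffs


def check_batches(txns, controls):
    """Compare recomputed batch totals with the control entries: (actual, expected)."""
    actual = defaultdict(lambda: [0, Decimal(0)])
    for t in txns:
        actual[t["batch"]][0] += 1
        actual[t["batch"]][1] += t["amount"]
    exceptions = {}
    for batch in sorted(set(actual) | set(controls)):
        count, total = actual.get(batch, [0, Decimal(0)])
        exp_count, exp_total = controls.get(batch, (0, Decimal(0)))
        issues = {}
        if count != exp_count:
            issues["count"] = (count, exp_count)
        if total != exp_total:
            issues["total"] = (total, exp_total)
        if issues:
            exceptions[batch] = issues
    return exceptions


def document_exceptions(txns):
    """Return (duplicated document numbers, numbers missing from the sequence)."""
    seen, duplicates = set(), set()
    for t in txns:
        if t["doc_no"] in seen:
            duplicates.add(t["doc_no"])
        seen.add(t["doc_no"])
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return sorted(duplicates), gaps


if __name__ == "__main__":
    txns = load_transactions(TRANSACTIONS_CSV)
    print("Account differences:", reconcile_accounts(txns, GENERAL_LEDGER))
    print("Batch exceptions:   ", check_batches(txns, BATCH_CONTROL))
    print("Duplicates / gaps:  ", document_exceptions(txns))
```

In the sample data all three checks point at the same item: document 1004 was keyed twice in batch B002, which inflates account 1200 against the ledger and breaks the batch control entry.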

Table 7.2 gives examples of control procedures that the auditor can analyze if he intends to rely on internal control over accounting in the microcomputer system.

Table 7.2. Examples of control procedures that the auditor may consider to rely on internal control of the microcomputer system

PMAP 1002 "CIS environment - interactive computer systems" describes the results of the impact of interactive computer systems on the accounting system and related internal controls, as well as audit procedures. Interactive computer systems are computer systems that give users direct access to data and programs through a terminal.

Such systems can be based on: a) mainframe computers (servers); b) minicomputers; or c) microcomputers that are part of a network environment. PMAP 1002 describes various types of terminal devices (Table 7.3).

Terminals at their location can be local (directly connected to the computer via cable) and remote (requiring the use of telecommunications).

Table 7.3. Types of terminal devices

Interactive computer systems are classified according to the methods of entering information into the system, the methods of its processing and the time the user receives the results (Table 7.4).

Interactive computer systems have the following main characteristics that are significant to the auditor:

When data is entered online, it is usually validated immediately;

Users can have interactive access to the system, allowing them to perform various functions;

The system can be designed in such a way that it does not provide supporting documents for all transactions entered into the system, but this information can be obtained additionally;

Programmers may have access to an interactive system, allowing them to develop new programs and modify existing ones.

Table 7.4. Classification of interactive computer systems

| System type | Description | Example |
|---|---|---|
| Interactive/real-time processing | Individual operations are entered into the terminal device, checked and used to immediately update the associated computer files | Receipt of client's cash funds credited directly to his account |
| Interactive mode / processing of data groups | The transaction is entered into the terminal device, grouped and added to the file of transactions entered during the period | Ledger entries are entered in the journal entry file, but the main general ledger file is updated monthly |
| Online mode / update of the memorandum file (and further processing) | Combines interactive/real-time processing and interactive/group data processing | Withdrawal of money through an ATM, when the amount is reconciled with the balance of the client's account in the memorandum file and is immediately reflected in the client's account |
| Online help mode | Get help on core files that are updated by other systems | Inquiry about the credit status of a specific customer before accepting an order |
| Processing read/download data online | Transferring the data of the main file to the smart device of the terminal for further processing by the user | Head office data for a branch office can be downloaded to the branch terminal device and returned to the head office after processing |

The means of internal control of interactive computer systems are divided into two groups: general tools and applied tools. The list of specific procedures for these two groups is presented in PMAP 1002 and summarized in Table 7.5 of this manual.

The impact of interactive computer systems on the accounting system and associated risks depends on:

The degree of use of computer systems for processing accounting applications;

The type and significance of financial transactions processed;

The nature of the files and programs used in applications.

Table 7.5. Means of internal control of interactive computer systems

| Group | List of controls | Description |
|---|---|---|
| General tools | Access controls | Restricting access to programs and data |
| General tools | Password control | Setting and maintaining passwords for authorized users |
| General tools | Control over the improvement and maintenance of systems | Inclusion in the system, in the course of its improvement, of means of control over application programs (passwords, confirmation procedures, etc.) |
| General tools | Programming controls | Prevent or detect inappropriate changes to computer programs |
| General tools | Activity logs | Reports designed to create an audit "trace" for each interactive operation (reflecting the source of the operation and its elements) |
| Applied tools | Authorization prior to processing | Permission to carry out the operation |
| Applied tools | Terminal device editing, validity tests, and other validation tests | Programs that daily check the completeness, accuracy and validity of the input data and processing results |
| Applied tools | Procedures for assignment to the proper period | Ensuring the processing of transactions in the relevant reporting period |
| Applied tools | File control | Procedures for interactive processing using the correct data files |
| Applied tools | Master file control | Changes to core files are controlled by procedures, operation data |
| Applied tools | Mapping | The process of establishing control over the totals of data transmitted for processing through terminal devices in an interactive mode, and comparing control totals |

Factors that increase and reduce the risk of fraud and errors in interactive systems are listed in Table 7.6.

Interactive computer systems can also affect internal controls:

Initial data may not be available for all input transactions;

Processing results may be too general;

Interactive computer systems may not be designed to provide printed reports, and editing of reports may be hindered by messages on the display.

Table 7.6. Factors that increase and reduce the risk of fraud and errors in interactive systems

| Cases of reduced risk of fraud and errors | Cases of increased risk of fraud and errors |
|---|---|
| Data entry is done at or near the site where the operation originates | Terminal devices are located in different premises of the subject |
| Invalid transactions are corrected and re-entered immediately | Ability for unauthorized users to modify transactions or balances, computer programs, remote access to data and programs |
| Data entry is performed by persons who understand the nature of the operation | Interactive processing interrupted |
| Transactions are processed immediately online | Access to data and programs online via telecommunications |

PMAP 1002 highlights the following aspects of the impact of interactive computer systems on audit procedures:

Authorization, completeness and accuracy of online operations;

Integrity of records and processing due to interactive access to the system by many users and programmers;

Changes in the performance of audit procedures, including computer-assisted audit methods.

In connection with these factors, the auditor may perform specific procedures at all stages of the audit:

1) at the planning stage - include professionals with technical skills in the audit team; determine in advance, in the process of assessing risk, the impact of the interactive system on audit procedures;

2) simultaneously with interactive processing - audit procedures may include verification of the conformity of controls over interactive applications;

3) after the interactive processing of information, the compliance of the means of control over transactions is checked for authorization, completeness and accuracy; verification of transactions on the merits instead of tests of controls; reprocessing of transactions in the form of procedures on the merits or for compliance.

New interactive accounting applications can be reviewed before rather than after they are installed. This will give the auditor an opportunity to test additional features and provide sufficient time to develop and test audit procedures before they are performed.

PMAP 1003 "CIS environment - database systems" describes the impact of the database on the accounting system, the associated internal control system and audit procedures.

Database systems consist of two main components: databases and database management systems (DBMS).

A database is a collection of data that is used by a number of users for various purposes.

The software that is used to create, maintain and operate a database is called DBMS software.

If the data system is used by a single user, it is not considered a database for the purposes of PMAP 1003.

Database systems have two important characteristics:

Data sharing (by many users and in different programs);

Independence of data from application programs (the database is written once for use by different programs).

These characteristics require the use of a data dictionary and the establishment of a data administration unit, i.e. coordination of the database by a group of persons.

A data dictionary is a specific piece of software for keeping track of the location of data in a database; it also serves as a means of storing standardized documentation and database environment definitions in applications.

Administration tasks typically include the following:

Definition of the database structure;

Ensuring the integrity, security and completeness of data;

Coordination of computer operations;

Monitoring the results of the system;

Providing administrative support;

Ensuring the existence of an adequate connection between databases, coordination of their functions, consistency of data in different databases.

The effectiveness of internal controls depends to a large extent on the nature of database administration tasks and how they are performed. Because of the sharing of databases, common CIS controls typically have more impact on databases than application controls. Characteristics of common means of control of CIS in database systems are presented in Table 7.7.

The impact of the database system on the accounting system and related errors generally depends on:

The degree of use of databases in accounting programs;

Type and value of processed financial transactions;

The nature of databases, DBMS, administration tasks;

General CIS controls that are especially important in a database environment.

Database systems usually provide more reliable data than systems without a database. However, the use of database systems can both increase and decrease the risk of fraud and error. The following contribute to greater data reliability:

Greater data consistency;

Data integrity, which can be improved through the use of recovery, editing and confirmation procedures, security and control tools built into the DBMS;

Other DBMS features, such as report generator features (for creating mapping reports) and query languages (for identifying inconsistencies in data).

The risk of fraud and error can be increased if database systems are used without appropriate controls.

Table 7.7. Characteristics of common CIS controls in database systems

| Groups of general controls | Characteristic |
|---|---|
| Standard approach to application development and support | 1. Following an orderly, step-by-step approach to be followed by all persons developing and modifying programs. 2. Analyzing the impact of new and existing operations on the database when modification is needed |
| Data ownership | 1. Making one database user responsible for defining access and security rules. 2. Identification of specific data users |
| Database access | 1. Restricting access by using passwords (for people, terminals and programs) |
| Segregation of duties | Responsibility for performing various operations necessary for the development, implementation and operation of the database is shared between technical, design, administrative staff and users |

Audit procedures are mainly affected by the extent to which database data is used in the accounting system. Where significant accounting programs use a common database, PMAP 1003 recommends the use of the following audit procedures:

1) when planning an audit, consider the impact of the following factors on audit risk:

a) DBMS and significant accounting applications;

b) standards and procedures for developing and maintaining applications that use the database;

c) job responsibilities, standards and procedures for databases;

d) procedures to ensure the integrity, security and completeness of data;

e) availability of audit facilities in the DBMS;

2) check how controls are used in the database system and then decide whether to rely on those controls and what compliance tests to perform;

3) When the auditor decides to perform compliance tests, audit procedures may include:

a) generating test data;

b) providing an audit trail of transactions;

c) checking the integrity of databases;

d) providing access to the database or a copy of its necessary parts;

e) obtaining information necessary for the audit;

4) consider whether additional substantive testing of all significant accounting programs that use the database will help achieve the objective of the audit;

5) it may be more efficient to test new accounting programs not after, but before installing them.

A computer information systems (CIS) environment exists when an entity uses a computer of any model or size to process financial information relevant to the audit, whether the computer is used by that entity or by a third party.

Table 7.8. Structural and procedural characteristics of CIS

| Aspects of CIS application | Positive / negative characteristics of CIS |
|---|---|
| Sequence of execution of functions | Positive: more reliable due to the programmed sequence of actions. Negative: possibility of incorrect processing due to insufficient testing of the program |
| Programmed control procedures | Positive: allows internal control procedures to be incorporated into computer programs |
| One-time data update in various computer files and databases | Positive: automatic update of data throughout the system upon one-time input of information. Negative: a wrong posting can lead to errors in various financial accounts |
| Operations generated by systems | Some operations can be initiated by the CIS itself without incoming documents and permissions (based on the algorithms embedded in the program) |
| Vulnerability of data storage and programs | Negative: portable storage media can be stolen, lost, intentionally or accidentally destroyed |

Table 7.9. Types of CIS controls

| Comparison criterion | General controls | Applied controls |
|---|---|---|
| | Establishment of a structure of general control over the activities of the CIS and ensuring sufficient confidence in the achievement of the main objectives of internal control | Establishing specific control procedures for accounting applications to provide reasonable assurance that all transactions are authorized, recorded and processed in a complete, accurate and timely manner |
| List of controls | Organizational and managerial control; control over the development and operation of the system of applied programs; computer control; software control; control over data entry and programs | Input control; control over processing and computer data files; results control |
| Additional information | Other protective measures: off-system backup of data and computer programs; recovery procedures in case of theft, loss, destruction; ensuring that operations are handled outside the system in the event of a massive outage | Overview of applied controls, i.e. the auditor may test the following controls: manual user control; control over input data (using a combination of computer and manual methods); programmable control procedures (using computerized audit methods: test data, reprocessing of data on operations, verification of application program coding) |

PMAP 1008 "Risk Assessment and Internal Control System - Characteristics of CIS and Related Matters" was prepared as an addendum to ISA 400, but PMAP 1008 is not part of ISA.

In accordance with this PMAP, in the CIS environment, the subject must determine:

a) an organizational structure that has the following characteristics: concentration of functions and knowledge (reduction in the number of maintenance personnel and, accordingly, the risk of unauthorized changes to the system), concentration of programs and data (data can only exist in machine-readable form on one or more computers, which can increase the likelihood of unauthorized access);

b) CIS management procedures.

The nature of data processing in CIS may have its own specifics in the absence of internal controls:

Lack of primary documents;

No visual trace of the operation;

Lack of visual result;

Free access to data and computer programs.

The above leads to a decrease in data reliability.

Improving CIS affects their structural and procedural characteristics, which differ from those inherent in manual data processing, which is reflected in Table 7.8.

Internal control over computer processing of data includes two types of procedures according to the way they are performed:

1) procedures carried out by manual processing;

2) procedures built into computer programs.

Internal control procedures are also divided into general and applied ones (Table 7.9).

Weaknesses in common controls can prevent testing of certain CIS application controls. However, manual procedures used by the user can be an effective means of control at the application level.

7.1.2. Audit Methods Using Computers

Computer-assisted audit methods (MACs) are techniques in which a computer is used as an audit tool.

Recommendations for the use of MAC in auditing are provided by PMAP 1009 "Audit Methods Using Computers". At the same time, as defined in ISA 401 "Audit in the conditions of computer information systems", the general objectives and scope of the audit do not change when the audit is carried out in the field of computer information systems.

The regulation describes two of the most common types of MAC: audit software and test data used for audit purposes. The main features of these MACs are presented in Table 7.10.

Table 7.10. Description of audit methods using computers

Component: Description

Audit software consists of computer programs used by the auditor as part of audit procedures.

Software package: Generic computer programs designed to perform data processing functions, including reading computer files, extracting information, performing calculations, creating data files, and printing reports in a form specified by the auditor.

Special purpose programs: Computer programs designed to perform audit tasks in specific settings.

Utility programs: Used by the subject to perform common data processing functions (sorting, creating and printing files). Not normally intended for audit purposes.

Test data is used in audit procedures by entering data into the subject's computer and comparing the results with predetermined results.

Testing specific controls in computer programs: Testing interactive password and data access controls.

Selection of control operations: Control transactions are selected from previously processed business transactions or created by the auditor to test certain characteristics of the processing carried out by the subject's computer system.

Built-in test subsystems: Control operations are used in built-in subsystems with a simulation module (for example, a department or an employee) through which they pass during the normal processing cycle.


If tests are used during the normal transaction processing cycle, the auditor should ensure that the test records are deleted at the end of the test.
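The test data method and the clean-up requirement described above can be illustrated as follows. This is an added example, not part of the textbook: the payment routine, reject codes, approval limit and dummy department are assumptions made up for the illustration, and all records are constructed.

```python
from dataclasses import dataclass

APPROVAL_LIMIT = 10_000             # assumed control: larger payments need an approver
KNOWN_VENDORS = {"V-100", "V-200"}  # constructed vendor master file
TEST_DEPT = "ZZ-AUDIT"              # dummy department acting as the simulation module

@dataclass(frozen=True)
class Txn:
    txn_id: str
    dept: str
    vendor: str
    amount: int
    approver: str = ""

def post_payment(ledger, txn, enforce_approval=True):
    """Hypothetical stand-in for the subject's program: post or return a reject code."""
    if txn.vendor not in KNOWN_VENDORS:
        return "REJ_VENDOR"
    if txn.amount <= 0:
        return "REJ_AMOUNT"
    if enforce_approval and txn.amount > APPROVAL_LIMIT and not txn.approver:
        return "REJ_APPROVAL"
    ledger.append(txn)
    return "POSTED"

# Auditor's test data (constructed): each transaction with its predetermined result.
TEST_DATA = [
    (Txn("T1", TEST_DEPT, "V-100", 500), "POSTED"),
    (Txn("T2", TEST_DEPT, "V-999", 500), "REJ_VENDOR"),
    (Txn("T3", TEST_DEPT, "V-200", 10_000), "POSTED"),        # at the limit
    (Txn("T4", TEST_DEPT, "V-200", 10_001), "REJ_APPROVAL"),  # just over, no approver
    (Txn("T5", TEST_DEPT, "V-200", 10_001, "cfo"), "POSTED"),
    (Txn("T6", TEST_DEPT, "V-100", -5), "REJ_AMOUNT"),
]

def run_test_data(ledger, process=post_payment):
    """Return (exceptions, ledger_restored) after running and removing the test data."""
    before = list(ledger)
    exceptions = []
    for txn, expected in TEST_DATA:
        actual = process(ledger, txn)
        if actual != expected:
            exceptions.append((txn.txn_id, expected, actual))
    # Delete the test records, then confirm the live records are exactly as before.
    ledger[:] = [t for t in ledger if t.dept != TEST_DEPT]
    return exceptions, ledger == before

if __name__ == "__main__":
    live = [Txn("L1", "SALES", "V-100", 1_200)]  # constructed live record
    print(run_test_data(live))
    print(run_test_data(live, lambda l, t: post_payment(l, t, enforce_approval=False)))
```

The second call runs the same test data against a variant with the approval check switched off, so transaction T4 is reported as an exception while the ledger is still restored.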

MACs can be used in a variety of audit procedures, including the following:

Detailed tests of transactions and balances (for example, using audit software to test transactions on a computer file);

Analytical review procedures (for example, the use of audit software to detect unusual changes or items);

Verification of compliance with general CIS controls (for example, the use of test data to verify procedures for accessing software libraries);

Verification of compliance with CIS application controls (for example, the use of test data to verify the functioning of a programmed procedure).

When planning an audit, the auditor should consider an appropriate combination of non-computerized and computerized audit techniques. When deciding whether to use MAC, the following should be considered:

1) knowledge, skills and experience of the auditor with a computer (the level of knowledge depends on the complexity and nature of the MAC and the accounting system of the subject);

2) the ability to use the MAC and the availability of appropriate computer devices (the auditor may plan to use other computer devices if the use of the MAC is not economically feasible or practicable, for example, due to incompatibility between accounting and audit programs; assistance from the subject's specialists may also be required);

3) the impracticality of using manual tests (if there is no visual evidence, manual tests may not be possible, for example, when purchase orders are entered into the system online);

4) efficiency and effectiveness (they can be improved by using MAC, for example, to test a large number of operations, if it is possible to print a report on non-standard operations, etc.);

5) the time factor, the influence of which on the use of MAC

Certain computer files, such as business transaction files, are often stored on a computer for only a short period of time and may not be available in machine-readable form when the auditor needs them. As a result, the auditor must take action so that the files he needs are retained, or he will need to change the timing of the work for which these data are needed;

When audit time is limited, the use of the MAC may be more in line with the audit schedule than manual procedures.

The main steps an auditor needs to take when using a MAC include:

Establishment of goals for the application of the MAC;

Determining the content of the subject's files and the order of access to them;

Determining the types of business transactions to be tested;

Determining the procedures to be applied to the data;

Determining the requirements for the results obtained;