Para 3.22.15 — MSO (Audit)
Original Rule Text
3.22.15 Compliance testing of controls in computer systems and programmes is difficult and complicated as their operation is automatic, invisible and not fully evidenced since the exceptions alone are normally evidenced. Detailed manual testing of these controls is rarely cost effective; however, a possible alternative approach would be to resort to CAATs. For example, either test data or audit software may be used to test a control designed to ensure that payments exceeding a certain value are not made. Audit software can be used in this context to interrogate the entire payments file to identify payments in excess of the specified value. If no such cases are revealed, the auditor has some assurance that no such payment was made. This is a negative assurance since it is possible that no invalid data was in fact presented to the system and, therefore, the control in question was never invoked. However, if the interrogation is applied to the entire year's transactions, it achieves the main audit objective in that no excess payments will have been made in the period. Even when test packs or interrogation techniques are used, the auditor should examine the procedures for dealing with exception or error reports in order to ensure that invalid transactions are corrected and re-input for processing.
# Audit techniques
What This Means
Testing controls in computerised systems is difficult because they operate automatically and invisibly — only exceptions are normally recorded. Manual testing is rarely cost-effective, so auditors should use Computer Assisted Audit Techniques (CAATs) instead. For example, audit software can interrogate an entire payments file to check whether any payment exceeds a prescribed limit, providing assurance across the full year's transactions. Even with CAATs, auditors must verify that error reports are properly handled and corrections are re-processed.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Computer controls are automatic and invisible, making manual testing difficult
- Only exceptions are normally evidenced in computerised systems
- CAATs (test data, audit software) are the practical alternative to manual testing
- Audit software can interrogate entire data files for 100% coverage
- Exception and error reports must be examined for proper follow-up
- Invalid transactions must be corrected and re-input for processing
Practical Example
The auditor needs to verify that no salary payment exceeding Rs 2.5 lakh per month was made without additional approval. Instead of manually checking 12,000 monthly payslips, they use audit software to scan the entire year's salary file. The software flags 8 payments above the threshold — 6 had proper approval on file, but 2 were processed without authorisation, totalling Rs 7.3 lakh in irregular payments.
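The interrogation described in this example can be sketched as follows. This is an added illustration, not part of the rule text or of any official audit tool; the column names (`emp_id`, `month`, `amount`, `approval_ref`) and the sample rows are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("250000")  # Rs 2.5 lakh per month, as in the example above

# Constructed sample salary file; the column names are assumptions.
SAMPLE = """emp_id,month,amount,approval_ref
E001,2024-04,180000,
E002,2024-04,265000,APR/24/017
E003,2024-05,310000,
E004,2024-05,250000,
E005,2024-06,2.6 lakh,
E006,2024-06,420000,
"""

def interrogate(lines, limit=LIMIT):
    """Scan every record and report over-limit payments and unreadable rows."""
    result = {"scanned": 0, "over_limit": [], "unapproved": [], "rejects": []}
    # Data rows start on line 2 of the file (line 1 is the header).
    for line_no, row in enumerate(csv.DictReader(lines), start=2):
        result["scanned"] += 1
        try:
            amount = Decimal(row["amount"].strip())
        except (InvalidOperation, AttributeError, KeyError):
            # Unreadable amount: list it for follow-up instead of skipping it,
            # since a silently dropped row would undermine 100% coverage.
            result["rejects"].append((line_no, row.get("emp_id")))
            continue
        if amount > limit:
            hit = (row["emp_id"], row["month"], amount)
            result["over_limit"].append(hit)
            if not (row.get("approval_ref") or "").strip():
                result["unapproved"].append(hit)
    result["unapproved_total"] = sum(
        (amt for _, _, amt in result["unapproved"]), Decimal(0))
    # Negative assurance: with no over-limit payment in the file, the
    # approval control was never invoked, so a clean result proves little.
    result["control_exercised"] = bool(result["over_limit"])
    return result

def run_sample():
    return interrogate(io.StringIO(SAMPLE))

if __name__ == "__main__":
    r = run_sample()
    print("scanned:", r["scanned"], "over limit:", len(r["over_limit"]))
    print("unapproved:", r["unapproved"], "total:", r["unapproved_total"])
    print("rejects for follow-up:", r["rejects"])
```

A payment exactly at the limit (E004) is not flagged because the rule concerns payments exceeding the value, and the unreadable row (E005) is returned as a reject so the auditor can check how it was corrected and re-input.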
Frequently Asked Questions
What is 'negative assurance' in IT audit?
Why must error reports be examined even when using CAATs?
What is a test pack or test deck?