Para 3.22.18 — MSO (Audit)
Original Rule Text
3.22.18 The employment of a particular computer audit technique employed depends on:
(i) the type of application system under review;
(ii) the extent of testing required;
(iii) the availability of resources in terms of computer facilities and the level of EDP skills among the audit staff; and
(iv) volume of data and availability of printed information.
Where the volume of data is small and adequate printed information is available to carry out a meaningful clerical audit, it will not be necessary to employ computer techniques, which are costly and time consuming. To elaborate further, the auditor should break up his project of application system audit into three stages. In the first stage, he will carry out the examination of audit trails, intermediate printouts as required, system logs and operational controls. If the auditor feels, as a result of audit in the first stage, that the adequacy of controls requires further verification, he can resort to compliance testing in the second stage using the test deck method and integrated test facilities with resident audit programs. If the compliance testing exposes some control weaknesses, substantive testing may be resorted to in the third and final stage using retrieval software packages that are available commercially or simulation techniques with audit software.
What This Means
The choice of computer audit technique depends on the type of system being reviewed, extent of testing needed, availability of computer facilities and EDP skills among audit staff, and volume of data. When data volume is small and adequate printouts are available, manual audit suffices. For larger systems, audit should progress in three stages: first examine audit trails and printouts, then perform compliance testing if needed, and finally resort to substantive testing with retrieval software if control weaknesses are found.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- 1Choice of technique depends on system type, testing scope, skills, and data volume
- 2Small data volumes with adequate printouts may not need computer techniques
- 3Stage 1: Examine audit trails, printouts, system logs, and operational controls
- 4Stage 2: Compliance testing using test decks and integrated test facilities
- 5Stage 3: Substantive testing using retrieval software or simulation
- 6Each stage is triggered only if the previous stage reveals concerns
Practical Example
Auditing a small municipality's computerised water billing system (5,000 connections), the auditor starts with Stage 1: reviewing monthly printouts and system logs. Everything appears normal. However, a spot check reveals that 50 connections show zero consumption for 6 consecutive months. In Stage 2, the auditor uses test data to check the meter-reading input control and finds it accepts zero readings without a flag. In Stage 3, retrieval software extracts all zero-reading accounts, revealing Rs 3 lakh in unbilled water usage — some accounts belong to municipal councillors.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Frequently Asked Questions
Why not always use the most advanced computer audit techniques?▼
What is the test deck method?▼
What is retrieval software?▼
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.