Hong Kong CPA Examination Auditing Notes 6


Lecture Topic – IT environments – Computer systems

Lecture References

Auditing, HKIAAT 2006 edition Ch. 24-27

Modern Auditing & Assurance Service, 2nd Edition Ch

HKICPA Member’s Handbook: PN1001/1002

______________________________________________________________________________

1 Introduction

This topic describes the effects of an on-line computer system and a stand-alone PC on the accounting system and related internal controls and on audit procedures.

2 On-Line Computer Systems

On-line computer systems are computer systems that enable users to access data and programs directly through terminal devices. Such systems may comprise mainframe computers, minicomputers or a network of connected PCs. When the entity uses an on-line computer system, the technology is likely to be complex and linked with the entity's strategic business plans. The audit team may require special IT skills to make enquiries and to understand the implications of the responses obtained. The auditors may need to consider using the work of an expert (see SAS 520 "Using the work of an expert").

On-line systems allow users to directly initiate various functions such as:

(a) entering transactions (for example, sales transactions in a retail store, cash withdrawals in a bank and shipment of goods in a plant);

(b) making enquiries (for example, current customer account status or balance information);

(c) requesting reports (for example, a list of inventory items with negative "on hand" quantities);

(d) updating master-files (for example, setting up new customer accounts and changing general ledger codes); and

(e) electronic commerce activities (for example, placing orders and paying for goods over the Internet).

On-line computer systems use many different types of terminal devices. The functions they perform vary widely, and depend on their logic, transmission, storage and basic processing capabilities. Types of terminal devices are:

(a) general purpose terminals, such as:

  • basic keyboard and screen - used for entering data without any validation within the terminal and for displaying data from the computer system on the screen. For example, in entering a sales order, the main computer validates the product code and the terminal screen displays the result of the validation;

  • intelligent terminal - used for the functions of the basic keyboard and screen with the additional functions of validating data within the terminal, maintaining transaction logs and performing other local processing. In the above sales order example, the intelligent terminal verifies the correct number of characters in the product code and the main computer verifies the existence of the product code in the master-file;

  • PCs - used for all of the functions of an intelligent terminal with additional local processing and storage capabilities. Continuing the above example, the PC may perform all the verifications of the product code;

(b) special purpose terminals, such as:

  • point-of-sale devices - used to record sales transactions as they occur and to transmit them to the main computer. On-line cash registers and optical scanners used in the retail trade are typical point-of-sale devices;

  • automated teller machines - used to initiate, validate, record, transmit and complete various banking transactions. Depending on the design of the system, certain of these functions are performed by the automated teller machine and others are performed on-line by the main computer;

  • hand-held wireless devices for entering data from remote locations;

  • voice response systems - used to allow user interaction with the computer over a telecommunications network based on verbal instructions issued by the computer. The customer communicates using a tone-generating device, which is often the keypad on the customer's telephone. Common applications include telephone banking and bill payment systems.

Terminal devices may be found either locally or at remote sites. Local terminal devices are connected directly to the computer through cables, whereas remote terminal devices require the use of telecommunications to link them to the computer. In some cases, however, even local terminals may be connected using telecommunications links or wireless communication links. Terminal devices may be accessed by many users, for different purposes, in different locations, all at the same time. Users such as customers or suppliers may be within the entity or outside. In such cases, application software and data are kept on-line to meet users' needs. These systems also require other software, such as access control software and software that monitors on-line terminal devices.

Increased sharing of system resources through LANs and WANs has led to the growth of distributed online processing. Client/Server systems have resulted in applications being split, so that processing can be performed across several machines. In a client/server environment, the processing of data takes place on the server and the desktop computer (client).

Employees, business partners, customers and other third parties may obtain access to an organization's on-line applications by using the Internet or other remote access services.

External parties may access the organization's applications through electronic data interchange (EDI) or other electronic commerce applications.

In addition to the users of these systems, programmers may use the on-line capabilities to develop new programs and maintain existing programs. Computer supplier personnel may also have on-line access to provide maintenance and support services.

2.1 Types of On-Line Computer Systems

On-line computer systems may be classified according to how information is entered into the system, how it is processed and when the results are available to the user. On-line computer system functions are classified as follows:

(a) on-line/real-time processing;

(b) on-line/batch processing;

(c) on-line/memo update (and subsequent processing);

(d) on-line/inquiry; and

(e) on-line downloading/uploading processing.

On-Line/Real-Time Processing

In an on-line/real-time processing system, individual transactions are entered at terminal devices, validated and used to update related computer files immediately. An example is the application of cash receipts directly to customers' accounts. The results of such processing are then available immediately for inquiries or reports.

On-Line/Batch Processing

In a system with on-line input and batch processing, individual transactions are entered at a terminal device, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period. Later, during a subsequent processing cycle, the transaction file may be validated further and then used to update the relevant master-file. For example, journal entries may be entered and validated on-line and kept on a transaction file, with the general ledger master-file being updated on a monthly basis. Inquiries of, or reports generated from, the master-file will not include transactions entered after the last master-file update.

On-Line/Memo Update (and Subsequent Processing)

On-line input with memo update processing, also known as shadow update, combines on-line/real time processing and on-line/batch processing. Individual transactions immediately update a memo file containing information that has been extracted from the most recent version of the master-file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of the master-file on a batch basis. For example, the withdrawal of cash through an automated teller machine is checked against the customer's balance on the memo file, and is then immediately posted to the customer's account on that file to reduce the balance by the amount of the withdrawal. From the user's perspective, this system will seem no different from on-line/real time processing since the results of data entered are available immediately. However, the transactions have not been subjected to complete validation before the master-file update.
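The memo update cycle described above, as an added example that is not part of the original notes: an ATM withdrawal is checked and posted against the memo file on-line, and the same transaction is validated completely only in the later batch run. The account numbers, balances and the daily limit rule applied only in batch are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

DAILY_LIMIT = Decimal("1000")   # assumed rule enforced only in the batch run


@dataclass
class Txn:
    seq: int
    account: str
    amount: Decimal


@dataclass
class MemoUpdateSystem:
    master: dict                                   # master-file: account -> balance
    memo: dict = field(default_factory=dict)       # memo (shadow) file
    txn_file: list = field(default_factory=list)   # transactions awaiting batch

    def extract_memo(self):
        """Start of cycle: copy balances from the latest master-file."""
        self.memo = dict(self.master)

    def atm_withdraw(self, account, amount):
        """On-line step: check and post against the memo file only."""
        amount = Decimal(amount)
        if amount <= 0 or self.memo.get(account, Decimal("0")) < amount:
            return False                           # refused at the terminal
        self.memo[account] -= amount               # inquiries now see this balance
        self.txn_file.append(Txn(len(self.txn_file) + 1, account, amount))
        return True

    def batch_update(self):
        """Batch step: complete validation, then master-file update."""
        exceptions, paid_today = [], {}
        for txn in self.txn_file:
            total = paid_today.get(txn.account, Decimal("0")) + txn.amount
            if total > DAILY_LIMIT:
                exceptions.append((txn.seq, "daily limit exceeded"))
            elif self.master[txn.account] < txn.amount:
                exceptions.append((txn.seq, "insufficient funds on master-file"))
            else:
                self.master[txn.account] -= txn.amount
                paid_today[txn.account] = total
        self.txn_file = []
        return exceptions

    def reconcile(self):
        """Accounts where memo file and master-file disagree after the batch."""
        return {acct: (self.memo[acct], bal) for acct, bal in self.master.items()
                if self.memo.get(acct) != bal}


def run_demo():
    # Constructed balances and withdrawals.
    system = MemoUpdateSystem(master={"A-100": Decimal("1500"),
                                      "B-200": Decimal("300")})
    system.extract_memo()
    online = [system.atm_withdraw("A-100", "600"),
              system.atm_withdraw("A-100", "600"),   # passes on-line, fails batch
              system.atm_withdraw("B-200", "400"),   # refused on-line
              system.atm_withdraw("B-200", "100")]
    exceptions = system.batch_update()
    return online, exceptions, system.reconcile()


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

The reconciliation output is the audit-relevant part: any account listed there had a transaction accepted at the terminal that the complete validation later rejected.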

On-Line/Inquiry

On-line inquiry restricts users at terminal devices to making inquiries of master-files. In such systems, the master-files are updated by other systems, usually on a batch basis. For example, the user may inquire of the credit status of a particular customer before accepting an order from that customer.

On-Line Downloading/Uploading Processing

On-line downloading refers to the transfer of data from a master-file to an intelligent terminal device for further processing by the user. For example, data at the head office representing transactions of a branch may be downloaded to a terminal device at the branch for further processing and preparation of branch financial reports. The results of this processing and other locally processed data may then be uploaded to the head office computer.

2.2 Characteristics of On-Line Computer Systems

The characteristics of on-line computer systems may apply to many of the types of on-line systems discussed in the previous section. The most significant characteristics relate to on-line data entry and validation, on-line access to the system by users, possible lack of visible transaction trail and potential access to the system by non-users, including programmers and other third parties (for example, through e-mail and the Internet). The particular characteristics of a specific on-line system will depend on the design of that system.

When data are entered on-line, they are usually subject to immediate validation checks. Data failing this validation are not accepted and a message may be displayed on the terminal screen, providing the user with the ability to correct the data and re-enter the valid data immediately. For example, if the user enters an invalid inventory part number, an error message is displayed, allowing the user to re-enter a valid part number.

Users may have on-line access to the system that enables them to perform various functions (for example, to enter transactions and to read, change or delete programs and data files through the terminal devices). Unlimited access to all of these functions in a particular application is undesirable because it provides the user with the potential ability to make unauthorized changes to the data and programs. Unlimited access precludes segregation of duties and allows users access to all stages of processing and recording a transaction. The extent of this access depends on things such as the design of the particular application and the implementation of software designed to control access to the system.

An on-line computer system may be designed not to provide supporting documents for all transactions entered into the system. Such a system must be able to provide details of the transactions on request or by transaction logs or other means. Examples of these types of systems include orders received by a telephone operator who enters them on-line without written purchase orders, and cash withdrawals from automated teller machines.

Programmers may have on-line access to the system that enables them to develop new programs and modify existing programs. Unrestricted access provides the programmer with the potential to make unauthorized changes to programs and obtain unauthorized access to other parts of the system and would represent a serious control weakness. The extent of this access depends on the requirements of the system. For example, in some systems, programmers ordinarily have access only to programs maintained in a separate program development and maintenance library. Programmers may, however, be authorized to change the operational programs in emergencies that require changes to programs kept online. In such cases, formal control procedures would be followed after the emergency to ensure appropriate authorization and documentation of the changes.

2.3 Internal Control in an On-Line Computer System

Applications in an on-line environment may have greater exposure to unauthorized access and update. An entity's security infrastructure plays an important part in ensuring the integrity of the information produced. The auditors, therefore, consider the security infrastructure before examining the general and application controls. The entity may need to establish suitable general controls to mitigate the risks of viruses, unauthorized access and the potential destruction of audit trails. Hence access controls are particularly important to on-line processing.

These controls may include the use of passwords and specialized access control software, such as on-line monitors, that maintains control over the menus, authorization tables, passwords, files and programs that users are permitted to access. They may also include physical controls such as the use of key locks on terminal devices, locked computer rooms and inactivity timeouts.

Other important aspects of control in an on-line computer system include:

(a) controls over passwords: procedures for the assignment and maintenance of passwords to restrict access to authorized users;

(b) system development and maintenance controls: additional procedures to ensure that controls essential to on-line applications, such as passwords, access controls, on-line data validation and recovery procedures, are included in the system during its development and maintenance; the controls are also designed to ensure that changes to systems operate as expected and are made in the correct manner;

(c) programming controls;

(d) transaction logs; and

(e) firewalls.

Certain application controls are particularly important to on-line processing. These include the following:

(a) Pre-processing authorization. Authorization to initiate a transaction, for example, by using a bank card together with a personal identification number before being able to make a cash withdrawal through an automated teller machine.

(b) Terminal device edit, reasonableness and other validation tests. Programmed routines that check the input data and processing results for completeness, accuracy and reasonableness. These routines include sequence, limit, range and reasonableness checks and may be performed on an intelligent terminal device or on the central computer.

(c) Input error reporting and handling. Procedures to ensure that all input errors are properly reported, identified and rejected from further processing, corrected and resubmitted for processing in a timely manner. These procedures will generally comprise a mix of both manual and automated routines.

(d) Cut-off procedures. Procedures that ensure transactions are processed in the proper accounting period. These are particularly necessary in systems that have a continuous flow of transactions. For example, in on-line systems where terminal devices in various locations record sales orders and shipments, there is a need to coordinate the actual shipment of goods, inventory release and invoice processing.

(e) File controls. Procedures that ensure the correct data files are used for on-line processing.

(f) Master file controls. Changes to master-files are controlled by procedures similar to those used for controlling other input transaction data. More stringent enforcement of these control procedures may be necessary because master file data may have a pervasive effect on processing results.

(g) Balancing. The process of establishing control totals over data being submitted for processing through the on-line terminal devices and comparing the control totals during and after processing to ensure that complete and accurate data are transferred to each processing phase. These balancing controls are important to monitoring completeness and accuracy controls in a real-time processing environment. They should be included in the automated program routines whenever possible.

(h) Control may be established by an independent function that generally:

  i. receives all data for processing;

  ii. ensures that all data are authorized and recorded;

  iii. follows up all errors detected during processing;

  iv. verifies the proper distribution of output; and

  v. restricts physical access to application programs and data.

Separate controls are ordinarily required over master file and transaction data.
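Items (b), (c) and (g) above worked through in code, as an added example that is not part of the original notes: sales order records pass sequence, format, validity, reasonableness, range and limit checks, rejected records go to a suspense list with their reasons, and control totals are balanced across the data entry and posting phases. The product master-file, limits, record layout and sample input are all constructed for illustration.

```python
from decimal import Decimal

# Constructed master-file and limits (assumptions for illustration only).
PRODUCT_MASTER = {"P1001": Decimal("25.00"), "P2002": Decimal("120.00")}
CODE_LENGTH = 5                       # format check an intelligent terminal can do
QTY_RANGE = (1, 500)                  # range check
ORDER_LIMIT = Decimal("5000.00")      # limit check on order value
PRICE_TOLERANCE = Decimal("0.10")     # reasonableness: within 10% of master price


def edit_record(rec, last_seq):
    """Return the edit checks that one input record fails (empty list = clean)."""
    errors = []
    if rec["seq"] <= last_seq:
        errors.append("sequence")            # duplicate or out-of-order number
    if len(rec["product"]) != CODE_LENGTH:
        errors.append("format")
    elif rec["product"] not in PRODUCT_MASTER:
        errors.append("validity")            # code does not exist on master-file
    else:
        standard = PRODUCT_MASTER[rec["product"]]
        if abs(rec["price"] - standard) > standard * PRICE_TOLERANCE:
            errors.append("reasonableness")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        errors.append("range")
    if rec["qty"] * rec["price"] > ORDER_LIMIT:
        errors.append("limit")
    return errors


def validate(records):
    """Split input into accepted and suspense records; list missing numbers."""
    accepted, suspense, missing, last_seq = [], [], [], 0
    for rec in records:
        errors = edit_record(rec, last_seq)
        missing.extend(range(last_seq + 1, rec["seq"]))   # gaps to follow up
        if errors:
            suspense.append((rec, errors))                # input error reporting
        else:
            accepted.append(rec)
        last_seq = max(last_seq, rec["seq"])
    return accepted, suspense, missing


def control_totals(records):
    """Record count, value total and hash total (sum of sequence numbers)."""
    return (len(records),
            sum((r["qty"] * r["price"] for r in records), Decimal("0")),
            sum(r["seq"] for r in records))


def balance(phase, totals_in, *totals_out):
    """Report every control total that differs between phase input and output."""
    combined = [sum(column[1:], column[0]) for column in zip(*totals_out)]
    labels = ("record count", "value", "hash total")
    return [f"{phase}: {label} in={t_in} out={t_out}"
            for label, t_in, t_out in zip(labels, totals_in, combined)
            if t_in != t_out]


def _rec(seq, product, qty, price):
    return {"seq": seq, "product": product, "qty": qty, "price": Decimal(price)}


SAMPLE_INPUT = [                       # constructed input from one terminal
    _rec(1, "P1001", 10, "25.00"),
    _rec(2, "P1001", 600, "25.00"),    # fails range and limit
    _rec(3, "P9999", 1, "10.00"),      # not on master-file
    _rec(5, "P2002", 2, "120.00"),     # number 4 never arrived
    _rec(5, "P2002", 2, "120.00"),     # duplicate number
    _rec(6, "P2002", 1, "200.00"),     # price far from master price
]


def run_demo():
    accepted, suspense, missing = validate(SAMPLE_INPUT)
    entry = balance("data entry", control_totals(SAMPLE_INPUT),
                    control_totals(accepted),
                    control_totals([rec for rec, _ in suspense]))
    posted = accepted[:-1]             # constructed fault: one record lost in posting
    posting = balance("posting", control_totals(accepted), control_totals(posted))
    return accepted, suspense, missing, entry, posting


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```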

2.4 Effect of On-Line Computer Systems on the Accounting System and Related Internal Controls

The effect of an on-line computer system on the accounting system and the associated risks will generally depend on:

(a) the extent to which the on-line system is being used to process accounting applications;

(b) the type and significance of financial transactions being processed; and

(c) the nature of files and programs the applications use.

The entity's security infrastructure plays an important part in controlling the effect of the risks created by the entity's use of an on-line environment.

Factors such as the following may reduce the risk of errors occurring because of the entity's use of online systems:

(a) Performing data entry at or near the point where transactions originate reduces the risk that the transactions will not be recorded.

(b) Immediate correction and re-entering of invalid transactions reduces the risk that such transactions will not be corrected and resubmitted quickly.

(c) Data entry performed by individuals who understand the nature of the transactions involved may be less prone to error than when performed by individuals unfamiliar with the nature of the transactions.

(d) Processing transactions immediately reduces the risk that they will be processed in the wrong accounting period.

(e) Authentication and authorization carried out at or near the point where transactions originate reduces the risk of impersonation or other unauthorized access to or manipulation of data.

The risk of errors in on-line computer systems may be increased for the following reasons:

(a) Locating terminal devices throughout the entity increases the opportunity for unauthorized use of a terminal device and the entry of unauthorized transactions.

(b) On-line terminal devices may provide easier opportunity for unauthorized uses such as:

  i. Modification of previously entered transactions or balances;

  ii. Modification of computer programs; or

  iii. Access to data and programs from remote locations.

(c) If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.

(d) On-line access to data and programs from remote sites through telecommunications may provide greater opportunity for access to data and programs by unauthorized persons. Organizations that have links to the Internet require greater controls, such as firewalls, to manage the risk of unauthorized access to data and programs.

(e) The use of electronic commerce and EDI for the exchange of documents between two organizations results in the loss of traditional paper audit trails, including invoices and purchase orders.

The characteristics of on-line computer systems illustrate some of the considerations influencing the effectiveness of controls in on-line computer systems. Such characteristics may have the following consequences:

(a) there may not be printed source documents for every input transaction;

(b) results of processing may be highly summarized; for example, only totals from individual on-line data entry devices can be traced to subsequent processing;

(c) the on-line computer system may not be designed to provide printed reports; for example, edit reports may be replaced by edit messages displayed on a terminal device screen;

(d) on-line computer systems running real-time processes pose particular difficulties for auditors as it can be difficult to achieve a clear cut-off of data. It can also be difficult in some IT environments to stop real-time processing long enough to obtain copies of data files or to run important reports for audit purposes at period end; and

(e) in the event that real time systems have to be restored, it is difficult to ensure that all of the data is properly reinstated and, importantly, that all systems integration interfaces and data feeds are reset to the date and time of the back-up data.

2.5 Effect of On-Line Computer Systems on Audit Procedures

If those controls are deemed satisfactory, the auditors will place greater reliance on internal controls in the system when determining the nature, timing and extent of audit procedures. The characteristics of on-line computer systems may make it more effective for the auditors to perform a pre-implementation review of new on-line accounting applications rather than to review the applications after installation. To be fully effective, the review may need to extend to other applications that provide data for those accounting applications; the auditors may also test that the new system operates and is implemented as designed. The pre-implementation review may provide the auditors with an opportunity to request additional functions, such as detailed transaction listings, or controls within the application design. It may also provide the auditors with sufficient time to develop and test audit procedures in advance of the system's use. In contrast, when the entity adopts a policy of continuous systems upgrading, the change management procedures adopted may be critical to the on-going effectiveness of the controls in place. The auditors may therefore examine the change management procedures rather than perform pre-implementation reviews.

The following matters are of particular importance to the auditors in an on-line computer system:

• authorization, completeness and accuracy of on-line transactions through the implementation of appropriate controls at the time when the transaction is accepted for processing;

• integrity of records and processing, due to many users and programmers having on-line access to the system; and

• necessary changes in the performance of audit procedures, including the use of CAATs, due to matters such as:

  (a) the need for audit teams with technical skills in on-line computer systems;

  (b) the effect of the on-line computer system on the timing of audit procedures;

  (c) the lack of visible transaction trails;

  (d) procedures carried out during the audit planning stage;

  (e) audit procedures performed concurrently with on-line processing; and

  (f) procedures performed after processing has taken place.

Procedures carried out during the planning stage may include the following:

• the participation on the audit team of individuals with technical proficiency in on-line computer systems and related controls;

• identification of any new remote access facilities; and

• preliminary determination, during the risk assessment process, of the impact of the system on the audit procedures.

Audit procedures performed concurrently with on-line processing may include tests of the controls over the on-line applications. For example, this may be by means of entering test transactions through the on-line terminal devices or by the use of audit software. These tests may be used either to confirm the auditors' understanding of the system or to test controls such as passwords and other access controls. Where the entity permits access through the Internet, audit procedures can include tests of firewalls and other authorization and access controls, as well as tests of transaction processing. To avoid the inadvertent corruption of client records, the auditors review concurrent procedures with appropriate client personnel and obtain approval before conducting the tests.

Procedures performed after processing has taken place may include the following:

• tests of controls over transactions logged by the on-line system for authorization, completeness and accuracy;

• substantive procedures covering transactions and processing results rather than tests of control, where the former may be more cost-effective or where the system is not well-designed or controlled; and

• reprocessing transactions as either a test of control or a substantive procedure.
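A test of controls over logged transactions of the kind listed above, as an added example that is not part of the original notes: each log entry is compared with the authorization table, checked for one user both entering and approving the same document, and checked for cut-off. The log layout, user ids, function names, period and dates are constructed for illustration.

```python
from datetime import datetime

# Constructed authorization table: user id -> functions the user may perform.
AUTH_TABLE = {
    "clerk01": {"enter_txn", "inquiry"},
    "super01": {"approve_txn", "inquiry"},
    "mgr01":   {"enter_txn", "approve_txn", "inquiry"},   # table itself is too wide
    "prog01":  {"inquiry"},                                # programmer id
}
PERIOD = "2006"                                  # accounting period under audit
PERIOD_END = datetime(2006, 12, 31, 23, 59, 59)

# Constructed transaction log: seq, time, user, function, document, period posted.
LOG = [
    (1, "2006-12-31T16:05:00", "clerk01", "enter_txn",     "SO-501",   "2006"),
    (2, "2006-12-31T16:20:00", "super01", "approve_txn",   "SO-501",   "2006"),
    (3, "2006-12-31T17:00:00", "clerk01", "update_master", "CUST-77",  "2006"),
    (4, "2006-12-31T18:00:00", "mgr01",   "enter_txn",     "SO-502",   "2006"),
    (5, "2006-12-31T18:01:00", "mgr01",   "approve_txn",   "SO-502",   "2006"),
    (6, "2006-12-31T22:10:00", "prog01",  "update_master", "GL-CODES", "2006"),
    (7, "2007-01-02T09:15:00", "clerk01", "enter_txn",     "SO-503",   "2006"),
    (8, "2007-01-02T10:00:00", "temp99",  "enter_txn",     "SO-504",   "2007"),
]


def review_log(log, auth_table, period, period_end):
    """Return (seq, test, detail) findings for authorization, duties and cut-off."""
    findings, entered_by = [], {}
    for seq, time, user, function, doc, posted_period in log:
        # Authorization: the user must exist and hold the function used.
        allowed = auth_table.get(user)
        if allowed is None:
            findings.append((seq, "authorization", f"{user} is not in the table"))
        elif function not in allowed:
            findings.append((seq, "authorization", f"{user} may not {function}"))

        # Segregation of duties: entry and approval by the same user.
        if function == "enter_txn":
            entered_by[doc] = user
        elif function == "approve_txn" and entered_by.get(doc) == user:
            findings.append((seq, "segregation of duties",
                             f"{user} entered and approved {doc}"))

        # Cut-off: posted to the audited period but dated after period end.
        if posted_period == period and datetime.fromisoformat(time) > period_end:
            findings.append((seq, "cut-off",
                             f"{doc} dated {time} posted to {period}"))
    return findings


if __name__ == "__main__":
    for finding in review_log(LOG, AUTH_TABLE, PERIOD, PERIOD_END):
        print(finding)
```

Entry 5 passes the authorization test because the table grants mgr01 both functions; only the separate segregation-of-duties test exposes it, which is why the table itself belongs in the scope of the review.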

3 Stand-Alone PCs

PCs can be used to process accounting transactions and produce reports that are essential to the preparation of financial statements. The PC may constitute the entire computer-based accounting system or merely a part of it.

Generally, information technology (IT) environments in which stand-alone PCs are used are somewhat different from other IT environments. Certain controls and security measures that are used for large computer systems may not be practicable for PCs. In contrast, certain types of internal controls become more important because of the characteristics of stand-alone PCs and the environments in which they are used.

Stand-alone PCs can be operated by a single user or many users at different times accessing the same or different programs on the same computer. The user of a stand-alone PC that processes accounting applications performs many functions (for example, entering data and operating application programs). While typically not knowledgeable about programming, users may often use third-party or off-the-shelf software packages such as electronic spreadsheets or database applications.

The organizational structure within which a stand-alone PC is used is important in assessing risks and the extent of the controls required to mitigate those risks. For example, monitoring controls employed by management may be the only effective controls for a purchased software package used by a small business on a stand-alone PC apart from whatever controls are incorporated in the package itself. In contrast, the effectiveness of controls relating to a stand-alone PC used within a larger organization may depend on an organizational structure that clearly segregates responsibilities and restricts the use of the stand-alone PC to specific functions.

The control considerations and the characteristics of the hardware and software are different when a PC is linked to other computers. Such situations often lead to increased risks. This PN does not address the auditors' consideration of network security and controls. This PN is however relevant for PCs that are linked to another computer, but can also be used as stand-alone workstations. Many PCs may be used interchangeably as part of a network or in stand-alone mode. When dealing with such PCs, the auditors consider the additional risks encountered by access through a network as well as the guidance in this

3.1 Internal Control in Stand-Alone PC Environments

PCs are oriented to individual end-users. The degree of accuracy and reliability of financial information they produce will depend, in part, on the internal controls that the user adopts either voluntarily or because management has prescribed them. The control procedures implemented relate to the complexity of the business environment in which the PC operates. Ordinarily, the stand-alone PC environment is less structured than a centrally controlled IT environment. In the former, users with only basic data processing skills can implement application programs relatively quickly, triggering issues such as the adequacy of systems' documentation or access control procedures. Such users may not regard controls over the application implementation process (for example, adequate documentation) and operations (for example, access control procedures) as important or cost-effective. In such circumstances, because the financial information is processed on a computer, users may tend to place unwarranted reliance on it.

In a typical stand-alone PC environment, the level of general controls is lower than what would be found in a large-scale computing environment. Nevertheless, selected security and control procedures can help improve the overall level of internal control.

Organizational Policies and Procedures

As part of the acquisition of an understanding of the control environment, and hence the IT environment for stand-alone PCs, the auditors consider the organizational structure of the entity and, in particular, the allocation of responsibilities for data processing. Effective policies and procedures for the acquisition, implementation, operation and maintenance of stand-alone PCs can enhance the overall control environment. A failure to implement such policies may lead to the entity using out of date programs and to errors in the data and the information derived from them, and may lead to an increased risk of fraud. Such policies and procedures include the following:

• acquisition, implementation and documentation standards;

• user training;

• security, back-up and storage guidelines;

• password management;

• personal usage policies;

• software acquisition and usage standards;

• data protection standards;

• program maintenance and technical support;

• an appropriate level of segregation of duties and responsibilities; and

• virus protection.

Physical Protection – Equipment

Because of their physical characteristics, stand-alone PCs and their storage media are susceptible to theft, physical damage, unauthorized access or misuse. They can be physically protected by:

• locking them in a protective room, cabinet or shell;

• using an alarm system that is activated if the PC is disconnected or moved from its location;

• fastening the PC to a table;

• policies outlining the proper procedures to follow when traveling with a laptop or using it off premises;

• encryption of key files;

• installing a locking mechanism to control access to the on/off switch. This may not prevent PC theft, but may be effective in controlling unauthorized use; and

• implementing environmental controls to prevent damage from natural disasters, such as fire, floods, etc.

Physical Protection - Removable and Non-Removable Media

PC programs and data can be stored on removable or non-removable storage media. For example, diskettes and CDs can be removed physically from the stand-alone PC, while hard disks are normally contained in the PC or in a stand-alone unit attached to it. In addition, the interior components (including the hard drive) of many PCs, in particular laptops, are easily accessible. When many individuals use a particular PC, storage media are more likely to be misplaced, altered without authorization or destroyed.

It is the user's responsibility to protect removable storage media by, for example, keeping current backups of such media in a fireproof container, either on site, off site, or both. This applies equally to operating systems, application programs and data.

Program and Data Security

When PCs are accessible to many users, there is a risk that the operating system, programs and data may be altered without authorization, or that users may install their own versions of programs giving rise to potential software licensing liabilities. The degree of control and security features present in a PC operating system varies. Although some operating systems contain sophisticated built-in security features, those used on stand-alone PCs generally do not. Nevertheless, there are techniques to help ensure data are processed and read as authorized and that accidental destruction of data is minimized. The following techniques can limit access to programs and data to authorized personnel:

• using passwords;

• implementing an access control package;

• using removable storage media;

• using hidden directories and files; and

• using encryption.

An effective control technique is to use profiles and passwords, which control the level of access granted to a user. For example, a user may be given a profile protected by a password that allows data entry only, and a stand-alone PC might be configured to require a password before it can be "booted up."

In some instances an access control package can provide effective control over the access to and use of operating systems, programs and data. For example, only a specific user may have access to the password file or be allowed to install programs. Such packages can also regularly examine programs on the PC to detect whether unauthorized programs or versions of programs are being used.
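The periodic program examination described above can be sketched in Python as a comparison of the programs now on the PC against an approved list of file digests. This is an added illustration, not part of the lecture notes or of any particular access control package; the function names, file names and file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large programs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(program_dir):
    """Map each file path (relative to program_dir) to its SHA-256 digest."""
    result = {}
    for root, _dirs, files in os.walk(program_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, program_dir).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def compare(approved, current):
    """Return the exceptions to follow up, grouped by type.

    approved: snapshot taken when the programs were authorized.
    ASSUMPTION: it is kept off the PC (for example on removable media under
    independent custody), otherwise whoever alters a program can alter it too.
    """
    return {
        "unauthorized": sorted(set(current) - set(approved)),
        "altered": sorted(
            p for p in approved if p in current and approved[p] != current[p]
        ),
        "missing": sorted(set(approved) - set(current)),
    }


def demo():
    """Constructed scenario: one program replaced, one added, one deleted."""
    with tempfile.TemporaryDirectory() as pc:
        def write(name, data):
            with open(os.path.join(pc, name), "wb") as fh:
                fh.write(data)

        # Authorized installation (constructed sample contents).
        write("ledger.exe", b"ledger v1.0")
        write("payroll.exe", b"payroll v2.3")
        write("report.exe", b"report v1.1")
        approved = snapshot(pc)

        # Later changes made on the shared PC without authorization.
        write("payroll.exe", b"payroll v2.3 (user-modified)")
        write("game.exe", b"not an accounting program")
        os.remove(os.path.join(pc, "report.exe"))

        return compare(approved, snapshot(pc))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A digest comparison detects a changed version even when the file name, size and date are unchanged, which a simple directory listing would not.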

The use of removable storage media for critical and sensitive programs and data can provide enhanced protection by being kept off-line and under independent control until required. For example, salary data in a payroll system may be kept off-line and used only when required for payroll processing.

Removing programs and data from PCs with removable storage media (for example, diskettes, CDs and cartridges) is one effective way to keep them secure. The media are then placed in the custody of the file librarians or the users responsible for the data or programs.

Encryption is a technique that is generally used when sensitive data are transmitted over communication lines, but it can also be used on data stored on a stand-alone PC.

Continuity of Operations

In a PC environment, management typically relies on the user to ensure the continued availability of the systems in the event of a failure, loss or destruction of the equipment, operating system, programs or data. This will entail:

the user retaining copies of the operating systems, programs and data, with at least one copy stored at a secure location away from the PC; and

access being available to alternative equipment within a reasonable time given the use and importance of the underlying system.

3.2 The Effect of Stand-Alone PCs on the Accounting System and Related Internal Controls

The effect of PCs on the accounting system and the associated risks will generally depend on:

the extent to which the PC is being used to process accounting applications;

the type and significance of financial transactions being processed; and

the nature of programs and data used in the applications.

Below is a summary of some of the key considerations and their effects on both general and application controls.

General Controls - Segregation of Duties

In a PC environment, users can generally perform two or more of the following functions in the accounting system:

initiating source documents;

authorizing source documents;

entering data into the system;

processing data that have been entered;

changing programs and data;

using or distributing output; and

modifying the operating systems.

In other IT environments, such functions would generally be segregated through appropriate general controls. This lack of segregation of functions in a PC environment may allow errors to go undetected and permit the perpetration and concealment of fraud.

Application Controls

The existence and use of appropriate access controls over programs and data, combined with controls over input, processing and output of data may, in coordination with management policies, compensate for some of the weaknesses in general controls in PC environments. Effective controls include the following:

programmed control procedures, such as limit checks;

a system of transaction logs and batch balancing, including follow up and resolution of any exceptions;

direct supervision, for example, a review of reports; and

a reconciliation of record counts or hash totals.
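The programmed controls listed above can be shown working together in a short Python sketch: a batch is balanced against an independently prepared header (record count, control total and hash total), each transaction passes a limit check, and every outcome is written to a transaction log. This is an added illustration, not part of the lecture notes; the field names, the 50,000 limit and the sample batch are assumptions constructed for the example.

```python
from decimal import Decimal

AMOUNT_LIMIT = Decimal("50000.00")  # ASSUMPTION: per-transaction authorization limit


def limit_check(txn, limit=AMOUNT_LIMIT):
    """Programmed control: return a rejection reason, or None if acceptable."""
    if txn["amount"] <= 0:
        return "amount must be positive"
    if txn["amount"] > limit:
        return f"amount {txn['amount']} exceeds limit {limit}"
    return None


def batch_totals(transactions):
    """Totals recomputed from the keyed data.

    The hash total is a sum of account numbers: meaningless as a figure,
    but it changes when a non-monetary field is miskeyed.
    """
    return {
        "record_count": len(transactions),
        "control_total": sum((t["amount"] for t in transactions), Decimal("0")),
        "hash_total": sum(int(t["account"]) for t in transactions),
    }


def reconcile(header, transactions):
    """Compare the independently prepared header with the keyed batch."""
    computed = batch_totals(transactions)
    return [
        f"{field}: header {header[field]} != computed {computed[field]}"
        for field in ("record_count", "control_total", "hash_total")
        if header[field] != computed[field]
    ]


def process_batch(header, transactions):
    """Post nothing unless the batch balances; log every outcome for follow-up."""
    log = []
    differences = reconcile(header, transactions)
    if differences:
        log.append({"batch": header["batch_id"], "status": "BATCH REJECTED",
                    "detail": differences})
        return [], log
    posted = []
    for txn in transactions:
        reason = limit_check(txn)
        status = "EXCEPTION" if reason else "POSTED"
        log.append({"batch": header["batch_id"], "account": txn["account"],
                    "status": status, "detail": reason})
        if reason is None:
            posted.append(txn)
    return posted, log


# Constructed sample data: header prepared from the source documents by someone
# other than the person keying the batch.
HEADER = {"batch_id": "B-001", "record_count": 3,
          "control_total": Decimal("76550.50"), "hash_total": 3006}
KEYED_OK = [
    {"account": "1001", "amount": Decimal("1200.00")},
    {"account": "1002", "amount": Decimal("350.50")},
    {"account": "1003", "amount": Decimal("75000.00")},  # above the limit
]
# Same batch with account 1002 miskeyed as 1020: count and value still agree.
KEYED_MISKEYED = [dict(KEYED_OK[0]), {"account": "1020", "amount": Decimal("350.50")},
                  dict(KEYED_OK[2])]

if __name__ == "__main__":
    print(reconcile(HEADER, KEYED_MISKEYED))
    posted, log = process_batch(HEADER, KEYED_OK)
    for entry in log:
        print(entry)
```

In the miskeyed batch only the hash total disagrees, which is why it is kept alongside the record count and the monetary control total; the logged exception is the item that needs follow up and resolution.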

Control may be established by an independent function that generally:

receives all data for processing;

ensures that all data are authorized and recorded;

follows up all errors detected during processing;

verifies the proper distribution of output; and

restricts physical access to application programs and data.

Separate controls are ordinarily required over master file and transaction data.

3.3 The Effect of a Stand-Alone PC Environment on Audit Procedures

In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. In this situation, after obtaining the understanding of the accounting system and control environment required by SAS 300 "Audit risk assessments and accounting and internal control systems", the auditors may find it more cost-effective not to make a further review of general controls or application controls, but to concentrate audit efforts on substantive procedures. This may entail more extensive physical examination and confirmation of assets, more tests of transactions, larger sample sizes and greater use of computer-assisted audit techniques (see PN 1009 "Computer-assisted audit techniques").

Where the level of general controls appears adequate, the auditors may decide to adopt a different approach. For example, an entity processing a large number of sales transactions on a stand-alone PC may establish control procedures that reduce control risk.

Stand-alone PCs are frequently encountered in small entities. Based on a preliminary review of controls, the audit plan might include testing the controls the auditors intend to rely on.

3.4 Possible problems associated with using stand-alone PCs in a small entity

1. The reduction in the cost of small computers in recent years may lead the company to believe that controls are not needed or may be implemented at low cost. The auditor must encourage his client to appreciate that it is the value of the data, not the cost of the computer, that should dictate the time and money spent implementing control.

2. There is normally only a limited division of duties in a stand-alone PC environment. The same person may be responsible for preparation of input data, computer operations and distribution of output. It is important to implement clerical application controls outside the computer department to counter the limited segregation of duties within it.

3. The client may be a first-time computer user and may not implement a wide range of application controls. In any case the system may not be fully documented and the supplier of a package may not be prepared to release full details. The auditor may need to rely largely on substantive testing to obtain adequate audit evidence.

4. There may be unrestricted access to terminals of data. This should be controlled by (i) nominating specified personnel to use terminals; (ii) physical access restrictions; (iii) password protection; (iv) proper supervision by senior officials; and (v) user logs to record the use of terminals and attempts to gain unauthorized access.

5. Many small systems operate on a real-time basis. Controls may include detailed editing of transactions, the maintenance of transaction logs and control accounts and full review of output by officials outside the computer department. The auditor should check that editing and authorization extend to changes in standing data as well as routine transactions.

6. There are dangers of errors or loss of data on the conversion to a new small computer system. The conversion process should be fully documented and controls such as maintaining record counts and control totals should be used. If possible the auditor should become involved prior to and during the conversion process.

7. There are dangers that program changes are made that are unauthorized or badly designed by the client’s staff. In addition the client’s staff may neglect other managerial duties in spending time attempting to program the computer. The client should attempt to segregate operations staff from programmers. It is often cost-effective for the client to employ a consultant to design and amend programs. The existing software can be protected by being etched onto silicon chips to form ‘read-only memory’. The object programs may be held in machine code only and so are much more difficult for staff to amend. Back-up versions of programs should be maintained.

8. There is finally a general problem that such systems may not provide a visible audit trail. The auditor may wish to use audit interrogation packages but these were traditionally designed for mainframes and may not function on some small systems. The writing of a one-off program may not be cost-effective. The use of a manufacturer’s own enquiry programs may not be cost-effective unless the portfolio of clients using that type of equipment is large. The result is that a substantive-based approach is likely to dominate this type of audit until computer-assisted techniques which are reasonably priced and which can be applied to a wide range of small systems become available.
