In the United States, Statements on Auditing Standards provide guidance to

external auditors on generally accepted auditing standards (abbreviated as GAAS)

in regards to auditing a non-public company[1] and issuing a report. They are
promulgated by the Auditing Standards Board of the American Institute of Certified
Public Accountants (AICPA), which holds all copyright on the Standards. They are
commonly abbreviated as "SAS" followed by their respective number and title.

Audit around the computer means that processing done by the computer system needs not to be
audited as auditor expects that sufficient appropriate audit evidence can be obtained by
reconciling inputs with outputs. In simple words evidence is drawn and conclusions are reached
without considering how inputs are being processed to provide outputs. Sometimes it also means
conducting audit without the use of computer system. However, former is widely understood
meaning of the phrase. Now a days audit around the computer is considered as an auditing
approach. It is more often known as black box audit approach
Most often this approach is used either because:

processing done by the computer is too simple e.g. casting, sorting etc

auditor is already aware of the softwares reliability. This is the case with most of off-theshelf software used by client without any in-house alteration and thus need not to be
checked.

auditor has no mean to gain understanding of the computer system and thus resorts with
this approach. This situation can arise out of circumstances including:
o lack of appropriate system documentation
o auditor lacks expertise or skills to understand or use the computer system for
auditing purposes.
o auditor is not given access to computer system at the level required

Audit around the computer approach is used in situations when auditor is of the opinion that
computer system is reliable and often comparison of inputs i.e. source documents to outputs i.e.
financial reports is done which in auditors judgement is enough. In other auditor will not
assess whether required controls are in place and if they are working operating effectively
while inputs are processed. Due to the same reason, relying too much on this approach is not
recommended for important aspects of the audit especially where assessed risk is high as this
may result in ineffective audit and ultimately inappropriate audit opinion being expressed by the
auditor.
Advantages:
data validation checks

Audit trail
consistency in accounting
more control over journal entries
easy identification of errors
Increased quality of information
accounting packages often include useful management reports
possibility of creating custom made reports
ability to maintain a complex set of accounts. ie multiple debtors.creditors various
revenue account. and to map them for management accounts or financial
statement presentation.
Remote access, you can work from home or overseas!
quicker audits = lower audit fee
PC training
accounting packages usually come with remote support

Disadvantages
as with any computer system: Rubbish in , rubbish out! if personal have not been
trained they'll mess it up!
Require disaster recovery systems
continual updating and IT maintenance
Computer technology changes frequently
hackers
viruses
confidentiality of information can be compromised
if access to the master files is not protected the files could be corrupted, changed,
erased.
off the shelf packages may not be suitable
custom made packages are expensive

The difference(s); Traditional auditing is associated with conducting tests to issue an opinion
on the truth and fairness of the financial statements of the company being audited.
These tests include tests on the internal controls that the company uses to produce figures in the
financial statements, tests on the amount balances of the accounts, and tests on the overall
posting system of its accounts.
On to information system (IS) auditing.
Many people mistakenly assume that IS=IT, which it's definitely not.
It's a common misconception that anything with the phrase INFORMATION SYSTEM is
equivalent to INFORMATION TECHNOLOGY.
In brief, information system is the system of how the information flows within a company, and it
may be made up of sub-systems such as the purchase system, the sales system, the capital
expenditure system, etc.
0 Comments

Request Deletion

Answer added by: Emad mostafa mohamed, CMA General Audit Coordinator 2 years ago
RBA is an audit process that explains how risk concepts are integrated into the strategies and
approaches used for management systems.
RBA provides: A mechanism for understanding the specific risks which may influence the
achievement of the company objectives; A description of existing measures and proposed
strategies for managing specific risks; and A mechanism for monitoring, performing internal
auditing, and reporting practices and procedures RBA changes the way internal auditors think
and talk about risk.
Instead of focusing on history, audit reports address the present and the organization's level of
preparedness to deal with the future.
Internal audit reports "complete the loop" between assurance of control in current operational
plans and input to risk assessment for the strategic plan.
RBA places an emphasis on risk-based internal audit reports rather than on traditional controlsbased reports.
0 Comments
1
Request Deletion

Answer added by: Almutaz Bakry Sidahmed Certified Internal auditor CIA & CCSA in internal
control & risk management with transferable Iqama 2 years ago
There are many differences between traditional audit and Risk-based auditing, if we talk about
the audit plan: Traditional Audit focus on audit cycle (time duration, when last audit ocurred),
focus on deficiencies in controls, and cases of non-compliance with policies and procedure
manual which may be outdated sometimes.
Where as in Risk-based auditing the audit plan is based on the assessment of the Risks which
impact the overal company objectives, the audit plan includes projects to identify and assess risk
responses that management relying upon to manage those risks.
Risk-based Auditing provides an in-depth understanding of the business unit operations through
Risk assessment workshops and with the participation of the unit managers and key staff,
provides assurance that Important risks are being managed properly, and more efficient use of IA
resources by concentrating on Risky units / areas.
Where as in traditional auditing an understanding of Business Unit operations is built through
time consuming process mapping exercises and might rely on outdated P & P manuals and audit
staff spead all over the company trying to cover the audit universe whichsome times extend to
more than one years
0 Comments
1
Request Deletion


Answer added by: Wa'el 2 years ago
I have replied to a similar question before .Here is what I said then: IIA defines risk based
internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall
risk management framework.
RBIA allows internal audit to provide assurance to the board that risk management processes are
managing risks effectively, in relation to the risk appetite.
By following RBIA internal audit should be able to conclude that:1.Management has identified,
assessed and responded to risks above and below the risk appetite2.The responses to risks are
effective but not excessive in managing inherent risks within the risk appetite3.Where residual
risks are not in line with the risk appetite, action is being taken to remedy that4.Risk
management processes, including the effectiveness of responses and the completion of actions,
are being monitored by management to ensure they continue to operate effectively5.Risks,
responses and actions are being properly classified and reported.
This enables internal audit to provide the board with assurance that it needs on three areas:1.Risk
management processes, both their design and how well they are working2.Management of those
risks classified as 'key', including the effectiveness of the controls and other responses to
them3.Complete, accurate and appropriate reporting and classification of risks To those who are
intereste, I can share an excellent presentation by Grant Thornton on the subject.The presentation
is in both Arabic And English and it discuses the following issues: - Definition of risk based
internal audit - Risk based internal audit requirments - Tradittional approach vs.
Risk based approach -Risk based audit stages
0 Comments
1
Request Deletion

Answer added by: Ziad 2 years ago

one requires feed-forward controls (Risk based audit)..
and the other requires feedback controls (Traditional Audit) which in other words depends on the
historical audit data and not the risk assessment designed to identify critical areas.