Module 4

4.1 Audit Approaches for CIS environment

The Black Box Approach

 Auditing around the computer

 Concentrates on input and output and ignores how the computer processes the data transactions

 If input matches the output, the auditor simply assumes that the processing of transactions must have been
correct

 Advantages:

› Make more comparisons if done manually

› Ease of comprehension (no need to understand the application program)

 Disadvantages:

› The auditor, not having directly tested the control, cannot make assertions about the underlying process

› In more complex computer systems, intermediate printouts may not be available for making the needed
comparisons

White Box Approach

 Unlike Black box, processing and controls are also subjected to audit

 To help the auditor gain access to processes, computer audit software may be used

 This software may include:

› Interactive inquiry facilities to interrogate files

› Facilities to analyze computer security logs for unusual usage of the computer

› The ability to compare source and object program codes in order to detect dissimilarities

› The facility to execute and observe the computer treatment of “live transaction” by moving through the
processing as it occurs

› The generation of test data

› The actual controls and the higher level control will be evaluated and then subjected to compliance
testing and substantive testing before an audit report is produced

 In order to follow this approach, the auditor needs to have sufficient knowledge of computers to plan, direct,
supervise and review the work performed

 The areas covered in an audit will concentrate on the following controls:

› Input controls

› Processing controls

› Storage controls

› Output control

› Data transmission control

 The auditor also needs to:

› Assess whether the system has adequate controls over the prevention of unauthorized access to
computer and computerized database

› Assess segregation of duties between staff functions involved in transaction processing and the
computerized system, and ensure that adequate supervision of personnel is administered

 The process of auditing is not straightforward but involves application of knowledge and expertise to differing
circumstances

 The auditors not only need to have adequate knowledge regarding information requirements and computer data but
also must be exposed to system analysis and design so as to facilitate post-implementation audit.

Effects of computers on internal controls

 Segregation of Duties- there are functions that are considered incompatible in a manual system but are
carried out by the same person in a computerized system. In a small computerized environment, this will be more
difficult, especially in determining whether incompatible functions have been performed by the system users

 Delegation of authority and responsibility- a clear line of authority and responsibility might be difficult to
establish because some resources are shared among multiple users. It may eliminate redundancy of data but
results in multiple users that might violate the integrity of the data. Tracing who is responsible for corrupting
data will also be difficult

 Competent and Trustworthy personnel- skilled, competent, well-trained and experienced information system
personnel have been in short supply, which forced many organizations to compromise on their choice of staff

 System of Authorization- authorization procedures are embedded within a computer program, which makes it
difficult to assess whether the authority assigned to individual persons is consistent with management's policies.

 Adequate Documents and records- in a computerized system, document support might not be necessary to
initiate, execute and record some transactions, thus losing some audit trail. This won't be a problem to auditors if
the system is well-designed to maintain a record of all events and they can easily be accessed.

 Physical control over assets and records- information system assets and records are distinct to computerized
information systems; these assets and records can be easily destroyed through abuse or disaster, thus back-ups
must be present

 Adequate Management Supervision- supervisory controls must be built into the computer system. Because
many activities are electronically controlled, managers must periodically access the audit trail of employees and
examine it for unauthorized actions

 Independent Checks on performance- independent checks on the performance of programs often have little
value thus the control emphasis must be on ensuring the accuracy of program code

 Comparing recorded accountability with assets- counted and recorded assets may not reconcile, and
irregularities may not be discovered because segregation of duties is not practiced in the computer system
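
The segregation of duties, system of authorization and management supervision points above describe reviewing the audit trail for incompatible functions and unauthorized actions. The following is an added example, not part of the original notes, of how such a review could be automated; the record layout, user names, incompatible-function pairs and authorization matrix are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit-trail records: (transaction id, user, function performed).
AUDIT_TRAIL = [
    ("T1001", "acruz", "initiate"),
    ("T1001", "bsantos", "approve"),
    ("T1001", "dlim", "record"),
    ("T1002", "acruz", "initiate"),
    ("T1002", "acruz", "approve"),      # same person initiates and approves
    ("T1002", "dlim", "record"),
    ("T1003", "bsantos", "initiate"),
    ("T1003", "mreyes", "approve"),     # mreyes holds no approval authority
    ("T1003", "mreyes", "record"),      # the same user also records it
]

# Assumed policy: functions one person must not combine on a transaction.
INCOMPATIBLE = [("initiate", "approve"), ("approve", "record"), ("initiate", "record")]

# Assumed authorization matrix taken from management's policies.
AUTHORIZED = {
    "acruz": {"initiate"},
    "bsantos": {"initiate", "approve"},
    "dlim": {"record"},
    "mreyes": {"record"},
}

def review_audit_trail(trail, incompatible, authorized):
    """Return sorted (transaction, user, finding) exceptions for follow-up."""
    findings = set()
    performed = defaultdict(set)            # (txn, user) -> functions performed
    for txn, user, function in trail:
        performed[(txn, user)].add(function)
        # System of authorization: action outside the user's assigned authority.
        if function not in authorized.get(user, set()):
            findings.add((txn, user, f"unauthorized:{function}"))
    # Segregation of duties: one user combining incompatible functions.
    for (txn, user), functions in performed.items():
        for a, b in incompatible:
            if a in functions and b in functions:
                findings.add((txn, user, f"sod:{a}+{b}"))
    return sorted(findings)

if __name__ == "__main__":
    for txn, user, finding in review_audit_trail(AUDIT_TRAIL, INCOMPATIBLE, AUTHORIZED):
        print(txn, user, finding)
```

Each finding is an exception for the auditor to follow up, not a conclusion that an irregularity occurred.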

Effects of computers on Auditing

 Objective- to provide an independent opinion as to the fairness of the financial statements of an entity.

 To achieve that objective, an auditor needs to collect and evaluate evidence

 Effects on the collection and evaluation of evidence:

› Changes to evidence collection

› Changes to evidence evaluation

Changes to evidence collection

 Collecting evidence in a computerized system is more diverse and complex than in a manual system

 Tests of controls become more crucial because of technicality

 Some substantive tests applicable in a manual system may no longer be applicable in a computerized system
(inquiry, inspection, observation, reperformance, analytical procedures, etc.)

Changes to evidence evaluation

 Test of controls- how would you know if the controls are effective?

 Auditors need to understand:

› Whether a control is functioning reliably or malfunctioning

› Traceability of control strengths and weaknesses through the system (a single data item may be used by
multiple users)

 Start with the computer program

Auditing in a CIS Environment

 The use of computers changes the processing, storage, retrieval and communication of financial information,
which affects the accounting and internal control systems employed by the entity.

 The auditor should consider the effect of the following factors:

› The extent of use of computers for preparing accounting information

› Efficacy of internal controls over input, processing, analysis and reporting undertaken in the CIS
installation

› The impact of computerization on the audit trail that could otherwise be expected to exist in a manual
system

 Skill and Competence- an auditor should have sufficient knowledge of the CIS to plan, direct, supervise, control
and review the work performed (experts)

 Planning- the auditor should obtain an understanding of the significance and complexity of the CIS activities and
the availability of the data for use in the audit. The auditor's understanding would include:

› CIS infrastructure including the changes since last audit

› Significance and complexity of computerized processing in each significant accounting application

› Determination of the organizational structure of the client

› Determination of the extent of availability of data by reference to source documents, computer files and
other evidential matter.

 Risk- the auditor should assess whether CIS may influence the assessment of inherent and control risks. The
nature of the risks and the internal control system include the following:

› Lack of transaction trails- detection risk increases

› Uniform processing of transactions- inherent risk decreases

› Lack of segregation of duties- risk increases

› Potential for errors and irregularities- risk increases

› Initiation or execution of transactions- risk increases

› Dependence of other controls over computer processing

› Increased management supervision- risk decreases

› Use of computer assisted audit techniques (CAATs)

 Risk Assessment – assessment of inherent and control risk for material financial statement assertions

 Risk may result from deficiencies in:


› Program development and maintenance

› System software support

› Operations

› Physical CIS security

› Control over access to specialized utility programs

 These deficiencies would tend to have a negative impact on all application systems, creating errors and fraudulent
activities

 Documentation- the auditor should document the audit plan, the nature, timing and extent of audit procedures,
and the conclusions drawn from the evidence obtained. (evidence must be sufficient and appropriate)
