Concentrates on input and output and ignores how the computer processes the data transactions
If input matches the output, the auditor simply assumes that the processing of the transactions must have been
correct
Advantages:
Disadvantages:
› The auditor, not having directly tested the control, cannot make assertions about the underlying process
› In more complex computer systems, intermediate printouts may not be available for making the needed
comparisons
Unlike the black box approach, processing and controls are also subjected to audit
To help the auditor gain access to processes, computer audit software may be used
Such software may include:
› Facilities to analyze computer security logs for unusual usage of the computer
› The ability to compare source and object program codes in order to detect dissimilarities
› The facility to execute and observe the computer treatment of “live transaction” by moving through the
processing as it occurs
› The actual controls and the higher level control will be evaluated and then subjected to compliance
testing and substantive testing before an audit report is produced
In order to follow this approach, the auditor needs to have sufficient knowledge of computers to plan, direct,
supervise and review the work performed
› Input controls
› Processing controls
› Storage controls
› Output control
› Assess whether the system has adequate controls over the prevention of unauthorized access to
the computer and the computerized database
› Assess segregation of duties between staff functions involved in transaction processing and the
computerized system, and ensure that adequate supervision of personnel is administered
The process of auditing is not straightforward but involves the application of knowledge and expertise to differing
circumstances
Auditors must not only have adequate knowledge of information requirements and computer data but
must also be exposed to system analysis and design so as to facilitate post-implementation audit.
Segregation of Duties- there are functions that are considered incompatible in a manual system but are
carried out by the same person in a computerized system. In a small computerized environment, this will be more
difficult, especially in determining whether incompatible functions have been performed by the system users
Delegation of authority and responsibility- a clear line of authority and responsibility might be difficult to
establish because some resources are shared among multiple users. Sharing may eliminate redundancy of data but
results in multiple users who might violate the integrity of the data. Tracing who is responsible for corrupting
data will also be difficult
Competent and Trustworthy personnel- skilled, competent, well-trained and experienced information system
personnel have been in short supply, which has forced many organizations to compromise on their choice of staff
System of Authorization- authorization procedures are embedded within a computer program, which makes it
difficult to assess whether the authority assigned to individual persons is consistent with management's policies.
Adequate Documents and records- in a computerized system, document support might not be necessary to
initiate, execute and record some transactions, thus losing some audit trail. This won't be a problem to auditors if
the system is well-designed to maintain a record of all events and the records can easily be accessed.
Physical control over assets and records- information system assets and records are distinct to computerized
information systems. These assets and records can be easily destroyed through abuse or disaster, thus back-ups
must be present
Adequate Management Supervision- supervisory controls must be built into the computer system. Because
many activities are electronically controlled, managers must periodically access the audit trail of employees and
examine it for unauthorized actions
Independent Checks on performance- independent checks on the performance of programs often have little
value thus the control emphasis must be on ensuring the accuracy of program code
Comparing recorded accountability with assets- counted and recorded assets may not reconcile, and
irregularities may not be discovered because segregation of duties is not practiced in the computer system
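An added example (not part of the original notes) of the audit-trail review described under Segregation of Duties and Adequate Management Supervision: it scans a constructed transaction log for incompatible functions performed by the same user. The record layout, function names and policy pairs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed audit-trail records: (transaction id, user, function performed).
AUDIT_TRAIL = [
    ("PV-1001", "alice", "create_payment"),
    ("PV-1001", "bob", "approve_payment"),
    ("PV-1002", "carol", "create_payment"),
    ("PV-1002", "carol", "approve_payment"),  # maker and checker are one person
    ("VN-2001", "dave", "create_vendor"),
    ("PV-1003", "dave", "create_payment"),    # vendor setup and payment entry
    ("PV-1003", "erin", "approve_payment"),
]

# Assumed policy: (function_a, function_b, scope).
# "transaction": one user must not do both on the same transaction.
# "user": one user must not perform both anywhere in the system.
POLICY = [
    ("create_payment", "approve_payment", "transaction"),
    ("create_vendor", "create_payment", "user"),
]


def sod_exceptions(trail, policy):
    """Return sorted (scope_id, user, function_a, function_b) exceptions.

    scope_id is the transaction id for a transaction-level conflict and
    "*" for a conflict that spans the user's whole activity.
    """
    by_txn_user = defaultdict(set)  # (transaction, user) -> functions
    by_user = defaultdict(set)      # user -> functions
    for txn, user, func in trail:
        by_txn_user[(txn, user)].add(func)
        by_user[user].add(func)

    findings = []
    for func_a, func_b, scope in policy:
        if scope == "transaction":
            for (txn, user), funcs in by_txn_user.items():
                if func_a in funcs and func_b in funcs:
                    findings.append((txn, user, func_a, func_b))
        else:
            for user, funcs in by_user.items():
                if func_a in funcs and func_b in funcs:
                    findings.append(("*", user, func_a, func_b))
    return sorted(findings)


if __name__ == "__main__":
    for scope_id, user, func_a, func_b in sod_exceptions(AUDIT_TRAIL, POLICY):
        print(f"{scope_id}: {user} performed both {func_a} and {func_b}")
```

Each exception is a lead for follow-up, since the log shows who performed a function but not whether a compensating control (such as supervisory review) was in place.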
Collecting evidence in a computerized system is more diverse and complex than in a manual system
Some substantive tests applicable in a manual system may no longer be applicable in a computerized system
(inquiry, inspection, observation, reperformance, analytical procedures, etc.)
Test of controls- how would you know if the controls are effective?
› Traceability of control strengths and weaknesses through the system (a single piece of data may be used by
multiple users)
Start with the computer program
The use of computers changes the processing, storage, retrieval and communication of financial information,
which affects the accounting and internal control systems employed by the entity.
› Efficacy of internal controls over input, processing, analysis and reporting undertaken in the CIS
installation
› The impact of computerization on the audit trail that could otherwise be expected to exist in a manual
system
Skill and Competence- an auditor should have sufficient knowledge of the CIS to plan, direct, supervise, control
and review the work performed (experts)
Planning- the auditor should obtain understanding of the significance and complexity of the CIS activities and
the availability of the data for use in the audit. Auditor’s understanding would include:
› Determination of the extent of availability of data by reference to source documents, computer files and
other evidential matter.
Risk- auditor should assess whether CIS may influence the assessment of inherent and control risks. The
nature of the risks and the internal control system include the following:
Risk Assessment – assessment of inherent and control risk for material financial statement assertions
› Operations
These deficiencies would tend to have a negative impact on all application systems, creating errors and fraudulent
activities
Documentation- the auditor should document the audit plan, the nature, timing and extent of audit procedures,
and the conclusions drawn from the evidence obtained. (evidence must be sufficient and appropriate)