
AUDITING IN A COMPUTERISED ENVIRONMENT AC412
CLASS NOTES

AUGUST 1, 2018
GREAT ZIMBABWE UNIVERSITY
B. MUTEMBWA
Introduction

This module aims to provide both basic and advanced knowledge of computer auditing and its application in organisations that make use of information technology. At the end of the course the student should be able to audit in an information technology environment and apply audit techniques that are specific to the various applications found in such an environment.

Computers have revolutionised all aspects of life and have affected businesses in many ways. Computerisation has changed the organisation, control and flow of information in business entities. Auditing in a computerised environment is not fundamentally different from auditing in a manual accounting system; however, there are fundamental changes to the methods of collecting evidence and of evaluating that evidence.

The use of the computer in a business eases some operations and at the same time increases some risks.

A computerised environment exists when a computer, of any size, is used in the processing of transactions. This includes the use of third-party entities that have computerised environments, such as accounting bureaux.

The use of the computer affects the identification, collection, processing, storage and communication of accounting information.

The use of the computer also affects the entity's internal control system, with both positive and negative implications for the entity and the auditor.

Computers are becoming more complex: faster, smaller and with more powerful processing capabilities.

The use of computers does not eliminate the need for the internal controls that apply in manual systems; rather, it should enhance and consolidate them.

Characteristics and considerations in a computerised environment

1. Impact of an information technology environment on the audit process

- The audit approach is substantially the same in a computerised environment and in a manual system. Audit procedures must be performed in accordance with the International Standards on Auditing (ISAs).
- A computerised environment will influence the nature, extent and timing of audit procedures: the procedures to understand the accounting and internal control systems, the evaluation of risk (inherent and control), and the design and performance of tests of controls and substantive procedures.
- When the environment is computerised, the auditor has additional considerations in respect of:
  - engagement considerations,
  - planning activities.

1.1 Engagement considerations

Prior to accepting an engagement, the auditor should consider whether he has the competence and resources necessary to carry out an effective audit of an entity whose environment is computerised.

Where the auditor does not possess sufficient competence, he may make use of computer audit specialists.

In using the work of a specialist, the auditor must ensure that the provisions of ISA 620 (Using the Work of an Auditor's Expert) have been complied with, such as:

- consideration of whether reliance on the specialist is justified,
- the terms of the engagement,
- procedures to review the specialist's work.

1.2 Planning activities

In planning the audit of a computerised environment, the auditor considers and takes into account a number of issues.

1.2.1 Gain knowledge of the computer environment and processing

- The auditor must obtain sufficient knowledge of the business and its environment.
- The auditor should gain knowledge of the accounting systems being used by the entity.
- In a computerised environment, the auditor must understand the impact of that environment on transactions, events and the audit procedures.
- The auditor should consider:
  - the entity's use of and attitude to IT,
  - the industry's use of IT,
  - systems changes (including intended changes).

1.2.2 Gain an understanding of the accounting and internal control system

(a) The auditor must understand:

- the organisational structure;
- the extent to which the computer is used in each financial application;
- the complexity of computer processing:
  - the volume of transactions,
  - complex processing performed by the computer,
  - electronic data interchange;
- the hardware and software used;
- the processing methods in use;
- where data processing takes place;
- the manual and computer controls in place;
- the extent of the audit trails;
- intended changes;
- the need or scope for computer-assisted audit techniques (CAATs);
- the extent of the entity's dependence on the computer system (going concern).

(b) The importance of understanding the accounting and internal control systems

- to identify the effect of the computerised system on material flows of information;
- to make a provisional assessment of control risk;
- to consider the appropriate audit approach;
- to consider the need for a specialist;
- to consider whether CAATs are appropriate.

(c) Consider the risks of the system

The auditor should consider the effect of the computer environment on the inherent and control risks.

2. A combined audit approach in an IT environment

Audit approach

Auditing around the computer

This approach treats the computer system and its programmes as a black box and relies on review and comparison of the input and output documents. The rationale is that if the source documents are valid, accurate and complete, and the output produced by the computer system from processing those source documents is correct, then the processing functions of the computer system are being performed correctly. How those processing functions are performed is deemed to be of little consequence. The approach assumes that computer-generated output can be traced back and compared to the input.

The audit is performed by selecting a sample of transactions that have already been processed and tracing them from their point of origin as source documents to the output documents or records produced by the computer system.

This approach is only feasible if the computer system under consideration is a simple, batch-oriented system with no significant controls or automated/integrated functions built into it.

Additional requirements for adopting this approach are that control is maintained by segregation of duties, independent checks and management supervision, together with the maintenance of a clear audit trail.

Advantages of auditing around the computer:

- there is no risk of corruption of the client's data by the auditor;
- the auditor requires little or no knowledge of computer technology;
- there is minimal disruption of the client's IT function;
- the costs associated with technology and computer expertise may be reduced.

Disadvantages of auditing around the computer:

- apart from the more trivial applications, computer systems generally involve volumes of data and transactions which render manual testing ineffective;
- system controls, and potential errors within the system, are ignored;
- no use is made of the most powerful and valuable audit tool, namely the computer.

Auditing through the computer (test of controls approach)

- This approach is concerned with testing the computer system and the controls which are built into it.
- Simplistically, this is achieved by the auditor sending transactions (test data) through the system, some of which deliberately contain errors that the system's programmed controls should detect.
- In this way the auditor tests whether the controls are working as expected: if a transaction which the auditor knows to be incorrect is rejected by the system, the auditor has some evidence that the control is working; if it is accepted, the auditor has evidence that it is not.

Advantages of auditing through the computer:

- it can be used effectively and efficiently to audit a highly sophisticated computer system which processes huge volumes of data and relies extensively on computerised controls, e.g. a bank.

Disadvantages of auditing through the computer:

- the auditor is required to have a high level of technical computer knowledge;
- audit costs may increase because of the investment in technology and expertise required;
- the auditor must take stricter precautions because of the increased risk of corrupting the client's data and master files (test data must never be allowed to update live files).
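The test-data approach described above, carried through as an added example that is not from these notes or from any client system. A hypothetical order-entry validation routine stands in for the client's programmed input controls, and the auditor's test deck pairs each transaction with the rejection the auditor expects; every identifier, control name, customer code and figure below is invented for the illustration.

```python
"""Test-data ('test deck') run against a hypothetical order-entry program,
showing how an auditor tests programmed controls. The program, control
names, customer codes and amounts are all constructed for this example."""
from dataclasses import dataclass

# Hypothetical customer master file: customer code -> credit limit.
CUSTOMER_MASTER = {"C001": 5000.0, "C002": 1200.0}

# Hypothetical product master file.
VALID_PRODUCTS = {"P100", "P200"}


@dataclass
class Order:
    order_no: str
    customer: str
    product: str
    qty: int
    unit_price: float


def validate_order(order):
    """The client's programmed input controls (hypothetical). Returns the
    list of controls that rejected the order; an empty list means the
    order was accepted for processing."""
    rejections = []
    if order.customer not in CUSTOMER_MASTER:
        rejections.append("CUSTOMER_EXISTENCE")
    if order.product not in VALID_PRODUCTS:
        rejections.append("PRODUCT_EXISTENCE")
    if order.qty <= 0:
        rejections.append("QUANTITY_RANGE")
    if order.unit_price <= 0:
        rejections.append("PRICE_RANGE")
    limit = CUSTOMER_MASTER.get(order.customer)
    if limit is not None and order.qty * order.unit_price > limit:
        rejections.append("CREDIT_LIMIT")
    return rejections


# The auditor's test deck: each transaction with the rejections the auditor
# EXPECTS the system to raise. T1 is deliberately valid; T6 should trip two
# controls at once.
TEST_DECK = [
    (Order("T1", "C001", "P100", 2, 100.0), []),
    (Order("T2", "C999", "P100", 1, 50.0), ["CUSTOMER_EXISTENCE"]),
    (Order("T3", "C001", "P999", 1, 50.0), ["PRODUCT_EXISTENCE"]),
    (Order("T4", "C001", "P100", -3, 50.0), ["QUANTITY_RANGE"]),
    (Order("T5", "C002", "P200", 10, 200.0), ["CREDIT_LIMIT"]),
    (Order("T6", "C002", "P200", 0, 0.0), ["QUANTITY_RANGE", "PRICE_RANGE"]),
]


def run_test_deck(deck=TEST_DECK):
    """Pass each test transaction through the program and compare the
    actual rejections with the expected ones. Returns
    {order_no: (passed, expected, actual)} so that exceptions (a control
    that did not fire, or fired when it should not) can be listed in the
    working papers."""
    results = {}
    for order, expected in deck:
        actual = validate_order(order)
        results[order.order_no] = (sorted(actual) == sorted(expected), expected, actual)
    return results


if __name__ == "__main__":
    for no, (ok, exp, act) in run_test_deck().items():
        print(f"{no}: {'OK' if ok else 'EXCEPTION'} expected={exp} actual={act}")
```

A transaction the system accepts when the auditor expected a rejection is the evidence that a control is not operating; a deck in which every entry passes gives some evidence that the tested controls work. In practice the deck is run against a copy of the programme in a test environment, never against live master files.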

Auditing with the computer (substantive testing)

- This means using the computer to assist in the performance of audit procedures.
- Using this approach for substantive testing involves gaining access to the client's files and using audit software (programmes which help the auditor do what he must do) to read, sort, compare and analyse the data on the file, very quickly and extensively.
- The idea behind using the computer to automate the audit is to make the audit more effective and efficient by harnessing the power of the computer.

Advantages of auditing with the computer:

- use is made of the power, speed and versatility of the computer, which results in a more economical and efficient audit.

Disadvantages:

- the costs and licence fees of audit hardware and software;
- the audit team requires training in how to use the software;
- there is a tendency for the audit team to audit without thinking about what they are doing.
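An added example, not from these notes, of the read, sort, compare and analyse work that audit software performs, written here in Python over a constructed sales invoice extract. The file layout, customer codes and amounts are made up for the illustration; the procedures are the generic substantive ones: re-performing calculations, checking the numerical sequence for gaps and duplicates, matching to a master file, and stratifying by value.

```python
"""Audit-software style substantive procedures over a constructed sales
invoice file. The layout, customer list and figures are invented."""
import csv
import io
from collections import Counter

# Constructed extract of the client's sales invoice file (hypothetical).
# Row 1003 appears twice, 1004 is missing, and one 1003 total is wrong.
INVOICE_FILE = """invoice_no,customer,qty,unit_price,total
1001,C001,10,25.00,250.00
1002,C002,4,99.50,398.00
1003,C001,3,25.00,80.00
1003,C001,3,25.00,75.00
1005,C003,1,1500.00,1500.00
1006,C002,20,99.50,1990.00
"""

CUSTOMER_MASTER = {"C001", "C002"}   # C003 is not an approved customer


def read_invoices(text=INVOICE_FILE):
    """Read the extract into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]),
            "customer": r["customer"],
            "qty": int(r["qty"]),
            "unit_price": float(r["unit_price"]),
            "total": float(r["total"]),
        })
    return rows


def reperform_extensions(rows):
    """Accuracy: recalculate qty x unit price and report invoices where
    the total on the file differs."""
    return [r["invoice_no"] for r in rows
            if abs(r["qty"] * r["unit_price"] - r["total"]) > 0.005]


def sequence_gaps_and_duplicates(rows):
    """Completeness: numbers missing from the range; validity: numbers
    used more than once. Returns (gaps, duplicates)."""
    nums = [r["invoice_no"] for r in rows]
    counts = Counter(nums)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    gaps = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    return gaps, duplicates


def unmatched_customers(rows, master=CUSTOMER_MASTER):
    """Validity: invoices raised to customers not on the master file."""
    return sorted({r["invoice_no"] for r in rows if r["customer"] not in master})


def stratify(rows, threshold):
    """Count and value of items above and below a threshold, to decide
    which items to test individually and which to sample."""
    above = [r for r in rows if r["total"] >= threshold]
    below = [r for r in rows if r["total"] < threshold]
    return {"above": (len(above), round(sum(r["total"] for r in above), 2)),
            "below": (len(below), round(sum(r["total"] for r in below), 2))}


if __name__ == "__main__":
    rows = read_invoices()
    print("extension errors:", reperform_extensions(rows))
    print("gaps, duplicates:", sequence_gaps_and_duplicates(rows))
    print("unmatched customers:", unmatched_customers(rows))
    print("stratification at 1000:", stratify(rows, 1000))
```

Each function returns the exceptions rather than printing them, so the results can be fed into a working paper; the same procedures scale to a full-year file, which is the point of using the computer rather than manual vouching.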

Combined audit approach

The auditor is not restricted to one of the three approaches. In most reasonably sized audits where the client has a computerised accounting system, the audit approach will be a mixture of the approaches above.

Auditing is about getting the mix of tests of controls and substantive testing right, based on the strength of the organisation's controls and the ease and efficiency with which substantive testing can be achieved.

Some of the procedures which the auditor carries out may be unaffected by whether the client is computerised or not, e.g. scrutiny of minutes or inspection of non-current assets.

The overriding objective is to achieve the most effective and efficient way of getting the audit done.

Audit Strategy

Audit Plan

3. Understanding different computer environments

- Online computer system

A computer system in which data is captured via a remote point or a terminal as the transaction occurs, and the data is processed immediately.

Characteristics of online systems

- online (direct) entry of data;
- use of validation to authorise input;
- online access to the system by users;
- absence of traditional visible audit trails.

Advantages

- files are up to date;
- accuracy of entry;
- the risk of non-recording of transactions is small;
- the system is fast.

Disadvantages

- absence of visible entry and audit trails;
- higher risk of unauthorised access to the system and data;
- higher risk of unauthorised processing on the system;
- higher risk of unauthorised changes to data.

Types of online systems

Online entry with real-time processing

- Transactions are entered via terminals, automatically authorised, processed and stored.
- The master file is updated immediately.

Online entry with batch processing

- Transactions are authorised and entered immediately into the system.
- The transactions are applied to the master file in batches at regular or given time periods; updating is not immediate.
- Users have a good opportunity for control over the completeness and accuracy of the data, using batch totals and clear audit trails.
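Batch control totals, as an added example that is not part of these notes: the three totals normally recorded on a batch header before entry (record count, financial total and hash total), recomputed from what the system posted and compared with the header. The transactions and the posting runs are constructed for the illustration.

```python
"""Batch control totals: the completeness and accuracy check that users of
an online-entry, batch-update system can perform. The batch, its header
totals and the two 'posted' runs are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account_no: int   # numeric field used for the hash total
    amount: float


def batch_totals(txns):
    """The three totals written on the batch header slip:
    - count: number of records (detects a dropped or added record),
    - financial: sum of the amounts (detects an altered amount),
    - hash: sum of a field with no meaning as a total, here the account
      numbers (detects a record posted to the wrong account)."""
    return {
        "count": len(txns),
        "financial": round(sum(t.amount for t in txns), 2),
        "hash": sum(t.account_no for t in txns),
    }


def reconcile_batch(header, posted):
    """Compare the header totals with totals recomputed from what the
    system actually posted. Returns the names of the totals that
    disagree; an empty list means the batch reconciles."""
    actual = batch_totals(posted)
    return [k for k in ("count", "financial", "hash") if header[k] != actual[k]]


# Constructed batch of input documents; the header totals are taken from
# these before the batch is keyed in.
INPUT_BATCH = [Txn(10234, 150.00), Txn(10871, 75.50), Txn(11002, 300.00)]
HEADER = batch_totals(INPUT_BATCH)

# Run 1: everything posted as keyed.
POSTED_OK = list(INPUT_BATCH)

# Run 2: account 10871 keyed as 10817 and 300.00 keyed as 30.00. The count
# still agrees, but the hash total and financial total expose both errors.
POSTED_BAD = [Txn(10234, 150.00), Txn(10817, 75.50), Txn(11002, 30.00)]

# Run 3: the last document was never keyed; all three totals disagree.
POSTED_DROPPED = INPUT_BATCH[:2]


if __name__ == "__main__":
    print("header:", HEADER)
    for name, run in [("ok", POSTED_OK), ("bad", POSTED_BAD), ("dropped", POSTED_DROPPED)]:
        print(name, "->", reconcile_batch(HEADER, run) or "reconciles")
```

A batch that does not reconcile is held back and the differences traced to the individual records; the hash total matters because a record posted to the wrong account leaves the count and the financial total unchanged.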

Shadow processing

- The system has two parallel processing streams running simultaneously.
- A copy of the master file is updated continually with online entry and real-time processing.
- At the same time the computer system automatically creates batch files of the transactions, which are used to update the original master file at designated time periods.
- Shadow processing offers the benefits of both real-time and batch processing, together with the security of the original master file.

Online input, real-time processing and interactive output

Transactions are entered directly into the system from online terminals and are processed as they are entered. The master file is updated immediately. Requests for information are handled interactively. Users have direct access to the system.

Batch processing systems

Transactions are stored in a transaction file. The fields in the master file are periodically updated from the transaction file. This method is suitable for processing transactions that occur in large numbers but at given times during a processing cycle, such as weekly wages, monthly payments to suppliers or monthly outstanding balances of debtors.

- Microcomputers (personal computer systems)
- Database systems
- Distributed processing systems (networks)

4. Risks in a computer environment

- Access, input, transfer, processing, output, continuity and general risks

5. Controls in an Information Technology Environment

- Controls in a computerised environment are categorised as either general controls or application controls.
- General controls are those which establish an overall framework of control for computer activities. They are controls which should be in place before any processing of transactions gets under way, and they span all applications.
- In contrast, application controls are controls which are relevant to a specific task within a cycle of the accounting system, e.g. taking an order from a customer, filling the order and preparing the invoice.
- For example, control procedures and policies to ensure that staff are competent and trustworthy would be regarded as general controls, whilst a control procedure which requires that the foreman authorise all overtime worked would be an application control (payroll cycle).
- Controls may also be classified as automated controls (performed by the computer) or manual controls (performed by people).

5.1 General controls

5.1.1 Control environment

The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation. The board of directors and senior management establish the tone at the top regarding the importance of internal control and the expected standards of conduct.

5.1.1.1 Communication and enforcement of integrity and ethical values

- Ethical IT governance must be cultivated and promoted, and should align with the ethical culture of the organisation.
- A strongly ethical culture is particularly important in an IT department, as IT personnel have access to confidential and sensitive information and may also have the opportunity to disrupt operations and to destroy or make unauthorised alterations to data.
- IT management should communicate a code of ethical behaviour, comply with it themselves, and take strong remedial action, which may include dismissal, where integrity and ethical behaviour have been lacking. The potential damage (risk) from engaging or retaining individuals who lack integrity is considerable.

5.1.1.2 Commitment to competence

The demands of many of the jobs in an IT department, in terms of skills and knowledge as well as the ability to handle pressure, can be considerable. IT management should be committed to matching these attributes to each individual's job description. Again, the consequences of an individual not being able to do his job could be immense. Performance reviews and regular discussions with employees, as well as ongoing training, demonstrate a commitment to competence.

5.1.1.3 Participation by those charged with governance

- IT governance is the overall responsibility of the board, which should provide the leadership and direction required to ensure that IT achieves, sustains and enhances the company's strategic objectives.
- IT governance is not an isolated discipline. There should be defined mechanisms for the IT department to communicate with the board and report regularly to it, and the board should appoint an IT steering committee to assist in the governance of IT.
- A steering committee is a group of people knowledgeable about computers, to whom major issues are referred, e.g. policies, future strategy, IT risk, and acquisitions of hardware and software. The IT department should not be a "separate entity" answerable only to itself.

5.1.1.4 IT management's philosophy and operating style

- As with the company's overall control environment, this comes down to the attitudes, control awareness and actions of IT management.
- Their actions set the tone of the department: as they lead, so will the employees follow.
- Their management philosophy and style must demonstrate, communicate and enforce sound control.
- For example, an IT manager who shares his PIN code for access to the data centre, or spends half the day "surfing the internet", can expect employees to start doing the same, and worse, before long.

5.1.1.5 Organisational structure, assignment of authority and responsibility

- The organisational structure should achieve two major objectives:
  - it should establish clear reporting lines and levels of authority, and
  - it should lay the foundation for segregation of duties so that, as far as possible, no member of staff performs incompatible functions.
- Overall, the functions of supervision, execution and review within the department should be segregated as far as possible, with clear job descriptions, levels of authority and responsibilities assigned to IT personnel and documented.
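A segregation-of-duties check over IT role assignments, as an added example that is not from these notes: given the functions each person holds and the pairs that one person should not hold together, it lists who holds an incompatible pair. The function names, the incompatible pairs and the staff list are constructed for the illustration; a real review would take the pairs from the entity's own policy.

```python
"""Segregation-of-duties check: find staff holding incompatible functions.
Functions, incompatible pairs and assignments are all constructed."""
from itertools import combinations

# Pairs of IT functions that one person should not hold together, with the
# reason each pair is incompatible (hypothetical policy).
INCOMPATIBLE = {
    frozenset({"PROGRAMMING", "OPERATIONS"}):        "writes programs and runs them live",
    frozenset({"PROGRAMMING", "LIBRARY_PROMOTION"}): "writes programs and copies them to live",
    frozenset({"OPERATIONS", "DATA_CONTROL"}):       "processes batches and checks own output",
    frozenset({"SECURITY_ADMIN", "PROGRAMMING"}):    "grants own access and changes programs",
}

# Constructed assignments: person -> functions held.
ASSIGNMENTS = {
    "amara": {"PROGRAMMING"},
    "ben": {"OPERATIONS", "DATA_CONTROL"},
    "chen": {"LIBRARY_PROMOTION", "SECURITY_ADMIN"},
    "dana": {"PROGRAMMING", "LIBRARY_PROMOTION", "SECURITY_ADMIN"},
}


def sod_violations(assignments=ASSIGNMENTS, incompatible=INCOMPATIBLE):
    """Return {person: [(function_a, function_b, reason), ...]} for every
    person holding at least one incompatible pair. Every pair of the
    person's functions is examined, so someone with three functions can
    be reported for more than one conflict."""
    out = {}
    for person, funcs in assignments.items():
        hits = []
        for a, b in combinations(sorted(funcs), 2):
            reason = incompatible.get(frozenset((a, b)))
            if reason is not None:
                hits.append((a, b, reason))
        if hits:
            out[person] = sorted(hits)
    return out


if __name__ == "__main__":
    for person, conflicts in sod_violations().items():
        for a, b, reason in conflicts:
            print(f"{person}: {a} + {b} ({reason})")
```

In a small IT department the conflicts may be unavoidable; the output then becomes the list of positions for which compensating controls (supervision, independent review, logging) must be shown to exist.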

5.1.1.6 Human resource policies and practices

- The entity should have in place policies and procedures to:
  - recruit the right people: interviews, background checks, minimum qualifications;
  - train and maintain competence: training courses, workshops, seminars;
  - determine fair remuneration: industry norms, performance appraisals, benefits;
  - develop and promote: training, education, guidance, career paths;
  - counsel: suitably qualified human resource personnel.

5.1.2 Systems development and implementation controls

- Systems development has to do with significant changes to computerised systems.
- This often means that most of the following aspects of the system will be new or significantly changed: hardware, software, communication devices, personnel, procedures, documentation and control procedures.
- If systems development is not properly controlled, the following might occur:
  - the costs of development may get out of control;
  - the system design may not suit user requirements properly (e.g. important information which is required is not available or is hard for the user to find);
  - programmes within the system may contain errors and bugs;
  - important financial reporting requirements are not incorporated into the system, or are incorrectly understood by the business analyst or programmer;
  - the new system may not incorporate enough controls to ensure the integrity of its programmes and data, e.g. the design of access privileges may give employees write access to files they should not have any access to;
  - an excellently designed system may be rendered virtually useless because no one knows how to use it;
  - the information transferred from the old system to the new may be erroneous, invalid or incomplete.

5.1.2.1 In-house development

- Standards
  - All systems development should be carried out in accordance with pre-defined standards which have been set for each of the phases described below, in line with the ISO 9000 series of standards.
  - Compliance with these standards should be strictly monitored and any deviations thoroughly followed up by management.
- Project approval
  - Projects for systems development may arise out of user requests or as a result of strategic planning.
  - A feasibility study should be carried out, culminating in either:
    - a system specification for an in-house development proposal,
    - a proposal which involves the purchase of off-the-shelf (packaged) software, or
    - rejection of the project.
  - The feasibility study should include a cost/benefit analysis which lists, and puts a money value to, the expected costs and benefits.
- Project management
  - A project team should be formed by the steering committee to manage the project; it should include IT and appropriate user personnel, including accounting and internal audit personnel.
  - The development project should be planned in stages, each stage detailing the specific tasks which must be completed.
  - Responsibility for each specific task must be allocated to appropriate staff members.
  - Deadlines should be set for completion of each stage and each specific task.
  - Progress should be monitored at regular intervals to identify any problems which may affect achievement of the goals set; critical path analysis may be useful here.
  - Regular progress reports should be submitted to the steering committee.
- User requirements
  - Business analysts should carefully determine and document all user requirements relating to the system, e.g. input, procedures, calculations, output, reports, financial reporting requirements, audit trails.
  - Special care should be taken to consult both internal and external auditors as to their requirements and their recommendations concerning internal controls, e.g. access controls, validation checks.
  - The management of each user department should sign their approval of the specifications recorded to satisfy the needs of their department.
- Systems specifications and programming
  - Programme specifications should be clearly documented.
  - Programming should take place in accordance with standard programming conventions and procedures, e.g. for coding, flowcharting, programme routines and job control routines.
  - Programmers should carry out all programme development in a development environment and should have no access to the live environment.
- Testing
  - The code of individual programmes should be tested by the programmers using standard debugging procedures such as code checking and running the programme with test data (programme tests and string tests).
  - The system should also be tested as a whole to ensure that all programmes integrate properly; this would normally be done by business analysts in a test environment (systems tests).
  - The system should also be tested at output level by management, users and auditors to establish whether it satisfies the requirements of its users (user acceptance tests).
- Final approval
  - The results of the above testing should be reviewed by all involved to ensure that the necessary changes have been made and errors corrected.
  - The project team should then obtain final approval from the board, users, internal audit and IT personnel before going ahead with conversion procedures.

- Training
  - A formal programme should be devised setting out in detail all personnel to be trained and the dates and times of their training, and allocating responsibility for training to specific, capable staff.
  - User procedure manuals and updated, clearly defined job descriptions should be compiled and used in the training exercise.
- Conversion
  - Controls are necessary at this stage to ensure that the programmes and information taken onto the new system are complete, accurate and valid.
  - The conversion method must be selected:
    - parallel processing of the old and new systems for a limited period, or
    - immediate shut-down of the old system on implementation of the new system, or
    - conversion of the entire system at one time, or
    - phasing in different aspects over a set period.
- Post-implementation review
  - Users, IT personnel and auditors should review the system after implementation to determine whether:
    - the system is operating as intended (all bugs resolved),
    - the systems development exercise was effective (for future reference),
    - all aspects of the new system are adequately documented in accordance with predetermined standards of documentation.
- Documentation
  - The project itself, and all the activities which took place in the planning and execution of the project, should be documented.
  - Documentation relating to the system itself must also be prepared, e.g. systems analysis, flowcharts, programming specifications, etc.
  - Documentation should be backed up on an ongoing basis and stored offsite.

5.1.2.2 Packaged software

- Another option for an entity is to purchase packaged software rather than developing the software itself (in-house).
- Purchased packages are designed to meet the generic requirements of many users with similar needs, and although current packages contain hundreds of features and capabilities, the user basically gets what the package offers, nothing more and nothing less.
- This means that, from the company's perspective, the emphasis will be on deciding whether the package offers the features and capabilities that match what the company's users want.
- Advantages of packaged software:
  - lower cost;
  - the entire software development project is completed far more quickly, because development and testing have already been done by the software's developers;
  - the package can be demonstrated up front, so IT personnel and users can see what the package "can do"; sample reports can be examined, and the computer capacity required by the software can be determined and tested;
  - technical support (by phone or over the internet) is usually available from individuals who are very skilled and knowledgeable about the specific package, and comprehensive manuals are supplied;
  - software companies usually upgrade the packages on an ongoing basis.
- Disadvantages of packaged software:
  - the package may not meet the company's requirements exactly; excellent software developed overseas may, for example, not satisfy South African tax or financial reporting requirements (many of these packages do offer SA versions);
  - changes cannot be made by a purchaser of the software.

- Controls for the acquisition and implementation of packaged software:
  - project management: the entire exercise should be run as a project by a team appointed by the steering committee;
  - project approval: a feasibility study must still be conducted to determine:
    - user needs,
    - the specifications (capabilities, functions, controls, ease of use) of the packages available in the market,
    - costs and benefits (costs will include the cost of the package itself, running it, appointing and training staff, purchasing additional hardware, etc.),
    - the technical support available and the reliability of the supplier;
    approval for the package chosen should be obtained from users, internal audit and the steering committee, and authorisation for its purchase should be obtained from the CIO and the board;
  - training: all affected IT personnel and users should be trained in the use of the new software;
  - conversion: moving data onto the new system should be controlled as explained under in-house development;
  - post-implementation review: again, IT personnel, users and internal audit should review the new software several months after implementation to determine whether it is operating as intended;
  - documentation: the systems documentation, user manuals, etc. will come from the supplier, but the planning and execution of the project itself should be documented.

5.1.2.3 Programme change controls

- There is virtually always an ongoing need to modify applications to meet changes in user requirements, to improve the way information is presented, and so on.
- These modifications require changes to the application programmes, and if such changes are not carefully controlled, unauthorised modifications could be made, negating the effect of the strong controls which were implemented when the system was developed.
- The controls which should be in place are:
  - programme change standards, like those for systems development, must be adhered to;
  - requests for programme changes should be documented on pre-numbered, pre-printed change control forms and listed in a register;
  - programme change requests should be evaluated and approved by:
    - the user department (application changes),
    - the IT manager (CIO) (application and systems changes), and
    - the steering committee for more major changes;
  - programme changes should be made by programmers, not by operators or users (in some systems programme changes can be made by a user from his workstation; such a system would have to be carefully controlled, primarily by written approvals, access controls, logging by the computer and review of the logs);
  - any major change should be managed as a mini project (see systems development);
  - changes should be made to a development copy of the programme, not to the production programme (i.e. to a copy of the live programme);
  - changes should be tested by the programmer and by an independent (senior) programmer using standard debugging techniques;
  - programme changes should be discussed with users and internal audit, who should sign the change control form if they approve;
  - all documentation affected by the change should be updated, and the change exercise itself should also be documented;
  - the amended programme should be copied to the live environment by an independent technical administrator, and all programme changes should be logged automatically by the computer; the IT manager should review the log of programme changes and reconcile it to the programme change forms and register.
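The IT manager's review in the last point above, as an added example that is not from these notes: the computer's log of programmes copied into the live library is reconciled to the change control register, and every mismatch is listed for follow-up. The log format (a hypothetical `PROMOTE` line), the register entries and the staff names are constructed for the illustration and are not those of any real system.

```python
"""Reconcile the automatic programme-change log to the change control
register. The log format, register and names are all constructed."""
import re
from datetime import datetime

# Constructed register of change control forms (form number -> details).
# CCF-0040 was approved but never appears in the log; CCF-0043 is still
# awaiting approval.
CHANGE_REGISTER = {
    "CCF-0040": {"program": "STOCK07", "status": "approved"},
    "CCF-0041": {"program": "PAYROLL01", "status": "approved"},
    "CCF-0042": {"program": "DEBTORS03", "status": "approved"},
    "CCF-0043": {"program": "GLPOST02", "status": "pending"},
}

# Constructed log written automatically when a programme is copied to the
# live library (hypothetical format): timestamp, programme, who copied it,
# and the change control form it cites.
CHANGE_LOG = """\
2018-07-02 18:42:11 PROMOTE PAYROLL01 by=tadmin ref=CCF-0041
2018-07-09 09:15:03 PROMOTE DEBTORS03 by=tadmin ref=CCF-0042
2018-07-15 23:58:40 PROMOTE GLPOST02 by=tadmin ref=CCF-0043
2018-07-21 02:10:55 PROMOTE CREDITORS1 by=jsmith ref=NONE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) PROMOTE (?P<program>\S+) "
    r"by=(?P<by>\S+) ref=(?P<ref>\S+)$")

# Staff allowed to copy programmes to live (the independent administrator).
INDEPENDENT_ADMINS = {"tadmin"}


def parse_log(text=CHANGE_LOG):
    """Parse the log into dicts; an unparseable line is itself an exception
    worth raising, since the log is the control."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(d)
    return entries


def reconcile(entries, register=CHANGE_REGISTER, admins=INDEPENDENT_ADMINS):
    """Return the exceptions for the IT manager to follow up, as
    (type, programme, detail) tuples:
    - NO_APPROVED_FORM: a live change with no approved change form;
    - FORM_PROGRAM_MISMATCH: the form cited is for a different programme;
    - NOT_INDEPENDENT_ADMIN: copied to live by someone other than the
      independent administrator (e.g. a programmer);
    - FORM_NOT_IN_LOG: an approved form with no logged change (not yet
      implemented, or implemented without being logged)."""
    exceptions = []
    seen_refs = set()
    for e in entries:
        form = register.get(e["ref"])
        if form is None or form["status"] != "approved":
            exceptions.append(("NO_APPROVED_FORM", e["program"], e["ref"]))
        elif form["program"] != e["program"]:
            exceptions.append(("FORM_PROGRAM_MISMATCH", e["program"], e["ref"]))
        if e["by"] not in admins:
            exceptions.append(("NOT_INDEPENDENT_ADMIN", e["program"], e["by"]))
        seen_refs.add(e["ref"])
    for ref, form in register.items():
        if form["status"] == "approved" and ref not in seen_refs:
            exceptions.append(("FORM_NOT_IN_LOG", form["program"], ref))
    return exceptions


if __name__ == "__main__":
    for kind, program, detail in reconcile(parse_log()):
        print(f"{kind}: {program} ({detail})")
```

The reconciliation runs in both directions: log entries without an approved form detect unauthorised changes, and approved forms without a log entry detect changes that bypassed the logged promotion path. Timestamps outside working hours, like the two late-night entries in the constructed log, are a further sorting key a reviewer would apply to the same data.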

5.1.3 Access control

- The consequences of unauthorised access to a system can be disastrous for a company. Uncontrolled physical access to the hardware has resulted in the theft of, or damage to, expensive equipment and the data stored on it.
- Unauthorised logical access (which really means gaining unauthorised access, through a workstation or terminal, to electronically stored data and programmes) can result in the destruction of data, the manipulation of data, or the theft of data and programmes.
- Computer security is a huge and very complex topic which exercises the minds of the best and brightest.
- Many companies are permanently under siege from "hackers" trying to break into their systems, sometimes with very malicious intent and at other times "just for the challenge", or so they say.
- All preventative measures must take account of the important fact that authorised employees must still have access to the hardware, programmes and data they require to do their jobs effectively and efficiently.
- Access to all aspects of the system must be controlled:
  - hardware;
  - computer functions at system level (accessing the computer system itself);
  - computer functions at application level (accessing a specific application, or a module within an application);
  - data files and databases;
  - utilities;
  - documentation (electronic or hard copy);
  - communication channels.

5.1.4 Security policy

27
 A security policy addresses the security standards which

management need to achieve to maintain the integrity of the

company’s hardware and software.

 Once management have decided what it is they want to achieve,

they can go about implementing the policy.

 The policy should be documented and should be based on

principles rather than detailed procedures.

 Important principles include:

o Least privilege - employees should be given access to only

those aspects of the system which are necessary for the

proper performance of their duties.

o Fail safe - this principle requires that wherever possible, if a

control “fails”, whatever is being protected by that control,

should remain “safe”, e.g. if logical access control software

malfunctions, the system should shut down completely,

rather than allowing uncontrolled access. The same principle

will apply to physical controls.

o Defence in depth - this means that protection is not left up to

one control only, but rather to a combination of controls

o Logging - adherence to this principle, requires that the

computer’s ability to log (record) activity which takes place

on it, should be extensively incorporated, e.g. unsuccessful

attempts to access the system should be logged and

followed up. Logging is not an effective control activity,

unless the logs are regularly and frequently reviewed and

follow up action taken where control violations are identified.

5.1.5 Physical access control

 A large company will have extensive equipment, e.g. CPU, servers,

secondary storage devices, etc, which will normally be housed in a

data centre. It will also have hundreds of microcomputers, printers,

etc, in user departments on LANs and WANs.

 A smaller company could just have a small number of

microcomputers (which could be “stand alone” or networked) and a

printer.

 Unauthorised access has devastating consequences for both large

and small entities.

 In medium and large entities, the IT Department may have its own

offices (or in some cases its own building).

 Access to offices and the IT block must be properly regulated.

 The following physical controls may be desirable:

o visitors from outside the company to the IT building should:

 be required to have an official appointment to visit IT

personnel working in the IT department, e.g. external

maintenance personnel

 on arrival, be cleared at the entrance to the company’s

premises e.g. by a phone call to the IT department

 be given an ID tag and possibly escorted to the

department

 not be able to gain access through the locked door (must

“buzz”)

 wait in reception (or be met at the door) for whoever they

have come to see

 be escorted out of the department at the end of their

business.

o company personnel other than IT personnel

 there should be no need for other personnel to enter the

data centre, and access to the IT department should be

controlled in a practical manner as there will be contact

between the IT department staff and users on a regular basis.

o physical entry to the data centre (dedicated room)

 only individuals who need access to the data centre

should be able to gain entry

 access points should be limited to one

 access should be through a door which is locked other

than when people are entering or exiting, i.e. not propped

open by a wastepaper basket for people to come and go

 the locking device should be de-activated only by swipe

card, entry of a PIN number, scanning of biometric data,

e.g. thumbprint

 entry/exit point may be under closed circuit TV

5.1.6 Logical access controls

 Logical access control also plays a big part in controlling access at

application level but is dealt with under general controls because

before any transaction processing takes place, access controls

must be implemented as part of the general controls framework.

Logical access control is also covered in the section on application

controls.

 Logical access control is implemented through access control

software and other programmes, and covers:

o identification of users and computer resources

o authentication of users and computer resources

o Authentication of the user by unique passwords, including the

use of one-time passwords.

o Controls over passwords:

 passwords should be unique to each individual (group

passwords should not be used).

 passwords should consist of at least six characters, be

random not obvious, and a mix of letters, numbers,

upper/lower case and symbols.

 passwords/user-IDs for terminated or transferred

personnel should be removed/disabled at the time of

termination or transfer.

 passwords should be changed regularly

 system allows a limited number of attempts for an

employee to enter his existing password.

 After a set number of failed attempts, access will not be

granted until a new password has been registered.

 the first time a new employee accesses the system, he

should be prompted to change his initial password.

 passwords should not be displayed on PCs at any time,

be printed on any reports or logged in transaction logs.

 password files should be subject to strict access controls

to protect them from unauthorised read and write access,

Encryption of password files is essential.

 personnel should be prohibited from disclosing their

passwords to others and should be subjected to disciplinary

measures should they disclose their passwords.

 passwords should be changed if confidentiality has been

violated, or violation is expected.

 passwords should not be obvious, e.g. birthdays, names,

name backwards, common words, and should not be the same

as the user ID.

5.1.7 Supplementary access controls

 Automatic account lock-out, in the event of an access violation e.g.

incorrect password entered more than three times.

 Time-out facilities which automatically log out the user from the

system, if a period of more than (say) three minutes expires during

which there has been no activity.

 Automatic logging, review and follow up of access and access

violations.

 Encryption of confidential and critical information.

 Sensitive functions and facilities can be afforded extra protection by

requiring two or more passwords in order to gain access.

 Additional one-off passwords can be given to supplement an

existing user ID and password to protect sensitive transactions such

as a transfer out of a bank account. For example, when a user

wants to make the transfer the system automatically generates a

unique password and sends it to the user’s cell phone for that user

to enter. The assumption is that somebody trying to use another

person’s user ID and password (which they have obtained by

devious means), will not have the genuine user’s physical cell

phone and therefore will not receive the necessary once off

password. The genuine user will also be alerted to the fact that

someone is trying to transfer money out of their account.
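The password controls in 5.1.6 and the lock-out and time-out facilities in 5.1.7 can be seen as one small programmed control. The Python code below is an added example written for these notes; it is not part of the original notes and does not describe any particular product. The six-character minimum, three-attempt lock-out and three-minute time-out are the figures mentioned above; the short list of obvious words, the user IDs and the passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Constructed policy parameters taken from the notes: at least six characters,
# a mix of character classes, a limited number of attempts and a short idle
# time-out. The obvious-word list is a hypothetical stand-in for a real one.
MIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 3
IDLE_TIMEOUT = timedelta(minutes=3)
OBVIOUS_WORDS = {"password", "welcome", "letmein", "qwerty"}


def password_problems(user_id, password, name="", birthday=""):
    """Return the policy rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("needs a mix of letters, numbers, upper/lower case and symbols")
    lowered = password.lower()
    if lowered == user_id.lower():
        problems.append("same as the user ID")
    if lowered in OBVIOUS_WORDS:
        problems.append("common word")
    for obvious in (name, name[::-1], birthday):   # names, name backwards, birthdays
        if obvious and obvious.lower() in lowered:
            problems.append("contains an obvious value (%s)" % obvious)
    return problems


def _digest(password, salt):
    # The password file holds only a salted hash; the clear password is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One user's credentials, lock-out state and activity log."""

    def __init__(self, user_id, initial_password):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.digest = _digest(initial_password, self.salt)
        self.must_change = True      # first log-in must replace the initial password
        self.failed = 0
        self.locked = False
        self.last_activity = None
        self.log = []                # (timestamp, event) entries; passwords are never logged

    def login(self, password, now):
        if self.locked:
            self.log.append((now, "rejected: account locked"))
            return False
        if not hmac.compare_digest(_digest(password, self.salt), self.digest):
            self.failed += 1
            self.log.append((now, "failed attempt %d" % self.failed))
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True   # no access until a new password is registered
                self.log.append((now, "locked out"))
            return False
        self.failed = 0
        self.last_activity = now
        self.log.append((now, "login ok"))
        return True

    def register_new_password(self, new_password, now):
        """Register a replacement password; also the only way to clear a lock-out."""
        problems = password_problems(self.user_id, new_password)
        if problems:
            return problems
        self.salt = os.urandom(16)
        self.digest = _digest(new_password, self.salt)
        self.must_change = False
        self.failed = 0
        self.locked = False
        self.log.append((now, "password changed"))
        return []

    def session_expired(self, now):
        """Time-out facility: no activity for longer than IDLE_TIMEOUT ends the session."""
        return self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT


def lockout_report(accounts):
    """Review step: users with failed attempts or lock-outs, for follow-up."""
    return [(a.user_id, a.failed, a.locked) for a in accounts if a.failed or a.locked]
```

The log kept by each account is only useful if `lockout_report` (or a similar review) is actually run and followed up, which is the point made under the logging principle in 5.1.4.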

5.1.8 Continuity of operations

 These controls are aimed at protecting computer facilities from natural

disasters (e.g. flooding or fire), as well as from acts of destruction, attack

or abuse by unauthorised people. Poor controls result in “down time” and

disruption to normal processing.

5.1.9 Risk assessment

 The dependence by large companies on their IT systems is huge and

failure to assess and address IT risk threatens the continuity of operations.

 The auditor will evaluate whether assessing IT risk is an integral part of

the company’s risk assessment procedures and that there is an

appropriate level of experience and knowledge with regard to IT risk on the

risk assessment committee

 the risk committee meets regularly but is available to deal with the threat of

unexpected IT risk on an ongoing basis

 the risk assessment committee recognizes and assesses all types of

threat relating to IT which could disrupt operations including fraud and theft

perpetrated through the IT system and physical and infrastructure

damage, hacking and viruses and non-compliance with IT laws, rules,

standards and best practice

 accepted risk assessment protocols (ways of doing things) are followed

 assessments are documented and reported to the board

 responses to risks are recorded, implemented and monitored.

5.1.10 Physical security

 These controls are designed to protect facilities against natural and

environmental hazards and attack or abuse by unauthorised people.

 The following pertain more specifically to the data centre

 physical location (site selection)

 the data centre (and obviously the building in which it is housed), should

be placed away from obvious hazards e.g. river banks, main traffic areas,

the factory, stores of hazardous materials

 the facility should be located within a secure area within a building i.e. no

outside walls and windows

 there should be a secure door and access control devices

 fire and flood:

o automatic gas release (e.g. CO2), smoke detectors, fire

extinguishers, no smoking allowed

o situated above ground level and away from water mains

o raised flooring in the data centre.

 power surges:

o uninterrupted power supply equipment and backup generators,

 heat and humidity:

o air-conditioning preferably on its own electrical circuit

5.1.11 Disaster recovery

 These are controls implemented to minimise disruption as a result of some

disaster which prevents processing and/or destroys/corrupts programmes

and data.

 a disaster recovery plan is a written document which lists the procedures

which should be carried out by each employee in the event of a disaster,

 the plan should be widely available so that there is no frantic searching if a

disaster occurs.

 the plan should address priorities i.e. the order in which files or

programmes should be reconstructed, with the most important being

allocated the highest priority, as well as where backup data, programmes,

hardware etc may be obtained,

 the plan should be tested,

 the plan should detail alternative processing arrangements which have

been agreed upon in the event of a disaster, e.g. using a bureau

 backup strategies

o backups are copies of all or parts of files, databases, programmes

taken to assist in reconstructing systems or information, should they

be lost or damaged,

o back up of all significant accounting and operational data and

programme files should be carried out frequently and regularly,

o at least three generations of backups should be maintained

(grandfather, father, son)

 the most recently backed up information should be stored

off-site,

 all backups should be maintained in fireproof safes, and on-site

backups should be stored away from the computer

facilities,

 critical data and programmes can be copied in real time to a

“mirror site”, so that it is possible to switch processing to the

mirror site in the event of a disaster.

 copies of all user and operations documentation should be

kept off-site.

5.2 System software and operating controls

 System software controls the use of the hardware and the use of

the application and end-user software, as well as other resources

on the system.

 The evaluation of system software is very much the domain of the

computer audit specialist with good technical knowledge.

 Systems software includes:

o Operating system software which

 controls the use of the hardware

 tests critical components of the hardware and software

when the computer is started

 controls the input and output of data

 monitors the activities of the computer and keeps track of

each programme and the users of the system

 provides the interface with the user, e.g. how the user

communicates with the computer

o Network management software

 enables computer systems to communicate with each

other

o Database management software

 enables the user to create, maintain and use data files in

an efficient and effective manner

o System development software

 used to develop new software, e.g. assemblers,

compilers

o System support programmes

 such as anti-virus software, data compression software,

etc.

 Operating controls are the policies and procedures which should be in

place to work with the system software controls to make sure the

computer system (the hardware and software), is working properly,

 Controls include:

o Operating policies and procedures which are fully documented,

regularly reviewed and updated

o System software which maintains a log of activity on the system

detailing all activity which had taken place, including

 hardware malfunction

 intervention by personnel during processing

o Skilled technicians who can resolve operating problems

for users

o Adherence to international system software control

protocols (how things are properly done)

o Follow up on access violations, attempted violations

o Follow up of potential virus infection

o Adherence to manufacturers’ equipment, maintenance and

usage guidelines

o Strict supervision and review of IT employees (IT manager

needs to know what his staff are doing)

5.3 Documentation

 Sound documentation policies are essential, because

documentation can be critically important in:

o improving overall operating efficiency,

o providing audit evidence in respect of computer related

controls,

o improving communication at all levels,

o avoiding undue reliance on key personnel,

o training of users when systems are initially implemented.

 all aspects of the computer system should be clearly documented,

 access to documentation should be restricted to authorised

personnel.

5.3.1 Documentation standards

 As for all other aspects of the computer environment, pre-determined

standards should exist for documentation and

adherence thereto should be enforced.

 These standards should require at least:

o general systems descriptions,

o detailed descriptions of programme logic,

o operator and user instructions including error recovery

procedures,

o back-up and disaster recovery procedures,

o security procedures/policy,

o user training,

o implementation and conversion of new systems.

 This documentation should be promptly updated for any changes

and responsibility for this task should be allocated to specific

individuals (isolation of responsibility).

 Back-up copies of all documentation should be stored off-site.

 Access to documentation should be restricted to authorised

personnel

Application controls

 An application is a set of procedures and programmes designed to satisfy all

users associated with a specific task, for example, the payroll cycle. Other

examples include making sales, placing orders with suppliers and receiving or

paying money.

 An application control therefore is any control within an application which

contributes to the accurate and complete recording and processing of

transactions which have occurred, and have been authorised (valid, accurate

and complete information).

 The stages through which a transaction flows through the system can be

described as input, processing and output and application controls can be

described in terms of these activities, e.g. an application control relating to

input.

 In addition to implementing controls over input, processing and output,

controls must be implemented over masterfiles.

 A masterfile is a file which is used to store only standing information and

balances, e.g. the debtors masterfile will contain the debtors name, address,

contact details, credit balance, and the amount owed by the debtor.

 The masterfile is a very important part of producing reliable information and

must be strictly controlled.

 The objective of controls in a computerised accounting environment is

generally regarded as being centred around the occurrence, authorisation,

accuracy and completeness of data and information processed by and stored

on the computer.

o occurrence and authorisation are concerned with ensuring that

transactions and data:

 are not fictitious (they have occurred) or fraudulent in nature,

and

 are in accordance with the activities of the business and have

been properly authorised by management.

o accuracy is concerned with minimising errors by ensuring that data and

transactions are correctly captured, processed and allocated.

o completeness is concerned with ensuring that data and transactions

are not omitted or incomplete.

 preventing errors from entering the system is far better than detecting them

later.

 However, systems are not perfect so, whilst the focus of application controls

will be on prevention of errors, a good system will also have strong detection

controls.

 If errors are detected, they must be corrected so there will be correction

controls for correcting errors which have been identified by the detection

controls.

UNDERSTANDING CONTROL ACTIVITIES IN A COMPUTERISED ACCOUNTING

SYSTEM

 Control activities are the policies and procedures that help ensure that

management’s directives are carried out and implemented to address risks

identified in the risk assessment process.

 These control activities are:

o Segregation of duties

o Isolation of responsibilities

o Approval and authorisation

o Custody

o Access controls

o Comparison and reconciliation

o Performance reviews.

Segregation of duties

 Segregation of duties is achieved by assigning incompatible functions to different

individuals.

 This facilitates the checking of one employee’s work by another employee and

prevents an employee from covering up errors, unauthorized actions and

misappropriations, e.g. theft.

 Potentially, computerisation is a danger to segregation of duties as it takes

employees out of the system and enables the control procedures relating to

authorising, executing, custody and recording to be performed by one employee

and his computer.

 Segregation of duties in a computerised environment is achieved primarily by

controlling access which employees have to the system itself, the applications on

it, and the modules or functions within the application.

 This is achieved by setting up user profiles on the system for each employee

which detail exactly what that employee must be given access to and what he

can do when he has access, e.g. read a file, write to a file, make an enquiry,

authorise a transaction, etc

 The access to programmes and files granted to an employee is based on the

user’s functional responsibility.

Isolation of responsibility

 isolation of responsibilities is usually achieved by making a specific employee

(or employees) responsible for each function or procedure and requiring that

the employee sign the document relevant to the procedure he is performing,

to acknowledge (take responsibility for) having carried out the procedure.

 A computerised system can enhance isolation of responsibility by

programming the computer to produce a log of who did what and when they

did it.

 If the log is properly followed up it becomes an effective way of isolating

responsibility.

Approval and authorisation

 Approval and authorisation can be a (manual) user procedure, e.g. signing a

document, or an automated (programmed) control as discussed below.

 In a computerised system the authorization and approval of a transaction can

be carried out far more effectively and efficiently than in a manual system.

The system can be programmed not to proceed if certain conditions or

controls have not been satisfied.

 For example, a system can be programmed to allow a user to grant up to 10%

discount.

 Another example is when processing may not continue if certain conditions

have not been met such as transaction limits, where two persons must

authorise etc.

 The point is that a computerised system is very effective at preventing

unauthorized transactions from taking place.

 These kinds of controls can be overridden, but overrides must be

logged (isolation of responsibility) by the computer and should be followed up.

 One potential risk regarding approval/authorization in a computerised

system is that the initiation and execution of transactions may be automatic

with no visible or actual authorization of the transaction, e.g. interest rates on

predetermined levels, programmed payments/bank transfers.
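The user profiles described under segregation of duties and the programmed approval controls described in this section (the 10% discount limit, transaction limits, two-person authorisation and logged overrides) are illustrated together in the Python code below. It is an added example written for these notes, not code from the original notes or from any accounting package. The incompatible-function pairs, the R50 000 dual-authorisation limit, the user IDs and the file names are constructed for the illustration; only the 10% discount figure comes from the notes.

```python
from dataclasses import dataclass, field

# Constructed segregation-of-duties rules: pairs of functions that one user
# profile must never hold together (authorising, executing, recording and
# custody kept apart).
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"capture_sales_order", "authorise_sales_order"}),
    frozenset({"maintain_debtors_masterfile", "capture_receipts"}),
    frozenset({"prepare_eft", "release_eft"}),
}

MAX_SINGLE_DISCOUNT = 0.10            # from the notes: up to 10% may be granted alone
DUAL_AUTHORISATION_LIMIT = 50_000.0   # hypothetical: above this two persons must authorise


@dataclass
class Profile:
    user_id: str
    functions: set                                       # what the user may do in the application
    file_rights: dict = field(default_factory=dict)      # file name -> {"read", "write", "enquire"}


def sod_conflicts(profile):
    """Incompatible function pairs that this profile would hold together."""
    return [sorted(pair) for pair in INCOMPATIBLE_FUNCTIONS if pair <= profile.functions]


def can_access(profile, filename, right):
    """Least privilege: a right exists only if the profile explicitly grants it."""
    return right in profile.file_rights.get(filename, set())


class AuthorisationControl:
    """Programmed approval checks; every override is logged for follow-up."""

    def __init__(self):
        self.override_log = []   # (overriding user, affected user, action, value)

    def approve_discount(self, user, discount, override_by=None):
        if discount <= MAX_SINGLE_DISCOUNT:
            return True
        if override_by is not None and "override_discount" in override_by.functions:
            self.override_log.append((override_by.user_id, user.user_id, "discount", discount))
            return True
        return False   # the system does not proceed

    def approve_payment(self, amount, authorisers):
        """Transaction limit: two distinct authorisers above DUAL_AUTHORISATION_LIMIT."""
        approvers = {p.user_id for p in authorisers if "authorise_payment" in p.functions}
        required = 2 if amount > DUAL_AUTHORISATION_LIMIT else 1
        return len(approvers) >= required
```

Note that `approve_payment` counts distinct user IDs, so the same person authorising twice does not satisfy a two-person requirement; the `override_log` is what the auditor would expect to see reviewed.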

Custody

 Application controls play an important role in the custody of the company’s

assets particularly the company’s cash in the bank and other assets held in

electronic form such as the debtor’s masterfile.

 All information on the database should be considered as an “asset” which

needs to be strictly controlled as without its information, a company is in

serious trouble.

 If a company does not have application controls (both user and automated)

in place to prevent and detect certain invalid actions, the asset is under

serious threat.

 For example:

o cash in the bank: the company does not have physical control over the

cash but must control unauthorized removals from its bank account. In

a manual system, this will be done by controlling the company cheque

book itself, limiting signing powers to senior officials (preventive

controls) and reconciling the company’s cash book with the bank

statement (detective controls).

o In a computerised payment system, e.g. EFT for the payment of

creditors and employees, far stricter application controls must be

implemented over access to the EFT facility (the equivalent of the

cheque book) and authorizing and releasing the funds (the equivalent

of signing a cheque).

o In terms of debtors, there should be strict control on the debtor

Masterfile management.

o Additions, editing, deletions and viewing of debtor information need to

be strictly controlled to prevent fraudulent activities and error.

Access Control

 Access control should include physical security over remote terminals,

authorization controls that limit access to only authorized information,

firewalls, user identification controls such as passwords, and data

communication controls such as encryption of data.

 Without access controls, an unauthorized user could access the system, with

a resulting loss of assets or compromising data reliability.

 Access violations can have extremely serious consequences for the business

such as:

o destruction of data

o theft of data

o improper changes to data

o recording of unauthorized or non-existent transactions

 Access to applications can be restricted to particular terminals, e.g. the ability

to effect an EFT transfer can be restricted to the terminal of the financial

manager

 Access is restricted in terms of user profiles/access tables at both systems

level and applications level, for example:

o at systems level, access to a particular application may be restricted to

particular users,

o at application level, access to specific programme functions may be

restricted to particular users on the “least privilege” basis e.g. sales

order entry is limited to telesales operator.

o PC time out facilities and automatic shutdown in the face of access

violation will prevent continued attempts to access the system, as well

as the threat of employees leaving their terminals unattended.

Comparisons and Reconciliations

 A reconciliation is a comparison of two different sets of recorded information

or of recorded information and a physical asset.

 In a manual system this is done by employees laboriously comparing the two

sets of information to identify differences.

 In a computerised system this reconciliation can be completed accurately,

comprehensively and in no time at all.

 Before authorizing the payment of wages, the paymaster or accountant could

review the reconciliation and tie it up to other sources of information.

 For example, an amount in the reconciliation which relates to changes in pay

rates could be checked against the original authority for the change.

Performance reviews

 These control activities include, inter alia, reviews and analysis of actual

performance versus budgets, forecasts and prior period performance as well

as relating different sets of data to one another.

 The huge advantage which a computerised system has is its ability to produce

numerous useful reports, including comparisons, reconciliations and reasons

for differences.

CONTROL TECHNIQUES IN A COMPUTERISED ENVIRONMENT

Batching

 Batching is a technique which assists in controlling an activity which will be

carried out on a batch of transactions with the intention of making sure that all

transactions in the batch were subjected to the activity and the activity was

carried out accurately and that no invalid transactions were added to the

batch.

 Batching is simply the process of grouping similar transactions for data entry.

 batching can be used at the input stage, processing stage or output stage. A

batch control sheet should be prepared and attached to each batch. The

batch control sheet should contain:

o a unique batch number e.g. batch 3 of 6, week ending 31/7/01

o control totals for the batch

o identification of transaction type e.g. invoices

o spaces for signatures of all people who deal with the batch, e.g.

prepared by: ..., checked by …, reviewed by ….

 Batching assists with the following

o identifying data transcription errors (e.g. incorrect values keyed in due

to transposition errors),

o detection of data captured into incorrect field locations,

o detection of invalid (e.g. duplicate) or omitted transactions or records

for a batch, e.g. if a clock card is entered (keyed in) twice, the control

totals will not balance.

 Common batch-based systems:

o Batch entry, batch processing/update

o On-line entry, batch processing/update

o On-line entry, real-time processing/update
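The batch control sheet and the way its control totals expose a duplicated or mis-keyed record can be shown with a small program. The Python code below is an added example written for these notes, not code from the original notes; the batch of three clock cards, the employee numbers and the hours are constructed data. It carries a record count, a financial total (hours) and a hash total (the sum of employee numbers), and shows why the hash total is needed: a transposed employee number leaves the record count and hours total unchanged.

```python
from collections import Counter

# Constructed batch of clock cards for one week: employee number and hours worked.
# The batch control sheet is prepared from these source documents before keying.
SOURCE_CLOCK_CARDS = [
    {"employee_no": 1001, "hours": 40},
    {"employee_no": 1002, "hours": 38},
    {"employee_no": 1003, "hours": 42},
]


def batch_totals(records):
    """Control totals for a batch: record count, financial total and hash total.

    The hash total (sum of employee numbers) has no business meaning; it exists
    only so that a mis-keyed identifier changes a total on the control sheet."""
    return {
        "record_count": len(records),
        "hours_total": sum(r["hours"] for r in records),
        "hash_total": sum(r["employee_no"] for r in records),
    }


def reconcile_batch(control_sheet, keyed_records):
    """Compare the control sheet with totals recomputed from what was keyed in."""
    actual = batch_totals(keyed_records)
    differences = {name: (expected, actual[name])
                   for name, expected in control_sheet.items() if actual[name] != expected}
    counts = Counter(r["employee_no"] for r in keyed_records)
    return {
        "balanced": not differences,
        "differences": differences,                       # which totals are out, and the two values
        "duplicates": sorted(e for e, n in counts.items() if n > 1),
    }
```

A batch that does not balance is returned to the person who prepared it rather than being processed, and the control sheet signatures show who prepared, checked and reviewed it.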

Screen aids and related features

 Screen aids are all the features, procedures or controls which are built into the

application software and reflected on the screen to assist a user to capture

information accurately and completely, and to link the user’s access privileges

to the screen in front of him.

 Only options that are relevant to a particular user should be available to that

user.

 Users responsible for updating payroll must not have the “delete employee”

option on their screens.

 Important screen aids include:

 minimum keying in of information.

 screen should be formatted in terms of what hardcopy would look like

 extensive use of screen dialogue and prompts

 mandatory fields

 shading of fields

Programme checks - input and processing

 Programme checks are controls which are built into the application software,

with the intention of validating/editing information/data which is entered or

processed.

 Errors are most common at the input stage, and the quality of the

information produced depends on the quality of the data input.

 There is therefore a need to validate data.

 The following are common programme checks at input:

o Existence/validity checks

 validation checks validate data keyed in against the masterfile

e.g. a customer’s account number will be checked against the

debtors masterfile.

 matching checks are described in different ways, but

essentially, they amount to input being matched against data

that is already in the database e.g. checking input information

against data on a masterfile is a form of matching, as is

matching a biometric characteristic of an employee (thumbprint)

against the employee masterfile. The computer may also match

the details of an invoice received from a supplier to the

corresponding GRN held in a suspense file on the system.

 data approval/authorisation checks test input against a pre-set

condition e.g. to make a sale on credit, a liquor store

requires that a customer’s identity number be entered on a

computer-generated invoice. If the customer is under 18 (which

the identity number will indicate), a sales invoice cannot be

generated. (The sale is not authorised). Another example would

be where the credit limit on a debtors account can only be 30 or

60 days. An attempt to enter 120 days in the credit terms field

would not be approved.

o Reasonableness and limit checks

 limit checks detect when a field entered does not satisfy a limit

which has been set, e.g. the normal hours worked by an

employee in a week cannot be entered at a quantity greater than

40 hours.

 reasonableness checks for the data being entered to be

accepted, it must fall within reasonable limits when compared to

other data, e.g. if a normal order from a customer for an

inventory item is 100 units, and a clerk enters 1000, the screen

will display a message querying the entry of 1000, although

there is no limit on the quantity ordered. (The computer does an

“instant” check on the quantity that the client normally orders).

o Dependency checks

 An entry in a field will only be accepted depending on what has

been entered in another field, e.g. the acceptability of entering a

credit limit of $100 000 on a debtors account will depend on the

status allocated to the debtor. If the debtor’s credit status rating

is A+ (very good) the credit limit of R100 000 will be acceptable.

If the status is only B+ then the credit limit will not be acceptable.

o Format checks

 alpha-numeric checks prevent/detect numeric fields which

have been entered as alphabetics and vice versa, e.g. when

entering an employee’s identity number, all digits must be

numeric.

 size checks detect when the field does not conform to pre-set

size limits, e.g. an identity number entered must have 13 digits.

 mandatory field/missing data checks detect blanks where

none should exist, if a quantity is not entered in a quantity field

on an internal sales order, data capture cannot continue. (This is

also discussed under screen aids.)

 valid character and sign check. The letters, digits or signs

entered in a field are checked against valid characters or signs

for that field, e.g. a minus sign (-) could not be entered in a

quantity order field.

o Check digits.

 A check digit is a redundant (extra) character added to an

account number, part number etc.

 The character is generated by manipulating the other numerical

characters in the account number.

 When the account number is keyed in, the computer performs

the same manipulation on the numerical characters in the

account number and if it has been entered (keyed in) correctly,

the computer will come up with the same check digit which was

added to the account number originally.

 If it does not match, the computer sends a screen message to

inform the operator that the account number has been

incorrectly entered.

 They cannot be used on financial fields.

o Sequence checks

 detect gaps or duplications in a sequence of numbers as they

are entered, e.g. if numbered masterfile amendment forms are

being keyed in, a sequence check will alert the user if there is a

gap or duplication in the numerical series.
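The input programme checks listed above (existence, reasonableness, dependency, format, size, mandatory field, sign, check digit and sequence) are brought together in the Python code below. It is an added example written for these notes and is not code from the original notes or from any application package. The debtors masterfile extract, the credit-limit-by-status table, the "five times the normal order" reasonableness threshold and the sample identity numbers are constructed; the 13-digit identity number, the 40-hour limit and the 30/60-day credit terms come from the notes. The notes do not prescribe how a check digit is generated, so the Luhn modulus-10 scheme is assumed here as one common way of "manipulating the other numerical characters".

```python
# Constructed masterfile extracts and parameters used by the checks below.
DEBTORS_MASTERFILE = {
    "D1001": {"credit_status": "A+", "normal_order_qty": 100},
    "D1002": {"credit_status": "B+", "normal_order_qty": 20},
}
CREDIT_LIMIT_BY_STATUS = {"A+": 100_000, "B+": 25_000}   # hypothetical dependency table
VALID_CREDIT_TERMS = {30, 60}
MAX_NORMAL_HOURS = 40
ID_NUMBER_LENGTH = 13


def luhn_valid(digits):
    """Check-digit test using the Luhn (modulus 10) scheme, assumed here as the
    manipulation described in the notes; the last digit is the check digit."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """Generate the redundant character to append to an account or part number."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))


def validate_identity_number(value):
    errors = []
    if not value.isdigit():                       # alpha-numeric (format) check
        errors.append("identity number must be numeric")
    elif len(value) != ID_NUMBER_LENGTH:          # size check
        errors.append("identity number must have %d digits" % ID_NUMBER_LENGTH)
    elif not luhn_valid(value):                   # check digit does not match
        errors.append("identity number incorrectly entered (check digit)")
    return errors


def validate_clock_card(hours):
    """Limit check: normal hours in a week cannot exceed MAX_NORMAL_HOURS."""
    if 0 <= hours <= MAX_NORMAL_HOURS:
        return []
    return ["limit: normal hours outside 0 to %d" % MAX_NORMAL_HOURS]


def validate_sales_order(order, previous_order_no):
    """Mandatory-field, sequence, existence, sign/format and reasonableness checks."""
    errors = []
    for fld in ("order_no", "debtor", "quantity"):
        if order.get(fld) in (None, ""):
            errors.append("mandatory field missing: " + fld)
    if errors:
        return errors                             # data capture cannot continue
    if order["order_no"] != previous_order_no + 1:
        errors.append("sequence: expected order number %d" % (previous_order_no + 1))
    debtor = DEBTORS_MASTERFILE.get(order["debtor"])
    if debtor is None:
        errors.append("existence: debtor %s not on masterfile" % order["debtor"])
    qty = str(order["quantity"])
    if not qty.isdigit():                         # rejects letters and a minus sign
        errors.append("format/sign: quantity must be a positive whole number")
    elif debtor and int(qty) > 5 * debtor["normal_order_qty"]:
        errors.append("reasonableness: %s vs normal order of %d, please confirm"
                      % (qty, debtor["normal_order_qty"]))
    return errors


def validate_credit_amendment(debtor_code, credit_limit, credit_terms):
    """Dependency check (limit depends on credit status) and approval check (terms)."""
    debtor = DEBTORS_MASTERFILE.get(debtor_code)
    if debtor is None:
        return ["existence: debtor %s not on masterfile" % debtor_code]
    errors = []
    allowed = CREDIT_LIMIT_BY_STATUS[debtor["credit_status"]]
    if credit_limit > allowed:
        errors.append("dependency: limit %d exceeds %d allowed for status %s"
                      % (credit_limit, allowed, debtor["credit_status"]))
    if credit_terms not in VALID_CREDIT_TERMS:
        errors.append("approval: credit terms must be 30 or 60 days")
    return errors
```

Each function returns the list of messages the screen would display; an empty list means the entry is accepted. The reasonableness message is a query rather than a rejection, which matches the notes: the quantity is not prohibited, the operator is asked to confirm it.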

Programme controls - processing

 Processing controls are controls that ensure proper processing of

transactions; they assist in ensuring that data is processed accurately

and completely.

 The processing controls include:

 Programme edit checks

o sequence test. The sequence of documents processed is checked for

gaps, e.g. after processing credit notes, the computer may identify

missing credit note numbers.

o arithmetic accuracy check e.g. reverse multiplication, (multiplication

is repeated but in reverse and answers matched 3x6 = 18; 18÷6 = 3).

o reasonableness/consistency/range tests. After processing of a

transaction has taken place, the result is compared by the computer

itself to other information for reasonableness

o limit test identifies amounts which fall outside a predetermined limit

after processing, e.g. credit sales to a customer have pushed the

debtor’s balance owing beyond the customer’s credit limit.

o accuracy test. Where amounts are allocated to columns and the

columns are independently cast (added up), the totals of the columns

can be cross cast (added across) and compared to the total amount

allocated

o matching in the context of processing is about comparing data which

has been processed, against data which is already in the database,

e.g. a matching control may match clock cards processed with the

employee masterfile to identify employees for whom there was no clock

card information.

 Programme reconciliation checks

o The computer will also carry out reconciliations of control and other

totals in one form or another, based on the principle that if pre-processing

totals and post-processing totals can be reconciled, we can

be more confident that processing was valid, accurate and complete.

o control totals, e.g. record counts, hash totals from input are compared

to record count and hash totals after processing.

o run-to-run totals. A final balance arrived at after processing is

compared to the opening balance and individual totals of transactions

e.g. the closing balance on debtors (31 May) is compared to the

opening balance on debtors (30 April) plus the total of May sales

(debits) less the total of May receipts (credits).
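The edit and reconciliation checks described above, worked through in Python as an added example that is not part of the original notes. The credit-note batch, account codes and amounts are constructed, and amounts are held in cents to avoid rounding.

```python
# Added example (not from the notes): programmed processing controls over a
# constructed batch of credit notes: sequence test, cross-cast accuracy test,
# control totals (record count and hash total) and a run-to-run balance check.
from dataclasses import dataclass

@dataclass(frozen=True)
class CreditNote:
    number: int      # pre-numbered document, expected to be sequential
    account: int     # debtor account code, used only for the hash total
    columns: tuple   # amounts allocated to columns, e.g. (goods, freight, VAT)
    total: int       # total amount written on the document, in cents

# Constructed input batch: note 1003 is missing and note 1005 is mis-cast.
INPUT_BATCH = (
    CreditNote(1001, 4201, (8000, 500, 1275), 9775),
    CreditNote(1002, 4377, (12000, 0, 1800), 13800),
    CreditNote(1004, 4201, (3000, 250, 487), 3737),
    CreditNote(1005, 4590, (5000, 300, 795), 6195),   # columns cast to 6095
)
# Constructed post-processing records: the program silently dropped note 1004.
PROCESSED = tuple(n for n in INPUT_BATCH if n.number != 1004)

def sequence_gaps(notes):
    """Sequence test: numbers missing between the lowest and highest processed."""
    present = {n.number for n in notes}
    return [x for x in range(min(present), max(present) + 1) if x not in present]

def cross_cast_errors(notes):
    """Accuracy test: columns cast down must cross-cast to the allocated total."""
    return [n.number for n in notes if sum(n.columns) != n.total]

def control_totals(notes):
    """Record count and hash total (sum of account codes, meaningless in itself)."""
    return len(notes), sum(n.account for n in notes)

def reconcile_batch(before, after):
    """Reconciliation check: pre- and post-processing control totals must agree."""
    return control_totals(before) == control_totals(after)

def run_to_run_ok(opening, sales, receipts, closing):
    """Run-to-run total: closing debtors = opening + sales (Dr) - receipts (Cr)."""
    return opening + sales - receipts == closing

if __name__ == "__main__":
    print("sequence gaps:", sequence_gaps(INPUT_BATCH))          # [1003]
    print("cross-cast errors:", cross_cast_errors(INPUT_BATCH))  # [1005]
    print("batch reconciles:", reconcile_batch(INPUT_BATCH, PROCESSED))  # False
    print("run-to-run ok:", run_to_run_ok(250_000, 90_000, 60_000, 280_000))
```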

Programme controls – Output

 Output includes reports, checks, documents, and other printed or displayed (on terminal screens) information.

 Controls over output from computer systems are important application controls.

 The main concern here is that computer output may be distributed or displayed to unauthorized users.

 A number of controls should be present to minimize the unauthorized use of output.

 A report distribution log should contain a schedule of when reports are prepared, the names of individuals who are to receive the report, and the date of distribution.

Logs and reports

 The types of logs and reports that may be produced by a computer are virtually unlimited.

 These may be used as detective or monitoring controls to provide additional assurance that computer processing is valid, accurate and complete and that computer usage is authorised and productive.

 They also require review and follow up, so unless personnel are allocated to do so, the logs and reports themselves are worthless.

 Types of logs and reports used may include:

o audit trails, which provide listings of transactions and summaries and lists of tables or factors used in processing.

o run-to-run balancing reports, which provide evidence that the opening balances which have been updated by a series of transactions have resulted in correctly calculated closing balances.

o override reports, which provide a record of computer controls which have been overridden by employees using supervisory or management privileges. Abuse of such privileges is a threat to the objective of validity.

o exception reports, which provide a summary listing of any activities, conditions or transactions which fall outside of parameters which have been set for control purposes.

o activity reports, which provide a record, for a particular resource, of all activity concerning that resource, e.g. names of users, usage times and duration of usage.

o access/access violation reports, which are particularly important in relation to sensitive applications such as electronic funds transfer and payroll.
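An added example, not from the notes, of how an override report and an access violation report can be produced from application log lines so that someone can review and follow them up. The log layout (timestamp|user|event|detail), the event names, the failed-login threshold and the log lines themselves are constructed assumptions.

```python
# Added example (not from the notes): override and access violation reports
# built from constructed application log lines.
from collections import Counter

# Constructed sample log (not real data); the pipe-delimited layout
# timestamp|user|event|detail and the event names are assumptions.
LOG_LINES = """\
2018-05-03T08:02:11|jmoyo|LOGIN_OK|terminal=T01
2018-05-03T08:15:42|jmoyo|CREDIT_LIMIT_OVERRIDE|debtor=4201 by=supervisor:tdube
2018-05-03T09:01:05|pncube|LOGIN_FAIL|terminal=T02
2018-05-03T09:01:19|pncube|LOGIN_FAIL|terminal=T02
2018-05-03T09:01:33|pncube|LOGIN_FAIL|terminal=T02
2018-05-03T09:02:00|pncube|ACCESS_DENIED|resource=PAYROLL
2018-05-03T10:30:00|tdube|PRICE_OVERRIDE|invoice=7781 by=manager:tdube
2018-05-03T11:12:48|jmoyo|LOGOUT|terminal=T01
""".splitlines()

OVERRIDE_EVENTS = {"CREDIT_LIMIT_OVERRIDE", "PRICE_OVERRIDE"}
VIOLATION_EVENTS = {"LOGIN_FAIL", "ACCESS_DENIED"}
FAILED_LOGIN_THRESHOLD = 3   # assumed reporting threshold

def parse(line):
    """Split one log line into its four fields."""
    ts, user, event, detail = line.split("|", 3)
    return {"ts": ts, "user": user, "event": event, "detail": detail}

def override_report(lines):
    """Override report: each control bypassed, who did it and who authorised it."""
    rows = []
    for rec in map(parse, lines):
        if rec["event"] in OVERRIDE_EVENTS:
            authoriser = rec["detail"].split("by=")[-1]   # e.g. supervisor:tdube
            rows.append((rec["ts"], rec["user"], rec["event"], authoriser))
    return rows

def self_authorised_overrides(lines):
    """Overrides the employee authorised for themselves: a validity threat."""
    return [r for r in override_report(lines) if r[3].split(":")[-1] == r[1]]

def access_violation_report(lines):
    """Violation records plus users at or over the failed-login threshold."""
    records = [r for r in map(parse, lines) if r["event"] in VIOLATION_EVENTS]
    fails = Counter(r["user"] for r in records if r["event"] == "LOGIN_FAIL")
    flagged = sorted(u for u, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD)
    return records, flagged

if __name__ == "__main__":
    for row in override_report(LOG_LINES):
        print("OVERRIDE", *row)
    print("SELF-AUTHORISED", self_authorised_overrides(LOG_LINES))
    print("FLAGGED USERS", access_violation_report(LOG_LINES)[1])
```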

Master file Amendments

 Masterfiles contain very important data and unauthorised amendments may cause loss to the entity.

 For example:

o unauthorized increases to employees’ pay rates in the employee masterfile, or

o unauthorized increases to debtors’ credit limits in the debtors masterfile, or

o the addition of an unapproved supplier to the creditors masterfile.

o If the quantity field in the inventory masterfile is not protected from unauthorized amendment, a theft of inventory could be covered up by reducing the quantity field in the inventory masterfile.

 Therefore, the application controls over masterfile amendments are very important.

 The objectives will be that:

o only valid (authorized) amendments are made to masterfiles

o the details of the amendment are captured and processed accurately and completely

o all masterfile amendments are captured and processed.

6. Audit process in an IT environment.

- Planning activities, Risks and Audit approach

- Combined (Controls-based) audit approach in an IT environment

- Evaluation of controls – Test of controls

- Substantive procedures

- Computer-assisted audit techniques (CAATS)

- Use and control of personal computers in the audit process

7. Specific audit and control considerations.

- Online, Micro-frames and Database systems
8. Electronic Business Transactions; E-Commerce.

Electronic business refers to the use of IT to conduct business between buyers and sellers.

Entities are communicating with each other using IT more than ever before.

Electronic data interchange (EDI). The transmission of business transactions over telecommunications networks.

Electronic (Internet) commerce. Business transactions between individuals and organizations that occur without paper documents, using computers and telecommunication networks.

Value added networks (VANs). These are service providers responsible for the maintenance of the data communication network between trading partners. VANs receive, store and transmit messages between trading partners.

Components of an EDI

 Documentation

o All relevant information is in electronic format, created via a terminal or automatically by a computer system

 Trading partners

o These are the parties involved in paperless business transactions

 Service providers (VANs)

o These provide facilities that enable EDI transactions

 Banks

o These facilitate and control the transfer of funds between trading partners.

- Audit and control implications in Electronic Data Interchange (EDI) and Electronic Funds Transfer (EFT) systems

- Electronic funds transfer

It is a method of funds transfer that is effected:

o Directly via a terminal

o Through the capture of data in a file for subsequent processing by the bank

Advantages of EFTs

o Improved cash and treasury management

o Stricter control of funds

o Cost savings in terms of user preparation of cheques and service fees

o Improved security and control due to reduced handling of cash.

Controls over EFT transactions

 The normal application controls necessary to ensure validity, completeness and accuracy apply

 In addition, the following controls are necessary:

 Master file changes

 Controls to ensure that master file changes are valid, complete and accurate.

 All master file changes to be appropriately authorised.

 Unauthorised master file changes may result in fictitious suppliers, customers or inventory.

 Execution of payments

(a) Validity

o Strict access controls to be effected.

o Limit EFTs to one terminal

o Use multilevel passwords

o Register terminals with the bank

o Terminal should shut down after several unsuccessful attempts to effect a transfer.

o Log all security breaches

 Division of duties

o For example, cash book clerks should not effect EFTs

 Record EFTs through a suspense account

 Use a separate bank account for EFTs

 Limit EFTs to particular times or days

 Bank should first acknowledge EFT requests, which should be reviewed by management

 Have regular bank reconciliations

(b) Completeness

 To ensure completeness of EFTs there have to be reconciliations of:

o Lists of transfers supplied by the bank and those supplied by the system

o The bank accounts and statements
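An added example (not from the notes) of the first reconciliation above: the bank's list of transfers is compared with the list generated by the entity's EFT system, and the differences are split into transfers the bank has not confirmed (a completeness question), transfers the system never recorded (a validity question) and transfers whose details disagree. The references, payees and amounts are constructed.

```python
# Added example (not from the notes): reconciling the bank's list of EFTs
# against the system's list. Record layout reference -> (payee, amount in
# cents) is an assumption; all values are constructed.

# EFT-103 was sent but is not on the bank's list; EFT-105 is at the bank but
# not in the system; EFT-102 is on both lists but for different amounts.
SYSTEM_TRANSFERS = {
    "EFT-101": ("ACME SUPPLIES", 150_000),
    "EFT-102": ("BULAWAYO STEEL", 82_500),
    "EFT-103": ("ZESA", 40_000),
    "EFT-104": ("CITY COUNCIL", 12_000),
}
BANK_TRANSFERS = {
    "EFT-101": ("ACME SUPPLIES", 150_000),
    "EFT-102": ("BULAWAYO STEEL", 85_200),
    "EFT-104": ("CITY COUNCIL", 12_000),
    "EFT-105": ("UNKNOWN PAYEE", 9_900),
}

def reconcile_eft(system, bank):
    """Split the two lists into the items a reviewer must follow up."""
    common = set(system) & set(bank)
    return {
        # sent by the system, not confirmed by the bank: completeness of payments
        "unconfirmed": sorted(set(system) - set(bank)),
        # paid by the bank, never recorded by the system: validity of payments
        "unrecorded": sorted(set(bank) - set(system)),
        # on both lists but payee or amount differs: accuracy of payments
        "mismatched": sorted(ref for ref in common if system[ref] != bank[ref]),
        "system_total": sum(amount for _, amount in system.values()),
        "bank_total": sum(amount for _, amount in bank.values()),
    }

def reconciles(system, bank):
    """True only when every item matches and the totals agree."""
    r = reconcile_eft(system, bank)
    return (not r["unconfirmed"] and not r["unrecorded"]
            and not r["mismatched"] and r["system_total"] == r["bank_total"])

if __name__ == "__main__":
    for key, value in reconcile_eft(SYSTEM_TRANSFERS, BANK_TRANSFERS).items():
        print(f"{key}: {value}")
```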

(c) Accuracy

 Train personnel in the use of EFTs

 Use edit checks or tests:

o Format checks

o Screen tests

o Dependency testing

o Limit testing

o Reasonability testing

o Check digits

o Control totals

o Validity/Existence testing

o Field size testing

Auditing in an Electronic Data Interchange (EDI) Environment

1. Problem areas

 Absence of, or insufficient, supporting documentation

 Automatic transactions

 Large numbers of transactions

 High risk of unauthorised access to data

 Auditor should, therefore:

- Plan the audit properly in terms of the nature, extent and timing of audit procedures.

- Use the system-based audit approach to test controls

2. Audit approach and audit procedures

 Auditor should obtain an understanding of the business

 Auditor to understand risks inherent in the entity’s EFT.

 Consider impact of EFTs on the operations, including going concern.

 Evaluate the levels of skill required to audit EFTs

 Use a systems-based approach to:

o Test functioning of the system through tests of control

o Apply substantive procedures to support EFT balances

 Possible tests of control could incorporate:

o Inspection of documents

o Observation of client procedures

o Tests of control through:

 System walk through tests

 Examination of the coding of programmes

 Live processing

 Use of test data

o Tests should be spread throughout the year to ensure that the controls functioned effectively throughout the period.

 Possible substantive procedures could incorporate:

o In respect of the income statement:

 Analytical procedures

 Detailed substantive procedures on balances

o In respect of the statement of financial position:

 Perform detailed substantive procedures

 Test effectiveness of tests of control to determine the nature, extent and timing of substantive procedures.

3. Auditing in an Internet environment.

 The internet is a system of public computer networks on which users communicate with one another and exchange data.

 Benefits of the internet include:

o Ability to exchange information

o Cost-effective execution of business transactions

o Marketing and advertising through websites

 Risks

o Security risks

 Internet protocols carry no identity, leading to impersonation by hackers.

 Networks not designed with security in mind

 No central management of the internet

 Inadequate and inappropriate systems to detect abnormalities

 Errors going unnoticed

 Risks related to remote transactions initiated by users, customers, suppliers, employees and intruders

 Poor internet security management

 Payments, such as EFTs and credit cards, susceptible to compromise.

 Failure of encryption-based security

o Privacy risks

 The risk of the invasion of privacy increases

o Business continuity risks

 System breakdowns may occur

 Online trading interruptions hindering operations

o Payment via credit cards

 Possibility of hacking of customers’ credit card information

 Claims against the company where customer information leaks to third parties

 Risk of bad debts due to inability to check credit worthiness of credit card holders.

o Accounting risks

 Possibility of the use of inappropriate accounting policies

 Recognition of revenue could pose a challenge to the entity.

 Exact dates and cut-off may be a problem

o Taxation and regulation

 Inadequate mechanisms for recognition of taxation liabilities

 Failure to comply with regulation of other jurisdictions

 Poor enforceability of contracts

 Legality of particular activities may be questionable in some jurisdictions

 Risk of money laundering

 Violation of intellectual property.

o Outsourcing

 Sometimes entities depend on service organisations such as internet service providers (ISPs) and other hosting agencies.

 Entity may have inadequate monitoring mechanisms for the service providers.

 Controls in internet-based systems

o Certification

 Websites and trading partners should be adequately certified

o Authenticity

 Information received should be identical in form and content to what is transmitted

o Confidentiality

 Information and data to be accessible only to the intended parties

o Credit cards

 There should be secure electronic transmission (SET) to validate credit card transactions

o Non-repudiation

 Verification and time stamping of receipt to establish precisely who sent a business communication and when it was sent.

 Invoices created should be legally binding

 Logging of all transactions

o Identification and authentication

 Identification – all internet address codes should be identified appropriately

 Confirmation – there is a need for time stamping and digital signatures, and for requests for customer confirmations through emails or SMSs on mobile phones.

 Registration – all users should be duly registered and receive/generate a unique password before trading

o Privacy policy

 Private information of customers and suppliers must be protected.

 There should be effective cooperation agreements between transacting parties (buyers and sellers)

o Assurance logos

 Assurance logos on a website indicate that an independent agency has certified the entity as satisfying e-commerce standards.

 Independent agencies perform regular audits in terms of integrity of transactions, privacy aspects, security of data, etc.

o Firewalls

 These assist in providing additional security to online trading and communication.

 Firewalls are a combination of hardware and software designed to:

 Separate the internet from the internal computer network

 Control traffic to and from the internet

 Control the acceptability of incoming and outgoing data

 Log internet activity

 Use encryption facilities

o Controls relating to transaction integrity

 These are designed to:

 Validate input

 Prevent duplication or omission of transactions

 Distinguish between customer browsing and order placing

4. Use of experts in auditing - outsourcing.

- Audit implications

- Audit procedures

5. Audit perspectives, implications and controls in a data warehousing environment

Dynamic Auditing, 9th edition (2009), B. Marx et al., LexisNexis, Durban, South Africa

Other reference books

Auditing Notes for South African Students, 7th edition (2010), Jackson and Stent, LexisNexis, Durban, South Africa

Appendix

Assertions

A - Accuracy

C - Completeness

C - Classification

A - Allocation

C - Cut-off

O - Ownership

V - Valuation

E - Existence

R - Rights and obligations

Substantive procedures (Tests of details)

I - Inspect documents

C - Confirm

O - Observe

R - Recalculate

R - Reperform

I - Inspect assets

A - Analytical procedures

C - Compare with industry

R - Related accounts (comparison)

A - Actual vs budgeted

F - Financial vs non-financial

T - Time (current vs previous)

Use of CAATs

C - Casting and calculations

I - Investigation and analysis

S - Selection of samples, items

S - Summary

C - Compare

Sample audit procedure (Showing What, How and Why)

Use CAATs to compare the total debtors amount in the financial statements with the value in the debtors masterfile to confirm the accuracy/completeness of the trade debtors.
