COMPUTERISED
ENVIRONMENT AC412
CLASS NOTES
AUGUST 1, 2018
GREAT ZIMBABWE UNIVERSITY
B. MUTEMBWA
Introduction
This module aims to provide both basic and advanced knowledge in computer
auditing and its application in organisations which make use of related information
technology. At the end of the course the student should be able to audit in an
information technology environment and apply audit techniques that are specific to
the evidence.
The use of the computer in a business eases some operations and at the same time
processing of transactions. This includes the use of third party entities that may have
The use of the computer affects the identification, collection, processing, storage and
The use of the computer also impacts on the entity’s internal control systems with
both positive and negative implications for the entity and the auditor.
Computers are becoming more complex, they are becoming faster, smaller with
The use of computers does not eliminate the need for internal control systems that
The audit approach is substantially the same in a computerised
engagement considerations
planning activities
In using the work of a specialist, the auditor must ensure that the
Engagement conditions
In planning the audit of computerised environments, the auditor considers
procedures.
Volume of transactions,
Intended changes;
systems
information.
Audit Approach
This approach treats the computer system and programmes as a black box and
relies on review and comparison of the input and output documents. The rationale
behind this approach is that if the source documents are valid, accurate and
complete, and the output produced by the computer system because of processing
these source documents, is correct, then the processing functions of the computer
system are being performed correctly. The way these processing functions are
The audit is performed by selecting a sample of transactions that have already been
processed and then tracing these transactions from their point of origin as source
Additional requirements for the adoption of this approach are that control is
reduced.
apart from the more trivial applications, computer systems generally involve
system controls and potential errors within the system are ignored,
no use is made of the most powerful and valuable audit tool, namely, the
computer.
This approach is concerned with testing the computer system and controls
some of which will contain errors which the system’s programme controls
In this way the auditor tests whether controls are working as expected e.g. if a
the auditor has some evidence that the system is working (and vice versa).
audit costs may increase due to the level of investment in technology and
expertise required,
the auditor is required to take stricter precautions due to the increased risk of
procedures
client’s files and using audit software (programmes which help the auditor to
do what he must do) to read, sort, compare and analyse data on the file, very
The idea behind using the computer to automate the audit is to make it a
more effective and efficient audit by harnessing the power of the computer.
use is made of the power, speed and versatility of the computer which results
Disadvantages
tendency for the audit team to audit without thinking about what they are
doing.
Combined Audit Approach
In most reasonably sized audits, where the client has a computerised accounting
Auditing is about getting the mix of tests of controls and substantive testing right,
based on the strength of the organisation’s controls and the ease/efficiency with
some of the procedures which the auditor carries out, may be unaffected by whether
current assets.
The overriding objective is to achieve the most effective and efficient way of getting
Audit Strategy
Audit Plan
Advantages
Accuracy of entry
Disadvantages
and stored.
The users have a good opportunity for good control over completeness and
Shadow processing
The copy of the master file is updated continually with online entry and real-
time processing
At the same time the computer system automatically creates batch files for
Shadow processing offers the benefits of both real-time processing and batch
Transactions are entered directly into the system from online terminals. All
transactions are processed as they are entered. The master file is updated
The transactions are stored in a transaction file. The fields in the master file are
periodically updated from the transaction files. This method is suitable in processing
transactions that occur in large numbers but at given times during a processing cycle
of debtors.
- Micro-frames (personal computer systems)
specific task within a cycle of the accounting system, e.g. taking an order
For example, control procedures and policies to ensure that staff are
whilst a control procedure which requires that the foreman authorise all
- Automated controls and manual controls
that provide the basis for carrying out internal control across the
tone at the top regarding the importance of internal control and expected
standards of conduct.
5.1.1.2 commitment to competence
objectivity.
itself.
5.1.1.4 IT management’s philosophy and operating style
management.
Their actions set the tone of the department and as they lead, so
access to the data centre or spends half the day “surfing the
internet”, can expect employees to start doing the same and worse,
before long!
responsibility
and
responsibilities assigned to IT personnel which should be
documented.
qualifications
performance, benefits
computerised systems.
This often means that most of the following aspects of the system will
o the system design may not suit user requirements properly (e.g.
o important financial reporting requirements are not incorporated
analyst/ programmer.
o the information transferred from the old system to the new may
Standards
management.
Project approval
o A feasibility study should be carried out, culminating in either:
proposal,
Project management
personnel.
committee.
User requirements
o Business analysts should carefully determine and document
Testing
tests).
o The system should also be tested as a whole to ensure that
(systems tests).
acceptance tests).
Final approval
o The project team should then obtain final approval from the
procedures.
Training
staff.
exercise.
Conversion
o Controls are necessary at this stage to ensure that
selected:
limited period,
or
Post-implementation review
reference),
Documentation
o the project itself and all the activities which took place in the
o documentation relating to the system itself, must also be
specifications, etc.
user basically gets what the package offers, nothing more and
nothing less.
This means that from the company’s perspective, the emphasis will
o lower cost
and users can see what the package “can do”. Sample
o technical support (by phone or over the internet) is usually
ongoing basis.
software:
determine:
user needs
technical support and reliability of the supplier
o software
operating as intended
manuals, etc, will come from the supplier but the planning
modifications could be made negating the effect of the strong
approved by:
changes) and
systems development)
programme)
o changes should be tested by the programmer and an
techniques
internal audit and they should sign the change control form if
they approve
documented
through a workstation/terminal) can result in the destruction of data,
efficiently.
o hardware,
system itself)
application or module
o within an application)
o data files/databases,
o utilities,
o communication channels.
A security policy addresses the security standards which
unless the logs are regularly and frequently reviewed and
printer.
In medium and large entities, the IT Department may have its own
maintenance personnel
department
not be able to gain access through the locked door (must
“buzz”)
business.
e.g. thumbprint
Logical access control also plays a big part in controlling access at
controls.
termination or transfer.
After a set number of failed attempts, access will not be
name backwards,
ID.
Time-out facilities which automatically log out the user from the
Automatic logging, review and follow up of access and access
violations.
unique password and sends it to the user’s cell phone for that user
devious means), will not have the genuine user’s physical cell
phone and therefore will not receive the necessary once off
password. The genuine user will also be alerted to the fact that
The auditor will evaluate whether assessing IT risk is an integral part of
the risk committee meets regularly but is available to deal with the threat of
threat relating to IT which could disrupt operations including fraud and theft
the data centre (and obviously the building in which it is housed), should
be placed away from obvious hazards e.g. river banks, main traffic areas,
the facility should be located within a secure area within a building i.e. no
fire and flood use:
and data.
disaster occurs.
the plan should address priorities i.e. the order in which files or
backup strategies
be lost or damaged,
off-site,
facilities,
kept off-site.
System software controls the use of the hardware and the use of
on the system.
The evaluation of system software is very much the domain of the
provides the interface with the user, e.g. how the user
other
compilers
etc.
Operating controls are the policies and procedures which should be in
place to work with the system software controls to make sure the
Controls include:
o updated
hardware malfunction
for users
usage guidelines
o doing)
5.3 Documentation
Sound documentation policies are essential, because
controls,
personnel.
procedures,
o security procedures/policy,
o user training,
This documentation should be promptly updated for any changes
personnel
Application controls
users associated with a specific task, for example, the payroll cycle. Other
examples include making sales, placing orders with suppliers and receiving or
paying money.
transactions which have occurred, and have been authorised (valid, accurate
The stages through which a transaction flows through the system can be
input.
balances, e.g. the debtors masterfile will contain the debtors name, address,
contact details, credit balance, and the amount owed by the debtor.
The masterfile is a very important part of producing reliable information and
on the computer.
and
preventing errors from entering the system is far better than detecting them
later.
However, systems are not perfect so, whilst the focus of application controls
will be on prevention of errors, a good system will also have strong detection
controls.
controls for correcting errors which have been identified by the detection
controls.
UNDERSTANDING CONTROL ACTIVITIES IN A COMPUTERISED ACCOUNTING
SYSTEM
Control activities are the policies and procedures that help ensure that
o Segregation of duties
o Isolation of responsibilities
o Custody
o Access controls
o Performance reviews.
Segregation of duties
individuals.
This facilitates the checking of one employee’s work by another employee and
employees out of the system and enables the control procedures relating to
Segregation of duties in a computerised environment is achieved primarily by
controlling access which employees have to the system itself, the applications on
This is achieved by setting up user profiles on the system for each employee
which detail exactly what that employee must be given access to and what he
can do when he has access, e.g. read a file, write to a file, make an enquiry,
Isolation of responsibility
(or employees) responsible for each function or procedure and requiring that
programming the computer to produce a log of who did what and when they
did it.
responsibility.
be carried out far more effectively and efficiently than in a manual system.
The system can be programmed not to proceed if certain conditions or
discount.
have not been met such as transaction limits, where two persons must
authorise etc.
Custody
assets particularly the company’s cash in the bank and other assets held in
serious trouble.
If a company does not have application controls (both user and automated) in
place to prevent and detect certain invalid actions, the asset is under serious
threat.
For example:
o cash in the bank, the company does not have physical control over the
cash but must control unauthorized removals from its bank account. In
controls) and reconciling the company’s cash book with the bank
cheque book) and authorizing and releasing the funds (the equivalent
of signing a cheque).
Masterfile management.
Access Control
Access control should thus include physical security over remote terminals,
Without access controls, an unauthorized user could access the system, with
Access violations can have extremely serious consequences for the business
such as:
o destruction of data
o theft of data
manager
particular users,
restricted to
o particular users on the “least privilege” basis e.g. sales order entry is
Comparisons and Reconciliations
rates could be checked against the original authority for the change.
Performance reviews
These control activities include, inter alia, reviews and analysis of actual
The huge advantage which a computerised system has is its ability to produce
for differences.
CONTROL TECHNIQUES IN A COMPUTERISED ENVIRONMENT
Batching
carried out on a batch of transactions with the intention of making sure that all
transactions in the batch were subjected to the activity and the activity was
carried out accurately and that no invalid transactions were added to the
batch.
Batching is simply the process of grouping similar transactions for data entry.
Batching can be used at the input stage, processing stage or output stage. A
batch control sheet should be prepared and attached to each batch. The
o spaces for signatures of all people who deal with the batch, e.g.
to transposition errors),
for a batch, e.g. if a clock card is entered (keyed in) twice, the control
o Batch entry, batch processing/update
Screen aids are all the features, procedures or controls which are built into the
information accurately and completely, and to link the user’s access privileges
Only options that are relevant to a particular user should be available to that
user.
Users responsible for updating payroll must not have the “delete employee”
mandatory fields
shading of fields
Programme checks are controls which are built into the application software,
processed.
At the input stage errors are rife; the quality of the information depends on the
o Existence/validity checks
debtors masterfile.
o Reasonableness and limit checks
limit checks detect when a field entered does not satisfy a limit
40 hours.
inventory item is 100 units, and a clerk enters 1000, the screen
o Dependency checks
If the status is only B+ then the credit limit will not be acceptable.
o Format checks
numeric.
size checks detect when the field does not conform to pre-set
for that field, e.g. a minus sign (-) could not be entered in a
o Check digits.
the computer will come up with the same check digit which was
incorrectly entered.
o Sequence checks
detect gaps or duplications in a sequence of numbers as they
being keyed in, a sequence check will alert the user if there is a
completely.
gaps, e.g. after processing credit notes, the computer may identify
is repeated but in reverse and answers matched 3 × 6 = 18; 18 ÷ 6 = 3).
o accuracy test. Where amounts are allocated to columns and the
columns are independently cast (added up), the totals of the columns
can be cross cast (added across) and compared to the total amount
allocated
e.g. a matching control may match clock cards processed with the
card information.
o The computer will also carry out reconciliations of control and other
o control totals, e.g. record counts, hash totals from input are compared
opening balance on debtors (30 April) plus the total of May sales
Output includes reports, checks, documents, and other printed or
controls.
of output.
prepared, the names of individuals who are to receive the report, and the
date of distribution.
The types of logs and reports that may be produced by a computer are
virtually unlimited.
assurance that computer processing is valid, accurate and complete and that
They also require review and follow up, so unless personnel are allocated to
o run-to-run balancing reports, which provide evidence that the
validity.
activity concerning that resource e.g. names of users, usage times and
duration of usage.
For example:
masterfile, or
or
o the addition of an unapproved supplier to the creditors masterfile
important.
The objective will be that only valid (authorized) amendments are made to
masterfiles:
and completely
- Substantive procedures
8. Electronic Business Transactions; E-Commerce.
Entities are communicating with each other using IT more than ever before.
telecommunications networks.
and organizations that occur without paper documents, using computers and
telecommunication networks.
Value added networks (VANs). These are service providers responsible for
Components of an EDI
Documentation
Trading partners
transactions
Service providers (VANs)
Banks
partners.
the bank
Advantages of EFTs
Master file changes
Execution of payments
(a) Validity
Division of duties
EFTs
(b) Completeness
reconciliations of;
(c) Accuracy
o Format checks
o Screen tests
o Dependency testing
o Limit testing
o Reasonability testing
o Check digits
o Control totals
o Validity/Existence testing
1. Problem areas
Absence or insufficient supporting documentation
Automatic transactions
- Plan the audit properly in terms of the nature, extent and timing
of audit procedures.
concern.
o Inspection of documents
Live processing
Analytical procedures
procedures.
Risks
o Security risks
hackers imposting.
No central management of the internet
abnormalities,
intruders
susceptible to compromise.
o Privacy risks
information
o Accounting risks
Possibility of the use of inappropriate accounting
policies
the entity.
liabilities
jurisdictions
on some jurisdictions
o Outsourcing
o Certification
adequately certified
o Authenticity
o Confidentiality
intended parties
o Credit cards
o Non-repudiation
be identified appropriately
phones.
trading
o Privacy policy
must be protected.
o Assurance logs
o Firewalls
computer network
outgoing data
These are designed to:
Validate input
transactions
order placing
- Audit implications
- Audit procedures
environment
Dynamic Auditing 9th edition (2009) B Marx et al, LexisNexis, Durban, South
Africa
Auditing Notes for South African Students (2010) 7th edition, Jackson and Stent,
Appendix
Assertions
A - Accuracy
C - Completeness
C - Classification
A - Allocation
C - Cut-off
O - Ownership
V - Valuation
E - Existence
I - Inspect documents
C - Confirm
O - Observe
R - Recalculate
R - Reperform
I - Inspect assets
A - Analytical procedures
A - Actual vs budgeted
F - Financial vs non-financial
Use of CAATs
S - Summary
C - Compare
Use CAATs to compare total debtors amount in financial statements with the value
70