usually a customer account, an individual
transaction, or a line item on a transaction. The
following items need further explanation when
using nonstatistical sampling:
 Identifying individually significant items
 Determining the sample size
 Selecting sample items
 Calculating the sample results
Identifying individually significant items. The
auditor determines which items should be
tested and which items should be subjected to
sampling. The items that will be tested
individually are items that may contain potential
misstatements that individually exceed the
tolerable misstatement. These items are tested
100% because the auditor is not willing to accept
any sampling risk.
Determining the sample size. The formula used
by auditor based on AICPA Audit Guide, audit
sampling is
𝑃𝐵
𝑆= 𝐴𝐹
𝑇𝑀
PB = Population book value
TM = Tolerable Misstatement
AF = Assurance factor
Selecting sample items. When using
nonstatistical sampling, the auditor may use
some form of random sampling or systematic
selection method including the haphazard
sampling.
Calculating the sample results. The AICAP Guide,
Audit sampling described to accept the methods
of projecting the amount of misstatement found
in the nonstatistical sample. These methods are:
 Ratio method (ratio estimation)
 Average difference method (difference
estimation)
CHAPTER 11
AUDITING IN A COMPUTERIZED SYSTEMS
ENVIRONMENT
THE COMPUTER ENVIRONMENT
INTRODUCTION TO AN ELECTRONIC DATA
PROCESSING SYSTEM
Before considering the impact of IT on the work
of the certified public accountant, some
understanding of the nature of a computer and
capabilities is needed.
Hardware
A computer is a machine that can be
programmed to accept data (input), process it to
useful information (output), and store it away (in
a secondary storage device) for safekeeping or
later reuse. The processing of input to output is
directed by the software but performed by the
hardware. To function, a computer system
requires four main aspects of data handling:
input, processing, output, and storage. The
hardware responsible for these four areas is as
follows:
 Input devices accept data or commands
in a form that the computer can use; they
send the data or commands to the
processing unit.
 The processor (CPU) has electronic
circuitry that manipulates input data
into the information people want.
 Output devices show people the
processed data – information – in
understandable and usable form.
 Storage (secondary storage) which
consists of secondary storage devices
such as disk.
Software
The software really makes the computer useful.
Generally, it is categorized as systems software
or application software.
 System software (operating system) is
the underlying software found on all
computers. It serves as intermediary
software between the application
software and hardware. Some important
tasks of an operating system are
managing the computer’s resources
(CPU, disk drives, printers) and running
the applications software.
 Application software may be either
custom or packaged.
UNIQUE CHARACTERISTICS OF SPECIFIC EDP
SYSTEMS
Computer information systems differ as to their
characteristics. A system, regardless of its size,
may possess the following elements:
 Batch processing
 Online capabilities
  Database storage
 Computer networks
 End user computing
Batch processing
It is a common EDP system. The input data are
gathered and processed periodically in discreet
groups. While batch computer systems do not
provide up-to-the-minute information, they are
often more efficient than other types of systems.
Online Capabilities
It allows users to have direct (online) access to
the data stored in the system. When an online
system in use, individual transactions may be
entered directly from the originators at remote
locations. The transactions may be held in a
transaction file and later posted to the records
as a batch, or real-time processing may be used.
In online, real time (OLRT) systems, transactions
are processed immediately, and all accounting
records are updated instantaneously.
The use of OLRT system results in a significant
changes in internal control. Original source
documents my be available to support input to
the computer and the overall amount of the hard
copy audit trail may substantially reduced.
Essential controls should be programmed into
the computer.
Database storage
In a database system, separate application files
(master files) are replaced with integrated
databases that are shared by many users and
application programs. It eliminates much of data
redundancy, and since database is normally
stored on a direct access device, the system
responds quickly to users’ requests for
information.
It is essential that the database be secured
against improper access or alteration.
Organizations that use database systems often
create a data administrator function, with
responsibility for implementing and
maintaining central databased and controlling
access to the data.
Computer Networks
Networks of computers linked together through
telecommunication links enable companies to
communicate information back and forth
between geographically dispersed business
locations.
Networks that span a large geographical area are
called wide are network (WANs). Local are
network (LAN) is a communication network that
allows resources, data, and program sharing
within limited geographical area.
Networking enables companies to implement
distributed data processing, in which
information and programs are shared by large
number of users.
Computer security should be established at each
location to ensure that the data can be changed
or accessed by authorized personnel.
End User computing
The user departments are responsible for the
development and execution of certain computer
application when a company implements end
user computing. A user department both
generated and uses its own information. The
information systems department is generally
not involved in these applications.
Computer security should be established at each
location to prevent unauthorized access to the
company’s data.
IMPACT OF COMPUTERS ON ACCOUNTING
SYSTEMS
The use of computers in business information
systems has fundamental effects on the nature
of business transacted, the procedures followed,
the risks incurred, and the methods of
mitigating those risks. These effects flow from
the characteristics that distinguish computer-
based from manual processing.
 Consistency of performance
 Concentration of duties
 Systems generated transactions
 Documents are not maintained in
readable form
 Reports can be generated easily
Consistency of performance
If the computer is programmed to perform
specific task, it will run consistently so long as
failures do not occur.
Concentration of duties
Incompatible duties are frequently combined
within the system provided there are
compensating controls that are put in place.
Systems generated transactions
There are programs that automatically compute
certain transaction without the need for an input
document.
Documents are not maintained in readable form
Data can be entered into the system without
supporting documents. For example, in an
electronic data interchange (EDI) system a
purchase transaction may be automatically
initiated by the client’s computer by sending an
electronic message (purchase order) directly to a
supplier’s computer system. Invoicing and
payment for the purchase may also be processed
electronically.
Reports can be generated easily
In online, real-time systems, transactions are
processed immediately and all accounting
records are updated instantaneously.
COMPUTER FRAUD
Computer fraud is rampant, as the use of
computers becomes part of our daily lives, with
greater and greater frequency. The definition of
what constitutes computer fraud becomes even
more complex with the ingenuity of people who
intend to deceive, mispresent, destroy, steal
information, or cause harm to others by
accessing information through deceptive and
illegal means. More and more people across the
globe are becoming comfortable with the online
purchasing process. But as more people start
buying things online, computer fraud is
becoming a much larger problem than anyone
could have guessed. Just as you have to be
careful when you’re walking down the street, or in
your own home when you lock up at night, you’ve
got to be careful of the many examples of
computer fraud that will make their way onto
your computer.
Today’s fraudsters aren’t just bored teenagers
anymore. The online criminals of today are
skilled computer experts who know how to
manipulate your computer into giving them the
information they need for their computer fraud
schemes. And the worst part is that you can have
crucial information stolen from you without ever
knowing what had happened.
Frauds have typically relied on techniques
(malicious code) unique to computers such as
Virus, Trojan horse, Worm, Bomb and Trap door.
Virus
Virus infects programs already in existence by
inserting new code. The primary purpose of a
virus is to reproduce. It may also have a
secondary function such as destroying data,
when the target program is executed, the virus
infects another program. The secondary viral
function is then performed at some later time,
perhaps using a bomb as a trigger.
Characteristics of a virus include replication,
requires a host program as a carrier, activated by
external action, and replication limited to
system.
Trojan Horse
A trojan horse is a program that performs a
useful (normal) function, but also performs an
unexpected action – a form of virus (attack or
trap door).
Worm
A worm differs from a virus in that it reproduces
on its own, rather than requiring a program host.
Characteristics of a worm include replication,
does not require a host (self-contained)
activated by creating a process (needs a
multitasking system), and replication occurs
across communication links for network worms.
Bomb
A logic bomb goes off when the program being
normally arrives at a prespecified event (e.g., a
financial calculation exceeds a certain peso
amount). A time bomb goes off at a prespecified
time.
Trap Door
A trap door allows a user to gain more access to
more system functions that are normally
available. These access privileges can be
obtained through a keyboard sequence or
system condition (e.g., an aborted system start-
up). Once the access is obtained, the user can
then manipulate, change, or destroy data.
Auditors should be alert to the potential for these
types of techniques used in fraud when
evaluating control risk for clients using
computerized systems.
INTERNAL CONTROL IN THE COMPUTER
INFORMATION SYSTEM
AUDITOR’S RESPONSIBILITIES
Management has the responsibility to maintain
controls that provide reasonable assurance that