Chapter 7 AUDITING IN A COMPUTERIZED ENVIRONMENT

With the rapid development in technology in recent years, computer information systems (CIS) have become feasible, perhaps essential, for use even in small-scale business operations. Almost all entities now use computers to some extent in their accounting systems. This widespread use of computers has offered new opportunities for professional accountants and has also created some challenging problems for auditors.

Regardless of the extent of computerization or the methods of data processing being used, the responsibility for the establishment and implementation of appropriate internal control systems rests with management and those charged with governance. The auditor's responsibility is to obtain an understanding of the entity's internal control system in order to assess control risk and determine the nature, timing and extent of tests to be performed.

Characteristics of Computer Information Systems (CIS)

Computer information systems have essential characteristics that distinguish them from manual processing systems.

Lack of visible transaction trails
In a manual system, it is normally possible to follow a transaction through the system by examining source documents, the entity's records, and financial reports. In a CIS environment, data can be entered directly into the computer system without supporting documents. Furthermore, records and files may not be printed and cannot be read without using the computer. The absence of visible documents supporting the processing of transactions makes the examination of evidence more difficult.

Consistency of performance
A CIS performs functions exactly as programmed. If the computer is programmed to perform a specific data processing task, it will not get tired of performing the assigned task in exactly the same manner. Because of this capability of the computer to process transactions uniformly, clerical errors that are normally associated with manual processing are eliminated.
On the other hand, an incorrect program could be very devastating because it will result in consistently erroneous data processing.

Ease of access to data and computer programs
In a CIS environment, data and computer programs may be accessed and altered by unauthorized persons, leaving no visible evidence. It is important, therefore, that appropriate controls be incorporated into the system to limit access to data files and programs only to authorized personnel.

Concentration of duties
Proper segregation of duties is an essential characteristic of an internal control system. However, because of the ability of the computer to process data efficiently, there are functions that are normally segregated in manual processing that are combined in a CIS environment.

As a particular example, in manual processing the function of recording cash disbursements is incompatible with the responsibility for reconciling disbursements. Since one of these functions acts as a check upon the other, assigning both functions to one employee would enable that employee to commit and conceal errors or irregularities. A properly programmed computer, on the other hand, has no tendency or motivation to commit irregularities or conceal its errors. Hence, what appears to be an incompatible combination of functions may be combined in a CIS environment without weakening the internal control, provided appropriate compensating controls are put in place.

Systems-generated transactions
Certain transactions may be initiated by the CIS itself without the need for an input document. For example, interest may be calculated and charged automatically to customers' account balances on the basis of pre-authorized terms contained in a computer program.

Vulnerability of data and program storage media
In a manual system, the records are written in ink on substantial paper. The only way to lose the information is to lose or destroy the physical records. The situation is completely different in a CIS environment.
The information on the computer can be easily changed, leaving no trace of the original content. This change could happen inadvertently, and a huge amount of information can be quickly lost.

Internal Control in a CIS Environment

Many of the control procedures used in manual processing also apply in a CIS environment. Examples of such control procedures include authorization of transactions, proper segregation of duties, and independent checking. The elements of internal control are the same; the computer just changes the methods by which these elements are implemented.

A variety of controls are performed to check the accuracy, completeness and authorization of transactions. When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.

General Controls

General controls are those control policies and procedures that relate to the overall computer information system. These controls include:

1. Organizational controls
Just as in a manual system, there should be a written plan of the organization, with clear assignment of authority and responsibility. In a CIS environment, the plan of organization for an entity's computer system should include segregation between the user and CIS departments, and segregation of duties within the CIS department.

a. Segregation between the CIS department and user departments
The CIS department must be independent of all departments within the entity that provide input data or that use output generated by the CIS. The function of the CIS department is to process transactions. However, no transaction will be processed unless it is initiated by the user department. Therefore, all changes to computer files must be initiated and authorized by the user department.
b. Segregation of duties within the CIS department
Functions within the CIS department should be properly segregated for good organizational controls. The entity's organizational structure should provide for definite lines of authority and responsibility within the CIS department. A sample organizational structure within the CIS department is presented below:

[Organization chart: the CIS Director heads three groups: Systems Development (Systems Analyst, Programmer), Operations (Computer Operator, Data Entry Operator) and Other Functions (Control Group).]

Position - Primary responsibilities
CIS Director - Exercises control over the CIS operation.
Systems Analyst - Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
Programmer - Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions.
Computer Operator - Using the program and detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions.
Data Entry Operator - Prepares and verifies input data for processing.
Librarian - Maintains custody of systems documentation, programs and files.
Control Group - Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel.

Optimal segregation of duties dictates that each of the above tasks be assigned to different employees. However, some entities may not have enough resources to maintain a large CIS department. In small entities with a limited number of personnel, there are some functions that may be combined. But as a minimum, the functions of systems development and computer operation must be segregated. The systems analyst and programmer should not be allowed to use the programs they developed, and should not be allowed to operate the computer. Also, computer operators who run the program should not participate in program design.
A number of computer-related frauds have resulted when these functions are combined.

2. Systems development and documentation controls
Software development, as well as changes thereto, must be approved by the appropriate level of management and the user department. To ensure that computer programs are functioning as designed, the programs must be tested and modified, if needed, by the user and CIS departments. Moreover, adequate systems documentation must be maintained in order to facilitate the use of the program as well as changes that may be introduced later into the system.

3. Access controls
Every computer system should have adequate security controls to protect equipment, files and programs. Access to the computer should be limited only to operators and other authorized employees. Additionally, appropriate controls such as the use of passwords must be adopted in order to limit access to data files and programs only to authorized personnel.

4. Data recovery controls
One of the characteristics of a CIS is the vulnerability of files and programs. Computer files can be easily lost, and the loss of these files can be disastrous to an entity. The survival of an entity affected by such a disaster depends on its ability to recover the files on a timely basis.

A data recovery control provides for the maintenance of back-up files and off-site storage procedures. Computer files should be copied daily to tape or disks and secured off-site. In the event of disruption, reconstruction of files is achieved by updating the most recent back-up with subsequent transaction data. When magnetic tapes are used, a common practice in file retention called the grandfather-father-son practice requires an entity to keep the two most recent generations of master files and transaction files in order to permit reconstruction of master files if needed.

5. Monitoring controls
Monitoring controls are designed to ensure that CIS controls are working effectively as planned.
These include periodic evaluation of the adequacy and effectiveness of the overall CIS operations, conducted by persons within or outside the entity.

Application Controls

The processing of transactions involves three stages: the input, processing, and output stages. The input stage involves capturing a mass of data; the processing stage involves converting the mass of raw data into useful information; and the output stage involves the preparation of information in a form useful to those who wish to use it. To ensure that all relevant data are captured as input to the system, and to ensure that the data are accurately processed during their conversion into meaningful financial information, controls and other mechanisms must be incorporated into the system.

Application controls are those policies and procedures that relate to the specific use of the system. These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately and on a timely basis. These include:

1. Controls over input
A large number of errors in a computer system are caused by inaccurate or incomplete data entry. Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine-readable form. Examples of input controls include:

Key verification
This requires data to be entered twice (usually by different operators) to provide assurance that no key entry errors have been committed.

Field check
This ensures that the input data agree with the required field format. For example, all SSS numbers must contain ten digits. An input of an employee's SSS number with more or less than ten digits will be rejected by the computer.

Validity check
Information entered is compared with valid information in the master file to determine the authenticity of the input. For example, the employees' master file may contain two valid codes to indicate the employee's gender: "1" for male and "2" for female.
A code of "3" is considered invalid and will be rejected by the computer.

Self-checking digit
This is a mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing.

Limit check
A limit check or reasonableness check is designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount.

Control totals
These are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed. These controls include financial totals, hash totals and record counts. For example, assume the following data regarding the entity's disbursements for the day:

Voucher No. 141  P 15,000
Voucher No. 142  P 20,000
Voucher No. 143  P 5,000

Financial total = P 40,000 (P 15,000 + P 20,000 + P 5,000)
Hash total = 426 (141 + 142 + 143)
Record count = 3

2. Controls over processing
Processing controls are designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed. Almost all of the input controls mentioned earlier are also part of the processing controls, because such controls are usually incorporated in the client's computer program to detect errors in the processing of transactions.

3. Controls over output
Output controls are designed to provide reasonable assurance that the results of processing are complete and accurate, and that these outputs are distributed only to authorized personnel. A person who knows what an output should look like must review the CIS output for reasonableness. Control totals are compared with those computed prior to processing to ensure completeness of information. Finally, CIS outputs must be restricted only to authorized employees who will be using such outputs.

The effectiveness of the general CIS controls is essential to the effectiveness of CIS application controls.
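The input controls and control totals described above, worked through in code as an added example that is not part of the chapter: the field, validity and limit checks use the chapter's own examples, the self-checking digit uses an assumed weighted modulus-11 scheme, and the constructed batch is the chapter's three vouchers, reconciled against a processed batch in which one voucher number was mis-keyed.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real entity), modelled on the chapter.
VALID_GENDER_CODES = {"1", "2"}   # employee master-file codes: "1" male, "2" female
DISBURSEMENT_LIMIT = 50_000       # assumed pre-determined limit for the limit check


@dataclass(frozen=True)
class Voucher:
    number: int   # voucher number: non-financial field, feeds the hash total
    amount: int   # amount in pesos: feeds the financial total

def field_check(sss_number: str, required_digits: int = 10) -> bool:
    """Field check: an SSS number must consist of exactly ten digits."""
    return sss_number.isdigit() and len(sss_number) == required_digits

def validity_check(gender_code: str) -> bool:
    """Validity check: the code must exist in the employee master file."""
    return gender_code in VALID_GENDER_CODES

def limit_check(amount: int, limit: int = DISBURSEMENT_LIMIT) -> bool:
    """Limit (reasonableness) check: the amount must not exceed the limit."""
    return 0 <= amount <= limit

def check_digit(document_number: str) -> str:
    """Self-checking digit under an assumed weighted modulus-11 scheme: digits
    are weighted 2, 3, 4, ... from the right, and the check digit brings the
    weighted sum up to a multiple of 11 ('X' stands for 10). Transposing two
    digits changes the weighted sum, so the recomputed digit no longer matches."""
    weights = range(2, 2 + len(document_number))
    total = sum(int(d) * w for d, w in zip(reversed(document_number), weights))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)

def verify_check_digit(number_with_digit: str) -> bool:
    """Recompute the check digit of the body and compare it with the one keyed."""
    body, digit = number_with_digit[:-1], number_with_digit[-1]
    return check_digit(body) == digit

def control_totals(vouchers: list) -> dict:
    """Financial total, hash total and record count for a batch of vouchers."""
    return {
        "financial_total": sum(v.amount for v in vouchers),
        "hash_total": sum(v.number for v in vouchers),
        "record_count": len(vouchers),
    }

def reconcile(before: dict, after: dict) -> list:
    """Names of the control totals that no longer agree after processing."""
    return [name for name in before if before[name] != after.get(name)]


# The chapter's batch: vouchers 141, 142 and 143 for P15,000, P20,000 and P5,000.
SUBMITTED = [Voucher(141, 15_000), Voucher(142, 20_000), Voucher(143, 5_000)]
# Constructed processed batch in which voucher 142 was keyed as 124: the financial
# total and record count still agree, so only the hash total exposes the error.
PROCESSED = [Voucher(141, 15_000), Voucher(124, 20_000), Voucher(143, 5_000)]

if __name__ == "__main__":
    print(control_totals(SUBMITTED))   # financial 40000, hash 426, count 3
    print(reconcile(control_totals(SUBMITTED), control_totals(PROCESSED)))  # ['hash_total']
```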
Given that dependence of application controls on general controls, it may be more efficient to review the design of the general controls first before reviewing the application controls.

Tests of Control in a CIS Environment

As in a manual processing environment, a test of control in a CIS environment involves evaluating the client's internal control policies and procedures to determine if they are functioning as intended. Regardless of the nature of the client's data processing system, auditors must perform tests of controls if they intend to rely on the client's internal control.

The auditor's objectives and the scope of the audit do not change in a CIS environment. However, the use of the computer changes the processing and storage of financial information and may affect the organization and procedures employed by the entity to achieve adequate internal control. Accordingly, the methods employed by the auditor in testing the controls may also be affected.

Testing the reliability of general controls may include observing the client's personnel performing their duties; inspecting program documentation; and observing the security measures in force. In testing application controls, the auditor may either:
1. Audit around the computer; or
2. Use computer-assisted audit techniques.

Auditing Around the Computer

Auditing around the computer is similar to testing controls in a manual control structure in that it involves examination of documents and reports to determine the reliability of the system. When using this approach, the auditor ignores the client's processing procedures, focusing solely on the input documents and the CIS output. Input data are simply reconciled with the output to verify the accuracy of processing. Auditing around the computer is based on the assumption that if the input reconciles with the output, then the computer program must have processed the transactions accurately. Hence, the auditor obtains knowledge about the reliability of the system without directly examining the computer program of the system.
Auditing around the computer can be used only if there are visible input documents and detailed output that will enable the auditor to trace individual transactions back and forth. This is also known as the "black box approach" because it does not permit direct assessment of the actual processing of transactions.

Computer-Assisted Audit Techniques (CAATs)

When computerized accounting systems perform tasks for which no visible evidence is available, it may be impracticable for the auditor to test manually. Such is usually the case when the entity uses an advanced CIS. Consequently, the auditor will have to audit the client's computer program directly using CAATs. This is also called the "white box approach".

CAATs are computer programs and data which the auditor uses as part of the audit procedures to process data of audit significance contained in an entity's information systems. Some of the commonly used CAATs include test data, integrated test facility and parallel simulation.

1. Test data
The test data technique is primarily designed to test the effectiveness of the internal control procedures which are incorporated in the client's computer program. The objective of the test data technique is to determine whether the client's computer programs can correctly handle valid and invalid conditions as they arise. To accomplish this objective, the auditor prepares test data (fictitious transactions) that consist of valid and invalid conditions. The auditor enters the test data into the system and has the data processed by the entity's computer program. Since the auditor is the one who creates the test data, the auditor knows what the output should look like, assuming the client's computer program is functioning effectively. The auditor then compares the processing results with his predetermined output. If the output generated by the client's program is the same as the auditor's expected output, the auditor may conclude that the client's program is reliable.
[Figure: TEST DATA. The auditor's test data are processed using the client's program; the resulting output is compared manually with the auditor's expected output.]

2. Integrated test facility (ITF)
A disadvantage of the test data technique is that the auditor does not have assurance that the program tested is the same program used by the client throughout the accounting period. In order to overcome this disadvantage, the test data technique can be extended to an integrated test facility (ITF). When using ITF, the auditor creates a dummy or fictitious employee or other appropriate unit for testing within the entity's computer system. Unlike test data, which is run independently of the client's data, an ITF integrates the processing of test data with the actual processing of ordinary transactions without management being aware of the testing process. The resultant output relating to the dummy unit is then compared with the predetermined results to evaluate the reliability of the client's program. By processing test data simultaneously with the client's data, ITF provides assurance that the program tested by the auditor is the same program used by the client in the processing of transactions.

[Figure: INTEGRATED TEST FACILITY. The auditor's test data and the client's data are processed together using the client's program; the output relating to the dummy unit is compared manually with the auditor's expected output.]

When using ITF, the auditor must be alert to the danger of contaminating the client's master files. Thus, care must be taken to reverse or eliminate the effects of all audit test transactions in order to avoid contamination of the client's computer files.

3. Parallel simulation
In contrast to the test data and ITF techniques, which require the auditor to create test inputs (data) and process these data using the client's computer program, parallel simulation requires the auditor to write a program that simulates key features or processes of the program under review.
The simulated program is then used to reprocess transactions that were previously processed by the client's program. The auditor compares the results obtained from the simulation with the client's output to be able to draw a conclusion about the reliability of the client's program.

[Figure: PARALLEL SIMULATION. The client's data are processed using the client's program and, separately, using the auditor's program; the two outputs are compared.]

Parallel simulation can be accomplished by using generalized audit software or purpose-written programs. Generalized audit software consists of generally available computer packages which have been designed to perform common audit tasks such as performing or verifying calculations, summarizing and totaling files, and reporting in a format specified by the auditor. Purpose-written programs, on the other hand, are designed to perform audit tasks in specific circumstances. These programs may be developed by the auditor, the entity being audited or an outside programmer hired by the auditor.

Other CAATs

Highly complicated computerized systems sometimes do not retain permanent audit trails and would require capturing of audit data as transactions are processed. Under this scenario, the CAATs available to the auditor may include:

1. Snapshots
This technique involves taking a picture of a transaction as it flows through the computer systems. Audit software routines are embedded at different points in the processing logic to capture the images of the transaction as it progresses through the various stages of processing. Such a technique permits an auditor to track data and evaluate the computer processes applied to the data.

2. Systems control audit review files (SCARF)
This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions. The information is collected into a special computer file that the auditor can examine.
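Parallel simulation applied to the systems-generated interest charge mentioned earlier in the chapter, as an added example that is not part of the original text: the client output records, the interest terms the auditor's program assumes (12% per annum, simple interest on an actual/365 basis, rounded half up to the centavo) and the one discrepant record are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed client output (not from any real entity): each record carries the
# customer's balance, the pre-authorized terms the client's program applied
# (annual rate, days outstanding) and the interest the client's program charged.
# Amounts are strings so that Decimal arithmetic stays exact.
CLIENT_OUTPUT = [
    # customer, balance, annual_rate, days, interest charged by client program
    ("C-001", "10000.00", "0.12", "30", "98.63"),
    ("C-002", "25000.00", "0.12", "30", "246.58"),
    ("C-003", "4000.00", "0.12", "31", "41.00"),   # constructed discrepancy
]


def simulate_interest(balance: str, annual_rate: str, days: str) -> Decimal:
    """Auditor's simulation of the key feature under review: simple interest on
    the balance for the days outstanding, assumed actual/365 basis, rounded
    half up to the centavo."""
    interest = Decimal(balance) * Decimal(annual_rate) * Decimal(days) / Decimal(365)
    return interest.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(records) -> dict:
    """Reprocess the client's data with the auditor's program and compare each
    record's simulated interest with what the client's program produced."""
    exceptions = []
    client_total = simulated_total = Decimal("0.00")
    for customer, balance, rate, days, charged in records:
        simulated = simulate_interest(balance, rate, days)
        charged = Decimal(charged)
        client_total += charged
        simulated_total += simulated
        if simulated != charged:
            exceptions.append({
                "customer": customer,
                "client": charged,
                "simulated": simulated,
                "difference": charged - simulated,
            })
    return {
        "records": len(records),
        "client_total": client_total,
        "simulated_total": simulated_total,
        "exceptions": exceptions,
        "reliable": not exceptions,   # no exceptions: client's routine agrees
    }


if __name__ == "__main__":
    result = parallel_simulation(CLIENT_OUTPUT)
    for e in result["exceptions"]:
        print(f"{e['customer']}: client {e['client']} vs simulated {e['simulated']}")
    print("client program reliable:", result["reliable"])   # False (C-003 differs)
```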
