
Auditing in Computerized Environment

Computer Auditing
• Types of Computer System
  o Information technology (IT) is integral to modern accounting and management information systems.
  o It is therefore imperative that auditors be fully aware of the impact of IT on the audit of a client’s financial statements, both in how the client uses it to gather, process and report financial information in its financial statements, and in how the auditor can use IT in the process of auditing the financial statements.
  o Types of Computer system
    ▪ Hardware (i.e. CPU, monitor, printers, zip drive, scanners)
    ▪ Software (operating systems, database, application software, etc.)
    ▪ The transmission media (i.e. wires, optical fiber cables and microwave links)
    ▪ Network devices (i.e. modems, gateways, etc.)
Approaches to Auditing in a CIS Environment
• Auditing Around the Computer
  o This is auditing done by the traditional method.
  o The auditor summarizes the input data and ignores the computer’s processing, but ensures the correctness of the output data generated by the computer. This approach is generally referred to as “auditing around the computer”. The methodology focused primarily on ensuring that source documentation was correctly processed, which was verified by checking the output documentation against the source documentation.
• Auditing Through the Computer
  o In “real time” computer environments there may be only a limited amount of source documentation or paperwork, so the auditor may employ an approach known as “auditing through the computer”. In this approach, the reliability and accuracy of the results are analyzed through the computer.
  o This involves the auditor performing tests on the information technology controls to evaluate their effectiveness, such as compliance tests, test packs and reprocessing.
• Auditing with the Computer
  o The auditor uses the computer for some of the audit work, using general software for purposes such as calculating depreciation, printing letters, duplicate checking and file comparison.
Characteristics of CIS Environment
• High speed and automatic initiation/execution of transactions.
• Uniform processing of transactions, hence low clerical error.
• Ease of access to data and computer programs.
• System-generated transactions.
• Vulnerability of data and program storage media.
• Consistency in work.
• Lack of visible transaction trail.
Internal control in CIS Environment
• Internal controls in an ICT/CIS environment are classified into:
  o General Control
  o Application Control
General controls
• Controls over the general environment in which the system is developed, maintained and operated. They include:
  o Complete review, testing and approval of the system and programs before they become fully operational.
  o Competence of staff to implement the system.
  o Authorization of any changes in the system by a responsible official.
  o Segregation of duties, so that different staff perform the duties of system development, programming and data entry.
  o Access control: only authorized personnel should have access to hardware, programs and data files.
  o Stand-by facilities for use in case of a temporary computer failure.
  o Back-up facilities to avoid loss of data.
Application Control
• Application controls are classified into:
  o Input controls
  o Processing controls
  o Output controls
• The main aim is to ensure validity, completeness and accuracy of accounting data.
• They are controls within a computer application to ensure completeness and accuracy of input and processing, and validity of the resulting accounting entries.
• They can be applied to specific areas of the system, for example control over sales, payroll, inventory, etc.
Input controls
• The main aim of input controls is to reduce errors in the data entered into the system for processing.
• Input controls include checking and ensuring that:
  o Input data are authorized by the appropriate official.
  o Data represent a valid record of an actual transaction.
  o Data are correctly classified for the purpose of accounting.
• Input control examples (sequence checks)
  o Transactions that are serially numbered should be in sequence, and this should be checked by the programs. If sales invoices are serially numbered, for example 010 to 0200, and invoice number 14 is recorded before number 12, then the system should reject invoice number 14 until number 12 is posted.
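The sequence check described above can be written as a small programmed control. The following is an added example, not part of the original notes; the class name, outcome codes and sample batch are constructed, and it assumes strict ordering, so invoice 14 waits for every earlier number (12 and 13), not only 12.

```python
from dataclasses import dataclass, field


@dataclass
class SequenceCheck:
    """Programmed input control for serially numbered documents (hypothetical)."""
    next_expected: int                               # lowest number not yet posted
    posted: list = field(default_factory=list)       # accepted (number, payload) pairs
    exceptions: list = field(default_factory=list)   # rejections kept for review

    def submit(self, number: int, payload: str) -> str:
        if number == self.next_expected:
            self.posted.append((number, payload))
            self.next_expected += 1
            return "POSTED"
        # Below the counter: the number has already been used.
        # Above the counter: at least one earlier document is not posted yet.
        reason = "DUPLICATE" if number < self.next_expected else "OUT_OF_SEQUENCE"
        self.exceptions.append((number, reason, self.next_expected))
        return reason


def run_batch(control: SequenceCheck, batch):
    """Feed (number, payload) pairs through the control and return the outcomes."""
    return [(number, control.submit(number, payload)) for number, payload in batch]


# Constructed sample input: invoice 14 is keyed before 12 and 13, and 11 is keyed twice.
SAMPLE_BATCH = [
    (10, "INV 10"), (11, "INV 11"), (14, "INV 14"), (11, "INV 11 again"),
    (12, "INV 12"), (13, "INV 13"), (14, "INV 14 resubmitted"),
]

if __name__ == "__main__":
    ctl = SequenceCheck(next_expected=10)
    for number, outcome in run_batch(ctl, SAMPLE_BATCH):
        print(number, outcome)
    # The exception list is what a reviewer would follow up on.
    print("exception report:", ctl.exceptions)
```

The exception list records the number the control expected at the time of each rejection, which gives the reviewer the trail that the rejected entry itself does not leave.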
Processing controls
• Processing controls are divided into mechanical and programmed controls.
  o Programmed controls are implemented during system development to ensure that only data related to a particular transaction is processed and not otherwise.
Output Controls
• Controls relating to input and processing itself, with the final objective of ensuring that the output:
  o Relates precisely to the original input.
  o Represents the outcome of a valid and tested program of instructions (e.g., digit check, reasonableness checks).
  o Is accessed only by authorized personnel.
  o Is checked by someone as to its reasonableness.
Computer-Assisted Audit Tools And Techniques (CAATs)
• CAATs is a growing field within the IT audit profession. CAATs is the practice of using computers to automate the IT audit processes.
• CAATs normally includes using basic office productivity software such as spreadsheets, word processors and text editing programs, and more advanced software packages involving the use of statistical analysis and business intelligence tools, such as spreadsheets (e.g. Excel), databases (e.g. Access), statistical analysis (e.g. SAS), generalized audit software (e.g. ACL, Arbutus, EAS), business intelligence (e.g. Crystal Reports and Business Objects), etc.
• CAATs can refer to any computer program utilized to improve the audit process.
• The nature of computer-based accounting systems is such that auditors may use the audit client company’s computer, or their own, as an audit tool to assist them in their audit procedures.
Audit Process for Computerized Accounting System
• The audit process for a computerized accounting system involves the following five major steps:
  o Conducting Preliminary Survey:
    ▪ This is preliminary work to plan how the audit should be conducted. The auditors gather information about the computerized accounting system that is relevant to the audit plan. This includes an understanding of how the computerized accounting functions are organized, identification of the computer software used, an understanding of the accounting applications processed by computer and identification of applicable controls.
  o Reviewing and Assessing Internal Controls:
    ▪ There are two types of controls, namely general controls and application controls.
      • General Controls
        o General controls are those that cover the organization, management and processing within the computer environment.
        o They should be tested prior to application controls, because if they are found to be ineffective, the auditor will not be able to rely on application controls. General controls include proper segregation of duties, file backup, use of labels, access control, etc.
      • Application Controls
        o Application controls relate to specific tasks performed by the system. They include input controls, processing controls, and output controls. They should provide reasonable assurance that the initiating, recording, processing and reporting of data are properly performed.
  o Compliance Testing:
    ▪ Compliance testing is performed to determine whether the controls actually exist and function as intended. This can be performed by comparing the results to predetermined results or by processing dummy transactions.
  o Substantive Testing:
    ▪ This is performed to determine whether the data is real.
    ▪ Substantive tests are tests of transactions and balances and analytical procedures designed to substantiate the assertions.
    ▪ Auditors must obtain and evaluate evidence concerning management’s assertions about the financial statements.
    ▪ The auditor must obtain sufficient competent evidential matter to provide a basis for an opinion regarding the financial statements under audit. If sufficient competent evidence cannot be obtained, then an opinion cannot be issued.
  o Audit Reporting:
    ▪ The audit report will contain detailed information on various aspects of the auditors’ findings in the process of audit in a computerized environment.
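The compliance-testing step above (processing dummy transactions and comparing the results to predetermined results) can be shown as a small test pack. This is an added example, not part of the original notes; the payroll control, its 60-hour limit, the approver codes and the seeded defect are all constructed for illustration.

```python
MAX_WEEKLY_HOURS = 60          # assumed policy limit (constructed)
APPROVERS = {"HR01", "HR02"}   # assumed authorized officials (constructed)


def payroll_input_control(txn: dict) -> str:
    """Hypothetical system under test: returns ACCEPT or a rejection code."""
    if txn.get("approved_by") not in APPROVERS:
        return "REJECT_UNAUTHORISED"
    # Seeded defect for the demonstration: only the upper bound is checked,
    # so negative hours pass the reasonableness check.
    if txn["hours"] > MAX_WEEKLY_HOURS:
        return "REJECT_UNREASONABLE"
    return "ACCEPT"


# Test pack: dummy transactions, each paired with the result the auditor
# predetermined from the documented control before running anything.
TEST_PACK = [
    ("TP1 valid entry",      {"emp": "E1", "hours": 40, "approved_by": "HR01"}, "ACCEPT"),
    ("TP2 no approval",      {"emp": "E2", "hours": 40, "approved_by": None},   "REJECT_UNAUTHORISED"),
    ("TP3 unknown approver", {"emp": "E3", "hours": 40, "approved_by": "X99"},  "REJECT_UNAUTHORISED"),
    ("TP4 at the limit",     {"emp": "E4", "hours": 60, "approved_by": "HR02"}, "ACCEPT"),
    ("TP5 over the limit",   {"emp": "E5", "hours": 61, "approved_by": "HR02"}, "REJECT_UNREASONABLE"),
    ("TP6 negative hours",   {"emp": "E6", "hours": -8, "approved_by": "HR01"}, "REJECT_UNREASONABLE"),
]


def run_test_pack(control, pack):
    """Process every dummy transaction and list deviations from the expected result."""
    deviations = []
    for case_id, txn, expected in pack:
        actual = control(txn)
        if actual != expected:
            deviations.append({"case": case_id, "expected": expected, "actual": actual})
    return deviations


if __name__ == "__main__":
    for deviation in run_test_pack(payroll_input_control, TEST_PACK):
        print("DEVIATION:", deviation)
```

The single deviation (TP6) is the finding: the control exists but does not function as intended for negative values, which is the distinction compliance testing is meant to surface.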
