AUDITING COMPUTER

PROCESSING:
GENERAL CONCEPTS
 2 Comprehensive Evaluations for each Processing
System Application by Computer Auditor

1. Overall-evaluation based on Controls Tests, of

whether the controls for the system application are
operating effectively.
2. Overall-evaluation based on Substantive Tests, of
whether the system is processing data accurately.
Audit of Accounting Application
Integration of Parts of Integration of Type of
the System Test

Non processing of data through Testing of programs and

the system files
Auditing around the computer Performing various
types of test
Black box approach
separate tests, single test,
multiple tests
 Integration of Parts of System
The auditor can integrate information
from various parts of the computer system by
ignoring the separate existence of those parts.
Instead of testing programs and files separately,
the system is treated as an integrated unit or
single entry. In this view of the system, often
referred to as the “ black box approach:,
the computer is regarded as receiving input,
processing it, and producing output. The auditor
concentrates on the examination of input and
output.
Integration of Parts of System
• The auditor can make inferences about the existence and operating
effectiveness of controls for the computer system and the accuracy of
processing through it without processing any data through the system.

• Auditing Around the Computer- auditing computer system without

processing any data through system

• In this approach, the auditor may assess a low level of risk on controls
external to EDP called user controls. The auditor does not assess a low
level of risk on EDP controls.
Auditing without processing data
(4 segments of discussion)
1. The conditions that must exist so that the auditor can
use the technique.
2. Controls testing , including the objectives the auditor
will satisfy when using the technique and examples of
performing tests of controls without processing data.
3. Brief discussion of substantive testing using the
approach.
4. The factors the auditor must consider in deciding
whether to use the approach.
Conditions Necessary for Using the
Approach
In order to perform tests without processing data, the auditor
must be able to:

• Locate copies of the source documents for the transactions

and accounting reports resulting from the transactions.
• Read the source documents and accounting reports without
the aid of computer.
• Trace the transactions from the source documents to the
accounting reports and from the report back to the source.
Source documents and accounting reports must be available in a
readable form so that the auditor can audit without processing
data.
Example: Sales order prepared on order by a salesperson.
Auditor has no source document to read :
Phone orders entered directly into visual display units, with no hard copy file,

Example of readable output:

Detailed listing of accounts receivable subsidiary ledgers showing names, beginning
balances, debits and credits, and ending balances.

If content of subsidiary ledgers is available only on magnetic tape or disk, the auditor
cannot read the output without the help of computer.
Test of Control
Operating effectiveness of controls can be tested by the use of
technique of non-processing data. After obtaining an understanding of
internal control structure, the auditor may elect take one of 2 alternative
courses of action:
1. Assess a low level of risk on controls external to EDP after evaluating the
strengths and weaknesses of EDP controls or
2. Assess a low level of risk on controls external to EDP before evaluating
the strengths and weaknesses of EDP controls
 The computer auditor ‘s decision regarding the assessment of risk
EDP controls requires the completion of an understanding of the internal
control structure. This understanding is normally completed before the
auditor can decide which course of action to follow, or whether control tests
will even be performed.

One course of action will lead to design of control tests. (This will
happen if auditor concludes that strengths exist in the controls systems. The
auditor cannot audit around the computer . Test of programs and files will be
necessary.
Second course of action may not lead to design of EDP controls test.
( This maybe true because of two elections available to the auditor).
 Election to evaluate EDP Controls
The auditor may elect to forgo controls
testing

1 after assessing the 2 before assessing the

strengths and weaknesses strengths and weaknesses
in the EDP control system in the EDP control system

• Evaluation • If strong, go for

of user control testing
If EDP followed by ST
control
controls
are • Substantive • If weak, or decides
weak not to test strong
Test
controls, proceed to
• Or both ST
 Reasons not to assess a low
level of risk on adequate EDP
Control: Courses of action
If controls are
adequate but Effort required to
still not decide complete the controls
to assess a low testing exceeds the • Performing ST
level of risk reduction in effort that
would be achieved by • Examine User
such a low level of risk Control
assessment.
Various courses Perform test on these other controls,
of action Redundant because controls maintained by the users.
depending on other control procedures The auditor will design and perform
the reason for are in existence substantive tests after the operating
the decision. effectiveness of user controls has been
evaluated.
Election not to Evaluate EDP Controls

This election can be made regardless of whether

the EDP controls are adequate or weak. One
reason of the election is assessment of risk in
user controls. By electing to assess a low level or
risk in user controls initially, the auditor avoids
the process of having to determine whether EDP
controls are adequate or weak.
Reliance on Control external to EDP
Controls external to EDP can be assessed at low level
of risk only if:
1) There must be adequate controls external to EDP
2) There must be no incompatible assignments of
processing functions of processing functions within the
computer.
Objectives
• To perform testing of user controls
(The auditor will test for the incompatibility of assignments within the user
department and the functioning of controls reconciling input to the computer
and output from it.)
• To perform Substantive Tests based on the evaluation
of the operating effectiveness of user controls.
Example: Accounts Receivable
Before sending payments, sales, and miscellaneous debits and credits to data entry for
conversion to machine-readable form, the accounts receivable personnel generate
such control totals as the following:
• Financial totals on the dollar amount of debits and credits, including calculating the new
accounts receivable control account total after processing.
• Document or record counts on the total number of transactions to be processed and the total
number of accounts receivable subsidiary ledgers to be updated.

After processing, the A/R personnel reconcile the new total balance to the
beginning balance, determine that the total dollar amounts of debits and credits
agree with the total generated before processing, and ensure that the number of
transactions and subsidiary ledgers updated agree with the control totals. In
testing of these user controls, the auditor would ascertain that the reconciliations
and verifications were actually being made and would test a sample of them.
Example : Payroll Application
A payroll department calculate the gross payroll, estimates the
withholdings and deductions, and estimates the net payroll within some range as
financial control totals. It also generates a record count control total for the
number of payroll checks to be prepared. After the payroll has been prepared by
the computer, the payroll department compares the computer-calculated amounts
and number of checks printed with the manually prepared control totals. In the
testing of these user controls, the auditor would again ascertain whether the
comparisons were actually being performed and would test a sample of them to
ensure that they were being performed properly.
Substantive Test
The performance of the substantive tests on the computer
systems without processing any data through the system
involves examining computer printouts and source documents.
The auditor can trace from computer printouts to the source
documents or from the source documents to the printouts.
Factors to be considered in deciding whether to
use the approach
• Relatively low cost
• Ease of understanding
• Ease of application
Reasons why auditor may decide not to use the
approach of testing without processing of data.
1. The auditor may lack assurance that the computer output is
an accurate representation of the processing performed.
2. The amounts printed by the computer maybe fraudulent.
3. Fraud that should be detected by other controls may not be
detected because of other controls may not be detected
because of other adjustments or transfer made in the
system.
4. The ease with which the computer can be instructed to
calculate one thing and print another introduces a high level
of risk to auditing without processing data.
INTEGRATION OF TYPES OF TESTS
Various type of test:
1. The separate tests on each program in a series of
programs for a single application can be combined for
all programs for that application.
2. The separate tests on each file used in or resulting
from the processing for a single application can be
combined into an overall evaluation for all files used
in that application.
3. The separate test on program and files can be
combined into an overall evaluation.
4. The testing of programs and files can be combined into
a single test. This single test may enable the auditor to
perform:
a) A controls test of both programs and files at the
same time,
b) A substantive test of both programs and files at the
same time,
c) A dual purpose test of both programs and files at
the same time.
5. Multiple tests can be combined mixtures of controls an
substantive tests on both programs and files into an
overall evaluation of the system.
6. The separate tests performed on user, general and
application controls can be combined into an overall
evaluation.
 Series of Programs

PAYROLL APPLICATION

Maintenance Program processes addition, deletions and other changes

calculates gross payroll, withholdings and deductions along w/ the year to date
Update Program totals and prints the payroll checks and journals

prepares quarterly and annual payroll report for union, pension, profit-sharing and
Report Program government purposes
 Multiple Files

ORDER ENTRY APPLICATION

Accounts Receivable Master File accessed to determine whether the sum of the new
order, amount to be due for back orders and amounts
currently receivable exceed the credit limit
Inventory Back-order File
Programs and Files

Separate Test

Single Test

Multiple Test
User, General and Application Controls

User Control

General Control

Application Control
Processing of Actual Data
Combinations of Techniques for Testing

Technique for Testing Controls in

CONTROLS TESTING ILUSTRATION

ACCOUNTS RECEIVABLE
APPLICATION
 Input errors detected were  Credit limit field in each
corrected and resubmitted account contains a certain
 Output was reconciled amount
to input
 The balance due does not
 Output was distributed exceed the credit limit
to authorized personnel
 PAYROLL APPLICATION

 Using both the client’s  Pay rates on the

and the auditor’s system transaction file vs pay
rates of master file
SUBSTANTIVE TESTING ILUSTRATION

ACCOUNTS RECEIVABLE
APPLICATION
Foot
subsidiary
ledgers
Process AR
payment
transactions
Control
account
SUBSTANTIVE TESTING ILUSTRATION

PAYROLL APPLICATION

Foot
BALANCES
Process
PAYROLL
Control
account
REASONS FOR DECIDING TO USE A MIXTURE

• EFFECTIVENESS
• EFFICIENCY
Processing of Simulated Data
-Used to determine the operating
effectiveness of application controls and
the accuracy of processing results.
CONTROLS TESTING ILUSTRATION
ACCOUNTS RECEIVABLE
APPLICATION

SUBSTANTIVE TESTING ILUSTRATION

Sales order system

Dual-Purpose Testing
-combination of controls testing
and substantive testing.
PARALLEL SIMULATION:
CONTROLS : test input controls for compliance requirements
SUBSTANTIVE: compare account balance
GENERALIZED AUDIT SOFTWARE:
CONTROLS : examine particular field like credit limit
SUBSTANTIVE: foot , reconcile subsidiary with control
account
 Combining techniques for dual-purpose testing of computer systems
Program Tests File Tests
Controls Tests PARALLEL GENERALIZED
SIMULATION AUDIT SOFTWARE
Substantive Tests PARALLEL GENERALIZED
SIMULATION AUDIT SOFTWARE

NOTE! In performing combinations of tests , auditors should not

lose sight of the objectives they are trying to achieve.
In performing combinations of tests , auditors should not lose
sight of the objectives they are trying to achieve.