
AUDITING: A RISK ANALYSIS APPROACH
5th edition

Larry F. Konrath

Electronic Presentation
by Harold O. Wilson
Chapter 8
KEY CONCEPTS OVERVIEW
• Computer Based Information Systems
(CBIS) impact on firm policies &
procedures, and on auditing (controls
& testing)
• CBIS are unique (hardware, processing,
files, storage, scope, especially in global
e-commerce)
• CBIS Controls (General controls,
Application controls, User controls)
KEY CONCEPTS OVERVIEW
• Auditors audit “around” the computer
and/or “through” the computer
• Audit risks in CBIS scenarios escalate
each year (due to direct data inputs,
minimal hard-copy, internal storage)
• Applications of computer assisted testing,
changes in evidence gathering
LEARNING
OBJECTIVES
• Differentiate auditing “around” vs.
“through” the computer
• Identify various types of CBIS
• Define major CBIS accounting controls
• Develop an approach to assessing control
risk in CBIS accounting applications
• Evaluate/manage audit risk factors in
CBIS accounting applications
COMPUTER BASED
INFORMATION SYSTEMS
• Personal Computers—commonplace
• Wide Area Networks (WAN) & Local Area
Networks (LAN)--end-user sharing
• Database Management Systems (DBMS)--
integrated collections of stored data
• Internet and Intranet applications
• Artificial Intelligence (sequenced decision rules)
programs using Knowledge Engineers and
Knowledge Bases (embedded cases)
A note on technology
Information processing systems have
encouraged “continuous auditing” throughout
a client’s fiscal year. Computer systems and
personnel (and changes) tend to obscure (or
destroy) “audit trails” traditionally “traced” by
auditors.

Auditor ingenuity is continuously
challenged!
FAQ?

What are major impacts of CBIS advances
on auditing and assurance services?

Trends in computer use impact two aspects of
audit risk, but not audit objectives:
• Assessing control risk (need for CBIS control)
• Managing detection risk (verifying
transaction data processed by CBIS, and
balance data stored in CBIS)
Questions arise as to CBIS effectiveness,
confidentiality, control.
Vulnerability “to computers” increases risks.
There are major concerns over privacy,
access codes, internet security, etc.
Internal control becomes a very broad
concept, given current technology.
A consistent truism:

Optimal segregation of
functions exists when
collusion is necessary
in order to circumvent
controls.
IMPACTS ON AUDITING
• Changes in the audit trail
– Less documentation, but more consistency
– Less hard-copy available, but better data access
• Combining of functions
– Computerized “checking,” transaction logs
– Less segmentation of details, and/or people
• Auditing “around the black box”
vs. “through the white box”
FAQ?

What is the “audit trail?”

The documents & records (evidence of
executed transactions) that allow “tracing”
transactions through the accounting cycle in
the accounting and information system.

Auditing “around” the computer is to
pretend it’s just a super-sized typewriter!
Auditing “through” the
white box
• Direct testing--processes auditor’s known
data properly, completely, etc.
• Auditor observes the control functions in
action (e.g., check digits, limit tests).
• Gives evidence of an underlying process.
• BUT, is the evidence only about today and
“the usual” data? Is it playing client?
Observations on auditing with,
around, or through computers
• The difficulty: After-the-fact testing of
data, computers, & applications may or
may not replicate what happened during
the period under audit.
• The responsibility: Auditors must develop
confidence in the controls and in
input & outputs while performing
other auditing techniques as well.
TYPES OF CBIS
• Centralized vs. Distributed (DDP) systems
• OLRT vs. Batch processing systems
• Multi-user (DBMS) vs. flat file systems
• Interactive vs. stand-alone systems
• Various degrees of networking, geographic
separations, e-commerce functions,
volumes/types of transactions, etc., and
focus on end users’ needs.
ELECTRONIC COMMERCE
SYSTEMS
• Scope:
– Merchandise and securities markets
– Bookkeeping and tax services
– Consulting and teaching
• Risk concerns (control over inputs):
– Access by customers and employees (complex!)
– Data security concerns (EDI)
– Internet involvement (an ultimate “one-
write” system)
Remember: The Auditor’s initial
concern is transaction cycles!
All firms have …
• Sales
• Cash In
• Cash Out
• Purchases
• Payrolls
AND documentation should underlie the
debits and the credits to these accounts!
CBIS CONTROLS:
1. General Controls
• Control procedures that are interactive
with two or more control objectives.
• Relate to the organizational structure of
the CBIS function (safeguarding data
files & programs, documentation, etc.).
• Relate to all (or many) computerized
accounting activities.
• Of major concern to auditors.
• CBIS should be separate from user
departments, and not initiate transactions.
• CBIS Manager reports to top management.
• Other Personnel: System Analysts (design &
modify system to meet user needs),
Programmers, Computer Operators,
Librarian (custody over
files, programs, control access), Data
Control Group (similar to internal audit)
• CBIS testing precedes going on line.
• Increased dependence on computers
prompts all user groups to participate
in design & development of CBIS
• Documentation includes objectives, access
controls (approvals, authorizations),
flowcharts, and instructions.
• Procedural controls include protocols, data
encryption, telecommunications,
network monitoring software, etc.
CBIS CONTROLS:
2. Application Controls
• Control procedures that are designed to
achieve specific control objectives.
• Relate to individual computerized
accounting applications.
• Organized into input controls, processing
controls, output controls.
• There are application controls for sales,
cash receipts, cash disbursements,
purchases, and payrolls.
• Input controls: accuracy & completeness
(editing, audit trails, transaction logs,
e.g., reasonableness tests, test digits)
• Processing controls (headers, footers,
record counts, echo checks)
• Output controls (verifications, proper
distribution to authorized recipients)
CBIS CONTROLS:
3. User Controls
• Control procedures that are established by
departments other than Data Processing,
whose transactions are computer
processed.
• Relate to ensuring accuracy of data
processing (e.g., approvals of inputs,
review of outputs).
• Techniques include control totals, hash
totals, comparative summaries.
• Auditors often evaluate a mix of CBIS
and user controls.
• If CBIS controls are weak, auditors
default to evaluating user controls as
possible compensating controls.
• Audit focus on User controls may save
audit time in some cases, since
evaluating complex CBIS controls
may contribute little to audit objectives.
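Added example (not from the textbook or the slides): the input edits named above (check digit, limit test) and the user department's batch reconciliation (record count, control total, hash total), run in Python over a constructed batch. The Luhn check-digit scheme, the 5,000.00 limit and all account numbers are assumptions.

```python
from decimal import Decimal

LIMIT = Decimal("5000.00")  # assumed reasonableness ceiling per transaction

# Constructed sample batch of (account number, amount); not data from the slides.
BATCH = [("40014", Decimal("125.00")),
         ("40022", Decimal("980.50")),
         ("40030", Decimal("42.75"))]

def check_digit_ok(account):
    """Luhn mod-10 check digit (assumed scheme; the slides name none)."""
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_errors(records, limit=LIMIT):
    """Input edits: reject bad check digits and amounts outside the limit."""
    errors = []
    for n, (account, amount) in enumerate(records):
        if not (account.isdigit() and check_digit_ok(account)):
            errors.append((n, "check digit"))
        if not Decimal("0") < amount <= limit:
            errors.append((n, "limit test"))
    return errors

def batch_totals(records):
    """Totals the user department logs before handing the batch to processing."""
    return {
        "record_count": len(records),
        "control_total": sum((amt for _, amt in records), Decimal("0")),
        # Hash total: sum of a non-monetary field, meaningful only as a check.
        "hash_total": sum(int(acct) for acct, _ in records),
    }

def reconcile(logged, processed):
    """Names of the totals that differ between the user's log and the output."""
    after = batch_totals(processed)
    return sorted(k for k in logged if logged[k] != after[k])

if __name__ == "__main__":
    logged = batch_totals(BATCH)
    rerouted = [("40022", BATCH[0][1])] + BATCH[1:]  # another valid account, same amount
    print(reconcile(logged, BATCH[:2]))   # a record lost in processing
    print(reconcile(logged, rerouted))    # count and control total still agree
    print(edit_errors([("40012", Decimal("9000.00"))]))
```

A substituted but valid account number passes the check-digit edit and leaves the record count and control total unchanged, so only the hash total flags it.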
AUDIT TECHNIQUES
for testing CBIS controls
• Develop the audit program for needed
substantive testing in CBIS environments:
– Review the CBIS and identify areas for
specific testing of controls
– Study the system and program documentation
– Make tests
– Evaluate the control risk
AUDIT TECHNIQUES
for testing CBIS controls
• Auditor considerations:
– Organization of the CBIS functions
– Flowcharts (inputs, outputs, controls, sequences)
– Access to files, programs, hardware
– Modification processes
– Back files, disaster recovery plans
– Data Control Group functions
AUDIT TECHNIQUES
for testing CBIS controls
• Auditor concerns in evaluating & testing
General Controls:
– Possible manipulation of data, misreporting
– Lack of documentation, physical safeguards
– Access controls (passwords, security levels, etc.)
– Improper system design, “unauditable” data
– Organizational controls (e.g., debugging, exception
reports, etc.)
AUDIT TECHNIQUES
for testing CBIS controls
• Auditor concerns--General Controls:
– Extent of internal auditor involvement
– Authorization issues
– Data protection (antivirus software, backups,
e-commerce security, network monitoring,
protocol controls)
– Assurance that programs designed and intended
to be used are, in fact, the programs in use.
FAQ?
Would auditor involvement in the design of
the client’s CBIS and its controls, be an
advantage or disadvantage in audit practice?

It’s controversial. Many believe
that such would seriously
compromise …
COMPUTER ASSISTED
Audit Techniques (CAAT)
• “Test Data” (hypothetical answers & errors)
used with the client’s computer:
“Would their computer find…?”
• “Tagging & Tracing” technique
• Systems Control Audit Review File
(SCARF) – using specific control points
• BCSE (for large clients!)
CAAT…
• Parallel Simulation – an automated
version of auditing around the
computer, e.g., “Client’s software
or data” used with CPA’s
computer or software (known
reliability).
• “Mixing” such factors, “surprise
audit,” may be effective or may be
inadvisable; maybe dangerous.
CAAT…
• Artificial Intelligence & Expert Systems
(AI/XS): Software packages based on
decision rules, knowledge base systems
(KBS), and expertise in defined
domains.
• Expert System Shells: Software prompting
effective “transference” of expertise
to the less experienced, by utilizing a
critical sequence of input variables.
• Expert Systems Shells: software dependent
on which knowledge base underlies the XS--
being used to grant insurance coverage,
predict fraud or bankruptcy, solve tax
cases, aid in forensic accounting cases (e.g.,
kiting), and design audit programs.
• Neural network: computer system designed
to replicate the functioning of the human
brain, i.e., simulated learning via cases.
AI/XS “conclusions” are often linked to probabilities.
FAQ?
Would the auditor’s use of “artificial
data” introduced into the client’s
normal “live data” processing (ITF
approach) be effective? …efficient?
…wise?
Very controversial! Many
pitfalls may exist here for the
auditor. Can you list a few?
CBIS &
Audit Risk Implications
• Audit trail modifications may occur as
OLRT inputs are “shotgunned once” to
every location to use such input data.
• Hard-copy may be replaced by DBMS.
• Temporary vs. long-term retention policies
may become “fuzzy” policies.
• Similar concerns prompt initial assessments
of control risk at very high levels!
Suggestions
• Systems & changes--well-documented &
adequately approved.
• Transaction logs adequately detailed.
• Passwords & encryption tightly controlled,
changed, voided. [When someone is fired,
the path to the doorway should disallow
returning by his/her desk.]
Suggestions
• Input editing (e.g., debits must equal
credits, reasonableness) updated often.
• Backups & History Logs—detailed, required.
• The OLRT, DDP, and EDI world leads to
“automatic initiations;” thus, compensating
controls are vital.
• “Exception Reports” (errors, unusual ratios)
Internal Control Weaknesses &
Exceptions to Procedures
An “exception” is not
automatically a “cause”
of an error, misstatement,
or fraud! People could be
fast, accurate, competent
and honest anyway.
AUDITOR MANAGEMENT
of DETECTION RISK
• Involvement with CBIS design, audit trails
• Computer specialists on their staffs
• A mindset for potential computer fraud and
management fraud
• Experience in tradeoffs: control risks vs.
detection risks, interim vs. FYE testing
• “Continuous auditing” relationships
CRITICAL TERMS REVIEW

• Application controls
• Auditing around
• Auditing through
• BCSE
• Batch processing
• CBIS Manager
• Centralized data processing
• Check digit
• Completeness test
• Computer editing
• Conditioned telecommunications
• Continuous auditing
• Data control group
• Design phase auditing
• Distributed data processing
CRITICAL TERMS REVIEW
• Encryption
• Echo check
• Expert systems
• Expert systems shell
• Fiber optics
• Flat file system
• General controls
• Input controls
• DBMS
• KBS
• Neural networks
• OLRT system
• Output controls
• Parallel simulation
• Processing controls
• Systems analysts
• SCARF
• User controls
End of Chapter 8
