AUDITING IN A COMPUTERIZED

ENVIRONMENT
 REPORTERS

Shem

Claire

Ireen
INTRO

With the rapid development in technology in recent years,

computer information systems (CIS) have become feasible,
perhaps essential, for use even in small scale business operations.
Almost all entities now use computers to some extent in their
accounting systems. This widespread use of computers has
offered new opportunities for professional accountants and has
also created some challenging problems to auditors.
INTRO

Regardless of the extent of computerization or the methods of

data processing being used, the responsibility for the
establishment and implementation of appropriate internal control
system rests with management and those charged with
governance. The auditor's responsibility is to obtain an
understanding of the entity's internal control system to be able to
assess control risk and determine the nature, timing, and extent of
tests to be performed.
 Ease of Access to
Lack of Visible Consistency of Data and Concentration of
Transaction Trails Performance Computer Duties
Programs

Vulnerability of
Systems Generated
data and program
Transactions
storage media

CHARACTERISTICS OF COMPUTERIZED INFORMATION SYSTEMS (CIS)

 - In manual system, it is normally
possible to follow a transaction though
the system by examining source
documents, entity's records, and financial 1. LACK OF
reports. In a CIS environment, data can
VISIBLE
he entered directly into the computer
system without supporting documents. - TRANSACTION
The absence of these visible documents, TRAILS
supporting the processing of transactions,
makes the examination of evidence more
difficult.
  - CIS performs functions exactly as
programmed. If the computer is
programmed to perform a specific data
2. processing task, it will never get tired
CONSISTENCY of performing the assigned task in
OF exactly the same manner. - Because of
PERFORMANCE this capability of the computer to
process transactions uniformly, clerical
errors that are normally associated with
manual processing are eliminated.
  - In a CIS environment, data and
3. EASE OF ACCESS
computer programs may be accessed
TO DATA AND and altered by unauthorized persons
COMPUTER leaving no visible evidence. It is
important, therefore, that appropriate
PROGRAMS controls are incorporated to the system
to limit to access to data files and
programs only to authorized personnel.
 - Proper segregation of duties is an
4. essential characteristic of a sound
CONCENTRATIO internal control system. However,
because of the ability of the computer
N OF DUTIES
to process data efficiently, there are
functions that are normally
segregated in manual processing that
are combined in a CIS environment.
5. SYSTEMS GENERATED TRANSACTIONS

- Certain transactions may be initiated by the CIS

itself within the need for an input document.
  - In a manual system, the records are written in
6. VULNERABILITY ink on substantial paper. The only way to lose
OF DATA AND the information is to lose or destroy the
physical records. The situation is completely
PROGRAM different in a CUE environment. The
information on the computer can be easily
STORAGE MEDIA changed, leaving no trace of the original
content. This change could be happen
inadvertently and huge amount of information
can be quickly lost.
INTERNAL
CONTROL IN A
CIS
ENVIRONMEN
T
  Many of the control procedures used in
INTERNAL manual processing also apply in a CIS
environment.
CONTROL IN A CIS  When computer processing is used in
ENVIRONMENT significant accounting applications,
internal control procedures can be
classified into two types:

General and
Application controls.
GENERAL CONTROLS

General controls are those control policies and procedures that to

the overall computer information system. These controls incl.
 Organizational Control
 Systems Development and Documentation Controls
 Access Controls
 Data Recovery Controls
 Monitoring Controls
GENERAL CONTROLS - ORGANIZATIONAL CONTROLS

In a CIS environment, the plan of an organization for

an entity's computer system should include
segregation between the user and CIS department,
and segregation of duties within the CIS
department.
  a. Segregation between the CIS department and user
departments.
CIS department must be independent of all departments within
the entity that provide input data or that use output generated
by the CIS. The function of CIS department is to process
GENERAL CONTROLS transactions. However, no transaction will be processed unless
it is initiated by the user department. Therefore, all changes in
- ORGANIZATIONAL computer files must be initiated and authorized by the user
CONTROLS department
 b. Segregation of duties within the CIS department
Functions within the CIS department should be properly
segregated for good organizational controls. The entity's
organizational structure should provide for definite lines of
authority and responsibility within the CIS department.
 CIS DIRECTOR

Systems Computer
Development Other Functions
Operations

Systems Analyst Computer

Librarian
Operator

Programmer Data Entry

Control Group
Operator
Position Primary Responsibilities

CIS Director Exercises control over the CIS operation.

Systems Analyst Designs new systems, evaluates and improves existing

systems, and prepares specifications for programmers.

Programmer Guided by the specifications of the systems analyst, the

programmer writes a program, tests and debugs such
programs, and prepares the computer operating
instructions.

Computer Operator Using the program and detailed operating instructions

prepared by the programmer, computer operator operates
the computer to process transactions.
Position Primary Responsibilities

Data Entry Operator Prepares and verifies input data for processing

Librarian Maintains custody of systems documentation, programs and files.

Control Group Reviews all input procedures, monitors processing, follows-up data processing
errors the reasonableness of output, and distributes on authorized personnel.
GENERAL CONTROLS - SYSTEMS DEVELOPMENT AND
DOCUMENTATION CONTROLS

Software development as well as

changes thereof must be approved by
the appropriate level of management
and the user department. To ensure
that computer programs are
functioning as designed, the program
must be tested and modified, if
needed, by the user and CIS
department.
Moreover, adequate systems
documentation must be made in order
to facilitate the use of the program as
well as changes that may be
introduced later into the system.
GENERAL CONTROLS - ACCESS CONTROLS

 Every computer system should have

adequate security contes to protect
equipment, files, and programs.
Access to the computer should be
limited only to operators and other
authorized employees. Additionally,
appropriate controls, such as the
use of passwords, must be adopted
in order to limit access to data files
and programs only to authorized
personnel.
GENERAL CONTROLS - DATA RECOVERY CONTROLS

A data recovery control provides for the maintenance of

back-up files and off-site storage procedures. Computer
files should be copied daily to tape or disks and secured
off-site. In the event of disruption, reconstruction of files is
achieved by updating the most recent back-up with
subsequent transaction data.
 Monitoring controls are
designed to ensure that CIS
GENERAL
controls are working effectively
CONTROLS - as planned. These include
MONITORING periodic evaluation of the
CONTROLS adequacy and effectiveness of
the overall CIS operations,
conducted by persons within or
outside the entity.
APPLICATION CONTROLS -

Application controls are those policies and

procedures that relate to specific use of the
system. These are designed to provide
reasonable assurance that all transactions are
authorized, and that they are processed
completely, accurately and in a timely manner.
 APPLICATION CONTROLS - CONTROLS OVER INPUT

A large number of errors in a computer system are caused by inaccurate or incomplete data entry.
Input controls are designed to provide reasonable assurance that data submitted for processing are
complete, properly authorized, and accurately translated into machine readable form.
Examples of input controls include:
 Key verification
This requires data to be entered twice (usually by different operators) to provide assurance that there
are no key entry errors committed
 Field check
This ensures that the input data agree with the required field format. For example, all SSS number
must contain ten digits. An input of an employee's SSS number with more or less than ten digits will
be rejected by the computer.
 Validity check
Information entered are compared with valid information in the master file to determine the authenticity of
the input. For example, the employees' master file may contain two valid codes to indicate the employee's
gender "1" for male and "2" for female. A code of "3" is considered invalid and will be rejected by the
computer.
 Self-checking digit
This is a mathematically calculated digit which is usually added to a document number to detect common
transpositional errors in data submitted for processing.
 Limit check
Limit check or reasonable check is designed to ensure that data submitted for processing do not exceed a
pre-determined limit or a reasonable amount.
 Control totals
These are totals computed based on the data submitted for processing. Control totals ensure the
completeness of data before and after they are processed. These controls include financial totals, hash
totals, and record counts.
 Processing controls are designed to
provide reasonable assurance that
APPLICATION input data are processed accurately,
CONTROLS - and that are not lost, added, excluded,
CONTROLS duplicated or improperly changed.
OVER Almost all of the input controls that
were mentioned earlier are also part
PROCESSING of the processing controls because
controls are usually incorporated in
the client's comp program to detect
errors in processing of transactions.
APPLICATION CONTROLS - CONTROLS OVER OUTPUT

 Output controls are designed to provide reasonable assurance that the

results of processing are complete, accurate and that these outputs are
distributed only to authorized personnel
 Control totals are compared with those computed prior to processing to
ensure completeness of information. Finally, CIS outputs must be
restricted only to authorized employees who will be using such outputs.
The effectiveness of the general CIS controls is essential to the
effectiveness of CIS application controls. Thus, it may be more efficient to
review the design of the general controls first, before reviewing the
application controls.
TEST OF CONTROLS IN A
CIS ENVIRONMENT
  Like manual processing environment, test of control in a CIS
environment involves evaluating the client's internal control
policies and procedures to determine if they are functioning
as intended. Regardless of the nature of the client's data
TEST OF processing system, auditors must perform tests of controls
if they intend to rely on the client's internal control.
CONTROLS IN A  Testing the reliability of general controls may include
CIS observing client's personnel in performing their duties;
inspecting program documentation; and observing the
ENVIRONMENT security measures in force. In testing application controls,
the auditor may either:
1. Audit around the computer; or
2. Use Computer-Assisted Audit Techniques.
AUDITING AROUND THE COMPUTER

 Auditing around the computer is like testing control in a manual control

structure in that it involves examination of documents and reports to
determine the reliability of the system. When using this approach, the auditor
ignores the client's data processing procedures, focusing solely on the input
documents and the CIS output. Input data are simply reconciled with the
output to verify the accuracy of processing.
 Auditing around the computer can be used only if there are visible input
documents and detailed output that will enable the auditor trace individual
transactions back and forth. This is also known "black box approach" because
it does not permit direct assessment of actual processing of transactions.
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

 When computerized accounting systems perform tasks for which no visible

evidence is available, it may be impracticable for the auditor to test manually.
Such is usually the case when the entity uses advanced CIS. Consequently,
auditor will have to audit directly the client's computer program using CAATs.
This is also called "white box approach”
 CAATs are computer programs and data which the auditor uses as part of the
audit procedures to process data of audit significance contained in an entity's
information systems. Some of the commonly used CAATs include test data,
integrated test facility and parallel simulation
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

 1. Test data
The test data technique is primarily designed to test the effectiveness of the internal control
procedures which are incorporated in the client's computer program. The objective of the test
data technique is to determine whether the client's computer programs can correctly handle
valid and invalid conditions as they arise.
To accomplish this objective, the auditor prepares test data (fictitious transactions) that consist
of valid and invalid conditions. The auditor enters the test data into the system and have the
data processed by the entity's computer program. Because the auditor is the one who creates
the test data, the auditor knows what the output should look like, assuming the client's computer
program is functioning effectively. The auditor then compares the processing results with his
predetermined output. If the output generated by the client's program is the same as the
auditor's expected output, the auditor may conclude that the client's program is reliable.
TEST DATA

Auditor’s Test
Data

Proceed using
Client’s
Program

Auditor’s
Compare
Output Expected
Manually
Output
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

 2. Integrated test facility (ITF)

When using ITF, the auditor creates dummy or fictitious employee or other
appropriate unit for testing within entity's computer system. Unlike test data,
which is run independently of the client's data, an ITF integrates the processing
of test data with the actual processing of ordinary transactions without
management being aware of the testing process. The resultant output, relating
to the dummy unit, is then compared with the predetermined results to evaluate
the reliability of the client's program.
INTEGRATED TEST FACILITY

Auditor’s Text Data Client’s Data

Proceed Using
Client’s Program

Auditor’s Expected
Output Compare Manually
Output
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

 3. Parallel simulation
In contrast to the test data and ITF techniques, which require the auditor to
create test inputs (data) and process these data using the client's computer
program; parallel simulation requires the auditor to write a program that
simulates key features or processes of the program under review. The simulated
program is then used to reprocess transactions that were previously processed
by the client's program.
PARALLEL SIMULATION

Client’s Data
Client’s Data

Proceed Using
Proceed Using Auditor’s
Client’s Program Program

Compare
Output Output
Manually
OTHER CAATS

 1. Snapshots
This technique involves taking a picture of a transaction as it flows through the computer
systems. Audit software routines are embedded at different points in the processing logic
to capture the images of the transaction as it progresses through the various stages of
processing. Such a technique allows an auditor to track data and evaluate the computer
processes applied to the data.
 2. Systems control audit review files (SCARF)
This involves embedding audit software modules within an application system to provide
continuous monitoring of the systems transactions. The information is collected into a
special computer file that the auditor can examine.
THANK YOU