2. AUDITING IN A COMPUTER
ENVIRONMENT
INTRODUCTION.
In recent years, there has been
development in the use of computers as a
means of keeping the accounting records
and producing financial information.
This trend has brought about significant
changes in the way the organisations
process, store data, and disseminate
information.
3. AUDITING IN A COMPUTER
ENVIRONMENT
INTRODUCTION.
Hence a significant effect on internal control
systems employed by the entity.
This International Standard on Auditing (ISA 315)
require the auditor to understand the entity and
its Environment, including the entity’s internal
control in order to assess the Risks of material
misstatement in the financial statements.
4. AUDITING IN A COMPUTER
ENVIRONMENT
INTRODUCTION.
In a Computerized environment it is
expected that the auditor should satisfy
himself that the controls are adequate
enough to produce accurate and complete
financial statements.
5. AUDITING IN A COMPUTER
ENVIRONMENT
In planning the portions of audit which may be
affected by the clients environment the auditor
should obtain an understanding of significance
and complexity of computerised information
system activities and the availability of data for
use in the audit.
6. AUDITING IN A COMPUTER
ENVIRONMENT
Computerised environment
includes the following:
• Hardware (i.e. CPU, monitor, printers, zip drive,
scanners
• Software (Operating systems, database,
application software etc.
• The transmission media (i.e. wires, optical fiber
cables and microwave links)
• Network devices (i.e. modems, gateways etc)
7. AUDITING IN A COMPUTER
ENVIRONMENT
Risk aspect to consider in Computer
Systems.
Hardware-The computer may be stolen or
damaged
Unauthorized access-possibility for unauthorized
users to obtain information held on file.
System breakdown-there may be a loss of data for
example if there is power failure.
Corrupt files.
8. AUDITING IN A COMPUTER
ENVIRONMENT
Further challenges:
1. Evidence collection - challenge
– Collecting evidence on the reliability of a
computer system is often more complex than
collecting evidence on the reliability of a manual
system
– Hence Auditors have to run through computer
system themselves using Computer Assisted
Audit Techniques (CAATS) if they are to collect
the necessary evidence
9. AUDITING IN A COMPUTER
ENVIRONMENT
2. Changes to Evidence Evaluation - challenge
– Paper documents are inherently more
reliable because alterations are generally
apparent or may be uncovered by forensic
analysis. By comparison, electronic
documents in their uncontrolled state are
highly vulnerable to forgery and
unauthorised change.
10. AUDITING IN A COMPUTER
ENVIRONMENT
3. Skill competence – challenge
– The ISA makes it clear that auditors should
have sufficient knowledge of the
computerised information system to perform
such audit effectively. These skills are very
limited especially in developing country like
Tanzania
11. AUDITING IN A COMPUTER
ENVIRONMENT
4. Risks in a network environment -
challenges
– Threats to accountability - In a manual system, a
person has to be physically present to handle a
paper document. It is not the same in a networked
computer system. In a network environment, an
electronic document may be created, accessed,
read, amended, deleted or replaced from anywhere
at anytime and the true identity of the person
responsible may not be known.
– Ease of amendment - Computer software and data
are stored and transmitted in an intangible form.
They can be amended without any trace.
12. AUDITING IN A COMPUTER
ENVIRONMENT
– Ease of duplication - Computer files
can be easily copied and made
indistinguishable from the original. It is
particularly important to prevent and to
detect the duplication of electronic
records which have financial value.
13. AUDITING IN A COMPUTER
ENVIRONMENT
– Internet risks - When an entity uses a private
network for e-business, transactions are
transmitted between trading partners through
a value added network with access only to the
network’s trading partners. In contrast if e-
business is transacted over the Internet,
which is a public network, the information
being transmitted is vulnerable to being
intercepted, altered, lost, diverted or replaced.
14. AUDITING IN A COMPUTER
ENVIRONMENT
Internet Risks.
– Due to the open nature of the Internet, an
organisation’s network that is connected to
the Internet is also vulnerable to unauthorised
access, computer viruses and denial-of-
service attacks. These vulnerabilities put the
authenticity of audit evidence at risk.
15. AUDITING IN A COMPUTER
ENVIRONMENT
Other challenges.
• Lack of segregation of duties commonly in the past every
transaction would probably be reviewed and processed
by several people which is not the case in CIS.
• The potential for fraud and error as result of system or
program faults. Once a fault is in a system, the system
processes incorrectly for ever as no human intervention
or review may be included in the controls or the fault
may simply not be visible as processing is not
transparent e.g. use of wrong price for the sale of
commodities or using a wrong wage-rate while paying
wages and salaries to the employees
16. AUDITING IN A COMPUTER
ENVIRONMENT
Internal controls in ICT Environment.
They are classified into:
• General Control
• Application Control
17. AUDITING IN A COMPUTER
ENVIRONMENT
General controls.
Controls over general environment in which
the system is developed, maintained and
operated. They include:
• Complete review, testing and approval of
the system and programs before they
become fully operational.
• Competence of staff to implement the
system
18. AUDITING IN A COMPUTER
ENVIRONMENT
• Authorization of any changes in the
system by responsible official.
• Segregation of duties so that different
staffs perform the duties of system
development, programming and data
entry.
• Access control- only authorized personnel
should have access of hardware,
programs and data files.
19. AUDITING IN A COMPUTER
ENVIRONMENT
• Stand by facilities for use in case of a
temporary computer failure
• Back-up facilities to avoid loss of data.
20. AUDITING IN A COMPUTER
ENVIRONMENT
Application controls classified into:
a) Input controls
b) Processing controls
c) Output controls.
The main aim is to ensure Validity,
completeness and accuracy of
accounting data.
21. AUDITING IN A COMPUTER
ENVIRONMENT
Application Control.
Controls within a computer application to
ensure- completeness, accuracy of input,
processing and validity of the resulting
accounting entries. They can be done foe
specific areas of the system for example,
control over sales, payroll, control over
inventory and etc.
22. AUDITING IN A COMPUTER
ENVIRONMENT
Input controls
The main aim of input controls is to reduce errors
in the data entered in the system for processing.
Input controls include checking and ensuring
that:
• Input data are authorized by the appropriate
official.
• Data represent valid record of actual transaction
• Correctly classified for the purpose of
accounting.
23. AUDITING IN A COMPUTER
ENVIRONMENT
Input control-examples
Sequence checks.
Transactions that are serially numbered should be
in sequence and checked by the programs
If sales invoice are serially numbered for example
010 to 0200; then if invoice numbered 14
recorded before 12 then the system should
reject invoice number 14 until number 12 is
posted.
24. AUDITING IN A COMPUTER
ENVIRONMENT
Batch control
Group together the sum of either sales
invoice, purchase invoice or whatever,
them there totals should be obtained
manually then compare with computer
own generated totals.Any difference
means an error to be traced and
corrected.
25. AUDITING IN A COMPUTER
ENVIRONMENT
Digits check
Ascertaining the validity of number digit.
Reasonableness checks
Input data should be checked to ensure data
items are within pre-defined limits.
For example on a payroll system, overtime
hours recorded per day should fall within a
certain range, let say 2hrs-8hrs.
26. AUDITING IN A COMPUTER
ENVIRONMENT
• Checking of data items should be done as the
item are entered and users requested to correct
mistakes before being allowed to enter further
data items.
• Transactions should not be allowed to proceed
to further stages of processing unless they have
been totally verified for accuracy or if key data
items are missing.
27. AUDITING IN A COMPUTER
ENVIRONMENT
• All transactions should contain a unique
reference number to aid tracking.
• Sensitive data items should be subjected to
independent verification by another user.
28. AUDITING IN A COMPUTER
ENVIRONMENT
Processing controls
There are divided into mechanical and
programmed controls.
Programmed control are done during the
system development to ensure that only
data related to a particular transaction is
processed and not otherwise.
29. AUDITING IN A COMPUTER
ENVIRONMENT
Output Controls
Controls relating to input and processing
itself with the final objective of ensuring
that the output:
• Relates precisely to the original input.
• Represents the outcome of a valid and
tested program of instructions. (eg, digit
check, reasonableness checks)
30. AUDITING IN A COMPUTER
ENVIRONMENT
• Output reports are only accessed by the
authorized personnel.
• Output reports checked by someone as to
their reasonableness.
31. AUDITING IN A COMPUTER
ENVIRONMENT
Approaches for Computer Audit.
The basic approaches for computer audit
are:
a) Around the computer
b) Through the computer
32. AUDITING IN A COMPUTER
ENVIRONMENT
Auditing around the computer.
Under this approach the computer is treated as a
Black Box and only input and output documents
are reviewed. The controls and procedures used
in processing the data are not considered
important and the auditor ignores the programs
that causes the transformation of the input data
into output data.Instead,the auditor selects and
test inputs against appropriate outputs and vice
versa.
33. AUDITING IN A COMPUTER
ENVIRONMENT
If they matched and proved to be accurate
and valid, then it is assumed that the
system of control is operating properly.
34. AUDITING IN A COMPUTER
ENVIRONMENT
Advantages.
i. Simple and straight forward approach
which can be easily understood by
anyone.
ii. Extensive knowledge of the computer
and data processing is not required for
the auditor
iii. Cost of audit resources is generally low.
35. AUDITING IN A COMPUTER
ENVIRONMENT
Disadvantages.
i. Ignores the system of controls and
hence fails to recognize pontential errors
or weakness with the system
ii. Represents the after-fact rather than
preventive auditing
iii. Amounts of auditing in nature of post
mortem rather than preventive auditing.
36. AUDITING IN A COMPUTER
ENVIRONMENT
iv. The auditor fails to utilize the full potential
of the computer to assist him.
v. Increasing of printing expenses because
of enormous print-out requirements (lot of
data) of the auditor.
37. AUDITING IN A COMPUTER
ENVIRONMENT
Auditing through the computer.
In this approach computer is treated as a
white box. Auditing through the computer
implies that the auditor makes use of the
computer in carrying out his audit.Under
this approch, auditor can test the
processing and control systems.
38. AUDITING IN A COMPUTER
ENVIRONMENT
This technique requires two basic tasks:
• The review and verification of source
documents and
• The actual testing of the computer
program logic and program controls.
39. AUDITING IN A COMPUTER
ENVIRONMENT
Advantages.
i. Utilizes the computer as a tool for
performing auditing functions.
ii. Forces the auditor to get more involved
in the system, there by increasing his
ability to perform more complex audit.
iii. Test results are readily identifiable and
can be used as measures of internal
processing reliability
40. AUDITING IN A COMPUTER
ENVIRONMENT
iv. Increases service to clients because
controls and operations are checked by
the auditor
v. Provide effective test processing logic and
program controls.
41. AUDITING IN A COMPUTER
ENVIRONMENT
Disadvantages.
i. Requires more computer time.
ii. It is very expensive.
iii. It requires extensive knowledge of
computer and data processing by the
auditor.
42. AUDITING IN A COMPUTER
ENVIRONMENT
Audit Trail.
It is the means by which an individual transaction
can be traced sequentially through the system
from source to completion and its loss will mean
that normal audit techniques will break-down. In
order that audit trail to be provided, every
transaction on a file should contains a unique
reference back to the original source of input.
Loss of audit trail may be due to lack of trace
reference or sudden break down of computer
hardware with all information destroyed.
43. AUDITING IN A COMPUTER
ENVIRONMENT
Computer assisted Audit Techniques
(CAATs)
CAATs are any automated audit techniques
and they are important tools for the auditor
in performing audits in computer
environment. There are two main types:
1.Audit software
2.Test packs
44. AUDITING IN A COMPUTER
ENVIRONMENT
1.Audit software.
This consist of a set of instructions or
programs that an audit uses to extract and
examine client’s file.
There are two categories
• Generalized programs (by manufacturer)
• Specialized/Purpose-written programs (by
auditor or outside programmer)
45. AUDITING IN A COMPUTER
ENVIRONMENT
2.Test packs.
They consist of test data which is processed
in the same manner as actual data.
The auditor in this case prepares a test data
and submits it for processing by the client
computer program.The data include both
valid and invalid transactions.They are
designed to represent realistic operating
conditions.
46. AUDITING IN A COMPUTER
ENVIRONMENT
The main aim of test packs is to test
whether the clients system will be able to
detect errors, or invalid transactions
included.The resulting of computer
processing are compared with
predetermined results.
It is very important to ensure that the progra
being tested is the one which the client is
using and has been in use throughout the
year.
47. AUDITING IN A COMPUTER
ENVIRONMENT
Uses of CAATs.
1.In Substantive testing.Test of details of
transactions and balances
2.Analytical review procedures to identify
unusual fluctuations or items
3.Compiance test of Electronic data
processing-e.g the use of test data to test
the functioning of a programme.
48. AUDITING IN A COMPUTER
ENVIRONMENT
Considerations in the use of CAATs.
1.Computer knowledge, expertise and
experience of the auditor.
2.Availability of CAATs and suitable
computer facilities.
3.Timing
4.Impracticability of manual tests.