INFOTECH 3: AUDITING ACCOUNTING INFORMATION SYSTEM

INTRODUCTION

AUDITING AND EDP

AUDITING- a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic
actions and events to ascertain the degree of correspondence between those assertions and established criteria and
communicating the results thereof.

AUDITING

 SYSTEMATIC PROCESS
- It is structured as a dynamic activity carried out in a logical manner
 OBTAINING AND EVALUATING EVIDENCE
- Auditor is concerned about assertions relating to the reliability of the system of internal control and
the content of the files or outputs produced by computer processing
- He performs both compliance testing and substantive testing
 ASCERTAIN THE DEGREE OF CORRESPONDENCE BETWEEN THOSE ASSERTIONS AND ESTABLISHED CRITERIA
- It requires judgment on the auditor’s part as to what constitutes a non-compliance
 COMMUNICATING THE RESULTS
- To the client and other interested parties
- Preparation of the audit report

WHO SHALL PERFORM THE AUDIT?

- A person or persons having adequate technical training and proficiency as an auditor

IMPACT OF COMPUTERS ON THE ACCOUNTING AND AUDITING PROCESS

1) INTERNAL STORAGE
- With the representation of information in electronic form inside the computer, the auditor is no
longer able to observe the processing of data to determine if the proper procedures are being used
2) PROGRAMS CAN BE CHANGED WITHOUT THE AUDITOR’S KNOWLEDGE
- Such a change can occur through console intervention, or through code that modifies itself
while the program is running
3) ELIMINATION OF AUDIT TRAIL
- Partial elimination/disappearance of those documents, records, journals, ledgers and other
documents that enable the auditor to trace a transaction
4) MULTI-PROCESSING OR MULTI-PROCESSING
- With the ability of computer systems to process several applications simultaneously, files currently
being received can be modified during data processing by another program
5) REMOTE PROCESSING (TELE-PROCESSING)
- A major threat is the potential loss of assets from unauthorized access to programs and files
- Data might be lost during transmission
- Phishing- is the attempt to acquire sensitive information such as usernames, passwords, bank
accounts and credit card details for malicious reasons, by masquerading as a trustworthy entity in an
electronic communication
6) SPEED, ON-LINE/REAL-TIME PROCESSING
- Since account balances are updated immediately upon entering the system, it could mean that before
the auditor has finished reading and adding the balances, some of the balances may have already
changed
7) MULTIPLE LOCATIONS
- The complexity of multi-processing and on-line/real-time systems is compounded by processing in several locations
o Several floors and offices in a building
o Several buildings in a compound
o Several geographical locations
8) RAPID CHANGES: TECHNOLOGY, BUSINESS NEEDS

AUDITING APPROACHES

1) Auditing around the computer
2) Auditing with the computer
3) Auditing through the computer

AUDITING STANDARDS AND COMPUTER AUDITING CONCEPTS

STANDARDS OF FIELDWORK

 COMPLIANCE TESTING
- The auditor must obtain sufficient understanding of the entity and its environment, including its
internal control
- To assess the risk of material misstatement of the financial statements, whether due to error or
fraud, and
- To design the nature, timing, and extent of further audit procedures

INTERNAL CONTROL

- Comprises the plan of the organization and all of the methods and procedures adopted by a
business to achieve the objectives below

OBJECTIVES OF INTERNAL CONTROL
 Safeguard its assets
 Check the accuracy and reliability of its accounting data
 Promote operational efficiency and effectiveness
 Encourage adherence to prescribed managerial policies

INTERNAL CONTROL SYSTEM

ADMINISTRATIVE CONTROLS

- the plan of the organization and the methods and procedures to promote operational efficiency
and encourage adherence to prescribed managerial policies

ACCOUNTING CONTROLS

- the plan of the organization and the methods and procedures used to safeguard assets and to
check the reliability of accounting data
- AIS controls:
>general control
>application control

AIS CONTROL

1. GENERAL CONTROL – having pervasive effects
 If they are weak or absent, they negate the effects of the application controls
General Controls:

1) Organizational controls
2) Sound personnel practices
3) Standard operating procedures
4) System development controls
5) Documentation control
6) Hardware control
7) System software controls
8) System security control

 SUBSTANTIVE TESTING
- The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to
afford a reasonable basis for an opinion regarding the financial statements under audit
1) TEST OF DETAILS OF TRANSACTIONS AND BALANCES
- Complexities include automatic:
 Authorization of sales within certain limits
 Issuance of checks to vendors on due dates
2) ANALYTICAL REVIEW PROCEDURES
- Performed to detect unusual relationships among financial information
- Review may include comparison of this year’s amounts with last year’s; actual results with budget or
forecast; review of financial ratios
- Not significantly different from a manual or mechanical system

 DUAL-PURPOSE TESTING
- Both types of tests, compliance and substantive, are performed at the same time

WHO PERFORMS THE COMPUTER AUDITING TASK?

Demands as to the expertise placed on the auditor:

“If a client uses electronic processing in its accounting system, whether the application is simple or complex, the
auditor needs to understand the entire system sufficiently to enable him to identify and evaluate its essential
accounting control features.”

WHERE IN THE PROCESSING CYCLE SHOULD THE AUDIT BE PERFORMED?

Auditing the phases of processing

- Refers to the study and evaluation of internal control

Auditing the results of processing

- Refers to the collection of evidential matter; emphasis is on the direct test of account balances

WHEN TO PERFORM THE PROCEDURES?

Auditing concurrently with processing

- Information is available to the auditor while the program is running

Auditing after processing

- Audit procedures are performed after a computer program is finished


ON WHICH PART OF THE SYSTEM SHOULD THE AUDIT BE PERFORMED?

Auditing computer programs

Auditing computer files

Auditing computer systems

GENERAL CONTROLS

1. ORGANIZATIONAL CONTROLS (PLAN OF ORGANIZATION)
- Relate to the segregation of duties in order to reduce error or fraud:
(1) Segregation of EDP and user functions
(2) Segregation of function within EDP
(3) Segregation of functions among users

(1) Segregation of EDP and User Functions
a. Error detection, correction and resubmission
 System tests performed during systems development ensure the elimination of errors
 Where errors occur, generally they are corrected and resubmitted at source
b. Segregation of incompatible functions
 Authorization
o As a general rule, EDP should not be permitted to authorize transactions; however,
some authorization functions are incorporated in the computer program
o Examples: materials reordering system, customer order processing
 Execution
o Steps in the transaction processing cycles and changes to master files are to be
performed by the users; today, execution is done automatically through instructions
in the program
o Examples: system-generated financial entries, automatic reversing entries
 Accountability
o EDP should not have custody of non-EDP assets
o Access is normally indirect, e.g., the computer program contains the instructions to
release inventory for shipment
(2) Segregation of functions within EDP
a. System development
 System analysis
 Application programming
 Systems programming
b. Operations
c. Data base administration
 Independent librarian function
(3) Segregation of functions among users

Compensatory Controls

- Generally manual controls that are performed to compensate for the internal control weakness
arising from the non-segregation of duties
 Review and approval of purchasing department
 Review of exception lists from credit approval runs
2. SOUND PERSONNEL PRACTICES
- Provide control over the quality of work by ensuring that personnel are competent and honest
- Provide policies that encourage compliance
(1) Hiring and Evaluation of Personnel
a. Hiring Test
 Mostly behavioral and personality tests
b. Background check
 Checking the character references, recommendations from previous employers, NBI and
police clearances
c. Fidelity bonds
(2) Personnel scheduling
- Irregularities may be discovered during an employee’s absence
(3) Rotation of duties
- Enable the employee to master other tasks, thus, effectiveness is improved
- When a task is performed by another, opportunities for improvement can be identified
(4) Performance evaluation
- A tool to identify strengths and areas of improvement
- A good basis for rewards and remuneration
(5) Training and development
- Enhances employee performance and potential for more responsible roles
- CPE
(6) Career Path
- A tool to formalize target positions
- Helps identify training needs
- Encourages loyalty and dedication
(7) Rewards and Remuneration
- Induces employees to perform their best
(8) Formalization of Personnel Practices
- Conveys the company’s sincerity to its commitments
(9) Psychological Control
- Employees tend to display positive behavior if it goes with a reward or punishment as the case may
be

REVIEW AND TESTS OF COMPLIANCE- ORGANIZATIONAL CONTROLS

1. Review organization charts.
2. Review job descriptions of EDP and users pertaining to error handling.
3. Interview management and operating staff to determine the degree of effectiveness of supervision.
4. Prepare a systems flowchart for each transaction processing cycle and review the segregation of duties.
5. Review pre-processing controls, such as prior approval of master file changes.
6. Review the audit program of internal auditors to determine the completeness and adequacy of their review and
tests of internal control.

REVIEW AND TESTS OF COMPLIANCE- SOUND PERSONNEL PRACTICES

1. Review hiring and evaluation procedures, for example, aptitude tests and background checks.
2. Review performance appraisals and its link to rewards and remuneration.
3. Review staff development programs and continuing professional education.
4. Review promotion policies and recent promotions, to ensure that movements pose no threat to control.
5. Review staff turnover statistics and frequency of staff firing to ensure that the attitude of staff poses no undue
risk to control.
3. STANDARD OPERATING PROCEDURES
- Identify procedures that ensure high quality processing and limit the opportunity for errors and
unauthorized use of files, programs and reports.
(1) Scheduling
- The operations of the computer should follow realistic schedules to allow for assembly and
preventive maintenance
(2) Machine Operations
- Include procedures for loading programs and storage devices
- Requirement that console error messages be responded to uniformly.
(3) Machine Performance
- Identification and correction of equipment snags help reduce the incidence of hardware-induced
errors
- Standards are set for elapsed time usage, maintenance time, expected downtimes and other
conditions.
- Periodic review of equipment maintenance and failure logs, and comparison of actual equipment
performance with standards
(4) Job-run procedures
- These procedures generally outline the sequence of the programs to ensure that the required
processes are performed in the correct order
- Examples: variance report preparation
 Update physical standards
 Input volume of production
 Enter actual quantities consumed
 Calculate variances
(5) Console log and personnel time record
- Should be prepared by the operating system to record all operating and application system
activities, maintain an equipment utilization record and identify operator- and user-initiated actions
- It provides an important control over unauthorized system use
(6) Housekeeping
- Procedures relating to the use of supplies, storage of programs, and handling of files are designed to
reduce the risk of loss or destruction of programs and data
- It ensures that sensitive output does not fall into unauthorized hands
(7) File Control Standards
- Standards for the handling of files are necessary to minimize opportunities for misuse, damage or loss
of files
- Standards include file names, retention dates, reconstruction procedures and storage location
- The files are controlled by a librarian
(8) Adequate Supervision
- Control and review of operating activities which include periodic examination and comparison of
console logs, job records and personnel time records
(9) Emergency and Physical Security Procedures
- Plans and procedures to protect programs, files and equipment from fire, theft, natural disaster,
power failure, or failure of communication
- Emergency and physical security procedures should be written and included in the systems and
procedures manual
4. SYSTEM DEVELOPMENT CONTROLS
- The best time to build in the application controls is during the development of a system
- It would be easier compared with doing the program revisions later in order to incorporate the
control
(1) System development methodology
a. SDLC
 Planning, analysis, design, development, and implementation
 Building-in of required application control
 Users’ training and users’ procedures manual
b. Post implementation optimization
 Was there an evaluation that the new system meets the business requirements?
c. Documentation
 Provides control over the prevention, detection and correction of errors
(2) Project management
- The system development methodology will be of little value if development projects are not
adequately managed
(3) Programming conventions and procedures
Conventions
- Refer to the agreed standards, for example, in the use of symbols, charts, texts, graphs or writing of
manuals
- Also pertains to the uniform procedures followed in order to ensure the same accurate results every
time a job is performed
- Flowcharting conventions
- Decision table conventions
- Coding conventions
- Standard glossary and standard abbreviation
- Standard program routines
- Debugging
- Auditing conventions
o Coding Conventions
a. Computer code or program code
 The set of instructions forming a computer program which is executed by a computer
b. Data code
 A number, letter, character, or any combination thereof used to represent a data element or
data item
Data coding conventions provide a common understanding of the meaning of the codes
o Significant digit code
o Sequence code
o Mnemonic code
o Last digit code
o Identifiers
o Check digit code
o Standard glossary and standard abbreviations
- Terms and abbreviations that are unique to a particular installation should be carefully defined
- Use of non-standard terms and abbreviations should be prohibited to make review of
documentation easier
o Standard program routines
- A subroutine (also called procedure, function, routine, method, or subprogram) is a portion of code
within a larger program that performs a specific task and is relatively independent of the remaining
code
- Any sequence of code that is intended to be called and used repeatedly during the execution of
a program. This makes the program shorter and easier to write (and also to read when necessary)
- The main sequence of logic in a program can branch off to a common routine when necessary.
When finished, the routine branches back to it
- A routine may also be useful in more than one program and save other programmers from having
to write code that can be shared
o Standard job control routines
- Provide the interface between the application program and the operating system
o Debugging
- Standard debugging techniques increase the chance that errors will be found and provide a trail
of program changes, thereby reducing the opportunity for unauthorized program change
o Auditing conventions
- The programming standards manual should include a list of required controls and audit features
(4) User, Accounting, and Audit Participation
- Assures that users’ requirements are met by the system
- User participation represents commitment and approval
- Users recognize their responsibility and their dependence on the output
- Audit participation provides the opportunity to make suggestions regarding improvements in
internal control
(5) Technical, management, user, and auditor review and approval
- Review and approval ensures that the system has adequate controls and is acceptable to all
stakeholders

Technical Level

 Work outputs for each phase should be reviewed and approved by the systems and
programming supervisors before submission to users, auditors and management for
approval

Output level

 Requires that users, auditors and management review and approve the work output at the
end of each phase
(6) System testing
- An important control because it is the last opportunity to discover and correct problems before
implementation of the system
- Purpose:
 To ensure that the system will operate in conformance with the design specifications
 To determine whether the system’s operations meet user requirements
 To test whether all application controls work as intended
 To verify that errors in input, processing and output will be detected
o Program tests
- Testing of the processing logic of the programs
o String tests
- Instead of a single program, they are applied to a string of logically related programs
o System tests
- Applied to all programs in the systems to check if they will function if they run at the same time
o Pilot tests
- Involve the processing of actual transactions on the new system on an after-the-fact basis, then
comparing the results with those from the existing system
o Parallel tests
- The old and the new systems are run simultaneously using the same inputs, and the outputs are
compared to detect system errors
(7) Final approval
- Provides an opportunity to examine the final test results to make a final judgment
- Final approval should be given by management, users and EDP personnel before the system is
implemented
(8) Conversion and migration control
- Controls to prevent and detect errors when converting and migrating files to the new system
 Data Conversion
 The translation of computer data from one format to another
 Data Migration
 The process of transferring data from one system to another; generally, migration requires
data conversion
 Control Procedure:
 File conversion approval should be obtained before the process begins to ensure that the files
being converted are fully controlled
 The original and new files can be reconciled through record counts, hash totals or amount
totals
 Compare records from the original files with the new files to ensure that there are no
discrepancies
 Confirmation requests may be sent to third parties asking them to confirm the data that
relates to them
 Operational approval should be obtained from the users after they have used the system a
few times, which serves as the “acceptance test”
o Approval indicates their satisfaction with the way the system is operating
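One way to carry out the reconciliation steps above (record counts, hash totals, amount totals and a record-by-record comparison), as an added Python example that is not part of the original notes; the file layout, the `Record` type and the sample records are constructed for illustration:

```python
"""Reconcile an original file against its converted/migrated copy using
record counts, hash totals and amount totals, then compare record by record.
Added example, not part of the original notes; the file layout and sample
records are constructed for illustration."""
from decimal import Decimal
from typing import NamedTuple


class Record(NamedTuple):
    account_no: int      # non-financial field used for the hash total
    name: str
    balance: Decimal     # financial field used for the amount total


# Constructed sample data: the migrated copy drops one record and
# alters one balance, which the totals and the record comparison must expose.
ORIGINAL = [
    Record(10010, "Alpha Trading", Decimal("1500.00")),
    Record(10020, "Beta Supply", Decimal("-250.75")),
    Record(10030, "Gamma Retail", Decimal("980.10")),
    Record(10040, "Delta Freight", Decimal("0.00")),
]
MIGRATED = [
    Record(10010, "Alpha Trading", Decimal("1500.00")),
    Record(10020, "Beta Supply", Decimal("-205.75")),   # transposed digits
    Record(10040, "Delta Freight", Decimal("0.00")),    # 10030 is missing
]


def control_totals(records):
    """Batch-style totals: record count, hash total of account numbers
    (a meaningless sum used only to detect lost or altered records) and
    amount total of balances."""
    return {
        "record_count": len(records),
        "hash_total": sum(r.account_no for r in records),
        "amount_total": sum((r.balance for r in records), Decimal("0")),
    }


def reconcile(original, migrated):
    """Return a list of discrepancy descriptions; an empty list means the files agree."""
    findings = []
    o_tot, m_tot = control_totals(original), control_totals(migrated)
    for key in o_tot:
        if o_tot[key] != m_tot[key]:
            findings.append(f"{key} mismatch: original={o_tot[key]} migrated={m_tot[key]}")
    # Record-level comparison keyed on account number pinpoints the cause.
    o_by_key = {r.account_no: r for r in original}
    m_by_key = {r.account_no: r for r in migrated}
    for acct in sorted(o_by_key.keys() | m_by_key.keys()):
        o_rec, m_rec = o_by_key.get(acct), m_by_key.get(acct)
        if o_rec is None:
            findings.append(f"account {acct}: present only in migrated file")
        elif m_rec is None:
            findings.append(f"account {acct}: missing from migrated file")
        elif o_rec != m_rec:
            findings.append(f"account {acct}: field values differ {o_rec} != {m_rec}")
    return findings


if __name__ == "__main__":
    for line in reconcile(ORIGINAL, MIGRATED):
        print(line)
```

The totals alone show that something is wrong; the record-level pass is what tells the reviewer which record was lost and which field was altered.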
(9) Post-implementation review
Conducted to:
 Determine if the system is operating as intended
 Evaluate the effectiveness of the entire process of developing the system

“The feedback from this review is useful to the external auditor as it indicates that controls are either
functioning as desired or not.”

(10) Program change control

- Strong system development controls are negated if, subsequently, unauthorized modifications to the
programs are performed due to inadequate program change control
- Program changes result from a desire to improve the system, the need to adjust to changing
business conditions or the need to incorporate new operating, accounting and control policies.
These changes are referred to as program maintenance
- The objective of program change control is to ensure that all program changes are authorized and that
authorized program change requests are completed

Controls:

1. Program changes should be in accordance with established systems, programming and
documentation standards
2. Program changes should be restricted to system personnel; operating personnel should not make
changes to programs – even temporary changes to facilitate the running of a program