Audit Principles and Practices - DFA 3103

UNIT 11 AUDIT OF COMPUTERISED SYSTEMS

Unit Structure

11.0 Overview
11.1 Learning Outcomes
11.2 Features and Risks in Auditing Computerised Systems
11.3 Controls in Computerised Systems
11.3.1 General IS Controls
11.3.2 Application Controls
11.4 Use of IT by Auditors
11.5 Computer-Assisted Audit Techniques
11.6 Summary
11.7 Activity

11.0 OVERVIEW

Auditing in a computerised information system environment is the rule rather than the
exception. Today, very few businesses operate a wholly manual accounting system and so
‘computer audit’ is actually the norm. Auditors all over the world now use computers to a
greater extent and the proportion of their clients without a single PC must be very small or
non-existent. In this unit, the features, risks and controls involved in auditing in a computer
information system will be considered.

11.1 LEARNING OUTCOMES

By the end of this Unit, you should be able to do the following:

1. Explain the planning procedures that auditors will adopt in a CIS environment.
2. Describe the different control procedures that may exist within a computerised
information system.

3. Describe the various IT tools that may be used to assist auditors in their audit
assignments.
4. Explain the use of Computer-assisted audit techniques by auditors.

11.2 FEATURES AND RISKS IN AUDITING COMPUTERISED SYSTEMS

Assume that an enterprise has acquired a computerised information system during the
current period. To carry out the audit, the auditor will usually consider the following features
and risks of the CIS at the planning stage:

Consistency of Performance

Consistency of performance can be both a strength and a weakness. Computer systems are
more reliable than manual systems. A properly programmed application will process
transactions consistently and accurately, while a programme with errors will make errors
consistently.

Concentration of Knowledge, Programmes and Data Files

The number of computer specialists involved in a computerised system environment will
generally be low. In most organisations, small or large, there may be one individual with a
detailed knowledge of the functioning of the system as a whole. Such individuals are in a
position to alter programmes and data, and potentially conceal fraud. Transactions, masterfile
and program data are often held together and this increases the potential for unauthorised
access. It might be difficult for an audit firm to perform proper risk assessment if it has very
few computer specialists.

Ease of Access to Data and Programmes

This problem can be particularly acute where data can be altered from remote terminals.
There is still a widespread belief that computers and the records contained on them are
inherently safer, and less vulnerable to loss and corruption than manual systems.

Automatically Generated Transactions

Most systems are capable of generating transactions without human intervention. For
example, bank interest is almost always charged automatically. The lack of authorisation and
documentation can be a significant audit issue if many transactions are generated this way.

Lack of Source Documentation and Audit

Computers do not show handwriting, and the proper authorisation and attribution of
transactions processed is correspondingly important. Many systems report by exception only
and this can make an audit trail difficult to follow if there is no hard copy of all transactions
processed.

Programmed Controls

Programmed controls integrated within the information system are generally not visible and
therefore need to be tested using alternative means such as test data.

Vulnerability of Storage Media

The data stored on CDs is highly vulnerable to loss, corruption, theft and destruction.

Multiple Update of Files

Incorrect entries, particularly when encoded, may result in incorrect data in many different
accounts. This could seriously damage a database system.

11.3 CONTROLS IN COMPUTERISED SYSTEMS

The purpose of controls in a computerised information system is to establish a framework of
overall control. These controls are usually classified as general controls and application
controls.

11.3.1 General IS Controls

The general IS controls act as an ‘umbrella’ to specific IS controls. These controls may
include the following:

a) Access Controls

Access controls include the use of security personnel, locked doors, keypads, swipe cards
and logical access controls (passwords) that allow only authorised individuals access to
the relevant areas of the system. More sophisticated procedures would include voice,
fingerprint, and retina recognition. Systems software data shows who has attempted to
enter the system, when, what files were used and so on. Analysis of this data goes some
way to detecting and preventing unauthorised access.

b) Encryption and Call-back Procedures

These procedures help to prevent hacking, particularly where public telecommunications
lines or networks are involved. File transfer protocols are necessary to ensure the
complete and accurate transfer of data without loss.

c) Read Only Memory (ROM)

ROM is necessary for the more important program and data files as it helps to protect data
generally.

d) Antiviral Software

The use of antiviral software, the enforcement of policies discouraging the use of
non-authorised software, effective disaster recovery and contingency planning all help to
minimise the risks associated with the loss or corruption of data. Simple fire and flood
prevention measures help control the hardware, as well as software.

e) System Development Controls

Systems development controls such as the use of proper programming standards,
qualified programmers, testing and conversion procedures, are all necessary to ensure that
the system does not fail for the lack of properly controlled design and development.

11.3.2 Application Controls

The purpose of IS application controls is to provide assurance that all transactions are
authorised, recorded and processed completely, accurately, and on a timely basis.

Application controls may include the following:

a) Batch Totals

Batch and hash totals are designed to check the completeness and accuracy of inputs.
Hash totals are meaningless numbers created by the addition of, say, employee
numbers on a payroll or customer codes on a batch of invoices.

b) Sequence Test

Sequence checks and document counts ensure the completeness of input, and like
batch and hash totals, can often be reconstructed at the output stage.

c) Reasonableness Checks

Parameter (or ‘reasonableness’) checks ensure, usually, that the value of a transaction
is not totally wrong but they do not ensure that it is absolutely right!

d) Check Digits

Check digits are single digits that appear somewhere within codes, such as bar codes.
They are arrived at by the application of a mathematical formula (such as Modulus
11) that is designed to give a single figure ‘remainder’, that forms the check digit. If
the code has been input incorrectly, and the formula is applied, an incorrect check
digit will be calculated and an exception report produced. Check digits are thus a
check on accuracy.

e) Screen Prompt

Screen prompts (‘do you really want to quit? y/n’) help prevent many types of input
error.

f) Existence Checks

Existence checks ensure that the customer, supplier, or employee who is being entered
on a transaction file, actually exists on the masterfile.

g) Consistency Checks

Consistency checks help ensure that one part of the transaction being entered is
consistent with another, e.g., if there is a charge for carriage, there should also be a
charge for goods.

h) Authorisation Controls

Authorisation controls are both manual and computerised and are essential to prevent
the recording of invalid and inaccurate transactions.
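
The input-stage controls listed above, applied to one batch of invoices. This is an added illustration, not part of the course text: the customer codes, invoice data, value limit and the Modulus 11 weighting (2, 3, 4, ... from the right) are all assumptions.

```python
# Added illustration, not from the course text. Customer codes, limits and the
# Modulus 11 weighting (2, 3, 4, ... from the right) are assumptions.

def mod11_check_digit(body):
    total = sum(int(d) * w for w, d in enumerate(reversed(body), start=2))
    return (11 - total % 11) % 11      # a result of 10 means the code is not issued

def code_ok(code):
    return code.isdigit() and len(code) > 1 and mod11_check_digit(code[:-1]) == int(code[-1])

def validate_batch(header, invoices, masterfile, max_goods=50_000):
    """Run the input controls and return an exception report of (invoice_no, reason)."""
    report = []
    # Batch controls: document count and hash total agreed to the batch header.
    if len(invoices) != header["count"]:
        report.append((None, "document count differs from header"))
    hash_total = sum(int(i["customer"]) for i in invoices if i["customer"].isdigit())
    if hash_total != header["hash_total"]:
        report.append((None, "hash total differs from header"))
    # Sequence check: duplicates and gaps in the invoice numbers.
    numbers = sorted(i["no"] for i in invoices)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            report.append((cur, "duplicate invoice number"))
        report.extend((n, "missing invoice number") for n in range(prev + 1, cur))
    for inv in invoices:
        if not code_ok(inv["customer"]):                 # check digit
            report.append((inv["no"], "check digit failure"))
        elif inv["customer"] not in masterfile:          # existence check
            report.append((inv["no"], "customer not on masterfile"))
        if not 0 <= inv["goods"] <= max_goods:           # reasonableness check
            report.append((inv["no"], "goods value outside parameters"))
        if inv["carriage"] > 0 and inv["goods"] == 0:    # consistency check
            report.append((inv["no"], "carriage charged without goods"))
    return report

# Constructed sample data: the header totals were prepared from the source documents.
MASTERFILE = {"10359", "20478"}
HEADER = {"count": 4, "hash_total": 71758}
BATCH = [
    {"no": 1001, "customer": "10359", "goods": 1200, "carriage": 40},
    {"no": 1002, "customer": "20478", "goods": 0, "carriage": 25},
    {"no": 1004, "customer": "10395", "goods": 300, "carriage": 0},   # mis-keyed code
    {"no": 1005, "customer": "30562", "goods": 90_000, "carriage": 0},
]

if __name__ == "__main__":
    for line in validate_batch(HEADER, BATCH, MASTERFILE):
        print(line)
```

The mis-keyed customer code on invoice 1004 is caught twice, once by the check digit and once by the hash total, while invoice 1005 carries a well-formed code that only the existence check rejects.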

11.4 USE OF IT BY AUDITORS

In a computerised information system environment, auditors will use various information
technology tools to assist them in their audit assignments. This means that auditors should be
computer literate and have the ability to use IT to perform the audit in an efficient manner.
The following are the commonly used IT tools:

a) Spreadsheets

Spreadsheets are ‘sheets’, similar to analysis paper, divided into individually referenced
‘cells’ that can be programmed with formulae in order to calculate or recalculate quickly
and accurately. They hold much more data than can be comfortably held on analysis
paper.

Spreadsheets can be used in the following areas:

i) Accounts Preparation
Good-quality, inexpensive, standardised accounts preparation packages are now
available and are suitable for anything from the smallest of entities, to large
consolidation packages. Many of these are spreadsheet based.

ii) Time/Cost Budgeting
The firm’s staffing requirements and planning can be performed using
spreadsheets and the costs of individual audits can be budgeted using integrated
software.

iii) Analytical Procedures
Analytical procedures that involve the calculation of trends, ratios and other
relationships can be dealt with effectively using spreadsheets. Data in relation to
financial performance and position can be held for comparison with subsequent
years, and the use of spreadsheets facilitates consistency, particularly where there
are changes of staff.

b) Statistical Packages

This type of package is particularly useful in the application of sampling procedures.
Packages can, for example:

i) select the number of items to test, within given parameters of risk and assurance
required;
ii) select which items to test, at random, on a systematic, block or monetary basis;
iii) analyse results, by means of extrapolation to the population as a whole.

Such packages increase the efficiency of the audit as they promote accuracy and speed,
and facilitate delegation and review. The danger is that the package will be used
mechanically, without the proper use of professional judgement and that the results will
be assumed to be correct, simply because they have been produced by the computer.

If the auditor’s PCs can be connected to the client’s PCs, or are compatible with them,
there will be no need to input data relating to populations from which samples are drawn,
as they can be taken directly from the client’s system. This may represent a considerable
time and cost saving.

c) Word Processing

Word processing is used in almost all areas of the audit. It is used for the routine
production of reports, faxes, letters, memos, emails and other communications. It
reduces the need for support staff and shortens the time in which documents can be
produced, as the packages are user-friendly and can be used by professional staff. It
also improves client and staff relations, particularly where email can be used to
eliminate the physical movement of large documents that need to be reviewed or
edited.

Specifically, it can be used to produce audit programmes, audit planning
documentation, ordinary working papers, lead schedules, and almost all other current
file documentation. Providing there is adequate backup and proper contingency
planning, it may be possible to reduce the number of paper based files kept, with a
consequent reduction in storage costs.

11.5 COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATs)

CAATs are now available as standardised packages, but are generally still only used in
auditing large client firms. They are quicker and more accurate than conventional techniques.
The effective use of CAATs relies on the co-operation of clients and a proper understanding
of their use.

There are two basic categories of CAAT:

1. Audit Software

Audit software is primarily used for substantive procedures. Client data is
processed through the auditor’s programmes. These programmes can, for
example:
a) check additions;
b) select high value, static, or negative transactions and balances, for review;
c) perform, or re-perform the ageing of a ledger;
d) select samples for further testing.

The data can be downloaded directly from the client’s system, or re-input into the
auditor’s system. Obviously, the better the communications between auditor and
client systems, the more efficient this process will be. ‘Embedded audit facilities’
amount to audit software that has been written into the client’s system, to trap items as
they are processed for further testing at a later date.
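
The audit-software procedures listed above, run over a small sales ledger extract. This is an added illustration, not part of the course text and not any particular CAAT package: the ledger rows, client totals, ageing bands, review threshold and sampling interval are constructed assumptions.

```python
# Added illustration, not from the course text: audit-software procedures run over
# a constructed sales ledger extract. Field names and thresholds are hypothetical.
from datetime import date
from decimal import Decimal

LEDGER = [  # (invoice, customer, invoice date, balance), constructed sample
    ("S101", "Alpha", date(2024, 5, 20), Decimal("1250.00")),
    ("S102", "Beta", date(2024, 3, 2), Decimal("18400.00")),
    ("S103", "Gamma", date(2024, 1, 15), Decimal("-310.50")),
    ("S104", "Delta", date(2023, 11, 30), Decimal("4075.25")),
    ("S105", "Alpha", date(2024, 6, 10), Decimal("960.00")),
]
AS_AT = date(2024, 6, 30)
CLIENT_TOTAL = Decimal("24474.75")   # ledger total per the client's listing
CLIENT_AGEING = {"0-30": Decimal("2210.00"), "31-90": Decimal("0.00"),
                 "over 90": Decimal("22164.75")}

def check_additions(ledger, client_total):
    return sum(row[3] for row in ledger) - client_total   # non-zero: casting difference

def select_for_review(ledger, high_value=Decimal("10000")):
    return [row[0] for row in ledger if row[3] >= high_value or row[3] < 0]

def reperform_ageing(ledger, as_at):
    bands = {"0-30": Decimal(0), "31-90": Decimal(0), "over 90": Decimal(0)}
    for _, _, inv_date, balance in ledger:
        days = (as_at - inv_date).days
        bands["0-30" if days <= 30 else "31-90" if days <= 90 else "over 90"] += balance
    return bands

def ageing_differences(ledger, as_at, client_ageing):
    mine = reperform_ageing(ledger, as_at)
    return {b: mine[b] - client_ageing[b] for b in mine if mine[b] != client_ageing[b]}

def monetary_sample(ledger, interval, start):
    """Systematic selection on a monetary basis; negative balances add nothing."""
    picked, cumulative, target = [], Decimal(0), Decimal(start)
    for inv, _, _, balance in ledger:
        cumulative += max(balance, 0)
        if target <= cumulative:
            picked.append(inv)
            while target <= cumulative:
                target += interval
    return picked

if __name__ == "__main__":
    print(check_additions(LEDGER, CLIENT_TOTAL), select_for_review(LEDGER))
    print(ageing_differences(LEDGER, AS_AT, CLIENT_AGEING))
    print(monetary_sample(LEDGER, Decimal("5000"), 2500))
```

Each function returns the items an auditor would follow up: the casting difference, the balances selected for review, the ageing bands that disagree with the client's report, and the invoices drawn into the sample.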

2. Test Data

Test data is auditor-generated data that is used primarily for testing controls. The
auditor will test access controls over the system by attempting to gain unauthorised
entry into it, or by attempting to process invalid data. For example, unauthorised
passwords, employee names or numbers may be used in an attempt to gain entry.
Incomplete transactions, transactions with incorrect coding, transactions outside
programmed parameters, and transactions with non-existent customers or suppliers –
all of these may be used in testing to ensure that the system properly rejects invalid
transactions.

Test data carries with it the inherent risk of corruption of client data. ‘Integrated test
facilities’ may prevent such risk through testing controls. For example, the auditor
may post a sales invoice to the ‘A. Auditor’ account on the sales ledger. He would
hope that in a few weeks’ or months’ time, the invoice would show in the client’s
system as an overdue debtor.

11.6 SUMMARY

It is important to remember the following:

1. To carry out the audit, the auditor will usually consider the various features and risks
of the CIS at the planning stage, such as consistency of performance, concentration of
knowledge, programmes and data files, ease of access to data and programmes,
automatically generated transactions, lack of source documentation and audit.
2. The purpose of controls in a computerised information system is to establish a
framework of overall control. These controls are usually classified as general controls
and application controls.
3. The general IS controls act as an ‘umbrella’ to specific IS controls. These controls
include access controls, encryption and call-back procedures, Read Only Memory
(ROM), system development controls and antiviral software.
4. The purpose of IS application controls is to provide assurance that all transactions are
authorised, recorded and processed completely, accurately, and on a timely basis.
These controls include batch totals, sequence test, reasonableness checks, check
digits, screen prompt, existence checks, authorisation controls and consistency checks.
5. In a computerised information system environment, auditors will use various information
technology tools to assist them in their audit assignments. For example, spreadsheets,
statistical packages, word processing and CAATs.

6. CAATs are now available as standardised packages, but are generally still only used
in auditing larger client firms. They are quicker and more accurate than conventional
techniques. The effective use of CAATs relies on the co-operation of clients and a
proper understanding of their use. Two basic categories of CAATs are audit software
and test data.

11.7 ACTIVITY

Activity 1

Computer Point Ltd – effect of audit computerisation; errors in wages system

You are the auditor of Computer Point Ltd which has recently installed a computerised
financial and management accounting and reporting system.

An outline description of the Wages System and the reports produced is set out below:

Wages System Stage                     Document/Report

Time worked recorded                   Clock card/time sheets

Hours worked (including overtime)      Reports on departmental total
input to computer file                 hours worked

New/Leaving Employees                  Changes Form
Changes in pay rates
deductions input by
Personnel Department

Pay calculated by reference to         Weekly report on gross and net pay
basic/overtime rates and               Individual pay slips
deductions etc.

Required

(a) As the newly appointed manager in charge of the audit, describe in tabulation, how
you would conduct the audit of Computer Point Ltd’s wages system.

(b) State how the use of the computer by a client affects the work of the auditor.

(c) Give FOUR major computer controls you would expect to find in operation in the
wages cycle indicating the purpose of EACH control.
