Unit 11 Audit of Computerised Systems: 11.0 Overview
Unit Structure
11.0 Overview
11.1 Learning Outcomes
11.2 Features and Risks in Auditing Computerised Systems
11.3 Controls in Computerised Systems
11.3.1 General IS Controls
11.3.2 Application Controls
11.4 Use of IT by Auditors
11.5 Computer-Assisted Audit Techniques
11.6 Summary
11.7 Activity
11.0 OVERVIEW
Auditing in a computerised information system environment is the rule rather than the
exception. Today, very few businesses operate a wholly manual accounting system and so
‘computer audit’ is actually the norm. Auditors all over the world now use computers to a
greater extent and the proportion of their clients without a single PC must be very small or
non-existent. In this unit, the features, risks and controls involved in auditing in a computer
information system will be considered.
1. Explain the planning procedures that auditors will adopt in CIS environment.
2. Describe the different control procedures that may exist within a computerised
information system.
Audit Principles and Practices - DFA 3103
3. Describe the various IT tools that may be used to assist auditors in their audit
assignments.
4. Explain the use of Computer-assisted audit techniques by auditors.
Assume that an enterprise has acquired a computerised information system during the
current period. To carry out the audit, the auditor will usually consider the following features
and risks of the CIS at the planning stage:
Consistency of Performance
Consistency of performance can be both a strength and a weakness. Computer systems are
more reliable than manual systems. A properly programmed application will process
transactions consistently and accurately, while a programme with errors will make errors
consistently.
This problem can be particularly acute where data can be altered from remote terminals.
There is still a widespread belief that computers and the records contained on them are
inherently safer, and less vulnerable to loss and corruption than manual systems.
Most systems are capable of generating transactions without human intervention. For
example, bank interest is almost always charged automatically. The lack of authorisation and
documentation can be a significant audit issue if many transactions are generated this way.
Computers do not show handwriting, and the proper authorisation and attribution of
transactions processed is correspondingly important. Many systems report by exception only
and this can make an audit trail difficult to follow if there is no hard copy of all transactions
processed.
Programmed Controls
Programmed controls integrated within the information system are generally not visible and
therefore need to be tested using alternative means such as test data.
The data stored on CDs is highly vulnerable to loss, corruption, theft and destruction.
Incorrect entries, particularly when encoded, may result in incorrect data in many different
accounts. This could seriously damage a database system.
The general IS controls act as an ‘umbrella’ to specific IS controls. These controls may
include the following:
a) Access Controls
Access controls include the use of security personnel, locked doors, keypads, swipe cards
and logical access controls (passwords) that allow only authorised individuals access to
the relevant areas of the system. More sophisticated procedures would include voice,
fingerprint, and retina recognition. Systems software data shows who has attempted to
enter the system, when, what files were used and so on. Analysis of this data goes some
way to detecting and preventing unauthorised access.
ROM is necessary for the more important program and data files as it helps to protect data
generally.
d) Antiviral Software
The use of antiviral software, the enforcement of policies discouraging the use of
non-authorised software, effective disaster recovery and contingency planning all help to
minimise the risks associated with the loss or corruption of data. Simple fire and flood
prevention measures help control the hardware, as well as software.
The purpose of IS application controls is to provide assurance that all transactions are
authorised, recorded and processed completely, accurately, and on a timely basis.
a) Batch Totals
Batch and hash totals are designed to check the completeness and accuracy of inputs.
Hash totals are meaningless numbers created by the addition of, say, employee
numbers on a payroll or customer codes on a batch of invoices.
b) Sequence Test
Sequence checks and document counts ensure the completeness of input, and like
batch and hash totals, can often be reconstructed at the output stage.
c) Reasonableness Checks
Parameter (or ‘reasonableness’) checks ensure, usually, that the value of a transaction
is not totally wrong but they do not ensure that it is absolutely right!
d) Check Digits
Check digits are single digits that appear somewhere within codes, such as bar codes.
They are arrived at by the application of a mathematical formula (such as Modulus
11) that is designed to give a single figure ‘remainder’, that forms the check digit. If
the code has been input incorrectly, and the formula is applied, an incorrect check
digit will be calculated and an exception report produced. Check digits are thus a
check on accuracy.
e) Screen Prompt
Screen prompts (‘do you really want to quit? y/n’) help prevent many types of input
error.
f) Existence Checks
Existence checks ensure that the customer, supplier, or employee who is being entered
on a transaction file, actually exists on the masterfile.
g) Consistency Checks
Consistency checks help ensure that one part of the transaction being entered is
consistent with another, e.g., if there is a charge for carriage, there should also be a
charge for goods.
h) Authorisation Controls
Authorisation controls are both manual and computerised and are essential to prevent
the recording of invalid and inaccurate transactions.
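The input controls listed above (batch and hash totals, sequence, check digit, existence and reasonableness checks), applied to one payroll batch; this is an added example, not part of the original unit. The record layout, the 80-hour limit and the Modulus 11 weighting used here are assumptions, and the batch data is constructed.

```python
def mod11_check_digit(base):
    """Modulus 11 check digit; weights len+1..2 from the left (assumed variant)."""
    total = sum(int(d) * w for d, w in zip(base, range(len(base) + 1, 1, -1)))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)  # bases needing 10 are never issued

def valid_code(code):
    return code.isdigit() and len(code) > 1 and mod11_check_digit(code[:-1]) == code[-1]

def validate_batch(header, records, masterfile, max_hours=80):
    """Return (doc_no, reason) exceptions; doc_no is None for batch-level failures."""
    exceptions = []
    # Batch controls: document count, batch total, hash total versus the header.
    if len(records) != header["count"]:
        exceptions.append((None, "document count"))
    if sum(r["hours"] for r in records) != header["batch_total"]:
        exceptions.append((None, "batch total"))
    if sum(int(r["emp"]) for r in records if r["emp"].isdigit()) != header["hash_total"]:
        exceptions.append((None, "hash total"))
    # Sequence check: every pre-numbered document in the batch range must be present.
    seen = {r["doc"] for r in records}
    for doc in range(header["first_doc"], header["first_doc"] + header["count"]):
        if doc not in seen:
            exceptions.append((doc, "sequence: missing document"))
    for r in records:
        if not valid_code(r["emp"]):                      # check digit
            exceptions.append((r["doc"], "check digit"))
        elif r["emp"] not in masterfile:                  # existence check
            exceptions.append((r["doc"], "existence"))
        if not 0 < r["hours"] <= max_hours:               # reasonableness check
            exceptions.append((r["doc"], "reasonableness"))
    return exceptions

# Constructed sample data: header totals come from the source documents,
# the records are what was keyed in (with deliberate errors).
MASTERFILE = {"12343", "20451", "31704"}
HEADER = {"count": 4, "first_doc": 1001, "batch_total": 150, "hash_total": 76841}
KEYED = [
    {"doc": 1001, "emp": "12343", "hours": 40},
    {"doc": 1002, "emp": "20541", "hours": 38},   # transposed digits in the code
    {"doc": 1003, "emp": "31704", "hours": 360},  # 36 keyed as 360
    {"doc": 1005, "emp": "40711", "hours": 36},   # 1004 missing; code valid but unknown
]

if __name__ == "__main__":
    for doc, reason in validate_batch(HEADER, KEYED, MASTERFILE):
        print(doc if doc is not None else "BATCH", reason)
```

The document count still agrees with the header even though one document was swapped for another, which is why the sequence check and the hash total are run alongside it.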
a) Spreadsheets
Spreadsheets are ‘sheets’, similar to analysis paper, divided into individually referenced
‘cells’ that can be programmed with formulae in order to calculate or recalculate quickly
and accurately. They hold much more data than can be comfortably held on analysis
paper.
i) Accounts Preparation
Good-quality, inexpensive, standardised accounts preparation packages are now
available and are suitable for anything from the smallest of entities, to large
consolidation packages. Many of these are spreadsheet based.
b) Statistical Packages
i) select the number of items to test, within given parameters of risk and assurance
required;
ii) select which items to test, at random, on a systematic, block or monetary basis;
iii) analyse results, by means of extrapolation to the population as a whole.
Such packages increase the efficiency of the audit as they promote accuracy and speed,
and facilitate delegation and review. The danger is that the package will be used
mechanically, without the proper use of professional judgement and that the results will
be assumed to be correct, simply because they have been produced by the computer.
If the auditor’s PCs can be connected to the client’s PCs, or are compatible with them,
there will be no need to input data relating to populations from which samples are drawn,
as they can be taken directly from the client’s system. This may represent a considerable
time and cost saving.
c) Word Processing
Word processing is used in almost all areas of the audit. It is used for the routine
production of reports, faxes, letters, memos, emails and other communications. It
reduces the need for support staff and shortens the time in which documents can be
produced, as the packages are user-friendly and can be used by professional staff. It
also improves client and staff relations, particularly where email can be used to
eliminate the physical movement of large documents that need to be reviewed or
edited.
planning, it may be possible to reduce the number of paper based files kept, with a
consequent reduction in storage costs.
CAATs are now available as standardised packages, but are generally still only used in
auditing large client firms. They are quicker and more accurate than conventional techniques.
The effective use of CAATs relies on the co-operation of clients and a proper understanding
of their use.
a) Audit Software
The data can be downloaded directly from the client’s system, or re-input into the
auditor’s system. Obviously, the better the communications between auditor and
client systems, the more efficient this process will be. ‘Embedded audit facilities’
amount to audit software that has been written into the client’s system, to trap items as
they are processed for further testing at a later date.
b) Test Data
Test data is auditor generated data that is used primarily for testing controls. The
auditor will test access controls over the system by attempting to gain unauthorised
entry into it, or by attempting to process invalid data. For example, unauthorised
Test data carries with it the inherent risk of corruption of client data. ‘Integrated test
of facilities’ may prevent such risk through testing controls. For example, the auditor
may post a sales invoice to the ‘A. Auditor’ account on the sales ledger. He would
hope that in a few weeks’ or months’ time, the invoice would show in the client’s
system as an overdue debtor.
11.6 SUMMARY
1. To carry out the audit, the auditor will usually consider the various features and risks
of the CIS at the planning stage, such as consistency of performance, concentration of
knowledge, programmes and data files, ease of access to data and programmes,
automatically generated transactions, lack of source documentation and audit
2. The purpose of controls in a computerised information system is to establish a
framework of overall control. These controls are usually classified as general controls
and application controls.
3. The general IS controls act as an ‘umbrella’ to specific IS controls. These controls
include access controls, encryption and call-back procedures, Read Only Memory
(ROM), system development controls and antiviral software.
4. The purpose of IS application controls is to provide assurance that all transactions are
authorised, recorded and processed completely, accurately, and on a timely basis.
These controls include batch totals, sequence test, reasonableness checks, check
digits, screen prompt, existence checks, authorisation controls and consistency checks.
5. In a computerised information system environment, auditors will use various information
technology tools to assist them in their audit assignments. For example, spreadsheets,
statistical packages, word processing and CAATs.
6. CAATs are now available as standardised packages, but are generally still only used
in auditing larger client firms. They are quicker and more accurate than conventional
techniques. The effective use of CAATs relies on the co-operation of clients and a
proper understanding of their use. Two basic categories of CAATs are audit software
and test data.
11.7 ACTIVITY
Activity 1
You are the auditor of Computer Point Ltd which has recently installed a computerised
financial and management accounting and reporting system.
An outline description of the Wages System and the reports produced is set out below:
Required
(a) As the newly appointed manager in charge of the audit, describe in tabulation, how
you would conduct the audit of Computer Point Ltd’s wages system.
(b) State how the use of the computer by a client affects the work of the auditor.
(c) Give FOUR major computer controls you would expect to find in operation in the
wages cycle indicating the purpose of EACH control.