AUDIT OF COMPUTERISED

ENVIRONMENT

Dr. Mwiga Wiljonsi Mbesi

 Learning Objectives

At the end of this module you should be able to:

 Describe audit in computerized Environment

 Differentiate between auditing manual environment and auditing

computerized environment

Dr. Mwiga Wiljonsi Mbesi 2

 Introduction

Auditing computer based system of accounting has the same audit objectives
as an auditing client who adopts manual methods of accounting.

The auditing objectives are:

 to form an opinion as to whether the financial statements show a true and fair
view of the state of affairs of the enterprise;

 to verify the balance sheet and profit and loss account;

 to evaluate the reliability and accuracy of the system of accounting and

internal controls.

 However, audit procedures must be ALTERED in order to ensure that the

scope of the audit is not limited in any way.
Dr. Mwiga Wiljonsi Mbesi 3
 Cont...

Scope of the audit

The auditor’s choice of strategy and the techniques must be proper to provide the
necessary reassurance and to overcome the problems that he may encounter.

Dr. Mwiga Wiljonsi Mbesi 4

 Common problems auditing in
computerized environment
The commonest problems that a computer auditor is likely to meet are these:

 Lack of ‘audit trail’: The term ‘audit trail’ refers to the ability to follow a transaction
from its origin to its completion. In a manual system it is generally easy to follow the
audit trail. If audit trail is lost an auditor may not be able to obtain the necessary
reassurance that all transactions have been completely and accurately processed.

 The ability to obtain INDEPENDENT audit evidence. The auditor must exercise
considerable judgment in obtaining relevant reliable and sufficient evidence. The
evidence must be gathered with no limitation in the scope of the audit, i.e., with true
investigative and programming independence.

Dr. Mwiga Wiljonsi Mbesi 5

 Features of internal control in a computer
based system

Internal Controls in Computerized can be divided into:

 General controls and

 application controls

Dr. Mwiga Wiljonsi Mbesi 6

 General controls

 Administrative controls

 System development controls

 Organization control

Dr. Mwiga Wiljonsi Mbesi 7

 Administrative controls

Administrative controls: These are controls over the organization of the data
processing function.

These controls may themselves be divided into four areas.

 A sub-division of duties

 Operation controls

 File controls

 Hardware security

Dr. Mwiga Wiljonsi Mbesi 8

 System development controls
System development controls: These are controls over systems design and
implementation

The controls comprises of the following features:

 Standardization

 Managerial involvement

 Testing and trials

 Documentation

 Acceptance

 Conversion

Dr. Mwiga Wiljonsi Mbesi 9

Application control or Procedural controls

Procedural controls: These are controls over day to day running of the system.
These controls may be divided into four areas namely:

 Input control

 Process control

 Output controls

 Storage controls

Dr. Mwiga Wiljonsi Mbesi 10

 Input controls
Input controls include the following USER controls such as:
 Serial numbering of documents;
 Validation checks on documents to ensure that they are complete and correct;
 Batching documents and controlling the batches by numbering them and
Recording them in control records;
 Authorization procedures.

Department controls such as:

 Vetting batches of records from user department in order to ensure that they
are complete and correct;
 Scheduling of work in accordance with arranged deadlines;
 Checks on data conversion methods.

Dr. Mwiga Wiljonsi Mbesi 11

 Processing controls

Processing controls may be divided into two main areas Programmed (i.e.
machine) checks on input validity by the use of a variety of tests:
 Check digit verification;
 Size of field/record;
 Mode of field;
 Consistency of field;
 Range test on numbers or values;
 Feasibility test on quantities;
 ‘Hash totals for providing batches of data or items;
 Control/record total checks.

Dr. Mwiga Wiljonsi Mbesi 12

 Processing controls

Computer checks on processing of files:

 Identification of file use of header (title or description) label;

 Assurance of completeness of ‘read’ by use of trailer (clip or promo)label;

 Arithmetical proof totals of master files (see diagram) by use of control

records;

 Production of exception reports.

Dr. Mwiga Wiljonsi Mbesi 13

 Output controls

Output controls: Output is vetted (examined, inspected) by the data control

section in order to discover:
 If the input and output are consistent i.e. 400 records input accepted; and

 If the output generated is of the sort that requires some action by the user e.g. a
report of rejected items from a batch process will require amendment and
resubmission;

 If the output is in a form which appears to be complete, correct and ready for
distribution.

 The data control department is also responsible for ensuring that output is
sorted to the person authorized to receive ti by the relevant deadline data.

Dr. Mwiga Wiljonsi Mbesi 14

 Storage controls
Storage controls includes:

 Program file security. NO program files should be altered in any way without the
AUTHORITY OF SENIOR OFFICIALS, the change must also be FULLY
DOCUMENTED. Security copies of program files must be kept for security reasons.

 Master file maintenance. This itern is used to describe all additions, deletions or
amendments to standing data. In all cases there must be AUTHORITY for the change
which should be fully DOCUMENTED and approved.

 Master file security copies. It is vital to preserve copies of master files in order to guard
against damage or corruption. The method of making copies depends on the type of
processing system in force.

Dr. Mwiga Wiljonsi Mbesi 15

 On-line systems

 This is a computer systems where data is captured by a system of remote terminal

devices at the point of origin and entered directly to the computer. Such on line systems
utilise, in the main, disc based systems.

 Such systems enable both batch processing as well as demand of ‘real time processing’ .

 The batch processing is generally achieved by capturing small batches of data as they
arise and processing them at opportune moments. A good example is the automated
bank cash point which processes a customer’s demand for cash by referencing the
relevant account balance but the update is not achieved until the early hours of the next
business day.

Dr. Mwiga Wiljonsi Mbesi 16

 On-line systems
The use of these systems poses a number of internal control problems and these ware dealt
with as follows:

 Passwords – to guard against unauthorized access to system.

 Data encryption – to guard against message interception between input point and the
computer, e.g. between a branch of a bank and the bank’s computer center.

 Restriction of access to terminate and employment of skilled operators.

 Tight control of clerical procedures to minimize error.

 Reliable validation software to provide instant validation (acceptance or rejection) of a

transaction.

 Dump routines to preserve the security of disc files which are organized as DIRECT
ACCESS devices. Dr. Mwiga Wiljonsi Mbesi 17
 Important things to consider
When testing the system, the auditor will be concerned with:

 Completeness of audit trail;

 Operation of internal controls;

 Reliability of records;
 Independent evidence to support Balance Sheet and Profit and Loss Items.

Most computer auditors are generally agreed on the need to use computer assisted
audit techniques in order to obtain reliable relevant and sufficient evidence.

Dr. Mwiga Wiljonsi Mbesi 18

 CAAT AND NON-CAAT

NON CAAT CAAT

 Tracing transactions in dept to follow audit trail Test packs which may be ‘live’ or dead’

 Witnessing the disciplines of INTEGRITY CONTROLS, i.e. controls on organization.

Dr. Mwiga Wiljonsi Mbesi 19

 ‘Live’ Test Packs

 These are auditors own programs

 These are routines which enable the auditor to test live data by the use of:

 ‘Embedded Code’: special validation routines built into the client’s program;

 Simulation Software: special programs that contain features of client’s

programs. Test files are crated and compared with client files.

These routines are used in those on line systems or data base systems where the
immediacy of results demands that live data be tested.

Dr. Mwiga Wiljonsi Mbesi 20

 ‘Dead’ Test Packs

 Method of operation:
 Auditor selects a number of transactions containing routine, erroneous or
exceptional data.

 Audit or computes solutions.

 Data is converted to computer input and processed with a copy of the client’s
program. Outputs are then compared with predetermined solutions. This
technique enables the auditor to ‘walk through’ the system and test control
parameters.

 Disadvantages include:
 costing
 indirect nature of the evidence
 Dr. Mwiga Wiljonsi Mbesi 21
 Substantive testing
 The most important feature of substantive testing is the use of computer file
interrogation/questioning techniques.

 The use of these audit programs enables the auditors to read a computer file
and carry out tests of three in types:
 Re-performance tests – these could include proving a control total
stratifying the balances on a stock file by age.

 Extractive tests – examining for instance every fixed asset acquisition over
TZS 5 million.

 Statistical routines – interval selection techniques for obtaining a sample

(the technique of cumulative monetary amount sampling is widely used).

Dr. Mwiga Wiljonsi Mbesi 22

 END OF PRESENTATION

THANK YOU FOR LISTENING

Dr. Mwiga Wiljonsi Mbesi 23