
ACC 213: AUDITING AND ASSURANCE SERVICES II

TOPIC: AUDITING OF COMPUTERIZED SYSTEM
Learning Objectives
 Definitions and explanations of Computer terms
 Internal controls in a Computer Environment
 General Computer (CIS) Installation Controls
 Computer (CIS) Application Controls
 Computer-Assisted Audit techniques (CAATs)
 Uses of Computer-Assisted Audit techniques (CAATs)
 Auditor’s Operational Standards with Computers (CIS).
Introduction
 Information technology (IT) is integral to modern accounting and
management information systems.
 Auditors should be fully aware of the impact of IT on the audit of a
client’s financial statements, both in the context of how it is used by a
client to gather, process and report financial information in its
financial statements, and how the auditor can use IT in the process
of auditing the financial statements and reporting.
 According to the International Standards on Auditing, a computer
information system (CIS) environment exists when a computer of any
type or size is involved in the entity's processing of financial
information of significance to the audit, whether that computer is
operated by the entity or by a third party.
Cont….
Therefore, this topic will provide guidance on:
 General computer information system controls,
 Application controls, comprising input, processing, output and
master file controls established by the client under audit, over its
computer-based accounting system and,
 Computer-assisted audit techniques (CAATs) that may be
employed by auditors to test and conclude on the integrity of a
client’s computer-based accounting system. The use of computer-
assisted audit techniques (CAATs) may enable more extensive
testing of electronic transactions and account files.
 Such techniques can be used to select sample transactions from
key electronic files, to sort transactions with specific
characteristics, or to test an entire population instead of a sample.
Internal Control in Computer Environment
 These are mechanisms, rules and procedures implemented
by the company to ensure integrity, promote accountability
and prevent fraud.
 There are two classes of internal control in a computer
information system environment. These are:
i. General (CIS) Controls
ii. Application (CIS) Controls, which include
-Input Controls
-Processing Controls
-Output Controls
General Controls
 These are policies and procedures that relate to the overall
computer information system.
 They are evaluated before the application controls, and they span
the whole CIS because they apply to every function of the IT
department.
 General controls therefore apply to all aspects of the IT function.
 General controls include, but are not limited to, the following:
i. Documentation Controls
ii. Access Controls
iii. Data Recovery Controls
iv. Monitoring Controls
Application Controls
 These are policies and procedures that relate to the
specific use of the system. They are specific to a given
application and their objectives are to ensure the
completeness and accuracy of the accounting records
and the validity of entries made in those records.
 An effective computer based system will ensure that
there are adequate controls existing at the point of input,
processing and output stages of the computer processing
cycle and over standing data contained in master files.
Cont….
 Input Control
 Control activities designed to ensure that input is authorized, complete,
accurate and timely are referred to as input controls.
 Dependent on the complexity of the application program in question,
such controls will vary in terms of quantity and sophistication.
 Factors to be considered in determining these variables include cost
considerations, and confidentiality requirements with regard to the
data input.
 Input controls common to most effective application programs include
on-screen prompt facilities (for example, a request for an authorized
user to ‘log-in’) and a facility to produce an audit trail allowing a user to
trace a transaction from its origin to disposition in the system.
Cont….
 Processing Control
 Processing controls exist to ensure that all data input is
processed correctly and that data files are updated accurately
and in a timely manner.
 The processing controls for a specified application program
should be designed and then tested prior to ‘live’ running with
real data.
 These may typically include the use of run-to-run controls,
which ensure the integrity of cumulative totals contained in the
accounting records is maintained from one data processing run
to the next.
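As an added illustration of the run-to-run control described above (this code is not from the lecture slides; the run log, amounts and field layout are constructed for the example), each run carries forward the prior run's record count and cumulative total, and the check recomputes what the closing totals should be:

```python
# Run-to-run control: every processing run carries forward the record count and
# monetary total closed by the previous run, and must report closing totals that
# equal the carried-forward opening totals plus the batch it processed.

def run_to_run_check(opening, batch, closing):
    """opening/closing: (record_count, total_cents); batch: cents amounts processed this run.
    Returns a list of exceptions; an empty list means the control is satisfied."""
    exceptions = []
    expected_count = opening[0] + len(batch)
    expected_total = opening[1] + sum(batch)
    if closing[0] != expected_count:
        exceptions.append(f"record count: expected {expected_count}, reported {closing[0]}")
    if closing[1] != expected_total:
        exceptions.append(f"cumulative total: expected {expected_total}, reported {closing[1]}")
    return exceptions

def reconcile_runs(runs):
    """Check a sequence of runs: each run's opening totals must equal the prior run's
    closing totals, and each run's own closing totals must reconcile to its batch."""
    findings = {}
    prior_closing = None
    for run_id, opening, batch, closing in runs:
        issues = []
        if prior_closing is not None and opening != prior_closing:
            issues.append(f"opening totals {opening} differ from prior closing {prior_closing}")
        issues.extend(run_to_run_check(opening, batch, closing))
        findings[run_id] = issues
        prior_closing = closing
    return findings

# Constructed control log for four consecutive sales-ledger update runs:
# (run_id, opening totals, batch amounts in cents, closing totals reported by the run).
RUN_LOG = [
    (1, (0, 0), [12500, 3075, 99800], (3, 115375)),
    (2, (3, 115375), [500, 2200], (5, 118075)),
    (3, (5, 118075), [7100], (6, 125000)),   # reported total understated by 175 cents
    (4, (6, 125175), [900], (7, 126075)),    # opening does not agree to run 3's reported closing
]

if __name__ == "__main__":
    for run_id, issues in reconcile_runs(RUN_LOG).items():
        print(run_id, issues or "reconciled")
```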
Cont…..

 Output Controls
Output controls exist to ensure that all data is processed
and that output is distributed only to prescribed
authorized users.
The degree of output control will vary from one
organization to another, depending on the confidentiality
of the information and the size of the organization.
Computer Assisted Audit Techniques (CAATs)
 Computer-assisted audit techniques (CAATs) refer to the practice of using
computers to automate IT audit processes.
 CAATs may involve software packages that apply statistical analysis and
business intelligence tools.
 The nature of computer-based accounting systems is such that auditors may
use the client's computer, or their own, as an audit tool to assist
them in their audit procedures.
 Using CAATs, an auditor can examine far more data in less time than a
manual audit would allow.
 With CAATs the auditor can also quickly examine 100% of the client's
records.
Classes of CAATs
 There are two classes of CAATs
i. Audit Software
 Audit software is a generic term used to describe computer programs
designed to carry out tests of control and/or substantive procedures. Audit
software is used to interrogate a client's system. It can be either packaged,
off-the-shelf software or it can be purpose written to work on a client's
system.
 It may be used to carry out numerous audit tasks, for example, to select a
sample, either statistically or judgementally, to perform arithmetic
calculations, to check for gaps in the processing of sequences, to calculate
ratios, to provide reports and to check arithmetical accuracy.
 Typically, they may be used to re-perform computerised control procedures
(for example, cost of sales calculations) or perhaps to carry out an aged
analysis of trade receivable (debtor) balances.
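The following is an added example (not from the lecture slides) of the kind of interrogation audit software performs on a client file: a sequence check for gaps and duplicate invoice numbers, an aged analysis of trade receivable balances, and a re-performance of the ledger total. The ledger extract, ageing bands and year-end date are constructed for the example.

```python
from datetime import date

# Constructed sales-ledger extract as audit software would read it from the client's
# file: (invoice_no, customer, invoice_date, amount_cents, outstanding_cents).
LEDGER = [
    (1001, "ACME", date(2023, 9, 2), 50000, 50000),
    (1002, "BOLT", date(2023, 10, 15), 12000, 0),
    (1004, "ACME", date(2023, 11, 20), 8000, 8000),    # 1003 absent from the sequence
    (1005, "CRUX", date(2023, 12, 28), 30000, 30000),
    (1005, "CRUX", date(2023, 12, 28), 30000, 30000),  # duplicate invoice number
    (1006, "BOLT", date(2023, 12, 30), 4500, 4500),
]
YEAR_END = date(2023, 12, 31)

def sequence_check(ledger):
    """Gaps and duplicates in the invoice-number sequence (a completeness test)."""
    numbers = sorted(row[0] for row in ledger)
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    gaps = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))
    return {"gaps": gaps, "duplicates": duplicates}

# Ageing bands in days: (lower bound, upper bound or None when open-ended, label).
AGE_BANDS = ((0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, "over 90"))

def age_band(days):
    for lo, hi, label in AGE_BANDS:
        if days >= lo and (hi is None or days <= hi):
            return label
    raise ValueError(f"invoice dated after the ageing date: {days} days")

def aged_receivables(ledger, as_at):
    """Outstanding balance per customer split into ageing bands as at `as_at`."""
    report = {}
    for _, customer, inv_date, _, outstanding in ledger:
        if outstanding == 0:
            continue   # settled invoices do not age
        bands = report.setdefault(customer, {label: 0 for _, _, label in AGE_BANDS})
        bands[age_band((as_at - inv_date).days)] += outstanding
    return report

def recompute_total(ledger):
    """Re-perform the arithmetic: total outstanding, for agreement to the control account."""
    return sum(row[4] for row in ledger)

if __name__ == "__main__":
    print(sequence_check(LEDGER))
    print(aged_receivables(LEDGER, YEAR_END))
    print(recompute_total(LEDGER))
```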
Cont…..
ii. Test Data
 Test data is used to test the existence and effectiveness of controls
built into an application program used by an audit client. To do so,
dummy transactions are processed through the client's computerised
system.
 The results of processing are then compared to the auditor's
expected results to determine whether controls are operating
efficiently and the system's objectives are being achieved.
 Test data involves the auditor submitting 'dummy' data into the
client's system to ensure that the system correctly processes it and
that it prevents or detects and corrects misstatements.
 The objective of this is to test the operation of application controls
within the system.
 To be successful, test data should include both data with deliberate
errors built into it and error-free data.
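As an added example (not from the lecture slides), the block below models a hypothetical client input control for journal lines, then runs an auditor's test-data pack of dummy transactions, with and without errors, through it and compares the actual outcome with the expected one. The account codes, users, posting limit and the weakened control variant are all constructed for the example.

```python
# Hypothetical client application input control (constructed): a journal line is
# accepted only if it passes every edit check.
VALID_ACCOUNTS = {"1000", "2000", "4000"}
AUTHORIZED_USERS = {"clerk1", "clerk2"}
POSTING_LIMIT_CENTS = 1_000_000

def validate_journal_line(line):
    """Return the list of edit-check failures; an empty list means the line is accepted."""
    errors = []
    if line.get("user") not in AUTHORIZED_USERS:
        errors.append("unauthorized user")
    if line.get("account") not in VALID_ACCOUNTS:
        errors.append("invalid account code")
    amount = line.get("amount_cents")
    if not isinstance(amount, int) or amount <= 0:
        errors.append("amount must be a positive integer")
    elif amount > POSTING_LIMIT_CENTS:
        errors.append("amount exceeds posting limit")
    if not line.get("reference"):
        errors.append("missing reference")
    return errors

def weak_control(line):
    """Constructed variant that omits the posting-limit check; the test data should expose it."""
    return [e for e in validate_journal_line(line) if e != "amount exceeds posting limit"]

# Auditor's test-data pack: dummy transactions, each paired with the outcome the
# auditor expects the control to produce.
TEST_PACK = [
    ({"user": "clerk1", "account": "1000", "amount_cents": 25000, "reference": "TD-1"}, "accept"),
    ({"user": "intruder", "account": "1000", "amount_cents": 25000, "reference": "TD-2"}, "reject"),
    ({"user": "clerk2", "account": "9999", "amount_cents": 25000, "reference": "TD-3"}, "reject"),
    ({"user": "clerk2", "account": "2000", "amount_cents": -500, "reference": "TD-4"}, "reject"),
    ({"user": "clerk1", "account": "4000", "amount_cents": 5_000_000, "reference": "TD-5"}, "reject"),
    ({"user": "clerk1", "account": "4000", "amount_cents": 100, "reference": ""}, "reject"),
]

def run_test_data(pack, control):
    """Process each dummy transaction through `control` and record expected vs actual."""
    results = []
    for line, expected in pack:
        errors = control(line)
        actual = "reject" if errors else "accept"
        results.append({"reference": line["reference"] or "<blank>", "expected": expected,
                        "actual": actual, "errors": errors, "pass": actual == expected})
    return results

def control_operating_effectively(results):
    """The control passes the test only if every dummy transaction behaved as expected."""
    return all(r["pass"] for r in results)

if __name__ == "__main__":
    for r in run_test_data(TEST_PACK, weak_control):
        print(r["reference"], r["expected"], r["actual"], "PASS" if r["pass"] else "FAIL", r["errors"])
```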
Cont…..
Whether an auditor chooses CAATs or manual techniques in an audit
engagement depends on the following aspects:
i. The practicality of carrying out manual testing
ii. The cost effectiveness of using CAATs
iii. The availability of audit time
iv. The availability of the audit client’s computer facility
v. The level of audit experience and expertise in using a specified
CAAT
vi. The level of CAATs carried out by the audit client’s internal
audit function and the extent to which the external auditor can
rely on this work.
INFORMATION SYSTEMS AUDITS
 The purpose of an information systems audit is to review
and evaluate the internal controls that protect the system.
 When performing an information system audit, auditors
should ascertain that the following objectives are met:
 Security provisions protect computer equipment, programs,
communications, and data from unauthorized access,
modification, or destruction.
 Program development and acquisition are performed in
accordance with management’s general and specific
authorization.
 Program modifications have management’s authorization and
approval.
INFORMATION SYSTEMS AUDITS cont…
 Processing of transactions, files, reports, and other
computer records is accurate and complete.
 Source data that are inaccurate or improperly
authorized are identified and handled according to
prescribed managerial policies.
 Computer data files are accurate, complete, and
confidential.
OBJECTIVE 1: OVERALL SECURITY

 Types of security errors and fraud faced by companies:
 Accidental or intentional damage to system
assets.
 Unauthorized access, disclosure, or
modification of data and programs.
 Theft.
 Interruption of crucial business activities.
OVERALL SECURITY cont..
 Control procedures to minimize security errors and
fraud:
 Developing an information security/protection plan.
 Restricting physical and logical access.
 Encrypting data.
 Protecting against viruses.
 Implementing firewalls.
 Instituting data transmission controls.
 Preventing and recovering from system failures or disasters,
including:
 Designing fault-tolerant systems.
 Preventive maintenance.
 Backup and recovery procedures.
 Disaster recovery plans.
 Adequate insurance.
OVERALL SECURITY cont..

 Audit Procedures: Systems Review
 Inspecting computer sites.
 Interviewing personnel.
 Reviewing policies and procedures.
 Examining access logs, insurance policies,
and the disaster recovery plan.
OVERALL SECURITY cont..

 Audit Procedures: Tests of Controls
 Auditors test security controls by:
 Observing procedures.
 Verifying that controls are in place and work as intended.
 Investigating errors or problems to ensure they were
handled correctly.
 Examining any tests previously performed.
 One way to test logical access controls is to try to
break into a system.
OBJECTIVE 2: PROGRAM DEVELOPMENT AND ACQUISITION
 Types of errors and fraud:
 Two things can go wrong in program
development:
 Inadvertent errors due to careless programming or
misunderstanding specifications; or
 Deliberate insertion of unauthorized instructions
into the programs.
PROGRAM DEVELOPMENT AND ACQUISITION cont..
 Control procedures:
 The preceding problems can be controlled by
requiring:
 Management and user authorization and approval
 Thorough testing
 Proper documentation
PROGRAM DEVELOPMENT AND ACQUISITION cont..
 Audit Procedures: Systems Review
 The auditor’s role in systems development should
be limited to an independent review of system
development activities.
 To maintain necessary objectivity for performing an
independent evaluation, the auditor should not be
involved in system development.
 During the systems review, the auditor should gain an
understanding of development procedures by discussing
them with management, users, and IS personnel.
 Should also review policies, procedures, standards, and
documentation for systems and programs.
PROGRAM DEVELOPMENT AND ACQUISITION cont..

 Audit Procedures: Tests of Controls
 To test systems development controls, auditors should:
 Interview managers and system users.
 Examine development approvals.
 Review the minutes of development team meetings.
 Thoroughly review all documentation relating to the testing
process and ascertain that all program changes were tested.
 Examine the test specifications, review the test data, and
evaluate the test results.
 If results were unexpected, ascertain how
the problem was resolved.
OBJECTIVE 3: PROGRAM MODIFICATION

 Types of Errors and Fraud
 The same as those that can occur during program development:
 Inadvertent programming errors
 Unauthorized programming code
PROGRAM MODIFICATION cont..
 Control Procedures
 When a program change is submitted for approval, a list of
all required updates should be compiled by management and
program users.
 Changes should be thoroughly tested and documented.
 During the change process, the developmental version of the
program must be kept separate from the production version.
 When the amended program has received final approval, it
should replace the production version.
 Changes should be implemented by personnel independent of
users or programmers.
 Logical access controls should be employed at all times.
PROGRAM MODIFICATION cont..
 Audit Procedures: System Review
 During systems review, auditors should:
 Gain an understanding of the change process by
discussing it with management and user personnel.
 Examine the policies, procedures, and standards for
approving, modifying, testing, and documenting the
changes.
 Review a complete set of final documentation
materials for recent program changes, including test
procedures and results.
 Review the procedures used to restrict logical
access to the developmental version of the program.
PROGRAM MODIFICATION cont..
 Audit Procedures: Tests of Controls
 An important part of these tests is to verify that program
changes were identified, listed, approved, tested, and
documented.
 This requires that the auditor observe how changes are
implemented to verify that:
 Separate development and production programs are
maintained; and
 Changes are implemented by someone independent
of the user and programming functions.
 The auditor should review the development program’s
access control table to verify that only those users
assigned to carry out modification had access to the
system.
PROGRAM MODIFICATION cont..
 To test for unauthorized program changes, auditors can
use a source code comparison program to compare the
current version of the program with the original source
code.
 Any unauthorized differences should result in an investigation.
 If the difference represents an authorized change, the auditor
can refer to the program change specifications to ensure that
the changes were authorized and correctly incorporated.
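The source code comparison described above, as an added example that is not part of the lecture slides: the auditor's verified baseline is fingerprinted and diffed against the production version, and every changed line is then matched against the approved change specifications, so only the residue needs investigation. The two program versions, the change id and the approved lines are constructed for the example.

```python
import difflib
import hashlib

# Constructed: the source held in the approved program library at the last audit ...
BASELINE_SOURCE = """\
def compute_discount(invoice_total, customer):
    rate = 0.0
    if invoice_total > 10000:
        rate = 0.05
    return round(invoice_total * rate, 2)
"""

# ... and the version currently found in production.
PRODUCTION_SOURCE = """\
def compute_discount(invoice_total, customer):
    rate = 0.0
    if invoice_total > 10000:
        rate = 0.05
    if invoice_total > 50000:
        rate = 0.10
    if customer == "VENDOR-X":
        rate = 0.50
    return round(invoice_total * rate, 2)
"""

# Approved change specifications from the change log (constructed): each approved
# change id maps to the exact source lines it authorized adding.
APPROVED_CHANGES = {
    "CR-2023-014": {"    if invoice_total > 50000:", "        rate = 0.10"},
}

def fingerprint(source):
    return hashlib.sha256(source.encode()).hexdigest()

def compare_source(baseline, production):
    """Lines added to or removed from the baseline; [] when the fingerprints agree."""
    if fingerprint(baseline) == fingerprint(production):
        return []
    diff = difflib.unified_diff(baseline.splitlines(), production.splitlines(), n=0, lineterm="")
    changes = []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue   # diff headers and hunk markers, not source lines
        if line.startswith("+"):
            changes.append(("added", line[1:]))
        elif line.startswith("-"):
            changes.append(("removed", line[1:]))
    return changes

def unauthorized_changes(changes, approved):
    """Every changed line not covered by an approved change specification."""
    approved_lines = {text for lines in approved.values() for text in lines}
    return [c for c in changes if c[1] not in approved_lines]
```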
PROGRAM MODIFICATION cont..
 Two additional techniques detect unauthorized program
changes:
 Reprocessing
 On a surprise basis, the auditor uses a verified copy of the source
code to reprocess data and compare that output with the company’s
data.
 Discrepancies are investigated.
 Parallel simulation
 Similar to reprocessing except that the auditor writes his own
program instead of using verified source code.
 Can be used to test a program during the implementation process.
PROGRAM MODIFICATION cont..
 Auditors should observe testing and implementation,
review related authorizations, and, if necessary, perform
independent tests for each major program change.
 If this step is skipped and program change controls are
subsequently deemed inadequate, it may not be possible
to rely on program outputs.
 Auditors should always test programs on a surprise basis
to protect against unauthorized changes being inserted
after the examination is completed and then removed
prior to scheduled audits.
OBJECTIVE 4: COMPUTER PROCESSING
 Types of Errors and Fraud
 During computer processing, the system may:
 Fail to detect erroneous input
 Improperly correct input errors
 Process erroneous input
 Improperly distribute or disclose output
COMPUTER PROCESSING cont..
 Control Procedures
 Computer data editing routines
 Proper use of internal and external file labels
 Reconciliation of batch totals
 Effective error correction procedures
 Understandable operating documentation and run manuals
 Competent supervision of computer operations
 Effective handling of data input and output by data control
personnel
 File change listings and summaries prepared for user
department review
 Maintenance of proper environmental conditions in
computer facility
COMPUTER PROCESSING cont..
 Audit Procedures: Systems Review
 Review administrative documentation for processing
control standards
 Review systems documentation for data editing and
other processing controls
 Review operating documentation for completeness and
clarity
 Review copies of error listings, batch total reports, and
file change lists
 Observe computer operations and data control functions
 Discuss processing and output controls with operations
and IS supervisory personnel
COMPUTER PROCESSING cont..
 Audit Procedures: Tests of Controls
 Evaluate adequacy of processing control standards and procedures
 Evaluate adequacy and completeness of data editing controls
 Verify adherence to processing control procedures by observing
computer operations and the data control function
 Verify that selected application system output is properly
distributed
 Reconcile a sample of batch totals, and follow up on discrepancies
 Trace disposition of a sample of errors flagged by data edit routines
to ensure proper handling
 Verify processing accuracy for a sample of sensitive transactions
COMPUTER PROCESSING cont..
 Verify processing accuracy for selected computer-generated
transactions
 Search for erroneous or unauthorized code via analysis of
program logic
 Check accuracy and completeness of processing controls
using test data
 Monitor online processing systems using concurrent audit
techniques
 Recreate selected reports to test for accuracy and
completeness
THANK YOU FOR LISTENING
