Auditing in a computer environment copy

AUDIT AND ASSURANCE SERVICES

AUDITING IN A COMPUTER ENVIRONMENT.

AUDITING IN A COMPUTER ENVIRONMENT

INTRODUCTION.In recent years, there has been

development in the use of computers as a means of keeping the accounting records and producing financial information.

This trend has brought about significant changes in the way the organisations process, store data, and disseminate information.


INTRODUCTION.Hence a significant effect on internal control

systems employed by the entity.

This International Standard on Auditing (ISA 315) require the auditor to understand the entity and its Environment, including the entity’s internal control in order to assess the Risks of material misstatement in the financial statements.


INTRODUCTION.In a Computerized environment it is

expected that the auditor should satisfy himself that the controls are adequate enough to produce accurate and complete financial statements.


In planning the portions of audit which may be affected by the clients environment the auditor should obtain an understanding of significance and complexity of computerised information system activities and the availability of data for use in the audit.


Computerised environment

includes the following:• Hardware (i.e. CPU, monitor, printers, zip drive,

scanners• Software (Operating systems, database,

application software etc.• The transmission media (i.e. wires, optical fiber

cables and microwave links)• Network devices (i.e. modems, gateways etc)


Risk aspect to consider in Computer Systems.

Hardware-The computer may be stolen or damaged

Unauthorized access-possibility for unauthorized users to obtain information held on file.

System breakdown-there may be a loss of data for example if there is power failure.

Corrupt files.


Further challenges:1. Evidence collection - challenge

– Collecting evidence on the reliability of a computer system is often more complex than collecting evidence on the reliability of a manual system

– Hence Auditors have to run through computer system themselves using Computer Assisted Audit Techniques (CAATS) if they are to collect the necessary evidence


2. Changes to Evidence Evaluation - challenge

– Paper documents are inherently more reliable because alterations are generally apparent or may be uncovered by forensic analysis. By comparison, electronic documents in their uncontrolled state are highly vulnerable to forgery and unauthorised change.


3. Skill competence – challenge

– The ISA makes it clear that auditors should have sufficient knowledge of the computerised information system to perform such audit effectively. These skills are very limited especially in developing country like Tanzania


4. Risks in a network environment - challenges

– Threats to accountability - In a manual system, a person has to be physically present to handle a paper document. It is not the same in a networked computer system. In a network environment, an electronic document may be created, accessed, read, amended, deleted or replaced from anywhere at anytime and the true identity of the person responsible may not be known.

– Ease of amendment - Computer software and data are stored and transmitted in an intangible form. They can be amended without any trace.


– Ease of duplication - Computer files can be easily copied and made indistinguishable from the original. It is particularly important to prevent and to detect the duplication of electronic records which have financial value.


– Internet risks - When an entity uses a private network for e-business, transactions are transmitted between trading partners through a value added network with access only to the network’s trading partners. In contrast if e-business is transacted over the Internet, which is a public network, the information being transmitted is vulnerable to being intercepted, altered, lost, diverted or replaced.


Internet Risks.– Due to the open nature of the Internet, an

organisation’s network that is connected to the Internet is also vulnerable to unauthorised access, computer viruses and denial-of-service attacks. These vulnerabilities put the authenticity of audit evidence at risk.


Other challenges.• Lack of segregation of duties commonly in the past every

transaction would probably be reviewed and processed by several people which is not the case in CIS.

• The potential for fraud and error as result of system or program faults. Once a fault is in a system, the system processes incorrectly for ever as no human intervention or review may be included in the controls or the fault may simply not be visible as processing is not transparent e.g. use of wrong price for the sale of commodities or using a wrong wage-rate while paying wages and salaries to the employees


Internal controls in ICT Environment.

They are classified into:

• General Control

• Application Control


General controls.Controls over general environment in which

the system is developed, maintained and operated. They include:

• Complete review, testing and approval of the system and programs before they become fully operational.

• Competence of staff to implement the system


• Authorization of any changes in the system by responsible official.

• Segregation of duties so that different staffs perform the duties of system development, programming and data entry.

• Access control- only authorized personnel should have access of hardware, programs and data files.


• Stand by facilities for use in case of a temporary computer failure

• Back-up facilities to avoid loss of data.


Application controls classified into:

a) Input controls

b) Processing controls

c) Output controls.

The main aim is to ensure Validity, completeness and accuracy of accounting data.


Application Control.

Controls within a computer application to ensure- completeness, accuracy of input, processing and validity of the resulting accounting entries. They can be done foe specific areas of the system for example, control over sales, payroll, control over inventory and etc.


Input controlsThe main aim of input controls is to reduce errors

in the data entered in the system for processing. Input controls include checking and ensuring that:

• Input data are authorized by the appropriate official.

• Data represent valid record of actual transaction• Correctly classified for the purpose of

accounting.


Input control-examples

Sequence checks.

Transactions that are serially numbered should be in sequence and checked by the programs

If sales invoice are serially numbered for example 010 to 0200; then if invoice numbered 14 recorded before 12 then the system should reject invoice number 14 until number 12 is posted.


Batch control

Group together the sum of either sales invoice, purchase invoice or whatever, them there totals should be obtained manually then compare with computer own generated totals.Any difference means an error to be traced and corrected.


Digits check

Ascertaining the validity of number digit.

Reasonableness checks

Input data should be checked to ensure data items are within pre-defined limits.

For example on a payroll system, overtime hours recorded per day should fall within a certain range, let say 2hrs-8hrs.


• Checking of data items should be done as the item are entered and users requested to correct mistakes before being allowed to enter further data items.

• Transactions should not be allowed to proceed to further stages of processing unless they have been totally verified for accuracy or if key data items are missing.


• All transactions should contain a unique reference number to aid tracking.

• Sensitive data items should be subjected to independent verification by another user.


Processing controls

There are divided into mechanical and programmed controls.

Programmed control are done during the system development to ensure that only data related to a particular transaction is processed and not otherwise.


Output Controls

Controls relating to input and processing itself with the final objective of ensuring that the output:

• Relates precisely to the original input.

• Represents the outcome of a valid and tested program of instructions. (eg, digit check, reasonableness checks)


• Output reports are only accessed by the authorized personnel.

• Output reports checked by someone as to their reasonableness.


Approaches for Computer Audit.

The basic approaches for computer audit are:

a) Around the computer

b) Through the computer


Auditing around the computer.

Under this approach the computer is treated as a Black Box and only input and output documents are reviewed. The controls and procedures used in processing the data are not considered important and the auditor ignores the programs that causes the transformation of the input data into output data.Instead,the auditor selects and test inputs against appropriate outputs and vice versa.


If they matched and proved to be accurate and valid, then it is assumed that the system of control is operating properly.


Advantages.

i. Simple and straight forward approach which can be easily understood by anyone.

ii. Extensive knowledge of the computer and data processing is not required for the auditor

iii. Cost of audit resources is generally low.


Disadvantages.

i. Ignores the system of controls and hence fails to recognize pontential errors or weakness with the system

ii. Represents the after-fact rather than preventive auditing

iii. Amounts of auditing in nature of post mortem rather than preventive auditing.


iv. The auditor fails to utilize the full potential of the computer to assist him.

v. Increasing of printing expenses because of enormous print-out requirements (lot of data) of the auditor.


Auditing through the computer.

In this approach computer is treated as a white box. Auditing through the computer implies that the auditor makes use of the computer in carrying out his audit.Under this approch, auditor can test the processing and control systems.


This technique requires two basic tasks:

• The review and verification of source documents and

• The actual testing of the computer program logic and program controls.


Advantages.i. Utilizes the computer as a tool for

performing auditing functions.ii. Forces the auditor to get more involved

in the system, there by increasing his ability to perform more complex audit.

iii. Test results are readily identifiable and can be used as measures of internal processing reliability


iv. Increases service to clients because controls and operations are checked by the auditor

v. Provide effective test processing logic and program controls.


Disadvantages.

i. Requires more computer time.

ii. It is very expensive.

iii. It requires extensive knowledge of computer and data processing by the auditor.


Audit Trail.It is the means by which an individual transaction

can be traced sequentially through the system from source to completion and its loss will mean that normal audit techniques will break-down. In order that audit trail to be provided, every transaction on a file should contains a unique reference back to the original source of input. Loss of audit trail may be due to lack of trace reference or sudden break down of computer hardware with all information destroyed.


Computer assisted Audit Techniques

(CAATs)

CAATs are any automated audit techniques and they are important tools for the auditor in performing audits in computer environment. There are two main types:

1.Audit software

2.Test packs


1.Audit software.

This consist of a set of instructions or programs that an audit uses to extract and examine client’s file.

There are two categories

• Generalized programs (by manufacturer)

• Specialized/Purpose-written programs (by auditor or outside programmer)


2.Test packs.They consist of test data which is processed

in the same manner as actual data.The auditor in this case prepares a test data

and submits it for processing by the client computer program.The data include both valid and invalid transactions.They are designed to represent realistic operating conditions.


The main aim of test packs is to test whether the clients system will be able to detect errors, or invalid transactions included.The resulting of computer processing are compared with predetermined results.

It is very important to ensure that the progra being tested is the one which the client is using and has been in use throughout the year.


Uses of CAATs.

1.In Substantive testing.Test of details of transactions and balances

2.Analytical review procedures to identify unusual fluctuations or items

3.Compiance test of Electronic data processing-e.g the use of test data to test the functioning of a programme.


Considerations in the use of CAATs.

1.Computer knowledge, expertise and experience of the auditor.

2.Availability of CAATs and suitable computer facilities.

3.Timing

4.Impracticability of manual tests.

Auditing in a computer environment copy

Technology

Transcript of Auditing in a computer environment copy