Chapter 11 Computer Auditing - HKSC Evening Course (hkiaatevening.yolasite.com/resources/Not… · Web view · 2009-11-22)

Chapter 12 Computer Auditing

1. Chapter Summary

2. Types of Computer Information Systems

2.1 Batch input – source documents are accumulated for input; processing may take place at regular (predetermined) or irregular (random) intervals.

2.2 On-line input – transactions with immediate validation are permitted, but the actual update of the master file does not take place at the time of on-line entry.

2.3 Data base system – centrally controlled series of related data or files.

2.4 Small computer systems – a minicomputer has less storage capacity than a larger computer and operates at a slower processing speed.

2.5 Distributed processing systems – two or more computer systems linked together through the use of special software, e.g. a network.

2.6 Electronic funds transfer systems (EFTS) – computer-based network that enables payment system transactions.

2.7 Electronic business through the internet

3. Nature of Risks and Control Characteristics in CIS Environment


3.1 Concentration of function, data and knowledge

(a) concentration of recording, processing and control functions within the CIS department.

(b) data may be concentrated in one department, i.e. the CIS department.

(c) financial information may be centralized into one computer program, eliminating many conventional controls based on adequate segregation of duties.

(d) greater reliance on programmed controls to ensure the reliability of computer system outputs.

(e) may increase the potential risk of fraud or error and make detection difficult.

3.2 Control procedures – decrease in human involvement eliminates most of the visual checking performed during processing in manual systems, but may increase the potential for individuals to gain unauthorized access to information and alter information to the detriment of the entity concerned.

3.3 System integration and generated transactions

(a) computer systems may permit a single transaction to update multiple files or data base files. An erroneous entry in such a system may create errors in several financial accounts.

(b) system generated transactions may not be specifically documented.

3.4 Accessibility of data and computer programs

(a) unauthorized use of terminals and transactions.

(b) unauthorized modification of previously entered transactions, alteration of data and programs, etc.

3.5 Transient nature or lack of hardcopy evidence

(a) Lack of documentation – i.e. no audit trail, the name given to the facility to trace individual transactions through a system from origin to completion.

(b) Storage of processing procedures or programs relies on both a computer and a program to reveal them.

(c) Results of processing may be highly summarized.

(d) On-line computer systems may not be designed to provide printed reports.

(e) The CIS auditor must frequently become involved in the early stages of systems design.

3.6 Vulnerability of data and program storage media – they are easily subject to theft, loss, or intentional or accidental destruction.


4. Audit Trails

4.1 An audit trail allows auditors to investigate errors that they have discovered in more detail. Ideally the audit trail should make it possible to trace all the reports and other information items that have been affected by the error, and to trace the cause of the error.

4.2 Audit around the computer

(a) performed by examining and reconciling the input to the computer with the output from it.

(b) the concept means that the auditors bypass the computer and treat it as a giant bookkeeping machine.

(c) This technique is used when the audit trail is complete, computer processing operations are straightforward, and system documentation is complete and readily available.

(d) The disadvantages:

(i) the auditor cannot determine how all transactions will be handled by the computer programs;

(ii) it is costly and time consuming to provide printouts for audit purposes where no ready audit trail exists;

(iii) it is not adequate for use in advanced and sophisticated computer systems.

(Auditing around the computer is also called the "black box" method. It treats the computer system within the computerized accounting system as an unknowable black box: there is no need to gain direct, detailed knowledge of the computer's processing and programmed controls; only the computer's input and output data are examined. All input and output data for a given period are printed out, some of the transactions already processed by the computer are selected, the auditor re-performs their processing manually, and the expected results are then compared with the computer's results. The degree of agreement is used to evaluate the system's processing and control functions. Auditing around the computer rests on the following assumption: if the system's input and output are correct, the data processing in between may be taken to be correct as well. The auditor can therefore bypass the computer and, without knowing the specific content and method of its data processing, form judgements and conclusions by examining the visible input and output data. If the input is correct but the output is wrong, there must be a problem in the computer's processing. When audit tests are carried out by auditing around the computer, the emphasis of the work is on checking and reconciliation to verify the correctness of the output.)

4.3 Audit through the computer

(a) focuses on the computer and its programs directly in the audit, e.g. submits data for processing and analyses the results to determine the processing reliability and accuracy of the computer program.

(b) used with on-line data entry and with systems designed with the elimination or reduction of printouts and real-time updating.

(c) the auditor is forced to adopt it if there is an inability to locate the source documents or printouts.

(Auditing through the computer, also called the "white box" method, is an audit method that takes the computer's processing itself as the direct object of the audit tests. Its name is related to the "black box theory": the technical complexity of computer processing made some auditors fearful of it; they regarded the process as unknowable and offered many reasons for this view, which came to be called the "black box theory". Examining the computer's processing directly in the audit of a computerized system is significant because it dispels this notion of unknowability, penetrating and opening the black box of computer processing; hence the name auditing through the computer.)

4.4 Auditing with the computer

(a) use the computer and its programs as a tool of the auditor, e.g. putting computers to work footing subsidiary ledgers on magnetic tape or disk, calculating amounts such as depreciation, comparing the contents of two files and computing the required ratios for analysis purposes.

(b) Some public accounting firms have developed generalized audit software to perform these tasks.

4.5 Test your understanding 1

A computer information systems (CIS) environment exists when a computer of any type or size is involved in the processing of financial information by an entity. Such financial information must be of significance to the audit, whether that computer is operated by the entity or by a third party.

The overall objective and scope of an audit does not change in a CIS environment. However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.

Required:

(a) What is the meaning of each of the following audit approaches in a CIS environment?

(i) audit around the computer;

(ii) audit through the computer; and

(iii) audit with the computer. (5 marks)

(b) Describe the circumstances under which auditors may adopt the following audit approaches in a CIS environment:

(i) audit around the computer; and

(ii) audit through the computer. (4 marks)

(c) Describe FOUR characteristics of CIS with respect to risks and internal controls. (8 marks)

(Adapted HKAAT Paper 8 Auditing June 2000)

5. Controls in CIS Environments

(A) General control

5.1 It refers to the environment within which computer applications are developed, maintained and operated, and within which the application controls operate.

5.2 The objectives are to ensure the proper development and implementation of applications, and the integrity of programme and data files, and of computer operations.

5.3 It includes:

(a) organization and management controls – policies and procedures relating to controls over computer processing functions.

(b) system development and program maintenance controls – ensure that effective systems and programmes are formally developed as authorized.

(c) Computer operation controls – the computer is used for authorized purposes only; use is restricted to authorized personnel; errors are detected.

(d) System software controls over acquisition or development – changes are authorized, approved, tested, implemented and documented.

(e) Program library security controls – unauthorized changes cannot be made; separation of responsibilities between programme libraries and programme changes; protection of back-up copies of programmes.

(f) Data security controls – unauthorized changes cannot be made to data on files or databases.

(g) Other general controls – e.g. offsite storage of data; protection against fire, theft, loss, etc.


(B) Application control

5.4 It refers to controls that are specific to individual accounting applications, and are therefore unique to particular accounting applications or functions.

5.5 The purpose is to ensure the completeness and accuracy of the accounting records and the validity of the entries therein. They consist of a combination of manual and programmed procedures.

5.6 They are classified as:

(a) Input controls

(i) completeness of input – e.g. record counts, control or batch totals, hash totals.

(ii) accuracy of input – e.g. validity check (customer no. checked to master file); reasonableness tests; limit checks, etc.

(iii) validity of input – e.g. authorization limits; clerical review of input transactions.

(b) Processing controls – e.g. input controls as above; control totals; error logs; cross footing tests.

(c) Output controls – e.g. comparison with source documents, error logs or exception reports; scrutiny of output before dispatch.
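The input and processing controls listed in 5.6 can be seen working on a small batch. This is an added illustration, not part of the course notes; the customer master file, the authorization limit and the batch of invoices are all constructed:

```python
"""Batch input controls over a constructed batch of sales invoices (added illustration)."""
from dataclasses import dataclass

# Constructed customer master file: customer no. -> credit limit, in cents so sums are exact
CUSTOMER_MASTER = {1001: 500_000_00, 1002: 250_000_00, 1010: 80_000_00, 1020: 60_000_00}
AUTH_LIMIT = 200_000_00  # hypothetical per-invoice authorization limit (cents)


@dataclass(frozen=True)
class Invoice:
    ref: str
    customer_no: int
    amount: int  # cents


def batch_totals(batch):
    """Record count, batch (control) total of amounts and hash total of customer numbers."""
    return {
        "record_count": len(batch),
        "batch_total": sum(inv.amount for inv in batch),
        "hash_total": sum(inv.customer_no for inv in batch),
    }


def completeness_check(batch, header):
    """Completeness of input: recompute the totals and compare them with those the
    preparer wrote on the batch header from the source documents. Returns the mismatches."""
    got = batch_totals(batch)
    return {k: (got[k], header[k]) for k in header if got[k] != header[k]}


def accuracy_check(inv):
    """Accuracy/validity of one record: validity check, reasonableness test, limit check."""
    errors = []
    if inv.customer_no not in CUSTOMER_MASTER:
        errors.append("customer no. not on master file")      # validity check
    if inv.amount <= 0:
        errors.append("amount not positive")                 # reasonableness test
    elif inv.amount > AUTH_LIMIT:
        errors.append("amount exceeds authorization limit")  # limit check
    return errors


def process_batch(batch, header):
    """Run the input controls, then the processing controls: an error log and a
    cross-footing test (accepted + rejected must equal the batch total)."""
    error_log = {inv.ref: accuracy_check(inv) for inv in batch if accuracy_check(inv)}
    accepted = sum(inv.amount for inv in batch if inv.ref not in error_log)
    rejected = sum(inv.amount for inv in batch if inv.ref in error_log)
    return {
        "discrepancies": completeness_check(batch, header),
        "error_log": error_log,
        "accepted_total": accepted,
        "rejected_total": rejected,
        "cross_foot_ok": accepted + rejected == batch_totals(batch)["batch_total"],
    }


# Constructed batch header: totals the clerk computed from four source documents before keying
HEADER = {"record_count": 4, "batch_total": 400_000_00, "hash_total": 1001 + 1002 + 1010 + 1001}

# Constructed keyed batch: INV002 was mis-keyed as customer 1020 (which exists, so the validity
# check alone would not catch it) and INV001 exceeds the authorization limit
KEYED_BATCH = [
    Invoice("INV001", 1001, 250_000_00),
    Invoice("INV002", 1020, 80_000_00),
    Invoice("INV003", 1010, 20_000_00),
    Invoice("INV004", 1001, 50_000_00),
]

if __name__ == "__main__":
    # Record count and batch total agree; the hash total exposes the mis-keyed customer no.
    for key, value in process_batch(KEYED_BATCH, HEADER).items():
        print(f"{key}: {value}")
```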

(C) The audit approach

5.7 Test of controls procedures and final evaluation

(a) may use CAATs for assistance.

(b) program control procedures were operated throughout the year;

(c) the current versions of computer programmes were used;

(d) no unauthorized alterations were made to previously approved computer programs; and

(e) the integrity of master files was maintained.

5.8 Documentation – general controls and application controls can be identified and documented through the use of techniques such as flowcharts, questionnaires, checklists or narrative descriptions.

5.9 Test your understanding 2

Controls over computerized accounting systems consist of controls over the computer processing function (general controls) and specific controls over the accounting applications (application controls).

General controls relate to the environment within which computer processing applications are developed, maintained and operated, and within which the application controls operate.

Application controls relate to the transaction flows through each application. The objectives of application controls are to ensure the completeness and accuracy of the accounting records and the validity of the entries therein. They consist of a combination of manual and programmed procedures. The application control structure should take account of the whole sequence of processing from the origin of a transaction to the action taken on relevant output.

Required:

(a) Name any five types of general controls and briefly explain the objectives to be accomplished for each of the mentioned five types of general controls. (10 marks)

(b) Name any five types of application controls and briefly explain the objectives to be accomplished for each of the mentioned five types of application controls. (10 marks)

(Total 20 marks)

(Adapted HKAAT Paper 8 Auditing June 1996)

5.10 Test your understanding 3


6. Computer-Assisted Audit Techniques (CAATs)

(A) Reasons for using CAATs

6.1 Loss of audit trails:

(a) when there are no visible audit trails, e.g. conventional vouching of transactions may not be possible because the transactions input are stored on a log file with no listing of daily or periodic transactions.

(b) Where the audit trail is not available in the design of a computer system, test data may be used to check that the processes are being performed properly.

6.2 CIS controls – it may not be possible to review program controls manually. Using test data or re-performing the processes by programs may be the only method to test the control.

6.3 Volume of transactions and output – the volume of transaction data is large.


(B) Considerations in the use of CAATs

6.4 CAATs may be used during various audit procedures, such as:

(a) detailed testing of transactions and balances – for example, use of audit software to test all or a sample of transactions in a computer file.

(b) analytical procedures – for example, use of audit software to identify unusual fluctuations or items.

(c) testing of application controls – use of test data to check the functioning of a programmed procedure.

(d) testing of general controls – analysis of logs and review of program library access procedures.

(C) Categories of computer-assisted audit techniques

(a) Test data

6.5 This technique is used where programmed controls are tested using simulated transactions which are processed through the client's computer system. Its primary use is in the testing of application controls. (That is, before carrying out compliance tests of the electronic data processing system, the auditor anticipates the various kinds of erroneous data that might arise and records them on disk; at the time of the test these data are input to the system to check whether it can detect each kind of simulated error.)

6.6 The results of processing are compared with the predetermined results. Any differences could be the results of control weaknesses or programming errors.

6.7 Advantages of test data techniques include:

(a) Objective evidence is provided of compliance with the established policies of the client's CIS.

(b) It verifies program specifications, which include program controls such as edit and validation checks.

(c) User procedures which are supposed to be complied with according to the user manual or other documentation may be examined.

(d) It increases the auditor's understanding of the client's application system and related procedures.

6.8 Disadvantages of test data techniques include:

(a) It tests only preconceived situations and may have the same oversights that exist in the documentation of the application.

(b) It lacks objectivity in that tests are oriented only to documented controls.

(c) The preparation of the comprehensive test data necessary to determine the specific areas to be tested may be time consuming and expensive.

(d) It tests the functioning of controls only at a specific point in time and does not cover the entire audit period.

(e) The auditor requires detailed knowledge of application program logic routines in order to design a suitable test.

(f) It may become difficult to perform testing in complex computer systems.

6.9 Two methods of using test data:

(a) Dead data (i.e. dead testing) – uses copies of the client's programs and transaction files and processes the test data separately from the normal production run.

(i) Advantages – the test will not interrupt the client's system and the results can be interpreted easily.

(ii) Disadvantages – additional computer time is required and has to be arranged beforehand, and there is uncertainty as to whether the actual operational programs are being used for the test.

(b) Live data – at its simplest level the auditors could use real data that has been processed which involves the controls they want to test. The auditor takes control of client data before it is processed. He then determines how the data should be processed, enters the data and checks the output. Data which should be rejected by the system is also entered, if the client has given permission.

(b) Integrated test facility (ITF)

6.10 An ITF uses test data input as part of a normal run, which is then applied to dummy records set up by the auditor on the client's master files.

6.11 A dummy entity is created through which data are processed. For example, a fictitious employee, department or customer is established and the auditor will process transactions against the entity under normal live operating conditions. Therefore, ITF data are entered with the live data of the client and are processed in the same way. (That is, one of the methods used by internal or external auditors to test and monitor the accounting controls within an electronic data processing application: a fictitious department or entity, together with a complete set of dummy records and dummy files, is set up inside the EDP system and processed together with the normal transaction data, to test whether the fictitious department and file data affect only the output of the dummy files.)
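Dead testing with a test deck (6.6 to 6.9) and an integrated test facility (6.10 to 6.11) can both be shown against one small program. This is an added illustration, not code from the course or from any client system; the posting program post_sales, the customer master, the test deck, the live batch and the dummy customer ZZ-ITF are all constructed:

```python
"""Test data (dead testing) and an integrated test facility against a constructed posting program."""
import copy

# Constructed sales ledger master: customer -> balance and credit limit
MASTER = {
    "C001": {"balance": 2_000, "credit_limit": 10_000},
    "C002": {"balance": 7_000, "credit_limit": 10_000},
}


def post_sales(master, transactions, over_limit=lambda bal, amt, lim: bal + amt > lim):
    """Stand-in for the client's program under test: programmed controls, then posting.
    over_limit is the credit-limit rule; the default is the correct one."""
    log = []
    for t in transactions:
        cust = master.get(t["customer"])
        if cust is None:
            log.append((t["ref"], "REJECT", "unknown customer"))
        elif t["amount"] <= 0:
            log.append((t["ref"], "REJECT", "invalid amount"))
        elif over_limit(cust["balance"], t["amount"], cust["credit_limit"]):
            log.append((t["ref"], "REJECT", "credit limit exceeded"))
        else:
            cust["balance"] += t["amount"]
            log.append((t["ref"], "ACCEPT", ""))
    return log


# Constructed auditor's test deck: each simulated transaction with its predetermined result (6.6)
TEST_DECK = [
    ({"ref": "T1", "customer": "C001", "amount": 1_000}, "ACCEPT"),
    ({"ref": "T2", "customer": "C999", "amount": 500}, "REJECT"),    # customer not on file
    ({"ref": "T3", "customer": "C001", "amount": 0}, "REJECT"),      # zero amount
    ({"ref": "T4", "customer": "C002", "amount": 9_000}, "REJECT"),  # breaches credit limit
    ({"ref": "T5", "customer": "C002", "amount": 3_000}, "ACCEPT"),  # exactly at the limit
]


def dead_test(master, deck, program):
    """6.9(a) dead testing: run the deck through the program against a copy of the files,
    separate from production, and report outcomes that differ from the predetermined ones."""
    trial = copy.deepcopy(master)
    expected = {t["ref"]: outcome for t, outcome in deck}
    log = program(trial, [t for t, _ in deck])
    return {ref: (expected[ref], got) for ref, got, _ in log if got != expected[ref]}


ITF_CUSTOMER = "ZZ-ITF"  # hypothetical dummy customer set up by the auditor

# Constructed live batch of the client and the auditor's ITF transactions run with it
LIVE_BATCH = [
    {"ref": "L1", "customer": "C001", "amount": 500},
    {"ref": "L2", "customer": "C002", "amount": 2_000},
]
ITF_TRANSACTIONS = [
    {"ref": "ITF1", "customer": ITF_CUSTOMER, "amount": 3_000},
    {"ref": "ITF2", "customer": ITF_CUSTOMER, "amount": 2_500},  # should breach the 5,000 limit
]


def itf_run(master, live_batch, itf_transactions, program):
    """6.10-6.11 ITF: add the dummy entity to the master, process the ITF data in the normal
    run with live data, then confirm no real record differs from a live-only run."""
    live = copy.deepcopy(master)
    live[ITF_CUSTOMER] = {"balance": 0, "credit_limit": 5_000}
    reference = copy.deepcopy(live)
    program(reference, live_batch)  # what the live data alone would produce
    log = program(live, live_batch + itf_transactions)
    contaminated = [c for c in live if c != ITF_CUSTOMER and live[c] != reference[c]]
    itf_log = [entry for entry in log if entry[0].startswith("ITF")]
    return itf_log, live[ITF_CUSTOMER]["balance"], contaminated


if __name__ == "__main__":
    print("dead test, correct program:", dead_test(MASTER, TEST_DECK, post_sales))
    # a constructed programming error: rejects a sale that brings the balance exactly to the limit
    faulty = lambda m, t: post_sales(m, t, over_limit=lambda b, a, l: b + a >= l)
    print("dead test, faulty program:", dead_test(MASTER, TEST_DECK, faulty))
    print("ITF run:", itf_run(MASTER, LIVE_BATCH, ITF_TRANSACTIONS, post_sales))
```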

(c) Generalised audit software programs (通用審計程式)

6.12 They consist of a set of computer programs designed to perform audit functions that would normally be performed manually. The programs are essentially data manipulation and output programs which are adaptable to various data formats and computer systems.

6.13 The functions include:

(a) Extract data from files based on criteria specified by the auditor.

(b) Perform calculations.

(c) Compare data.

(d) Select and print audit samples.

(e) Summarise data for audit analysis.

(f) Print reports in a format specified by the auditor.
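The six generalised audit software functions in 6.13, and the footing and file-comparison uses of the computer mentioned in 4.4, can be shown on a debtors subsidiary ledger. This is an added illustration, not code from the course or from any audit package; the ledger records, the control account balance and the prior-visit copy of the file are all constructed:

```python
"""Generalised audit software functions over a constructed debtors subsidiary ledger."""
from collections import defaultdict

# Constructed debtors subsidiary ledger (current visit): one record per customer balance
LEDGER = [
    {"cust": "C001", "balance": 12_000, "days_overdue": 10},
    {"cust": "C002", "balance": 45_500, "days_overdue": 95},
    {"cust": "C003", "balance": 3_200, "days_overdue": 0},
    {"cust": "C004", "balance": 78_000, "days_overdue": 130},
    {"cust": "C005", "balance": 9_900, "days_overdue": 45},
    {"cust": "C006", "balance": 150, "days_overdue": 200},
]
CONTROL_ACCOUNT = 148_000  # constructed general ledger debtors control account balance

# Constructed copy of the same file retained by the auditor from the prior visit
PRIOR_LEDGER = [
    {"cust": "C001", "balance": 12_000, "days_overdue": 0},
    {"cust": "C002", "balance": 40_000, "days_overdue": 60},
    {"cust": "C003", "balance": 3_200, "days_overdue": 0},
    {"cust": "C004", "balance": 78_000, "days_overdue": 100},
    {"cust": "C005", "balance": 9_900, "days_overdue": 15},
    {"cust": "C007", "balance": 500, "days_overdue": 30},
]

def foot(records, field="balance"):
    """(b) Perform calculations: foot (total) a field of the file."""
    return sum(r[field] for r in records)

def extract(records, criterion):
    """(a) Extract records meeting a criterion specified by the auditor."""
    return [r for r in records if criterion(r)]

def compare_files(old, new, key="cust", field="balance"):
    """(c) Compare data: records added, removed, or with a changed field between two files."""
    old_by, new_by = {r[key]: r for r in old}, {r[key]: r for r in new}
    return {
        "added": sorted(new_by.keys() - old_by.keys()),
        "removed": sorted(old_by.keys() - new_by.keys()),
        "changed": {k: (old_by[k][field], new_by[k][field])
                    for k in sorted(old_by.keys() & new_by.keys())
                    if old_by[k][field] != new_by[k][field]},
    }

def select_sample(records, interval, start):
    """(d) Select an audit sample by systematic (interval) selection from a chosen start."""
    return records[start::interval]

def ageing_bucket(r):
    # current / 1-30 / 31-90 / over 90 days
    d = r["days_overdue"]
    return "current" if d == 0 else "1-30" if d <= 30 else "31-90" if d <= 90 else "over 90"

def summarise(records, bucket):
    """(e) Summarise balances by a grouping function, e.g. an ageing analysis."""
    totals = defaultdict(int)
    for r in records:
        totals[bucket(r)] += r["balance"]
    return dict(totals)

def audit_programme():
    """Run the auditor's specified steps and return the working-paper results."""
    return {
        "footing_difference": foot(LEDGER) - CONTROL_ACCOUNT,  # ledger vs control account
        "over_90_days": [r["cust"] for r in extract(LEDGER, lambda r: r["days_overdue"] > 90)],
        "file_comparison": compare_files(PRIOR_LEDGER, LEDGER),
        "sample": [r["cust"] for r in select_sample(LEDGER, interval=2, start=1)],
        "ageing": summarise(LEDGER, ageing_bucket),
    }

def report(results):
    """(f) Print a report in the auditor's own format: one line per working-paper item."""
    return [f"{name:<20}{value}" for name, value in results.items()]

if __name__ == "__main__":
    print("\n".join(report(audit_programme())))
```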

(d) Specialised audit software programs

6.14 These are computer programs designed to perform audit tasks in specific circumstances. These programs may be developed by the auditor, by the entity or by an outside programmer engaged by the auditors.

(e) Utility programs and existing entity programs

6.15 These programs are used by the entity to perform common data processing functions such as sort, create and print computer files.

6.16 These computer programs are not designed for audit purposes and therefore may not contain such features as automatic record counts or control totals.

(f) Embedded audit facilities

6.17 This consists of a module of a computer program written by the auditor which is incorporated into the client’s computer system either temporarily or permanently. This technique allows tests to be made at the time the data is being processed.

6.18 It is real time auditing. It is useful where the audit trail is deficient so that historical audit work is difficult, or where files are constantly being updated.


(g) Expert systems

6.19 They are computer programs that emulate the thought processes of human experts in solving problems or achieving goals.

6.20 They consist of two basic components:

(a) the knowledge base, which contains the information, facts and rules necessary for solving problems and deriving solutions; and

(b) the inference engine, which is a computer program that contains the analytical structure for providing the wanted advice to users.

(D) The advantages of CAATs to the auditor

6.21 In a computer based system, the large volume of transactions is likely to force the auditor to rely on programmed controls.

6.22 The use of CAATs enables auditors to test a much larger number of items quickly and accurately.

6.23 It enables auditors to test the accounting system and its records rather than relying on testing printouts of what they believe to be a copy of those records.

6.24 Once set up, CAATs are likely to be a cost effective way of obtaining audit evidence, provided that the enterprise does not regularly change its systems.

6.25 Careful planning by auditors should enable the results of their work using CAATs to be compared with results from the traditional clerical audit work to increase confidence.

7. Small Computer Systems

7.1 Small computer systems are generally considered to be those which are located in the normal office environment, and do not require specialist staff to operate the system. These are usually based on personal computers (PCs), often networked together to share access to data.

7.2 Problems associated with small computer systems:

(a) Lack of control.

(b) Lack of segregation of duties – the same person may be responsible for the preparation of input data, computer operations and distribution of output.

(c) Lack of computer expertise – in any case the system may not be fully documented and the supplier of a package may not be prepared to release full details. The auditor may need to rely largely on substantive testing to obtain adequate audit evidence.

(d) Inadequate physical security – there may be unrestricted access to terminals or data.

(e) Control over standing data (permanent data that is seldom changed, e.g. product price files or name and address files) – many small systems operate on a real-time basis. Controls may include detailed editing of transactions, the maintenance of transaction logs and control accounts, and full review of output by officials outside the computer department. The auditor should check that editing and authorization extend to changes in standing data as well as routine transactions.

(f) Conversions problems – There are dangers of errors or loss of data on the conversion to a new small computer system. The conversion process should be fully documented and controls such as maintaining record counts and controls totals should be used.

(g) Unauthorised changes – There are dangers that program changes are made that are unauthorized or badly designed by the client’s staff. In addition the client’s staff may neglect other managerial duties in spending time attempting to program the computer.

(h) Lack of audit trail – there is finally a general problem that such systems may not provide a visible audit trail. CAATs can therefore help.


7.3 Test your understanding 4

7.4 Test your understanding 5

JOHN.COM provides an information web site to the public, but the company has difficulty recruiting good computer staff.

Duties and responsibilities

Currently the computer department has three employees: a manager, a programmer and an input clerk. The input clerk is responsible for inputting all transactions and the programmer runs the computer programmes. The output reports are passed to the user departments. They rely on the computer programmes and do not perform any checking on the output reports. Due to a lack of resources, the error reports are normally left unattended until the user department raises a query. The programmer has the right to write and amend computer programmes on his own. In order to reduce the workload of the programmer, the manager does not require the programmer to document any amendments to the computer programmes or to inform him of any changes.


Security

The company does not have a firewall between the internet server and the company's computer system; this makes it easier for staff to access the company's computer system from home via the internet. Documentation of the computer system is distributed to all company staff.

Data backup and disaster recovery

Daily backup is required on all daily transactions; the backup tapes are stored in the office until Friday afternoon. The computer department has prepared a set of disaster recovery procedures without involving other user departments. There is only one set of recovery procedures and this is kept in the office of the manager.

Required:

Identify ten internal control weaknesses and make recommendations for improvement. (Total 20 marks)

(Adapted HKIAAT December 2000)
