11.

E commerce audit (computerized audit)

Benefits to client using a computerized accounting system
 It gives rise to a strong ICS,
 It reduces overtime costs
 Clear and neat work e.g. computations, ledgers, etc
 Enhance arithmetic accuracy
 Increased efficiency
 Increased speed
 Increased effectiveness
 Used in Preparation of mgt reports

Ways in which IT enhance the admin procedures and controls over an audit.
 Confidentiality through password
 Create efficiency in audit process
 Substantive &compliance tests
 Improve client and staff relations, e.g. email
 Cost budgeting - staffing requirements and planning by using spreadsheets
 Word processing –for routine production of reports, faxes, letters, memos,
 word processing to produce audit programs, working papers etc

Features of computer based systems (risks in computerized environment)

1. Lack of primary records
In some systems conventional daybooks will not be maintained. in others
originating documents may not be created, in some data keyed after receiving order
via telephone .the auditor will be unable to trace this transactions back to
originating documents
2. Programmed controls
The auditor has to test controls which he wishes to rely on, this means he must use
computer assisted audit techniques (CAATs)
3. Concentration of function and controls
Due to the use of computers few people are involved in the processing of financial
information. This results in weak internal controls and in particular poor
segregation of duties.
4. Encoded data
There is a danger of errors arising at encoding stage when data is converted from
human to machine language
5. Need for experts
As computers become extensively used in business it is relevant for all auditors to
become computer literate, it will also require experts when designing
6. Availability of computer time
The use of CAATs involves the use of client’s computer facilities. There is need to
organize such facilities well ahead of required time
7. Data needed for audit may be overwritten
Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 1
When data is stored in tapes or discs it may be overwritten with new data
8. Loss of audit trail
Most computerized systems limits printed data and files are magnetically stored
.the auditor is therefore unable to trace an individual transaction through the
system from origin to financial statements. This is said to be loss of visible audit
trail

Controls in computerized environment

Divided into two categories
1 application controls
2 general controls

1. Application controls
The objectives of application controls which may be manual or programmed are to
ensure the completeness and accuracy of the accounting records and the validity of
the entries made therein resulting from both manual and programmed processing.
Application controls are generally divided into:

 Input controls.
 Processing controls.
 Output controls.

Input controls
 Missing field checks-checks that all data is present
 Sequence checks- ensures data fall within predefined sequence
 Validity checks-to check data for validity in accordance with predetermined
criteria
 Reasonableness checks- check that data fall within reasonable limit
 hash totals-refer to additions e.g. student registration no’s
 document counts-agrees number of input records into the batch with the total
batch control form
 run to run totals-computes documents in cumulative form
 master file checks-checks that codes match those in the master file
 range checks-checks that data falls within predetermined range
 check digit-ensures accuracy of codes
 zero balance checks-checks reconciliation of debits and credits
 sign checks-ensures data has been keyed in with correct arithmetic sign

Processing controls

 Program file identification procedures,

 Physical file identification procedures
 Control totals
 Limit and reasonableness tests

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 2
 Sequence tests over pre-numbered documents.
 Validation checks
 Hard ware and software controls
 Encryption procedures

Output controls
 agreeing all output to input,
 Noting distribution of all the output.
 Output checklists
 Logging of all output
 Print control totals
 Use of screen warning message e.g. do you want to save
 Backup procedures
 Print terminal message at the end of the report

2. General controls
These are controls, which relate to the environment within which computer-based
accounting systems are developed, maintained and operated aimed at providing
reasonable assurance that the overall objectives of internal controls are achieved.
They are classified into
 Physical controls
 Logical controls

Physical controls
Are measures designed to limit actual physical access to the computer and related
facilities.they include
 Bolting door locks-it requires traditional metal key to gain in
 Combination of door locks(cipher locks)-uses numeric key pad or dial to gain
access
 Electronic door locks-uses magnetic chip
 Biometric door locks-uses voice, retina recognition
 Controlled visitor access
 Security guards
 Use mbwa kali
 Alarm system
 Use dust covers
 Adequate ventilation of computer room
 Use CCTV
 Use electric fences
 Use fire extinguishers to safeguard against fire
 Computer room should be in a well drained field
Logical controls
 Use of passwords
 Data encryption

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 3
  User ID
 PIN numbers
 Biometric controls e.g. retina
 One token password e.g. smart cards

Computer assisted audit techniques (CAATs)

These are audit programmes used to interrogate the client computer files so as to
enable the auditor to form an opinion as to the accuracy, authenticity and validity of
clients’ transactions
Factors to consider b4 using CAATs
 Knowledge &expertise of auditor
 Availability of suitable CAATs
 Efficiency &effectiveness
 Time constraints
 Level of audit risk
 Level of training required
 Integrity of clients systems
 Impracticability of manual tests

Uses of CAATs
 Test of transactions and balances
 Sampling programs
 Analytical procedures
 Compliance test of general controls
 Penetration testing
 Compliance testing of application controls

Advantages of Assisted Audit Techniques (CAATs)

 Quick and more efficient
 facilitates planning
 Once acquired it is cost effective
 Auditor can test a no of items quickly and accurately;
 Enable the auditor to test the accounting system
 Provide the auditor with additional options
 Likely to be the only effective way of testing programmed controls.
 Reduced human errors

Types of CAATs
1. Computer audit programs (Audit software)
These consist of computer programs used by an auditor to read magnetic files and to
extract specified information from the files. They are also used to carry out audit
work in the contents of the file.
It consist of three programs
 Generalized package program

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 4
  Specially written programs
 Utility programs
Generalized package programs
These are programs already written either by the auditor or a software specialist
designed to be used on different types of machines. They need to be tailored to each
specific case by determining or defining the format of the files to be interrogated and
by specifying the parameters of output data and form of that output
Specially written programs
In some cases it is not possible to adapt a package program because of the type of
machine processing or file interrogation method used. In such cases a specially
written program is required it could be written by the auditor or by a specialist or by
the client acting on the instruction of the auditor
Utility programs
These are programs used by the entity to perform data processing functions which
are such as sort utility, batch utility and print utility
Uses of audit software (substantive tests over computer based systems)
 Totalling and subtotalling files
 Stratifying and analyzing files
 Re-performing calculations
 Producing exception reports
 Detecting gaps or duplicate entries
 Selection of audit samples
 Comparison of information on separate files
 Multiple file format handling
 Scrutinising files selecting & printing exceptional items for further examination
 Verify data at interim stage e.g. stock& fixed assets
 Comparing files at succeeding year ends
 Carrying out detailed tests &calculations

Advantages:
 Examination of data is more rapid;
 Examination of data is more accurate;
 The only practical method of examining large amounts of data;
 Gives the auditor practical acquaintance with live files;
 Overcomes in some cases a loss of audit trail;
 Relatively cheap to use once set up costs have been incurred;

Disadvantages:
 Can be expensive to set up or acquire.
 Some technical knowledge is required.
 A variety of programming languages is used in business.
 Detailed knowledge of systems and programs is required.
 Difficulty in obtaining computer time especially for testing.

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 5
 2. Test data (test packs)
This is data used by the auditor for computer processing to test operations of the
enterprises computer programs.
There are three approaches to use test data
a) using live data-this is the simplest approach to the auditor and involves
pre-determining the results which the auditor would expect from processing

Disadvantages
 If the data is included with normal data, separate test data totals cannot be
obtained.
 Side effects can occur. It has been known for an auditor's dummy product to be
included in a catalogue.
 Client's files and totals are corrupted although this is unlikely to be material.
 If the auditor is testing procedures such as debt follow up, then the testing has
to be over a fairly long period of time. This can be difficult to organize

b) Dummy data in a normal production run-this is where the auditor

constructs dummy translations which contain the required conditions. They
are processed along with normal data. Actual results are then compared
with the predetermined results

Disadvantages
 Difficulties will be encountered in simulating a whole system or even a part of it.
 A more detailed knowledge of the system is required than with the use of live
files.
 There is often uncertainty as to whether operational programs are really being
used for the test.
 The time span problem is still difficult but more capable of resolution than with
live testing.

c) Dummy data in a special run-in this method the auditor creates special
data and uses it against copies of clients’ data files.

Disadvantages of test data

 Costs- there may be considerable cost involved in constructing considerable
data involved
 Objectives of the test- test data is likely to be confined o test of controls and
may therefore be less valuable in audit terms than using audit software.
 Recording- the use of test data does not necessarily provide visible evidence
of the audit work performed. Working papers should therefore include
details of controls to be tested and explanation of how they are tested and
the details of transactions and files used.

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 6
  Dangers of testing during a special run- if special test runs are used on
artificial running environment is created, Assurance is needed that normal
programs and files have been used

Benefits of automating procedures

 Files are kept in a more compact form
 Rapid sharing of information
 Savings due to efficient working
 Better compliance with audit firm procedures & ISAs
 Creation of networks so that online supervision becomes possible
 Instant availability of information on a wide range of audit related subjects
 Systems designed for optimal auditing are adhered to by audit staff
 Automatic generation of audit plans,programmes,schedules & procedures
 Creation of data for audit examination or analytical review not readily
available from clients’ records
 Better public relations as clients expect and demand that their auditors are
upto date& efficient

Risk facing e-commerce audit

 Systems breakdowns
 Threats by hackers
 Loss of data during changeover from manual to computerised system
 Loss of audit trail
 Low internet connectivity
 Software may not meet the needs
 Data corruption by virus
 Health and safety risk e.g. loss of eyesight
 Risk of lack of confidentiality- commercially sensitive data sensitive may be
accessed
 Lack of technical skills
 Most computerised systems increases chances of frauds and errors
 Lack of primary records
 Defective software this leads to lost revenue
 Unauthorised updating of data
 Integrity-data can be duplicated or accessed by unauthorised accessors
 Cyber crimes e.g. spoofing
 Lack of punishment over cyber crimes

Controls in online and real time processing

 Segregation of duties
 Restrict access to terminals
 Use passwords
 Restriction of operating system to specific personnel
 Use backup facilities

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 7
  Use of firewalls
 Restricting unauthorized access using system software
 Lock &key i.e. physical restriction
 Data encryption
 Lockable keyboards
 Training staff on new procedures
 Restricting access to central computer
 Protect equipment against fire & other hazards
 Validation procedures
 Verification procedures
 Environmental controls e.g. moisture, dust etc
 Logging off attempted violation by automatic shutdown
 Automatic locking of keyboard e.g. after a few seconds
 Install antivirus software
And He said to man the fear of the Lord, That is wisdom and to shun evil is
understanding

………………………………………Dios Te bendiga………………………………………

Compiled by: Pst Brian MSC, BBA, CIFA (K), CPA (K) ,DICM @2018 Page 8