Computer Audit

Note on computer Audit for ND students

Uploaded by

adeoluwasegun004
Chapter 19
COMPUTER AUDIT

Instructional Objectives:
After studying this chapter you will be able to:
* Define application controls and general controls.
* Identify the main advantages in using an automated working papers package.
* Describe the two principal categories of CAAT.
* Explain the term audit trail.
* Itemize the advantages of an embedded facility.
* List the major areas in which general controls should operate.
* Describe an "integrated test facility".
* Enumerate the factors that will determine whether the auditors perform a test manually or by using a CAAT.
* Distinguish between audit round the computer and through the computer.
* Identify security and confidentiality problems likely to be encountered in a small computer environment.

19.0 INTRODUCTION

As computers continue to become cheaper, more flexible and easier to operate, their use in accounting functions increases. Auditors now regularly have to consider accounting systems which are based to some extent on a computer. In order to conclude whether accounting records produced by a computer form a reliable basis for the preparation of financial statements, the auditor must understand and be able to audit the system. The purpose of this chapter is to highlight the main aspects of the system that the auditor should consider and to identify particular problem areas.

19.1 THE AUDITOR'S PRIMARY OBJECTIVE

(a) It is important to note that normal principles of auditing still apply irrespective of the system of recording and processing transactions. Whilst the Auditing Standards and Operational Guidelines should be followed, it is likely that the auditor will need additional guidance in carrying out his audit.
The APC issued an auditing guideline, titled Auditing in a computer environment, in 1984. This textbook does no more than set out the basic approach to computer auditing and the Institute recommends that auditors should obtain detailed practical guidance on the particular processing situations which they might meet and on the techniques which they might have to employ.

(b) The basic objective remains to form an opinion on the truth and fairness of the financial statements but the methods by which the auditor obtains the evidence to enable him to form his opinion may vary somewhat from the methods employed when auditing manual accounting systems.

Fundamentals of Auditing

19.2 EFFECTS ON THE AUDIT

The existence of a computer within the system will cause the auditor to consider the following special factors:
(a) the need to use staff with specialised knowledge and skill;
(b) the possible problems of loss of visible evidence and systematic errors;
(c) the timing of audit work to ensure that data is available in readily usable form; and
(d) the possible need to rely on internal controls and the special computer assisted techniques which can be used.

19.3 THE PROBLEMS

(a) The main problems facing the auditor are:
(i) understanding how the system processes and produces accounting information and what controls are operating on the system; and
(ii) the loss of a visible audit trail due to a reduction in the amount of printed output.

(b) Loss of audit trail
The audit trail is the facility to trace individual transactions through a system from source (in most cases a source document) to completion (inclusion in a summary figure in the accounts) or vice versa. Frequently computer generated totals, analyses and balances are not printed out in detail because management is not exercising control through verification of the individual items processed.
Techniques which the auditor can use to overcome this problem include:
(i) arranging for printouts of information specifically for the auditor's use;
(ii) programmed interrogation facilities whereby records stored on file are printed out on a selective basis by means of a direct request to that file;
(iii) clerical recreation of totals from source documents;
(iv) testing on a totals basis rather than tracing individual items (e.g., comparing analyses with previous periods and budgets);
(v) using alternative tests (e.g., testing stocktaking procedures when movements making up stock balances cannot be tested); and
(vi) using computer assisted audit techniques.

19.4 Controls In A Computer Environment

The expansion in the use of computers for accounting purposes will certainly continue. Auditors must therefore be able to cope with the special problems that arise when auditing in a computer environment and keep abreast of technical innovation. First we look in a rather general way at the nature of controls in a computer environment.

Broad guidance is provided for the auditor in the form of the old APC operational guideline Auditing in a computer environment. This guideline has not been replaced by a new APB auditing standard, so it is followed here as it still demonstrates best practice for the most part. The introduction to this guideline sets the scene:

“Computer systems record and process transactions in a manner which is significantly different from manual systems, giving rise to such possibilities as a lack of visible evidence and systematic errors.
As a result, when auditing in a computer environment, the auditor will need to take into account additional considerations relating to the techniques available to him, the timing of his work, the form in which the accounting records are maintained, the internal controls which exist, the availability of the data and the length of time it is retained in readily usable form.”

Internal controls over computer-based accounting systems may be considered under the following two main headings.

Application controls relate to the transactions and standing data appertaining to each computer-based accounting system and are therefore specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the accounting records and the validity of the entries made in these records resulting from both manual and programmed processing.

General controls are controls, other than application controls, which relate to the environment within which computer based accounting systems are developed, maintained and operated, and which are therefore applicable to all the applications. The objectives of general controls are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operation. Like application controls, general controls may be either manual or programmed.

Application controls and general controls are interrelated. Strong general controls contribute to the assurance which may be obtained by an auditor in relation to application controls. On the other hand, unsatisfactory general controls may undermine strong application controls or exacerbate unsatisfactory application controls.

The draft version of the auditing guideline Auditing in a computer environment contained useful appendices identifying typical, and desirable, application and general controls.
The authorised guideline did not retain these appendices and some of the computing concepts referred to have been superseded by modern technology. Nevertheless, a relatively detailed knowledge of controls is useful, so the appendices are reproduced below.

Examples of application controls

To achieve the overall objectives of application controls identified above, the specific requirements are controls over:
* completeness, accuracy and authorisation of input;
* completeness and accuracy of processing;
* maintenance of master files and the standing data contained therein.

Controls over input

Control techniques for ensuring the completeness of input in a timely fashion include:
* manual or programmed agreement of control totals;
* one for one checking of processed output to source documents;
* manual or programmed sequence checking;
* programmed matching of input to a control file, containing details of expected input;
* procedures over resubmission of rejected controls.

Controls over the accuracy of input are concerned with the data fields on input transactions. Control should be exercised not only over value fields, such as invoice amounts, but also important reference fields, such as account number or date of payment. Some of the completeness control techniques, such as a batch total, will also control accuracy but others, such as sequence checks, will not. Additional techniques to ensure accuracy include:
* programmed check digit verification (a check digit included in a reference number is arithmetically checked to ensure that it bears the required relationship to the rest of the number);
* programmed reasonableness checks, including checking the logical relationship between two or more files;
* programmed existence checks against valid codes;
* manual scrutiny of output.
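An added illustration (not part of the original chapter) of the programmed input controls listed above: agreement of control totals, sequence checking, check digit verification and an existence check against valid codes. The batch data, the function names and the modulus-11 check digit scheme are assumptions made for the example; the chapter does not name a particular scheme.

```python
from collections import Counter
from typing import NamedTuple


class Txn(NamedTuple):
    serial: int   # pre-numbered source document serial
    account: str  # reference field whose last digit is a check digit
    amount: int   # value field, in minor currency units


# Constructed sample data. HEADER holds the totals prepared clerically from
# the source documents; BATCH is what was actually keyed for processing.
HEADER = {"record_count": 6, "value_total": 30090, "hash_total": 258402}
VALID_ACCOUNTS = {"40215", "73105", "15881"}  # stands in for the master file
BATCH = [
    Txn(101, "40215", 12500),
    Txn(102, "73105", 8990),
    Txn(104, "15881", 4300),   # serial 103 was never keyed
    Txn(104, "15881", 4300),   # serial 104 keyed twice
    Txn(105, "42015", 700),    # transposition of 40215
    Txn(106, "20001", 1500),   # well-formed number, but no such account
]


def control_totals(batch):
    """Record count, value total and hash total (sum of account numbers)."""
    return {
        "record_count": len(batch),
        "value_total": sum(t.amount for t in batch),
        "hash_total": sum(int(t.account) for t in batch if t.account.isdigit()),
    }


def agree_totals(header, batch):
    """Names of the header control totals that the keyed batch fails to agree."""
    actual = control_totals(batch)
    return [name for name in header if header[name] != actual[name]]


def sequence_check(batch, first, last):
    """Missing and duplicated serial numbers in the expected range."""
    seen = Counter(t.serial for t in batch)
    missing = [s for s in range(first, last + 1) if s not in seen]
    duplicated = sorted(s for s, n in seen.items() if n > 1)
    return missing, duplicated


def check_digit_ok(ref):
    """Assumed modulus-11 scheme: digits weighted 1, 2, 3... from the right
    (the check digit has weight 1) must sum to a multiple of 11."""
    if not ref.isdigit():
        return False
    return sum(int(d) * w for w, d in enumerate(reversed(ref), start=1)) % 11 == 0


def field_checks(batch, valid_accounts):
    """Accuracy checks on the account field: check digit, then existence."""
    rejects = []
    for t in batch:
        if not check_digit_ok(t.account):
            rejects.append((t.serial, "check digit"))
        elif t.account not in valid_accounts:
            rejects.append((t.serial, "unknown account"))
    return rejects


if __name__ == "__main__":
    print("totals not agreed:", agree_totals(HEADER, BATCH))
    print("missing / duplicated serials:", sequence_check(BATCH, 101, 106))
    print("field rejects:", field_checks(BATCH, VALID_ACCOUNTS))
```

In this constructed batch the record count agrees with the header even though serial 103 is missing and 104 was keyed twice, so only the value total, the hash total and the sequence check reveal the problem. The existence check catches account 20001, which satisfies the check digit but is not on the list of valid codes.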
Controls over authorisation involve checking:
* all transactions are authorised; and
* the individual who authorised each transaction was empowered to do so.

This will generally involve a clerical review of input transactions, although a programmed check to detect transactions that exceed authorisation limits may be possible. The clerical review should be done either after a control total has been established or after processing, to ensure that unauthorised transactions cannot be introduced after the review.

Controls over processing

Controls are required to ensure that:
* all input data is processed;
* the correct master files and standing data files are used;
* the processing of each transaction is accurate;
* the updating of data, and any new data generated during processing, is accurate and authorised;
* output reports are complete and accurate.

The control techniques used to ensure the completeness and accuracy of input may also be used to ensure the completeness and accuracy of processing. The techniques must be applied to the results of processing, such as a batch reconciliation produced after the update and not the one produced after the initial edit. Another technique for ensuring the completeness and accuracy of processing is summary processing.

Controls over master files and standing data

Techniques for ensuring the completeness, accuracy and authorisation of amendments to master files and standing data files and for ensuring the completeness and accuracy of the processing of these amendments are similar to the techniques for transaction input. The following controls may be particularly important.
* More costly techniques such as one to one checking may be used because of the greater importance of master files and standing data.
* All master files and standing data may be reviewed cyclically.
* Record counts and hash totals may be used every time master files are used.
* Controls may be exercised over the deletion of accounts which contain a current balance.

Examples of general controls

To achieve overall objectives of general controls, controls are required to:
* ensure proper application development;
* prevent or detect unauthorised changes to programs;
* ensure that all program changes are adequately tested and documented;
* prevent or detect errors during program execution;
* prevent unauthorised amendments to data files;
* ensure that systems software is properly installed and maintained;
* ensure that proper documentation is kept;
* ensure continuity of operations.

Controls over application development

The auditors might consider:
* system design standards;

Controls to prevent or detect errors during program execution

The auditors might consider:
* adequacy of operations controls included in the systems;
* use of job control procedure libraries;
* operations manual detailing set up and execution procedures;
* job scheduling;
* emergency back up procedures;
* training and supervision.

These procedures should provide protection against errors such as:
* incorrect data files;
* wrong versions of production programs;
* running programs in the wrong sequence;
* incorrect response to a program request;
* job control errors.

Controls to prevent unauthorised amendment to data files

Controls to prevent unauthorised amendments to data files are dependent upon:
* application controls over the file;
* manner in which the file is maintained;
* file management software used.

The auditors might consider the adequacy of general control procedures such as:
* authorisation of jobs prior to processing;
* procedures to detect unauthorised amendments;
* password protection and procedures for recording and investigating unauthorised access attempts;
* emergency modification procedures;
* integrity of back up files;
* physical protection of data files;
* restricted use of utility programs;
* segregation of duties.

Controls to ensure that systems software is properly installed and maintained

Systems software includes the operating system, teleprocessing monitors, data base management system, spooling systems and other software used to increase the efficiency of processing and to control processing. The auditors should consider not only the controls exercised by the software but also the controls over the software, such as:
* frequency of amendments;
* amendment procedures;
* access controls;
* segregation of duties.

Controls to ensure that proper documentation is kept

Proper documentation aids efficient and accurate operations by users and computer personnel, setting up and amendments to applications, and recovery from disaster. The auditors would consider such matters as:
* quality of documentation;
* quality of standards used;
* enforcement of standards, internal audit involvement;
* updating procedures.

Controls to ensure continuity of operation

As part of their overall assessment of the enterprise the auditors might consider:
* back up procedures;
* testing of back up facilities and procedures;
* protection of equipment against fire and other hazards;
* emergency and disaster recovery procedures;
* maintenance agreements;
* insurance.

19.5 THE AUDITORS' APPROACH

Audits are performed in a computer environment wherever computer-based accounting systems, large or small, are operated by an enterprise, or by a third party on behalf of the enterprise, for the purpose of processing information supporting amounts included in the financial statements.
The nature of computer-based accounting systems is such that the auditors are afforded opportunities to use either the enterprise's or another computer to assist them in the performance of their audit work. Techniques performed with computers in this way are known as Computer Assisted Audit Techniques (CAATs), of which the following are the major categories according to the old APC guideline:
(a) Use of audit software: computer programs used for audit purposes to examine the contents of the enterprise's computer files.
(b) Use of test data: data used by the auditors for computer processing to test the operation of the enterprise's computer programs.

The Audit Approach

Planning the audit

The reporting partner's planning procedures should include:
(a) Consultation with the computer audit section over the best approach to adopt.
(b) Consideration of those techniques that can be applied by general audit staff.
(c) Consideration of the use of the specialist services provided by the computer audit section.
(d) Determining the timing and incidence of audit tests and the setting of audit objectives for each test.
Controlling the audit work

Procedures should be determined for:
(a) Budgeting the necessary time to be spent in applying special techniques.
(b) Controlling the results of the various tests and following up areas where further reassurance needs to be obtained.

Recording the work done

The audit of a computer based system will generally include:
(a) A 'background to the installation' file giving details of [...], data processing standards in use and staffing of the data processing [...].
(b) A systems permanent file for each system application providing:
(i) the system's aims and objectives in layman's language;
(ii) system outputs, inputs, processes and files;
(iii) specimen layouts of each of the above;
(iv) systems descriptions: flow charts for clerical systems, flow charts for computer systems (overview charts), block diagrams and/or decision tables, source program listing (see figure 4);
(v) internal control questionnaires.

A specially designed internal control questionnaire is a feature of any systems permanent file in order to ascertain and evaluate the system. An extract of such an ICQ used by an international firm of accountants is reproduced below.

[Figure 4: The audit approach to computer systems. Recoverable labels: ASCERTAINMENT; HARDWARE - CPU type, storage capacity, peripheral devices and capabilities; SOFTWARE - details of operating system, programming languages supported, utility software available; ORGANISATION - details of sub-division of duties; DOCUMENTATION - descriptions and capacity of system, specification of inputs and outputs, copy of organisation chart, specimen forms, flow charts for clerical systems; EVALUATION - ICQs, notes on control weaknesses.]

Control Objectives

A. That all input data is complete, correct and authorised.
I. Are all types of data batched before submission for processing? If not, what controls operate to ensure that:
(a) All transactions are processed (e.g., sequence checks to report missing serial numbers)?
(b) Transactions are only processed once (e.g., sequence checks to report duplicated serial numbers, or exception reports to list duplicated input)?

II. Where data is batched, are all important fields totalled, in the form of either record counts, value totals or hash totals? If not, what alternative methods are used to ensure that such fields are correctly processed (e.g., the use of check digits)?

III. Are control totals of input printed by the system in respect of:
(a) each batch?
(b) each transaction type?
(c) each complete run?
If such control totals are printed, do they distinguish between:
(a) accepted input?
(b) rejected input?
(c) total input?

IV. Where calculations are performed by the system are there controls which ensure that this function operates properly (e.g., reasonableness checks, reconciliation of the results of successive runs)? Is there sufficient overlap to preserve the audit trail of control totals?

V. Where transactions are generated by the system, are there controls to govern the operation of this process (e.g., reconciliation to predetermined control totals; reasonableness checks; regular test checking)?

VI. Can totals of transactions be traced through the vital stages of subsequent processing (i.e., through further validation programs, sort programs and through each program which updates master files)?

VII. Is balance data (i.e., data held on master files, such as sales and purchase ledger balances) listed periodically for checking and review by user departments?

VIII. Is balance data printed at the end of the accounting period, in sufficient detail for audit purposes?
Testing the system of controls

(a) The testing of the system of controls can be broken down into tests on the disciplines involved within the system. These tests will consist, in the main, of witnessing the evidence of:
(i) manuals and procedures distributed to staff;
(ii) compliance with manuals, procedures and security measures;
(iii) segregation of duties between various work sections;
(iv) work schedules, logs and time records to illustrate that the flow of work is supervised and controlled.

(b) Testing the user's integrity controls. These can be done by a judicious mixture of manual witnessing and machine operations. The manual operations will consist largely of witnessing procedures, e.g., witnessing that job instructions exist and that each processing task is properly set up. The machine procedures should be noted and include the following computer assisted audit techniques (CAATs):
(a) Systems software testing whereby the company's programs in daily use are compared with a file copy in order to discover if unauthorised changes have been made.
(b) Testing password controls so that access to a file is prevented by means of an invalid password.

19.7 Substantive testing using CAATs

Where internal controls are satisfactory, losses of audit trail can be compensated for by alternative audit routines such as the CAATs described earlier, and the amount of substantive testing of transactions can be reduced. However, where internal controls are weak and there are significant areas where visible evidence of processing is lacking, there is a need for independent audit evidence in order to validate the figures in the financial statements.

The commonly used CAATs with examples of their use are given in the following sections. We shall consider:
* computer audit programs;
* resident or embedded code.

Do not forget that the technique of audit simulation described earlier gives substantive assurance as well.

Computer audit programs

The general computer audit program or fixed audit program is a standard piece of file enquiry software which can be purchased by the practising firm or indeed developed for their own use. The user obtains a tape or disc file and a manual of instructions. The user must ensure that his copy of the file is always physically secure and free from the threat of client interference. The manual describes the various procedures that need to be carried out in order to exercise the various options available to the user. The usual options are:
(i) extractive routines;
(ii) reperformance routines;
(iii) statistical sampling routines.

Embedded or resident code

This technique consists of program steps written by the auditor which are inserted into the client's program. The purpose is to test live transactions as they are being processed and to select a sample for further examination. This system may be usefully applied when dealing with real time or data base systems when there is an immediacy of results or processing.

19.8 AUDIT PROBLEMS RELATING TO SMALL COMPUTER SYSTEMS

Introduction

The problems facing the auditor in respect of these types of system [...] to a lack of controls in certain areas. We shall consider [...] mini and micro computer systems.
Minis and micros

[...] arises due to the following factors:
(a) Lack of segregation [...] people operating the system, users and operators [...]

[...] considerations for the auditor and practical obstacles he might encounter. [...] him to rely on the work of other auditors or he [...] have to carry out [...] have to perform procedures at the bureau himself.

The problems

The main problems facing the auditor in this situation are that:
(a) the client is unlikely to be able to specify precisely the general and application controls used by the bureau;
(b) the auditor is unlikely to have easy access to master files and standing data files held at the bureau and so checking the controls over the detailed content may be difficult; and
(c) the auditor will need to ensure that the client has received all exception reports produced and that appropriate action was taken by the client and the bureau to resolve exceptions and correct errors.

The audit approach

(a) The audit approach should evaluate the internal controls at the bureau and between the client and the bureau. ICQs completed by appropriate client staff and bureau officials may be utilised. Where a bureau has many users it will often arrange for a suitable independent firm of auditors to carry out a review of its internal controls and then make this available to users' auditors. The auditor will have to determine the amount of reliance he can place on this third party review.
(b) The auditor can use test data to check controls and procedures at the bureau.
(c) The auditor can use audit software to check the results of processing by the bureau. The software could be run either at the bureau or on the auditor's own hardware.
Specific internal control considerations

The auditor should review the following practical considerations and satisfy himself that:
(a) adequate investigation has been made into the stability of the bureau, its ability to provide a continuing service, and the quality of the work or service provided;
(b) control of data processing by the bureau is adequate;
(c) the client provides a control section, which handles and records data going to the bureau, checks the results of bureau processing, controls the handling and clearance of errors, records the return of data from the bureau, and records the receipt of output from the bureau;
(d) good control procedures are established in the clerical and financial departments of the client, and these link to the work of the control section;
(e) error correction is well-handled. This is a problem with bureaux, because urgency and communication difficulties cause points to be raised verbally [...] time which suits the bureau. Care needs to be taken that amendments are determined by the correct personnel and are recorded;
(f) the question of program ownership is considered, relative to its impact on the continued operation of the client's system. When a bureau is paid to provide programs specially for a client, it should be clear who owns the programs, and preferably the client should be in possession of a copy;
(g) the implementation of the system is
