
CHAPTER 16

Computers in auditing
EXAM FOCUS
There will be regular questions in the exam that require students to have knowledge of the
impact of computers on auditing, but this will often be linked into another area such as the
audit of inventory or auditing the expenses in the income statement.

There are two distinct ways in which computers impact upon the work of auditors.

• Often a client's accounting systems will be computerised and this gives rise to particular
auditing problems; these problems are addressed in ISA 401.

• The auditor himself can use computers to assist in the conduct of the audit.

Both of the above are important areas as far as questions are concerned.

SYLLABUS AND STUDY GUIDE COVERAGE


This chapter covers the following elements of the ACCA study guide:

22 Other Audit and Review Evidence VII

• Describe and illustrate the use of computer assisted techniques in obtaining
evidence.

The ACCA Study Guide has no specific section on computer auditing. Instead it is assumed
that accounting systems are normally computerised, so any auditing activity will require
familiarity with computers. The syllabus content contains two relevant elements:

4h Information technology in planning and risk assessment


6e Computer-assisted audit techniques, their uses and limitations

In order to cover these elements the following topics are included:

ISA 401 Auditing in a computer information systems environment


Internal controls in a computerised system
Use of computers in the audit process
Computer assisted audit techniques (CAATs)

1 Introduction
1.1 The auditor's primary objective
You should not forget that normal principles of auditing still apply irrespective of the system
of recording and processing transactions. Whilst the normal auditing standards should be
followed it is likely that the auditor will need additional guidance in carrying out his audit of a
computerised system.

ACCA Paper F Text - Audit and Assurance (International)

The basic objective remains to form an opinion on the truth and fairness of the financial
statements but the methods by which the auditor obtains the evidence to enable him to form
his opinion may vary somewhat from the methods employed when auditing manual
accounting systems.

1.2 ISA 401: Auditing in a computer information systems environment

ISA 401 recognises that, although the overall objective and scope of an audit does not change in
a CIS environment, the procedures followed by the auditor may need to change. (Note that the
IAASB now uses the term 'computer information systems (CIS) environment' rather than the
old-fashioned term 'electronic data processing (EDP) environment' originally used in ISAs.)

'The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and
review the work performed. The auditor should consider whether specialised CIS skills are
needed in an audit.'

If specialised skills are needed, the auditor should seek the assistance of a professional with
such skills, either on the auditor's own staff or externally. The provisions of ISA will be
relevant in the auditor's use of the work of an expert in such circumstances.

1.3 Effects on the audit


The existence of a computer within the system will cause the auditor to consider the following
special factors:

(a) the need to use staff with specialised knowledge and skills (as noted above);

(b) the possible problems of loss of visible evidence and systematic errors;

(c) the timing of audit work to ensure that data is available in readily usable form;

(d) the possible need to rely on internal controls and the special computer assisted
techniques which can be used.

The main problems facing the auditor are:

(i) understanding how the system processes and produces accounting information and
what controls are operating on the system;

(ii) the loss of a visible audit trail due to a reduction in the amount of printed output.

Loss of audit trail

The audit trail is the facility to trace individual transactions through a system from source (in
most cases a source document) to completion (inclusion in a summary figure in the accounts)
or vice versa. Frequently computer-generated totals, analyses and balances are not printed out
in detail because management is not exercising control through verification of the individual
items processed.

Techniques which the auditor can use to overcome this problem include:

(i) arranging for printouts of information specifically for the auditor's use;

(ii) programmed interrogation facilities whereby records stored on file are printed out on a
selective basis by means of a direct request to that file;

(iii) clerical recreation of totals from source documents;

(iv) testing on a totals basis rather than tracing individual items (eg, comparing analyses
with previous periods and budgets);

(v) using alternative tests (eg, testing inventory counting procedures when movements
making up inventory balances cannot be tested);

(vi) using computer assisted audit techniques (CAATs - see below).

1.4 Computer-assisted audit techniques


CAATs are an important part of the syllabus. Examples of their use are provided later in the
chapter; a brief introduction of the key terminology is provided below:

Types of CAATs

Audit software: the auditor's programs applied to the client's data. Main use - in substantive tests.

• Package programs
• Purchase-written programs
• Utilities

Test data: the auditor's data applied to the client's programs. Main use - in tests of control.

• Live test data
• Integrated test facility

Others

• Embedded audit facilities, eg, resident code
• Program code analysis

2 Internal controls
2.1 Types of controls
Controls over computer-based accounting systems are usually considered under two main
headings, namely application controls and general controls.

(a) Application controls. These relate to the transactions and standing data appertaining to
each computer-based accounting system and are therefore specific to each application.
The objectives of application controls, which may be manual or programmed, are to
ensure the completeness and accuracy of the accounting records and the validity of the
entries made therein resulting from both manual and programmed processing.

(b) General controls. These are controls, other than application controls, which relate to the
environment within which computer-based accounting systems are developed,
maintained and operated, and which are therefore applicable to all the applications.
The objectives of general controls are to ensure the proper development and
implementation of applications, and the integrity of program and data files, and of
computer operations. Like application controls, general controls may be either manual
or programmed.

Application and general controls are inter-related. Strong general controls contribute to the
assurance which may be obtained by the auditor in relation to application controls. On the
other hand, unsatisfactory general controls may undermine strong application controls or
exacerbate unsatisfactory application controls.

2.2 Application controls


Main areas of controls

Control must be established over three areas and the examples of controls given below are
common to many applications.

Controls should cover:

(i) completeness, accuracy and authorisation of input;
(ii) completeness and accuracy of processing;
(iii) maintenance of master files and the standing data contained therein.

Controls over input

(i) Completeness checks include:

• manual or programmed agreement of control totals;
• one for one checking of processed output to source documents;
• manual or programmed sequence checking;
• programmed matching of input to a control file, containing details of expected
input;
• procedures over resubmission of rejected data.

(ii) Accuracy checks include:

• programmed check digit verification;
• programmed reasonableness checks, including checking the logical relationship
between two or more files;
• programmed existence checks against valid codes;
• manual scrutiny of output.

(iii) Authorisation checks include:

• checking and signing of input documents by a senior employee;
• programmed checks that transactions do not exceed authorisation limits.

Controls over processing

Control techniques used to ensure completeness and accuracy of input may also assist in
controlling processing. Other controls are:

(i) batch reconciliations produced after a file update;

(ii) summary processing eg, a depreciation calculation based on total asset value
compared with the sum of depreciation calculations based on individual asset values.

Controls over master files and standing data

In view of the importance of these files more costly control techniques are often justified such
as:

(i) one for one checking of master file amendments;

(ii) user review of the contents of master files on a cyclical basis;

(iii) record counts and hash totals established and checked by the user each time the file is
used.
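
The programmed input controls listed above (control totals, hash totals, sequence checking, check digit verification, existence checks and authorisation limits) can be seen working together in the Python sketch below. It is an added example, not part of the original text; the batch layout, the modulus-11 check digit scheme, the product codes, the limit and the sample batch are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed standing data and limit, for illustration only.
VALID_PRODUCT_CODES = {"P100", "P200", "P300"}
AUTHORISATION_LIMIT = Decimal("5000.00")


@dataclass(frozen=True)
class Txn:
    seq: int          # pre-numbered document number
    account: str      # six digits, the last one being a check digit
    product: str
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    record_count: int        # number of documents in the batch
    control_total: Decimal   # sum of amounts, established before input
    hash_total: int          # sum of account numbers (meaningless in itself)


def check_digit_ok(account: str) -> bool:
    """Modulus-11 check: weights 1, 2, 3... applied from the right-hand digit."""
    if not account.isdigit():
        return False
    weighted = sum(int(d) * w for w, d in enumerate(reversed(account), start=1))
    return weighted % 11 == 0


def validate_batch(header: BatchHeader, txns: list[Txn]) -> list[str]:
    """Return an exception report; an empty list means the batch is accepted."""
    report = []

    # Completeness: agree record count, control total and hash total.
    if len(txns) != header.record_count:
        report.append(f"record count {len(txns)} != header {header.record_count}")
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != header.control_total:
        report.append(f"control total {total} != header {header.control_total}")
    hash_total = sum(int(t.account) for t in txns if t.account.isdigit())
    if hash_total != header.hash_total:
        report.append(f"hash total {hash_total} != header {header.hash_total}")

    # Completeness: sequence check for missing and duplicated document numbers.
    seqs = sorted(t.seq for t in txns)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            report.append(f"duplicate document {cur}")
        for missing in range(prev + 1, cur):
            report.append(f"missing document {missing}")

    # Accuracy and authorisation checks on each transaction.
    for t in txns:
        if not check_digit_ok(t.account):
            report.append(f"{t.seq}: account {t.account} fails check digit")
        if t.product not in VALID_PRODUCT_CODES:
            report.append(f"{t.seq}: unknown product code {t.product}")
        if t.amount > AUTHORISATION_LIMIT:
            report.append(f"{t.seq}: amount {t.amount} exceeds authorisation limit")
    return report


# Constructed sample: the header was prepared from five source documents, but
# document 1003 was never keyed and the account on 1002 was transposed on input.
SAMPLE_HEADER = BatchHeader(5, Decimal("9130.50"), 1540506)
SAMPLE_BATCH = [
    Txn(1001, "123455", "P100", Decimal("250.00")),
    Txn(1002, "213455", "P200", Decimal("1200.00")),   # should read 123455
    Txn(1004, "400122", "P999", Decimal("80.50")),     # product code not on file
    Txn(1005, "770019", "P300", Decimal("7500.00")),   # over the limit
]

if __name__ == "__main__":
    for line in validate_batch(SAMPLE_HEADER, SAMPLE_BATCH):
        print(line)
```

The transposed account number is caught twice, once by the check digit and once by the hash total, which is why the two controls are normally used together.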

2.3 General controls


Areas of control

General controls must be established over many areas since they cover the computer
installation itself rather than any individual application. The principal requirements are
controls:

(i) over application development;


(ii) to prevent or detect unauthorised changes to programs;
(iii) to ensure that all program changes are adequately tested and documented;
(iv) to prevent or detect errors during program execution;

(v) to prevent unauthorised amendments to data files;
(vi) to ensure that systems software is properly installed and maintained;
(vii) to ensure that proper documentation is kept; and
(viii) to ensure continuity of operations.

Application development and program amendments

Important controls over these areas include:

(i) segregation of duties for systems design, programming, operating and supervision;
(ii) approval of development by senior employees and monitoring by internal audit;
(iii) procedures to prevent unauthorised access to programs;
(iv) comparison of production programs to controlled copies;
(v) documentation of all system changes.

Prevention and detection of errors during program execution

These controls are needed to ensure that the correct program is used with appropriate files,
programs are run in the correct sequence and errors arising during program execution are
resolved. Controls include:

(i) use of an operations manual setting out procedures;


(ii) job scheduling;
(iii) training and supervision of operators.

Prevention and detection of unauthorised amendments to data files

This area is largely dependent on application controls over specific files but general controls
may also be applicable. These would include:

(i) password protection of files;


(ii) procedures for recording and investigating unauthorised access attempts;
(iii) integrity of back up files;
(iv) physical protection of files.

Controls to ensure continuity of operations

These controls are necessary to minimise the impact of any system failure that might occur.
Common back-up procedures include:

(i) arrangements to use alternative facilities (hot site);


(ii) protection of equipment against fire and other hazards;
(iii) emergency and disaster recovery procedures;
(iv) maintenance agreements and insurance.

3 Planning considerations
3.1 The audit strategy
The purpose of audit planning is to enable the auditor to achieve in the most efficient manner
the principal objective of the audit, which is to ascertain whether, in his opinion, the financial
statements on which he is reporting show a true and fair view of the state of affairs at a given
date and of the results and cash flows for the period ended on that date.

The first stage in the audit approach is for the auditor to determine the most efficient and
effective audit strategy for each aspect of the financial statements. In order to determine the
audit strategy, the auditor will need to gain a preliminary understanding of the nature of the
client's business and particular risk areas, of the nature and significance of account balances
within the financial statements, and of the client's accounting system and related internal
controls.

Based on his preliminary understanding the auditor will decide whether to base the audit of
each significant account balance or group of account balances in the financial statements
principally on:

(a) tests of control designed to confirm the consistent and proper operation of accounting
systems from which account balances are derived in combination with limited
substantive tests directed to the completeness, validity and accuracy of account
balances; or

(b) substantive tests directed to the completeness, validity and accuracy of account
balances.

3.2 Balance of compliance and substantive work


Although the principles of determining audit strategy are the same as for non-computerised
systems, in practice the process is more complicated where the client has a computer system.

This is because in addition to the manual controls carried out on the data being processed, the
auditor will be concerned with other types of procedures and controls which are unique to
computer systems. Two significant points can be made.

(a) The control environment will typically be more complex due to:

(i) the likely existence of an additional "layer" of controls in the form of general
controls; and

(ii) the existence of programmed procedures and controls within the client's
software.

[Diagram: Controls are divided into General and Application; the lower level shows Programmed procedures and Manual.]

In determining the audit strategy, it will be necessary for the auditor to understand
clearly the nature and different types of internal control and the way in which they
relate to one another.

(b) Certain features of computerised processing in general may influence the audit
strategy decision. For example, the auditor may use computer programs to quickly
examine large volumes of processed data, thus adopting substantive testing
procedures as an alternative to, or to supplement, control reliance.

4 Internal control evaluation


4.1 Evaluation of internal control environment
When, as part of his audit strategy, the auditor has decided to place reliance on his client's
system of internal control, he will need to carry out a detailed examination of the controls in
order to assess any weaknesses which may affect the extent to which he can place reliance on
them. He may also wish to evaluate controls in order to report to management weaknesses
that come to his notice, so as to assist management in carrying out its obligations to establish
and maintain controls that will ensure, as far as possible, the reliability of the company's
accounting records and the safeguarding of its assets.

A common approach is the use of an internal control questionnaire (ICQ) to identify and
evaluate the controls which exist in a computer system.

This might consist of questions asking whether there are controls in a system which meet
specified overall objectives, or which prevent or detect the occurrence of specified errors or
omissions.

In addition to a detailed ICQ, it is frequently helpful to summarise the principal controls over
each system in a form that enables the auditor rapidly to gain an impression of the overall
strength of control. This may take the form of a "control matrix".

Alternatively, some firms structure their ICQs for use in an EDP environment by considering
general controls in the first section, and only if these appear to be adequate for audit purposes
and suitable for testing would they move on to a second section which identifies and evaluates
application controls.

In the section on application controls, an integrated set of internal control questions may be
used covering controls over both the manual part and the programmed part of the application,
and the impact of relevant general controls.

4.2 Timing of evaluation


It is highly desirable to evaluate the controls in a computer system before it becomes
operational. This is more important than it is in a non-computer system for the following
reasons:

(a) It is difficult to make changes to a computer system once it is operational. The auditor
should therefore make any suggestions or recommendations at the relevant stage of
development so that they can be incorporated easily. Indeed, clients often encourage
or specifically require the auditor's evaluation and comments prior to implementation.

(b) The auditor will need to know the nature and extent of programmed procedures in
order to decide whether to rely on and test the implementation controls. Without
adequate lead time before implementation he may be unable to plan and perform the
tests.

(c) The auditor may be able to arrange for additional features to be included in the system
that will assist his subsequent audit tests. For example, facilities may be arranged to
obtain print-outs on request or for additional fields to be included on master files for
subsequent examination by a computer audit program.

It should be added that, whilst for the above reasons it will be highly desirable for the auditor
to review systems prior to their going live, this will not be possible in all cases. Where he is
required to evaluate systems which have been in operation for some time, the auditor should
bear in mind the possible difficulty of making program changes, which he may nevertheless
deem desirable. In these cases he should consider, where practicable, making alternative
recommendations to strengthen manual controls.

4.3 Performing tests of control


The auditor must carry out suitable tests to provide evidence that the controls on which he
wishes to place reliance have continued to operate properly throughout the period under
review. In general, the auditor will wish to carry out tests of control on all those controls
which he identified and expected to rely on when he was completing the ICQ.

The auditor will normally carry out his tests of control on general controls before those on
application controls. This is because, if the general controls have operated satisfactorily, the
auditor will be able to restrict his work on the application controls. The approach he adopts to
the application controls is thus largely dependent on the results of his tests on the general
controls.

In computer systems it is frequently not possible to carry out conventional audit tests because
visible evidence is not available as a routine. Alternative techniques include the use of CAATs
such as audit software, audit test data and program code analysis, which are unique to computer
systems.

4.4 Loss of visible evidence


In computer processing, the results of processing may not be printed out in detail. In the
absence of such a print-out, the auditor cannot test the operation of programmed procedures
by conventional means. There are three ways in which this difficulty can arise. Firstly, totals
and analyses may be printed out without supporting details, thus rendering it impossible for
the auditor to check the total or analysis. The second situation, although common, is less
obvious. Where exception reports and rejection listings are produced, it is often impossible, by
reference to the reports or listings, to establish that all items which should have been reported
or rejected have been properly treated. Thirdly, the control procedure may be carried out
entirely through a computer terminal with no evidence being printed out, as for example when
data is edited during input and errors are displayed on the screen for the operator to correct
immediately instead of being reported on an edit listing.

These three types of situation have traditionally been covered by the phrase "loss of audit
trail". However, this term is unfortunate in that it implies that the means to check results by
conventional tests should be available to auditors and the failure to incorporate this in the
system is a matter for criticism. This is not true; what matters is the adequacy of the controls.
If the failure to print out constitutes a weakness in control, as, for example, if the contents of
suspense files were not regularly printed out, the system is deficient and the auditor is correct
to draw this to the attention of the company. But if the failure to print out does not represent a
weakness, the auditor should normally devise alternative techniques to test the operation of
the programmed procedures. For these reasons the term "visible evidence" is used in this
chapter in preference to "audit trail".

4.5 Manual tests


Manual tests of programmed procedures can be carried out where full visible evidence of the
programmed procedure is available; for example, where a complete listing of sales invoices is
provided, it can be added up to confirm the sales total, or where debtors' statements show all
transactions on individual accounts, postings thereto can be checked. Tests will consist of
repeating the work that the program carried out and verifying that the results are the same.

Manual tests can also be carried out where full visible evidence is not provided by the system,
but can be created in one of the following ways:

(a) working on current data before it is sent for processing by the computer, for example
manually checking the validity of product codes on despatch notes in order to test a
programmed validity check;
(b) selecting a small number of items from those submitted for processing and processing
these in a separate run, for example processing a small number of purchase invoices
separately to allow the purchase analysis to be checked;
(c) simulating a condition which will produce a report if the programmed procedure is
working properly, for example altering an item on an input document so that it fails to
match correctly with data in a pipeline file, or withholding a document so that it is
reported as missing (this approach requires careful planning and the agreement of the
client); or
(d) requesting a special print-out of items processed, for example a listing of sales invoices
included in a sales total produced by the computer.

Where visible evidence of the operation of a programmed procedure neither exists nor can be
created, and the appropriate condition cannot be simulated, it is not possible to carry out
manual tests.

4.6 Audit test data


This technique consists of devising fictitious data and predicting the results that should be
obtained if the programmed procedures operate properly. The data is processed against the
client's operational programs and the actual results are checked against the predicted results.
This technique is normally used where there is incomplete evidence available of how the
procedure operated and manual tests are either impracticable or inefficient. Audit test data is
usually designed to test the operation of several programmed procedures within an
application, for example by processing fictitious orders to produce invoices, sales totals and
entries in inventory and accounts receivable ledgers. In this case, although it may remain
possible to test some of the programmed procedures by manual tests, for example calculations,
it will often be more efficient to test them by the use of test data.

There are two methods of running audit test data, which are termed "live" and "dead". Audit
test data is classified as dead when the data is processed using the company's operational
programs but separately from the company's data and using copies of master files or dummy
files set up for the purpose. Audit test data is classified as live where the data is processed at
the same time as the company's data, using the actual master files. Usually specific records on
the master files will be reserved or created for this purpose. This form of "live" test data is
often called an integrated test facility (ITF).

There are advantages and disadvantages in both "live" and "dead" audit test data. The
disadvantages of one method are, in general, the advantages of the other. In practice, the
advantages of running "live" usually outweigh the advantages of running "dead".
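
A "dead" test data run as described above, written as an added Python example that is not part of the original text. The function client_invoice_program is a hypothetical stand-in for the client's operational program and contains a seeded fault so that the comparison has something to find; the master file copy, prices and fictitious orders are constructed for illustration.

```python
import copy
from decimal import Decimal

# Constructed copy of the customer master file: a "dead" run never touches
# the live file.
MASTER_COPY = {
    "C001": {"balance": Decimal("900.00"), "credit_limit": Decimal("1000.00")},
    "C002": {"balance": Decimal("0.00"), "credit_limit": Decimal("500.00")},
}
PRICES = {"P100": Decimal("25.00"), "P200": Decimal("40.00")}


def client_invoice_program(master, order):
    """Hypothetical stand-in for the client's operational invoicing program.

    Seeded fault: the credit check looks at the order value alone and ignores
    the balance already outstanding on the account.
    """
    cust = master.get(order["customer"])
    if cust is None or order["product"] not in PRICES or order["qty"] <= 0:
        return {"status": "REJECTED"}
    value = PRICES[order["product"]] * order["qty"]
    if value > cust["credit_limit"]:      # fault: should test balance + value
        return {"status": "REJECTED"}
    cust["balance"] += value
    return {"status": "INVOICED", "value": value}


# Fictitious orders devised by the auditor, each paired with the result
# predicted if the programmed procedures operate properly.
TEST_DATA = [
    ("valid order",
     {"customer": "C002", "product": "P100", "qty": 4},
     {"status": "INVOICED", "value": Decimal("100.00")}),
    ("unknown customer",
     {"customer": "C999", "product": "P100", "qty": 1},
     {"status": "REJECTED"}),
    ("invalid product code",
     {"customer": "C002", "product": "P999", "qty": 1},
     {"status": "REJECTED"}),
    ("zero quantity",
     {"customer": "C002", "product": "P100", "qty": 0},
     {"status": "REJECTED"}),
    ("breaches credit limit",            # 900.00 + 200.00 exceeds 1000.00
     {"customer": "C001", "product": "P200", "qty": 5},
     {"status": "REJECTED"}),
]


def run_test_data(program, master, test_data):
    """Process the test data on a private copy of the master file.

    Returns a list of (test name, predicted result, actual result) for every
    case where the program did not behave as predicted.
    """
    working = copy.deepcopy(master)
    differences = []
    for name, order, predicted in test_data:
        actual = program(working, order)
        if actual != predicted:
            differences.append((name, predicted, actual))
    return differences


if __name__ == "__main__":
    for name, predicted, actual in run_test_data(
            client_invoice_program, MASTER_COPY, TEST_DATA):
        print(f"{name}: predicted {predicted}, actual {actual}")
```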

4.7 Audit software and program code analysis


Audit software (the auditor's own computer programs) and program code analysis may
occasionally be used.

Audit software

The auditor usually makes use of his own computer programs to assist in the carrying out of
substantive tests. However, the auditor may decide to use his own computer programs to
assist in testing programmed controls. This use of programs is often referred to as simulation.
There is no fundamental difference between the audit use of computer programs as a
substantive test and as a test of a programmed control. The main distinction is that, when used
for simulation, the objective of the auditor's program is to check that the company's program is
operating correctly by checking and agreeing figures prepared by the company's programs.
When used as a substantive test, the program is also used to provide the auditor with
information from the files, over and above that produced by the company, that will be helpful
in his audit.

Examples of the use of a computer audit program as a method of testing programmed
procedures include reading a sales invoicing file to verify the production of the sales analysis,
reading a file of numbered goods received notes to verify the production of a missing numbers
report, and reading a file of inventory movements to verify the production of an inventory
evaluation and analysis report.

Program code analysis

Program code analysis comprises the examination by the auditor of source listings of
operational programs to determine that the relevant programmed procedures are present and
are logically coded. The technical skill required to perform program code analysis is high, as
the auditor needs to be familiar with the program language used. The auditor must verify that
the coding on the source listing that he is examining is the same as that contained in the
operational program which is used for processing.

5 Substantive testing
5.1 Techniques available
Where records supporting balance sheets and income statements are maintained by computer,
the objectives of the substantive tests and the relationship between the system of internal
control and the substantive tests remain the same. However, because of, firstly, the
opportunity to make use of the computer to assist in substantive testing, and, secondly, the
distinctive control features in computer systems, there are often changes in the substantive
tests.

The audit use of file interrogation software to examine data held on computer files represents
the most common use of the computer to assist in substantive testing. The two most significant
features in using computer programs are that, firstly, all relevant items are normally examined,
whereas when manual tests are used only a sample is normally examined, and secondly,
additional information of assistance to the auditor can often be produced. The combination of
these two factors usually enables the auditor to carry out more effective or more efficient
substantive tests than are practicable by manual means.

It is advisable to establish formal procedures to control the use of audit software. This will
help ensure that software is used only in cases where the cost can be justified, that the
contemplated objectives are appropriate, and that the costs are controlled.

5.2 Use of audit software


The auditor can gain considerable improvements in both the effectiveness and efficiency of his
substantive testing by using the computer to assist in his work. The most effective use of the
computer for this purpose has been in the development of file interrogation software to
interrogate data held on a client's system.

Auditors, confronted with large files of accounting data, quickly found the idea of using file
interrogation software attractive. Using such file interrogation programs offered several major
advantages over manual work. Firstly, the work is carried out much faster and more
accurately by program. A typical program running on a medium-size computer might review
and classify around 50,000 accounts in five minutes and with much greater consistency than
clerical workers would be able to achieve. Secondly, as a result, far more data can be reviewed.
Invariably, in manual auditing, a compromise has to be struck between the volume the auditor
would like to examine and the volume he can examine in practice. This leads in manual work
to the use of sampling techniques of either a formal or informal nature. With a file
interrogation program it is often possible to read the whole population in the time it would
take an auditor to work out what the sample should be. Thirdly, less paper work is required
and generated; it is only necessary to print out the results of the test or the items selected for
investigation. Lastly, and most importantly, clerical audit time can be devoted to an
examination of the items defined by the auditor as significant; in other words, the auditor can
concentrate on what matters most.

In general, audit software can be used to assist substantive tests in the following ways:

265
$&&$3DSHU)7H[W²$XGLWDQG$VVXDUDQFH ,QWHUQDWLRQDO

¨ 7KH UHSHUIRUPDQFH RI WKH FRPSDQ\·V SURFHGXUHV IRU H[DPSOH UHSHUIRUPLQJ WKH
accumulation and ageing of accounts receivable.

¨ The selection of defined items in account balances for the purpose of confirmation or
inspection. The program can also assist in the confirmation work, for example by printing
confirmation request letters. In the context of sampling, the program could also perform
stratification.

¨ The production of additional account analyses and exception reports, for example an
analysis of accounts receivable in relation to credit limits, or exception reports of excess
inventory based on past usage.

The precise nature of the tasks which could be performed will depend on the specific
application. An illustration of the use of audit software in the area of accounts receivable is
provided below.

5.3 Audit of accounts receivable


Tasks of audit software might include:

¨ Analysing the balances or transactions into age categories. Often a more detailed analysis
than that prepared by the company is required. Analysing by transaction type may
produce useful information regarding payments on account and unmatched adjustments.
¨ Analysing the balances into strata by reference to the amount outstanding and reporting
the largest individual balances on the file.
¨ Identifying balances in excess of credit limits, analysing them into strata by reference to the
amount by which the credit limit is exceeded and computing the amount of excess over
credit limits.
¨ Identifying accounts with unusual credit limits or no credit limits.
¨ Identifying unusual transactions, for example large sales near the year end or transfers
between accounts.
¨ Identifying unmatched transactions, for example payments on account.
¨ Identifying unusual standing data, for example high discount rates.
¨ Selecting items for confirmation and printing appropriate confirmation requests. These
items can be written to the file and replies can be matched. Information regarding
outstanding items and second requests can then be produced.
¨ Comparing amounts outstanding at the balance sheet date with subsequent cash receipts,
computing the amount remaining unpaid after a reasonable time and analysing the
balances into strata by reference to this amount.
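
Several of the tasks listed above (ageing by transaction type, credit limit exceptions, stratification and reporting the largest balances) can be sketched as a small interrogation program. This is an added example, not part of the original text; the ledger is constructed, and the age bands, stratum boundaries and function names are assumptions.

```python
from datetime import date
from collections import defaultdict

YEAR_END = date(2024, 12, 31)  # constructed balance sheet date
# Constructed receivables ledger: open items per customer (not real client data).
LEDGER = [
    {"account": "C001", "credit_limit": 5000, "items": [
        ("INV", date(2024, 12, 10), 3000), ("INV", date(2024, 9, 1), 4000)]},
    {"account": "C002", "credit_limit": None, "items": [
        ("INV", date(2024, 11, 20), 1200)]},
    {"account": "C003", "credit_limit": 20000, "items": [
        ("INV", date(2024, 12, 30), 15000), ("PAY", date(2024, 12, 15), -2500)]},
    {"account": "C004", "credit_limit": 1000, "items": [
        ("INV", date(2024, 6, 5), 800)]},
]
AGE_BANDS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]  # days; older is "90+"

def balance(acct):
    return sum(amount for _, _, amount in acct["items"])

def age_ledger(ledger, as_at=YEAR_END):
    """Reperform the ageing: total open items per (age band, transaction type)."""
    aged = defaultdict(int)
    for acct in ledger:
        for kind, when, amount in acct["items"]:
            days = (as_at - when).days
            band = next((name for limit, name in AGE_BANDS if days <= limit), "90+")
            aged[(band, kind)] += amount
    return dict(aged)

def credit_limit_exceptions(ledger):
    """Return ({account: excess over limit}, [accounts with no credit limit])."""
    over = {a["account"]: balance(a) - a["credit_limit"] for a in ledger
            if a["credit_limit"] is not None and balance(a) > a["credit_limit"]}
    no_limit = [a["account"] for a in ledger if a["credit_limit"] is None]
    return over, no_limit

def stratify(ledger, boundaries=(1000, 5000, 10000)):
    """Stratum i holds balances <= boundaries[i]; the last stratum holds the rest."""
    strata = defaultdict(list)
    for acct in ledger:
        bal = balance(acct)
        idx = next((i for i, b in enumerate(boundaries) if bal <= b), len(boundaries))
        strata[idx].append((acct["account"], bal))
    return dict(strata)

def largest_balances(ledger, n=2):
    """Report the n largest individual balances on the file."""
    return sorted(((a["account"], balance(a)) for a in ledger), key=lambda x: -x[1])[:n]
```

The aged totals should always agree with the sum of the account balances; a difference points to items the ageing has dropped or double counted.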

5.4 Audit use of microcomputers


Auditors have made increasing use of microcomputers in recent years in a variety of aspects of
their work. Many of these uses are administrative and do not relate to substantive test work,
for example programs for preparing audit budgets and programs for non-audit purposes such
as cashflow projections. Microcomputer software is, however, also being used to assist in
substantive testing in a variety of ways. Much of this software is being developed using
packages which are commonly available for microcomputers such as spreadsheet and data
storage and retrieval packages. The program is thus a tailored version of the standard
package, commonly referred to as a template.

A particularly effective use of such packages may be to assist in analytical review work. For
example, a template might be programmed to include the normal income statement and
balance sheet headings and a variety of useful ratios and comparisons can be programmed into
the model. Data for a particular client can then be input to the template, which will analyse the
information for audit purposes. It may well be possible to use such templates to compare
actual to budgeted figures or to build up a history of a client covering a number of past years.

5.5 Resident code


Resident code, also known as a resident program or embedded audit facilities, consists of
program steps written by the auditor and inserted into the company's accounting programs.
The auditor's coding may be included within a company's existing operational program.
Alternatively, it may be written as a separate program or programs and be processed, at a
predetermined point, as part of the company's programs. The principal purpose of the
resident code is to review "live" transactions as they are processed, to select items according to
criteria specified in the resident code, and to write the selected items to an output file for
examination by the auditor.

This technique is highly relevant to the modern event-driven processing systems. Resident
code can randomly check transactions for validity and capture data for the auditor. This type
of random check is very useful in high volume, high speed applications such as banking.
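
The mechanism described above can be sketched as follows: an auditor-written step is called at a fixed point in the posting routine, selects transactions by criteria or at random, and writes them to an output file. This is an added example, not part of the original text; the class, the selection criteria and the transactions are hypothetical and constructed.

```python
import io
import json
import random

class ResidentAuditCode:
    """Auditor-written selection step called from inside the company's program."""
    def __init__(self, criteria, sample_rate, out, seed=None):
        self.criteria = criteria        # {reason: predicate(txn) -> bool}
        self.sample_rate = sample_rate  # share of other transactions taken at random
        self.out = out                  # auditor's output file, one JSON record per line
        self.rng = random.Random(seed)

    def review(self, txn):
        """Inspect one live transaction; it is neither changed nor held up."""
        reasons = [name for name, test in self.criteria.items() if test(txn)]
        if not reasons and self.rng.random() < self.sample_rate:
            reasons = ["random_sample"]
        if reasons:
            self.out.write(json.dumps({"reasons": reasons, "txn": txn}) + "\n")
        return reasons

# Hypothetical selection criteria specified by the auditor.
CRITERIA = {
    "large_amount": lambda t: t["amount"] >= 10000,
    "inter_account_transfer": lambda t: t["type"] == "TRANSFER",
    "missing_authoriser": lambda t: not t.get("authorised_by"),
}

def post_transactions(txns, balances, audit):
    """Stand-in for the company's operational program; the hook runs after posting."""
    for txn in txns:
        balances[txn["account"]] = balances.get(txn["account"], 0) + txn["amount"]
        audit.review(dict(txn))  # pass a copy so the audit step cannot alter the record
    return balances

# Constructed live transactions (not real data).
TXNS = [
    {"id": 1, "account": "A1", "type": "SALE", "amount": 250, "authorised_by": "jk"},
    {"id": 2, "account": "A2", "type": "SALE", "amount": 12000, "authorised_by": "jk"},
    {"id": 3, "account": "A1", "type": "TRANSFER", "amount": -400, "authorised_by": ""},
    {"id": 4, "account": "A3", "type": "SALE", "amount": 90, "authorised_by": "mp"},
]

def run_demo(sample_rate=0.0, seed=1):
    """Process TXNS and return (balances, records written to the audit file)."""
    out = io.StringIO()
    audit = ResidentAuditCode(CRITERIA, sample_rate, out, seed)
    balances = post_transactions(TXNS, {}, audit)
    return balances, [json.loads(line) for line in out.getvalue().splitlines()]
```

In practice the output file needs to be writable only by the audit step and readable only by the auditor, otherwise the client's staff could alter or remove the selected items.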

6 Microcomputers in the audit practice


6.1 Introduction
The audit firm which wishes to make use of a microcomputer or microcomputers in its own
practice will generally find it most useful to begin by automating audit administration. The
most obvious example is the automation of audit budgets and actual cost recording.

It is also possible to extend the uses of microcomputer software to tasks that are a more integral
part of the audit process. For example, audit working papers may be produced using portable
notebook computers which can be easily transported to the client's premises.

6.2 Audit administration


Audit budgets and actual costs

Audit assignments typically require a detailed budget expressed in units of time and analysed
by grade of staff and by task. Totals and sub-totals of hours allocated then need to be
multiplied by the charge-out rates for each grade of staff so that the budget costs can be
evaluated and a fee can be set. Actual costs will be accumulated from timesheets, again
analysed at least by grade of staff, and ideally also by task, for example, compliance testing and
substantive testing. Such two-dimensional arrays of numerical data are exactly suited to the
type of software known as a spreadsheet package.

Spreadsheet packages normally allow some degree of protection for the embedded formulae
and a limited amount of programming (known as execute or macro routines, for example),
making it possible for simple systems to be prepared and data files to be maintained. Taking
audit budgets as an example, a spreadsheet system could be designed:

¨ to handle any number of files of budget and actual data, for as many years as required;

¨ to produce standard reports comparing any pair of files, for example actual costs for this
year compared to actual costs on the same client for last year;

¨ to produce summarised reports or variance reports;

¨ to accumulate and evaluate the timesheet data for each period and then to add it to the
accumulating file of current year actual costs.

Contacts and other databases


Having dealt with automating budgets, the next most common use of microcomputers by the
auditor is automating various lists of names and addresses. At the simplest this will be
nothing more than a mailing list, varying up through degrees of complexity to a full contacts or
client database.

Another form of database could be built up from the auditor's own diary of jobs that need to be
done on each client assignment and the dates on which they fall due. In addition to reports on
an individual audit, the system allows exception reports to be produced for groups of clients.
Such reports could be used to monitor progress on the audits of a parent company and its
subsidiaries or on all of the jobs controlled by a particular audit partner or manager. Reports
can also be produced by date to assist in planning work, for example all tasks scheduled to be
completed in the month ahead.

Statistics

Perhaps the most complex administration system that the auditor would be tempted to set up
on a microcomputer would be one designed to produce statistics to help monitor and control
aspects of his own business, for example:

¨ personal data, recording staff qualifications, work experience, courses attended, and so on,
to help with managing staff;

¨ billing information, showing dates due and dates paid, to help with cashflow management;

¨ client information, for example data processing installation and application details, to help
analyse the extent of likely future computer-assisted audit techniques needed on current
audit clients;

¨ information on businesses in an area, extracted from a public database, to help promote
practice development.

Producing audit working papers

The working paper is an integral part of the audit. Most lead schedules and their supporting
analyses vary very little from year to year. They will normally hold prior year figures as well
as current year, and the percentage fluctuation will usually be computed. A word-processing
or a spreadsheet package can be used to automate standard audit working papers.

A more ambitious project, but one which offers the potential for greater cost savings, would be
to capture the client's trial balance on the microcomputer, together with a suitable description
of the way in which the trial balance items should be processed to produce the client's financial
accounts, and then to produce or deal with:

¨ lead schedules;
¨ supporting analyses;
¨ financial statements;
¨ client adjustments;
¨ proposed audit adjustments;
¨ reports and ratios designed for analytical review work.

Audit test decision support systems

In addition to using software to produce working papers upon which to record the audit work
that was done, it is also possible to use microcomputer software to assist in tasks that require
the exercise of audit judgement. There are many instances where computations need to be
made to help the auditor reach a decision on an audit test, and it often happens that those
computations need to be made many times, using different values for the most significant
variables. In these cases a microcomputer can be programmed to carry out the computation in
such a way that the important variables can be changed easily and the results produced as
many times as may be needed to show how sensitive they are to fluctuations in the underlying
assumptions.

A spreadsheet package could be used to set up such models.

Analytical review software is a particular type of audit test decision support software. Here,
the microcomputer would be used to store, rearrange and report data, including industry
comparatives, on which the auditor may wish to perform analytical review. The computation
of ratios and presentation of the results, possibly in the form of a graph, are tasks which most
microcomputers and printers can perform, with the appropriate software.

Downloading and the use of audit software

Data file interrogation software on a microcomputer will be relevant in cases where the client's
data file can be accessed using the audit microcomputer as a terminal, or where the client's data
file can be transferred to the audit microcomputer and interrogated there ("downloading").

Technical assistance may be needed to transfer data files to a microcomputer in order to
reformat the file into a form that can be read by whatever interrogation software package is to
be used on the microcomputer.

Expert systems

The auditor must make many selections, decisions and judgements in the course of reaching
the audit opinion. There is no doubt that microcomputer software can be used to support the
auditor's decision making, but whether it can ever go so far as to make decisions for the
auditor is a different matter. Software capable of exercising judgement is generally known as
an expert system. An expert system attempts to codify the knowledge and experience of one or
more expert persons, in a way that incorporates the lack of precision in human opinions.
Microcomputer packages that can be used to build simple expert systems are available, and
many pilot auditor systems are in development. Whether any of these current developments
will result in practical audit systems is, at the moment, a matter for speculation.

Practice question 1 (The answer is in the final chapter of this book)


Computer security

Computer security is of vital importance, not only to the accountant in industry but also to the
accountant in practice, who may be advising his client as to suitable security controls or who
may be auditing a computer system. Security is the means by which losses are controlled and
therefore involves the identification of risks and the institution of measures either to prevent
such risks entirely or to reduce their impact.

Required

(a) State the main areas of risk which may arise in relation to a computer system and in
each case explain one factor which could lead to the system being exposed to such a
risk.

(b) Describe the different forms of control which should be instituted to safeguard against
computer security risks. (10 marks)


Practice question 2 (The answer is in the final chapter of this book)


Microcomputers

The use of microcomputers in accounting systems may create problems for the auditor due to:

(a) direct access to the computer by users;

(b) immediate processing of data;

(c) the lack of permanent records of data input.

Required

Explain controls which should be exercised:

(a) to ensure that only authorised people are allowed access to information on files and to
input data to update them;

(b) to ensure that only authorised data is input and that a proper record of all data is kept;

(c) to ensure that all input errors and unauthorised file amendments are highlighted.
(15 marks)

Practice question 3 (The answer is in the final chapter of this book)


Test packs and computer audit techniques

The main computer audit techniques which make use of a computer while auditing are test
packs (test data) and computer audit programs (audit software).

Required

(a) Discuss the limitations of these two techniques.

(b) Describe five input control techniques which can be incorporated into a computer
operational program. (15 marks)

7 Summary
This chapter has covered three main aspects of computer auditing.

Required internal controls

Controls are divided into:

¨ Application controls - to ensure the completeness and accuracy of accounting records;

¨ General controls - to ensure the proper development and implementation of applications
and the integrity of program and data files and of computer operations.

You should learn the various possible controls, since questions on them are likely to occur.

Use of computer assisted audit techniques (CAATs)

It is important to have a good knowledge of audit software and test data, the form that they
take and the uses to which they can be put.

Other forms of CAATs are not likely to give rise to specific questions but a background
knowledge may be useful.


Special problem areas

There are four possible areas:

(i) small installations;

(ii) on-line, real time systems;

(iii) database systems;

(iv) use of service bureaux.

There is much overlap – especially between the controls required in small, on-line and
database systems. Use your common sense to think of the particular problems these areas
present. Then use your knowledge of the controls to consider which controls are particularly
relevant.

Finally, the examiner does not expect a technical knowledge of computers. What is required is
an understanding of the impact computers have and how auditors can overcome the special
difficulties they present.
