AUDITING IN THE DATA PROCESSING ENVIRONMENT - THE EVOLVING ROLE OF THE INTERNAL AUDITOR A Thesis Presented to The School of Business Quinnipiac College In Partial Fulfillment of the Re
Trang 1
AUDITING IN THE DATA PROCESSING ENVIRONMENT - THE EVOLVING ROLE OF THE INTERNAL AUDITOR
A Thesis Presented to The School of Business Quinnipiac College
In Partial Fulfillment
of the Requirements for the Degree Master of Business Administration
by Jatin M Patel April 1988
Trang 2
UMI Number: 1414101
®
UMI
UMI Microform 1414104
Copyright 2003 by ProQuest information and Learning Company All rights reserved This microform edition is protected against unauthorized copying under Title 17, United States Code
ProQuest Information and Learning Company
300 North Zeeb Road P.O Box 1346 Ann Arbor, MI 48106-1346
Trang 3APPROVAL PAGE
AUDITING IN THE DATA PROCESSING ENVIRONMENT -
THE EVOLVING ROLE OF THE INTERNAL AUDITOR
This thesis is approved as a creditable and independent
investigation by a candidate for the degree of Master of
Business Administration, and is acceptable as meeting the
thesis requirements for this degree, but without implying
that the conclusions reached by the candidate are neces-
sarily the conclusions of the major department
Graduate Program Director
Lawrence Harris, Ph.D Professor of Marketing Quinnipiac College
ii
Trang 4ACKNOWLEDGEMENTS
I wish to express my appreciation to Dr Vincent Celeste for his guidance, assistance and patience in the completion of this project
iii
Trang 5TABLE OF CONTENTS
INTRODUCTION ° ° e ° s e ° e ° e e e e e e s ° e e e ° 1
THE TRADITIONAL ROLE OF THE INTERNAL AUDITOR - 4
IMPACT OF EDP ON THE INTERNAL AUDIT FUNCTION - 8
THE GROWING GAP e e e e e e s ° e ° e ° e e ° e ° e s ° 1 9
CONCLUS ION e e s ° ° e ° s e ° ° e e e a s s ° bu ° e e 3 0
REFERENCES e e e 6 e e ° e ° a e ° ° e ° e s e a s e e 33
iv
Trang 6TNTRODUCTION
Rapid economic growth within the past two or three decades has resulted in a tremendous expansion o£ the world markets and products This growth has brought about a widespread expansion in the business activities within the confines of various nations, as well as across the borders
of these nations This widespread expansion has brought about a dramatic change in the day to day operations of a business enterprise which has resulted in increasingly complex information requirements on the part of management
in order to operate most efficiently
Coupled with this widespread economic growth, governmental and legislative regulations and regulatory reporting requirements have increased significantly, thereby, magnifying the complexity of managements informa- tion requirements
In order to effectively meet these intricate information requirements, management has turned to the rapidly advancing field of Electronic Data Processing (EDP), which, in turn, has been tremendously successful in develop- ing and applying new technology and concepts to satisfy the ever-growing information needs of management As a result of this, management has become increasingly reliant upon Data Processing to meet all its information requirements in order
Trang 7for it to plan, evaluate and control the various activities
of its organization effectively
It is clearly evident from the comments above, that computers have become a mainstay of the informational requirements of a business enterprise " The various business records that are maintained today on a computer may constitute virtual ‘information assets' of the organization The very existence of the organization is heavily reliant upon the safety and preservation of these ‘information assets'" 1,
The tremendous increase in management's dependence upon data-processing for meeting its day to day information requirements for effective management control and strategic planning functions has resulted in widespread concern about the ability of the data-processing system to generate the requisite information with continuing accuracy, completeness and , most important of all, on a timely basis This is where the Internal Auditor comes into play Management relies upon the Internal Auditor to evaluate the efficiency and accuracy of available management resources With the advent of EDP, the importance of the Internal Audit function has increased tremendously Today, management relies upon the Internal Auditor to evaluate and verify the effective- ness of the data-processing system and its ability to
1 Mair, William C.; Wood, Donald R.; & Davis,
Keagle W : Computer Control & Audit (Institute of Internal Auditors Inc., FLA, 1976
Trang 8generate accurate, complete and timely information The Internal Auditor assumes the responsibility of evaluating and verifying the EDP system and of assuring management whether or not the information being generated by the system
is accurate and reliable, and, if it is not sc, what procedures should be implemented by management to ensure reliability and accuracy Therefore, the Internal Auditor has a very important role in a business organization which
is reliant upon EDP ,and it is this role that is the subject
of this thesis
Trang 9THE TRADITIONAL ROLE OF THE INTERNAL AUDITOR
Auditing has been defined as " the examination of information by a third party other than the preparer or the user with the intent of establishing its reliability and the reporting of the results of this examination with the expectation of increasing the usefulness of the information
to the user" 2 Traditionally, the role of the Internal Auditor was similar to that of the External Auditor The Internal Audit function was limited to financial audits, i.e = evaluation and verification of the completeness and accuracy of financial statements However, with the revela- tions of illegal corporate activities and large scale frauds and bankruptcies, top level management showed a greater interest in broadening the scope of the Internal Audit function There was a greater awareness that the Internal Audit function was a very effective management tool that could assist management in the fulfillment of their respon- sibilities for controlling corporate activities and stemming the advent and growth of illegal and unethical behavior As
a result, the scope of the Internal Audit function broadened
to include operational or non-financial auditing along with the traditional financial auditing The Internal Auditor became responsible for the implementation and evaluation of
2 Porter, Thomas W & Burton, John C : Auditing : AConceptual Approach (Wadsworth Inc., Belmont, CA, 1971)
h
Trang 10internal controls and internal checks to ensure compliance with company policies and procedures, evaluation of reports and the system of reporting in both the financial and non-financial areas, evaluation of the quality of management performance to ensure that management is utilizing available company resources most efficiently and in the most economic manner The Internal Auditor also became responsible for making recommendations to management to make changes or implement new systems and procedures in both financial and non-financial areas of corporate activity
During this period of growth in the scope of the Internal Audit function, the corporate environment was being gradually influenced by the evolution of EDP In the late fifties and early sixties, there were relatively few computers being utilized in business enterprises However, starting from the earlier part of the sixties, there has been a tremendous increase in the number of computers in
use "At the end of 1973, 133,000 computers valued at almost
$30 billion were in use The number of installed computers was estimated to grow to 500,000 by 1978 with a projected value of over $50 billion."3 Coupled with the increase in the use of computers was the increase in managements reliance upon EDP, as discussed earlier The increase in management's recognition of the tremendous potential of the
3 Mair,William C.; Wood, Donald R.; & Davis,
Keagle W : Computer Control & Audit ( Institute of Internal Auditors, FLA, 1976
Trang 11computer in the promotion of operational efficiency and effective decision making generated a resultant increase in the number of applications and procedures that were come- puterized With the introduction of the computer into the business environment, the inherent risks associated with the use of a computer were also introduced However, the Internal Audit function during this period of EDP expansion was not able to keep pace with the introduction of the new technologies and applications Until recently most Internal Auditors preferred "auditing around the computer" which involved reviewing the systems and procedures related to the feeding of data into the EDP system and reviewing and verifying the completeness and accuracy of the resultant computer output They felt that auditing the various controls that were external to the EDP system would provide them with sufficient evidence that the system was function- ing effectively, rather than getting directly involved with the verification of controls within the EDP systems
The traditional Internal Auditor restricted the scope of his audit to the verification of controls external
to the EDP system and the verification of the accuracy and completeness of processing results However, the increasing occurrence of computer errors and omissions, computer frauds and the abuse of computers has raised the concerns of management and made them recognize the need for redefining the role of the Internal Auditor The fact that billions of
Trang 12dollars were being lost by various organizations as a result
of computer fraud and theft, input errors and omissions, programming errors, lack of effective controls, etc was a cause of both alarm as well as embarrassment to top manage- ment Both management and the Internal Auditors realized that the traditional approach of “auditing around the computer" which was limited to the verification of reports and records, was inadequate and that there was an urgent need to expand the scope of the Internal Audit function to encompass all phases of the EDP function, which includes the review and verification of application system controls, verification of data-processing files and reports, review and verification of procedures and controls related to computer operations and last but not least, the hands on involvement of Internal Auditors during systems development This redefining of the Internal Auditor's role within the corporate structure has had a major impact on the role of the Internal Auditor in the field of EDP
Trang 13IMPACT OF EDP ON THE INTERNAL AUDIT FUNCTION
The advent of computers has had a tremendous impact on the business organization as a whole and the Internal Audit function in particular The introduction of computers into the business environment has proved very beneficial to the corporate structure Computers have come
to be considered an essential part of the business environ- ment The increased use of computers in the business environment is largely attributable to the rapid growth and diversification in managements information requirements coupled with the increase in government regulatory reporting requirements As a result of the aforementioned information requirements, management has become increasingly reliant upon EDP to plan, evaluate and control the activities of the organization in an effective manner
This tremendous increase in management's depen- dence upon EDP has resulted in the following :
(e) New data=processing application areas
4 Stanford Research Institute : Systems Auditability & Control Study - Data-Processing Audit Practices Report (Institute of Internal Auditors Inc., FLA,
8
Trang 14The increased use of computer systems can best be appreciated by considering the number of computer systems installed in business organizations within the past few
years "At the end of 1973, 133,000 computers valued at
almost $30 billion were in use The number of installed computers was estimated to grow to 500,000 by the end of
1978 with a projected value of over $50 billion."9
The widespread geographic distribution of business activity can largely be attributed to the advent of high speed data communication facilities At the same time, it can be emphatically stated that this geographic growth and the sustenance of this growth is largely attributable to the use of these data communication facilities The significant increase in the use of data communication facilities has been evidenced by the fact that "while in 1970, only 25 % of the general purpose computers installed were equipped with data communication terminals, by 1975, 54% of the general purpose had terminals."6
1977)
2 Mair, William C.; Wood, Donald R.; & Davis;
Keagle W.: Computer Control & Audit (Institute of Internal Auditors Inc., FLA, 1976)
6 Stanford Research Institute : Systems Auditability & Control Study - Data-Processing Audit T0 Report (Institute of Internal Auditors Inc., FLA, 1977
Trang 15The increase in the usage of computer systems and data communication facilities combined with rapid economic growth have resulted in the development of new data-process- ing application areas that were unheard of even a decade or two ago Some examples of these new application areas are Electronic Fund Transfers, Automated Bank Teller Machines, Retail Point of Sale terminals
The concept of distributed data-processing involves decentralization of data-processing activities The advent of high speed, low cost mini-computers is largely responsible for this concept gaining favor with management because of the various advantages it has to offer over totally centralized data-processing facilities
Rapid technological changes have resulted in integrating data-processing procedures such that a single transaction entered into a computer system automatically is processed by all computer application systems that are affected by that transaction Eg : When a person operates terminal keys in a specified order, the following transac- tions will automatically be performed - order entry, updating of inventory records, preparation of customer billings, preparation of shipping documents, updating of accounts receivable and updating of customers records
The concept of a data base, also referred to as a centralized shared data file, has been instrumental in the advent and growth of integrated data-processing applica-
10
Trang 16tions "The data base concept is to capture and maintain data in a single central file, which can be accessed by those programs that have a need for specific data elements
In the past, each application was designed around its own files The same data elements would occur in different files, and would even have different values because of inconsistent processing procedures and/or schedules".? The development of centralized files has resulted in the elimination of redundancy and also in the arrangement of the various data files in a more logical sequence based on their computer application systems
The above discussion clearly describes how computers have become a mainstay in today's business environment However, any new venture that a business undertakes has its associated risks The primary risk associated with a computer system is the risk of error or omission According to a mail survey conducted by the Stanford Research Institute, - “loss from errors and omissions is one of the most frequently reported concerns of both data-processing managers and internal auditors."8
Auditability & Control Study - Data-Processing Audit Practices Report (Institute of Internal Auditors Inc., FLA,
1977
Auditability & Control Study - Data-Processing Audit ony) Report (Institute of Internal Auditors Inc., FLA,
1977
11
Trang 17It is very imperative to recognize the fact that while computers are highly reliable to perform given functions, they only do what they are programmed to do and they function with information that is provided by humans
An error in programming or an error or omission in providing input could prove catastrophic and could result in a loss that could add up to millions of dollars Consider the following example
" A manufacturing company converted its inventory
control system from a manual system to a com-
puterized one They were pleasantly surprised but
somewhat perplexed when the reported inventory
increased by approximately $1 million Subsequent
investigation eventually disclosed that the
instruction manuals for their product were
classified under the same part number as the
machine they described The 50 manuals in stock
were treated by the computer as also being worth
$20,000 aviece."9
It is clearly evident that a small error such as the one mentioned above resulted in inflating the company's assets by $1 million, which could have been catastrophic had
it not been detected in time Thus, we see, that, while computers can be highly beneficial on the one hand, on the other hand, a minor flaw or error in the program or data can prove to be disastrous The key to utilizing the computer most effectively is harnessing its power with the implemen- tation of effective checks and controls to minimize the risk
of loss
9 Mair, William C.; Wood, Donald R.; & Davis,
Keagle W : Computer Control & Audit (Institute of Internal
Auditors Inc., FLA,1976)
12
Trang 18In order to understand better the Internal Audit function, one must understand the concept of Internal Controls The American Institute of Certified Public Accountants has defined internal control as : "The plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to pre-
scribed managerial controls" 10
In simple terms, internal controls are procedures implemented within a business organization that:
(a) Safeguard the assets of the business
(b) Ensure the accuracy, reliability, completeness and
timeliness of all business transactions, records and reports (both manual and computerized)
(c) Ensure the detection, prevention and correction of
erroneous processing This is accomplished by various internal checks such as transaction authorization, segregation of functional respon- sibilities
(d) Ensure compliance with company policies and
Trang 19(e) Evaluate management control and performance to
ensure management is utilizing available company resources in the most effective and efficient
manner
The implementation of internal controls is an absolute necessity in today's business environment They play a significant role in the prevention, reduction and detection of business risks or exposures Some of these business risks or exposures are as follows
(1) Erroneous record keeping or reporting (2) Fraud, theft or embezzlement
(3) Business interruption due to loss or destruction of information or assets
Internal auditors play a significant role in as much as they reduce business losses by the prevention, reduction or detection of the above business risks or exposures
The primary objective of the Internal Audit function is the evaluation and verification of these internal controls together with the evaluation and verifica- tion of data-processing results The Internal Auditor's review and evaluation of these internal controls provides assurance of the integrity of financial records and also
14