Auditing through the computer refers to making use of the computer itself to test the operative effectiveness of application controls in the program actually used to process accounting d
Trang 1AUDITING IN A COMPUTER INFORMATION SYSTEMS
(CIS) ENVIRONMENT
I Review Questions
1 Additional planning items that should be considered when computer processing
is involved are:
The extent to which the computer is used in each significant accounting application
The complexity of the computer operations used by the entity, including the use of an outside service center
The organizational structure of the computer processing activities
The availability of data
The computer-assisted audit techniques to increase the efficiency of audit procedures
The need for specialized skills
2 Understanding the control environment is a part of the preliminary phase of control risk assessment Computer use in data processing affects this understanding in each of the parts of the control environment as follows:
The organizational structure – should include an understanding of the
organization of the computer function Auditors should obtain and evaluate: (a)
a description of the computer resources and (b) a description of the organizational structure of computer operations
Methods used to communicate responsibility and authority – should include the
methods related to computer processing Auditors should obtain information about the existence of: (a) accounting and other policy manuals including computer operations and user manual and (b) formal job descriptions for computer department personnel Further, auditors should gain an understanding of: (a) how the client’s computer resources are managed, (b) how priorities for resources are determined and (c) if user departments have a clear understanding
of how they are to comply with computer related standards and procedures
Methods used by management to supervise the system – should include
procedures management uses to supervise the computer operations Items that are of interest to the auditors include: (a) the existence of systems design and documentation standards and the extent to which they are used, (b) the existence and quality of procedures for systems and program modification, systems
Trang 2acceptance approval and output modification, (c) the procedures limiting access
to authorized information, (d) the availability of financial and other reports and (e) the existence of an internal audit function
3 The “audit trail” is the source documents, journal postings and ledger account postings maintained by a client in order to keep books These are a “trail” of the bookkeeping (transaction data processing) that the auditor can follow forward with a tracing procedure or back ward with a vouching procedure
In a manual system this “trail” is usually visible to the eye with posting references in the journal and ledger and hard-copy documents in files But in a computer system, the posting references may not exist, and the “records must be read using the computer rather than the naked eye.” Most systems still have hard-copy papers for basic documentation, but in some advanced systems even these might be absent
4 The audit trail (sometimes called “management trail” as it is used more in daily operations than by auditors) is composed of all manual and computer records that allow one to follow the sequence of processing on (or because of) a transaction
The audit trail in advanced systems may not be in a human-readable form and may exist for only a fraction of a second
The first control implication is that concern for an audit trail needs to be
recognized at the time a system is designed Techniques such as integrated test facility, audit files and extended records must be specified to the systems
designer The second control implication is that if the audit trail exists only momentarily in the form of transaction logs or master records before destructive update, the external auditor must review and evaluate the transaction flow at various times throughout the processing period Alternatively, the external auditor can rely more extensively on the internal auditor to monitor the audit trail
5 Major characteristics:
1 Staff and location of the computer – operated by small staff located within
the user department and without physical security
2 Programs – supplied by computer manufacturers or software houses.
3 Processing mode – interactive data entry by users with most of the master
file accessible for inquiry and direct update
Control Problems:
1 Lack of segregation of duties
2 Lack of controls on the operating system and application programs
Trang 33 Unlimited access to data files and programs.
4 No record of usage
5 No backup of essential files
6 No audit trail of processing
7 No authorization or record of program changes
6 Auditing through the computer refers to making use of the computer itself to test
the operative effectiveness of application controls in the program actually used
to process accounting data Thus the term refers only to the proper study and
evaluation of internal control Auditing with the computer refers both to the study of internal control (the same as “auditing through”) and to the use of the
computer to perform audit tasks
7 Both are audit procedures that use the computer to test controls that are included
in a computer program The basic difference is that the test data procedure utilizes the client’s program with auditor-created transactions, while parallel simulation utilizes an auditor-created program with actual client transactions In the test data procedure the results from the client program are compared to the
auditor’s predetermined results to determine whether the controls work as
described In the parallel simulation procedures the results from the auditor
program are compared to the results from the client program to determine whether the controls work as described
8 The test data technique utilizes simulated transactions created by the auditor,
processed by actual programs but at a time completely separate from the
processing of actual, live transactions The integrated test facility technique is
an extension of the test data technique, but the simulated transactions are intermingled with the real transactions and run on the actual programs processing actual data
9 User identification numbers and passwords prevent unauthorized access to accounting records and application programs The transaction log does not
prevent unauthorized access but may be reviewed to detect unauthorized access.
Even then, responsibility could not be traced to a particular individual without user identification numbers and passwords The transaction log is more important to establish the audit trail than to detect unauthorized access
10 Generalized audit software is a set of preprogrammed editing, operating, and
output routines that can be called into use with a simple, limited set of programming instructions by an auditor who has one or two weeks intensive training
Trang 4Phases Noncomputer auditor involvement
1 Define the audit objectively 1 Primary responsibility
2 Feasibility 2 Evaluate alternatives
4 Application design 4 none
6 Testing 6 Review final test results, compare to plan
7 Processing 7 Actual computer processing – none
Use of results – depends on application
12 Automated microcomputer work paper software generally consists of trial
balance and adjustment worksheets, working paper (lead schedule) forms, easy facilities for adjusting journal entries, and electronic spreadsheets for various analyses
13 A microcomputerized electronic spreadsheet can be used instead of paper and pencil to create the form of a bank reconciliation, with space provided for text lists of outstanding items (using the label input capability), and math formulas inserted for accurate arithmetic in the reconciliation Printing such a reconciliation is easy (and much prettier than most accountants’ handwriting!)
14 With either data base or spreadsheet software packages, macros (sets of instructions) can be developed for retrieving data from the working trial balance and converting this data into classified financial statements If one or more subsidiaries are to be included, the consolidated process can also be automated
by the inclusion of special modules designed for that purpose The standard audit report, as well as recurring footnotes, can be included in the data base, and modified to fit the circumstances of the current year’s audit results
15 Relational data base packages have all the advantages of spreadsheets, and, in addition, have the capacity to store and handle larger quantities of data They are especially useful in manipulating large data bases, such as customer accounts receivable, plant assets, and inventories
II Multiple Choice Questions
Trang 5III Comprehensive Cases
Case 1 a Auditing “around” the computer generally refers to examinations of
transactions in which a representative sample of transactions is traced from the original source documents, perhaps through existing intermediate records in hard copy, to output reports or records, or from reports back to source documents Little or no attempt is made to audit the computer program or procedures employed by the computer to process the data This audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct within a satisfactory degree of confidence
b The CPA would decide to audit “through” the computer instead of “around” the computer (1) when the computer applications become complex or (2) when audit trails become partly obscured and external evidence is not available
Auditing “around” the computer would be inappropriate and inefficient in the examination of transactions when the major portion of the internal control system is embodied in the computer system and when accounting information is intermixed with operation information in a computer program that is too complex to permit the ready identification of data inputs and outputs Auditing “around” the computer will also be ineffective if the sample of transactions selected for auditing does not cover unusual transactions that require special treatment
c (1) “Test data” is usually a set of data in the form of punched cards or
magnetic tape representing a full range of simulated transactions, some
of which may be erroneous, to test the effectiveness of the programmed controls and to ascertain how transactions would be handled (accepted
or rejected) and if accepted, the effect they would have on the accumulated accounting data
(2) The auditor may use test data to gain a better understanding of what the data processing system does, and to check its conformity to desired objectives Test data may be used to test the accuracy of programming
by comparing computer results with results predetermined manually Test data may also be used to determine whether errors can occur without observation and thus test the system’s ability to detect noncompliance with prescribed procedures and methods
Assurance is provided by the fact that if one transaction of a given type passes a test, then all transactions containing the identical test characteristics will – if the appropriate control features are functioning
Trang 6– pass the same test Accordingly, the volume of test transactions of a given type is not important
d In addition to actually observing the processing of data by the client, the CPA can satisfy himself that the computer program tapes presented to him are actually being used by the client to process its accounting data by requesting the program of a surprise basis from a computer librarian and using it to process test data
The CPA may also request, on a surprise basis, that the program be left in the computer at the completion of processing data so that he can use the program to process his test data This procedure may reveal computer operation intervention If, so, ensures that a current version of the program
is being audited, an important procedure in computer installations newly installed and undergoing many program changes To gain further assurance about this matter, the CPA should inquire into the client’s procedures and controls for making program changes and erasing superseded program tapes, and should examine log tapes where available
Case 2 a Document retention
IMPACT ON THE INTERNAL CONTROL SYSTEM: In on-line real time systems and EDI systems, the audit trail is frequently modified in the form
of reduced documentation To compensate, internal controls should provide for adequate input editing, as well as some form of transaction log as documentation at the input stage
IMPACT ON THE INDEPENDENT AUDIT: In examining internal control, under these circumstances, the auditor must rely more on observation, inquiry, and reprocessing of transactions for control testing purposes, and less on document testing If documents are retained for only
a short period, the auditor should also consider the feasibility of frequent visits for both substantive and control testing purposes
b Uniformity of processing
IMPACT ON THE INTERNAL CONTROL SYSTEM: The impact of this internal control characteristic is to generally strengthen control by increasing the consistency of processing Once the proper controls are installed and tested, processing consistency increases the accuracy of transaction processing over that which exists in manual systems
IMPACT ON THE INDEPENDENT AUDIT: The auditor must emphasize control study and testing at the point of transaction input and processing to determine that the necessary controls exist and are functioning Upon determining that the necessary input and processing controls are in place
Trang 7and functioning properly, the auditor may elect to perform little or no document testing
c Concentration of functions
IMPACT ON THE INTERNAL CONTROL SYSTEM: In manual systems, separation of functional responsibilities provides a double-check for the purpose of enhancing processing accuracy In EDP accounting systems, consistency of processing removes the need for double-check
IMPACT ON THE INDEPENDENT AUDIT: The auditor must determine that the necessary input editing controls are in place and functioning to ensure that transactions are accurately introduced into the processing stream Moreover, to ensure checks and balances within the electronic data processing function, the auditor should study the organizational structure of the EDP group to ascertain proper separation among the following functions:
Systems analysis and design
Program design, development, and testing
Computer operations involving data processing
Distribution of EDP output and reprocessing of errors
d Access to data bases
IMPACT ON THE INTERNAL CONTROL SYSTEM: The greater the number of input terminals providing access to data bases, and the more integrated the data base, the greater the danger of unauthorized access To protect the data bases under these circumstances, the internal control policies and procedures should provide for effective control over identification codes and passwords permitting access to data bases; and the control policies should also fix responsibility in designated individuals for specified elements of data bases
In batch systems, access to magnetic tape and disk files and programs should be secured by assigning responsibility over these files to one or more individuals designated as “librarians,” and instituting a formal “checkout” system for releasing and reacquiring files and programs
IMPACT ON THE INDEPENDENT AUDIT: The auditor should determine that proper control over I.D codes and passwords exists, that codes and passwords are changed frequently and voided upon termination of employment, and that responsibility for elements of data bases has been appropriately fixed
In batch systems, the auditors should determine that tape and disk files and programs stored off-line are properly secured
Trang 8Case 3 a Test data approach: The auditor prepares simulated input data (both valid
and invalid transactions) that are processed, under the auditor’s control, by the client’s processing system
Advantage: A good way of testing existing controls for proper functioning Disadvantage: Difficulty in designing comprehensive test data; Difficulty
in ascertaining whether the programs tested are the same programs used by the client in processing actual transactions and events during the year
ITF approach: The auditor creates a fictitious entity within the client’s
actual data files, and processes simulated data during live processing by client The auditor then compares the results of processing with anticipated results
Advantage: Greater assurance that programs tested are programs used by
the client (the approach can be applied at different points in time during the year)
Disadvantage: Difficult to remove test data from the system without
harming client’s files
Tagging and tracing: This is a technique whereby an identifier or “tag” is
affixed to a transaction record; and the tag triggers “snapshots” during the processing of transactions Following the tagged transactions through the system permits the auditor to evaluate the logic of the processing steps and the adequacy of programmed controls
Advantage: The use of actual data eliminates the need for removing data
from the client’s processing system
Disadvantage: The auditor analyzes the transactions only after processing
is completed
SCARF: A systems control audit review file is an audit log used to collect
information for subsequent analysis and review An imbedded audit module monitors selected transactions as they pass by specific processing points The module then captures the input data so that relevant information, accessible only by the auditor, is displayed at key points in the processing system
Advantage: Utilizes real- rather than simulated-transaction data, and does
not require reversing the entries
Disadvantage: Does not necessarily capture erroneous data.
Trang 9Surprise audit: The auditor, on an unannounced basis, requests copies of
client’s programs, and compares them with auditor’s copy of authorized versions
Advantage: Assists the auditor in determining whether client personnel are
using authorized versions of programs in processing data
Disadvantage: Auditor may not always be notified by the client when
program changes are made, thus making the comparison irrelevant
b Inasmuch as each of the above alternatives have distinct advantages and disadvantages, a combination approach overcomes the disadvantages resulting from using a single approach Using ITF, for example on a few simulated transactions, while applying the tagging and tracing or SCARF approach for numerous actual transactions, provides effective testing of control procedures for error prevention and detection, without requiring the reversal of a large number of simulated transactions from the client’s system
c In auditing around the computer, the auditor predetermines the processing
results (output) of selected input data, and compares the predetermined results with actual computer output The advantage of this approach is its ease of application; a significant disadvantage is that the auditor gains no understanding of how the computer processes data, nor of the controls which have been incorporated into the computer programs
In auditing through the computer, the auditor actually tests the programmed
controls used in processing specific applications Such techniques as design phase auditing, ITF, tagging and tracing, SCARF, test data, and surprise audit are examples of auditing through the computer
d Parallel simulation is an automated version of auditing around the computer
in that the auditor creates a set of application programs that simulate the processing system, and compares output from the real and simulated systems Comparison of input with output ignores the essential characteristics of the processing system and assumes that if the outputs are identical, the system is processing transactions accurately
The auditor might elect to use parallel simulation in combination with design phase auditing Design phase auditing ensures that the necessary controls are installed during system design By permitting the auditor to test large volumes of transactions, parallel simulation helps to confirm whether these controls are working
Trang 10Case 4 (a) Test decks, also called “test data,” are sets of computer input data which
reflect a variety of auditor-identified transactions for verification through actual computer processing to detect invalid processing of results (i.e., existing programs run test data) Ideal test data should present the application under examination with every possible combination of transactions, master file situations, and processing logic which could be encountered during actual comprehensive processing Test data are usually processed separately from actual data using copies of master files Test decks are most feasible when the variety of transactions processing and controls is relatively limited (i.e., fairly simple files)
Uses include checking and verifying: (1) input transaction validation routines, error detection, and application system controls, (2) processing logic, and controls associated with creation and maintenance of master files, (3) computational routines such as interest and asset depreciation, and (4) incorporation of program changes
(b) Parallel simulation consists of the preparation of a separate computer
application that performs the same functions as those used by the actual application programs The simulation programs read the same input data as the application programs, use the same files, and attempt to produce the same results (e.g., real data run through test programs) These simulated results are matched with those from the live programs, providing a means
for testing through comparison.
Uses include all those cited for test decks
(c) The integrated test facility approach permits the introduction of
auditor-selected test data into a computer system with actual or “live” data and then traces the flow of transactions through the various system processing functions for comparison to predetermined actual results An ITF involves the creation or establishment of a “dummy” entity (e.g., a branch or division) to receive the results of the test processing Therefore, transactions are processed against the test entity together with actual transactions Test data must be removed from the entity’s records upon completion of the test Uses are identical to the test deck technique
(d) Tagging and tracing and SCARF are forms of transaction tracking provided
only for auditor selected computer inputs carrying a special code If the capability is provided in the application system in advance, the attachment
of a code to any input transaction can be made to generate a printed transaction trail for that item following each step of the application processing