Approaches to Audit in CIS Environment

Changes in hardware and software have changed the conceptual approach to auditing. An early approach consisted of essentially ignoring the computer, treating it as a black box, and auditing around it. The increasing sophistication of computers, however, has since led to computers being used in two ways: (1) as a tool of the auditor aiding in the performance of the audit, such as printing confirmation requests, and (2) as the target of the audit, where data are submitted to the computer and the results are analyzed for processing reliability and accuracy of the computer program.
The auditor must plan whether to use the computer to assist the audit or whether to audit without using the computer. The two approaches are commonly called “auditing around the computer” and “auditing through the computer”. The work of an auditor would hardly be affected if an “audit trail” is maintained, i.e. if it were still possible to relate, on a ‘one-to-one’ basis, the original input with the final output.

[Figure: a simplified representation of the documentation in a manually created audit trail.]

The particular credit notes may be located by the auditor at any time he may wish to examine them, even months after the balance sheet date. He also has the means, should he so wish, of directly verifying the accuracy of the totals and sub-totals that feature in the control listing, by reference to individual credit notes. He can, of course, check all detailed calculations, casts and postings in the accounting records at any time.

In first and early second-generation computer systems, such a complete audit trail was generally available, owing, no doubt, to management’s own healthy scepticism of what the new machine could be relied upon to achieve – an attitude obviously shared by the auditor. The documentation in such a trail might again be portrayed as shown, in an over-simplified way, in Figure I.
It is once again clear from the diagram that there is an abundance of documentation upon which the auditor can use his traditional symbols of scrutiny, in the form of coloured ticks and rubber stamps. Specifically:
1. The output itself is as complete and as detailed as in any manual system.
2. The trail, from beginning to end, is complete, so that all documents may be identified and located for purposes of vouching, totalling and cross-referencing.
Any form of audit checking is possible, including depth testing in either direction. The execution of normal audit tests on records which are produced by computer, but which are nevertheless as complete as indicated above, is usually described as audit testing round the machine.
Auditing around the Computer – Auditing around the computer involves arriving at an audit opinion through examining the internal control system for a computer installation and the input and output only for application systems. On the basis of the quality of the input and output of the application system, the auditor infers the quality of the processing carried out. Application system processing is not examined directly. The auditor views the computer as a black box. The auditor can usually audit around the computer when either of the following situations applies to application systems existing in the installation:
1. The system is simple and batch oriented.
2. The system uses generalized software that is well-tested and used widely by many installations.

Sometimes batch computer systems are just an extension of manual systems. These systems have the following attributes:
1. The system logic is straightforward and there are no special routines resulting from the use of the computer to process data.
2. Input transactions are batched and control can be maintained through the normal methods, for example, separation of duties and management supervision.
3. Processing primarily consists of sorting the input data and updating the master file sequentially.
4. There is a clear audit trail and detailed reports are prepared at key processing points within the system.
5. The task environment is relatively constant and few stresses are placed on the system.

For these well-defined systems, generalized software packages often are available. For example, software vendors have developed payroll, accounts receivable, and accounts payable packages. If these packages are provided by a reputable vendor, have received widespread use, and appear error-free, the auditor may decide not to test directly the processing aspects of the system. The auditor must ensure, however, that the installation has not modified the package in any way and that adequate controls exist to prevent unauthorized modification of the package. Not all generalized software packages make application systems amenable to auditing around the computer. Some packages provide a set of generalized functions that still must be selected and combined to accomplish application system purposes. For example, database management system software may provide generalized update functions, but a high-level program still must be written to combine these functions in the required way. In this situation the auditor is less able to infer the quality of processing from simply examining the system’s input and output. The primary advantage of auditing around the computer is simplicity. Auditors having little technical knowledge of computers can be trained easily to perform the audit.
There are two major disadvantages to the approach. First, the type of computer system where it is applicable is very restricted. It should not be used for systems having any complexity in terms of size or type of processing. Second, the auditor cannot assess very well the likelihood of the system degrading if the environment changes. The auditor should be concerned with the ability of the system to cope with a changed environment. Systems can be designed and programs can be written in certain ways so that a change in the environment will not cause the system to process data incorrectly or to degrade quickly.

Auditing through the Computer – The auditor can use the computer to test:

  •  the logic and controls existing within the system and
  •  the records produced by the system.

Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor.

There are several circumstances where auditing through the computer must be used:
1. The application system processes large volumes of input and produces large volumes of output that make extensive direct examination of the validity of input and output difficult.
2. Significant parts of the internal control system are embodied in the computer system. For example, in an online banking system a computer program may batch transactions for individual tellers to provide control totals for reconciliation at the end of the day’s processing.
3. The logic of the system is complex and there are large portions that facilitate use of the system or efficient processing.
4. Because of cost-benefit considerations, there are substantial gaps in the visible audit trail.
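
The teller control totals described in item 2 above, as an added example that is not part of the original article: a Python sketch that batches a day's transactions per teller, computes control totals and reconciles them against figures each teller reports independently. It goes slightly beyond the text by including a record count and a hash total over account numbers alongside the amount total; the record layout, teller IDs, account numbers and amounts are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: (teller_id, account_no, amount) as captured by the system.
TRANSACTIONS = [
    ("T01", 100234, Decimal("250.00")),
    ("T01", 100871, Decimal("-75.50")),
    ("T02", 200415, Decimal("1200.00")),
    ("T02", 200415, Decimal("300.25")),
    ("T02", 100234, Decimal("-40.00")),
]
# Constructed end-of-day slips, prepared by each teller independently of the system.
# T02's slip was built with account 100243 where the system posted to 100234.
TELLER_SLIPS = {
    "T01": {"count": 2, "amount": Decimal("174.50"), "hash": 201105},
    "T02": {"count": 3, "amount": Decimal("1460.25"), "hash": 501073},
}


def batch_control_totals(transactions):
    """Batch transactions per teller and compute the control totals."""
    totals = defaultdict(lambda: {"count": 0, "amount": Decimal("0"), "hash": 0})
    for teller, account, amount in transactions:
        t = totals[teller]
        t["count"] += 1        # record count: lost or duplicated items
        t["amount"] += amount  # financial total: altered amounts
        t["hash"] += account   # hash total: posting to a wrong account
    return dict(totals)


def reconcile(system_totals, teller_slips):
    """Return (teller, field, system_value, reported_value) per mismatch."""
    exceptions = []
    for teller in sorted(set(system_totals) | set(teller_slips)):
        sys_t, rep_t = system_totals.get(teller), teller_slips.get(teller)
        if sys_t is None or rep_t is None:
            # A batch present on only one side is itself an exception.
            exceptions.append((teller, "batch", sys_t, rep_t))
            continue
        for field in ("count", "amount", "hash"):
            if sys_t[field] != rep_t[field]:
                exceptions.append((teller, field, sys_t[field], rep_t[field]))
    return exceptions


if __name__ == "__main__":
    for exc in reconcile(batch_control_totals(TRANSACTIONS), TELLER_SLIPS):
        print("EXCEPTION", exc)
```

In the sample data the count and amount for teller T02 agree on both sides, so only the hash total exposes the posting to a different account. An auditor testing through the computer would confirm that the program raises this exception and that someone follows it up.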

The primary advantage of this approach is that the auditor has increased power to effectively test a computer system. The range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system’s processing the auditor also can assess the system’s ability to cope with environment change. The primary disadvantages of the approach are the high costs sometimes involved and the need for extensive technical expertise when systems are complex. However, these disadvantages are really spurious if auditing through the computer is the only viable method of carrying out the audit.
