Introduction
We live in a fast-moving and automated world of information superhighway. No country or organization can afford to be left behind since by doing so, she risks underdevelopment, isolation and backwardness. Most businesses are no longer using the manual way of book – keeping technology of the late nineties but are now keeping records in soft copies and are using either tailor – made or general purpose software to keep their records. This calls for newer and sophisticated ways of auditing. Vouching and other methods of
auditing are done through the computer software. This chapter draws its content from International Standards on Auditing numbers ISA 401 – Auditing in a computer Information System and ISA 1008 – Risk Assessment and Internal Controls
Features of Computerized Systems
There are fundamental differences between manual systems and computerized systems. The manual systems are likely to physical controls as opposed to the computerized systems whereby the controls may be both physical controls and system in – built. The fundamental differences are:
1. Computerized systems are complex as compared to manual systems. The auditor is likely to spend a few hours to understand a manual system but a computerized system may take a lot of time to understand besides requiring expert skill and technical know – how.
2. A separation between computer and user personnel that may be physical but is also likely to psychological and due to use of technical jargon and language in speech communication. The natural physical check for errors and fraud may not be in place.
3. There is lack of visible and physical evidence in computerized systems as opposed to manual systems. The information contained in soft records is not easily examined.
4. The data in soft copies may be stored for a short period of time as opposed to manual system where data can be stored for a long periods of time
5. Computerized systems can have automatic control to check as programmed. Manual systems lack this capability.
6. It is easy to access data and output in computerized systems as opposed to manual systems where data must be accessed manually.
7. Lack of audit trail in computerized systems as opposed to manual systems where one trace a transaction through the system from initialization up to the end
8. A single input in a computerized system update all the necessary file as opposed to manual system where the update must be done to each and every file
Internal Controls in a Computerized System
For all processing systems, including computerized systems, accuracy and reliability can be achievable only with conscious planning designed to assure satisfactory results. Information, protection, and control, the objective of internal control earlier, are equally applicable to computerized systems. In order to minimize the risks associated with special features in computerized the management is advised to design controls over computerized systems. These controls usually consist of both manual systems and in – built procedures. These controls are classified as; General controls and Application controls
General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed. General controls relate to the environment within which computerized systems are developed, maintained and operated. These controls are aimed at providing reasonable assurance that overall objective of the internal controls are achieved. They at ensuring proper development and
implementation of application are achieved and that the integrity of both data program is achieved. These are designed to make sure an organization’s control environment is stable and well managed. They apply to all sizes and types of systems.
General controls are usually classified into four categories. These are:
- System development controls
- The plan of organisation and operation of the computer activity
- Access controls
- Back – up and recovery procedures
Systems Development Controls
These controls relate those controls that must be exercised by the client when designing new systems or modifying existing systems. The top management is required to participate in the systems development for it to be effective. The controls that should be exercised during the systems development can be categorized into four:
Review, testing and approval of new systems
The basic principles of these controls
- The user departments must be included in review and testing. The input for the user departments is vital in this stage. Once the user departments are have input considered then the systems can reflect the need for these user department
- For the proposed system should have a written specification that should be approved by this management
- Communication between the user department and the computer department should be established during testing. Testing of new system is as vital as actual development of the development.
Controls over program
Program change refers to modification made to application program. These changes should be done under strict controls. These changes must be check against incorrect or incomplete data input.
Parallel running of the new and old system
It is important that before switching to new system, the whole system must be tested by running it parallel to the old systems. It is important to run the two systems alongside for sometimes while the same time testing the input and output from the two systems
Documentation procedures
This is collection of information that support and describe the computer application, including development. The documentation should be secured in a library with access control.
Plan of Organisation in Computer Activity
The business should have proper segregation of duties and functions and policies and procedures relating to control within the computerized accounting systems.
Segregation of Duties within Systems Function
- In highly integrated AIS, procedures that used to be performed by separate individuals are combined.
- Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
- To combat this threat, organizations must implement compensating control procedures.
- Authority and responsibility must be clearly divided among the following functions:
- Systems administration
- Network management
- Security management
- Change management
- Users
- Systems analysis
- Programming
- Computer operations
- Information system library
- Data control
- It is important that different people perform these functions.
- Allowing a person to perform two or more of these functions exposes the company to the possibility of fraud.
Physical Access Controls
- How can physical access security be achieved?
- Place computer equipment in locked rooms and restrict access to authorized personnel
- Have only one or two entrances to the computer room
- Require proper employee ID
- Require that visitors sign a log
- Use a security alarm system
- Restrict access to private secured telephone lines and terminals or PCs.
- Install locks on PCs.
- Restrict access of off-line programs, data and equipment
- Locate hardware and other critical system components away from hazardous materials.
- Install fire and smoke detectors and fire extinguishers that don not damage computer equipment
Logical Access Controls
- Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
- What are some logical access controls?
- passwords
- physical possession identification
- biometric identification
- compatibility tests
Application Controls
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program. These controls ensure that the system produces results that complete and accurate. Companies must establish control procedures to ensure that all source documents are authorized, accurate, and complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner. Source data controls include:
- Forms design
- Pre-numbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Authorization and segregation of duties
- Visual scanning
- Check digit verification
- Key verification
Application controls are generally categorized into four groups. These are:
- Input controls
- Processing controls
- Output controls
- Control over master files and standing data
Input Controls
Faulty data input will always results into error and wrong output. Control over the completeness, validity, data conversion and controls of rejection of input are therefore very vital. Completeness control ensures that all transactions are recorded. Validity control ensures that only validly authorized transactions are the only ones transacted and recorded. Data conversion controls ensures that all data on source documents is properly entered into the system.
Processing Controls
These controls ensure that transactions are processed by the right software and program and transferred to the right master file besides producing the right output. Other input may be put in place such check overdue transactions and even credit limit.
Output Controls
These controls ensure that the right output is received from the input and that the results are accurate and that the out is distributed to appropriate personnel.
Control Over Master Files and Standing Data
These controls ensure that amendments to master file and standing file are complete accurate and properly authorized. These controls are similar to control over input.
Auditing In a Computer Environment
The use modern technology, especially computers in the processing of financial data and information has totally changed the general approach of the audit by auditors. The use modern technology in processing the data and information does not in any way the responsibility of the auditor
Planning The Audit In A Computerized Environment
All audits must be planned. In a computerized environment must be taken in account and considered.
- The auditors need to be involved in computerized systems at the planning, development and implementation stages. Knowledge of the systems gained at these stages is vital and will enable the auditor plan his audit with an understanding of the system.
- Timing is more important in a computerized environment than in manual systems.
- The auditor will need to be present when the data and files are available. More frequent visits to the client are usually required.
- Recording methods in computerized systems and environment may be different. Recent developments include use of portable laptops and other methods data storage.
- The allocation of suitably skilled staff and personnel to the audit is more vital. It may important and necessary to use computer audit department on some part of the audit.
- The extent to which computer assisted audit techniques (CAATs) can be used. These techniques often require considerable planning in advance.
Auditor’s Approach in Computerized Environment
Due to the special features in computerized systems, it is necessary to devise appropriate audit approach. There are usually two main approaches that can be adopted. These approaches are:
- Auditing around the computer
- Auditing through the computer
Auditing Around the Computer
This approach assumes that the presence of accurate output verifies processing operations. The approach pays no attention to the control procedures within the information technology (IT) department. The auditor does not rely on controls be they manual or computerized. This approach is mainly substantive. This approach is only suitable where:
- The audit trail is complete and visible
- Processing is simple and
- Complete documentation of transaction is available
This approach has its own demerits such as:
- It is extremely risky to audit and give an opinion records that have been produced and processed by that one does not fully understand
- A computer has immense advantages for the auditor and it is inefficient to carry out an audit in this manner
Auditing Through the Computer
There are two basic techniques that are available to the auditors. These are:
- The use of test data and
- The use computer audit program
These methods are generally referred to Computer Assisted Audit Techniques (CAATs)
Computer Assisted Audited Techniques
CAATs refer to any automated audit techniques such computer software and test data. CAATs are ways in which the computer may be used by the auditor in a computerized environment to gather, or assist in gathering audit evidence. CAATs are mainly categorized into audit software and test data
Audit Software
Any software with that capability of directly reading and accessing data from databases is called audit software. The software has the ability to carry out mathematical computation and operations, statistical analysis, sequence checks etc. the software assists the auditor in accessing directly the data stored in computer’s hard – disk and servers. There several types of audit software. These are
- Generalized Audit Software
- Utility Programs
- Purpose written Programs
- Commercial Software
- Embedded Audit Modules
- Integrated Test Facility
- Parrallel Simulation
- Program Code Analysis
These are explained here under.
Generalized Audit Software
These come in diverse variety of forms. It may be software available over the shelf or tailor – made software to specification of the auditor. The software has the capability of perform a variety of functionalities such as reading computer files, selecting specific data, manipulating data, sorting data summarizing data, selecting samples, recalculations etc in a way specified by the auditor.
Utility Programs
These are program, which are generally not designed for audit purpose but can be used by the auditor to perform common data processing functions such as sorting, creating and printing files
Purpose written Programs
These are tailor – made programs specifically written either by auditor or programmers at the request of the auditor.
Commercial Software
These are off the shelf programs that are readily available in the market. These include the Microsoft Excel, Microsoft Word etc. these programs are used by the auditor in analysis as well as writing reports.
Embedded Audit Modules
This is CAAT in which a code is prepared by the auditor and embedded in the client’s software. The code is designed to replicate a specific aspect of the control procedure or to record details of certain transaction in a file accessible only to the auditor
Integrated Test Facility
This is a facility forming part of the client’s software and enables the auditor’s test data to be integrated and be processed with the client’s live input data. The facility ensures that the test data updates auditor’s dummy files. The dummy files are examined to ensure that the test data is properly processed as required
Parallel Simulation
The actual client’s data is processed using a copy of the client’s software that has undergone program code analysis by the auditor and under that control of the auditor. The two copies of processed data are compared to ensure that the processing is identical
Program Code Analysis
This the analysis of the client’s program code to ensure that the instructions given to the computer are the same instructions that the auditor had identified when reviewing the system development
Audit Software Use
By use audit software, the auditor is able to test huge volumes of data within a very short time. Besides these functions can be performed using audit software:
- File re – organization such as indexing, sorting, merging and linking with other files
- Data selection such as data filtration
- File access
- Arithmetic functions
- Summarizing data
- Sample selection
- Report printing
Test Data
In test data the auditor prepares the test data and the data is processed on the current production version of the client’s software. The test data is processed separately from client’s normal input data. The test data that is processed updates the auditor’s copy of the client’s data files. The updated files are examined to ensure that the transactions were processed in the right and the expected manner.