ENTITY’S COMPUTER SYSTEMS AND CONTROLS
In the modern age many businesses use computer systems to help them run their business and produce financial information. Directors are still required to put safeguards in place to protect the assets of a company, but many of these safeguards are now incorporated into the computer systems themselves. A balance must be struck between the degree of control and the requirement for a user-friendly computer system.
Controls can be classified into the following areas:
Integrity controls can be further subdivided into Data integrity and Systems integrity. With data integrity, the data is the same in the computer system as it is in the source documents and has not been accidentally or intentionally altered, destroyed or disclosed. Whereas systems integrity refers to systems operations conforming to the design specification set out despite deliberate or accidental attempts to cause it to do otherwise.
The auditor focuses on the general and application controls of the systems when carrying out a control assessment, as it is important that the system in use operates reliably and that risks are mitigated.
Key risks include the system being put at risk by a virus or some other fault which spreads across the system, and the system being accessed by an unauthorised user who could affect its smooth operation or obtain commercially sensitive information. The client should have contingency plans in the event of a system difficulty.
Need for assurance
It is important to know that the original system is as reliable as could be expected and whether it is the best system that the company could be using at the given cost. The company might seek such assurance from its service provider. However, the service provider may not be objective as they have a vested interest. They are paid to provide a solid system, they will hardly find fault with it. This means that the directors might seek an assurance from its auditors to undertake work to ascertain if the assertions of the service provider are accurate. In considering taking on such an assurance engagement, one should ensure that sufficient skills are available to undertake such procedures.
Internal control effectiveness is generally assessed by undertaking a systems audit. The key areas to establish the reliability of systems are:
- Is there a written policy for computer systems?
- Is it compatible with policies in other areas?
- Is it adhered to?
- Is it sufficient and effective?
- Is it updated when the systems are updated?
- Does it relate to the current system?
Segregation of duties
- Is there adequate segregation of duties for data input?
- Are there adequate system controls, e.g. passwords, to enforce segregation?
- Is there a physical security policy such as a locked room and password access?
- Is there data security software such as virus shields?
Management should receive information on the effectiveness of their control systems and on systems reliability. Operations are likely to rely heavily, if not completely, on computer systems, and if problems arise, operations could be severely affected. Such problems could include no production, no invoicing, or duplicate or omitted invoicing.
Other stakeholders, such as customers and suppliers, will be interested in the reliability of the company’s systems as they would not want to deal with ineffective operations.
Internal control systems in a computer information system environment
Internal control systems include both manual procedures and procedures designed into computer programmes.
There are two types of controls:
General CIS (computer information system) controls whose aim is to establish a framework of overall controls over the computer systems to provide reasonable assurance that the overall objectives are achieved.
Application CIS controls whose purpose is to establish specific control procedures over the applications in order to provide reasonable assurance that all transactions are authorised, recorded and processed in a timely, complete and accurate manner.
General CIS controls
- Development of computer applications
  - Standards over systems design, programming and documentation
  - Full testing procedures, fully documented
  - Approval of computer users
  - Segregation of duties so that those responsible for design are not responsible for testing
  - Installation procedures so that data are not corrupted in transition
  - Training of staff in the new procedures
- Prevention or detection of unauthorised changes to programmes
  - Segregation of duties
  - Full records of programme changes through detailed maintenance of programme logs
  - Password protection of programmes so that access is limited
  - Restricted access to central computers – locked doors and keypads
  - Virus checks of software and use of anti-virus software and firewalls
  - Back-up copies of programmes secured off site
- Testing and documentation of programme changes
  - Comprehensive testing procedures
  - Documentation standards applied
  - Approval of changes by management
  - Adequate training of staff
- Controls to prevent wrong programmes or files being used
  - Operation controls over programmes and their use/access
  - Controlled libraries of programmes
  - Proper automated job scheduling
- Controls to prevent unauthorised amendments to data files
  - Password protection
  - Use of security levels
- Controls to ensure continuity of operations
  - Storing copies of programmes off site
  - Back-up procedures for data files to be stored off site
  - Disaster recovery procedures
  - Maintenance agreements and insurance
The auditors will test some or all of the above controls depending on their impact on the audit. It is more efficient to review the design of general controls before reviewing the application controls. If there are weaknesses in the general controls, these may have a negative impact on the application controls. The former may have a pervasive effect on the processing of transactions in application systems. If these general controls are not effective there may be a risk of misstatement that could go undetected in the application systems. Although weaknesses in general controls may preclude testing certain application systems, it is possible that manual procedures exercised may provide effective control at the application level.
Application CIS controls
Controls over input
- Completeness: document counts; one-for-one checking, source to output; control totals
- Digit verification – reference numbers are as expected
- Existence checks – customer names and details
- Review of data for gaps
- Permitted ranges acceptable
- Scrutiny of output
- Manual checks to ensure data entered was authorised
- Input by authorised personnel – user entry codes
Controls over processing
- Batch reconciliations
- Screen warnings to prevent logging off before processing is complete
- Exception reports output
- Required code such as PIN
- Required date fields for cut-off purposes – period closing
Controls over master files and standing data
- One-to-one checking
- Controls over deletion of accounts/data
- Authentication codes to update
- Logs of changes
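The input controls listed above, worked through in code as an added example (not part of the original notes): a batch of constructed sales invoices arrives with a header stating the document count and control total, and the routine applies the completeness checks (document count, control total, review of the reference sequence for gaps) and the accuracy checks (check digit on the reference number, existence check against the customer master file, permitted range on the amount). The customer master file, the batches, the range limit and the use of the Luhn check-digit scheme are all assumptions made for the example.

```python
"""Application controls over input, as an added illustration.

A batch of sales invoices arrives with a batch header that states the
document count and a control total (the sum of invoice amounts).  The
checks below are the input controls listed above: document count,
control total, review of reference numbers for gaps, check-digit
verification of the reference number, existence check against the
customer master file and a permitted-range check on the amount.
Every record and master-file entry here is constructed for the example.
"""

# Constructed customer master file used for the existence check.
CUSTOMER_MASTER = {"C001": "Alpha Ltd", "C002": "Beta plc", "C003": "Gamma GmbH"}
MAX_INVOICE_AMOUNT = 50_000.00  # assumed upper bound of the permitted range


def check_digit_valid(reference: str) -> bool:
    """Verify the trailing check digit of an all-numeric reference.

    Uses the Luhn scheme (an assumption; a client's scheme would be
    whatever its system documents).  The final digit is the check digit.
    """
    if not reference.isdigit() or len(reference) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(reference)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header: dict, records: list) -> list:
    """Run the input controls and return the exception list (empty = clean).

    header:  {"document_count": int, "control_total": float}
    records: [{"ref": str, "customer": str, "amount": float}, ...]
    """
    exceptions = []

    # Completeness: document count and control total agree to the batch header.
    if len(records) != header["document_count"]:
        exceptions.append(
            f"document count {len(records)} disagrees with header {header['document_count']}")
    batch_total = round(sum(r["amount"] for r in records), 2)
    if batch_total != round(header["control_total"], 2):
        exceptions.append(
            f"control total {batch_total} disagrees with header {header['control_total']}")

    # Completeness: review reference numbers (without the check digit) for gaps.
    sequence = sorted(int(r["ref"][:-1]) for r in records if r["ref"].isdigit())
    for lo, hi in zip(sequence, sequence[1:]):
        for missing in range(lo + 1, hi):
            exceptions.append(f"gap in reference sequence: {missing} missing")

    # Accuracy: per-record checks.
    for r in records:
        if not check_digit_valid(r["ref"]):
            exceptions.append(f"{r['ref']}: check digit invalid")
        if r["customer"] not in CUSTOMER_MASTER:
            exceptions.append(f"{r['ref']}: customer {r['customer']} not on master file")
        if not 0 < r["amount"] <= MAX_INVOICE_AMOUNT:
            exceptions.append(f"{r['ref']}: amount {r['amount']} outside permitted range")
    return exceptions


# Constructed batches: one that passes every control and one with defects.
CLEAN_HEADER = {"document_count": 3, "control_total": 1500.00}
CLEAN_RECORDS = [
    {"ref": "100008", "customer": "C001", "amount": 500.00},
    {"ref": "100016", "customer": "C002", "amount": 750.00},
    {"ref": "100024", "customer": "C003", "amount": 250.00},
]
DEFECTIVE_HEADER = {"document_count": 3, "control_total": 1500.00}
DEFECTIVE_RECORDS = [
    {"ref": "100008", "customer": "C001", "amount": 500.00},
    {"ref": "100035", "customer": "C009", "amount": -100.00},  # bad digit, unknown customer, negative
    {"ref": "100024", "customer": "C003", "amount": 1100.00},
]

if __name__ == "__main__":
    print("clean batch:", validate_batch(CLEAN_HEADER, CLEAN_RECORDS))
    for line in validate_batch(DEFECTIVE_HEADER, DEFECTIVE_RECORDS):
        print("exception:", line)
```

Note that the defective batch still agrees to its header on both document count and control total; it is the per-record accuracy checks and the gap review that expose the problems, which is why batch totals alone are not sufficient as an input control.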
Testing of application controls
If manual controls exercised by the user of the systems are capable of providing reasonable assurance that the systems output is complete, accurate and authorised, the auditor may decide to limit tests of controls to these manual controls.
In addition, computer controls may be tested examining the systems output using either manual procedures or CAATs. Such output may be in the form of magnetic media, microfilm or printouts. Alternatively, the auditor may test the controls by performing them with the use of CAATs.
In some instances it may not be possible, or may be impractical, to test controls by examining user controls or system output. The auditor may then need to perform tests using CAATs such as test data, re-processing transaction data or, in some unusual circumstances, examining the code of the programmes.
On-line systems
On-line systems enable users to access data and programmes directly through a networked environment. They allow users to initiate functions directly such as:
- Entering transactions
- Making data enquiries
- Requesting reports
- Updating master files
- Electronic commercial activities such as internet banking
On-line systems allow on-line data entry so data validation is vital from the outset. In addition, there is the risk of unlimited access and this is undesirable from a risk and control point of view. Being on-line often results in a lack of a transaction trail which is the opposite of what an auditor seeks. Finally, there is normally programmer access and this needs strict controls in place.
Internal control in an on-line environment
In an on-line environment it would be important to have general controls such as access controls, control over passwords, systems development and maintenance of controls procedures, programming controls, transaction logs and firewalls.
Application controls should also be in place and these should include authorisation checks such as the need for a PIN, reasonableness and other data validation tests, cut-off procedures (especially where there is a continuous flow of data), file controls and master file controls.
Internal control in micro computer environment
In larger companies controls over systems development and operations are required for effective control to be in operation. In a micro environment such controls may not be seen to be important or cost effective.
The accuracy and dependability of financial information produced by the computer information system will depend upon the internal controls required by management and adopted by the user. In any event it may be difficult to distinguish between general controls and application controls.
Specific controls are important namely:
- Physical security over equipment and removable and non-removable media
- Program and data security, using hidden files and passwords
- Security and data integrity
- Hardware, software and data back-up, with copies of hard disks or tapes kept off site and within fireproof containers.
Electronic data interchange systems (EDI)
These are systems allowing the electronic transmission of business documents. Information such as orders, invoices, statements or payroll information is automatically transferred via EDI to another entity for processing. The risks of EDI include:
- Lack of a paper/audit trail
- Greater impact on the normal operations and records if there is a failure in an entity’s computer systems
- Risk of loss, corruption and/or theft of data in the transmission process
The auditor will need to review the controls that management have in place to address these risks. Controls could include acknowledgements, agreement by both parties of the amounts transmitted, authentication codes and encryption techniques. In addition, there is a need for virus protection, insurance, contingency plans and back-up arrangements.
E-Business
Part of the auditor’s responsibilities is to assess the risks to the audit process arising from the company’s use of electronic business. This will affect the skills and knowledge required by the auditor to understand the complexities of the entity’s business and operational transactions.
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)
The scope and objectives of an audit do not change even in a situation where a client is heavily computerised. However, the application of auditing procedures does require the auditor to consider procedures that use the computer as an audit tool. These are known as computer assisted (or aided) audit techniques (CAATs).
In the absence of input documents or where there is a lack of an audit trail, the auditor may need to use CAATs in testing controls and substantive testing. CAATs can improve the effectiveness and efficiency of auditing procedures.
CAATs can be used in the performance of auditing procedures such as:
- Tests of details of transactions and balances
- Analytical review procedures
- Tests of computer information system controls
Types of CAATs
There are two types of CAATs: audit software and test data.
Audit software
This is used to process data from a client’s accounting system. It is used to check that the figures within the accounting system are correct. Examples of substantive procedures using audit software include:
- Extracting samples to specified criteria
- Calculating ratios and totals
- Selecting items outside a specified range – exception reporting
- Checking arithmetic calculations
- Comparing budget vs. actual
Take the example of amounts receivable. CAATs could be used to extract the following information from within a computerised system:
- Whether the total in the sales ledger agrees to the total of debtors control account in the nominal ledger
- Whether all balances are within agreed credit limits
- Calculation of debtor days
- Sample selection of debtor balances for testing
- Identification of potential bad debts through production of an aged listing.
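The receivables procedures just listed, carried out over a small constructed sales ledger as an added example (this is illustrative code, not any audit package's own): agreeing the sales ledger to the debtors control account, exception reporting of balances over their credit limit, debtor days, sample selection to a stated criterion and an aged listing that highlights potential bad debts. The ledger, control account balance, credit sales figure and period end are all constructed values.

```python
"""Audit-software style substantive procedures over receivables (added example).

The sales ledger, nominal ledger control account balance and credit sales
figure below are constructed.  The functions reproduce the receivables
checks listed above: agreeing the sales ledger to the debtors control
account, reporting balances over their credit limit (exception
reporting), calculating debtor days, selecting a sample by a stated
criterion and producing an aged listing to highlight potential bad debts.
"""
from datetime import date

PERIOD_END = date(2023, 12, 31)          # constructed year end
CREDIT_SALES_FOR_YEAR = 1_200_000.00     # constructed
CONTROL_ACCOUNT_BALANCE = 98_500.00      # constructed nominal ledger figure

# Constructed sales ledger: per customer, credit limit and open invoices (date, amount).
SALES_LEDGER = {
    "C001": {"limit": 30_000, "invoices": [(date(2023, 12, 10), 12_000), (date(2023, 11, 2), 8_000)]},
    "C002": {"limit": 20_000, "invoices": [(date(2023, 12, 20), 15_000), (date(2023, 10, 5), 9_500)]},
    "C003": {"limit": 50_000, "invoices": [(date(2023, 9, 1), 30_000)]},
    "C004": {"limit": 10_000, "invoices": [(date(2023, 12, 28), 4_000), (date(2023, 6, 15), 20_000)]},
}


def customer_balances() -> dict:
    """Total open invoices per customer."""
    return {c: sum(amt for _, amt in d["invoices"]) for c, d in SALES_LEDGER.items()}


def sales_ledger_difference() -> float:
    """Sales ledger total less the control account; 0.0 means the two agree."""
    return round(sum(customer_balances().values()) - CONTROL_ACCOUNT_BALANCE, 2)


def over_credit_limit() -> list:
    """Exception report: customers whose balance exceeds their credit limit."""
    return [c for c, bal in customer_balances().items() if bal > SALES_LEDGER[c]["limit"]]


def debtor_days(days_in_year: int = 365) -> float:
    """Receivables / credit sales * days in year, rounded to one decimal."""
    return round(sum(customer_balances().values()) / CREDIT_SALES_FOR_YEAR * days_in_year, 1)


def select_sample(min_balance: float) -> list:
    """Sample selection to a specified criterion: all balances at or above min_balance."""
    return sorted(c for c, bal in customer_balances().items() if bal >= min_balance)


def age_bucket(days_outstanding: int) -> str:
    """Ageing band for an invoice outstanding the given number of days."""
    if days_outstanding <= 30:
        return "0-30"
    if days_outstanding <= 60:
        return "31-60"
    if days_outstanding <= 90:
        return "61-90"
    return "over 90"


def aged_listing() -> dict:
    """Per customer, the open amount in each ageing bucket at the period end."""
    buckets = ("0-30", "31-60", "61-90", "over 90")
    listing = {}
    for c, d in SALES_LEDGER.items():
        row = dict.fromkeys(buckets, 0)
        for inv_date, amt in d["invoices"]:
            row[age_bucket((PERIOD_END - inv_date).days)] += amt
        listing[c] = row
    return listing


def potential_bad_debts() -> list:
    """Customers with anything in the 'over 90' bucket."""
    return [c for c, row in aged_listing().items() if row["over 90"] > 0]


if __name__ == "__main__":
    print("ledger vs control difference:", sales_ledger_difference())
    print("over limit:", over_credit_limit())
    print("debtor days:", debtor_days())
    print("sample (>= 24,000):", select_sample(24_000))
    for c, row in aged_listing().items():
        print(c, row)
    print("potential bad debts:", potential_bad_debts())
```

Because these routines read the ledger records themselves rather than a printout, they illustrate the point made later in the notes that CAATs test the original data; agreeing the ledger to the control account first is the step that gives the rest of the analysis a reliable population.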
Types of audit software:
Designed to read files, select data, perform and print reports.
Purpose written programmes:
Generally prepared by the auditor, entity or external programmer for specific purposes.
Programmes designed to sort files, create files or print files. They are usually not designed for audit purposes and therefore may not contain control features, such as automatic record counts or control totals, which auditors will find very useful.
Test data
This is where sample data is entered into an entity’s computer system and the results are compared with predetermined results to determine whether controls are operating effectively.
The data can be processed during normal time or during a separate run at a time outside the normal time. Real data or dummy data can be used.
Examples of applying test data include:
- Testing specific controls such as data access controls by checking passwords and usernames
- Testing specific processing characteristics such as invalid stock codes or customer codes
- Testing transactions in an integrated test facility, such as setting up a dummy account to process dummy data. In this case, the test data could be processed during normal business hours in order to test the accuracy of the cycle.
Difficulties using test data
- When using dummy transactions there may be a need to reverse the transactions.
- Test data only tests the system at a particular point in time.
- Corruption of data files has to be corrected. This may be difficult with modern systems which often have built-in security with controls to ensure that data entered cannot be easily removed.
Specific examples of CAATs applied using test data
- Input an order that exceeds set credit limits
- Input a negative number on an order
- Input incomplete or inaccurate customer details
- Input an excessive amount
- Raise an order from a supplier not on the preferred list
- Process an order with an unauthorised staff number
- Make changes to standing data with unauthorised access
- Set up new employee without using authorised staff number
- Make authorised changes to staff details
- Input excessive payroll details
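The test-data approach described above, as an added example that is not part of the original notes: a set of constructed test transactions (order over the credit limit, negative quantity, incomplete customer details, non-preferred supplier, unauthorised staff number) is passed through a stand-in order-entry control routine and each actual result is compared with the predetermined expected result. The control routine, standing data and test cases are all assumptions made for the example; the final case is deliberately constructed so that the expected rejection does not occur, to show how a control deviation is surfaced.

```python
"""Test-data approach to testing application controls (added example).

A set of constructed test transactions is passed through an order-entry
control routine and the actual result is compared with the predetermined
expected result for each.  A mismatch means the control did not operate
as the auditor expected.  The control routine is a stand-in for a client
application; the transactions are dummy ones and are never posted, so
nothing has to be reversed afterwards.
"""

# Constructed standing data.
CUSTOMERS = {
    "C001": {"name": "Alpha Ltd", "address": "1 High Street", "credit_limit": 10_000, "balance": 4_000},
    "C002": {"name": "Beta plc", "address": "", "credit_limit": 5_000, "balance": 0},   # address missing
}
PREFERRED_SUPPLIERS = {"S100", "S200"}
AUTHORISED_STAFF = {"E01", "E02"}


def order_entry_control(txn: dict) -> str:
    """The control under test: return 'ACCEPTED' or a rejection reason."""
    if txn["staff"] not in AUTHORISED_STAFF:
        return "REJECT: unauthorised staff number"
    if txn["qty"] <= 0:
        return "REJECT: quantity must be positive"
    if txn["type"] == "purchase":
        if txn["supplier"] not in PREFERRED_SUPPLIERS:
            return "REJECT: supplier not on preferred list"
        return "ACCEPTED"
    cust = CUSTOMERS.get(txn["customer"])
    if cust is None or not cust["name"] or not cust["address"]:
        return "REJECT: incomplete customer details"
    if cust["balance"] + txn["qty"] * txn["unit_price"] > cust["credit_limit"]:
        return "REJECT: credit limit exceeded"
    # No check on unit_price: a constructed weakness the test data should surface.
    return "ACCEPTED"


# Constructed test data, each case carrying its predetermined result.
TEST_DATA = [
    {"id": "T01", "type": "sale", "customer": "C001", "qty": 10, "unit_price": 100.0, "staff": "E01",
     "expected": "ACCEPTED"},
    {"id": "T02", "type": "sale", "customer": "C001", "qty": 100, "unit_price": 100.0, "staff": "E01",
     "expected": "REJECT: credit limit exceeded"},
    {"id": "T03", "type": "sale", "customer": "C001", "qty": -5, "unit_price": 100.0, "staff": "E01",
     "expected": "REJECT: quantity must be positive"},
    {"id": "T04", "type": "sale", "customer": "C002", "qty": 1, "unit_price": 50.0, "staff": "E02",
     "expected": "REJECT: incomplete customer details"},
    {"id": "T05", "type": "purchase", "supplier": "S999", "qty": 5, "unit_price": 20.0, "staff": "E02",
     "expected": "REJECT: supplier not on preferred list"},
    {"id": "T06", "type": "sale", "customer": "C001", "qty": 1, "unit_price": 10.0, "staff": "E99",
     "expected": "REJECT: unauthorised staff number"},
    {"id": "T07", "type": "sale", "customer": "C001", "qty": 1, "unit_price": 0.0, "staff": "E01",
     "expected": "REJECT: unit price must be positive"},   # expected control is not implemented
]


def run_test_data(cases: list = TEST_DATA) -> list:
    """Return (id, expected, actual) for every case whose actual result differs from the expected one."""
    mismatches = []
    for case in cases:
        actual = order_entry_control(case)
        if actual != case["expected"]:
            mismatches.append((case["id"], case["expected"], actual))
    return mismatches


if __name__ == "__main__":
    for case in TEST_DATA:
        print(case["id"], order_entry_control(case))
    print("control deviations:", run_test_data())
```

The value of the approach lies in fixing the expected results before the run: six cases confirm that the controls under test operate as designed, and the seventh shows that a zero unit price is accepted, a deviation the auditor would follow up with management.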
Before using CAATs an auditor should consider the following:
- Set the audit objectives
- Determine the content and access to clients’ files
- Determine the transaction types to be tested
- Define the procedures to be applied
- Define the desired output from the system
- Identify the staff to be used in the design and application of the CAATs
- Assess the costs and benefits of using CAATs
- Ensure that the use of CAATs is controlled and documented
- Carry out the application
- Evaluate the results
Using CAATs in a small business computer environment
The level of computer information within a small business environment may result in the auditor placing less reliance on the system of internal control and instead placing greater emphasis on tests of details of transactions and balances and analytical review procedures. This could increase the effectiveness of certain CAATs particularly audit software.
Is use of CAATs appropriate?
Where smaller volumes of data are processed, manual audit procedures may be cost effective. It could be also the case that adequate technical assistance may not be available to the auditors thus making the use of CAATs impracticable. In addition, certain audit packages may not operate on small computers although the entity’s data files could be copied and processed on another computer.
Within a small business computer environment, detailed knowledge of computer operations, programmes and files may be confined to a small number of persons. This could increase the risk of fraud through changes to programmes or data.
Advantages of using CAATs
- They assist the auditor in obtaining more audit evidence
- Large samples can be tested quickly and accurately
- CAATs test the original data and not just the printout, so the validity of the test is better established
- In many instances they are cost effective.
Issues relating to CAATs
CAATs are limited and are very dependent on the level of integration within clients’ computer systems. In addition, the current system may actually already perform the functions which the CAAT is meant to perform.
The CAAT is only of use if the reliability of the system has been assessed.
The cost may outweigh the benefit. In particular, there may be an initial outlay with regard to time and money required.
Lack of software documentation
Many clients’ system documentation is very poor and this results in the auditor being unable to gain a proper understanding of the system. Without this understanding it may not be beneficial to make use of CAATs.
Changes in clients’ systems
Any changes in the clients’ systems will require changes in the design of the CAAT which the auditor will need to fully understand before making the appropriate changes to the CAAT.
Lack of direction and useless results
There is a danger that the auditor will use CAATs due to its availability rather than its appropriateness in the individual circumstances.
Use of copy files
Where clients give the auditor copies of files, the auditor should ensure that these are the actual files which are being tested.