Chapter 7

AUDITING IN A COMPUTERIZED ENVIRONMENT

With the rapid development in technology in recent years, computer information systems (CIS)
have become feasible, perhaps essential, for use even in small scale business operations. Almost
all entities now use computers to some extent in their accounting systems. This widespread use
of computers has offered new opportunities for professional accountants and has also created
some challenging problems for auditors.

Regardless of the extent of computerization or the methods of data processing being used, the
responsibility for the establishment and implementation of appropriate internal control systems
rests with management and those charged with governance. The auditor's responsibility is to
obtain an understanding of the entity's internal control system to be able to assess control risk,
and determine the nature, timing and extent of tests to be performed.

➢ Characteristics of Computer Information Systems (CIS)

Computer information systems have essential characteristics that distinguish them from
manual processing systems.

➢ Lack of visible transaction trails

In a manual system, it is normally possible to follow a transaction through the system by
examining source documents, entity's records, and financial reports. In a CIS
environment, data can be entered directly into the computer system without supporting
documents. Furthermore, records and files may not be printed and cannot be read without
using the computer. The absence of these visible documents supporting the processing of
transactions makes the examination of evidence more difficult.

➢ Consistency of Performance

CIS performs functions exactly as programmed. If the computer is programmed to perform a
specific data processing task, it will never get tired of performing the assigned task in
exactly the same manner. Because of this capability of the computer to process
transactions uniformly, clerical errors that are normally associated with manual
processing are eliminated. On the other hand, an incorrect program could be very
devastating because it will result in consistently erroneous data processing.

➢ Ease of Access to Data and Computer Programs

In a CIS environment, data and computer programs may be accessed and altered by
unauthorized persons leaving no visible evidence. It is important, therefore, that
appropriate controls are incorporated into the system to limit the access to data files and
programs only to authorized personnel.

This study source was downloaded by 100000853650481 from CourseHero.com on 11-23-2022 07:06:50 GMT -06:00

https://www.coursehero.com/file/81984468/Chapter-7-Auditing-in-a-Computerize-Environmentdocx/

➢ Concentration of duties

Proper segregation of duties is an essential characteristic of a sound internal control
system. However, because of the ability of the computer to process data efficiently, there
are functions that are normally segregated in manual processing that are combined in a
CIS environment.

As a particular example, in manual processing the function of recording cash
disbursements is incompatible with the responsibility for reconciling disbursements.
Since one of these functions serves as a check upon the other, assigning both functions to
one employee would enable that employee to commit and conceal errors or irregularities.
A properly programmed computer, on the other hand, has no tendency or motivation to
commit irregularities or conceal its errors. Hence, what appears to be an incompatible
combination of functions may be combined in a CIS environment without weakening the
internal control provided appropriate compensating controls are put in place.

➢ Systems generated transactions

Certain transactions may be initiated by the CIS itself without the need for an input
document. For example, interest may be calculated and charged automatically to
customers' account balances on the basis of pre-authorized terms contained in a
computer program.

➢ Vulnerability of data and program storage media

In a manual system, the records are written in ink on substantial paper. The only way to
lose the information is to lose or to destroy the physical records. The situation is
completely different in a CIS environment. The information on the computer can be
easily changed, leaving no trace of the original content. This change could happen
inadvertently, and a huge amount of information can be quickly lost.

➢ Internal Control in a CIS Environment

Many of the control procedures used in manual processing also apply in a CIS
environment. Examples of such control procedures include authorization of transactions,
proper segregation of duties, and independent checking. The elements of internal control
are the same; the computer just changes the methods by which these elements are
implemented.

A variety of controls are performed to check accuracy, completeness, and authorization of
transactions. When computer processing is used in significant accounting applications, internal
control procedures can be classified into two types: general and application controls.

➢ General Controls
General controls are those control policies and procedures that relate to the overall
computer information system. These controls include:

1. Organizational controls
Just as in a manual system, there should be a written plan of the organization, with clear
assignment of authority and responsibility. In a CIS environment, the plan of an
organization for an entity's computer system should include segregation between the user
and CIS department, and segregation of duties within the CIS department.

a. Segregation between the CIS department and user departments.

The CIS department must be independent of all departments within the entity that provide
input data or that use output generated by the CIS.

The function of the CIS department is to process transactions. However, no transaction will
be processed unless it is initiated by the user department. Therefore, all changes in
computer files must be initiated and authorized by the user department.

b. Segregation of duties within the CIS department

Functions within the CIS department should be properly segregated for good
organizational controls. The entity's organizational structure should provide for definite
lines of authority and responsibility within the CIS department. A sample of an
organizational structure within the CIS department is presented below:

| Position | Primary responsibilities |
| --- | --- |
| CIS Director | Exercises control over the CIS operation. |
| Systems Analyst | Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers. |
| Programmer | Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions. |
| Computer Operator | Using the program and detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions. |
| Data Entry Operator | Prepares and verifies input data for processing. |
| Librarian | Maintains custody of systems documentation, programs and files. |
| Control Group | Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel. |

Optimal segregation of duties dictates that each of the above tasks be assigned to different employees.
However, some entities may not have enough resources to maintain a large CIS department.

In small entities with a limited number of personnel, some functions may be combined.
But as a minimum, the functions of systems development and computer operations must be segregated.
Systems analysts and programmers should not be allowed to use the programs they developed, and they
should not be allowed to operate the computer. Also, computer operators who run the program should
not participate in program design. A number of computer-related frauds have resulted when these
functions are combined.

2. Systems development and documentation controls

Software development, as well as changes thereto, must be approved by the appropriate level of
management and the user department. To ensure that computer programs are functioning as
designed, the program must be tested and modified, if needed, by the user and CIS department.
Moreover, adequate systems documentation must be made in order to facilitate the use of the
program as well as changes that may be introduced later into the system.

3. Access Controls

Every computer system should have adequate security controls to protect equipment, files and
programs. Access to the computer should be limited only to operators and other authorized
employees. Additionally, appropriate controls such as the use of passwords must be adopted in order
to limit access to data files and programs only to authorized personnel.

4. Data recovery controls

One of the characteristics of the CIS is the vulnerability of files and programs. Computer files can
be easily lost and the loss of these files can be disastrous to an entity. The survival of an entity
affected by such disaster depends on its ability to recover the files on a timely basis.

A data recovery control provides for the maintenance of back-up files and off-site storage
procedures. Computer files should be copied daily to tape or disks and secured off-site. In the event
of disruption, reconstruction of files is achieved by updating the most recent back-up with
subsequent transaction data. When magnetic tapes are used, a common file retention practice
called the grandfather-father-son practice requires an entity to keep the two most recent generations of
master files and transaction files in order to permit reconstruction of master files if needed.

5. Monitoring controls

Monitoring controls are designed to ensure that CIS controls are working effectively as planned.
These include periodic evaluation of the adequacy and effectiveness of the overall CIS operations
conducted by persons within or outside the entity.

➢ Application Controls

The processing of transactions involves three stages: the input, processing, and output stages. The
input stage involves capturing a mass of data; the processing stage involves converting the mass
of raw data into useful information; and the output stage involves preparing information in a form
useful to those who wish to use it. To ensure that all relevant data are captured as input to the system,
and to ensure that the data are accurately processed during their conversion into meaningful financial
information, controls or other mechanisms must be incorporated into the system.

Application controls are those policies and procedures that relate to specific use of the system. These
are designed to provide reasonable assurance that all transactions are authorized, and that they are
processed completely, accurately and on a timely basis. These include:

1. Controls over input

A large number of errors in a computer system are caused by inaccurate or incomplete data entry.
Input controls are designed to provide reasonable assurance that data submitted for processing are
complete, properly authorized and accurately translated into machine readable form.

Examples of input controls include:

Key verification
This requires data to be entered twice (usually by different operators) to provide assurance that there
are no key entry errors committed.

Field check
This ensures that the input data agree with the required field format. For example, an SSS number
must contain ten digits. An input of an employee's SSS number with more or less than ten digits will
be rejected by the computer.

Validity check
Information entered is compared with valid information in the master file to determine the
authenticity of the input. For example, the employees' master file may contain two valid codes to
indicate the employee's gender: "1" for male and "2" for female. A code of "3" is considered invalid
and will be rejected by the computer.

Self-checking digit
This is a mathematically calculated digit which is usually added to a document number to detect
common transposition errors in data submitted for processing.

Limit check
Limit check or reasonable check is designed to ensure that data submitted for processing do not
exceed a pre-determined limit or a reasonable amount.

Control totals
These are totals computed based on the data submitted for processing. Control totals ensure the
completeness of data before and after they are processed. These controls include financial totals, hash
totals and record counts. As an example, assume the following data regarding the entity's
disbursements for the day.
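
The input controls listed above can be written as edit routines run on each record and on the batch as a whole. The following Python code is an added example, not part of the original chapter: the records and field names are constructed, the 50,000.00 limit is an assumption, and Luhn mod-10 is used for the self-checking digit because the chapter names no particular algorithm.

```python
from decimal import Decimal

VALID_GENDER_CODES = {"1", "2"}      # validity check: the two codes named in the chapter
PAYMENT_LIMIT = Decimal("50000.00")  # limit check: assumed ceiling per disbursement


def luhn_ok(number):
    """Self-checking digit (Luhn mod-10 assumed): last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec):
    """Return the input controls a record fails; an empty list means accepted."""
    errors = []
    if not (rec["sss"].isascii() and rec["sss"].isdigit() and len(rec["sss"]) == 10):
        errors.append("field check")
    if rec["gender"] not in VALID_GENDER_CODES:
        errors.append("validity check")
    voucher = rec["voucher"]
    if not (voucher.isascii() and voucher.isdigit() and luhn_ok(voucher)):
        errors.append("self-checking digit")
    if not (Decimal("0") < rec["amount"] <= PAYMENT_LIMIT):
        errors.append("limit check")
    return errors


def control_totals(batch):
    """Record count, financial total and hash total (sum of voucher numbers)."""
    return {
        "record_count": len(batch),
        "financial_total": sum((r["amount"] for r in batch), Decimal("0")),
        "hash_total": sum(int(r["voucher"]) for r in batch),
    }


def reconcile(header, batch):
    """Names of the control totals that no longer agree with the batch header."""
    actual = control_totals(batch)
    return [name for name, value in header.items() if actual[name] != value]


def rec(sss, gender, voucher, amount):
    return {"sss": sss, "gender": gender, "voucher": voucher, "amount": Decimal(amount)}


# Constructed disbursement batch as submitted for processing.
BATCH = [rec("3412345678", "1", "100420", "12500.00"),
         rec("3498765432", "2", "100438", "8300.50"),
         rec("3455512345", "1", "100446", "4100.00")]
# Constructed keying errors, one per control.
BAD = [rec("341234567", "2", "100453", "900.00"),     # nine-digit SSS number
       rec("3412345678", "3", "100453", "900.00"),    # gender code 3
       rec("3412345678", "1", "100240", "900.00"),    # 100420 with two digits transposed
       rec("3412345678", "1", "100453", "75000.00")]  # above the assumed limit

if __name__ == "__main__":
    for r in BATCH + BAD:
        print(r["voucher"], edit_record(r) or "accepted")
    header = control_totals(BATCH)           # totals computed before processing
    print(reconcile(header, BATCH[:2]))      # a record lost during processing
```

A dropped record disturbs all three totals, while an altered amount disturbs only the financial total, which is why the three are kept together.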

2. Controls over processing

Processing controls are designed to provide reasonable assurance that input data are processed
accurately, and that data are not lost, added, excluded, duplicated or improperly changed. Almost all
of the input controls that were mentioned earlier are also part of the processing controls because such
controls are usually incorporated in the client's computer program to detect errors in processing of
transactions.

3. Controls over output

Output controls are designed to provide reasonable assurance that the results of processing are
complete, accurate and that these outputs are distributed only to authorized personnel.

A person who knows what an output should look like must review the CIS output for reasonableness.
Control totals are compared with those computed prior to processing to ensure completeness of information.
Finally, CIS outputs must be restricted only to authorized employees who will be using such outputs.

The effectiveness of the general CIS controls is essential to the effectiveness of CIS application
controls. Thus, it may be more efficient to review the design of the general controls first before
reviewing the application controls.

➢ Test of Control in a CIS environment

As in a manual processing environment, test of control in a CIS environment involves evaluating the
client's internal control policies and procedures to determine if they are functioning as intended.
Regardless of the nature of the client's data processing system, auditors must perform tests of
controls if they intend to rely on the client's internal control.

The auditor's objectives and scope of the audit do not change in a CIS environment. However, the
use of the computer changes the processing and storage of
financial information and may affect the organization and procedures employed by the entity to
achieve adequate internal control. Accordingly, the methods employed by the auditor in testing the
control may also be affected.

Testing the reliability of general controls may include observing client's personnel in performing
their duties; inspecting program documentation; and observing the security measures in force. In
testing application controls, the auditor may either:

1. Audit around the computer; or

2. Use Computer-Assisted Audit Techniques

➢ Auditing Around the Computer

Auditing around the computer is similar to testing control in a manual control structure in that it
involves examination of documents and reports to determine the reliability of the system. When
using this approach, the auditor ignores the client's data processing procedures, focusing solely on the
input documents and the CIS output. Input data are simply reconciled with the output to verify the
accuracy of processing. Auditing around the computer is based on the assumption that if the input
reconciles with the output, then the computer program must have processed the transaction
accurately. Hence, the auditor obtains knowledge about the reliability of the system without directly
examining the computer program of the system.

Auditing around the computer can be used only if there are visible input documents and detailed
output that will enable the auditor to trace individual transactions back and forth. This is also known
as the "black box approach" because it does not permit direct assessment of actual processing of
transactions.

➢ Computer Assisted Audit Techniques (CAATs)

When computerized accounting systems perform tasks for which no visible evidence is available, it
may be impracticable for the auditor to test manually. Such is usually the case when the entity uses
advanced CIS. Consequently, the auditor will have to audit the client's computer program directly using
CAATs. This is also called the "white box approach".

CAATs are computer programs and data which the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity's information systems. Some of the
commonly used CAATs include test data, integrated test facility and parallel simulation.

1. Test data

The test data technique is primarily designed to test the effectiveness of the internal control
procedures which are incorporated in the client's computer program. The objective of the test data
technique is to determine whether the client's computer programs can correctly handle valid and
invalid conditions as they arise.

To accomplish this objective, the auditor prepares test data (fictitious transactions) that consist of
valid and invalid conditions. The auditor enters the test data into the system and has the data
processed by the entity's computer program.

Since the auditor is the one who creates the test data, the auditor knows what the output should look
like assuming the client's computer program is functioning effectively. The auditor then compares
the processing results with his predetermined output. If the output generated by the client's program
is the same as the auditor's expected output, the auditor may conclude that the client's program is
reliable.
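
The test data technique described above, as an added Python example that is not part of the original chapter: `client_payroll` is a hypothetical stand-in for the client's program, the master file, pay rates and 60-hour limit are assumptions, and the stand-in carries one constructed defect so that the comparison against the auditor's predetermined results has something to report.

```python
# Constructed master file; employee IDs and rates are hypothetical.
MASTER = {"E001": {"rate": 150}, "E002": {"rate": 200}}
MAX_HOURS = 60   # assumed limit the client's program is documented to enforce


def client_payroll(txn):
    """Stand-in for the client's program: returns gross pay or "REJECT"."""
    emp = MASTER.get(txn["emp_id"])
    if emp is None:
        return "REJECT"                  # validity check against the master file
    if txn["hours"] > MAX_HOURS:
        return "REJECT"                  # limit check
    # Constructed defect: negative hours are not rejected.
    return txn["hours"] * emp["rate"]


# Auditor's test deck: (condition, fictitious transaction, predetermined result).
TEST_DECK = [
    ("valid: normal hours",       {"emp_id": "E001", "hours": 40}, 6000),
    ("valid: exactly at limit",   {"emp_id": "E002", "hours": 60}, 12000),
    ("invalid: over limit",       {"emp_id": "E001", "hours": 61}, "REJECT"),
    ("invalid: unknown employee", {"emp_id": "E999", "hours": 40}, "REJECT"),
    ("invalid: negative hours",   {"emp_id": "E001", "hours": -8}, "REJECT"),
]


def run_test_deck(program, deck):
    """Process every test transaction and return deviations from expectation."""
    deviations = []
    for condition, txn, expected in deck:
        actual = program(txn)
        if actual != expected:
            deviations.append((condition, expected, actual))
    return deviations


if __name__ == "__main__":
    for condition, expected, actual in run_test_deck(client_payroll, TEST_DECK):
        print(f"{condition}: expected {expected}, program produced {actual}")
```

An empty deviation list supports reliance on the programmed control; each deviation identifies a condition the program handles differently from what the auditor predetermined.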

2. Integrated test facility (ITF)

A disadvantage of the test data technique is that the auditor does not have an assurance that
the program tested is the same program used by the client throughout the accounting period. In order
to overcome this disadvantage, the test data technique can be extended to an integrated test facility
(ITF).

When using ITF, the auditor creates a dummy or fictitious employee or other appropriate unit for
testing within the entity's computer system. Unlike test data, which is run independently of the
client's data, an ITF integrates the processing of test data with the actual processing of ordinary
transactions without management being aware of the testing process. The resultant output, relating to
the dummy unit, is then compared with the predetermined results to evaluate the reliability of the
client's program.

By processing test data simultaneously with client's data, ITF provides assurance that the program
tested by the auditor is the same program used by the client in the processing of transactions.

When using ITF, the auditor must be alert to the danger of contaminating the client's master files.
Thus, care must be taken to reverse or eliminate the effects of all audit test transactions in order to
avoid contamination of client's computer files.

3. Parallel simulation

In contrast to the test data and ITF techniques, which require the auditor to create test inputs (data)
and process these data using the client's computer program, parallel simulation requires the auditor
to write a program that simulates key features or processes of the program under review. The simulated
program is then used to reprocess transactions that were previously processed by the
client's program.

The auditor compares the results obtained from the simulation with the client's output to be able to
draw a conclusion about the reliability of the client's program.

Parallel simulation can be accomplished by using generalized audit software or purpose-written
programs. Generalized audit software consists of generally available computer packages which have
been designed to perform common audit tasks such as performing or verifying calculations,
summarizing and totaling files, and reporting in a format specified by the auditor. Purpose-written
programs, on the other hand, are designed to perform audit tasks in specific circumstances. These
programs may be developed by the auditor, the entity being audited or an outside programmer
hired by the auditor.
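
Parallel simulation as described above, applied to the automatic interest charge mentioned earlier in the chapter. This Python code is an added example, not part of the original chapter: the client output records are constructed, and the 1.5% monthly rate, the 100.00 threshold and the rounding rule are assumed pre-authorized terms.

```python
from decimal import Decimal, ROUND_HALF_UP

MONTHLY_RATE = Decimal("0.015")     # assumed pre-authorized term: 1.5% per month
GRACE_BALANCE = Decimal("100.00")   # assumed: balances at or below this are not charged


def simulate_interest(balance):
    """Auditor's independent re-computation of the monthly interest charge."""
    if balance <= GRACE_BALANCE:
        return Decimal("0.00")
    return (balance * MONTHLY_RATE).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(client_output):
    """Reprocess each record; return those where the client's figure differs."""
    exceptions = []
    for row in client_output:
        expected = simulate_interest(row["balance"])
        if expected != row["interest_charged"]:
            exceptions.append({
                "account": row["account"],
                "client": row["interest_charged"],
                "auditor": expected,
                "difference": row["interest_charged"] - expected,
            })
    return exceptions


def row(account, balance, interest):
    return {"account": account, "balance": Decimal(balance),
            "interest_charged": Decimal(interest)}


# Constructed extract of transactions already processed by the client's program.
CLIENT_OUTPUT = [
    row("A-1001", "2000.00", "30.00"),    # agrees with the simulation
    row("A-1002", "80.00", "0.00"),       # below the threshold, correctly not charged
    row("A-1003", "1333.00", "19.99"),    # client truncated 19.995 instead of rounding
    row("A-1004", "5000.00", "100.00"),   # charged at a rate other than the agreed one
]

if __name__ == "__main__":
    for e in parallel_simulation(CLIENT_OUTPUT):
        print(e["account"], "client", e["client"], "auditor", e["auditor"],
              "difference", e["difference"])
```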

➢ Other CAATs
Highly complicated computerized systems sometimes do not retain permanent audit trails and would
require capturing of audit data as transactions are processed. Under this scenario, the CAATs
available to the auditor may include:

1. Snapshots

This technique involves taking a picture of a transaction as it flows through the computer systems.
Audit software routines are embedded at different points in the processing logic to capture the
images of the transaction as it progresses through the various stages of processing. Such a technique
permits an auditor to track data and evaluate the computer processes applied to the data.

2. Systems control audit review files (SCARF)

This involves embedding audit software modules within an application system to provide
continuous monitoring of the system's transactions. The information is collected into a special
computer file that the auditor can examine.
