Auditing

In A
Computerized Environment
With the rapid development in technology in recent years, computer information systems
(CIS) have become feasible, perhaps essential for use even in small scale business. Almost
all entities now use computers to some extent in their accounting systems.

This widespread use of computers has offered new opportunities for professional
accountants and has also created some challenging problems to auditors.
Characteristics of Computer Information System

Lack of visible transactions trails

1
In manual system, it is normally possible to follow a transaction through the system by examining
source documents, entity’s records and financial reports. In CIS environment, data can be entered directly into
the computer system without supporting documents. Furthermore records and files may not be printed and can
not be read without using the computer.

2 Consistency of Performance

CIS performs functions exactly as programmed. If the computer is programmed to perform a

specific data processing task, it will never get tired of performing the assigned task in exactly the same manner.

3 Ease of Access to Data and Computer Programs

In CIS environment, data and computer programs may be accessed and altered by unauthorized
persons leaving no visible evidence.
4 Concentration of duties

There are functions that are normally segregated in in manual processing that are combined in
CIS environment.

5 System Generated Transactions

Certain transactions may be initiated by the CIS itself without the need for an input document.

6 Vulnerability of data and program storage media

In manual system the records are written in ink on a substantial paper. The only way to lose the
information is to lose or to destroy the physical records. While on the CIS environment the information on
the computer can be easily changed; leaving no trace of the original content.
Internal Control in a CIS Environment
The elements of internal control are the same; the computer just changes the methods by which these elements are
implemented. A variety of controls are performed to check accuracy, completeness, and authorization of transactions.
When computer processing is used in significant accounting applications, internal control procedures can be classified
into two types: General and Application controls.
 IMPACT OF COMPUTERS ON ACCOUNTING AND INTERNAL
CONTROL SYSTEM
GENERAL CONTROL – are those control policies and procedures that relate to the OVERALL computer information
system.
OBJECTIVE: Are to ensure the proper development and implementation of application and the integrity of
program and data files and of computer operations.

These control include:

1. ORGANIZATIONAL CONTROL
a. SEGREGATION OF DUTIES BETWEEN THE CIS AND USER DEPARTMENT
- Why there is a segregation of duties between the two department?
- one of the reason is conflict of interest between the two department. And those who process the data should
have no responsibilities for initiating or altering the data that. That ‘s why the;
- CIS department must be independent of all department within the entity who provide input data or that use
output generated by the CIS.

- FUNCTION: Process Transactions

- but there will be no transaction to be processed unless it is initiated by the user department.
- All changes in the computer files must be initiated and authorized the user department.
b. SEGREGATION OF DUTIES WITHIN CIS DEPARTMENT
-the entity’s organizational structure should provide for definite lines of authority and responsibility within the CIS
Department.

CIS DIRECTOR

SYSTEM DEVELOPMENT OPERATIONS OTHER FUNCTION

SYSTEM ANALYST COMPUTER OPERATOR LIBRARIAN

DATA ENTRY
PROGRAMMERS CONTROL GROUP
OPERATOR
CIS DIRECTOR- Exercise control over the CIS Department.
SYSTEM ANALYST- Design new system, evaluate and improve existing system and prepares program specifications
for programmer.

PROGRAMMER- Guided by the program specifications, writes the program, test and debug such program and prepare
computer operating instructions.

COMPUTER OPERATOR- Using the program and detailed computer operating instructions prepared by the programmer, it
is the one who operates the computer to process transactions.

DATA ENTRY OPERATOR- Prepares and Verifies input data for processing.

LIBRARIAN- Maintain custody of system documentation, program and files.

CONROL GROUP- they are the one who;

* Review all input procedures
* Monitor computer processing
* Follows-up data procedure errors.
* Review the reasonableness of output.
* Distribute Output to Authorized Personnel.
• IMPORTANCE OF CONTROL GROUP – is to coordinate the work or activities between the CIS Department and user
department.
• Optimal segregation of duties of the task be assigned to different employees.
• Especially as to system development and operation must be segregated.
- SYSTEM ANALYST AND PROGRAMMER: Should not allowed to;
- used the program they developed.
- operate the computer.
- COMPUTER OPERATION: who run the program should not participate in program design.
• Because number of computer related frauds have resulted when these functions are combined.

2. SYSTEM DEVELOPMENT AND DOCUMENTATION CONTROLS

- system and programs as well as modification must be adequately documented and properly approved before being used
Documentation ordinarily assumes the following form;
a. system flowchart
b. program flowchart
c. program change
d. Operator instructions
e. program description.
• Adequate documentation evidencing approval of changes is needed to minimize the probability of unauthorized system
and program changes that could result in loss of control and decrease the reliability of financial statement.

3. ACCESS CONTROL – it is usually aimed at for preventing unauthorized access.

Access control are;

A. Access to program documentation should be limited to those person who require it in the performance of their duties.
B. Access to data files should be limited to those individual authorized to process data.
C. Access to computer hardware should be limited to authorized individual such as computer operator and their supervisor.

- This control seek to prevent access to restricted data and program. As well as preventing unauthorized person from gaining
access to system as a whole.
- Once the access control is lower, there’s a probability and maybe possibility of fraud or alteration. Because anyone can access
to the system.
- One of the appropriate access control is the used of passwords.
4. DATA RECOVERY CONTROL
-all critical data files program should be backed-up and stored off-sites.
-one of the characteristics of CIS is the vulnerability of files. Because files can
be easily lost. And such lost can be disastrous to the entity.
- it’s survival depend on the ability to recover the files on a timely basis.
-The files should be copied daily to tape or disk and secured off-sites. So, in the
event of disruption, the most recent with subsequent transaction data is the
one would be recovered.

5. MONITORING CONTROLS
-designed to ensure that CIS control are working effectively as planned.

Controls;
A. Periodic Evaluation of the adequacy
B. Effectiveness of the overall CIS operation conducted by person within or outside entity.
APPLICATION CONTROLS-
are those policies that and procedures that relate to specific use of the system.

3 Stages of PROCESSING TRANSACTIONS

1. INPUT STAGE- involves capturing a mass of data

2. PROCESSING STAGE- involves converting the mass of raw information into useful information
3. OUTPUT STAGE- involves preparation of information in a form of useful to those who wish to use it.
CONTROLS OVER INPUT
INPUT controls are designed to provide reasonable assurance that data submitted for processing are complete,
properly authorized and accurately translated into machine readable form.
Examples of input controls:

 Key Verification- this requires data to be entered twice to provide assurance that there are no key entry errors committed
.

 Field Check- this ensures that the input data agree with the required field format.

 Validity Check- information entered are compared with valid information in the master file to determine the authenticity
of the input.

 Self-Checking Digit- this is mathematically calculated digit which is usually added to a document number to detect comm
on transpositional errors in data submitted for processing.

 Limit Check- is designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonabl
e amount.

 Control Totals- ensure the completeness of data before and after they are processed.
CONTROLS OVER PROCESSING
-are designed to provide reasonable assurance
that input data are processed accurately and that data are
not lost, added, excluded, duplicated or improperly changed.

CONTROLS OVER OUTPUT

-are designed to provide reasonable assurance
that the results of processing are complete, accurate, and
these outputs are distributed only to authorize personnel.
TEST OF CONTROL in a CIS Environment
The auditor’s objectives and scope of the audit do not change in a CIS environment.
However, the use of the computer changes the processing and storage of financial information
and may affect the organization and procedures employed by the entity to achieve adequate internal
control.

In testing application controls, the auditor may either:

Audit around the computer
Use Computer- Assisted audit techniques
Audit Around the Computer
-when using this approach, the auditor focusing solely on the INPUT documents and the CIS OUTPUT.
-input data are simply reconciled with the output to verify the accuracy of processing.

Effects of Computers on the Audit Process

The overall objective and scope of an audit does not change in a CIS environment. However, use of a computer changes the
processing, storage and communication of financial information and may affect the accounting and internal control systems em
ployed by the entity. Accordingly , a CIS environment may affect:

 The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control
systems.
 The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment.
 The auditor’s design and performance of test of control and substantive procedures appropriate to meet the audit
objective.
Computer Assisted Audit Techniques (CAATs)
 Computer Assisted
Audit Techniques (CAATs)

CAATs are computer programs and data which the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity's information systems. Some of the commonly used
CAATs include test data, integrated test facility and parallel simulation.
1.Test data
The test data technique is primarily designed to test the effectiveness of the internal control procedures
which are incorporated in the client’s computer program. The objective of the test data technique is to
determine whether the client’s computer programs can correctly handle valid and invalid conditions as they
arise.
 Test Data
Auditor’s
Test Data

Processed
Using client’s
program

Auditor’s
Output Compare Expected
Manually Output
2.Integrated test facility (ITF)
A disadvantage of the test data technique is that the auditor does not have an assurance that the program tested i
s the same program used by the client throughout the accounting period. When using the ITF, the auditor creates dummy or fict
itious employee or other appropriate unit for testing within the entity's computer system.

Auditor’s Client’s
Test Data Data

Processed
Using client’s
program

Auditor’s
Output Compare Expected
Manually Output
3. Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of
the program under review. The simulated program is then used to reprocess transactions that were previously
processed by the client’s program.

Auditor’s Client’s
Test Data Data

Processed Processed
Using client’s Using auditor’s
program program

Auditor’s
Output Compare Expected
Manually Output
 Parallel simulation can be accomplished by using generalized audit software or purpose
written programs. Generalized audit software consists of generally available computer package
which have been designed to perform common audit task such as performing or verifying calculations,
summarizing and totalling files and reporting in a format specified by the auditor.
 Other Computer Assisted Audit Techniques (CAATs)

1. Snapshots
This technique involves taking a picture of a transaction as it
flows through the computer systems

2. Systems Control Audit Review Files (SCARF)

This involves embedding audit software modules within an
application system to provide continuous monitoring of the
systems transactions.
THANK YOU!!