2Auditing in a Computer Environment Computers are used by almost all audit clients. Thus, computer auditing is practicsd, to a greater or lesser extent, in almost all audits. Computers introduce electronic technology in four phases of the audit process: (1) planning the audit, (2) obtaining an understanding of the control structure and control risk, (3) testing controls, and (4) using the computer to obtain substantive evidence about account balances.Chapter 8 covers the basic concepts in all four phases with focus on simple systems.
3Learning Objective 1Explain how a computer accounting system differs from a manual accounting system.
4Computer EnvironmentThe CICA Handbook prefers the use of EDP or Electronic Data Processing.There is no fundamental difference between computer auditing and auditing.Certain areas are not changed:the definition of auditingthe purposes of auditingthe generally accepted auditing standardsthe control objectivesthe requirement to gather sufficient and appropriate evidencethe audit reportPage 253
5Elements of a Computer-Based System Hardware:The physical equipment.Software:System programs:Perform generalized functions for more than one program.Application programs:Sets of computer instructions that perform data processing tasks.Page 254
6Elements of a Computer-Based System Documentation:A description of the system and control structures.Personnel:Persons who manage, design, program, operate,or control the system.Page 254
7Elements of a Computer-Based System Data:Transactions and related information entered, stored, and processed by the system.Control procedures:Activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities.Page 254
8Elements of a Computer-Based System Management is responsible for internal controls; the auditor is responsible to understand controls and assess control risk.Management can meet responsibilities and assist the auditor byensuring documentation is currentensuring that systems produce an audit trailmaking computer resources and personnel available to the auditor as requiredPage 254
9Effect of Computer Processing Characteristics that distinguish computer processing from manual processing:Transaction trails may not exist, or may exist only in machine readable formats.Uniform processing of transactions eliminates random errors, but may cause systematic errors.Many internal controls may be concentrated in the computer systems; persons who have access to the computer may be in a position to perform incompatible functions.Page 255
10Computer ProcessingCharacteristics that distinguish computer processing from manual processing:The potential for errors and irregularities through inappropriate access to computer data or systems may be greater.A potential for increased management supervision with a wide variety of analytical tools is created in computerized processing.Initiation or subsequent execution of transactions by computer may not generate evidence of authorization.Page 255
11Learning Objective 2List and discuss additional matters of planning auditors should consider for clients who use computers.
12PlanningThe extent and complexity of computer processing may affect the nature, extent, and timing of procedures.The auditor should consider:the extent to which computers are used in accounting applicationsAuditors will need computer-related skills to understand the flow of transactions processed by computers.Page 256
13Planning The auditor should consider: the complexity of computer operations:Auditors will need to assess training and experience relative to the methods of computer processing.the organizational structure of computer processing activities:Auditors must consider the degree of centralization and standardization in computer-related operations.Page
14Planning The auditor should consider: the availability of data from the computer systemAuditors must consider when information may no longer be available for review.the use of computer-assisted audit techniques (CAATs) to increase the efficiency of audit proceduresthe need for audit personnel with specialized skillsPage
15Learning Objective 3Describe how the phases of control risk assessment are affected by computer processing.
16Phase 1 - UnderstandingThe purpose of Phase 1 is to obtain sufficient knowledge of controls for planning the audit.This will include a general knowledge ofthe organizational structuremethods used to communicate responsibility and authoritymethods used to supervise the systemComputer processing may affect each of these elements.Page
17Organizational Structure Understanding of the organization of the client computer functions is required for assessment of risk.The auditor should obtain and evaluatea description of computer resources and computer operating activitiesa description of the organizational structure of computer operations and related policiesThis understanding helps the auditor decide on the amount of reliance to place on system controls.Page 258
18Methods Used to Communicate Responsibility and Authority Auditors should understand how the computer resources are managed and how priorities for use are determined.Auditors should obtain evidence and evaluate information about the existence ofaccounting and other policy manualsformal job descriptions for computer department personnelPage 259
19Methods Used by Management to Supervise the System Auditors should learn the procedures management uses to monitor the computer operations.Auditors should evaluate:a) systems design and documentationb) procedures for modificationc) procedures limiting accessd) financial and other reportse) internal audit functionPage 259
20Understanding the Accounting System Auditors should gain an understanding of the flow of transactions through the accounting system for each significant accounting application.Page 259
21Phase 2: Assessing Control Risk To assess the control risk when a computer is used, auditors must do the following:Identify specific control objectives based on the types of misstatements that may be present.Identify the points in the flow of transactions where specific types of misstatement could occur.Identify specific control activities designed to prevent or detect misstatements.Page 260See exhibit 8-1 for an illustration of points 1 and 2
22Phase 2: Assessing Control Risk To assess the control risk when a computer is used, auditors must do the following:Identify the control activities that must function to prevent or detect misstatements.Evaluate the control activities to determine whether they suggest a low control risk and whether tests of controls might be cost effective.Page 260See exhibit 8-1 for an illustration of points 1 and 2
23Assessing Control Risk The information gathered should allow the auditor to decide the following:That:Control risk is assessed low, and it is cost effective to perform test of controls.Continue with testing of control.Control risk is assessed low, but it is not cost effective to perform tests of controls.Concentrate on substantive procedures.Control risk is assessed high.Page
24Learning Objective 4Describe and explain general control procedures and place the application control procedures covered in Chapter 6 in the context of computerized “error checking routines.”
25Simple Computer Systems Characteristics of a simple computer system:All processing occurs at a central processing facility.Three or four people are involved in operations of a simple system.System may use batch processing or online processing.Page 262
26Simple Computer Systems General control procedures:Those controls that relate to all or many computerized accounting functions.Organization and physical accessWeakness or absence of access controls decreases the overall integrity of the computer system.Documentation and systems developmentWeakness or absence of documentation and development standards also decrease the integrity of the system.Page
27Simple Computer Systems General control procedures:HardwareAuditor should be familiar with hardware controls.Data file and program control and securityControls are necessary to determine that the proper files and programs are being used, and that files are appropriately backed up.Page
28Application Control Procedures Application controls are those used in each “application.”Application controls are grouped under three categories:input controlsprocessing controlsoutput controlsPage
29Application Control Procedures Input controls:Controls at input are primarily preventative.It is generally more cost effective to prevent errors than it is to detect and correct them.Processing controls:Primarily oriented at detecting misstatements.Output controls:Primarily oriented at correcting misstatements.Page
30Control Risk in Simple Systems The purpose of review of controls is to understand the strengths and weakness of control systems.The general controls must be good in order for any application controls to be considered in planning the substantive procedures.The usual approach is to evaluate general controls first, then application controls.Pages
31Learning Objective 5Describe the characteristics and control problems of personal computer installations.
32Personal Computer Environment Computer activity involving PCs should be included in determination of risk.PCs may be standalone systems or part of a distributed system.The control environment, not the technology, is the important consideration for the auditorIn a PC environment, lack of segregation of duties may be a significant risk.Page 271
33Personal Computer Environment PC Control Considerations:Most control problems can be traced to lack of segregation of duties and lack of computerized control procedures.Auditors should consider the entire control structure and look for compensating control strengths.Page 272
34Personal Computer Environment Organizational control procedures:Limit concentration of functions as much as possible.Establish proper supervision.Operation control procedures:Controls over online entry are important.Restrict access to input devices.Use standard screens, computer prompting, and online editing procedures.Page
35Personal Computer Environment Processing control procedures:Ensure processing is correct and complete.Capture entries in transaction logs.Make use of control totals.Perform periodic reconciliation of input to output.Systems development and modification:Purchased applications should be reviewed carefully.Page
36Learning Objective 6Explain the differences among auditing around the computer, auditing through the computer, and auditing with the computer.
37Evaluation Approaches Auditing around the computer:Treat the computer as a “black box” and vouch and trace source documents and output.Adequate procedure where the computer is simply used as a calculator and printer.Auditing through the computer:Evaluate hardware, software, and controls.Uses computerized controls.Page
38Learning Objective 7Explain how the auditor can perform the test of controls audit of computerized controls in a simple computer system.
39Tests of Computer Controls There are two approaches to using the computer in test of controls procedures:Test data:Test the programmed controls using simulated data.Parallel simulation:Audit the programmed controls with live data reprocessed with an independent audit program.Pages
40Test DataA computer will process every transaction in a certain logical way exactly the same every time.Create hypothetical transactions to determine how the computer will handle errors.Test data is a sample of combinations of input data that may be processed through a system.Test data will contain planted errors in addition to good transactions.Pages
41Parallel SimulationAuditors prepare a program to process data correctly and compare results to results of actual client processing.Generalized audit software makes the process more attractive.First audit using a parallel simulation is time consuming and expensive.Economies are realized in subsequent audits of the same client.Pages
42Learning Objective 8Describe the use of generalized audit software.
43Generalized Audit Software Generalized audit software (GAS) programs are a set of functions that may be utilized to read, compute, and operate on machine-readable records.Used on audits where records are stored in computer files or databases.Page 280
44Generalized Audit Software Auditing with the computer:GAS was developed to access machine-readable detail records.Original programming is no longer required.The GAS consists of a set of pre-programmed editing, operating, and output subroutines.Required programming is easy.Simple, limited set of programming instructions is used to call the subroutines.Page 280
45Generalized Audit Software Audit procedures performed by generalized audit software:GAS can access huge volumes of machine-readable records, organizing them into a useful format for the audit team.GAS can be used for the following:computationconfirmationinspectionanalysisPage 281
46Using Generalized Audit Software Five phases in developing a GAS application:Define the audit objective.GAS is a tool, not an objective.Feasibility and planningDetermine if GAS is efficient and effective for the audit at hand.Application designCoding and testingProcessing and evaluationPages
47Learning Objective 9Describe how the personal computer can be used as an audit tool.
48Using the Personal Computer as an Audit Tool The PC is being used to perform clerical steps:working trial balanceposting adjustmentsgrouping accountscomputing comparative statementscomputing common ratiospreparing supporting working papersproducing draft statementsPCs are also used toassess control riskperform analytical functionsaccess databasesrun decision-making support softwareperform CAATsPage 284 – 286See exhibit 8-6
49Learning Objective 10Describe the effects of e-business on auditing.
50E-BusinessElectric commerce (e-commerce) is any trade that takes place by electronic means.This economic activity has been greatly facilitated by the growing use of the Internet.Segments of e-commerce include:B2B – Business to businessB2C – Business to consumerC2B – Consumer to businessC2C – Consumer to consumerPage
51E-BusinessThe audit strategy in e-business is to first evaluate general controls and then consider application controls.General control risks include confidentiality, integrity, authentication, repudiation, and unauthorized access.Controls include use of encryption, hashing, digital signatures, passwords, transaction certificates, confirmation services, firewalls, and biometric devices.Page
52Application Controls Credit card payments: Primary concern is the secure transmission credit card information.Protocols to ensure security include:Secure Socket Layers (SSL)Secure Electronic Transactions (SET)Auditors will need to compliance test the authentication, access, and confidentiality controls.Pages
53Effects of E-Business on Auditors Auditors should expect to encounter electronic records rather than paper.Auditors will need to put more reliance on controls.The quality of audit evidence will become very dependent on controls over accuracy and completeness.Pages
54Internet-based and Continuous Auditing A continuous audit enables the auditor to issue written assurance simultaneously, or shortly after the occurrence of the underlying events.Subject matter could be any type of information; for example, authenticity, integrity, or non-repudiation of e-commerce transactions.A CICA study has identified conditions necessary for a continuous audit.PagesSee individual point under heading Internet-based and Continuous Auditing and Exhibit 8-13.