CHAPTER 8
Auditing in a Computer Environment
LEARNING OBJECTIVES
Review Checkpoints / Exercises and Problems / Cases
1. Explain how a computer accounting system differs from a manual accounting system. / 1, 2
2. List and discuss additional matters of planning auditors should consider for clients who use computers. / 3, 4 / 36, 37, 38
3. Describe how the phases of control risk assessment are affected by computer processing. / 5, 6, 7, 8 / 55
4. Describe and explain general control procedures and place the application control procedures covered in Chapter 11 in the context of computerized "error checking routine." / 9, 10, 11, 12, 13, 14, 15, 16 / 48, 49, 50, 51, 52, 53, 54 / 56
5. Describe the characteristics and control problems of micro- minicomputer installations. / 17, 18, 19, 20 / 57
6. Explain the differences among auditing around the computer, auditing through and with the computer. / 21
7. Explain how the auditor can perform the test of controls audit of computerized controls in a simple computer system. / 22, 23, 24, 25
8. Describe the use of generalized audit software. / 26, 27, 28, 29, 30, 31, 32
9. Describe how the microcomputer can be used as an audit tool. / 33, 34, 35
POWERPOINT SLIDES
PowerPoint slides are included on the website. Please take special note of:
* Effect of Computer Processing
* Evaluation Approaches of Computer Systems
SOLUTIONS FOR REVIEW CHECKPOINTS
8.1 Management can meet its responsibility for establishing and maintaining an internal control system and assist the auditors at the same time by: (1) ensuring that documentation of the system is complete and up to date, (2) maintaining a system of transaction processing that includes an audit trail, and (3) making computer resources and knowledgeable personnel available to the auditors to help them understand and audit the system.
8.2 The important differences between manual and computer accounting systems are in these areas: (1) transaction trails, (2) uniform processing of transactions, (3) segregation of functions, (4) potential for errors and irregularities, (5) potential for increased management supervision, and (6) initiation or subsequent execution of transactions by computer.
8.3 Additional planning items that should be considered when computer processing is involved are:
* The extent to which the computer is used in each significant accounting application.
* The complexity of the computer operations used by the entity, including the use of an outside service center.
* The organizational structure of the computer processing activities.
* The availability of data.
* The computer-assisted audit techniques to increase the efficiency of audit procedures.
* The need for specialized skills.
8.4 General characteristics of transactions that are typically computerized: Frequent, repetitive, large number.
General characteristics of transactions that typically are not computerized: Infrequent, occasional, small number.
8.5 Understanding the control environment is a part of the preliminary phase of control risk assessment. Computer use in data processing affects this understanding in each of the parts of the control environment as follows:
The organizational structure--should include an understanding of the organization of the computer function. Auditors should obtain and evaluate: (a) a description of the computer resources and (b) a description of the organizational structure of computer operations.
Methods used to communicate responsibility and authority--should include the methods related to computer processing. Auditors should obtain information about the existence of: (a) accounting and other policy manuals including computer operations and use manual and (b) formal job descriptions for computer department personnel. Further, auditors should gain an understanding of: (a) how the client's computer resources are managed, (b) how priorities for resources are determined and (c) if user departments have a clear understanding of how they are to comply with computer related standards and procedures.
Methods used by management to supervise the system--should include procedures management uses to supervise the computer operations. Items that are of interest to the auditors include: (a) the existence of systems design and documentation standards and the extent to which they are used, (b) the existence and quality of procedures for systems and program modification, systems acceptance approval and output modification, (c) the procedures limiting access to authorized information, (d) the availability of financial and other reports and (e) the existence of an internal audit function.
8.6 Auditors can use these sources of information to obtain an understanding of the flow of transactions through a client's computerized accounting system: client's description of the accounting applications (perhaps answers to inquiries), client's user manuals and instructions, file descriptions, system flowcharts, and written narrative descriptions.
8.7 Five general tasks involved in computer system control risk assessment are:
(1) identify specific control objectives based on the type of misstatements that might occur,
(2) identify the points where misstatements might occur,
(3) identify specific control procedures designed to prevent or detect these misstatements,
(4) identify the control procedures that must function to prevent or detect the misstatements, and
(5) evaluate the design of controls and consider the cost-effectiveness of testing them.
8.8 Manual Input
1. Source data preparation
2. Batch total preparation
3. Conversion to computer-readable form
9. Master file update (including conversion)
Computer Processing
4. Input file identification
5. Information transfer among computer programs
6. Computer files accessed for additional information
7. Transactions initiated by the computer
8. Output files and updated master files produced
10. Output reports or files produced
Error Correction
11. Error correction (including conversion and resubmission)
8.9 The four categories of general control procedures are:
(1) organization and physical access controls,
(2) documentation and systems development controls,
(3) hardware controls, and
(4) data file program and security controls.
8.10 General familiarity obtained by auditors with the preliminary information in the "organization and physical access" questionnaire includes:
(1) personnel organization chart,
(2) hardware and peripheral equipment descriptions,
(3) communication network description,
(4) major application processes (batch or online) used,
(5) description of significant input and output files,
(6) description of software, and
(7) physical layout of the data center.
8.11 Typical content of application description documentation for a computerized accounting system includes:
(1) system flowcharts,
(2) descriptions of all inputs and outputs,
(3) record formats,
(4) lists of computer codes, and
(5) control features.
Typical content of the program description documentation includes:
(1) a program flowchart,
(2) a listing of the program source code, and
(3) a record of all program changes.
Typical content of the acceptance testing records documentation includes:
(1) test data the auditors can use or review,
(2) users' manual, and
(3) log of program changes and modifications.
Typical content of the controls section documentation includes:
(1) description and specification of all manual and computer controls in the program.
8.12 An external label on a magnetic file is a paper label affixed to the outside of the tape reel or disk pack that identifies the contents like a book title identifies the book. An internal label is also an identifying label, but it is magnetically coded on the magnetic tape or disk itself at the beginning of the data (a header label).
8.13 Documentation differs significantly as to inclusion of program flowcharts, program listings, and technical operator instructions.
File security and retention differs because of the relatively delicate form of the magnetic media requiring fireproof vault storage, insulation from other magnetic fields, safeguards from accidental writing on data files, and so forth.
8.14 Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing.
8.15 Auditors are not expected to be computer technicians with respect to hardware controls, but they should be familiar with the terminology and the way they are supposed to work so that they will not escape attention and so that they can converse knowledgeably with client computer personnel. Auditors should be primarily concerned with operator procedures when hardware controls fail.
8.16 A self-checking number is a two-part number consisting of a basic set of digits followed by (or preceded by) a "check digit." The check digit is determined by performing a mathematical calculation on the basic set of digits; thus an erroneous basic number may be detected by a computer. A common example of a self-checking number is a credit card number.
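Added example (not part of the original solutions): the check-digit calculation described in 8.16, shown with the Luhn formula used for payment card numbers. It goes beyond the answer by also listing which keying errors the check fails to catch; the function names and sample numbers are constructed for illustration.

```python
def luhn_check_digit(basic: str) -> int:
    """Compute the check digit for the basic set of digits (Luhn formula)."""
    if not (basic.isascii() and basic.isdigit()):
        raise ValueError("basic number must contain only the digits 0-9")
    total = 0
    # Work right to left; every second digit, starting with the rightmost, is doubled.
    for pos, ch in enumerate(reversed(basic)):
        d = int(ch)
        if pos % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2   # same as adding the digits of 2*d
        total += d
    return (10 - total % 10) % 10


def is_valid(number: str) -> bool:
    """Input edit check: recompute the check digit and compare with the keyed one."""
    if len(number) < 2 or not (number.isascii() and number.isdigit()):
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def missed_single_digit_errors(number: str) -> list:
    """Every one-digit miskeying of `number` that would still pass the edit check."""
    missed = []
    for i, original in enumerate(number):
        for wrong in "0123456789":
            if wrong != original:
                candidate = number[:i] + wrong + number[i + 1:]
                if is_valid(candidate):
                    missed.append(candidate)
    return missed


def missed_adjacent_swaps(number: str) -> list:
    """Every transposition of two adjacent digits that would still pass the check."""
    missed = []
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
            if is_valid(swapped):
                missed.append(swapped)
    return missed


if __name__ == "__main__":
    account = "7992739871"                       # constructed basic number
    full = account + str(luhn_check_digit(account))
    print(full, is_valid(full))
    print("single-digit errors missed:", missed_single_digit_errors(full))
    # Constructed number containing the pair 0,9: the one swap Luhn cannot see.
    print("adjacent swaps missed:", missed_adjacent_swaps("45096"))
```

The edit check catches every single-digit miskeying, but a transposed 0 and 9 passes it, so a check digit supplements rather than replaces the other input controls.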
8.17 Lack of Segregation of Accounting Functions.
People in user departments may initiate and authorize source documents, enter data, operate the computer, and distribute output reports.
Lack of Segregation of Computer Functions.
Small organizations may not separate the functions of programming and operating the computer. Programs and data are often resident on disk at all times and accessible by any operator.
8.18 Control techniques a company can use to achieve control over the operation of a PC accounting system:
Restricting access to input devices
Standard screens and computer prompting
On-line editing and sight verification
8.19 Control techniques a company can use to achieve control over the computer processing of accounting data in a PC system include:
Transaction logs
Control totals
Balancing input to output
Audit trail
8.20 Major characteristics:
1. Staff and location of the computer--operated by small staff located within the user department and without physical security.
2. Programs--supplied by computer manufacturers or software houses.
3. Processing mode--interactive data entry by users with most of the master files accessible for inquiry and direct update.
Control Problems:
1. Lack of segregation of duties.
2. Lack of controls on the operating system and application programs.
3. Unlimited access to data files and programs.
4. No record of usage.
5. No backup of essential files.
6. No audit trail of processing.
7. No authorization or record of program changes.
8.21 Auditing through the computer refers to making use of the computer itself to test the operative effectiveness of application controls in the program actually used to process accounting data. Thus the term refers only to the proper study and evaluation of internal control. Auditing with the computer refers both to the study of internal control (the same as "auditing through") and to the use of the computer to perform audit tasks, such as obtaining substantive monetary evidence.
8.22 Both are audit procedures that use the computer to test controls that are included in a computer program. The basic difference is that the test data procedure utilizes the client's program with auditor-created transactions, while parallel simulation utilizes an auditor-created program with actual client transactions. In the test data procedure the results from the client program are compared to the auditor's predetermined results to determine whether the controls work as described. In the parallel simulation procedure, the results from the auditor program are compared to the results from the client program to determine whether the controls work as described.
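Added example (not part of the original solutions): the two procedures in 8.22 run side by side. client_program is a constructed stand-in for a client's payroll program with a deliberately planted deviation from its documented 60-hour limit; the master file, test deck and transactions are likewise constructed.

```python
# Constructed master file: employee id -> hourly rate in cents.
MASTER = {"E100": 2000, "E200": 3550}


def client_program(emp_id, hours):
    """Stand-in for the client's program. Documented controls: reject employee ids
    not on the master file and reject more than 60 hours; time-and-a-half over 40."""
    if emp_id not in MASTER:
        return "REJECT"
    if hours > 80:              # planted deviation: the documentation says 60
        return "REJECT"
    rate = MASTER[emp_id]
    return rate * min(hours, 40) + rate * 3 * max(hours - 40, 0) // 2


def auditor_program(emp_id, hours):
    """Auditor-written program that processes transactions as the documentation describes."""
    if emp_id not in MASTER or hours > 60:
        return "REJECT"
    overtime = max(hours - 40, 0)
    return MASTER[emp_id] * (hours - overtime) + MASTER[emp_id] * overtime * 3 // 2


def run_test_data(program, test_deck):
    """Test data: auditor-created transactions go through the client's program and
    each result is compared with the auditor's predetermined result."""
    exceptions = []
    for emp_id, hours, expected in test_deck:
        actual = program(emp_id, hours)
        if actual != expected:
            exceptions.append((emp_id, hours, expected, actual))
    return exceptions


def parallel_simulation(transactions, client_results, simulate):
    """Parallel simulation: actual client transactions go through the auditor's
    program and each result is compared with what the client's program produced."""
    exceptions = []
    for (emp_id, hours), client_result in zip(transactions, client_results):
        simulated = simulate(emp_id, hours)
        if simulated != client_result:
            exceptions.append((emp_id, hours, client_result, simulated))
    return exceptions


# Constructed test deck: valid, overtime, unknown id, limit boundary, over the limit.
TEST_DECK = [("E100", 40, 80000), ("E100", 45, 95000), ("E999", 40, "REJECT"),
             ("E200", 60, 248500), ("E200", 61, "REJECT")]

# Constructed "actual" transactions and the output the client's program produced for them.
ACTUAL = [("E100", 38), ("E200", 44), ("E100", 72)]
CLIENT_OUTPUT = [client_program(e, h) for e, h in ACTUAL]

if __name__ == "__main__":
    print("test data exceptions:", run_test_data(client_program, TEST_DECK))
    print("parallel simulation exceptions:",
          parallel_simulation(ACTUAL, CLIENT_OUTPUT, auditor_program))
```

Test data finds the weak limit check only because the deck includes a 61-hour transaction; parallel simulation finds it only because a 72-hour transaction happened to occur in the period.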
8.23 It is true that fictitious (fake) transactions are not used by the auditor when the data processing system is manual, but in a manual system documentary evidence is available that can be visually examined to audit control procedures. New techniques are necessary to gather evidence and evaluate controls with computer programs. The client should be advised of the nature of the "test data" or "integrated test facility" and these procedures must be carefully controlled to prevent contamination of actual client files. Test data and integrated test facility procedures are costly and used only if other audit procedures are not available.
8.24 Controlled reprocessing is another method for obtaining parallel simulation test of controls evidence. In controlled reprocessing, the auditors create the "simulated system" by performing a thorough technical audit of the controls in the client's actual program, then keep a copy of it secure in the auditors' files. Actual client data can later be processed using this audited copy of the client's program. The goal is to determine whether output from the program the client actually used in processing data produces satisfactory accounting output when compared to the output from the auditors' controlled copy of the program.
8.25 The auditors' test of computer controls and assessment of related control risk is considered "crucial" because subsequent substantive audit work may be performed using magnetic files produced by the client's computerized information system. The control over the content of these files is important since they will be used in other computer-assisted audit work. If garbage goes in, the auditors might get garbage out and not know it.
8.26 Generalized audit software is a set of preprogrammed editing, operating, and output routines that can be called into use with a simple, limited set of programming instructions by an auditor who has one or two weeks intensive training.
8.27 Advantages of using GAS to perform recalculations are primarily speed and accuracy. With GAS it is just as easy to recalculate all client computations as it would be to test a sample of calculations. Any differences from client computations can be printed out for investigation.
When using GAS to select samples and print confirmations, the advantages include the use of preprogrammed statistical routines to randomly select the sample and the speed with which confirmations can be prepared on preprinted forms.
8.28 Five audit procedures that can be performed using generalized audit software are:
1. Recalculation.
2. Confirmation.
3. Document Examination (limited).
4. Scanning.
5. Analytical Procedures. Compare data on separate files.
6. Analytical Procedures. Summarize and resequence data for ease of other analysis or selection.
8.29
Phases / Noncomputer auditor involvement
1. Define the audit objectives / Primary responsibility
2. Feasibility / Evaluate alternatives
2. Planning / Review with computer auditor
3. Application design / none
4. Coding / none
4. Testing / Review final test results, compare to plan
5. Processing / Actual computer processing--none
   Use of results--depends on application
5. Evaluation / Full responsibility for audit decisions.
8.30 If planning is not adequate, the audit objectives may not be achieved, and problems are likely to occur in subsequent phases which will require extensive time and effort to correct. Further, in the planning phase the workpapers which will document the application are defined, the testing specified, and the controls over the application determined.
Testing must be adequate and well documented or else the probability of success will be low. Once processing commences, it is extremely difficult to correct errors and deficiencies. The noncomputer auditor should be actively involved in the planning and should review the results of testing.
8.31 The audit manager (or another supervisory auditor on the main audit team), and not the computer audit specialist, should have the responsibility of deciding about the computer output that should be retained in the working papers.
8.32 The statement is true. Auditors should think in terms of the total audit objectives and audit procedures, the same as they would in a manual environment. It is generally more efficient to have the same person do both the applications reviews and the generalized audit software (GAS) procedures. This person can gather the basic record layouts and identify the client files needed for the GAS; also, the same client personnel will need to be involved in the reviews and the GAS procedures. However, in some firms, the regular audit staff performs the applications reviews, while computer audit specialists perform the GAS procedures.
8.33 Word processing can be used in an audit to prepare audit programs, write audit memoranda, and write audit reports.
8.34 Automated work paper software generally consists of trial balance and adjustment worksheets, working paper (lead schedule) forms, easy facilities for adjusting journal entries, and electronic spreadsheets for various analyses.
8.35 An electronic spreadsheet can be used instead of paper and pencil to create the form of a bank reconciliation, with space provided for text lists of outstanding items (using the label input capability), and math formulas inserted for accurate arithmetic in the reconciliation. Printing such a reconciliation is easy (and much prettier than most accountants' handwriting!).
SOLUTIONS FOR KINGSTON CASE
8.36 Effect of the Kingston Computer on Planning
TO: Dalton Wardlaw
FROM:
DATE:
SUBJECT: Effect of Kingston computer processing on audit planning
Several factors will cause our audit planning and design to be different for the computer-processed records in comparison to the manual-processed records.
Extent of Computer Use
The HP General Accounting package was used only in the last three months of the year. However, it was completely initiated for all of Kingston's transaction processing. Therefore, we will need to use computer auditing knowledge to complete the audit.
Complexity of Computer Operations
Kingston does not use an outside service center.
The equipment is not particularly complex. The computers, terminals, and output devices (printers) are in the single office location. Kingston does not utilize data transmission over phone lines or microwaves, but there is a network of terminals in various locations. However, the HP system is a database system, which shares information for various transaction processing applications. Therefore, we will need to study the controls that limit access to various parts of the database.
Organizational Structure of Computer Activities
Kingston has centralized the management and control of the computer processing activity. We can perform most of our work in the computer rooms. We do not need to arrange for work at other data processing locations, although we will need to perform some work in the places where terminals are maintained.
Availability of Data
As of today, we have no definite information about Kingston's data retention policies. From our involvement in the planning for the system, however, we should be able to obtain this information from the MAS staff people in the firm. With luck, Kingston will have dumped most of the data so we can use it to perform some extensive control risk assessment for this year and for future reference.
Computer-Assisted Audit Techniques
Data available on computer files will make many of our audit procedures much easier. We can print samples from the files and apply some calculation procedures (like annual depreciation charges) to entire populations of data. We need to investigate some parallel processing procedures.
Need for Specialized Audit Skills
We need one of the firm's computer audit specialists--someone who knows how to program some search and sampling commands for the HP system and Kingston's databases.