In recent years, there has been a rapid development in the use of computers to generate financial information. This development has created certain problems for the auditor in that, although general auditing principles have not been affected, it is sometimes necessary to use specialised auditing procedures and techniques. As a result, a group of electronic data processing (EDP) audit specialists has emerged within the accounting profession, equipped with sufficient technical expertise to make an intelligent analysis of complex computer audit situations. The intention of this chapter is to outline the various factors that need to be taken into consideration in evaluating internal control within EDP systems and to draw attention to the modifications in audit procedures which may be required in certain circumstances. The basic objective and nature of an audit do not change in a computer information system (CIS) environment. However, the use of computers in maintaining the books of accounts and records affects the processing, storage, retrieval and communication of financial information and may require changing the accounting and internal control systems employed by the organisation. As given in SA-401, the auditor should evaluate the following factors to determine the effect of the computer information system environment on the audit:
The auditor should have sufficient knowledge of the computer information systems to plan, direct, supervise, control and review the work performed. He should also consider whether any specialised skills are required in the conduct of the audit in a computer information system environment. In planning the portions of the audit which may be affected by the computer information system environment, the auditor should obtain an understanding of the significance and complexity of the computer information system activities and the availability of the data for use in the audit. When the computer information systems are significant, the auditor should also obtain an understanding of the computer information system environment and whether it may influence the assessment of inherent and control risks. The auditor should document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained. In an audit in a computer information system environment, some of the audit evidence may be in electronic form. The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required. It is usual for the auditor to base his approach to an EDP-based audit upon two completely separate types of review: Organisational review is the review of the organisational controls within the computer installation itself. This review seeks to examine the internal control within the computer installation, to ensure that:
Serious weaknesses in internal control within the EDP department itself can throw doubt on the validity of all the data it produces. System review is a detailed review of the controls operating within each computer-based accounting system. This review seeks to establish that controls operate within each individual system which, inter alia, ensure that:
Both types of review are carried out by the use of questionnaires and these questionnaires are based on the ‘key question’ principle. It is necessary to evaluate both the general and computer questionnaires together to obtain a proper understanding of the system and to assess the significance of individual controls. The organisational review seeks to establish that there are no serious internal control weaknesses within the installation which could throw doubt on the validity of the information produced. Adopting this approach, the auditor should seek to establish that six key controls operate within the installation. These controls are as follows: The degree of control which general management should exercise over the EDP department will depend both upon the nature and complexity of the business and the complexity of the computer installation. The following minimum standards should, however, apply:
It should therefore be ascertained that the person to whom the EDP Manager reports is a member of the senior management team and has sufficient authority to ensure that the department will receive adequate support and effective management. The auditor should also enquire into the manner in which the activities of the department are reported to senior management. Ideally, a monthly control report should be prepared, which should include the following information:
Arrangements should exist within every EDP installation which attempt either to eliminate or to minimise the possibility of EDP facilities being completely destroyed for any reason. These arrangements are significant in that the loss of certain vital information could seriously disrupt an organisation’s general business and profitability. The auditor should enquire into the existence of the following controls:
The division of duties within the EDP department and the general procedural arrangements should be such that the records of the client are not exposed to any undue risk of loss or corruption, either accidental or deliberate. The auditor should therefore direct his attention to the following aspects of internal control:
Control over data submitted for processing is of vital concern to the auditor. The controls established within each system, such as control total checks and validation checks should be examined in detail by means of separate audit reviews of each individual system. Additionally, the auditor should examine as part of his installation review the general standard of controls, which are in operation within the EDP department, particularly within the data control section. There are three main areas of control to which the auditor should direct his attention:
The procedural controls relating to the operation of the computer should also be reviewed, the objective being to ensure that there are no internal control weaknesses which could give rise to the mis-processing of data. The points to be considered during this aspect of the review are as follows:
To complete his review of the computer installation, the auditor should conduct a review of the internal control surrounding the general activities of the EDP department. The points that should be covered within this area of review are as follows:
Having completed his review of the installation and satisfied himself as to the adequacy or otherwise of the design and operation of the various procedural controls, the auditor will be in a position to review in detail the design and operation of each of the individual systems. His approach to this task will be similar to that employed in any other system-based audit, which includes the following: The task of documenting a computer system is not dissimilar from that of documenting any other accounting system. In fact, the auditor is invariably aided in his work in that he will normally find that the system has already been well documented by the analysts who designed the system. The amount of documentation which will be available will clearly vary from installation to installation. In some cases, it will be necessary to supplement the documentation with the auditor’s own notes and flowcharts, whereas in other cases the notes and flowcharts provided by the client will prove sufficient. The documentation will need to be assembled in a manner which will facilitate an evaluation of the system on the ‘key question’ principle. Clearly, no hard and fast rules can be laid down, but it will normally be convenient to use the outline system flowchart as the principal record of the system and to supplement this flowchart with the following four main schedules:
The outline system flowchart, together with the four main supporting schedules should provide the auditor with the bulk of the information, which he requires for his evaluation of the system. Having completed his documentation of the system, the auditor can proceed with his evaluation of the internal controls operating within the system. He will do this by means of an internal control questionnaire. The questionnaire should seek to establish that the following seven key controls operate:
Having documented the system and having evaluated the controls operating within the system, the auditor will be in a position to design his audit programme. It should be emphasised that the principles involved are identical to those in any other system-based audit, namely, that the auditor is seeking to assess and test the operation of the system, so that he can rely on the information produced by the system. If he can satisfy himself as to the reliability of the system, this does not of course obviate the necessity for balance sheet verification work. Thus, even though the auditor is satisfied as to the operation of the computer systems, it will still be necessary to verify, for example, purchase ledger balances against circulars and statements and stock ledger balances against physical stock counts.
Rapid changes in hardware and software have changed the conceptual approach to auditing in an EDP environment. In earlier times, the audit approach consisted of ignoring the existence of the computer, treating it as a black box and conducting the audit around the computer. However, the increasing development of computers has since led to computers being used in two different ways:
The auditor must plan whether to use the computer to assist the audit or whether to audit without using the computer. These two approaches are commonly known as ‘auditing around the computer’ and ‘auditing through the computer’. Auditing around the computer involves arriving at a conclusion through examining the internal control system for the computer installation and the input and output only for application systems. On the basis of the quality of the input and output of the application system, the auditors take a decision about the quality of the processing carried out. Under this approach, the auditor considers the computer as a black box and as a result, the application system processing is not examined directly. Usually the auditors adopt this approach of auditing around the computer when any of the following conditions are fulfilled:
For these well-defined systems, generalised software packages often are available. For example, software vendors have already developed packages for value-added tax calculation. If these software packages are provided by a recognised vendor, have received widespread use and appear error-free, the auditor may decide not to test directly the processing aspects of the system. However, the auditor must ensure that the installation has not modified the package in any way and that adequate controls exist to prevent unauthorised modification of the package. The basic advantage of auditing around the computer is its simplicity. Auditors having little technical knowledge of computers can be trained easily to perform the audit. However, this approach is also not free from defects. There are two major limitations to this approach. Firstly, the type of computer system where it is applicable is very restricted. It should not be used in those systems having complexity in terms of size or type of processing. Secondly, the auditor cannot assess very well the likelihood of the system degrading if the environment changes. The auditor should be concerned with the ability of the organisation to adjust to a changed environment. Systems can be designed and programs can be written in certain ways so that a change in the environment will not cause the system to process data incorrectly or to degrade quickly. The auditor can use the computer to test: (a) the logic and controls existing within the system and (b) the records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor. Following are the situations where auditing through the computer must be used:
The main advantage of this auditing approach is that the auditor has increased power to effectively test a computer system. The range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system’s processing, the auditor also can assess the system’s ability to cope with environment change. The main disadvantages of this approach are the high costs sometimes involved and the need for extensive technical expertise when systems are complex. However, these disadvantages are really spurious if auditing through the computer is the only viable method of carrying out the audit. As in the case of manual systems, the basic approach to auditing in an EDP environment is to:
Due to the special characteristics of an EDP environment, auditors often use the computer for performing several compliance procedures as well as substantive procedures. The techniques which involve the use of the computer for audit purposes are known as computer-assisted audit techniques (CAATs). Computer-assisted audit techniques involve the use of computers in the process of an audit rather than limiting it to an entirely manual approach. CAATs are defined as computer-based tools and techniques which help auditors to increase their personal productivity as well as that of the audit function. CAATs are software tools for auditors to access, analyse and interpret data and to draw an opinion for an audit objective. Standards on Auditing-401 (SA-401) states that the effectiveness and efficiency of audit procedures may be improved through the use of CAATs. CAATs may be used in performing various auditing procedures, including the following:
The guidance note on CAAT issued by the Institute of Chartered Accountants of India describes CAATs as important tools for the auditor in performing audits. During the course of the audit, the auditor is to obtain sufficient, relevant and useful evidence to achieve the audit objectives effectively. Audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence. In auditing a computerised environment where all significant operations are computerised, it may be impractical to perform the audit completely and with assurance unless the auditor uses CAATs for collection and evaluation of audit evidence by performing both compliance and substantive tests. By using CAATs, it is possible for the auditor to perform the audit more effectively and efficiently and also have greater assurance on the audit process. When planning an audit, the auditor may consider an appropriate combination of manual and computer-assisted audit techniques. In determining whether to use CAATs, the factors to consider include:
Before using CAATs, the auditor considers the controls incorporated in the design of the entity’s computer system to which CAAT would be applied in order to determine whether, and if so, how, CAAT should be used. CAATs can be broadly categorised into the following three types:
These are also referred to as package programs. GAS refers to generalised computer programs designed to perform data processing functions such as reading data, selecting and analysing information, performing calculations, creating data files and reporting in a format specified by the auditor. GAS is standard off-the-shelf audit software, which can be used across enterprises and platforms.
These are also referred to as purpose-written programs. They perform audit tasks in specific circumstances. These are specifically written for performing audit tests for specific types of applications. These programs may be developed by the auditor, the business entity being audited or an outside programmer hired by the auditor. In some cases, the auditor may use an entity’s existing programs in their original or modified state because it may be more efficient than developing independent programs.
These are used by an entity to perform common data processing functions, such as sorting, creating and printing files. Utility software also includes utility programs available in system programs for performing debugging or analysis of various aspects of usage/access. These programs are generally not designed for audit purposes but can be used for performing specific tests.
CAATs, and more specifically audit software, have the potential to enable auditors to recognise the computer as a tool to assist them in the audit process. Audit software gives auditors access to data in the medium in which it is stored, eliminating the boundaries of how it can be audited. Once auditors accept and learn how to use audit software, they will be in a better position to add value in their audit.
The greatest barrier to promoting the use of audit software is the failure to recognise opportunities to use it for audit. Understanding and recognising how CAATs can be used and knowing how to use audit software are most critical to its effective use. Using audit software enhances the effectiveness of the audit and enables auditors to provide better assurance to their clients. In an increasingly computerised environment, it is critical for the auditor to move from ticks to clicks and learn to harness the power of computers for audit. Using audit software as their tool for auditing digitised data, auditors can shift focus from time-consuming manual verification audit procedures to intelligent analysis of data to provide assurance to clients and manage audit risks.
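As an added illustration (not part of the original chapter), the following is a small purpose-written audit program of the kind described above: it reads a transaction extract, recomputes the batch control totals and applies validation and completeness checks to each record. The batch header fields, column names and sample data are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed batch header, as logged by the data control section on submission.
BATCH_HEADER = {"record_count": 5, "amount_total": Decimal("3250.00"), "hash_total": 6635}

# Constructed transaction extract read back from the processed file.
EXTRACT = """voucher_no,account_no,amount
1001,1203,500.00
1002,1310,1250.00
1003,1203,-75.00
1005,1417,900.00
1005,1417,900.00
1006,,675.00
"""

def run_audit(header, extract_text):
    rows = list(csv.DictReader(io.StringIO(extract_text)))
    exceptions = []  # (voucher_no, reason) findings for individual records
    seen, prev = set(), None
    amount_total, hash_total = Decimal("0"), 0
    for row in rows:
        voucher = int(row["voucher_no"])
        amount = Decimal(row["amount"])
        amount_total += amount
        # Validation checks: mandatory account number and sign of the amount.
        if not row["account_no"].strip():
            exceptions.append((voucher, "missing account_no"))
        else:
            hash_total += int(row["account_no"])
        if amount <= 0:
            exceptions.append((voucher, "non-positive amount"))
        # Completeness checks: duplicates and breaks in the voucher sequence.
        if voucher in seen:
            exceptions.append((voucher, "duplicate voucher_no"))
        elif prev is not None and voucher != prev + 1:
            exceptions.append((voucher, f"sequence gap after {prev}"))
        seen.add(voucher)
        prev = voucher
    # Control total checks: recomputed figures against the batch header.
    computed = {"record_count": len(rows), "amount_total": amount_total, "hash_total": hash_total}
    mismatches = {k: (header[k], v) for k, v in computed.items() if header[k] != v}
    return {"control_total_mismatches": mismatches, "record_exceptions": exceptions}

if __name__ == "__main__":
    report = run_audit(BATCH_HEADER, EXTRACT)
    for name, (expected, actual) in report["control_total_mismatches"].items():
        print(f"{name}: header={expected} computed={actual}")
    for voucher, reason in report["record_exceptions"]:
        print(f"voucher {voucher}: {reason}")
```

Each exception is a lead for follow-up against source documents, not a conclusion in itself; a mismatch in all three control totals, as in this sample, indicates that the processed file differs from the batch the data control section logged.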
Your client is considering computers to replace his existing manual accounting system and has asked for your advice on the matter. Discussion