The use of computer in data processing systems frequently eliminates the basic internal control of:

In recent years, there has been a rapid development in the use of computers to generate financial information. This development has created certain problems for the auditor in that although general auditing principles have not been affected, it is sometimes necessary to use specialised auditing procedures and techniques. As a result of this, within the accounting profession, a group of electronic data processing (EDP) audit specialists have emerged, equipped with sufficient technical expertise to make an intelligent analysis of complex computer audit situations. The intention of this chapter is to outline the various factors that need to be taken into consideration in evaluating internal control within EDP systems and to draw attention to the modifications in audit procedures, which may be required in certain circumstances.

The basic objective and nature of an audit does not change in a computer information system (CIS) environment. However, the use of computers in maintaining the books of accounts and records affects the processing, storage, retrieval and communication of financial information and may require changing the accounting and internal control systems employed by the organisation.

As given in SA-401, the auditor should evaluate the following factors to determine the effect of computer information system environment on the audit:

  1. The extent to which the computer information system environment is used to record, compile, and analyse accounting information,
  2. The system of internal control in existence in the entity with regard to:
    1. Flow of authorised, correct and complete data to the processing centre;
    2. Processing, analysis and reporting tasks undertaken in the installation; and
  3. The impact of the computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.

The auditor should have sufficient knowledge of the computer information systems to plan, direct, supervise, control and review the work performed. He should also consider whether any specialised skills are required in the conduct of audit in a computer information system environment. In planning the portions of the audit which may be affected by the computer information system environment, the auditor should obtain an understanding of the significance and complexity of the computer information system activities and the availability of the data for use in the audit. When the computer information systems are significant, the auditor should also obtain an understanding of the computer information system environment and whether it may influence the assessment of inherent and control risks.

The auditor should document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained. In an audit in a computer information system environment, some of the audit evidence may be in electronic form. The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required.

It is usual for the auditor to base his approach to an EDP based audit upon two completely separate types of review:

Organisational review is the review of the organisational controls within the computer installation itself. This review seeks to examine the internal control within the computer installation, to ensure that:

  1. An acceptable standard of discipline and efficiency is maintained.
  2. An adequate division of duties exists, thus preventing any undue concentration of functions.

Serious weaknesses in internal control within the EDP department itself can throw doubt on the validity of all the data it produces.

System review is a detailed review of the controls operating within each computer-based accounting system. This review seeks to establish that controls operate within each individual system which, inter alia, ensure that:

  1. All data is completely and accurately processed.
  2. Permanent data is adequately protected.
  3. A satisfactory ‘audit trail’ exists.

Both types of review are carried out by the use of questionnaires and these questionnaires are based on the ‘key question’ principle. It is necessary to evaluate both the general and computer questionnaires together to obtain a proper understanding of the system and to assess the significance of individual controls.

The organisational review seeks to establish that there are no serious internal control weaknesses within the installation, which could throw doubt on the validity of the information produced.

Adopting this approach, the auditor should seek to establish that six key controls operate within the installation. These controls are as follows:

The degree of control which general management should exercise over the EDP department will depend both upon the nature and complexity of the business and the complexity of the computer installation.

The following minimum standards should, however, apply:

  1. The EDP Manager should report directly to senior management.
  2. All significant aspects of EDP activity should be regularly reported.

It should therefore be ascertained that the person to whom the EDP Manager reports is a member of the senior management team and has sufficient authority to ensure that the department will receive adequate support and effective management.

The auditor should also enquire into the manner in which the activities of the department are reported to senior management. Ideally, a monthly control report should be prepared, which should include the following information:

  1. An analysis of computer usage, showing productive and non-productive time separately.
  2. A manpower allocation report.
  3. A report on projects under development.
  4. An analysis of expenditure against budget.

Arrangements should exist within every EDP installation, which attempt either to eliminate or to minimise the possibility of EDP facilities being completely destroyed for any reason. These arrangements are significant in that the loss of certain vital information could seriously disrupt an organisation’s general business and profitability.

The auditor should enquire into the existence of the following controls:

  1. Insurance Cover

    The following risks should be insured:

    1. Loss of equipment.
    2. Loss of file devices.
    3. Reconstruction of files (i.e., the cost of reconstituting the data from external sources).
    4. Consequential loss.
    5. Employee fidelity.
  2. Emergency Precautions

    The operating area should be fitted with fire detection equipment and also with fire-fighting equipment. The computer operators should also be fully aware of the emergency procedures to be adopted in the event of fire. Adequate security measures should also exist to ensure that authorised persons only would gain access to key areas within the department.

  3. Stand-by Facilities

    Arrangements should exist whereby data can be processed at another installation in the event of machine failure. These arrangements are particularly important where certain systems are time-critical (e.g., payrolls).

    It is unfortunately rather common for these arrangements to be made only on a casual basis, since most machine breakdowns are only of a temporary nature. The auditor should therefore enquire into the stand-by arrangements in some detail. In particular, he should direct his attention to the following points:

    1. Whether the arrangements are verbal, written or contractual.
    2. Whether or not the stand-by equipment is fully compatible and whether any recent changes have been made.
    3. Whether significant running time would be available if prolonged use of the stand-by facility were necessary.
  4. Back-up Copies of Files, Programs and Documentation

    Processing arrangements should be such that a recent copy of all master files and programs is available in the event of the current copy being lost, corrupted or destroyed. Similarly, a copy of all system flowcharts and program listings should also be maintained, so that loss of the originals would not destroy all evidence of program details.

    The nature of the back-up arrangements and the frequency with which copies should be made will vary between installations and also between different systems within an installation. It is considered, however, that the following minimum standards should apply:

    1. Programs and Systems Documentation: A back-up copy of each program should be maintained and stored under secure conditions in a place remote from the computer room. This will minimise the risk of both original and copy being destroyed. Similarly, a backup copy of system documentation should also be maintained. Arrangements should also exist which ensure that copy programs and documentation are regularly updated with amendments.
    2. Master Files: At least one recent copy of each master file should always be stored under secure conditions off the premises. Security is further strengthened by means of processing files on a generation basis. Under this system, a copy of the file can always be re-created before the live edition of the file is updated with current transaction data.
  5. Equipment Maintenance

    The equipment should be subject to maintenance as recommended by the manufacturer. The auditor should enquire into the maintenance arrangements and ensure that they comply with the manufacturer’s recommendations.

The division of duties within the EDP department and the general procedural arrangements should be such that the records of the client are not exposed to any undue risk of loss or corruption, either accidental or deliberate.

The auditor should therefore direct his attention to the following aspects of internal control:

  1. Division of Duties within the EDP Department

    In common with other departments of the organisation, the extent to which duties can be divided between the staff within the EDP department depends to a very large extent upon the size of the department.

    Ideally, the following duties should be carried out by separate individuals:

    1. Data initiation (outside the EDP department).
    2. Data control (within the EDP department).
    3. Data preparation (entering and verifying).
    4. Job scheduling.
    5. Operation of the computer.
    6. Maintenance of programs and the file library.
    7. Systems development.
    8. Programming of new systems.

    It should be emphasised that the full division of duties as listed above will only be found in very large institutions. Small installations, for example, rarely employ a file librarian and frequently combine the activities of systems development and programming.

  2. Storage of Information, Files and Programs

    Procedural controls should be such that files and input and output data should not be accessible to unauthorised persons. The following matters warrant particular attention:

    1. Files should always be stored securely, preferably in a separate file library.
    2. Access to the files should be limited to authorised personnel only.
    3. Output should not be accessible to visitors to the department.
    4. Systems and programme documentation should be stored securely.
  3. Processing of Files

    As stated, files should always be processed on a generation basis, thus ensuring that a copy can always be re-created should the current edition of the file be either lost or destroyed.

    The auditor should enquire into the number of generations of master files that are kept and should assess the adequacy of the storage arrangements for each generation.

  4. Procedures to Prevent Accidental Overwriting of Files

    Operating procedures should incorporate controls designed to prevent the accidental overwriting of files. The auditor would normally expect to find the following procedures in operation:

    1. Files should be subject to retention period checks on set-up, i.e., the file label has a date imprinted on it, before which the file may not be overwritten or erased.
    2. Files should be written both internally and externally.
    3. Files should be stored in an orderly fashion to prevent the accidental selection of the incorrect file.
    4. Operators should be given details of file labels before processing, so that operating problems can be resolved.
  5. Amendments to Programs

    Strict control should be exercised over amendments made to existing programs. This is not only to safeguard against fraudulent manipulation or suppression of data, but also to ensure that costly amendments are not made without first establishing that they are both desirable and necessary.

    The auditor should establish that:

    1. operators are instructed to accept only amendments which have been authorised by either the EDP manager or the operations manager,
    2. amended versions of programs are thoroughly tested before implementation and
    3. all program amendments are recorded in the relevant program documentation, the back-up documentation and also in a central record of all amendments.

Control over data submitted for processing is of vital concern to the auditor. The controls established within each system, such as control total checks and validation checks should be examined in detail by means of separate audit reviews of each individual system. Additionally, the auditor should examine as part of his installation review the general standard of controls, which are in operation within the EDP department, particularly within the data control section.

There are three main areas of control to which the auditor should direct his attention:

  1. Controls Maintained by User Departments

    In all batch-processing installations, it should be regarded as a cardinal rule that all user departments should maintain strict input controls over the data which they submit for processing.

    The type of control maintained will clearly vary according to the nature of the business and the individual requirements of each system. During his installation review, the auditor should therefore ascertain whether or not:

    1. all data is batched before it is submitted for processing,
    2. user departments are required to maintain Input/Output controls in the form of batch total summaries and
    3. there are indications that these user controls are effective.
  2. Data Control Function within the EDP Department

    A data control section invariably exists in all but the smallest of installations. Its functions are to receive data from user departments, assemble it into a state ready for processing and to monitor its progress through the various stages of processing.

    Again, the auditor will review the activities of this section in detail during each of his reviews. During his installation review, however, he should seek to establish that:

    1. a data control section does exist within the EDP department,
    2. staff within the data control section do not have other duties which give rise to internal control weaknesses,
    3. authorisation controls exist which ensure that all authorised data is received from users and that only authorised data is accepted for processing,
    4. a record is maintained of all data received and of its progress through processing,
    5. control totals are balanced to output after processing and
    6. the data control section exercises anticipatory control over the receipt of data from users.
  3. Storage Arrangements within the EDP Department

    There should be secure storage arrangements, both during and outside normal working hours, for

    1. unprocessed data in the data control section,
    2. data in the record room,
    3. data in the job assembly area (if any),
    4. input documents after processing,
    5. output documents after processing and
    6. undistributed output.
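The data control checks listed above (authorised batches only, a record of data received, control totals balanced to output, and follow-up of rejections) can be reperformed mechanically. The following is an added example, not part of the original text; the register layout, status values and finding codes are hypothetical and the sample data is constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: the data control section's register of batches
# received from user departments (batch header with count and control total).
BATCH_REGISTER = [
    {"batch": "B001", "authorised_by": "J. Rao", "count": 3, "total": Decimal("450.00")},
    {"batch": "B002", "authorised_by": "",       "count": 2, "total": Decimal("300.00")},
    {"batch": "B003", "authorised_by": "M. Sen", "count": 2, "total": Decimal("175.50")},
    {"batch": "B004", "authorised_by": "M. Sen", "count": 1, "total": Decimal("50.00")},
]

# Constructed sample: records as they appear on the processing output
# (batch, document number, amount, status).
PROCESSED = [
    ("B001", "INV-1", "100.00", "ACCEPTED"),
    ("B001", "INV-2", "150.00", "ACCEPTED"),
    ("B001", "INV-3", "200.00", "REJECTED"),
    ("B002", "INV-4", "120.00", "ACCEPTED"),
    ("B002", "INV-5", "180.00", "ACCEPTED"),
    ("B003", "PO-1", "100.00", "ACCEPTED"),
    ("B003", "PO-2", "57.50", "ACCEPTED"),    # mis-keyed: header implies 75.50
    ("B009", "INV-9", "999.00", "ACCEPTED"),  # batch never entered in the register
]


def reconcile(register, processed, resubmitted):
    """Balance batch headers to processed output and return audit findings.

    `resubmitted` is the set of document numbers that were rejected and
    later re-entered for processing.
    """
    by_batch = defaultdict(list)
    for batch, doc, amount, status in processed:
        by_batch[batch].append((doc, Decimal(amount), status))

    findings = []
    registered = set()
    for entry in register:
        batch = entry["batch"]
        registered.add(batch)

        # Only authorised data should be accepted for processing.
        if not entry["authorised_by"].strip():
            findings.append((batch, "UNAUTHORISED_BATCH"))

        records = by_batch.get(batch, [])
        if not records:
            # Data was received but never reached processing.
            findings.append((batch, "BATCH_NOT_PROCESSED"))
            continue

        # Control totals balanced to output: record count and value.
        if len(records) != entry["count"]:
            findings.append((batch, "COUNT_MISMATCH"))
        if sum(amount for _, amount, _ in records) != entry["total"]:
            findings.append((batch, "TOTAL_MISMATCH"))

        # Rejections must be corrected and resubmitted, not dropped.
        for doc, _, status in records:
            if status == "REJECTED" and doc not in resubmitted:
                findings.append((batch, "REJECTION_OUTSTANDING:" + doc))

    # Output that has no entry in the register bypassed data control.
    for batch in sorted(set(by_batch) - registered):
        findings.append((batch, "UNREGISTERED_BATCH"))
    return findings


if __name__ == "__main__":
    for batch, finding in reconcile(BATCH_REGISTER, PROCESSED, resubmitted=set()):
        print(batch, finding)
```

Amounts are held as `Decimal` so that control totals compare exactly; binary floating point would produce spurious mismatches.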

The procedural controls relating to the operation of the computer should also be reviewed, the objective being to ensure that there are no internal control weaknesses which could give rise to the mis-processing of data.

The points to be considered during this aspect of the review are as follows:

  1. Number of Operators Present During Processing

    Ideally, there should always be two operators present during processing. This means that collusion would have to exist before data could be deliberately copied, manipulated or destroyed. If two or more operators are employed, the auditor should ensure that adequate cover arrangements exist in the event of holidays, sickness, extended shifts and lunch or tea breaks. In such a situation, the rotation of operators’ duties is also of significance.

    If it is not the standard practice for at least two operators to be present during processing, the auditor should seek to assess other controls, which may exist and which may compensate for the absence of control over operators’ activities.

  2. ‘Hands-on’ Testing

    There should invariably be a rule, within all except the smallest of installations, that system analysts and programmers are not allowed access to the computer operating area, other than for ‘hands-on testing’. Hands-on testing is the term used to describe the situation where the programmer tests out, on the computer, programs which he is writing and developing.

    It should also be a rule that during hands-on testing, at least one operator should be present, who alone operates the computer. If no operator is present, special precautions should exist which ensure that the programmer or the analyst cannot access live files and programs.

  3. File Library

    From an internal control point of view, it is clearly preferable that files and programs are stored in a separate file library. Where such a library exists, it should be under the control of a file librarian. Operators should not have access to this library.

    Where such a library does exist, the auditor should establish that it is a requirement that all files are stored in this library when not in use. He should inspect other areas within the operations suite to confirm that this requirement is being observed.

  4. Review of Operators’ Activities

    It should be an accepted principle within the installation that operators’ activities should be recorded and reviewed. The manner in which this is carried out will vary according to the nature of the installation.

  5. Access to the Operating Area

    Clearly, access to the operating area should be subject to rigid security.

    The auditor should therefore ensure that

    1. unauthorised persons cannot gain access to the operating area either during or outside normal working hours,
    2. checks exist, which ensure that operators do not bring unauthorised files or work into the operating area and
    3. it is not possible for operators to remove files or work from the operating area without authorisation.

To complete his review of the computer installation, the auditor should conduct a review of the internal control surrounding the general activities of the EDP department. The points that should be covered within this area of review are as follows:

  1. Protection of Confidential Information

    Controls should exist which ensure that confidential information is adequately protected. Such controls will take one or other of the following forms:

    1. Attendance of users during the processing of sensitive applications.
    2. Security grading of printouts, with a corresponding restriction of distribution.
    3. If machine time is sold, special precautions relating to the protection of files, programs and data whilst visitors are in the operating area.
  2. Development of New Systems and Applications

    Procedures within the department should ensure that computer systems are only developed in situations where there is a genuine need for them and that they are developed along practical and commercial lines.

    The controls surrounding systems development should therefore ensure that:

    1. feasibility studies are always carried out before new applications are authorised and undertaken. Such studies should have regard to all the relevant factors including: obtaining users’ co-operation; proving a need for the application; setting realistic time scales for implementation etc.,
    2. systems and programs under development are reviewed at critical stages during their development. It is clearly essential that systems, when developed, are acceptable to all concerned. Reviews should therefore be carried out as follows:
      • Users should approve the system before development begins.
      • Auditors should be involved before programming begins to ensure that acceptable control standards are incorporated into the system.
      • The system analysts should review all programs before they are compiled.
      • The programmer should extensively test the programs.
      • The analyst should review the results of program testing.
      • The user department should formally authorise the system as ready for implementation.
  3. Sale of Machine Time/Data Conversion Facilities

    If computer time and/or operating facilities are sold on anything more than an occasional basis, controls should exist to ensure that all income is duly received. The auditor should therefore enquire into the following:

    1. The system surrounding the invoicing and collection of revenue.
    2. The rates charged and the comparison of these rates against commercial bureau charges.
  4. Cost Control Over the Activities of the EDP Department

    The auditor should establish that there is an adequate form of review over the activities of the EDP department. As a corollary to this enquiry, it is appropriate to enquire under this heading into the detailed mechanics of cost control. In particular, attention should be paid to the following:

    1. Any cost accounts prepared by the EDP department.
    2. The reconciliation of these cost accounts to the main financial accounts.
    3. The comparison of actual costs against budget.
    4. The means by which management review variances.

Having completed his review of the installation and satisfied himself as to the adequacy or otherwise of the design and operation of the various procedural controls, the auditor will be in a position to review in detail the design and operation of each of the individual systems.

His approach to this task will be similar to that employed in any other system-based audit, which includes the following:

The task of documenting a computer system is not dissimilar from that of documenting any other accounting system. In fact, the auditor is invariably aided in his work in that he will normally find that the system has already been well documented by the analysts who designed the system.

The amount of documentation which will be available will clearly vary from installation to installation. In some cases, it will be necessary to supplement the documentation with the auditor’s own notes and flowcharts, whereas in other cases the notes and flowcharts provided by the client will prove sufficient.

The documentation will need to be assembled in a manner which will facilitate an evaluation of the system on the ‘key question’ principle. Clearly, no hard and fast rules can be laid down, but it will normally be convenient to use the outline system flowchart as the principal record of the system and to supplement this flowchart with the following four main schedules:

  1. Schedule of input types
  2. Schedule of master files
  3. Schedule of intermediary files
  4. Schedule of reports printed.

The outline system flowchart, together with the four main supporting schedules, should provide the auditor with the bulk of the information which he requires for his evaluation of the system.

Having completed his documentation of the system, the auditor can proceed with his evaluation of the internal controls operating within the system. He will do this by means of an internal control questionnaire. The questionnaire should seek to establish that the following seven key controls operate:

  1. That it is possible to trace transactions through each stage of processing, i.e., a satisfactory audit trail exists.
  2. That there are controls which prove prima facie that transaction data is processed correctly.
  3. That there are adequate controls to protect standing data.
  4. That controls exist to ensure that all authorised, and only authorised, data is processed.
  5. That adequate control is exercised over rejections and resubmission of corrected data for reprocessing.
  6. That the system provides adequate management information and that it is broadly suited to its purpose.
  7. That the system is adequately documented.

Having documented the system and having evaluated the controls operating within the system, the auditor will be in a position to design his audit programme. It should be emphasised that the principles involved are identical to those in any other system-based audit, namely, that the auditor is seeking to assess and test the operation of the system, so that he can rely on the information produced by the system.

If he can satisfy himself as to the reliability of the system, this does not of course obviate the necessity for balance sheet verification work. Thus, even though the auditor is satisfied as to the operation of the computer systems, it will still be necessary to verify, for example, purchase ledger balances against circulars and statements and stock ledger balances against physical stock counts.

  1. Transaction and Weakness Test

    The principles to be employed in designing computer system audit tests are again similar to those employed in designing audit tests in respect of manual or mechanised systems. If the answer to a key question is positive and the auditor is satisfied that no fundamental internal control weakness exists, then he imposes a transaction test to establish that the system is operating satisfactorily. If, however, the answer to a key question is negative, he imposes a special weakness test to assess the significance of that weakness. If at the conclusion of those tests he is satisfied that no major error could occur, he reports the weakness to the management and continues with normal balance sheet verification work. If he thinks that a major error could occur, he must then impose additional verification tests or perhaps qualify the audit report.

    It is not practical to specify a standard audit programme which can be used in all cases where no major weakness has been identified. It is, however, possible to give an indication of the normal tests which would be included in a transactions audit programme where there is no loss of audit trail.

  2. Loss of Audit Trail

    The tests indicated above deal with the basically simple situation where all information is processed in batch form and where it is possible to link the input directly with output.

    However, losses of and changes in traditional audit trails are encountered increasingly in the more advanced computer applications. A typical example would be a large public company with a sales ledger comprising over half a lakh balances. It would be impractical to print out a full list of balances each month, so the control totals are printed, together with certain exception reports, such as overdue balances. There is, therefore, no output report against which the auditor can compare input.

    A commonsense approach should be adopted to losses of audit trail of this nature. The auditor must adapt his technique to suit the situation. A number of choices are open to him, including some sophisticated techniques.

    Techniques used in these circumstances include:

    1. Arranging for special printouts of additional information for the auditor’s use. This often involves an additional suite of programs, which are activated at the auditor’s request.
    2. Clerical re-creation, i.e., to verify a sales total when no detailed listings have been produced, the copy invoices can be add-listed and the totals compared against the computer reports.
    3. Testing on a total basis, ignoring individual items.
    4. Use of a computer audit programme to directly interrogate the magnetic file and printout information specifically selected by the auditor.
    5. Use of a test pack to test the correct processing of data.
    6. Relying on alternative tests.

Rapid changes in hardware and software have changed the conceptual approach to auditing in an EDP environment. In earlier times, the audit approach consisted of ignoring the existence of the computer and treating it as a black box, with the audit conducted around the computer. However, the increasing development of computers has since led to computers being used in two different ways:

  1. As a tool to the auditor in conducting audit such as printing confirmation requests, and
  2. As the target of the audit where data are submitted to the computer and the results are analyzed for processing reliability and accuracy of the computer system.

The auditor must plan whether to use the computer to assist the audit or whether to audit without using the computer. These two approaches are commonly known as ‘auditing around the computer’ and ‘auditing through the computer’.

Auditing around the computer involves arriving at a conclusion through examining the internal control system for the computer installation and the input and output only for application systems. On the basis of the quality of the input and output of the application system, the auditors take a decision about the quality of the processing carried out. Under this approach, the auditor considers the computer as a black box and as a result, the application system processing is not examined directly.

Usually the auditors adopt this approach of auditing around the computer, when any of the following conditions are fulfilled:

  1. The system itself is very simple.
  2. The system is batch oriented and
  3. The system uses generalised software, which is well tested and used widely by many concerns.

For these well-defined systems, generalised software packages often are available. For example, software vendors have already developed packages for value-added tax calculation. If these software packages are provided by a recognised vendor, have received widespread use and appear error-free, the auditor may decide not to test directly the processing aspects of the system. However, the auditor must ensure that the installation has not modified the package in any way and that adequate controls exist to prevent unauthorised modification of the package.

The basic advantage of auditing around the computer is its simplicity. Auditors having little technical knowledge of computers can be trained easily to perform the audit.

However, this approach is also not free from defects. There are two major limitations to this approach. Firstly, the type of computer system where it is applicable is very restricted. It should not be used in those systems having complexity in terms of size or type of processing. Secondly, the auditor cannot assess very well the likelihood of the system degrading if the environment changes. The auditor should be concerned with the ability of the organisation to adjust to a changed environment. Systems can be designed and programs can be written in certain ways so that a change in the environment will not cause the system to process data incorrectly or to degrade quickly.

The auditor can use the computer to test: (a) the logic and controls existing within the system and (b) the records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor.

Following are the situations where auditing through the computer must be used:

  1. The logic of the system is complex and there are large portions that facilitate use of the system or efficient processing.
  2. The application system processes large volumes of inputs and produces large volumes of output that makes extensive direct examination of the validity of input and output difficult.
  3. Because of cost–benefit considerations, there are substantial gaps in the visible audit trail.
  4. Significant parts of the internal control system are embodied in the computer system.

The main advantage of this auditing approach is that the auditor has increased power to effectively test a computer system. The range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system’s processing, the auditor also can assess the system’s ability to cope with environment change.

The main disadvantages of this approach are the high costs sometimes involved and the need for extensive technical expertise when systems are complex. However, these disadvantages are really spurious if auditing through the computer is the only viable method of carrying out the audit.

As in the case of manual systems, the basic approach to auditing in an EDP environment is to:

  1. study and evaluate the system through which the information under audit is generated, including the various internal controls in the system and
  2. carry out appropriate substantive procedures.

Due to the special characteristics of an EDP environment, auditors often use the computer for performing several compliance procedures as well as substantive procedures. The techniques, which involve the use of the computer for audit purposes, are known as computer-assisted audit techniques (CAATs).

Computer-assisted audit techniques involve the use of computers in the process of an audit rather than limiting it to an entirely manual approach. CAATs are defined as computer-based tools and techniques that help auditors increase their personal productivity as well as that of the audit function. CAATs are software tools that auditors use to access, analyse and interpret data and to form an opinion on an audit objective.

Standards on Auditing-401 (SA-401) states that the effectiveness and efficiency of audit procedures may be improved through the use of CAATs. CAATs may be used in performing various auditing procedures, including the following:

  • Tests of details of transactions and balances;
  • Analytical procedures;
  • Tests for general controls;
  • Sampling programs to extract data for audit testing;
  • Tests of application controls;
  • Re-performing calculations performed by the organisation’s accounting system.
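Three of the procedures listed above (re-performing calculations, tests of details of transactions, and sampling) can be sketched as a small purpose-written audit program. This is an added example, not part of the original text; the ledger extract, the 15% VAT rate and the half-up rounding to the nearest cent are constructed assumptions.

```python
import csv
import io
import random
from decimal import Decimal, ROUND_HALF_UP

# Constructed sales-ledger extract; the 15% VAT rate is an assumption.
LEDGER_CSV = """invoice_no,net,vat,gross
1001,200.00,30.00,230.00
1002,99.99,15.00,114.99
1003,50.00,5.00,55.00
1003,50.00,7.50,57.50
1005,10.00,1.50,11.60
"""
VAT_RATE = Decimal("0.15")
CENT = Decimal("0.01")

def load(text):
    """Parse the extract, keeping amounts as Decimal to avoid float rounding."""
    return [{"invoice_no": int(r["invoice_no"]),
             **{k: Decimal(r[k]) for k in ("net", "vat", "gross")}}
            for r in csv.DictReader(io.StringIO(text))]

def reperform(rows):
    """Recompute VAT and gross; return (file line, invoice, field, recorded, expected)."""
    exceptions = []
    for line, r in enumerate(rows, start=2):  # line 1 is the header
        vat = (r["net"] * VAT_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
        if r["vat"] != vat:
            exceptions.append((line, r["invoice_no"], "vat", r["vat"], vat))
        gross = r["net"] + r["vat"]  # casting check on the recorded figures
        if r["gross"] != gross:
            exceptions.append((line, r["invoice_no"], "gross", r["gross"], gross))
    return exceptions

def sequence_check(rows):
    """Return (duplicated invoice numbers, numbers missing from the run)."""
    nums = [r["invoice_no"] for r in rows]
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    gaps = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    return duplicates, gaps

def draw_sample(rows, size, seed):
    """Seeded random selection, so the sample can be re-drawn from the working papers."""
    return random.Random(seed).sample(rows, min(size, len(rows)))

if __name__ == "__main__":
    ledger = load(LEDGER_CSV)
    print(reperform(ledger), sequence_check(ledger), draw_sample(ledger, 2, seed=7))
```

Each exception carries the file line number, so a finding can be traced back to the source record.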

The guidance note on CAATs issued by the Institute of Chartered Accountants of India describes CAATs as important tools for the auditor in performing audits. During the course of the audit, the auditor is to obtain sufficient, relevant and useful evidence to achieve the audit objectives effectively. Audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence.

In auditing a computerised environment where all significant operations are computerised, it may be impractical to perform the audit completely and with assurance unless the auditor uses CAATs for the collection and evaluation of audit evidence by performing both compliance and substantive tests. By using CAATs, the auditor can perform the audit more effectively and efficiently and also have greater assurance on the audit process.

When planning an audit, the auditor may consider an appropriate combination of manual and computer-assisted audit techniques. In determining whether to use CAATs, the factors to consider include:

  • the IT knowledge, expertise and experience of the audit team;
  • the availability of CAATs and suitable computer facilities and data;
  • the impracticability of manual tests;
  • effectiveness and efficiency; and
  • time constraints.

Before using CAATs, the auditor considers the controls incorporated in the design of the entity’s computer system to which the CAAT would be applied, in order to determine whether, and if so how, the CAAT should be used.

CAATs can be broadly categorised into the following three types:

These are also referred to as package programs. Generalised audit software (GAS) refers to generalised computer programs designed to perform data processing functions such as reading data, selecting and analysing information, performing calculations, creating data files and reporting in a format specified by the auditor. GAS is standard off-the-shelf audit software, which can be used across enterprises and platforms.

These are also referred to as purpose-written programs. They perform audit tasks in specific circumstances and are written specifically to perform audit tests for specific types of applications. These programs may be developed by the auditor, the business entity being audited or an outside programmer hired by the auditor. In some cases, the auditor may use an entity’s existing programs in their original or modified state because it may be more efficient than developing independent programs.

These are used by an entity to perform common data processing functions, such as sorting, creating and printing files. Utility software also includes utility programs available in system programs for performing debugging or analysis of various aspects of usage/access. These programs are generally not designed for audit purposes but can be used for performing specific tests.

CAATs, and more specifically audit software, have the potential to enable auditors to recognise the computer as a tool to assist them in the audit process. Audit software gives auditors access to data in the medium in which it is stored, eliminating the boundaries on how it can be audited. Once auditors accept and learn how to use audit software, they will be in a better position to add value in their audit. The greatest barrier to promoting the use of audit software is the failure to recognise opportunities to use it in an audit. Understanding and recognising how CAATs can be used, and knowing how to use audit software, are most critical to its effective use.

Using audit software enhances the effectiveness of the audit and enables auditors to provide better assurance to their clients. In an increasingly computerised environment, it is critical for the auditor to move from ticks to clicks and learn to harness the power of computers for audit. Using audit software as their tool for auditing digitised data, auditors can shift focus from time-consuming manual verification procedures to intelligent analysis of data, in order to provide assurance to clients and manage audit risks.

Your client is considering computers to replace his existing manual accounting system and has asked for your advice on the matter.

Discussion

  1. Briefly outline the stages in the development of the new computer application.
  2. Indicate the extent to which you, as an external auditor, need to be involved in the developments in order to make the changeover as smooth and efficient as possible and to simplify your audit procedures.

  1. Short-essay type questions
    1. What are the features of an EDP environment that affect the nature, timing or extent of audit procedures?
    2. What do you mean by the term ‘computer-assisted audit techniques’? State the factors to be considered before using these techniques.
    3. Describe briefly the common types of computer-assisted audit techniques.
    4. Write short notes on:
      1. Batch total
      2. Test data
      3. Check digit
    5. State the primary purpose of generalised audit software.
  2. Essay-type questions

    1. You have been appointed as the auditor of a company, which maintains its accounts on computers. Write in detail the audit approach that you would follow in the case of the company.
    2. Describe the similarities and differences in the approach of an auditor to conduct audit of accounts maintained manually and those maintained on computers.
    3. State the controls that can be applied over inputs and processing of data in a computerised accounting environment.
    4. Write notes on the following:
      1. Hands-on testing
      2. Files library
      3. Auditing around the computer
      4. Utility software
    5. Describe the steps to be followed in reviewing computer installation.